VyOS Documentation

发布 1.4.x (sagitta)

VyOS maintainers and contributors

2021 年 05 月 04 日
 Contents

1 About 1

2 History 2

3 Changelog 3

4 Installation and Image Management 94

5 快速开始 169

6 命令行接口 173

7 Configuration Overview 175

8 Configuration Guide 186

9 Operation Mode 563

10 VyOS Automation 567

11 Troubleshooting 576

12 配置蓝图 584

13 Contributing 620

14 Debugging 649

15 Documentation 653

16 Coverage 659

17 Copyright Notice 1221

索引 1222

i
 CHAPTER 1

About

VyOS is an open source network operating system based on Debian GNU/Linux.

VyOS provides a free routing platform that competes directly with other commercially available solutions from well known
network providers. Because VyOS is run on standard amd64, i586 and ARM systems, it is able to be used as a router and
firewall platform for cloud deployments.
We use multiple live versions of our manual hosted thankfully by https://readthedocs.org. We will provide one version
of the manual for every VyOS major version starting with VyOS 1.2 which will receive Long-term support (LTS).
The manual version is selected/specified by it’s Git branch name. You can switch between versions of the documentation
by selecting the appropriate branch on the bottom left corner.
VyOS CLI syntax may change between major (and sometimes minor) versions. Please always refer to the documentation
matching your current, running installation. If a change in the CLI is required, VyOS will ship a so called migration script
which will take care of adjusting the syntax. No action needs to be taken by you.

1
 CHAPTER 2

History

VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN func-
tionality.
The VyOS project was started in late 2013 as a community fork of the GPL portions of Vyatta Core 6.6R1 with the goal
of maintaining a free and open source network operating system in response to the decision to discontinue the community
edition of Vyatta. Here everyone loves learning, older managers and new users.
VyOS is primarily based on Debian GNU/Linux and the Quagga routing engine. Its configuration syntax and 命令行接
口 are loosely derived from Juniper JUNOS as modelled by the XORP project, which was the original routing engine for
Vyatta.
In the 4.0 release of Vyatta, the routing engine was changed to Quagga. As of VyOS version 1.2, VyOS now uses
FRRouting as the routing engine.
How is VyOS different from any other router distributions and platform?
• It’s more than just a firewall and VPN, VyOS includes extended routing capabilities like OSPFv2, OSPFv3, BGP,
VRRP, and extensive route policy mapping and filtering
• Unified command line interface in the style of hardware routers.
• Scriptable CLI
• Stateful configuration system: prepare changes and commit at once or discard, view previous revisions or rollback
to them, archive revisions to remote server and execute hooks at commit time
• Image-based upgrade: keep multiple versions on the same system and revert to previous image if a problem arises
• Multiple VPN capabilities: OpenVPN, IPSec, Wireguard, DPMVPN, IKEv2 and more
• DHCP, TFTP, mDNS repeater, broadcast relay and DNS forwarding support
• Both IPv4 and IPv6 support
• Runs on physical and virtual platforms alike: small x86 boards, big servers, KVM, Xen, VMware, Hyper-V, and
more
• Completely free and open source, with documented internal APIs and build procedures
• Community driven. Patches are welcome and all code, bugs, and nightly builds are publicly accessible

2
 CHAPTER 3

Changelog

3.1 1.4 Sagitta

3.1.1 2021-03-14

• T3395 (bug): WAN load-balancing fails with nexthop dhcp

• T3289 (bug): No description for node “service”conf-mode
• T3345 (default): BGP: add per VRF instance support
• T3344 (default): Per VRF dynamic routing support
• T3325 (bug): Bgp listen-range wrong commit message
• T1513 (default): Move OSPF and RIP interface configuration under protocols

3.1.2 2021-03-13

• T3406 (bug): tunnel: interface no longer supports specifying encaplimit none - or migrator is missing
• T3407 (bug): console-server: do not allow to spawn a console-server session on serial port used by“system console”

3.1.3 2021-03-11

• T3305 (bug): Ingress qdisc does not work anymore in 1.3-rolling-202101 snapshot
• T2927 (bug): isc-dhcpd release and expiry events never execute

3
 VyOS Documentation, 发布 1.4.x (sagitta)

3.1.4 2021-03-09

• T3389 (default): gretap tunnel type missing from vyos documentation after renamed from gre-bridge
• T3382 (bug): Error creating Console Server

3.1.5 2021-03-08

• T3387 (bug): Command “Monitor vpn ipsec”is not working

3.1.6 2021-03-07

• T3388 (bug): show interfaces doesn’t display pppoeX

• T3211 (feature): ability to redistribute ISIS into other routing protocols

3.1.7 2021-03-04

• T3377 (bug): show interfaces throws error

3.1.8 2021-03-02

• T3375 (bug): Interface becomes up at boot even when disabled

3.1.9 2021-02-28

• T3370 (bug): dhcp: Invalid domain name “private”

• T3369 (feature): VXLAN: add IPv6 underlay support
• T3363 (bug): VyOS-Build interactive prompt when using Podman
• T3320 (bug): Bgp neighbor peer-group without peer-group fail

3.1.10 2021-02-27

• T3365 (bug): Bgp neighbor interface ordering for remote-as

• T3225 (bug): Adding a BGP neighbor with an address on a local interface throws a vyos.frr.CommitError: Con-
figuration FRR failed while committing code: ‘’
• T3368 (feature): macsec: add support for gcm-aes-256 cipher
• T3173 (feature): Need ‘nopmtudisc’option for tunnel interface

3.1. 1.4 Sagitta 4

 VyOS Documentation, 发布 1.4.x (sagitta)

3.1.11 2021-02-26

• T3324 (bug): Bgp space in the password

• T3357 (default): HTTP-API redirect from http correct https port
• T3323 (bug): Bgp ttl-security and ebgp-multihop fail

3.1.12 2021-02-24

• T3303 (feature): Change welcome message on boot

3.1.13 2021-02-22

• T3322 (bug): Bgp neighbor timers not applyed to FRR config

• T3327 (bug): OSPFv3: Cannot add dummy interface

3.1.14 2021-02-21

• T3331 (bug): Bgp unsuppress-map should be as “value leafNode”

• T3330 (bug): Bgp capability orf prefix-list fail
• T3163 (feature): ethernet ring-buffer can be set with an invalid value

3.1.15 2021-02-19

• T3326 (bug): OSPFv3: Cannot add L2TPv3 interface

• T3332 (bug): BGP unnumbered - UnboundLocalError: local variable‘peer_group’referenced before assignment

3.1.16 2021-02-18

• T3259 (default): many dnat rules makes the vyos http api crash, even showConfig op timeouts

3.1.17 2021-02-17

• T3312 (feature): SolarFlare NICs support

3.1.18 2021-02-16

• T3313 (bug): ospfv3 interface missing options

• T3318 (feature): Update Linux Kernel to v5.4.105 / 5.10.23

3.1. 1.4 Sagitta 5

 VyOS Documentation, 发布 1.4.x (sagitta)

3.1.19 2021-02-15

• T3311 (bug): BGP Error: Remote AS must be set for neighbor or peer-group

3.1.20 2021-02-14

• T2848 (feature): bgp-add-path configuration options

• T1875 (feature): Add the ability to use network address as BGP neighbor (bgp listen range)

3.1.21 2021-02-12

• T3301 (bug): Wrong format and valueHelp for policy as-path-list regex

3.1.22 2021-02-11

• T3281 (default): Rewrite protocol RIPng [conf-mode] to new XML/Python style

• T3282 (default): Add XML for [conf-mode] RIPng
• T3279 (default): Rewrite protocol STATIC [op-mode] to new XML/Python style
• T3297 (bug): Optimize irrelevant error stack hints

3.1.23 2021-02-08

• T3295 (feature): Update Linux Kernel to v5.4.96 / 5.10.14

3.1.24 2021-02-05

• T3030 (feature): Support ERSPAN Tunnel Protocol

3.1.25 2021-02-04

• T3283 (feature): Support for IPv4 neigh tables

• T3280 (default): Add XML for [conf-mode] STATIC

3.1.26 2021-02-03

• T3278 (feature): Add XML for “protocols vrf”[conf-mode]

• T3239 (default): XML: override ‘defaultValue’for mtu of certain interfaces; remove workarounds
• T2910 (feature): XML: generator should support override of variables

3.1. 1.4 Sagitta 6

 VyOS Documentation, 发布 1.4.x (sagitta)

3.1.27 2021-02-02

• T3018 (bug): Unclear behaviour when configuring vif and vif-s interfaces
• T3255 (default): Rewrite protocol RPKI to new XML/Python style
• T3263 (feature): OSPF Hello subsecond timer

3.1.28 2021-01-31

• T3276 (feature): Update Linux Kernel to v5.4.94 / 5.10.12

3.1.29 2021-01-30

• T3240 (feature): Support per-interface DHCPv6 DUIDs

• T3273 (default): PPPoE static default-routes deleted on interface down when not added by interface up

3.1.30 2021-01-29

• T3261 (bug): Does not possible to disable pppoe client interface.

• T3272 (default): OSPF: interface config is not removed

3.1.31 2021-01-27

• T3257 (feature): tcpdump supporting complete protocol

• T3244 (default): Rewrite protocol OSPFv3 to new XML/Python style

3.1.32 2021-01-26

• T3251 (bug): PPPoE client trying to authorize with the wrong username
• T3256 (default): Add XML for protocol RPKI [conf-mode]

3.1.33 2021-01-25

• T3249 (feature): Support operation mode forwarding table output

3.1.34 2021-01-24

• T3227 (bug): Latest releases don’t work with RPKI (crash)

• T3230 (bug): RPKI can’t be deleted
• T3221 (bug): FRR config
• T3245 (default): Add XML for protocol ospfv3 [conf-mode]

3.1. 1.4 Sagitta 7

 VyOS Documentation, 发布 1.4.x (sagitta)

3.1.35 2021-01-23

• T3236 (default): Add XML for [conf-mode] OSPF

3.1.36 2021-01-17

• T3222 (bug): BGP dampening description

• T3226 (bug): Repair bridge smoke test damage

3.1.37 2021-01-16

• T3215 (bug): show ipv6 route Broken on 1.4 Rolling

• T3157 (bug): salt-minion fails to start due to permission error accessing /root/.salt/minion.log
• T3137 (feature): Let VLAN aware bridge approach the behavior of professional equipment

3.1.38 2021-01-15

• T3210 (feature): ISIS three-way-handshake

• T3184 (feature): Add correct desctiptions for BGP neighbors

3.1.39 2021-01-14

• T3213 (bug): show interface command python error

3.1.40 2021-01-12

• T3205 (bug): Does not possible to configure tunnel mode gre-bridge

3.1.41 2020-12-20

• T3132 (feature): Enable egress flow accounting

3.2 1.3 Equuleus

3.2.1 2021-03-14

• T3395 (bug): WAN load-balancing fails with nexthop dhcp

• T3289 (bug): No description for node “service”conf-mode
• T2271 (feature): OSPF: add per VRF instance support
• T175 (feature): Add source route option to vti interface

3.2. 1.3 Equuleus 8

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.2 2021-03-13

• T3406 (bug): tunnel: interface no longer supports specifying encaplimit none - or migrator is missing
• T3407 (bug): console-server: do not allow to spawn a console-server session on serial port used by“system console”

3.2.3 2021-03-11

• T3399 (bug): RPKI: dashes in hostnames are replaced with underscores when rendering the FRR config
• T3305 (bug): Ingress qdisc does not work anymore in 1.3-rolling-202101 snapshot
• T2927 (bug): isc-dhcpd release and expiry events never execute
• T899 (bug): Tunnels cannot be moved from one bridge to another
• T786 (feature): new style xml and conf-mode scripts: posibillity to add tagNode value as parameter to conf-script

3.2.4 2021-03-09

• T3389 (default): gretap tunnel type missing from vyos documentation after renamed from gre-bridge
• T3382 (bug): Error creating Console Server

3.2.5 2021-03-08

• T3387 (bug): Command “Monitor vpn ipsec”is not working

3.2.6 2021-03-07

• T3319 (bug): VXLAN uses ttl 1 (auto) by default

• T3391 (feature): Add CLI support for specifying maximum-paths per address family ipv4 unicast and ipv6 unicast
• T3211 (feature): ability to redistribute ISIS into other routing protocols

3.2.7 2021-03-05

• T2659 (feature): Add fastnetmon (DDoS detection) support

3.2.8 2021-03-04

• T2861 (bug): route-map “set community additive”not working correctly

3.2. 1.3 Equuleus 9

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.9 2021-03-03

• T2966 (feature): tunnel: add new encapsulation types ip6tnl and ip6gretap

3.2.10 2021-03-01

• T3342 (bug): On xen-netback interfaces must set “scattergather”offload before MTU>1500

3.2.11 2021-02-28

• T3370 (bug): dhcp: Invalid domain name “private”

• T3369 (feature): VXLAN: add IPv6 underlay support

3.2.12 2021-02-27

• T2291 (bug): Bad hostnames in /etc/hosts with static-mapping in dhcp server config
• T3364 (feature): tunnel: cleanup/rename CLI nodes
• T3368 (feature): macsec: add support for gcm-aes-256 cipher
• T3366 (bug): tunnel: can not change local / remote ip address for gre-bridge tunnel

3.2.13 2021-02-26

• T3347 (default): vyos 1.3 beta fails to configure Xen HVM guest ethernet interfaces due to ethtool -g error
• T3357 (default): HTTP-API redirect from http correct https port

3.2.14 2021-02-24

• T1774 (default): Add a show config operation to the HTTP API

• T3303 (feature): Change welcome message on boot

3.2.15 2021-02-21

• T3163 (feature): ethernet ring-buffer can be set with an invalid value

• T2521 (bug): Need to restart pdns-recursor to check new entries in /etc/hosts

3.2. 1.3 Equuleus 10

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.16 2021-02-20

• T2647 (default): ipsec disableuniqreqids generate a wrong ipsec.conf

3.2.17 2021-02-19

• T3326 (bug): OSPFv3: Cannot add L2TPv3 interface

• T2061 (bug): protocol logs not sent to remote syslog

3.2.18 2021-02-18

• T3259 (default): many dnat rules makes the vyos http api crash, even showConfig op timeouts

3.2.19 2021-02-17

• T3047 (bug): OSPF : virtual-link and passive-interface default parameters does not work together
• T3312 (feature): SolarFlare NICs support

3.2.20 2021-02-16

• T3318 (feature): Update Linux Kernel to v5.4.105 / 5.10.23

3.2.21 2021-02-14

• T2152 (bug): ddclient has bug which prevents use_web from being used
• T3308 (feature): BGP: add gracefull shutdown support

3.2.22 2021-02-13

• T3028 (feature): Create a default user when metadata is not available (for Cloud-init builds)
• T2867 (feature): Cleanup DataSourceOVF.py in the Cloud-init
• T2726 (feature): Allow to use all supported SSH key types in Cloud-init
• T2403 (feature): Full support for networking config in Cloud-init
• T2387 (feature): Create XML scheme for [conf_mode] BGP
• T2174 (feature): Rewrite protocol BGP to new XML/Python style
• T1987 (bug): A default route can be deleted by dhclient-script in some cases
• T2310 (bug): vyos-cloud-init use global config to configure pass and ssh login
• T723 (feature): Add support for first boot or installation time saved config modification
• T1775 (bug): Cloud-init not running userdata runcmd
• T1389 (feature): Add support for NoCloud cloud-init datasource
• T1315 (feature): Allow BGP to use address-family l2vpn evpn

3.2. 1.3 Equuleus 11

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.23 2021-02-12

• T3301 (bug): Wrong format and valueHelp for policy as-path-list regex

3.2.24 2021-02-11

• T2638 (default): FRR: New framework for configuring FRR

• T3035 (enhancment): Allow IPv4 over IPv6 IPsec and vice versa
• T1957 (feature): PPPoE server: maintenance mode
• T1773 (default): Make it possible to export config to JSON

3.2.25 2021-02-08

• T3295 (feature): Update Linux Kernel to v5.4.96 / 5.10.14

• T3292 (bug): RIPng: access-lists/prefix-list reference IPv4 and not IPv6 lists during verification

3.2.26 2021-02-07

• T3293 (bug): RPKI migration script errors out after CLI rewrite

3.2.27 2021-02-06

• T3285 (feature): Schedule reboots through systemd-shutdownd instead of atd

• T661 (feature): Show a warning if router going to reboot soon (due to “commit-confirm”command)

3.2.28 2021-02-05

• T2450 (feature): Rewrite “protocols vrf”tree in XML and Python

• T208 (feature): Ability to ignore default-route from dhcpcd per interface

3.2.29 2021-02-04

• T2834 (bug): Config rollback function is broken due lack access to the config.boot

3.2.30 2021-02-03

• T3239 (default): XML: override ‘defaultValue’for mtu of certain interfaces; remove workarounds
• T2910 (feature): XML: generator should support override of variables
• T2873 (bug): “show nat destination translation address”doesn’t filter at all
• T627 (bug): IPSec configuration directive deletion fails, causes bad IPSec state on reboot.

3.2. 1.3 Equuleus 12

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.31 2021-02-02

• T3018 (bug): Unclear behaviour when configuring vif and vif-s interfaces
• T3255 (default): Rewrite protocol RPKI to new XML/Python style

3.2.32 2021-02-01

• T3268 (feature): Add VRF support to VIF-S interfaces

• T3274 (default): ask_yes_no() doesn’t handle EOFError

3.2.33 2021-01-31

• T3276 (feature): Update Linux Kernel to v5.4.94 / 5.10.12

3.2.34 2021-01-30

• T3269 (bug): VIF-C interfaces don’t verify configuration

• T3240 (feature): Support per-interface DHCPv6 DUIDs
• T3037 (bug): Bgp afi ipv6-unicast capability dynamic bug
• T3273 (default): PPPoE static default-routes deleted on interface down when not added by interface up

3.2.35 2021-01-29

• T3262 (bug): DHCPv6 client runs when dhcpv6-options is configured without requesting an address or PD
• T3261 (bug): Does not possible to disable pppoe client interface.
• T3246 (bug): OSPFv3 router ID not configured in FRR
• T3126 (bug): unsuppress-map doesn’t work for BGP IPv4

3.2.36 2021-01-27

• T3257 (feature): tcpdump supporting complete protocol

• T3194 (bug): OSPF redistribution metric issue
• T3110 (bug): Broken pipe in show interfaces
• T3085 (feature): IPv6 BGP Neighbor Weight
• T651 (enhancment): Split CI’ed, VyOS-specific packages and other packages into separate repos
• T597 (enhancment): Code testing on sonarcloud.com
• T516 (default): Make Python / XML code development more testable
• T625 (default): IKEv1 lifetime negotiation in VyOS 1.2.0
• T613 (bug): Missing linux-kbuild
• T505 (bug): Hostapd cannot log

3.2. 1.3 Equuleus 13

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.37 2021-01-26

• T3251 (bug): PPPoE client trying to authorize with the wrong username
• T2859 (bug): show nat source translation - Errors out

3.2.38 2021-01-25

• T3252 (bug): rpki: AttributeError: ‘Config’object has no attribute ‘return__value’

• T3249 (feature): Support operation mode forwarding table output

3.2.39 2021-01-24

• T3230 (bug): RPKI can’t be deleted

• T3243 (feature): Update Linux Kernel to v5.4.92 / 5.10.10

3.2.40 2021-01-21

• T3237 (bug): DHCP Server Static-Mapping Validation Error

3.2.41 2021-01-18

• T2761 (feature): Extend “show vrrp”op-mode command with router priority

• T2679 (feature): VRRP with BFD Failure Detection
• T3212 (bug): SSH: configuration directory is not always created on boot
• T3231 (bug): “system option ctrl-alt-delete”has no effect

3.2.42 2021-01-17

• T3222 (bug): BGP dampening description

• T2944 (bug): NTP by default listen on any address/interface
• T3226 (bug): Repair bridge smoke test damage
• T2442 (enhancment): Move application of STP settings for bridge members from interfaces-bridge.py to Inter-
face.add_to_bridge()
• T2381 (bug): OpenVPN: openvpn-option parsed/rendered improperly

3.2. 1.3 Equuleus 14

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.43 2021-01-16

• T3215 (bug): show ipv6 route Broken on 1.4 Rolling

• T3172 (bug): Builds sometime after 2020-12-17 have broken routing after reboot
• T3157 (bug): salt-minion fails to start due to permission error accessing /root/.salt/minion.log
• T3167 (default): Recurring bugs in Intel NIC drivers
• T3151 (default): Decide on the final list of packages for 1.3
• T3137 (feature): Let VLAN aware bridge approach the behavior of professional equipment
• T3223 (feature): Update Linux Kernel to v5.4.89 / 5.10.7

3.2.44 2021-01-15

• T3210 (feature): ISIS three-way-handshake

• T3184 (feature): Add correct desctiptions for BGP neighbors
• T2850 (feature): Add BGP template for FRR

3.2.45 2021-01-14

• T3218 (feature): Replace Intel out-of-tree drivers with Linux Kernel stock drivers.

3.2.46 2021-01-13

• T3186 (bug): NAT: bug with “!”invert character

3.2.47 2021-01-12

• T3205 (bug): Does not possible to configure tunnel mode gre-bridge

3.2.48 2021-01-11

• T3208 (bug): Does not possible to change user password

• T3198 (bug): OSPF database filtering issue
• T3206 (bug): Unable to delete destination NAT rule
• T3193 (bug): DHCPv6 PD verification issues
• T3201 (bug): show log all Not Working for RADIUS Users

3.2. 1.3 Equuleus 15

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.49 2021-01-10

• T3178 (feature): Migrate vyatta-op-quagga to vyos-1x

3.2.50 2021-01-09

• T2467 (bug): Restarting Flow Accounting Fails

• T3199 (feature): Update Linux Kernel to v5.4.88 / 5.10.6

3.2.51 2021-01-07

• T3192 (feature): login: radius: add support for IPv6 RADIUS servers

3.2.52 2021-01-05

• T3169 (enhancment): Reimplement smoke test of span (mirror)

• T3161 (default): Consider removing ConfigLoad.pm
• T1398 (default): Remove vyatta-config-migrate package
• T805 (enhancment): Drop config compatibility with Vyatta Core older than 6.5

3.2.53 2021-01-04

• T3185 (bug): [conf-mode] Wrong CompletionHelp for Tunnel local-ip

• T3152 (bug): wan-load-balance does not show connections
• T2601 (bug): pppoe-server: does not possible to disable ccp

3.2.54 2021-01-03

• T3180 (bug): DHCP server raises NameError

3.2.55 2021-01-02

• T3175 (bug): Dynamic DNS validations don’t reflect supported protocols in ddclient
• T2321 (feature): VRF support for SSH, NTP, SNMP service
• T3177 (bug): Rolling Release no longer reports VMware UUID

3.2. 1.3 Equuleus 16

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.56 2021-01-01

• T3171 (feature): Add CLI option to enable RPS (Receive Packet Steering)

3.2.57 2020-12-31

• T3162 (bug): PPPoE server pado-delay issue

• T3160 (bug): PPPoE server called-sid option does not work
• T3168 (feature): Update Linux Kernel to v5.4.86

3.2.58 2020-12-29

• T3082 (bug): multi_to_list must distinguish between values and defaults

• T1466 (feature): Add EAPOL login support

3.2.59 2020-12-28

• T1732 (feature): Removing vyatta-webproxy module

• T2666 (feature): Packet Processing with eBPF and XDP
• T2581 (default): webproxy: implement proxy chaining
• T563 (feature): webproxy: migrate ‘service webproxy’to get_config_dict()

3.2.60 2020-12-27

• T3150 (bug): When configuring QoS, the setting procedure of port mirroring is wrong

3.2.61 2020-12-23

• T3143 (bug): OpenVPN server: Push route does not work

• T3146 (feature): Upgrade FRR from 7.4 -> 7.5 version incl. new libyang
• T3145 (feature): Update Linux Kernel to v5.4.85
• T3147 (feature): Upgrade to SaltStack version 3002.2

3.2.62 2020-12-22

• T3142 (bug): OpenVPN op-command completion issue

• T2940 (feature): Update FRR to 7.4
• T2573 (bug): BFD opmode Commands are broken
• T2495 (feature): Add xml for ISIS [conf_mode]
• T1316 (feature): Support for IS-IS

3.2. 1.3 Equuleus 17

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.63 2020-12-20

• T3131 (bug): Typo in ipsec preshared-secret help

• T3134 (bug): DHCPv6 DUID configuration node missing
• T3140 (feature): Relax “ethernet offload-options”CLI definition

3.2.64 2020-12-17

• T2810 (default): Docs for vpn anyconnect-server

• T2036 (default): Open Connect VPN Server () support

3.2.65 2020-12-14

• T3128 (bug): pppoe smoke test failed

• T3129 (feature): Update Linux Kernel to v5.4.83
• T3089 (feature): Migrate port mirroring to vyos-1x and support two-way traffic mirroring
• T3130 (feature): Replace vyos-netplug with upstream debian version

3.2.66 2020-12-13

• T3114 (bug): When the bridge member is a non-ethernet interface, setting VLAN-aware bridge parameters fails

3.2.67 2020-12-11

• T3123 (bug): Configuration of vti interface impossible

3.2.68 2020-12-10

• T3117 (bug): OpenVPN config migration errors upgrading from 1.3-rolling-202010280217 to 1.3-rolling-
202012060217

3.2.69 2020-12-09

• T3122 (feature): Update Linux Kernel to v4.19.162

• T3121 (bug): get_config_dict() and key_mangling=(‘-‘, ‘_’) Broke PowerDNS dns_forwarding config file

3.2. 1.3 Equuleus 18

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.70 2020-12-08

• T2562 (bug): VyOS can’t be used as a DHCP server for a DHCP relay

3.2.71 2020-12-07

• T3120 (bug): 1.3-rolling-202012070217 python error when deleting nat rule

• T3119 (feature): migrate “system ip”to get_config_dict() and provide smoketest

3.2.72 2020-12-05

• T2744 (bug): igmp-proxy issue: Address already in use

3.2.73 2020-12-04

• T3108 (bug): Section Config overlapped match with FRRConfig

• T3112 (feature): PPPoE IPv6: remove “enable”node
• T3100 (feature): Migrate DHCP/DHCPv6 server to get_config_dict()

3.2.74 2020-12-03

• T3105 (bug): static-host-mapping writing in one line

• T3107 (feature): Update Linux Kernel to v4.19.161
• T3104 (bug): LLDP Traceback error

3.2.75 2020-12-01

• T3094 (bug): Can not specify multiple deny ports in FW rule

• T3102 (bug): Destination NAT fails to commit
• T2713 (bug): VyOS must not change permissions on files in /config/auth

3.2.76 2020-11-30

• T3091 (feature): Add “tag”for static route

• T1207 (feature): DMVPN behind NAT

3.2. 1.3 Equuleus 19

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.77 2020-11-29

• T2297 (feature): NTP add support for pool configuration

• T3095 (feature): Migrate dhcp-relay and dhcpv6-relay to get_config_dict()

3.2.78 2020-11-28

• T2890 (bug): NAT error adding translation address range

• T2868 (bug): Tcp-mss option in policy calls kernel-panic
• T3092 (feature): nat: migrate to get_config_dict()

3.2.79 2020-11-27

• T2715 (feature): Duplicate address detection option supporting ARP

• T2714 (feature): A collection of utilities supporting IPv6 or ipv4
• T3088 (feature): Migrate IGMP-Proxy over to get_config_dict() and add smoketests

3.2.80 2020-11-24

• T3087 (feature): Update Linux Kernel to v4.19.160

3.2.81 2020-11-23

• T2177 (default): Commit fails on adding disabled interface to bridge

• T3066 (bug): reboot in - Invalid time
• T2802 (bug): Tunnel interface does not apply EUI-64 IPv6 Address
• T2359 (bug): Adding IPIP6 tun interface to bridge [conf_mode] errors
• T2357 (bug): GRE-bridge conf_mode errors
• T2259 (feature): Support for bind vif-c interfaces into VRFs
• T2205 (bug): “set interface ethernet”fails on Hyper-V
• T2182 (bug): Failure to commit an IPv6 address on a tunnel interface
• T2155 (bug): Cannot set anything on Intel 82599ES 10-Gigabit SFI/SFP+
• T2153 (bug): traceroute circular reference
• T3081 (bug): get_config_dict() does not honor whitespaces in the CLI values field
• T3080 (bug): OpenVPN failing silently for a number of reasons in rolling post Nov/02
• T3074 (bug): openvpn site-to-site dosn’t work
• T2542 (bug): OpenVPN client tap interfaces not coming up
• T3084 (bug): wifi: TypeError on “show interfaces wireless info”

3.2. 1.3 Equuleus 20

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.82 2020-11-21

• T3079 (bug): Fix the problem that VLAN 1 will be deleted in VLAN-aware bridge
• T3060 (bug): OpenVPN not working in vyos-1.3-rolling-20201101 and after

3.2.83 2020-11-20

• T3078 (feature): CLI cleanup: rename “system options”-> “system option”

• T2997 (feature): DHCP: disallow/do-not-request certain options when requesting IP address from server
• T3077 (feature): WireGuard: automatically create link-local IPv6 adresses
• T2550 (default): OpenVPN: IPv4 not working in client mode
• T3072 (feature): Migrate tunnel interfaces to new get_config_dict() approach
• T3065 (feature): Add “interfaces wirelessmodem”IPv6 support
• T3048 (feature): Drop static smp-affinity for a more dynamic way using tuned

3.2.84 2020-11-19

• T3067 (bug): Wireless interface can no longer be added to the bridge after bridge VLAN support
• T3075 (feature): Update Linux Kernel to v4.19.158

3.2.85 2020-11-16

• T3003 (enhancment): Extend smoketest framework to allow loading an arbitrary config file

3.2.86 2020-11-15

• T3069 (bug): openvpn - routed networks not available

• T3038 (feature): Supporting AZERTY keyboards
• T2993 (bug): op-mode: lldp: show lldp neighbors - AttributeError: ‘str’object has no attribute ‘items’
• T2564 (enhancment): Extend VyOS to support appliance LCDs

3.2.87 2020-11-14

• T3041 (bug): Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure

3.2. 1.3 Equuleus 21

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.88 2020-11-13

• T3063 (feature): Add support for Huawei LTE Module ME909s-120

• T3059 (bug): L2TPv3 interface: Enforced to shutdown but no command to enable interface permanently

3.2.89 2020-11-12

• T3064 (feature): Update Linux Kernel to v4.19.157

3.2.90 2020-11-10

• T2103 (bug): Abnormal interface names if VIF present

3.2.91 2020-11-08

• T3050 (bug): Broken address/subnet validation on NAT configuration

3.2.92 2020-11-07

• T2914 (bug): OpenVPN: Fix for IPv4 remote-host hostname in client mode:
• T2653 (feature): “set interfaces”Python handler code improvements - next iteration
• T311 (feature): DHCP: set client-hostname via CLI

3.2.93 2020-11-06

• T3051 (bug): OpenVPN: multiple client routes do not work in server mode
• T3046 (bug): openvpn directory is not auto-created
• T3052 (feature): Update Linux firmware files to 20201022 version
• T2731 (bug): “show interfaces”returns invalid state when link is down

3.2.94 2020-11-05

• T3049 (feature): Update Linux Kernel to v4.19.155

• T2994 (feature): Migrate OpenVPN interfaces to get_config_dict() syntax

3.2. 1.3 Equuleus 22

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.95 2020-11-03

• T3043 (feature): Wireless: Refactor CLI

• T3034 (feature): Add WiFi WPA 3 support
• T2967 (bug): Duplicate IPv6 BFD Peers Created
• T2483 (bug): DHCP most likely not restarting pdns_recursor

3.2.96 2020-11-02

• T3024 (bug): DHCPv6 PD configuration doesn’t really render an expected behavior

3.2.97 2020-11-01

• T3036 (feature): OpenVPN remote-address does not accept IPv6 address

• T3032 (feature): Ability to “set table”in the policy route-map
• T2193 (feature): Display disabled VRRP instances in a show vrrp output

3.2.98 2020-10-30

• T2790 (feature): Add ability to set ipv6 protocol route-map for OSPFv3
• T3033 (feature): Update Linux Kernel to v4.19.154
• T2969 (bug): OpenVPN: command_set on interface is not applied, if interface doesn’t come up in commit

3.2.99 2020-10-28

• T2631 (default): l2tp, sstp, pptp add option to disable radius accounting
• T2630 (feature): Allow Interface MTU over 9000
• T3027 (bug): Unable to update system Signature check FAILED
• T2995 (bug): Enhancements/bugfixes for vyos_dict_search()
• T2968 (feature): Add support for Intel Atom C2000 series QAT

3.2.100 2020-10-27

• T3026 (default): qemu: update script for deprecated ssh_host_port_min/max

• T2938 (feature): Adding remote Syslog RFC5424 compatibility
• T2924 (bug): Using ‘set src’in a route-map invalidates it as part of a subsequent boot-up
• T2587 (bug): Cannot enable the interface when the MTU is set to less than 1280
• T2885 (default): configd: print commit errors to config session terminal
• T2808 (default): Add smoketest to ensure script consistency with config daemon
• T2582 (default): Script daemon to offload processing during commit

3.2. 1.3 Equuleus 23

 VyOS Documentation, 发布 1.4.x (sagitta)

• T1721 (bug): Recursive Next Hop not updated for static routes

3.2.101 2020-10-26

• T3016 (feature): dhcp-server: use better constraint error message on invalid subnet

3.2.102 2020-10-24

• T3007 (default): HTTP-API should use config load script, not backend config load
• T2984 (bug): (igb, ixgbe) HW queues applied only for the first 2 interfaces
• T3009 (bug): vpn l2tp remoteaccess require option broken
• T3010 (bug): ttl option of gre-bridge
• T3005 (bug): Intel: update out-of-tree drivers, i40e driver warning
• T3004 (feature): ConfigSession should (optionally) use config load script
• T2723 (feature): Support tcptraceroute

3.2.103 2020-10-22

• T2978 (bug): IPoE service does not work on shared mode.

• T2906 (bug): OpenVPN: tls-auth missing key direction

3.2.104 2020-10-21

• T2828 (bug): BGP conf_mode error enforce-first-as

• T2749 (bug): Setting ethx configuration issue.
• T2138 (default): Can’t load archived configs as they are gzipped

3.2.105 2020-10-20

• T2987 (bug): VxLAN not working properly after upgrading to latest October build (also with newinstallation)
• T2989 (default): MPLS documentation expansion

3.2.106 2020-10-19

• T1588 (bug): VRRP failed to start if any of its interaces not exist
• T1385 (feature): Allow bonding interfaces to have pseudo-ethernet interfaces
• T3000 (bug): Mismatch between “prefix-length”and “preference”in dhcp6-server syntax
• T2992 (feature): Automatically verify sha256 checksum on ISO download
• T752 (feature): Disable IPv4 forwarding on specific interface only

3.2. 1.3 Equuleus 24

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.107 2020-10-18

• T2965 (feature): Brief BFD Peer Info

• T2907 (feature): OpenVPN: Option to disable encryption
• T2985 (feature): Add glue code to create bridge interface on demand

3.2.108 2020-10-17

• T2980 (bug): FRR bfdd crash due to invalid length

• T2991 (feature): Update WireGuard to 1.0.20200908
• T2990 (feature): Update Linux Kernel to v4.19.152
• T2981 (feature): MPLS LDP neighbor session clear capability
• T2792 (default): Failed to run sudo make qemu with vyos-build container due to the change of packer

3.2.109 2020-10-14

• T2972 (bug): PPPoE server rate limiter allows max 65535 kbps to be set

3.2.110 2020-10-13

• T2976 (bug): Client IP pool does not work for PPPoE local users

3.2.111 2020-10-12

• T2951 (bug): monitor nat not working

• T2782 (bug): Changing timezone, does not restart rsyslog

3.2.112 2020-10-11

• T2973 (bug): tftp-server cannot listen on IPv6 address

3.2.113 2020-10-08

• T2891 (feature): Support to change ring-buffers from CLI

3.2. 1.3 Equuleus 25

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.114 2020-10-06

• T2957 (bug): show openvpn not returning anything

3.2.115 2020-10-05

• T2963 (bug): Wireless: WIFI is not password protected when security wpa mode is not defined but passphrase is

3.2.116 2020-10-04

• T2953 (feature): Accel-PPP services CLI config cleanup (SSTP, L2TP, PPPoE, IPoE)
• T2829 (bug): PPPoE server: mppe setting is implemented as node instead of leafNode
• T2960 (feature): sstp: migrate to get_config_dict()

3.2.117 2020-10-03

• T2956 (feature): Add support for list of defaultValues

• T2955 (feature): Update Linux Kernel to v4.19.149

3.2.118 2020-10-02

• T2952 (bug): configd: timeout breaks synchronization of messages, causing freeze

3.2.119 2020-10-01

• T2945 (bug): Interface removed from BRIDGE on setting changed

• T2948 (bug): NAT: OSError when configuring translation address range
• T2936 (feature): Migrate PPPoE server to get_config_dict() do reduce boilerplate code

3.2.120 2020-09-30

• T2939 (bug): Wireguard Remove Peer Fails

• T2932 (bug): The second QAT device does not start

3.2.121 2020-09-29

• T2919 (feature): PPPoE server: Called-Station-Id attribute

• T2918 (feature): Accounting interim jitter for pppoe, l2tp, pptp, ipoe
• T2917 (feature): PPPoE server: Preallocate NAS-Port-Id
• T2937 (feature): Update Linux Kernel to v4.19.148

3.2. 1.3 Equuleus 26

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.122 2020-09-27

• T2930 (feature): Support configuration of MAC address for VXLAN and GENEVE tunnel

3.2.123 2020-09-26

• T2902 (bug): “add system image”fails when appending XX to image name

• T2856 (bug): equuleus: show version all throws broken pipe exception on abort
• T2482 (enhancment): Update PowerDNS recursor to 4.3.1 for CVE-2020-10995
• T2929 (bug): Upgrading from 1.2 (crux) to 1.3 rolling causes vyos.configtree.ConfigTreeError for RADIUS set-
tings
• T2928 (bug): MTU less then 1280 bytes and IPv6 will raise FileNotFoundError
• T2926 (bug): snmp.py missing an import
• T2912 (feature): When setting MTU check for hardware maximum supported MTU size

3.2.124 2020-09-25

• T2915 (bug): Lost “proxy-arp-pvlan”option for vlan

• T2925 (feature): Update Linux Kernel to v4.19.147
• T2921 (feature): Migrate “service dns forwarding”to get_config_dict() for ease of source maintenance

3.2.125 2020-09-24

• T2896 (bug): set ip route 0.0.0.0/0 dhcp-interface eth0

• T2923 (bug): Configuring DHCPv6-PD without a interface to delegate to raises TypeError

3.2.126 2020-09-23

• T2846 (bug): ip route doesn’t show longer-prefixes

3.2.127 2020-09-20

• T2904 (feature): 802.1ad / Q-in-Q ethertype default not utilized

• T2905 (feature): Sync CLI nodes between PPPoE and WWAN interface
• T2903 (feature): Q-in-Q (802.1.ad) ethertype should be defined explicitly and not via its raw value

3.2. 1.3 Equuleus 27

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.128 2020-09-19

• T2894 (bug): bond: lacp: member interfaces get removed once bond interface has vlans configured
• T2901 (feature): Update Linux Kernel to v4.19.146
• T2900 (bug): DNS forwarding: invalid warning is shown for“system name-server”or“system name-servers-dhcp”
even if present

3.2.129 2020-09-18

• T945 (bug): Unable to change configuration after changing it from script (vbash + script-template)

3.2.130 2020-09-16

• T2886 (bug): RADIUS authentication broken only returns operator level

• T2887 (bug): WiFi ht40+ channel width is not set in hostaptd.conf

3.2.131 2020-09-15

• T2515 (bug): Ethernet interface is automatically disabled when removing it from bond

3.2.132 2020-09-14

• T2872 (bug): “Show log”for nat and openvpn got inter-mixed

• T2301 (bug): Delete PBR vyatta_policy_ref
• T2880 (feature): Update Linux Kernel to v4.19.145
• T2879 (feature): Cleanup 4.19.144 kernel configuration

3.2.133 2020-09-13

• T2878 (feature): LACP / bonding: new op-mode command: show interfaces bonding bond0 detail
• T2858 (feature): Rewrite dynamic dns client to get_config_dict()
• T2857 (feature): Cleanup Intel QAT configuration script
• T2841 (bug): “monitor bandwidth-test initiate”does not accept IPv6 address as option
• T2877 (feature): LACP / bonding: support configuration of minimum number of links

3.2. 1.3 Equuleus 28

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.134 2020-09-12

• T2863 (default): Wireguard IPv6 Link-Local Addresses Are Not Unique

• T2876 (feature): Update Linux Kernel to v4.19.144

3.2.135 2020-09-10

• T2870 (feature): Update Linux Kernel to v5.8.8

3.2.136 2020-09-09

• T2728 (bug): Protocol option ignored for IPSec peers in transport mode
• T1934 (default): Change default hostname when deploy from OVA without params.
• T1953 (bug): DDNS service name validation rejects valid service names

3.2.137 2020-09-07

• T1729 (default): PIM (Protocol Independent Multicast) implementation

3.2.138 2020-09-06

• T2860 (bug): Update Accel-PPP to fix l2tp CVE

3.2.139 2020-09-02

• T2833 (bug): vyos 1.3-rolling-202008200357 RIP outgoing update filter list no longer operational
• T2849 (bug): vyos.xml.defaults should return a list on multi nodes, by default

3.2.140 2020-08-31

• T2636 (bug): get_config_dict() shall always return a list on <multi/> nodes

3.2.141 2020-08-30

• T2843 (feature): Upgrade Linux Kernel to 5.8 series

• T2814 (default): kernel 5.1+ : NAT : module nft_chain_nat_ipv4 renamed
• T2839 (feature): Upgrade WireGuard user-space tools and Kernel module
• T2842 (feature): Replace custom “wireguard, wireguard-tools”package with debian-backports version
• T1205 (bug): module pcspkr missing

3.2. 1.3 Equuleus 29

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.142 2020-08-29

• T2836 (default): show system integrity broken in 1.3

3.2.143 2020-08-28

• T2126 (bug): show vpn ipsec sa IPSec - Process NOT Running

• T2813 (bug): NAT: possible to commit illegal source nat without translation
• T1463 (bug): Missing command show ip bgp scan appears in command completion

3.2.144 2020-08-27

• T2832 (feature): Migrate vyos-smoketest content into vyos-1x

3.2.145 2020-08-26

• T2830 (default): Migrate “service https”to use get_config_dict()

• T2831 (feature): Update Linux Kernel to v4.19.142

3.2.146 2020-08-25

• T2826 (bug): frr: frr python lib error in replace_section

3.2.147 2020-08-24

• T2423 (bug): Loadkey scp ssh key errors

3.2.148 2020-08-23

• T2811 (bug): Does not possible to delete vpn anyconnect

• T2823 (bug): VXLAN has state A/D after configuration
• T2812 (default): Add basic smoketest for anyconnect

3.2.149 2020-08-22

• T2822 (feature): Update Linux Kernel to v4.19.141

• T2821 (feature): Support DHCPv6-PD without “address dhcpv6”
• T2677 (feature): Proposal for clearer DHCPv6-PD configuration options

3.2. 1.3 Equuleus 30

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.150 2020-08-20

• T2209 (bug): Documentation has reference to the old ‘user x level admin’option
• T1665 (default): prefix-list and prefix-list6 rules incorrectly accept a host address where prefix is required
• T2815 (default): Move certbot config directory under /config/auth

3.2.151 2020-08-19

• T2794 (bug): op-mode: lldp: “show lldp neighbors”IndexError: list index out of range
• T2791 (feature): “monitor traceroute”has no explicit IPv4/IPv6 support
• T1515 (bug): FRR ospf6d crashes when performing: “show ipv6 ospfv3 database”

3.2.152 2020-08-16

• T2277 (bug): dhclient-script-vyos does not support VRFs

• T2090 (default): Deleting ‘service salt-minion’causes python TypeError

3.2.153 2020-08-15

• T2797 (feature): Update Linux Kernel to v4.19.139

• T2796 (bug): PPPoE-Server: listen interface is mandatory but validation check is missing

3.2.154 2020-08-14

• T2795 (bug): console server fails to commit

3.2.155 2020-08-12

• T2786 (bug): OSPF Interface Cost

• T2325 (bug): NHRP op-mode errors
• T2227 (feature): MPLS documentation
• T2767 (bug): The interface cannot be disabled for network enabled configuration
• T2316 (bug): DHCP-server op-mode errors

3.2. 1.3 Equuleus 31

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.156 2020-08-11

• T2779 (bug): LLDP: “show lldp neighbors interface”does not yield any result
• T2379 (bug): But when I get DHCPv6 address for interface deletion, script execution error occurs
• T2784 (default): Remove unused arg from host_name.py functions verify and get_config

3.2.157 2020-08-10

• T2780 (feature): Update Linux Kernel to v4.19.138

3.2.158 2020-08-08

• T2716 (bug): Shaper-HFSC shapes but does not control latency correctly
• T2497 (default): Cache config string during commit
• T2501 (bug): Cannot recover from failed boot config load
• T1974 (feature): Allow route-map to set administrative distance
• T1949 (bug): Multihop IPv6 BFD is unconfigurable

3.2.159 2020-08-04

• T2758 (bug): router-advert: ‘infinity’is not a valid integer number

• T2637 (bug): Vlan is not removed from the system
• T1194 (bug): cronjob is being setup even if not saved
• T1287 (bug): No DHCPv6 leases reported for “show dhcpv6 client leases”

3.2.160 2020-08-03

• T2241 (default): Changing settings on an interface causes it to fall out of bridge

• T2757 (bug): “show system image version”contains additional new-line character breaking output
• T1826 (bug): Misleading message on “reboot at”command
• T1511 (default): Rewrite ethernet setup scripts to python
• T1600 (default): Convert ‘ping’operation from vyatta-op to new syntax
• T1486 (bug): Unknown LLDP version reported to peers
• T1414 (enhancment): equuleus: buster: 10-unmountfs.chroot fail under apply
• T1076 (bug): SSH: make configuration (sshd_config) volatile and store it to /run
• T770 (bug): Bonded interfaces get updated with incorrect hw-id in config.
• T2724 (feature): Support for IPv6 Toolset
• T2323 (bug): LLDP: “show lldp neighbors detail”returns warnings when service is not configured
• T1754 (bug): DHCPv6 client is impossible to restart

3.2. 1.3 Equuleus 32

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.161 2020-08-02

• T2756 (feature): Accel-PPP: make RADIUS accounting port configurable

3.2.162 2020-08-01

• T2752 (bug): Exception when configuring unavailable ethernet interface

• T2751 (feature): Update Linux Kernel to v4.19.136
• T2753 (feature): Rewrite “add system image”op mode commands in XML
• T2690 (feature): Add VRF support to the add system image command

3.2.163 2020-07-30

• T2746 (feature): IPv6 link-local addresses not configured

• T2678 (bug): High RAM usage on SSH logins with lots of IPv6 routes in the routing table.
• T2701 (bug): vpn ipsec pfs enable doesn’t work with IKE groups
• T2745 (feature): router-advert: migrate to get_config_dict()

3.2.164 2020-07-29

• T2743 (feature): WireGuard: move key migration from config script to migration script
• T1241 (bug): Remove of policy route throws CLI error
• T2742 (feature): mDNS repeater: migrate to get_config_dict()

3.2.165 2020-07-28

• T1117 (feature): ‘show ipv6 bgp route-map’missing

• T928 (feature): pimd support

3.2.166 2020-07-27

• T2729 (feature): Pseudo-ethernet replace fail message.

• T1249 (feature): multiply PBR rules can set to a single interface
• T1956 (feature): PPPoE server: support PADO-delay
• T1295 (feature): FRR: update documentation
• T1222 (bug): OSPF routing problem - route looping
• T1158 (bug): Route-Map configuration dropped updating rc11 to epa2
• T1130 (bug): Deleting BGP communities from prefix does not work
• T1086 (bug): Configs not saving
• T2067 (feature): pppoe-server: Add possibility set multiple service-name

3.2. 1.3 Equuleus 33

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.167 2020-07-26

• T2734 (feature): WireGuard: fwmark CLI definition is inconsistent

• T2733 (feature): Support MTU configuration on pseudo ethernet devices
• T2644 (default): Disabling Bonded Interfaces Broken
• T2476 (bug): Bond member description change leads to network outage
• T2443 (feature): NHRP: Add debugging information to syslog
• T2021 (bug): OSPFv3 doesn’t support decimal area syntax
• T1901 (bug): Semicolon in values is interpreted as a part of the shell command by validators
• T2000 (bug): strongSwan does not install routes to table 220 in certain cases
• T2091 (bug): swanctl.conf file is not generated properly is more than one IPsec profile is used
• T1983 (feature): Expose route-map when BGP routes are programmed in to FIB
• T1973 (feature): Allow route-map to match on BGP local preference value
• T1853 (bug): wireguard - disable peer doesn’t work
• T832 (bug): show monitoring protocols bgp doesn’t work with frr
• T1985 (feature): pppoe: Enable ipv6 modules without configured ipv6 pools

3.2.168 2020-07-25

• T2730 (feature): Update Linux Kernel to v4.19.134

• T2106 (bug): Wrong interface states after reboot
• T1507 (default): cli: logical redundancy with boolean type

3.2.169 2020-07-24

• T2097 (bug): Problems when using <path> as completion helper in op-mode

• T2092 (bug): dhcp-server rfc3442 static route sould add default route
• T1817 (bug): BGP next-hop-self not working.
• T1462 (bug): Upgrade path errors 1.1.8 to 1.2.1-S2
• T1372 (bug): Diff functionality behaves incorrectly in some cases
• T2073 (feature): ipoe-server: reset op-mode command for sessions
• T1715 (bug): System DNS Server Order Incorrect

3.2. 1.3 Equuleus 34

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.170 2020-07-23

• T2673 (bug): After the bridge is configured with Mac, bridge is automatically disabled
• T2626 (bug): Changing pseudo-ethernet mode, throws CLI error
• T2608 (bug): delete pseudo-ethernet failed (another error type)
• T2527 (bug): bonding: the last slave interface is not deleted
• T2358 (bug): ip6ip6 bridge conf_mode errors
• T2346 (bug): Setting Hostname Returns Error
• T2330 (bug): Vpn op-mode syntax
• T2188 (default): NTP op-mode commands don’t work

3.2.171 2020-07-22

• T2718 (bug): ntp.conf updated incorrectly.

• T2658 (bug): Interface description comment display error
• T2643 (bug): Show Interface Command Issues
• T2725 (bug): Recent 1.3 rolling (since May) fail to load config if user has no password - KeyError:
‘password_encrypted’
• T2707 (default): Allow alternative initialization data for Config

3.2.172 2020-07-20

• T2709 (bug): Destination NAT translation port without address fails to commit
• T2519 (bug): Broadcast address does not add automatically

3.2.173 2020-07-19

• T2708 (bug): “show flow-accounting”should not display script’s “usage”help

• T2592 (default): dhcp-relay discarding packets on valid interfaces
• T2712 (feature): udp-broadcast-relay: serivce no longer starts
• T2706 (feature): Support NDP protocol monitoring

3.2.174 2020-07-18

• T2704 (bug): connect/disconnect Missing newline in op-mode tab completion helper

• T2689 (feature): Add helper functions to query changes between session and effective configs
• T2585 (bug): Unable to access the Internet after opening PPPoE on-demand dialing

3.2. 1.3 Equuleus 35

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.175 2020-07-15

• T2675 (bug): DNS service failed to start

• T2596 (feature): Allow specifying source IP for ‘add system image’

3.2.176 2020-07-12

• T1575 (default): show snmp mib ifmib crashes with IndexError

• T2696 (bug): Some bugfixes of vyatta-wanloadbalance

3.2.177 2020-07-11

• T2687 (feature): SNMP: change logic on v3 password encryption

• T2693 (bug): Dhcp6c cannot be restarted after PPPoE link is reset

3.2.178 2020-07-08

• T2692 (bug): Evaluate Setting Default Hash Policy to L3+L4

• T2646 (bug): Sysctl for IPv4 ECMP Hash Policy Not Set

3.2.179 2020-07-07

• T2691 (bug): Upgrade from 1.2.5 to 1.3-rolling-202007040117 results in broken config due to case mismatch
• T2389 (bug): BGP community-list unknown command
• T2686 (bug): FRR: BGP: large-community configuration is not applied properly after upgrading FRR to 7.3.x
series

3.2.180 2020-07-06

• T2680 (bug): Dhcp6c service can not recover when it fails.

3.2.181 2020-07-05

• T2684 (feature): Update Linux Kernel to v4.19.131

• T2685 (feature): Update Accel-PPP to fix SSTP client issues
• T2681 (bug): PPPoE stops negotiating IPv6

3.2. 1.3 Equuleus 36

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.182 2020-07-04

• T2682 (bug): VRF aware services - connection no longer possible after system reboot

3.2.183 2020-07-03

• T2670 (default): Remove dependency on show_config from get_config_dict

• T2676 (feature): NTP: migrate to get_config_dict() implementation

3.2.184 2020-07-02

• T2668 (default): get_config_dict: add get_first_key arg to utility function get_sub_dict

3.2.185 2020-07-01

• T2662 (default): get_config_dict includes node name as key only for tag and leaf nodes
• T2667 (feature): get_config_dict: Use utility function for non-empty path argument

3.2.186 2020-06-28

• T2660 (bug): XML: Python default dictionary does not obey underscore (_) when flat is False

3.2.187 2020-06-27

• T2656 (bug): XML: Python default dictionary returns wrong dictionary level(s)

3.2.188 2020-06-26

• T2642 (bug): sshd Broken on Latest Rolling Release

• T2588 (default): Add support for default values to the interface-definition format
• T2622 (bug): An issue with config migration (interface pseudo ethernet)
• T2057 (feature): Generalised Interface configuration
• T2625 (feature): Provide generic Library for package builds

3.2.189 2020-06-25

• T2487 (bug): VRRP does not display info when group disabled
• T2329 (bug): Show remote config openvpn
• T2165 (bug): When trying to add route to ripng it complains that ip address should be IPv4 format.
• T2159 (default): webproxy log read from wrong file
• T2101 (feature): Fix VXLAN config option parsing
• T2062 (bug): Wrong dhcp-server static route subnet bytes

3.2. 1.3 Equuleus 37

 VyOS Documentation, 发布 1.4.x (sagitta)

• T1986 (bug): Python configuration manipulation library leaks open files

• T1762 (bug): VLAN interface configuration fails after internal representation of edit level was switched from a
string to a list
• T1538 (bug): Update conntrack-sync packages to fix VRRP issues
• T1808 (feature): add package nftables

3.2.190 2020-06-24

• T2634 (feature): remove autogeneration of interface “ip section”from vyatta-cfg-system

• T2633 (bug): Error with arp_accept on tun interface
• T2595 (feature): Update Linux Kernel to v4.19.128
• T1938 (bug): syslog doesn’t start automatically

3.2.191 2020-06-23

• T2632 (bug): WireGuard: Can not use only one preshared-key for one peer
• T1829 (bug): Install Image script does not respect size of partition greater than 2G but less than disk size
• T2635 (feature): SSH: migrate to get_config_dict()

3.2.192 2020-06-22

• T2486 (bug): DNS records set via ‘system static-host-mapping’return NXDOMAIN from ‘service dns for-
warding’after a request to a forwarded zone
• T2463 (bug): DHCP-received nameserver not added to vyos-hostsd
• T2534 (bug): pdns-recursor override.conf error
• T2054 (bug): Changing “system name-server”doesn’t update dns forwarding config, neither does “restart dns
forwarding”
• T2225 (default): PIM/IGMP documentation

3.2.193 2020-06-21

• T2624 (feature): Serial Console: fix migration script for configured powersave and no console
• T2610 (bug): default-lifetime is not reflected in the RA message
• T2299 (feature): login radius-server priority
• T1739 (bug): Serial interface seems not to be deleted properly
• T480 (bug): Error if no serial interface is present (/dev/ttyS0: not a tty)

3.2. 1.3 Equuleus 38

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.194 2020-06-20

• T2621 (bug): show interfaces repeats interface description if it is longer then an arbitrary number of characters
• T2618 (default): Conversion from 1.2 to 1.3 lost RADVD prefix autonomous-flag setting

3.2.195 2020-06-19

• T2589 (bug): delete pseudo-ethernet failed

• T2490 (feature): Add serial (rs232) to ssh bridge service

3.2.196 2020-06-18

• T2614 (default): Add an option to mangle dict keys to vyos.config.get_config_dict()

• T2026 (default): Make cli-shell-api correctly exit with non-zero code on failures
• T1868 (default): Add opportunity to get current values from API

3.2.197 2020-06-17

• T2478 (feature): login radius: use NAS-IP-Address if defined source address

• T2141 (bug): Static ARP is not applied on boot
• T2609 (bug): router-advert: radvd does not start when lifetime is improperly configured
• T1720 (feature): support for more ‘show ip route’commands

3.2.198 2020-06-16

• T2604 (default): Remove use of is_tag in system-syslog.py

• T2605 (bug): SNMP service is not disabled by default
• T2568 (bug): Add some missing checks in config
• T2156 (default): PIM op-mode commands

3.2.199 2020-06-15

• T2600 (bug): RADIUS system login configuration rendered wrongly

• T2599 (bug): “show interfaces”does not list VIF interfaces in ascending order
• T2591 (bug): show command has wrong interfaces ordering
• T2576 (bug): “show interfaces”does not return VTI

3.2. 1.3 Equuleus 39

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.200 2020-06-14

• T2354 (bug): Wireless conf_mode errors

• T2593 (bug): source NAT translation port can not be set when translation address is set to masquerade
• T2594 (default): Missing firmware for iwlwifi

3.2.201 2020-06-11

• T2578 (bug): ipaddrcheck unaware of /31 host addresses - can no longer assign /31 mask to interface addresses
• T2571 (bug): NAT destination port with ! results in error
• T2570 (feature): Drop support for “system console device <device> modem”
• T2586 (bug): WWAN default route is not installed into VRF
• T2561 (feature): Drop support for “system console netconsole”
• T2569 (feature): Migrate “set system console”to XML and Python representation

3.2.202 2020-06-10

• T2575 (bug): pppoe-server: does not possibly assign IP address

• T2565 (bug): Does not possible connect to l2tp server with radius auth
• T2553 (bug): Regression: set interface ethN vif-s nnnn does not commit on 1.3-rolling-202006050621

3.2.203 2020-06-08

• T2559 (feature): Add operational mode command to retrieve hardware sensor data

3.2.204 2020-06-07

• T2529 (feature): WWAN: migrate from ttyUSB device to new device in /dev/serial/by-bus
• T2560 (feature): New op-mode command to display information about USB interfaces

3.2.205 2020-06-05

• T2548 (bug): Interfaces allowing inappropriate network addresses to be assigned

• T1958 (default): Include only firmware we actually need

3.2. 1.3 Equuleus 40

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.206 2020-06-04

• T2514 (enhancment): “mac”setting for bond members

3.2.207 2020-06-02

• T2129 (feature): XML schema: tagNode not allowed on first level in new XML op-mode definition
• T2545 (feature): Show physical device offloading capabilities for specified ethernet interface
• T2544 (feature): Enable Kernel KONFIG_KALLSYMS
• T2543 (feature): Kernel: always build perf binary but ship as additional deb package to not bloat the image
• T1096 (bug): BGP process memory leak

3.2.208 2020-06-01

• T2535 (feature): Update Intel QAT drivers to 1.7.l.4.9.0-00008

• T2537 (feature): Migrate “show log dns”from vyatta-op to vyos-1x
• T2536 (bug): “show log dns forwarding”still refers to dnsmasq
• T2538 (feature): Update Intel NIC drivers to recent release (preparation for Kernel >=5.4)
• T2526 (feature): Wake-On-Lan CLI implementation

3.2.209 2020-05-31

• T2532 (feature): VRF aware OpenVPN

3.2.210 2020-05-30

• T2388 (feature): template rendering should create folder and set permission
• T2531 (feature): Update Linux Kernel to v4.19.125
• T2530 (bug): Error creating VRF with a name of exactly 16 characters
• T2460 (default): Migrate vyatta-nat-translations.pl to Python

3.2.211 2020-05-29

• T2528 (bug): “update dns dynamic”throws FileNotFoundError excepton

3.2. 1.3 Equuleus 41

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.212 2020-05-28

• T1291 (default): Under certain conditions the VTI will stay forever down

3.2.213 2020-05-27

• T2395 (feature): HTTP API move to flask/flask-restx as microframework

• T1121 (bug): Can’t search for prefixes by community: Community malformed: AA:NN

3.2.214 2020-05-26

• T2520 (bug): Show conntrack fail

• T2502 (bug): PPPoE default route not installed for IPv6 when “default-route auto”
• T2458 (feature): Update FRR to 7.3.1
• T2506 (feature): DHCPv6-PD add prefix hint CLI option

3.2.215 2020-05-25

• T2391 (bug): pppoe-server session-control does not work

• T2269 (feature): SSTP specify tunnels names
• T1137 (bug): ‘sh ip bgp sum’being truncated

3.2.216 2020-05-22

• T2491 (feature): MACsec: create CLI for replay protection

• T2489 (feature): Add MACsec interfaces to “show interfaces”output
• T2201 (feature): Rewrite protocol BGP [op-mode] to new XML/Python style
• T2492 (feature): Do not set encrypted user password when it is not changed
• T2496 (feature): Set default to new syntax for config file component versions
• T2493 (feature): Update Linux Kernel to v4.19.124
• T2380 (bug): After PPPoE 0 is restarted, the default static route is lost

3.2.217 2020-05-21

• T1876 (bug): IPSec VTI tunnels are deleted after rekey and dangling around as A/D
• T2488 (feature): Remove logfile for dialup interfaces like pppoe and wwan
• T2475 (bug): linting
• T1820 (bug): VRRP transition scripts for sync-groups are not supported in VyOS (anymore)
• T2364 (default): Add CLI command for mroute
• T2023 (feature): Add support for 802.1ae MACsec

3.2. 1.3 Equuleus 42

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.218 2020-05-20

• T2480 (bug): NAT: after rewrite commit tells that dnat IP address is not locally connected
• T103 (bug): DHCP server prepends shared network name to hostnames

3.2.219 2020-05-19

• T2481 (feature): WireGuard: support tunnel via IPv6 underlay

• T421 (bug): VyOS lacks DHCPv6-PD (Prefix delegation) length / IA_PD support
• T815 (feature): Add DHCPv6 prefix-delegation support

3.2.220 2020-05-17

• T2471 (feature): PPPoE server: always add AdvAutonomousFlag when IPv6 is configured
• T2409 (default): At boot, effective config should not be equal to current config

3.2.221 2020-05-16

• T2466 (bug): live-build encounters apt dependency problem when building with local packages
• T2470 (feature): Update to PowerDNS recursor 4.3
• T2469 (feature): Update Linux Kernel to v4.19.123
• T2198 (default): Rewrite NAT in new XML/Python style

3.2.222 2020-05-15

• T2449 (bug): ‘ipv6 address autoconf’and ‘address dhcpv6’don’t work because interfaces have accept_ra=1
(they should have accept_ra=2 when forwarding=1)

3.2.223 2020-05-14

• T2456 (bug): netflow source-ip cannot be configured

3.2.224 2020-05-13

• T2435 (bug): Pseudo-ethernet Interfaces Broken

• T2294 (bug): ipoe-server broken (jinja2 template issue)

3.2. 1.3 Equuleus 43

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.225 2020-05-12

• T2454 (feature): Update Linux Kernel to v4.19.122

• T2392 (bug): SSTP with ipv6

3.2.226 2020-05-10

• T2445 (bug): VRF route leaking for ipv4 not working

• T2372 (bug): VLAN: error on commit if main interface is disabled
• T2439 (bug): Configuration dependency problem, unable to load complex configuration after reboot

3.2.227 2020-05-09

• T2427 (default): Interface addressing broken since fix for T2372 was merged
• T2438 (default): isc-dhcp-server(6).service reports startup success immediately even if dhcpd fails to start up
• T2432 (default): dhcpd: Can’t create new lease file: Permission denied
• T2367 (default): Flush addresses from bridge members

3.2.228 2020-05-08

• T2441 (bug): TZ validator has a parse error

• T2429 (bug): Vyos cannot apply VLAN sub interface to bridge

3.2.229 2020-05-06

• T2402 (bug): Live ISO should warn when configuring that changes won’t persist

3.2.230 2020-05-05

• T1899 (bug): Unionfs metadata folder is copied to the active configuration directory

3.2.231 2020-05-04

• T2412 (bug): ping flood does not work

• T701 (bug): LTE interface dosen’t come up
• T951 (bug): command ‘isolate-stations true/false’does not make any changes in the hostapd.conf

3.2. 1.3 Equuleus 44

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.232 2020-05-03

• T2420 (feature): Update Linux Kernel to v4.19.120

• T2406 (feature): DHCPv6 CLI improvements
• T2421 (feature): Update WireGuard to Debian release 1.0.20200429-2_bpo10+1

3.2.233 2020-05-02

• T2414 (feature): Improve runtime from Python numeric validator

• T2413 (feature): Update Linux Kernel to v4.19.119

3.2.234 2020-05-01

• T2411 (feature): op-mode: make “monitor traceroute”VRF aware

• T2347 (bug): During commit, any script output directed to stdout will contain path
• T2239 (default): build-vmware-image script ignores the predefined file path, uses the environment variable uncon-
ditionally.

3.2.235 2020-04-29

• T2399 (bug): op-mode “dhcp client leases”does not return leases

• T2398 (bug): op-mode “dhcp client leases interface”completion helper misses interfaces
• T2394 (feature): dhcpv6 client does not start
• T2393 (feature): dhclient: migrate from SysVinit to systemd
• T2268 (bug): DHCPv6 is broken

3.2.236 2020-04-28

• T1227 (bug): rip PW can’t be set at interface config

3.2.237 2020-04-27

• T2373 (feature): Required auth options for pppoe-server

• T1381 (feature): Enable DHCP option 121 processing
• T2010 (bug): Reboot at reports wrong time or missing timezone

3.2. 1.3 Equuleus 45

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.238 2020-04-26

• T2386 (bug): salt: upgrade to 2019.2 packages

• T2385 (bug): salt-minion: improve completion helpers
• T2384 (bug): salt-minion: log to syslog and remove custom logging option
• T2383 (feature): Update Linux Kernel to v4.19.118
• T2382 (bug): salt-minion: Throws KeyError on commit
• T2350 (bug): Interface geneve conf-mode error

3.2.239 2020-04-25

• T2304 (feature): “system login”add RADIUS VRF support

• T1842 (bug): Equuleus: “reboot at 04:00”command not working

3.2.240 2020-04-24

• T2375 (feature): WireGuard: throw exception if address and port are not given as both are mandatory
• T2348 (bug): On IPv6 address distribution and DHCPv6 bugs

3.2.241 2020-04-23

• T2369 (feature): VRF: can not leak interface route from default VRf to any other VRF
• T2368 (bug): VRF: missing completion helper when leaking to default table
• T2374 (bug): Tunnel interface can not be disabled
• T2362 (default): IPv6 link-local addresses missing due to EUI64 address code, causing router-advert not to work
• T2345 (default): IPv6 router-advert not working

3.2.242 2020-04-22

• T2361 (bug): Unable to delete VLAN vif interface

• T2339 (bug): OpenVPN: IPv4 no longer working after adding IPv6 support
• T2331 (bug): VRRP op-mode errors
• T2320 (bug): Wireguard creates non-existing interfaces in [op-mode].
• T2096 (feature): Provide “generate”and “show”commands via the http API
• T2351 (feature): Cleanup PPTP server implementation and CLI commands

3.2. 1.3 Equuleus 46

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.243 2020-04-21

• T2341 (bug): Pseudo-ethernet Interfaces Not Loaded on Boot

• T2270 (bug): using load with scp/sftp and a username and password does not work
• T2255 (bug): DNS forwarding op-mode error
• T1907 (bug): Traceback on a non-existent interface.
• T2204 (feature): Support tunnel source-interface

3.2.244 2020-04-20

• T2335 (bug): Unable to assign IPv6 from ISP

• T2317 (bug): l2tp overwriting ipsec config files
• T2292 (bug): Ensure graceful shutdown of vyos-http-api
• T2344 (bug): PPPoE server client static IP assignment silently fails

3.2.245 2020-04-19

• T2337 (default): hw-id gone missing from interfaces after upgrade to 1.3-rolling-202004191028
• T2340 (feature): Remove informational “sg”messages from syslog
• T2338 (bug): Can’t delete static IPv6 route on vrf
• T2336 (bug): OpenVPN service fails to start
• T2308 (default): openvpn op-mode scripts broken after migrating to systemd service
• T2185 (default): Start daemons with systemd units instead of with start-stop-daemon

3.2.246 2020-04-18

• T2318 (bug): dns-forwarding migrationscript broken

• T2319 (feature): Update Linux Kernel to v4.19.116
• T2314 (feature): Cleanup PPPoE server implementation and CLI commands
• T2313 (bug): Accel-PPP / PPPoEserver raises “Floating point exception”when not all limits are defined
• T2312 (feature): Use LED modules to enable more visible feedback on VyOS hardware chassis
• T2306 (feature): Add new cipher suites to the WiFi configuration
• T2286 (default): IPoE server vulnerability
• T2224 (feature): Update Linux Kernel to v4.19.114
• T2110 (feature): RADIUS: supply include file for radius config to have a uniform CLI
• T1874 (bug): FRR crashing triggered by RPKI
• T2324 (feature): Cleanup IPoE server implementation and CLI commands

3.2. 1.3 Equuleus 47

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.247 2020-04-17

• T2275 (bug): flow-accounting broken in rolling

• T2256 (feature): Accel-ppp op-mode syntax

3.2.248 2020-04-16

• T2295 (bug): Passwords with Special Characters Broken

• T2305 (feature): Add release name to “show version”command
• T2235 (default): OpenVPN server client IP doesn’t reserve that IP in the pool
• T149 (feature): IPv6 support in OpenVPN tunnel

3.2.249 2020-04-15

• T2293 (bug): OpenVPN: UnboundLocalError after merging server_network PullRequest

• T2298 (bug): Errors PDNS with name-server set

3.2.250 2020-04-14

• T2213 (bug): vyos-1x: WiFi mode ieee80211ac should also activate ieee80211n

3.2.251 2020-04-13

• T2283 (default): openvpn not starting: ccd path in template not moved to /run/openvpn/ccd
• T2236 (bug): DMVPN broken after tunnel rewrite to XML/Python
• T2284 (default): Upgrade ddclient to 3.9.1 which also brings systemd files
• T2282 (feature): Clarify hw-id in ethernet and wireless interface nodes
• T611 (feature): Static route syntax should reflect ip command routing capabilities, if possible.

3.2.252 2020-04-12

• T2273 (default): OpenVPN no longer starts in latest rolling, migrate to systemd

• T2263 (feature): Reset feature for SSTP sessions
• T2262 (bug): Broken reset commands for pptp and l2tp
• T2059 (default): Set source-validation on bond vif don’t work
• T2276 (default): PPPoE server vulnerability
• T1490 (bug): BGP configuration (is lost|not applied) when updating 1.1.8 -> 1.2.1
• T1828 (bug): Missing completion helper for “set system syslog host 192.0.2.1 facility all protocol”
• T2031 (bug): pseudo-ethernet link interface can not be changed

3.2. 1.3 Equuleus 48

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.253 2020-04-11

• T2264 (feature): l2tp: cleanup CLI definition

• T2233 (bug): Typos in wlanX.cfg
• T2238 (bug): After re-writing list_interfaces.py to use Interfaces() pseudo-ethernet is missing

3.2.254 2020-04-10

• T2265 (feature): DHCP to be an attribute of the class instead of a inheritance

• T2261 (bug): “client-config-dir”not being set for openvpn in 1.3-rolling-202004090909
• T2248 (bug): PPPoE Broken in Latest 1.3 Rolling (1.3-rolling-202004070629)
• T1629 (bug): IP addresses configured on vif-s interfaces are not added to the system
• T2266 (default): openvpn bridged client-server doesn’t work (validation error)
• T2253 (default): Fix use of cmd in merge config and remote function helpers

3.2.255 2020-04-09

• T2260 (feature): vxlan, pseudo-ethernet: convert link nodes to source-interface

• T2252 (bug): HTTP API add system image can return ‘504 Gateway Time-out’
• T2172 (feature): Enable conf VXLAN without remote address
• T2237 (bug): l2tp, pptp, pppoe wrong chap-secrets file

3.2.256 2020-04-08

• T2244 (feature): WireGuard: cleanup Python implementation and reduce amount of boilerplate code
• T2186 (feature): Provide more information to the user when a traceback is reported to the user
• T2246 (bug): LLDP op-mode error
• T2240 (feature): Support for bind vif-c interfaces into VRFs
• T2160 (feature): Allow restricting HTTP API to specific virtual hosts
• T2247 (feature): WireGuard: add VRF support

3.2.257 2020-04-05

• T2228 (bug): WireGuard does not allow ports < 1024 to be used
• T2212 (bug): vyos-1x: WiFi card antenna count not set accordingly
• T2230 (feature): Split out inlined Jina2 template to data/templates folder
• T2206 (feature): Split WireGuard endpoint into proper host and port nodes
• T2032 (bug): Monitor bandwidth bits

3.2. 1.3 Equuleus 49

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.258 2020-04-04

• T2158 (bug): Commit fails if ethernet interface doesn’t support flow control (pause)
• T2221 (bug): Ability to remove a VRF that has a next-hop-vrf as target
• T2211 (bug): vyos-1x: VHT channel width not set accordingly
• T2208 (bug): vyos-1x: commit on interfaces wireless wlanX capabilities vht link-adaptation (both|unsolicited) fails
• T2183 (bug): Number of bugs with wireguard script due to interface rearrangement.
• T2104 (default): ifconfig.py size
• T2028 (feature): Convert “interfaces tunnel”to new XML/Python representation
• T2219 (bug): VRF default route of PPPoE and WWAN interfaces do not get added into proper routing table
• T2222 (default): openvpn: requires “multihome”option to listen on all addresses with udp protocol

3.2.259 2020-04-02

• T2072 (bug): Shell autocomplete of option (config node) with quoted value doesn’t work
• T1823 (feature): l2tpv3 interface migration fails
• T2202 (feature): Update PowerDNS recursor to 4.2 series
• T2200 (feature): Add VRF support on wirelessmodem interfaces

3.2.260 2020-03-31

• T2166 (bug): Broken proxy-arp on vif

• T2069 (bug): PPPoE-client does not works with service-name option
• T2180 (bug): get_config_dict should be independent of CLI edit level
• T2053 (default): Update vyos-load-config.py for version string syntax change
• T2052 (default): Update vyos-merge-config.py for version string syntax change
• T2144 (default): vyos-build: docker: selection of text in the terminal still selects it in vim (mouse isn’t completely
disabled)

3.2.261 2020-03-30

• T2176 (default): ‘WiFiIf’object has no attribute ‘set_state’

• T2029 (feature): Switch to new syntax for config file component versions

3.2. 1.3 Equuleus 50

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.262 2020-03-29

• T2178 (bug): VRF interface don’t get removed when VRF is deleted
• T2170 (feature): Add ability to create static route from default to VRF
• T1831 (feature): Denest IPv6 router-advert from Interfaces to general service

3.2.263 2020-03-28

• T2167 (bug): vyos.ifconfig.get_mac() broken

• T2151 (default): wireless: can’t delete interface present in config but not present in system
• T1988 (feature): Migrate wirelessmodem to new XML/Python style interface

3.2.264 2020-03-27

• T2164 (bug): Package libstrongswan-standard-plugins missing from image

• T2105 (bug): wireless: not possible to disabled wlan0
• T2169 (default): Remove redundant use of show_config in vyos-merge-config

3.2.265 2020-03-26

• T2162 (default): migration script for router-advert sets link-mtu 0 on bridge interfaces
• T1735 (bug): Issue in “show vpn ipsec/ike sa”output with ipsec encryption algorithm
aes128gcm128/aes256gcm128/chacha etc

3.2.266 2020-03-25

• T2148 (default): openvpn: setting“server client”config without“server client ip”results in ValueError: ‘’does
not appear to be an IPv4 or IPv6 address
• T2146 (default): openvpn: “delete server client”doesn’t delete the corresponding ccd configs

3.2.267 2020-03-24

• T2157 (default): Organize service https listen-address/listen-port/server-name under ‘virtual-host’node

• T1845 (bug): syslog host no longer accepts a port

3.2. 1.3 Equuleus 51

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.268 2020-03-22

• T2150 (feature): SSTP ssl certificates can only be stored in /config/user-data/sstp

• T2149 (feature): Update Linux Kernel to v4.19.112
• T1884 (default): Keeping VRRP transition-script native behaviour and adding stop-script
• T1020 (bug): OSPF Stops distributing default route after a while
• T476 (enhancment): Start builds for Debian 10 (Buster)

3.2.269 2020-03-21

• T2142 (bug): vyos-build: Add required packages and step to build-GCE-image script
• T1870 (feature): Extend Pipeline scripts to support PullRequests
• T1936 (feature): pppoe-server CLI control features

3.2.270 2020-03-20

• T2006 (bug): SSTP RADIUS CLI accepts invalid values

• T2140 (default): openvpn: tls file check function checkCertHeader returns True even when no match is found
• T2007 (feature): SSTP accepts client MTU up to 16384 bytes
• T2008 (feature): Adjustment of SSTP CLI to be more consistent to the rest of VyOS

3.2.271 2020-03-19

• T2135 (bug): Login banner missing spacing now

• T2132 (feature): Document kernel boot parameter ‘vyos-config-debug’
• T1744 (default): Config load fails in ConfigTree with ValueError: Failed to parse config: lexing: empty token
• T1301 (default): bgp peer-groups don’t work when “no-ipv4-unicast”is enabled.

3.2.272 2020-03-17

• T2134 (bug): VXLAN: NameError: name ‘config’is not defined

3.2.273 2020-03-16

• T1803 (bug): Unbind NTP while it’s not requested…

• T2131 (feature): Improve syslog remote host CLI definition

3.2. 1.3 Equuleus 52

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.274 2020-03-15

• T2122 (feature): Update Intel out-of-tree drivers to latest version(s)

• T2121 (feature): Update Linux Kernel to v4.19.109
• T2119 (bug): Error on boot when removing ethernet interface from VM
• T1970 (bug): Correct adding interfaces on boot
• T1967 (bug): BGP parameter “enforce-first-as”does not work anymore
• T1432 (enhancment): Implement config write API for Python
• T1431 (feature): Implement an HTTP API for config reading and modification
• T2120 (bug): “reset vpn ipsec-peer”doesn’t work with named peers
• T2001 (bug): Error when router reboot
• T1891 (bug): Router announcements broken on boot
• T1832 (feature): radvd adding feature DNSSL branch.example.com example.com to existing package

3.2.275 2020-03-14

• T834 (feature): accel-ppp: l2tp implementation

3.2.276 2020-03-13

• T1935 (bug): NIC identification and usage problem in Hyper-V environments

• T1821 (bug): “authentication mode radius”has no effect for PPPoE server
• T1622 (default): Add failsafe and back trace to boot config loader

3.2.277 2020-03-11

• T1961 (bug): VXLAN - fails to commit due to non-existent variable, broken MTU
• T2084 (default): conntrack-tools package build error for current/equuleus

3.2.278 2020-03-10

• T1331 (bug): DNS stops working

3.2.279 2020-03-09

• T2111 (feature): VRF add route leaking support

• T2109 (bug): Ping by name broken in VyOS 1.3-rolling-202003080217
• T1416 (default): 2 dhcp server run in failover mode can’t sync hostname with each other
• T2065 (bug): VyOS 1.3 Don’t set daemon in openvpn-{intf}.conf file
• T31 (feature): Add VRF support

3.2. 1.3 Equuleus 53

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.280 2020-03-08

• T1954 (bug): Having system login radius configured causes exponentially long boot times
• T1760 (bug): RADIUS shared secret is not redacted from “show configuration”op mode command

3.2.281 2020-03-07

• T2107 (bug): Wireless interfaces do not work in station mode without security

3.2.282 2020-03-05

• T2074 (bug): VyOS docker container: Does not possible to configure ethernet interface

3.2.283 2020-03-04

• T2098 (bug): Wrong call to cli-shell-api in generated op-mode templates for path completion helper

3.2.284 2020-03-03

• T2095 (bug): Copy command errors out

3.2.285 2020-03-01

• T2082 (bug): WireGuard broken after merging T2057

• T2089 (feature): RADIUS: do not query servers when commit is running started from a non RADIUS user
• T2087 (feature): Add maxfail 0 option to pppoe configuration.
• T2086 (feature): Move sudo session open/close log entries to auth.log

3.2.286 2020-02-29

• T2046 (feature): allowing sub-classes of Interface to redefine how the interface is created
• T2077 (bug): ISO build from crux branch is failing

3.2.287 2020-02-28

• T2083 (default): vyos-build: build-packages fails at mdns-repeater due to wrong branch

• T2080 (default): traffic-policy shaper error when setting bandwidth

3.2. 1.3 Equuleus 54

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.288 2020-02-27

• T2075 (feature): Add support for OpenVPN tls-crypt file option

• T2079 (feature): Update Linux Kernel to v4.19.106
• T2068 (feature): Update Linux Kernel to v4.19.105
• T1703 (default): Macvlan PPPoE support
• T2078 (feature): Kernel: remove unused RAID functions 5,6,10,jbod,dm

3.2.289 2020-02-25

• T1971 (bug): Missing modules in initrd.img for PXE boot

• T2070 (feature): Rewrite (dis-)connect op-mode commands in XML and Python
• T2071 (feature): Add possibility to temporary disable a RADIUS server used for system login

3.2.290 2020-02-23

• T2055 (feature): Remove IPv6 router-advert options for PPPoE

• T1998 (feature): Update FRR to 7.3
• T1318 (feature): PPPoE client CLI redesign

3.2.291 2020-02-22

• T2063 (feature): vyos-salt-minion package is missing from vyos-world

3.2.292 2020-02-20

• T1969 (default): OSPF with WireGuard cause Route Inactive

3.2.293 2020-02-18

• T2034 (default): Removal of interfaces loopback lo removed 127.0.0.1 and ::1

3.2.294 2020-02-17

• T2047 (feature): Update Linux Kernel to v4.19.104

• T2048 (bug): ISO boot failes when wireleass adapter is present

3.2. 1.3 Equuleus 55

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.295 2020-02-16

• T2043 (bug): Bond VLANs can’t be extended on the fly

• T2030 (bug): Bond doesn’t survive reboot
• T1992 (bug): Adding vlan on a bond resets all BGP connections on same bond
• T1908 (feature): Add zone option for Cloudflare DDNS
• T1246 (bug): VyOS 1.2.0 “openvpn-options”configuration does not allow quotes in values

3.2.296 2020-02-15

• T2042 (bug): Error on reboot after deleting “service snmp”and not “service lldp snmp enable”
• T2041 (bug): Adding non existent bond interface raises exception

3.2.297 2020-02-14

• T2039 (bug): Wrong system type displayed.

• T2040 (bug): vyos-http-api-server should reload Config in all routes

3.2.298 2020-02-13

• T2033 (feature): Drop vyos-replace package

• T1635 (feature): Rewrite interface pseudo-ethernet in new XML/Python style

3.2.299 2020-02-10

• T2024 (feature): Migrate “system login banner”to XML/Python

3.2.300 2020-02-09

• T2022 (feature): When RADIUS config is active, local logins won’t work
• T2020 (default): Unable to log in after upgrade to 1.3-rolling-202002080217
• T1931 (bug): Enabling SNMP commit error

3.2.301 2020-02-08

• T1851 (bug): wireguard - changing the pubkey on an existing peer seems to destroy the running config.

3.2. 1.3 Equuleus 56

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.302 2020-02-05

• T1948 (bug): RADIUS login broken in 1.3

• T1990 (feature): Migrate “system login”to XML/Python representation
• T1585 (default): Add letsencrypt/certbot support for ‘service https’

3.2.303 2020-02-04

• T1965 (bug): VyOS-1.3: ping no longer supports specifying interface or source

3.2.304 2020-02-02

• T2011 (feature): Update Linux Kernel to v4.19.101

• T640 (bug): Images no longer work when built without “recommended”packages

3.2.305 2020-02-01

• T2009 (bug): Ethernet Interface always stays down

• T1989 (bug): conf.get_config_dict() throws exception

3.2.306 2020-01-31

• T1768 (bug): PPtP - vyos.config rewrite

• T2002 (bug): VLAN interfaces try to be enabled even if parent interface is A/D

3.2.307 2020-01-30

• T1994 (default): lldpd not bound to specified interfaces - Fix jinja template
• T1896 (enhancment): Remove LLDP-MED civic_based location information
• T1724 (feature): wireguard - add endpoint check in verify()

3.2.308 2020-01-29

• T1392 (bug): Large firewall rulesets cause the system to lose configuration and crash at startup
• T1996 (feature): Update Linux Kernel to 4.19.99
• T1950 (default): Store VyOS configuration syntax version data in JSON file
• T1862 (default): Use regex pattern s+ to split strings on whitespace in Python 3.7
• T1780 (feature): Adding ipsec ike closeaction
• T1755 (bug): Python KeyError exceptions raised with‘show vpn ipsec sa’command under use of certain IPSEC
cipher suites.
• T1747 (bug): L2TP breaks after upgrading to VyOS 1.2-rolling-201910180117 [issue report and proposed solu-
tion]

3.2. 1.3 Equuleus 57

 VyOS Documentation, 发布 1.4.x (sagitta)

• T1664 (bug): Ipoe with bond per vlan don’t work

• T1452 (feature): accel-pppoe - add vendor option to shaper
• T1376 (feature): Incorrect DHCP lease counting
• T1341 (default): Adding rate-limiter for pppoe server users
• T1895 (feature): There is not restriction on selection of syslog facility
• T1670 (feature): OpenVPN option for tls-auth

3.2.309 2020-01-26

• T1937 (bug): snmpd throwing a tremendous amount of errors

• T1767 (bug): IPoE - vyos.config rewrite
• T1765 (bug): wireguard - vyos.config rewrite
• T1964 (default): SNMP Script-extensions allows names with spaces, but commit fails

3.2.310 2020-01-25

• T1902 (feature): Add redistribute non main table in bgp

• T1900 (default): Enable SNMP for VRRP.

3.2.311 2020-01-24

• T1975 (bug): OpenVPN tap devices won’t come up automatically

3.2.312 2020-01-23

• T1766 (bug): service-pppoe - vyos.config rewrite

3.2.313 2020-01-21

• T1784 (bug): DMVPN with IPSec does not work in HUB mode
• T1977 (bug): webproxy error on fresh install

3.2.314 2020-01-18

• T1830 (feature): 1.3-rolling boots to GRUB prompt post-install on UEFI systems

• T1940 (bug): EFI Fresh Install fails to boot, 4K Sector Drives Fail to boot EFI

3.2. 1.3 Equuleus 58

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.315 2020-01-16

• T1880 (default): “A stop job is running for live-tools - System Support Scripts”hangs, times out when shutting
down equuleus live iso

3.2.316 2020-01-15

• T1959 (bug): Error message when adding IPSec VPN

• T1827 (feature): Increase default gc_thresh

3.2.317 2020-01-13

• T1909 (bug): Incorrect behaviour of static routes with overlapping networks

3.2.318 2020-01-09

• T1955 (feature): snmp - cli config val_help missing

• T1813 (bug): error in generated /etc/hosts file

3.2.319 2020-01-08

• T1946 (bug): Recovery ifname for PPtP remote-access

3.2.320 2020-01-03

• T1939 (feature): Provide abstraction for interface “ip”options

3.2.321 2020-01-01

• T1903 (default): Implementation udev predefined interface naming

• T1825 (feature): Improve DHCP configuration error message
• T1779 (bug): Tunnel interfaces aren’t suggested as being available for bridging
• T1430 (default): Add options for custom DHCP client-id and hostname

3.2.322 2019-12-31

• T1654 (bug): sFlow: multiple “sflow server”not work, and “disable-imt”could break configuration
• T1923 (feature): Migrate L2TPv3 interface to XML/Python

3.2. 1.3 Equuleus 59

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.323 2019-12-30

• T1920 (bug): beep: Error: Running under sudo, which is not supported for security reasons.
• T1918 (bug): l2tp / ipsec config broken in latest daily
• T1897 (bug): IPSec - 1.2 to 1.3 migration failed
• T1921 (bug): snmp: VyOS options no longer recognized
• T1922 (feature): Add VXLAN IPv6 support
• T1858 (default): l2tp: Delete depricated outside-nexthop and add gateway-address
• T1919 (feature): Migrate “system options”to XML/Python representation

3.2.324 2019-12-28

• T1917 (feature): Update WireGuard to Debian release 0.0.20191219-1

• T1916 (feature): Update Linux Kernel to v4.19.91
• T1915 (bug): Remove “system ipv6 blacklist”option
• T1912 (feature): Migrate “system (ip|ipv6)”to XML/Python representation

3.2.325 2019-12-27

• T1910 (bug): Invalid parmissions on latest 1.3 rolling ISO images

3.2.326 2019-12-26

• T1794 (bug): Interface description can’t contain a colon

• T1906 (feature): Migrate “system time-zone”configuration to XML/Python

3.2.327 2019-12-23

• T1898 (enhancment): Support multiple IPv4/IPv6 LLDP management addresses

• T1878 (bug): accel-ppp: pppoe single-session option implementation
• T258 (default): Can not configure wan load-balancing on vyos-1.2

3.2.328 2019-12-22

• T393 (enhancment): Migrate vyatta-lldpd to vyos-1x

3.2. 1.3 Equuleus 60

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.329 2019-12-20

• T1892 (default): vyos-build: Do not install recommends in docker image [enhancement]

• T1893 (bug): igmp-proxy: Do not allow adding unknown interface
• T1411 (enhancment): equuleus: buster: vyatta-ravpn: libfreeradius-client2 is missing in buster

3.2.330 2019-12-19

• T1873 (default): DHCP server fails to start due to a change in isc-dhcp-server init scripts
• T1881 (bug): Execute permissions are removed from custom SNMP scripts at commit time

3.2.331 2019-12-18

• T1889 (bug): Error building docker build image

• T1132 (default): Build on Debian Buster

3.2.332 2019-12-17

• T1886 (feature): Update Linux Kernel to v4.19.89

• T1887 (feature): Update WireGuard to Debian release 0.0.20191212-1

3.2.333 2019-12-15

• T1879 (bug): Extend Dynamic DNS XML definition value help strings and validators

3.2.334 2019-12-13

• T1861 (default): hosts lost after modified static-host-mapping

3.2.335 2019-12-12

• T1864 (feature): Lower IPSec DPD timeout lower limit from 10s -> 2s

3.2.336 2019-12-10

• T1843 (feature): Add GCC preprocessor support for XML files

• T1017 (bug): 1.2.0-rc7 duplex auto (autogenerated config) setting not accepted

3.2. 1.3 Equuleus 61

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.337 2019-12-08

• T1566 (feature): Extend L2TP/IPSec server with IPv6

3.2.338 2019-12-07

• T1714 (bug): Disable DHCP Nameservers Not Working

3.2.339 2019-12-06

• T1860 (feature): Update WireGuard to Debian release 0.0.20191127-2

• T1859 (feature): Update Linux Kernel to v4.19.88
• T1854 (bug): Dynamic DNS configuration cannot be deleted
• T1568 (default): strip-private command improvement for additional masking of IPv6 and MAC address
• T1849 (bug): DHCPv6 client does not start
• T1169 (bug): LLDP potentially broken
• T586 (bug): Cannot add ethernet vif-s vif-c interface to bridge-group

3.2.340 2019-12-05

• T1847 (bug): set_level incorrectly handles path given as empty string

3.2.341 2019-12-04

• T1787 (default): Failed config migration from V1.2.3 to 1.2-rolling-201911030217

• T1212 (bug): IPSec Tunnel to Cisco ASA drops reliably after 4.2GB transferred
• T1704 (feature): OpenVPN - Add support for ncp-ciphers

3.2.342 2019-12-03

• T1782 (bug): pppoe0: showing as “Coming up”

• T1801 (bug): Unescaped backslashes in config values cause configuration failure

3.2.343 2019-12-02

• T1841 (bug): PPP ipv6-up.d direcotry missing

• T1840 (bug): PPPoE doesn’t not rename pppX to pppoeX

3.2. 1.3 Equuleus 62

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.344 2019-11-28

• T1299 (feature): Allow SNMPd to be extended with custom scripts

3.2.345 2019-11-25

• T1824 (bug): Permission denied: ‘/opt/vyatta/etc/config/vyos-migrate.log’

3.2.346 2019-11-24

• T1673 (bug): vif bridge-group not migrated to bridge member interface

• T1799 (feature): Add support for GENEVE (Generic Network Virtualization Encapsulation)

3.2.347 2019-11-23

• T1812 (bug): DHCP: hostnames of clients not resolving after update v1.2.3 -> 1.2-rolling
• T1627 (feature): Rewrite wireless interface in new style XML syntax
• T1811 (bug): Upgrade from 1.1.8: Config file migration failed: module=l2tp

3.2.348 2019-11-22

• T1786 (bug): disable-dhcp-nameservers is missed in current host_name.py implementation

• T1749 (bug): numeric validator doesn’t support multiple ranges
• T1701 (bug): Delete domain-name and domain-search won’t work
• T1694 (default): NTPd: Do not listen on all interfaces by default
• T1678 (bug): hostfile-update missing line feed
• T1593 (feature): Support ip6gre
• T1391 (feature): In route-map set community additive
• T1772 (bug): <regex> constraints in XML are partially broken
• T1597 (bug): /usr/sbin/rsyslogd after deleting “system syslog”

3.2.349 2019-11-21

• T1818 (default): Print name of migration script on failure

• T1814 (default): Add log of migration scripts run during config migration

3.2. 1.3 Equuleus 63

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.350 2019-11-19

• T1705 (default): High CPU usage by bgpd when snmp is active

3.2.351 2019-11-17

• T1742 (default): NHRP unable to commit.

• T1740 (default): Broken OSPFv2 virtual-link authentication
• T1485 (bug): Enable ‘AdvIntervalOpt’option in for radvd.conf
• T1470 (enhancment): improve output of “show dhcpv6 server leases”
• T1421 (bug): OpenVPN client push-route stopped working, needs added quotes to fix
• T1183 (feature): BFD Support via FRR
• T1578 (bug): completion offers “show table”, but show table does not exist
• T1401 (bug): Copying files with the FTP protocol fails if the password contains special characters
• T1351 (feature): accel-pppoe adding CIDR based IP pool option

3.2.352 2019-11-16

• T1788 (feature): Intel QAT (QuickAssist Technology ) implementation

3.2.353 2019-11-14

• T1710 (default): [equuleus] buster: add patch to fix live-build missing key error
• T1804 (default): Add python3-psutil to docker image
• T1736 (default): Decide on best practice for patching live-team packages for VyOS build system
• T1424 (default): Rewrite the config load script

3.2.354 2019-11-12

• T1800 (feature): Update Linux Kernel to v4.19.84

3.2.355 2019-11-11

• T1793 (feature): Editing description on an interface causes BGP sessions to reset on commit

3.2. 1.3 Equuleus 64

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.356 2019-11-10

• T1598 (default): New implementation of the resolv.conf and hosts update mechanism
• T1792 (feature): Update WireGuard to Debian release 0.0.20191012-1
• T1791 (feature): Update Linux Kernel to 4.19.82

3.2.357 2019-11-09

• T1030 (bug): Upgrade ddclient from 3.8.2 to 3.9.0 (support Cloudflare API v4)

3.2.358 2019-11-08

• T1789 (bug): ddclient not working with generated RFC2136 / nsupdate config

3.2.359 2019-11-03

• T1777 (bug): Bonding interface MAC address missmatch after reboot

• T1752 (bug): PPPoE does not automatically start on boot

3.2.360 2019-11-02

• T1783 (bug): Interface can’t unpin from bridge

3.2.361 2019-10-30

• T1778 (bug): Kilobits/Megabits difference in configuration Vyos/FRR

3.2.362 2019-10-28

• T1769 (feature): Remove complex SNMPv3 Transport Security Model (TSM)

• T1738 (bug): Copy SNMP configuration from node to node raises exception
• T818 (feature): SNMP v3 - remove required engineid from user node

3.2.363 2019-10-26

• T1560 (default): “set load-balancing wan rule 0”causes segfault and prevents load balancing from starting

3.2. 1.3 Equuleus 65

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.364 2019-10-22

• T1756 (feature): Modify output to be more useful - Wireguard

3.2.365 2019-10-21

• T1741 (feature): Add system wide proxy setting

3.2.366 2019-10-19

• T1746 (bug): 201910180117 fails startup with ‘Permission Denied’errors

• T1745 (default): dhcp-server commit fails with“DHCP range stop address x must be greater or equal to the range
start address y!”when static mapping has same IP as range stop
• T1743 (default): equuleus: remove references to SSH key type “rsa1”deprecated in Debian Buster

3.2.367 2019-10-18

• T1712 (default): DHCP client sometimes doesn’t start

• T1684 (bug): Unable to enable IPv6 autoconf on PPPoE
• T1604 (enhancment): equuleus: buster: vbash: tab completion breaks

3.2.368 2019-10-17

• T1737 (bug): SNMP tab completion missing

3.2.369 2019-10-14

• T1726 (bug): Update Linux Firmware binaries to a more recent version 2019-03-14 -> 2019-10-07
• T1716 (feature): Update Intel NIC drivers to recent versions

3.2.370 2019-10-13

• T1728 (feature): Update Linux Kernel to 4.19.79

3.2.371 2019-10-11

• T1723 (bug): wireguard - Interface wg01 could not be brought up in time

3.2. 1.3 Equuleus 66

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.372 2019-10-09

• T1719 (feature): ssh deprecated options

• T1718 (bug): ISO check in /opt/vyatta/sbin/install-image faulty
• T1682 (feature): Migrate to new Jenkins Pipeline script

3.2.373 2019-10-08

• T1717 (bug): disable multiple daemons to autostart at boot

3.2.374 2019-10-06

• T1713 (feature): Remove deprecated packages no longer required after migration to Accel-PPP
• T1709 (bug): Update WireGuard to 0.0.20190913
• T1708 (bug): Update Rolling Release Kernel to 4.19.76

3.2.375 2019-10-04

• T1707 (bug): DHCP static mapping and exclude address not working
• T1496 (bug): Separate rolling release and LTS kernel builds

3.2.376 2019-10-03

• T1689 (feature): “reset openvpn”op-mode command should terminate and restart OpenVPN process

3.2.377 2019-10-01

• T1706 (bug): wireguard broken in latest rolling

3.2.378 2019-09-30

• T1642 (bug): BGP configuration error when using remove-private-as

• T1688 (feature): OpenVPN - Add new cipher aes-(128|192|256)-gcm

3.2.379 2019-09-28

• T1696 (bug): NTP - Tests fail when building vyos-1x

• T1512 (bug): vyos 1.2 openvpn client names with spaces created incorrectly

3.2. 1.3 Equuleus 67

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.380 2019-09-27

• T1681 (feature): cleanup wireguard code since tagnodes are now visible
• T1695 (bug): Syntax error in interface-dummy.py

3.2.381 2019-09-26

• T1692 (bug): ipoe-server verify function error

• T1691 (bug): OpenVPN - Commiting config when OpenVPN peer/server not available makes commit hang
• T1690 (feature): restart op-mode commands for ‘service (pppoe|ipoe)-server’

3.2.382 2019-09-25

• T1672 (bug): Wireguard keys not automatically moved

3.2.383 2019-09-23

• T1679 (bug): during bootup: invalid literal for int() with base 10
• T1680 (feature): DHCP client does not release IP address on exit/deletion

3.2.384 2019-09-21

• T1676 (default): [equuleus] buster: update GRUB boot parameters during upgrade
• T1637 (feature): Rewrite ethernet interface in new style XML syntax
• T1675 (feature): OpenVPN - Specify minimum TLS version

3.2.385 2019-09-20

• T1602 (default): equuleus: buster: add live build apt options for choosing vyos packages

3.2.386 2019-09-19

• T1666 (feature): Deleting a bond will place member interfaces into A/D state

3.2.387 2019-09-17

• T239 (bug): firewall all-ping setting is confusing

3.2. 1.3 Equuleus 68

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.388 2019-09-16

• T1040 (default): rc.local is executed too early

3.2.389 2019-09-15

• T1662 (default): openvpn: ‘show openvpn client’error

• T1661 (default): openvpn: wrong checking for existence cert files
• T1630 (bug): OpenVPN after changing it from root to nobody (unprivileged user) cant add routes

3.2.390 2019-09-13

• T1660 (bug): Bonding dont’t work on VyOS 1.2-rolling-201909120338

• T1655 (enhancment): equuleus: buster: arm: vyos-accel-ppp build failes because of filename hardcoded as x86_64
in debian/rules

3.2.391 2019-09-12

• T1572 (feature): Wireguard keyPair per interface

• T1545 (bug): IPSEC vti issue

3.2.392 2019-09-10

• T1650 (feature): implement wireguard default key removal

• T1649 (feature): feature documentation different keypairs per interface
• T1648 (feature): add cli command ‘delete wireguard named-key <key>’

3.2.393 2019-09-09

• T1639 (bug): wireguard pubkey change error

3.2.394 2019-09-07

• T1640 (feature): Update Linux Kernel to v4.19.70

3.2. 1.3 Equuleus 69

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.395 2019-09-06

• T1624 (bug): Failed to set up config session

• T1636 (feature): Rewrite VXLAN in new style XML/Python
• T1623 (default): Systemd reports dependency cycle during boot
• T1479 (bug): libvyosconfig error reporting doesn’t include line numbers
• T808 (feature): replace lighthttpd with nginx
• T1616 (bug): ‘renew dhcpv6 interface <interfaceName>’command fails, but work within config session
• T1478 (bug): libvyosconfig parser does not support escaped quotes inside single-quoted strings
• T1360 (bug): DNS nameservers from dhcp not set

3.2.396 2019-09-05

• T1443 (default): New “service https”implementation

3.2.397 2019-09-04

• T1632 (bug): OpenVPN ‘push’options with quotes

• T1631 (bug): Multiple push-route options cause error generating openvpn configuration
• T1605 (bug): L2tp over IPsec not working in Crux
• T1557 (feature): Create generic abstraction for configuring interfaces e.g. IP address
• T1439 (bug): DHCPv6 static-mappings not working due to excess quotes around dhcp6.client-id
• T1628 (feature): Adopt WireGuard configuration script to new vyos.ifconfig class
• T1543 (enhancment): Add a source address/interface option for commit archive connections
• T1614 (feature): Rewrite bonding interface in new style XML syntax

3.2.398 2019-09-02

• T1621 (default): Rewrite the rest of trivial vyatta-op commands to new syntax

3.2.399 2019-08-31

• T1559 (default): webproxy (squidguard) doesn’t work

• T1531 (bug): Several bugs in cluster configuration
• T1530 (bug): vyos 1.2.1 “set system syslog global archive file”don’t work
• T1529 (bug): BGP unnumbered is not working with a vif interface
• T1472 (bug): Impossible to recreate group in rfc3768-compatibility mode
• T1468 (bug): BGP route-reflector-client config erroneously claims remote-as is incorrect
• T1460 (bug): “show firewall ….”doesn’t support counters with more than eight digits
• T1456 (bug): Port group cannot be configured if the same port is configured as standalone and inside a range

3.2. 1.3 Equuleus 70

 VyOS Documentation, 发布 1.4.x (sagitta)

• T1450 (default): crux: ping * flood is not working

• T1428 (default): Wireguard: fwmark setting is not honored
• T1420 (bug): logrotate permission errors on vyatta logfiles
• T1362 (bug): Incorrect handling of special characters in VRRP passwords

3.2.400 2019-08-30

• T1587 (bug): New implementation of “monitor interface”

3.2.401 2019-08-29

• T1571 (bug): show log vpn ipsec produces no output

3.2.402 2019-08-28

• T1615 (feature): After migration to pyroute2 the address DHCP statement is no longer covered

3.2.403 2019-08-27

• T1613 (bug): IPv6 traffic is not captured by NetFlow sensor (pmacct/NFLOG)

• T1617 (default): OpenVPN push route failure
• T1250 (bug): FRR not setting default gateway from dhcp

3.2.404 2019-08-26

• T1591 (bug): OpenVPN “run show openvpn client status”does not work
• T1608 (feature): bridge: Bridge adding non existing interfaces is allowed but does not work
• T1548 (feature): Rewrite OpenVPN interface/op-commands in new style XML/Python
• T1607 (default): Convert ‘reset conntrack’and ‘reset ip[v6] cache’operations from vyatta-op to new syntax

3.2.405 2019-08-25

• T1611 (default): Migration to latest rolling fails with vyos.configtree.ConfigTreeError: Path [b’interfaces bridge
br0 igmp-snooping querier’] doesn’t exist
• T1333 (bug): pdns_recursor does not perform recursive lookups on domain specific forwarders
• T1524 (feature): Add support to set allow-from network in DNS forwarding

3.2. 1.3 Equuleus 71

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.406 2019-08-23

• T1606 (bug): Rolling release no longer boots after adding hostname daemon

3.2.407 2019-08-22

• T1131 (bug): open-vm-tools causing 100% CPU load

3.2.408 2019-08-21

• T1601 (feature): Rewrite loopback interface type with new style XML/Python interface
• T1596 (default): Convert ‘telnet’and ‘traceroute’vyatta-op commands to new syntax

3.2.409 2019-08-20

• T1595 (feature): Migrate deprecated “service dns forwarding listen-on”to listen-address

3.2.410 2019-08-19

• T1580 (feature): Rewrite dummy interface type with new style XML/Python interface
• T1590 (default): Convert ‘show system’operations from vyatta-op to python/xml syntax
• T1377 (default): BGP Weight Not properly applying

3.2.411 2019-08-17

• T1592 (feature): Update Linux Kernel to v4.19.67

• T1551 (default): Error when creating QinQ interface without earlier sets firewall name, if it used

3.2.412 2019-08-15

• T1584 (default): equuleus: buster: add consistent grub options for predictable interface names

3.2.413 2019-08-13

• T1556 (feature): Rewrite Bridge in new style XML syntax

3.2. 1.3 Equuleus 72

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.414 2019-08-09

• T1569 (feature): interfaceconfig class documetation

3.2.415 2019-08-05

• T1562 (feature): Change version scheme on current branch used for rolling releases

3.2.416 2019-08-04

• T1561 (bug): VyOS rolling ISO cluttered with vyatta-ravpn Git Repo

3.2.417 2019-08-03

• T1554 (bug): Enable RSS (Receive Side Scaling) and Multiqueue for Intel drivers

3.2.418 2019-08-02

• T853 (feature): accel-ppp: SSTP implementation

• T742 (feature): Implement accel-ppp in VyOS

3.2.419 2019-08-01

• T1544 (feature): L2TP documentation

3.2.420 2019-07-31

• T1552 (feature): accel-ppp: SSTP documentation

• T1553 (default): equuleus: buster: add ‘noautologin’to boot parameters

3.2.421 2019-07-29

• T1532 (default): [equuleus] buster: GPG error on vyos package repository

3.2.422 2019-07-28

• T1547 (feature): accel-ppp/L2TP restructure CLI

• T1546 (bug): accel-ppp/L2TP radius-source address is not honored

3.2. 1.3 Equuleus 73

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.423 2019-07-23

• T1533 (bug): Rolling builds broken!

• T1489 (feature): Add vlan_mon usage at Accel

3.2.424 2019-07-22

• T1435 (enhancment): Make ip-address [OPTIONAL] (in dhcp-server -> static-mapping) to cope with“unfriendly”
client-hostnames of IoT-Devices

3.2.425 2019-07-21

• T823 (feature): Rewrite DHCP op mode in the new style

3.2.426 2019-07-18

• T1497 (bug): “set system name-server”generates invalid/incorrect resolv.conf

• T533 (feature): PPPoE MTU graeter than 1492

3.2.427 2019-07-15

• T1526 (feature): [SNMP] write documentation for snmp script extension

• T1516 (bug): [wireguard] config changes cause an error

3.2.428 2019-07-14

• T1066 (bug): Missing NICs

3.2.429 2019-07-10

• T1505 (bug): vyos.config return_effective_values does not convert the output to a list
• T1503 (feature): Add functions for commit lock checking
• T1504 (bug): DHCP-provided DNS servers are not propagated to resolv.conf
• T1400 (bug): iBGP: remote-as and router AS can’t be the same value

3.2. 1.3 Equuleus 74

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.430 2019-07-08

• T1465 (bug): Priority inversion in “interfaces vti vtiX ip”

• T1510 (feature): [IPoE] vlan-mon option implementation
• T1508 (feature): [pppoe] migration script for service pppoe-server interface
• T1494 (feature): accel-ppp: IPoE update documentation
• T989 (feature): accel-ppp: IPoE implementation

3.2.431 2019-07-03

• T1502 (feature): Add build sanity checking tools to the dev builds
• T1469 (enhancment): Create forward-zones-recurse entry instead of forward-zones when setting service dns for-
warding

3.2.432 2019-07-02

• T1099 (default): Openvpn: use config files instead of one long command.
• T1495 (feature): accel-ppp: IPoE implement IPv6 PD

3.2.433 2019-07-01

• T1498 (bug): Nameservers are not propagated into resolv.conf

3.2.434 2019-06-24

• T1482 (feature): Add OpenVPN SHA384 hashing algorithm

• T1484 (bug): OSPF md5 key not removed in strip-private

3.2.435 2019-06-23

• T1477 (feature): Intel i40evf fails to load - unknown symbol

• T1474 (feature): Update WireGuard to 0.0.20190601
• T1473 (feature): Update Kernel from 4.19.52 to 4.19.54
• T1476 (bug): Update PowerDNS recursor to 4.2 series
• T1475 (feature): Enable Kernel Data Center Bridging (CONFIG_DCB) support
• T1471 (bug): Wireguard interfaces have no firewall subtree
• T1455 (feature): Update Intel i40e driver to 2.9.21
• T1464 (feature): FRR: Set explicit OSPFv3 network type for specified interface

3.2. 1.3 Equuleus 75

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.436 2019-06-22

• T1371 (bug): Arguments of VRRP health check scripts are ignored

• T1313 (feature): Add support for reusable build flavours
• T1202 (bug): Add hvinfo to the packages directory
• T1433 (bug): “show dhcpv6 server leases”shows leases from wrong file

3.2.437 2019-06-20

• T1461 (bug): Deleting ‘firewall options’causes Python TypeError

• T1413 (enhancment): equuleus: buster: vyos-xe-guest-utilities is not installable and breaks live-build
• T1412 (enhancment): equuleus: buster: vyos-netplug is not installable and breaks live-build

3.2.438 2019-06-19

• T1453 (bug): Warning: nss-myhostname is not installed

• T1447 (bug): Python subprocess called without import in host_name.py
• T1334 (feature): Migration script runner rewrite
• T1327 (bug): Set the serial console speed to 115200 by default
• T1454 (bug): Reading deprecated /etc/frr/daemons.conf

3.2.439 2019-06-18

• T1451 (bug): Intel e1000e driver missing in lates rolling release

• T1446 (default): Raid install with efi can generate some warning output.
• T1444 (feature): Update Linux Kernel to v4.19.52

3.2.440 2019-06-17

• T1394 (bug): syslog systemd and host_name.py race condition

• T1408 (feature): pppoe-server - implement local-ipv6 for pure IPv6 based deployments
• T1390 (default): Extend bgp config for bestpath as-path multipath-relax

3.2.441 2019-06-16

• T1438 (bug): DMI board/product serial can’t be read

3.2. 1.3 Equuleus 76

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.442 2019-06-12

• T1397 (default): Rewrite the config merge script

3.2.443 2019-06-05

• T1426 (default): Update the script that checks conntrack hash-size on reboot

3.2.444 2019-06-04

• T1379 (bug): Deprecated functions in /sbin/dhclient-script

3.2.445 2019-06-03

• T1423 (default): When merging remote config files, create known_hosts file if not present.

3.2.446 2019-06-01

• T1422 (feature): Add a utility for querying values in config files

• T1309 (bug): allow duplicate ip adresses on different interfaces

3.2.447 2019-05-30

• T1419 (bug): Can’t delete multiple OSPF passive-interfaces in single commit

3.2.448 2019-05-28

• T1410 (feature): Upgrade Linux Kernel to 4.19.46

3.2.449 2019-05-26

• T1388 (bug): OpenVPN client connections with password and certificate authentication don’t work
• T1387 (bug): Disabling a DHCP interface with no address displays an error
• T1404 (feature): Update iproute2 package to 4.19

3.2.450 2019-05-24

• T1407 (bug): pppoe IPv6 PD documention by practical example

3.2. 1.3 Equuleus 77

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.451 2019-05-23

• T1402 (feature): Update Linux Kernel to 4.19.45

3.2.452 2019-05-22

• T1399 (bug): accel-ppp kernel modules missing in rolling build 20190522

• T1393 (bug): pppoe IPv6 pool doesn’t work

3.2.453 2019-05-21

• T592 (bug): lldpcli: unknown command from argument 1: #

3.2.454 2019-05-20

• T1384 (bug): vxlan remote-port

3.2.455 2019-05-16

• T1267 (feature): FRR: Add interface name for static routes

• T1148 (bug): epa2 BGP peers initiate before config is fully loaded, routes leak.

3.2.456 2019-05-13

• T1378 (feature): Embed Git commit ID of vyos-build repo in resulting image

3.2.457 2019-05-12

• T1370 (bug): Webproxy with ldap authentication don’t start

3.2.458 2019-05-09

• T1367 (bug): VIF deletion fails inconsistently

3.2.459 2019-05-06

• T1368 (feature): Enable MPLS support in Linux Kernel

3.2. 1.3 Equuleus 78

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.460 2019-05-05

• T1366 (feature): Update Linux Kernel to v4.19.40

3.2.461 2019-05-04

• T1365 (bug): Cannot configure syslog on 1.2.0-rolling+201904260337

3.2.462 2019-04-29

• T1359 (bug): Changing VLAN interface address from DHCP to static is not handeled in vyatta-address script
• T1352 (feature): vyos-documentaion: accel-pppoe adding CIDR based IP pool option

3.2.463 2019-04-26

• T1357 (feature): Wrong exit code produced by dhcp-server migration script

3.2.464 2019-04-25

• T1355 (bug): rsyslog stopped after reboot or clean start

3.2.465 2019-04-23

• T1242 (bug): Error when setting ‘pppoe 0 ipv6 address autoconf’

• T1345 (feature): Specify RADIUS source IP for system login command
• T41 (feature): Feature Request: Include bgpq3 for BGP policy creation

3.2.466 2019-04-21

• T314 (default): Unable to apply MSS Clamp with VyOS configuration

• T1348 (feature): Upgrade WireGuard to 0.0.20190406-1
• T1347 (feature): Upgrade Linux Kernel to 4.19.36
• T1343 (default): do not remove trailing zeroes from subnets in DHCP static route config
• T1332 (bug): Upgrade ethtool from 3.16 to 4.19

3.2. 1.3 Equuleus 79

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.467 2019-04-20

• T1335 (default): Configuration migration issue from 1.1.8 to latest 1.2.0 regarding DHCP authoritative enable
statement
• T1336 (default): system domain-name statement doesn’t allow domain names ending in a dot on latest 1.2.0
• T1344 (feature): Unclutter “system login radius”configuration nodes
• T1245 (default): Cannot Clamp MSS on Transient Bridge Interfaces - Turn On br_netfilter
• T1310 (feature): Replace system prompt with FQDN

3.2.468 2019-04-19

• T1325 (default): GRE tunnel to Cisco router fails in 1.2.0 - works in 1.1.8

3.2.469 2019-04-17

• T14 (enhancment): Provide VMware OVF and OVA

3.2.470 2019-04-16

• T1274 (feature): Update QLogic firmware files

• T1184 (feature): wireguard - extend documentation with the show interface wireguard commands

3.2.471 2019-04-15

• T1260 (feature): VICI-based implementation of “run show vpn ipsec sa”

• T1273 (default): Add script profiling functionality to the config backend
• T1248 (default): Add a function for copying nodes to the vyos.configtree library

3.2.472 2019-04-10

• T1329 (default): support installation on SD cards fix

3.2.473 2019-04-07

• T1296 (default): Image install can’t install to SD cards (mmcblk…)

3.2. 1.3 Equuleus 80

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.474 2019-04-05

• T1324 (feature): update documtation for ‘set system login user level’
• T1322 (bug): Wrong configuration generated for DHCPv6 Relay

3.2.475 2019-04-04

• T1323 (feature): migrate operator accounts to admin accounts and remove the option to setup an operator account

3.2.476 2019-03-26

• T1312 (feature): Allow many to many NAT rules with networks of different size
• T1305 (bug): libvyosconfig parser doesn’t work when config lacks a version comment and ends at a leaf node

3.2.477 2019-03-22

• T1308 (bug): Use of ‘<’in PPPoE password fails

• T1279 (bug): ACPI power event don’t work

3.2.478 2019-03-20

• T1282 (feature): Configure VyOS to send syslog messages to remote syslog using fully-qualified domain name
• T1004 (feature): ISO + System Boot with Serial Console for APU2 and Embedded Devices
• T405 (feature): Add binaries for lcdproc

3.2.479 2019-03-17

• T1218 (bug): Static routes not being applied in 1.2 Release

• T1067 (feature): VXLAN support improvements
• T1285 (bug): Kernel issues with 1.2.0 & 1.2.0-rolling+201903060337 causing lockup
• T1252 (feature): Extend vyos-ci Kernel Pipeline to build Intel native drivers
• T1240 (feature): Wireguard module update to 0.0.20190123
• T484 (bug): Rules can’t be deleted from firewall rule sets used in zone policies
• T986 (feature): Please update the i40e driver

3.2. 1.3 Equuleus 81

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.480 2019-03-16

• T1272 (bug): VRRP is using physical rather than virtual MAC in RFC-compliant mode

3.2.481 2019-03-12

• T1284 (feature): accel-ppp: pptp implementation documention

• T833 (feature): accel-ppp: pptp implementation

3.2.482 2019-03-08

• T1277 (bug): Source build of VyOS 1.2.0 (crux) FileNotFound exception in show_dhcp.py

3.2.483 2019-03-02

• T929 (bug): Replace Debian firmware packages with upstream Kernel

3.2.484 2019-02-25

• T1261 (default): TFTP-Server only listen on 127.0.0.1

• T1211 (default): Blank hostnames from dhcpd are able to bring down DNS
• T1247 (bug): WAN load-balancing fail when !<x.x.x.x/x> configured in rules
• T1234 (bug): DHCP relay relay-agents-packets is dysfunctional

3.2.485 2019-02-22

• T1257 (bug): implement ‘set system static-host-mapping’in host_name.py and remove old function calls

3.2.486 2019-02-21

• T1214 (bug): Add ipaddrcheck to the packages directory

• T1255 (bug): /usr/libexec/vyos/conf_mode/host_name.py needs to add an additional newline char

3.2.487 2019-02-19

• T1051 (default): Update openvpn to support TLS 1.2

3.2. 1.3 Equuleus 82

 VyOS Documentation, 发布 1.4.x (sagitta)

3.2.488 2019-02-16

• T1174 (bug): “system domain-name”is not reflected in /etc/resolv.conf

3.2.489 2019-02-10

• T1154 (default): use of local cache to build iso

3.2.490 2019-02-09

• T1239 (feature): make module build for vyos-accel-ppp dynamic

• T1236 (feature): Update Linux Kernel to 4.19.20
• T1238 (bug): Wireguard allows invalid IP’s
• T1010 (bug): improper pid file handling of webgui

3.2.491 2019-02-08

• T173 (bug): Static routes ignored with DHCP received gateway

3.2.492 2019-02-05

• T1231 (feature): Remove “service dns dynamic“cache file on node change/delete

3.2.493 2019-01-29

• T166 (bug): NPTv6 is broken

3.2.494 2018-12-07

• T1060 (default): Add an option to exclude addresses from transparent wev proxying

3.2.495 2018-04-03

• T477 (bug): Strongswan issue #1220 (packet loss on AWS)

3.3 1.2.6-S1

1.2.6-S1 is a security release release made in September 2020.

3.3. 1.2.6-S1 83
 VyOS Documentation, 发布 1.4.x (sagitta)

3.3.1 Resolved issues

VyOS 1.2.6 release was found to be suspectible to CVE-2020-10995. It’s a low- impact vulnerability in the PowerDNS
recursor that allows an attacker to cause performance degradation via a specially crafted authoritative DNS server reply.
• T2899 remote syslog server migration error on update

3.4 1.2.6

1.2.6 is a maintenance release made in September 2020.

3.4.1 Resolved issues

• T103 DHCP server prepends shared network name to hostnames

• T125 Missing PPPoE interfaces in l2tp configuration
• T1194 cronjob is being setup even if not saved
• T1205 module pcspkr missing
• T1219 Redundant active-active configuration, asymmetric routing and conntrack-sync cache
• T1220 Show transceiver information from plugin modules, e.g SFP+, QSFP
• T1221 BGP - Default route injection is not processed by the specific route-map
• T1241 Remove of policy route throws CLI error
• T1291 Under certain conditions the VTI will stay forever down
• T1463 Missing command show ip bgp scan appears in command completion
• T1575 show snmp mib ifmib crashes with IndexError
• T1699 Default net.ipv6.route.max_size 32768 is too low
• T1729 PIM (Protocol Independent Multicast) implementation
• T1901 Semicolon in values is interpreted as a part of the shell command by validators
• T1934 Change default hostname when deploy from OVA without params.
• T1938 syslog doesn’t start automatically
• T1949 Multihop IPv6 BFD is unconfigurable
• T1953 DDNS service name validation rejects valid service names
• T1956 PPPoE server: support PADO-delay
• T1973 Allow route-map to match on BGP local preference value
• T1974 Allow route-map to set administrative distance
• T1982 Increase rotation for atop.acct
• T1983 Expose route-map when BGP routes are programmed in to FIB
• T1985 pppoe: Enable ipv6 modules without configured ipv6 pools
• T2000 strongSwan does not install routes to table 220 in certain cases
• T2021 OSPFv3 doesn’t support decimal area syntax

3.4. 1.2.6 84
 VyOS Documentation, 发布 1.4.x (sagitta)

• T2062 Wrong dhcp-server static route subnet bytes

• T2091 swanctl.conf file is not generated properly is more than one IPsec profile is used
• T2131 Improve syslog remote host CLI definition
• T2224 Update Linux Kernel to v4.19.114
• T2286 IPoE server vulnerability
• T2303 Unable to delete the image version that came from OVA
• T2305 Add release name to “show version”command
• T2311 Statically configured name servers may not take precedence over ones from DHCP
• T2327 Unable to create syslog server entry with different port
• T2332 Backport node option for a syslog server
• T2342 Bridge l2tpv3 + ethX errors
• T2344 PPPoE server client static IP assignment silently fails
• T2385 salt-minion: improve completion helpers
• T2389 BGP community-list unknown command
• T2398 op-mode “dhcp client leases interface”completion helper misses interfaces
• T2402 Live ISO should warn when configuring that changes won’t persist
• T2443 NHRP: Add debugging information to syslog
• T2448 monitor protocol bgp subcommands fail with ‘command incomplete’
• T2458 Update FRR to 7.3.1
• T2476 Bond member description change leads to network outage
• T2478 login radius: use NAS-IP-Address if defined source address
• T2482 Update PowerDNS recursor to 4.3.1 for CVE-2020-10995
• T2517 vyos-container: link_filter: No such file or directory
• T2526 Wake-On-Lan CLI implementation
• T2528 “update dns dynamic”throws FileNotFoundError excepton
• T2536 “show log dns forwarding”still refers to dnsmasq
• T2538 Update Intel NIC drivers to recent release (preparation for Kernel >=5.4)
• T2545 Show physical device offloading capabilities for specified ethernet interface
• T2563 Wrong interface binding for Dell VEP 1445
• T2605 SNMP service is not disabled by default
• T2625 Provide generic Library for package builds
• T2686 FRR: BGP: large-community configuration is not applied properly after upgrading FRR to 7.3.x series
• T2701 vpn ipsec pfs enable doesn’t work with IKE groups
• T2728 Protocol option ignored for IPSec peers in transport mode
• T2734 WireGuard: fwmark CLI definition is inconsistent
• T2757 “show system image version”contains additional new-line character breaking output

3.4. 1.2.6 85
 VyOS Documentation, 发布 1.4.x (sagitta)

• T2797 Update Linux Kernel to v4.19.139

• T2822 Update Linux Kernel to v4.19.141
• T2829 PPPoE server: mppe setting is implemented as node instead of leafNode
• T2831 Update Linux Kernel to v4.19.142
• T2852 rename dynamic dns interface breaks ddclient.cache permissions
• T2853 Intel QAT acceleration does not work

3.5 1.2.5

1.2.5 is a maintenance release made in April 2020.

3.5.1 Resolved issues

• T1020 OSPF Stops distributing default route after a while

• T1228 pppoe default-route force option not working (Rel 1.2.0-rc11)
• T1301 bgp peer-groups don’t work when “no-ipv4-unicast”is enabled.
• T1341 Adding rate-limiter for pppoe server users
• T1376 Incorrect DHCP lease counting
• T1392 Large firewall rulesets cause the system to lose configuration and crash at startup
• T1416 2 dhcp server run in failover mode can’t sync hostname with each other
• T1452 accel-pppoe - add vendor option to shaper
• T1490 BGP configuration (is lost|not applied) when updating 1.1.8 -> 1.2.1
• T1780 Adding ipsec ike closeaction
• T1803 Unbind NTP while it’s not requested…
• T1821 “authentication mode radius”has no effect for PPPoE server
• T1827 Increase default gc_thresh
• T1828 Missing completion helper for “set system syslog host 192.0.2.1 facility all protocol”
• T1832 radvd adding feature DNSSL branch.example.com example.com to existing package
• T1837 PPPoE unrecognized option ‘replacedefaultroute’
• T1851 wireguard - changing the pubkey on an existing peer seems to destroy the running config.
• T1858 l2tp: Delete depricated outside-nexthop and add gateway-address
• T1864 Lower IPSec DPD timeout lower limit from 10s -> 2s
• T1879 Extend Dynamic DNS XML definition value help strings and validators
• T1881 Execute permissions are removed from custom SNMP scripts at commit time
• T1884 Keeping VRRP transition-script native behaviour and adding stop-script
• T1891 Router announcements broken on boot
• T1900 Enable SNMP for VRRP.

3.5. 1.2.5 86
 VyOS Documentation, 发布 1.4.x (sagitta)

• T1902 Add redistribute non main table in bgp

• T1909 Incorrect behaviour of static routes with overlapping networks
• T1913 “system ipv6 blacklist”command has no effect
• T1914 IPv6 multipath hash policy does not apply
• T1917 Update WireGuard to Debian release 0.0.20191219-1
• T1934 Change default hostname when deploy from OVA without params.
• T1935 NIC identification and usage problem in Hyper-V environments
• T1936 pppoe-server CLI control features
• T1964 SNMP Script-extensions allows names with spaces, but commit fails
• T1967 BGP parameter “enforce-first-as”does not work anymore
• T1970 Correct adding interfaces on boot
• T1971 Missing modules in initrd.img for PXE boot
• T1998 Update FRR to 7.3
• T2001 Error when router reboot
• T2032 Monitor bandwidth bits
• T2059 Set source-validation on bond vif don’t work
• T2066 PPPoE interface can be created multiple times - last wins
• T2069 PPPoE-client does not works with service-name option
• T2077 ISO build from crux branch is failing
• T2079 Update Linux Kernel to v4.19.106
• T2087 Add maxfail 0 option to pppoe configuration.
• T2100 BGP route adverisement wih checks rib
• T2120 “reset vpn ipsec-peer”doesn’t work with named peers
• T2197 Cant add vif-s interface into a bridge
• T2228 WireGuard does not allow ports < 1024 to be used
• T2252 HTTP API add system image can return ‘504 Gateway Time-out’
• T2272 Set system flow-accounting disable-imt has syntax error
• T2276 PPPoE server vulnerability

3.6 1.2.4

1.2.4 is a maintenance release made in December 2019.

3.6. 1.2.4 87
 VyOS Documentation, 发布 1.4.x (sagitta)

3.6.1 Resolved issues

• T258 Can not configure wan load-balancing on vyos-1.2

• T818 SNMP v3 - remove required engineid from user node
• T1030 Upgrade ddclient from 3.8.2 to 3.9. (support Cloudflare API v4)
• T1183 BFD Support via FRR
• T1299 Allow SNMPd to be extended with custom scripts
• T1351 accel-pppoe adding CIDR based IP pool option
• T1391 In route-map set community additive
• T1394 syslog systemd and host_name.py race condition
• T1401 Copying files with the FTP protocol fails if the passwor contains special characters
• T1421 OpenVPN client push-route stopped working, needs added quotes to fix
• T1430 Add options for custom DHCP client-id and hostname
• T1447 Python subprocess called without import in host_name.py
• T1470 improve output of “show dhcpv6 server leases”
• T1485 Enable ‘AdvIntervalOpt’option in for radvd.conf
• T1496 Separate rolling release and LTS kernel builds
• T1560 “set load-balancing wan rule 0”causes segfault and prevent load balancing from starting
• T1568 strip-private command improvement for additional masking o IPv6 and MAC address
• T1578 completion offers “show table”, but show table does not exist
• T1593 Support ip6gre
• T1597 /usr/sbin/rsyslogd after deleting “system syslog”
• T1638 vyos-hostsd not setting system domain name
• T1678 hostfile-update missing line feed
• T1694 NTPd: Do not listen on all interfaces by default
• T1701 Delete domain-name and domain-search won’t work
• T1705 High CPU usage by bgpd when snmp is active
• T1707 DHCP static mapping and exclude address not working
• T1708 Update Rolling Release Kernel to 4.19.76
• T1709 Update WireGuard to 0.0.20190913
• T1716 Update Intel NIC drivers to recent versions
• T1726 Update Linux Firmware binaries to a more recen version 2019-03-14 -> 2019-10-07
• T1728 Update Linux Kernel to 4.19.79
• T1737 SNMP tab completion missing
• T1738 Copy SNMP configuration from node to node raises exception
• T1740 Broken OSPFv2 virtual-link authentication
• T1742 NHRP unable to commit.

3.6. 1.2.4 88
 VyOS Documentation, 发布 1.4.x (sagitta)

• T1745 dhcp-server commit fails with“DHCP range stop address must be greater or equal to the range start address
y!”when static mapping has same IP as range stop
• T1749 numeric validator doesn’t support multiple ranges
• T1769 Remove complex SNMPv3 Transport Security Model (TSM)
• T1772 <regex> constraints in XML are partially broken
• T1778 Kilobits/Megabits difference in configuration Vyos/FRR
• T1780 Adding ipsec ike closeaction
• T1786 disable-dhcp-nameservers is missed in current host_name.p implementation
• T1788 Intel QAT (QuickAssist Technology ) implementation
• T1792 Update WireGuard to Debian release 0.0.20191012-1
• T1800 Update Linux Kernel to v4.19.84
• T1809 Wireless: SSID scan does not work in AP mode
• T1811 Upgrade from 1.1.8: Config file migratio failed: module=l2tp
• T1812 DHCP: hostnames of clients not resolving afte update v1.2.3 -> 1.2-rolling
• T1819 Reboot kills SNMPv3 configuration
• T1822 Priority inversion wireless interface dhcpv6
• T1825 Improve DHCP configuration error message
• T1836 import-conf-mode-commands in vyos-1x/scripts fails to create an xml
• T1839 LLDP shows “VyOS unknown”instead of “VyOS”
• T1841 PPP ipv6-up.d direcotry missing
• T1893 igmp-proxy: Do not allow adding unknown interface
• T1903 Implementation udev predefined interface naming
• T1904 update eth1 and eth2 link files for the vep4600

3.7 1.2.3

1.2.3 is a maintenance and feature backport release made in September 2019.

3.7.1 New features

• HTTP API
• T1524 “set service dns forwarding allow-from <IPv4 net|IPv6 net>”option for limiting queries to specific client
networks
• T1503 Functions for checking if a commit is in progress
• T1543 “set system contig-mangement commit-archive source-address”option
• T1554 Intel NIC drivers now support receive side scaling and multiqueue

3.7. 1.2.3 89
 VyOS Documentation, 发布 1.4.x (sagitta)

3.7.2 Resolved issues

• T1209 OSPF max-metric values over 100 no longer causes commit errors
• T1333 Fixes issue with DNS forwarding not performing recursive lookups on domain specific forwarders
• T1362 Special characters in VRRP passwords are handled correctly
• T1377 BGP weight is applied properly
• T1420 Fixed permission for log files
• T1425 Wireguard interfaces now support /31 addresses
• T1428 Wireguard correctly handles firewall marks
• T1439 DHCPv6 static mappings now work correctly
• T1450 Flood ping commands now works correctly
• T1460 Op mode “show firewall”commands now support counters longer than 8 digits (T1460)
• T1465 Fixed priority inversion in VTI commands
• T1468 Fixed remote-as check in the BGP route-reflector-client option
• T1472 It’s now possible to re-create VRRP groups with RFC compatibility mode enabled
• T1527 Fixed a typo in DHCPv6 server help strings
• T1529 Unnumbered BGP peers now support VLAN interfaces
• T1530 Fixed “set system syslog global archive file”command
• T1531 Multiple fixes in cluster configuration scripts
• T1537 Fixed missing help text for “service dns”
• T1541 Fixed input validation in DHCPv6 relay options
• T1551 It’s now possible to create a QinQ interface and a firewall assigned to it in one commit
• T1559 URL filtering now uses correct rule database path and works again
• T1579 “show log vpn ipsec”command works again
• T1576 “show arp interface <intf>”command works again
• T1605 Fixed regression in L2TP/IPsec server
• T1613 Netflow/sFlow captures IPv6 traffic correctly
• T1616 “renew dhcpv6”command now works from op mode
• T1642 BGP remove-private-as option iBGP vs eBGP check works correctly now
• T1540, T1360, T1264, T1623 Multiple improvements in name servers and hosts configuration handling

3.7. 1.2.3 90
 VyOS Documentation, 发布 1.4.x (sagitta)

3.7.3 Internals

/etc/resolv.conf and /etc/hosts files are now managed by the vyos-hostsd service that listens on a ZMQ
socket for update messages.

3.8 1.2.2

1.2.2 is a maintenance release made in July 2019.

3.8.1 New features

• Options for per-interface MSS clamping.

• BGP extended next-hop capability
• Relaxed BGP multipath option
• Internal and external options for “remote-as”(accept any AS as long as it’s the same to this router or different,
respectively)
• “Unnumbered”(interface-based) BGP peers
• BGP no-prepend option
• Additive BGP community option
• OSPFv3 network type option
• Custom arguments for VRRP scripts
• A script for querying values from config files

3.8.2 Resolved issues

• Linux kernel 4.19.54, including a fix for the TCP SACK vulnerability

• T1371 VRRP health-check scripts now can use arguments
• T1497 DNS server addresses coming from a DHCP server are now correctly propagated to resolv.conf
• T1469 Domain-specific name servers in DNS forwarding are now used for recursive queries
• T1433 run show dhcpv6 server leases now display leases correctly
• T1461 Deleting firewall options node no longer causes errors
• T1458 Correct hostname is sent to remote syslog again
• T1438 Board serial number from DMI is correctly displayed in show version
• T1358, T1355, T1294 Multiple corrections in remote syslog config
• T1255 Fixed missing newline in /etc/hosts
• T1174 system domain-name is correctly included in /etc/resolv.conf
• T1465 Fixed priority inversion in interfaces vti vtiX ip settings
• T1446 Fixed errors when installing with RAID1 on UEFI machines
• T1387 Fixed an error on disabling an interfaces that has no address

3.8. 1.2.2 91
 VyOS Documentation, 发布 1.4.x (sagitta)

• T1367 Fixed deleting VLAN interface with non-default MTU

• T1505 vyos.config return_effective_values() function now correctly returns a list rather than a string

3.9 1.2.1

VyOS 1.2.1 is a maintenance release made in April 2019.

3.9.1 Resolved issues

• Package updates: kernel 4.19.32, open-vm-tools 10.3, latest Intel NIC drivers
• T1326 The kernel now includes drivers for various USB serial adapters, which allows people to add a serial console
to a machine without onboard RS232, or connect to something else from the router
• The collection of network card firmware is now much more extensive
• T1271 VRRP now correctly uses a virtual rather than physical MAC addresses in the RFC-compliant mode
• T1330 DHCP WPAD URL option works correctly again
• T1312 Many to many NAT rules now can use source/destination and translation networks of non-matching size. If
1:1 network bits translation is desired, it’s now users responsibility to check if prefix length matches.
• T1290 IPv6 network prefix translation is fixed
• T1308 Non-alphanumeric characters such as > can now be safely used in PPPoE passwords
• T1305 show | commands no longer fails when a config section ends with a leaf node such as timezone in
show system | commands
• T1235 show | commands correctly works in config mode now
• T1298 VTI is now compatible with the DHCP-interface IPsec option
• T1277 show dhcp server statistics command was broken in latest Crux
• T1261 An issue with TFTP server refusing to listen on addresses other than loopback was fixed
• T1224 Template issue that might cause UDP broadcast relay fail to start is fixed
• T1067 VXLAN value validation is improved
• T1211 Blank hostnames in DHCP updates no longer can crash DNS forwarding
• T1322 Correct configuration is now generated for DHCPv6 relays with more than one upstream interface
• T1234 relay-agents-packets option works correctly now
• T1231 Dynamic DNS data is now cleaned on configuration change
• T1282 Remote Syslog can now use a fully qualified domain name
• T1279 ACPI power off works again
• T1247 Negation in WAN load balancing rules works again
• T1218 FRR staticd now starts on boot correctly
• T1296 The installer now correctly detects SD card devices
• T1225 Wireguard peers can be disabled now
• T1217 The issue with Wireguard interfaces impossible to delete is fixed

3.9. 1.2.1 92
 VyOS Documentation, 发布 1.4.x (sagitta)

• T1160 Unintended IPv6 access is fixed in SNMP configuration

• T1060 It’s now possible to exclude hosts from the transparent web proxy
• T484 An issue with rules impossible to delete from the zone-based firewall is fixed

3.9. 1.2.1 93
 CHAPTER 4

Installation and Image Management

4.1 Installation

VyOS installation requires to download a VyOS .iso file. That file is a live install image that lets you boot a live VyOS.
From that live system you can proceed to the permanent installation on a hard drive or any other type of storage.

4.1.1 Hardware requirements

The minimum system requirements are 512 MiB RAM and 2 GiB storage. Depending on your use you might need
additional RAM and CPU resources e.g. when having multiple BGP full tables in your system.

4.1.2 Download

Registered Subscribers

Registered subscribers can log into https://support.vyos.io/ to have access to a variety of different downloads via the
“Downloads”link. These downloads include LTS (Long-Term-Support) and associated hot-fix releases, early public
access releases, pre-built VM images, as well as device specific installation ISOs.

Building from source

Non-subscribers can always get the LTS release by building it from source. Instruction can be found in the Build VyOS
section of this manual. VyOS source code repository is available for everyone at https://github.com/vyos/vyos-build.

94
 VyOS Documentation, 发布 1.4.x (sagitta)

Rolling Release

Everyone can download bleeding-edge VyOS rolling images from: https://downloads.vyos.io/

注解: Rolling releases contain all the latest enhancements and fixes. This means that there will be new bugs of course.
If you think you hit a bug please follow the guide at Bug Report/Issue. To improve VyOS we depend on your feedback!

The following link will always fetch the most recent VyOS build for AMD64 systems from the current branch: https:
//downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso

Download Verification

LTS images are signed by VyOS lead package-maintainer private key. With the official public key, the authenticity of the
package can be verified. GPG (GNU Privacy Guard) is used for verification.

注解: This subsection only applies e applies to LTS images, for Rolling images please jump to Live installation.

Preparing for the verification

First, install GPG or another OpenPGP implementation. On most GNU+Linux distributions it is installed by default as
package managers use it to verify package signatures. If not pre-installed, it will need to be downloaded and installed.
The official VyOS public key can be retrieved in a number of ways. Skip to GPG verification if the key is already present.
It can be retrieved directly from a key server:
gpg --recv-keys FD220285A0FE6D7E
Or it can be accessed via a web browser:
https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E
Or from the following block:

4.1. Installation 95
 VyOS Documentation, 发布 1.4.x (sagitta)

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.4.12 (GNU/Linux)

mQINBFXKsiIBEACyid9PR/v56pSRG8VgQyRwvzoI7rLErZ8BCQA2WFxA6+zNy+6G
+0E/6XAOzE+VHli+wtJpiVJwAh+wWuqzOmv9css2fdJxpMW87pJAS2i3EVVVf6ab
wU848JYLGzc9y7gZrnT1m2fNh4MXkZBNDp780WpOZx8roZq5X+j+Y5hk5KcLiBn/
lh9Zoh8yzrWDSXQsz0BGoAbVnLUEWyo0tcRcHuC0eLx6oNG/IHvd/+kxWB1uULHU
SlB/6vcx56lLqgzywkmhP01050ZDyTqrFRIfrvw6gLQaWlgR3lB93txvF/sz87Il
VblV7e6HEyVUQxedDS8ikOyzdb5r9a6Zt/j8ZPSntFNM6OcKAI7U1nDD3FVOhlVn
7lhUiNc+/qjC+pR9CrZjr/BTWE7Zpi6/kzeH4eAkfjyALj18oC5udJDjXE5daTL3
k9difHf74VkZm29Cy9M3zPckOZpsGiBl8YQsf+RXSBMDVYRKZ1BNNLDofm4ZGijK
mriXcaY+VIeVB26J8m8y0zN4/ZdioJXRcy72c1KusRt8e/TsqtC9UFK05YpzRm5R
/nwxDFYb7EdY/vHUFOmfwXLaRvyZtRJ9LwvRUAqgRbbRZg3ET/tn6JZk8hqx3e1M
IxuskOB19t5vWyAo/TLGIFw44SErrq9jnpqgclTSRgFjcjHEm061r4vjoQARAQAB
tDZWeU9TIE1haW50YWluZXJzIChWeU9TIFJlbGVhc2UpIDxtYWludGFpbmVyc0B2
eW9zLm5ldD6JAjgEEwECACIFAlXKsiICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
AheAAAoJEP0iAoWg/m1+xbgP+QEDYZi5dA4IPY+vU1L95Bavju2m2o35TSUDPg5B
jfAGuhbsNUceU+l/yUlxjpKEmvshyW3GHR5QzUaKGup/ZDBo1CBxZNhpSlFida2E
KAYTx4vHk3MRXcntiAj/hIJwRtzCUp5UQIqHoU8dmHoHOkKEP+zhJuR6E2s+WwDr
nTwE6eRa0g/AHY+chj2Je6flpPm2CKoTfUE7a2yBBU3wPq3rGtsQgVxPAxHRZz7A
w4AjH3NM1Uo3etuiDnGkJAuoKKb1J4X3w2QlbwlR4cODLKhJXHIufwaGtRwEin9S
1l2bL8V3gy2Hv3D2t9TQZuR5NUHsibJRXLSa8WnSCcc6Bij5aqfdpYB+YvKH/rIm
GvYPmLZDfKGkx0JE4/qtfFjiPJ5VE7BxNyliEw/rnQsxWAGPqLlL61SD8w5jGkw3
CinwO3sccTVcPz9b6A1RsbBVhTJJX5lcPn1lkOEVwQ7l8bRhOKCMe0P53qEDcLCd
KcXNnAFbVes9u+kfUQ4oxS0G2JS9ISVNmune+uv+JR7KqSdOuRYlyXA9uTjgWz4y
Cs7RS+CpkJFqrqOtS1rmuDW9Ea4PA8ygGlisM5d/AlVkniHz/2JYtgetiLCj9mfE
MzQpgnldNSPumKqJ3wwmCNisE+lXQ5UXCaoaeqF/qX1ykybQn41LQ+0xT5Uvy7sL
9IwGuQINBFXKsiIBEACg2mP3QYkXdgWTK5JyTGyttE6bDC9uqsK8dc1J66Tjd5Ly
Be0amO+88GHXa0o5Smwk2QNoxsRR41G/D/eAeGsuOEYnePROEr3tcLnDjo4KLgQ+
H69zRPn77sdP3A34Jgp+QIzByJWM7Cnim31quQP3qal2QdpGJcT/jDJWdticN76a
Biaz+HN13LyvZM+DWhUDttbjAJc+TEwF9YzIrU+3AzkTRDWkRh4kNIQxjlpNzvho
9V75riVqg2vtgPwttPEhOLb0oMzy4ADdfezrfVvvMb4M4kY9npu4MlSkNTM97F/I
QKy90JuSUIjE05AO+PDXJF4Fd5dcpmukLV/2nV0WM2LAERpJUuAgkZN6pNUFVISR
+nSfgR7wvqeDY9NigHrJqJbSEgaBUs6RTk5hait2wnNKLJajlu3aQ2/QfRT/kG3h
ClKUz3Ju7NCURmFE6mfsdsVrlIsEjHr/dPbXRswXgC9FLlXpWgAEDYi9Wdxxz8o9
JDWrVYdKRGG+OpLFh8AP6QL3YnZF+p1oxGUQ5ugXauAJ9YS55pbzaUFP8oOO2P1Q
BeYnKRs1GcMI8KWtE/fze9C9gZ7Dqju7ZFEyllM4v3lzjhT8muMSAhw41J22mSx6
VRkQVRIAvPDFES45IbB6EEGhDDg4pD2az8Q7i7Uc6/olEmpVONSOZEEPsQe/2wAR
AQABiQIfBBgBAgAJBQJVyrIiAhsMAAoJEP0iAoWg/m1+niUQAKTxwJ9PTAfB+XDk
3qH3n+T49O2wP3fhBI0EGhJp9Xbx29G7qfEeqcQm69/qSq2/0HQOc+w/g8yy71jA
6rPuozCraoN7Im09rQ2NqIhPK/1w5ZvgNVC0NtcMigX9MiSARePKygAHOPHtrhyO
rJQyu8E3cV3VRT4qhqIqXs8Ydc9vL3ZrJbhcHQuSLdZxM1k+DahCJgwWabDCUizm
sVP3epAP19FP8sNtHi0P1LC0kq6/0qJot+4iBiRwXMervCD5ExdOm2ugvSgghdYN
BikFHvmsCxbZAQjykQ6TMn+vkmcEz4fGAn4L7Nx4paKEtXaAFO8TJmFjOlGUthEm
CtHDKjCTh9WV4pwG2WnXuACjnJcs6LcK377EjWU25H4y1ff+NDIUg/DWfSS85iIc
UgkOlQO6HJy0O96L5uxn7VJpXNYFa20lpfTVZv7uu3BC3RW/FyOYsGtSiUKYq6cb
CMxGTfFxGeynwIlPRlH68BqH6ctR/mVdo+5UIWsChSnNd1GreIEI6p2nBk3mc7jZ
7pTEHpjarwOjs/S/lK+vLW53CSFimmW4lw3MwqiyAkxl0tHAT7QMHH9Rgw2HF/g6
XD76fpFdMT856dsuf+j2uuJFlFe5B1fERBzeU18MxML0VpDmGFEaxxypfACeI/iu
8vzPzaWHhkOkU8/J/Ci7+vNtUOZb
=Ld8S
-----END PGP PUBLIC KEY BLOCK-----

Store the key in a new text file and import it into GPG via: gpg --import file_with_the_public_key
The import can be verified with:

4.1. Installation 96
 VyOS Documentation, 发布 1.4.x (sagitta)

$ gpg --list-keys
...
pub rsa4096 2015-08-12 [SC]
0694A9230F5139BF834BA458FD220285A0FE6D7E
uid [ unknown] VyOS Maintainers (VyOS Release) <[email protected]>
sub rsa4096 2015-08-12 [E]

GPG verification

With the public key imported, the signature for the desired image needs to be downloaded.

注解: The signature can be downloaded by appending .asc to the URL of the downloaded VyOS image. That small .asc
file is the signature for the associated image.

Finally, verify the authenticity of the downloaded image:

$ gpg2 --verify vyos-1.2.1-amd64.iso.asc vyos-1.2.1-amd64.iso

gpg: Signature made So 14 Apr 12:58:07 2019 CEST
gpg: using RSA key FD220285A0FE6D7E
gpg: Good signature from "VyOS Maintainers (VyOS Release) <[email protected]>"␣
,→[unknown]

Primary key fingerprint: 0694 A923 0F51 39BF 834B A458 FD22 0285 A0FE 6D7E

4.1.3 Live installation

注解: A permanent VyOS installation always requires to go first through a live installation.

VyOS, as other GNU+Linux distributions, can be tested without installing it in your hard drive. With your downloaded
VyOS .iso file you can create a bootable USB drive that will let you boot into a fully functional VyOS system.
Once you have tested it, you can either decide to begin a Permanent installation in your hard drive or power your system
off, remove the USB drive, and leave everythng as it was.
If you have a GNU+Linux system, you can create your VyOS bootable USB stick with with the dd command:
1. Open your terminal emulator.
2. Find out the device name of your USB drive (you can use the lsblk command)
3. Unmount the USB drive. Replace X in the example below with the letter of your device and keep the
asterisk (wildcard) to unmount all partitions.

$ umount /dev/sdX*

4. Write the image (your VyOS .iso file) to the USB drive. Note that here you want to use the device
name (e.g. /dev/sdb), not the partition name (e.g. /dev/sdb1).
Warning: This will destroy all data on the USB drive!

# dd if=/path/to/vyos.iso of=/dev/sdX bs=8M; sync

5. Wait until you get the outcome (bytes copied). Be patient, in some computers it might take more than
one minute.

4.1. Installation 97
 VyOS Documentation, 发布 1.4.x (sagitta)

6. Once dd has finished, pull the USB drive out and plug it into the powered-off computer where you
want to install (or test) VyOS.
7. Power the computer on, making sure it boots from the USB drive (you might need to select booting
device or change booting settings).
8. Once VyOS is completely loaded, enter the default credentials (login: vyos, password: vyos).
If you find difficulties with this method, prefer to use a GUI program, or have a different operating system, there are other
programs you can use to create a bootable USB drive, like balenaEtcher (for GNU/Linux, macOS and Windows), Rufus
(for Windows) and many others. You can follow their instructions to create a bootable USB drive from an .iso file.

提示: The default username and password for the live system is vyos.

4.1.4 Permanent installation

注解: Before a permanent installation, VyOS requires a Live installation.

Unlike general purpose Linux distributions, VyOS uses“image installation”that mimics the user experience of traditional
hardware routers and allows keeping multiple VyOS versions installed simultaneously. This makes it possible to switch
to a previous version if something breaks or miss-behaves after an image upgrade.
Every version is contained in its own squashfs image that is mounted in a union filesystem together with a directory for
mutable data such as configurations, keys, or custom scripts.

注解: Older versions (prior to VyOS 1.1) used to support non-image installation (install system command).
Support for this has been removed from VyOS 1.2 and newer releases. Older releases can still be upgraded via the general
add system image <image_path> upgrade command (consult Image Management for further information).

In order to proceed with a permanent installation:

1. Log into the VyOS live system (use the default credentials: vyos, vyos)
2. Run the install image command and follow the wizard:
vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]: Yes
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 2000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted? If
you have already setup your partitions, you may skip this step

Partition (Auto/Parted/Skip) [Auto]:

I found the following drives on your system:

sda 4294MB

Install the image on? [sda]:

(下页继续)

4.1. Installation 98
 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

This will destroy all data on /dev/sda.

Continue? (Yes/No) [No]: Yes

How big of a root partition should I create? (2000MB - 4294MB) [4294]MB:

Creating filesystem on /dev/sda1: OK

Done!
Mounting /dev/sda1...
What would you like to name this image? [1.2.0-rolling+201809210337]:
OK. This image will be named: 1.2.0-rolling+201809210337
Copying squashfs image...
Copying kernel and initrd images...
Done!
I found the following configuration files:
/opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/opt/vyatta/etc/config.boot.default]:

Copying /opt/vyatta/etc/config.boot.default to sda.

Enter password for administrator account
Enter password for user 'vyos':
Retype password for user 'vyos':
I need to install the GRUB boot loader.
I found the following drives on your system:
sda 4294MB

Which drive should GRUB modify the boot partition on? [sda]:

Setting up grub: OK
Done!

3. After the installation is complete, remove the live USB stick or CD.
4. Reboot the system.

vyos@vyos:~$ reboot
Proceed with reboot? (Yes/No) [No] Yes

You will boot now into a permanent VyOS system.

4.1.5 PXE Boot

VyOS can also be installed through PXE. This is a more complex installation method which allows deploying VyOS
through the network.
Requirements
• Clients (where VyOS is to be installed) with a PXE-enabled NIC
• DHCP Server
• TFTP Server
• Webserver (HTTP) - optional, but we will use it to speed up installation
• VyOS ISO image to be installed (do not use images prior to VyOS 1.2.3)
• Files pxelinux.0 and ldlinux.c32 from the Syslinux distribution

4.1. Installation 99
 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

Step 1: DHCP

Configure a DHCP server to provide the client with:

• An IP address
• The TFTP server address (DHCP option 66). Sometimes referred as boot server
• The bootfile name (DHCP option 67), which is pxelinux.0
In this example we configured an existent VyOS as the DHCP server:

vyos@vyos# show service dhcp-server

shared-network-name mydhcp {
subnet 192.168.1.0/24 {
bootfile-name pxelinux.0
bootfile-server 192.168.1.50
default-router 192.168.1.50
range 0 {
start 192.168.1.70
stop 192.168.1.100
}
}
}

Step 2: TFTP

Configure a TFTP server so that it serves the following:

• The pxelinux.0 file from the Syslinux distribution
• The ldlinux.c32 file from the Syslinux distribution
• The kernel of the VyOS software you want to deploy. That is the vmlinuz file inside the /live directory of the
extracted contents from the ISO file.
• The initial ramdisk of the VyOS ISO you want to deploy. That is the initrd.img file inside the /live directory of the
extracted contents from the ISO file. Do not use an empty (0 bytes) initrd.img file you might find, the correct file
may have a longer name.
• A directory named pxelinux.cfg which must contain the configuration file. We will use the configuration file shown
below, which we named default.
In the example we configured our existent VyOS as the TFTP server too:

vyos@vyos# show service tftp-server

directory /config/tftpboot
listen-address 192.168.1.50

Example of the contents of the TFTP server:

vyos@vyos# ls -hal /config/tftpboot/

total 29M
drwxr-sr-x 3 tftp tftp 4.0K Oct 14 00:23 .
drwxrwsr-x 9 root vyattacfg 4.0K Oct 18 00:05 ..
-r--r--r-- 1 root vyattacfg 25M Oct 13 23:24 initrd.img-4.19.54-amd64-vyos
(下页继续)

4.1. Installation 100

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
-rwxr-xr-x 1 root vyattacfg 120K Oct 13 23:44 ldlinux.c32
-rw-r--r-- 1 root vyattacfg 46K Oct 13 23:24 pxelinux.0
drwxr-xr-x 2 root vyattacfg 4.0K Oct 14 01:10 pxelinux.cfg
-r--r--r-- 1 root vyattacfg 3.7M Oct 13 23:24 vmlinuz

vyos@vyos# ls -hal /config/tftpboot/pxelinux.cfg

total 12K
drwxr-xr-x 2 root vyattacfg 4.0K Oct 14 01:10 .
drwxr-sr-x 3 tftp tftp 4.0K Oct 14 00:23 ..
-rw-r--r-- 1 root root 191 Oct 14 01:10 default

Example of simple (no menu) configuration file:

vyos@vyos# cat /config/tftpboot/pxelinux.cfg/default

DEFAULT VyOS123

LABEL VyOS123
KERNEL vmlinuz
APPEND initrd=initrd.img-4.19.54-amd64-vyos boot=live nopersistence noautologin␣
,→nonetworking fetch=http://address:8000/filesystem.squashfs

Step 3: HTTP

We also need to provide the filesystem.squashfs file. That is a heavy file and TFTP is slow, so you could send it through
HTTP to speed up the transfer. That is how it is done in our example, you can find that in the configuration file above.
First run a web server - you can use a simple one like Python’s SimpleHTTPServer and start serving the filesys-
tem.squashfs file. The file can be found inside the /live directory of the extracted contents of the ISO file.
Second, edit the configuration file of the Step 2: TFTP so that it shows the correct URL at fetch=http://
<address_of_your_HTTP_server>/filesystem.squashfs.

注解: Do not change the name of the filesystem.squashfs file. If you are working with different versions, you can create
different directories instead.

And third, restart the TFTP service. If you are using VyOS as your TFTP Server, you can restart the service with sudo
service tftpd-hpa restart.

注解: Make sure the available directories and files in both TFTP and HTTP server have the right permissions to be
accessed from the booting clients.

4.1. Installation 101

 VyOS Documentation, 发布 1.4.x (sagitta)

Client Boot

Finally, turn on your PXE-enabled client or clients. They will automatically get an IP address from the DHCP server and
start booting into VyOS live from the files automatically taken from the TFTP and HTTP servers.
Once finished you will be able to proceed with the install image command as in a regular VyOS installation.

4.1.6 Known Issues

This is a list of known issues that can arise during installation.

Black screen on install

GRUB attempts to redirect all output to a serial port for ease of installation on headless hosts. This appears to cause an
hard lockup on some hardware that lacks a serial port, with the result being a black screen after selecting the Live system
option from the installation image.
The workaround is to type e when the boot menu appears and edit the GRUB boot options. Specifically, remove the:
console=ttyS0,115200
option, and type CTRL-X to boot.
Installation can then continue as outlined above.

4.2 Running VyOS in Virtual Environments

4.2.1 Running on Libvirt Qemu/KVM

Libvirt is an open-source API, daemon and management tool for managing platform virtualization. There are several
ways to deploy VyOS on libvirt kvm. Use Virt-manager and native CLI. In an example we will be use use 4 gigabytes of
memory, 2 cores CPU and default network virbr0.

CLI

Deploy from ISO

Create VM name vyos_r1. You must specify the path to the ISO image, the disk qcow2 will be created automatically.
The default network is the virtual network (type Virtio) created by the hypervisor with NAT.

$ virt-install -n vyos_r1 \
--ram 4096 \
--vcpus 2 \
--cdrom /var/lib/libvirt/images/vyos.iso \
--os-type linux \
--os-variant debian10 \
--network network=default \
--graphics vnc \
--hvm \
--virt-type kvm \
--disk path=/var/lib/libvirt/images/vyos_r1.qcow2,bus=virtio,size=8 \
--noautoconsole

4.2. Running VyOS in Virtual Environments 102

 VyOS Documentation, 发布 1.4.x (sagitta)

Connect to VM with command virsh console vyos_r1

$ virsh console vyos_r1

Connected to domain vyos_r1

Escape character is ^]

vyos login: vyos

Password:

vyos@vyos:~$ install image

After installation - exit from the console using the key combination Ctrl + ] and reboot the system.

Deploy from qcow2

The convenience of using KVM (Kernel-based Virtual Machine) images is that they don’t need to be installed. Download
predefined VyOS.qcow2 image for KVM

curl --url link_to_vyos_kvm.qcow2 --output /var/lib/libvirt/images/vyos_kvm.qcow2

Create VM with import qcow2 disk option.

$ virt-install -n vyos_r2 \
--ram 4096 \
--vcpus 2 \
--os-type linux \
--os-variant debian10 \
--network network=default \
--graphics vnc \
--hvm \
--virt-type kvm \
--disk path=/var/lib/libvirt/images/vyos_kvm.qcow2,bus=virtio \
--import \
--noautoconsole

Connect to VM with command virsh console vyos_r2

$ virsh console vyos_r2

Connected to domain vyos_r2

Escape character is ^]

vyos login: vyos

Password:

vyos@vyos:~$

The system is fully operational.

4.2. Running VyOS in Virtual Environments 103

 VyOS Documentation, 发布 1.4.x (sagitta)

Virt-manager

The virt-manager application is a desktop user interface for managing virtual machines through libvirt. On the linux open
VMM (Virtual Machine Manager).

Deploy from ISO

1. Open VMM and Create a new VM (Virtual Machine)

2. Choose Local install media (ISO)

4.2. Running VyOS in Virtual Environments 104

 VyOS Documentation, 发布 1.4.x (sagitta)

3. Choose path to iso vyos.iso. Operating System can be any Debian based.

4. Choose Memory and CPU

5. Disk size
6. Name of VM and network selection
7. Then you will be taken to the console.

4.2. Running VyOS in Virtual Environments 105

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 106

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 107

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 108

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 109

 VyOS Documentation, 发布 1.4.x (sagitta)

Deploy from qcow2

Download predefined VyOS.qcow2 image for KVM

curl --url link_to_vyos_kvm.qcow2 --output /var/lib/libvirt/images/vyos_kvm.qcow2

1. Open VMM and Create a new VM

2. Choose Import existing disk image

3. Choose the path to the image vyos_kvm.qcow2 that was previously downloaded . Operation System can be any
Debian based.

4.2. Running VyOS in Virtual Environments 110

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 111

 VyOS Documentation, 发布 1.4.x (sagitta)

4. Choose Memory and CPU

5. Name of VM and network selection

6. Then you will be taken to the console.

4.2. Running VyOS in Virtual Environments 112

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 113

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 114

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2.2 Proxmox

References

https://www.proxmox.com/en/proxmox-ve

4.2.3 Running on VMware ESXi

ESXi 5.5 or later

.ova files are available for supporting users, and a VyOS can also be stood up using a generic Linux instance, and attaching
the bootable ISO file and installing from the ISO using the normal process around install image.

注解: There have been previous documented issues with GRE/IPSEC tunneling using the E1000 adapter on the VyOS
guest, and use of the VMXNET3 has been advised.

Memory Contention Considerations

When the underlying ESXi host is approaching ~92% memory utilisation it will start the balloon process in s a ‘soft’
state to start reclaiming memory from guest operating systems. This causes an artificial pressure using the vmmemctl
driver on memory usage on the virtual guest. As VyOS by default does not have a swap file, this vmmemctl pressure is
unable to force processes to move in memory data to the paging file, and blindly consumes memory forcing the virtual
guest into a low memory state with no way to escape. The balloon can expand to 65% of guest allocated memory, so a
VyOS guest running >35% of memory usage, can encounter an out of memory situation, and trigger the kernel oom_kill
process. At this point a weighted lottery favouring memory hungry processes will be run with the unlucky winner being
terminated by the kernel.
It is advised that VyOS routers are configured in a resource group with adequate memory reservations so that ballooning
is not inflicted on virtual VyOS guests.

References

https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-killer.html

4.2.4 Running on GNS3

Sometimes you may want to test VyOS in a lab environment. GNS3 is a network emulation software you might use for it.
This guide will provide the necessary steps for installing and setting up VyOS on GNS3.

4.2. Running VyOS in Virtual Environments 115

 VyOS Documentation, 发布 1.4.x (sagitta)

Requirements

The following items are required:

• A VyOS installation image (.iso file). You can find how to get it on the Installation page
• A working GNS3 installation. For further information see the GNS3 documentation.

VM setup

First, a virtual machine (VM) for the VyOS installation must be created in GNS3.
Go to the GNS3 File menu, click New template and choose select Manually create a new Template.

Select Quemu VMs and then click on the New button.

Write a name for your VM, for instance “VyOS”, and click Next.
Select qemu-system-x86_64 as Quemu binary, then 512MB of RAM and click Next.
Select telnet as your console type and click Next.
Select New image for the base disk image of your VM and click Create.
Use the defaults in the Binary and format window and click Next.
Use the defaults in the Qcow2 options window and click Next.
Set the disk size to 2000 MiB, and click Finish to end the Quemu image creator.
Click Finish to end the New QEMU VM template wizard.
Now the VM settings have to be edited.
Being again at the Preferences window, having Qemu VMs selected and having our new VM selected, click the Edit
button.
In the General settings tab of your QEMU VM template configuration, do the following:
• Click on the Browse... button to choose the Symbol you want to have representing your VM.

4.2. Running VyOS in Virtual Environments 116

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 117

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 118

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 119

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 120

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 121

 VyOS Documentation, 发布 1.4.x (sagitta)

• In Category select in which group you want to find your VM.

• Set the Boot priority to CD/DVD-ROM.
At the HDD tab, change the Disk interface to sata to speed up the boot process.
At the CD/DVD tab click on Browse... and locate the VyOS image you want to install.

注解: You probably will want to accept to copy the .iso file to your default image directory when you are asked.

In the Network tab, set 0 as the number of adapters, set the Name format to eth{0} and the Type to Paravirtualized
Network I/O (virtio-net-pci).
In the Advanced tab, unmark the checkbox Use as a linked base VM and click OK, which will save and close the QEMU
VM template configuration window.
At the general Preferences window, click OK to save and close.

4.2. Running VyOS in Virtual Environments 122

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 123

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 124

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 125

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 126

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 127

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 128

 VyOS Documentation, 发布 1.4.x (sagitta)

4.2. Running VyOS in Virtual Environments 129

 VyOS Documentation, 发布 1.4.x (sagitta)

VyOS installation

• Create a new project.

• Drag the newly created VyOS VM into it.
• Start the VM.
• Open a console. The console should show the system booting. It will ask for the login credentials, you are at the
VyOS live system.
• Install VyOS as normal (that is, using the install image command).
• After a successful installation, shutdown the VM with the poweroff command.
• Delete the VM from the GNS3 project.
The VyOS-hda.qcow2 file now contains a working VyOS image and can be used as a template. But it still needs some
fixes before we can deploy VyOS in our labs.

VyOS VM configuration

To turn the template into a working VyOS machine, further steps are necessary as outlined below:
General settings tab: Set the boot priority to HDD
CD/DVD tab: Unmount the installation image file by clearing the Image entry field.
Set the number of required network adapters, for example 4.
Advanced settings tab: Mark the checkbox Use as a linked base VM and click OK to save the changes.
The VyOS VM is now ready to be deployed.

4.2.5 EVE-NG

References

https://www.eve-ng.net/

4.3 Running VyOS in Cloud Environments

4.3.1 亚马逊 AWS

部署虚拟机

在 AWS 上部署 VyOS

1. 点击 Instance 查看实例，然后点 Launch Instance 来启动实例
2. 在市场中搜索“VyOS”
3. 选择实例类型。最低推荐 m3.medium 起步
4. 根据你的需求配置实例。选择实例数量、网络及子网
5. 额外存储。你可以移除额外的存储 /dev/sdb 。第一个根设备为 /dev/xvda 。这一步也可以跳过
6. 配置安全组。强烈建议你配置仅允许从特定的源地址进行 SSH 连接，否则默认为允许所有 SSH 连接。

4.3. Running VyOS in Cloud Environments 130

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 131

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 132

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 133

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 134

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 135

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 136

 VyOS Documentation, 发布 1.4.x (sagitta)

7. Select SSH key pair and click Launch Instances

8. Find out your public IP address.

9. Connect to the instance by SSH key.

ssh -i ~/.ssh/amazon.pem [email protected]

vyos@ip-192-0-2-10:~$

References

https://console.aws.amazon.com/

4.3.2 Azure

部署虚拟机

Deploy VyOS on Azure.

1. Go to the Azure services and Click to Add new Virtual machine
2. Choose vm name, resource group, region and click Browse all public and private images
3. On the marketplace search VyOS and choose the appropriate subscription

4.3. Running VyOS in Cloud Environments 137

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 138

 VyOS Documentation, 发布 1.4.x (sagitta)

4. Generate new SSH key pair or use existing.

5. Define network, subnet, Public IP. Or it will be created by default.

6. Click Review + create. After a few seconds your deployment will be complete
7. Click to your new vm and find out your Public IP address.
8. Connect to the instance by SSH key.

ssh -i ~/.ssh/vyos_azure [email protected]

vyos@vyos-doc-r1:~$

Add interface

If instance was deployed with one eth0 WAN interface and want to add new one. To add new interface an example eth1
LAN you need shutdown the instance. Attach the interface in the Azure portal and then start the instance.

注解: Azure does not allow you attach interface when the instance in the Running state.

Absorbing Routes

If using as a router, you will want your LAN interface to absorb some or all of the traffic from your VNET by using a
route table applied to the subnet.
1. Create a route table and browse to Configuration
2. Add one or more routes for networks you want to pass through the VyOS VM. Next hop type Virtual Appliance
with the Next Hop Address of the VyOS LAN interface.

注解: If you want to create a new default route for VMs on the subnet, use Address Prefix 0.0.0.0/0 Also note that
if you want to use this as a typical edge device, you’ll want masquerade NAT for the WAN interface.

4.3. Running VyOS in Cloud Environments 139

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 140

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 141

 VyOS Documentation, 发布 1.4.x (sagitta)

Serial Console

Azure has a way to access the serial console of a VM, but this needs to be configured on the VyOS. It’s there by default, but
keep it in mind if you are replacing config.boot and rebooting: set system console device ttyS0 speed
'9600'

References

https://azure.microsoft.com

4.3.3 Google Cloud Platform

部署虚拟机

To deploy VyOS on GCP (Google Cloud Platform)

1. Generate SSH key pair type ssh-rsa from the host that will connect to VyOS.
Example:

ssh-keygen -t rsa -f ~/.ssh/vyos_gcp -C "vyos@mypc"

注解: In name “vyos@mypc”The first value must be “vyos”. Because default user is vyos and google api uses this
option.

2. Open GCP console and navigate to the menu Metadata. Choose SSH Keys and click edit.

Click Add item and paste your public ssh key. Click Save.
2. On marketplace search “VyOS”
3. Change Deployment name/Zone/Machine type and click Deploy
4. After fiew seconds click to instance
5. Find out your external IP address
6. Connect to the instance. SSH key was generated in the first step.

ssh -i ~/.ssh/vyos_gcp [email protected]

vyos@vyos-r1-vm:~$

4.3. Running VyOS in Cloud Environments 142

 VyOS Documentation, 发布 1.4.x (sagitta)

4.3. Running VyOS in Cloud Environments 143

 VyOS Documentation, 发布 1.4.x (sagitta)

References

https://console.cloud.google.com/

4.3.4 Oracle

References

https://www.oracle.com/cloud/

4.4 Running on Bare Metal

4.4.1 Supermicro A2SDi (Atom C3000)

I opted to get one of the new Intel Atom C3000 CPUs to spawn VyOS on it. Running VyOS on an UEFI only device is
supported as of VyOS release 1.2.

Shopping Cart

• 1x Supermicro CSE-505-203B (19”1U chassis, inkl. 200W PSU)

• 1x Supermicro MCP-260-00085-0B (I/O Shield for A2SDi-2C-HLN4F)
• 1x Supermicro A2SDi-2C-HLN4F (Intel Atom C3338, 2C/2T, 4MB cache, Quad LAN with Intel C3000 SoC
1GbE)
• 1x Crucial CT4G4DFS824A (4GB DDR4 RAM 2400 MT/s, PC4-19200)
• 1x SanDisk Ultra Fit 32GB (USB-A 3.0 SDCZ43-032G-G46 mass storage for OS)
• 1x Supermicro MCP-320-81302-0B (optional FAN tray)

4.4. Running on Bare Metal 144

 VyOS Documentation, 发布 1.4.x (sagitta)

Optional (10GE)

If you want to get additional ethernet ports or even 10GE connectivity the following optional parts will be required:
• 1x Supermicro RSC-RR1U-E8 (Riser Card)
• 1x Supermicro MCP-120-00063-0N (Riser Card Bracket)
Latest VyOS rolling releases boot without any problem on this board. You also receive a nice IPMI interface realized
with an ASPEED AST2400 BMC (no information about OpenBMC so far on this motherboard).

Pictures

4.4.2 PC Engines APU4

As this platform seems to be quite common in terms of noise, cost, power and performance it makes sense to write a
small installation manual.
This guide was developed using an APU4C4 board with the following specs:
• AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K
instruction cache per core, shared 2MB L2 cache.
• 4 GB DDR3-1333 DRAM, with optional ECC support
• About 6 to 10W of 12V DC power depending on CPU load
• 2 miniPCI express (one with SIM socket for 3G modem).

4.4. Running on Bare Metal 145

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 146

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 147

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 148

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 149

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 150

 VyOS Documentation, 发布 1.4.x (sagitta)

• 4 Gigabit Ethernet channels using Intel i211AT NICs

The board can be powered via 12V from the front or via a 5V onboard connector.

Shopping Cart

• 1x apu4c4 = 4 i211AT LAN / AMD GX-412TC CPU / 4 GB DRAM / dual SIM

• 1x Kingston SUV500MS/120G
• 1x VARIA Group Item 326745 19”dual rack for APU4
The 19”enclosure can accommodate up to two APU4 boards - there is a single and dual front cover.

Extension Modules

WiFi

Refer to Wireless LAN (WiFi) for additional information, below listed modules have been tested successfully on this
Hardware platform:
• Compex WLE900VX mini-PCIe WiFi module, only supported in mPCIe slot 1.

WWAN

Refer to WirelessModem (WWAN) for additional information, below listed modules have been tested successfully on this
Hardware platform using VyOS 1.3 (equuleus):
• Sierra Wireless AirPrime MC7304 miniPCIe card (LTE)
• Sierra Wireless AirPrime MC7430 miniPCIe card (LTE)
• Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)
• Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)
• Huawei ME909u-521 miniPCIe card (LTE)

VyOS 1.2 (crux)

Depending on the VyOS versions you intend to install there is a difference in the serial port settings (T1327).
Create a bootable USB pendrive using e.g. Rufus on a Windows machine.
Connect serial port to a PC through null modem cable (RXD / TXD crossed over). Set terminal emulator to 115200 8N1.

PC Engines apu4
coreboot build 20171130
BIOS version v4.6.4
4080 MB ECC DRAM
SeaBIOS (version rel-1.11.0.1-0-g90da88d)

Press F10 key now for boot menu:

Select boot device:

(下页继续)

4.4. Running on Bare Metal 151

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
1. ata0-0: KINGSTON SUV500MS120G ATA-11 Hard-Disk (111 GiBytes)
2. USB MSC Drive Generic Flash Disk 8.07
3. Payload [memtest]
4. Payload [setup]

Now boot from the USB MSC Drive Generic Flash Disk 8.07 media by pressing 2, the VyOS boot menu
will appear, just wait 10 seconds or press Enter to continue.

lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x VyOS - Boot Menu x
tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
x Live (amd64-vyos) x
x Live (amd64-vyos failsafe) x
x x
mqqqqqqPress ENAutomatic boot in 10 seconds...nu entryqqqqqqqj

The image will be loaded and the last lines you will get will be:

Loading /live/vmlinuz... ok
Loading /live/initrd.img...

The Kernel will now spin up using a different console setting. Set terminal emulator to 9600 8N1 and after a while your
console will show:

Loading /live/vmlinuz... ok
Loading /live/initrd.img...
Welcome to VyOS - vyos ttyS0

vyos login:

You can now proceed with a regular image installation as described in Installation.
As the APU board itself still used a serial setting of 115200 8N1 it is strongly recommended that you change the VyOS
serial interface settings after your first successful boot.
Use the following command to adjust the Serial Console settings:

set system console device ttyS0 speed 115200

注解: Once you commit the above changes access to the serial interface is lost until you set your terminal emulator to
115200 8N1 again.

vyos@vyos# show system console

device ttyS0 {
speed 115200
}

4.4. Running on Bare Metal 152

 VyOS Documentation, 发布 1.4.x (sagitta)

VyOS 1.2 (rolling)

Installing the rolling release on an APU2 board does not require any change on the serial console from your host side as
T1327 was successfully implemented.
Simply proceed with a regular image installation as described in Installation.

Pictures

注解: Both device types operate without any moving parts and emit zero noise.

Rack Mount

VyOS custom print

Desktop / Bench Top

4.4.3 Qotom Q355G4

The install on this Q355G4 box is pretty much plug and play. The port numbering the OS does might differ from the
labels on the outside, but the UEFI firmware has a port blink test built in with MAC addresses so you can very quickly
identify which is which. MAC labels are on the inside as well, and this test can be done from VyOS or plain Linux too.
Default settings in the UEFI will make it boot, but depending on your installation wishes (i.e. storage type, boot type,
console type) you might want to adjust them. This Qotom company seems to be the real OEM/ODM for many other
relabelling companies like Protectli.

4.4. Running on Bare Metal 153

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 154

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 155

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 156

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 157

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4. Running on Bare Metal 158

 VyOS Documentation, 发布 1.4.x (sagitta)

Hardware

There are a number of other options, but they all seem to be close to Intel reference designs, with added features like
more serial ports, more network interfaces and the likes. Because they don’t deviate too much from standard designs all
the hardware is well-supported by mainline. It accepts one LPDDR3 SO-DIMM, but chances are that if you need more
than that, you’ll also want something even beefier than an i5. There are options for antenna holes, and SIM slots, so you
could in theory add an LTE/Cell modem (not tested so far).
The chassis is a U-shaped alu extrusion with removable I/O plates and removable bottom plate. Cooling is completely
passive with a heatsink on the SoC with internal and external fins, a flat interface surface, thermal pad on top of that,
which then directly attaches to the chassis, which has fins as well. It comes with mounting hardware and rubber feet, so
you could place it like a desktop model or mount it on a VESA mount, or even wall mount it with the provided mounting
plate. The closing plate doubles as internal 2.5”mounting place for an HDD or SSD, and comes supplied with a small
SATA cable and SATA power cable.
Power supply is a 12VDC barrel jack, and included switching power supply, which is why SATA power regulation is
on-board. Internally it has a NUC-board-style on-board 12V input header as well, the molex locking style.
There are WDT options and auto-boot on power enable, which is great for remote setups. Firmware is reasonably secure
(no backdoors found, BootGuard is enabled in enforcement mode, which is good but also means no coreboot option), yet
has most options available to configure (so it’s not locked out like most firmwares are).
An external RS232 serial port is available, internally a GPIO header as well. It does have Realtek based audio on board
for some reason, but you can disable that. Booting works on both USB2 and USB3 ports. Switching between serial BIOS
mode and HDMI BIOS mode depends on what is connected at startup; it goes into serial mode if you disconnect HDMI
and plug in serial, in all other cases it’s HDMI mode.

4.4. Running on Bare Metal 159

 VyOS Documentation, 发布 1.4.x (sagitta)

4.4.4 Partaker i5

I believe this is actually the same hardware as the Protectli. I purchased it in June 2018. It came pre-loaded with pfSense.
Manufacturer product page.

Installation

• Write VyOS ISO to USB drive of some sort

• Plug in VGA, power, USB keyboard, and USB drive
• Press “SW”button on the front (this is the power button; I don’t know what “SW”is supposed to mean).
• Begin rapidly pressing delete on the keyboard. The boot prompt is very quick, but with a few tries you should be
able to get into the BIOS.
• Chipset > South Bridge > USB Configuration: set XHCI to Disabled and USB 2.0 (EHCI) to Enabled. Without
doing this, the USB drive won’t boot.
• Boot to the VyOS installer and install as usual.
Warning the interface labels on my device are backwards; the left-most“LAN4”port is eth0 and the right-most“LAN1”
port is eth3.

4.4.5 Acrosser AND-J190N1

This microbox network appliance was build to create OpenVPN bridges. It can saturate a 100Mbps link. It is a small
(serial console only) PC with 6 Gb LAN http://www.acrosser.com/upload/AND-J190_J180N1-2.pdf
You may have to add your own RAM and HDD/SSD. There is no VGA connector. But Acrosser provides a DB25 adapter
for the VGA header on the motherboard (not used).

4.4. Running on Bare Metal 160

 VyOS Documentation, 发布 1.4.x (sagitta)

BIOS Settings:

First thing you want to do is getting a more user friendly console to configure BIOS. Default VT100 brings a lot of issues.
Configure VT100+ instead.
For practical issues change speed from 115200 to 9600. 9600 is the default speed at which both linux kernel and VyOS
will reconfigure the serial port when loading.
Connect to serial (115200bps). Power on the appliance and press Del in the console when requested to enter BIOS
settings.
Advanced > Serial Port Console Redirection > Console Redirection Settings:
• Terminal Type : VT100+
• Bits per second : 9600
Save, reboot and change serial speed to 9600 on your client.
Some options have to be changed for VyOS to boot correctly. With XHCI enabled the installer can’t access the USB
key. Enable EHCI instead.
Reboot into BIOS, Chipset > South Bridge > USB Configuration:
• Disable XHCI
• Enable USB 2.0 (EHCI) Support

4.4. Running on Bare Metal 161

 VyOS Documentation, 发布 1.4.x (sagitta)

Install VyOS:

Create a VyOS bootable USB key. I used the 64-bit ISO (VyOS 1.1.7) and LinuxLive USB Creator.
I’m not sure if it helps the process but I changed default option to live-serial (line “default xxxx”) on the USB key
under syslinux/syslinux.cfg.
I connected the key to one black USB port on the back and powered on. The first VyOS screen has some readability
issues. Press Enter to continue.
Then VyOS should boot and you can perform the install image

4.5 Update VyOS

New system images can be added using the add system image command. The command will extract the chosen
image and will prompt you to use the current system configuration and SSH security keys, allowing for the new image to
boot using the current configuration.

注解: Only LTS releases are PGP-signed.

add system image <url | path> [vrf name] [username user [password pass]]
Use this command to install a new system image. You can reach the image from the web (http://, https://) or from
your local system, e.g. /tmp/vyos-1.2.3-amd64.iso.
The add system image command also supports installing new versions of VyOS through an optional given VRF.
Also if URL in question requires authentication, you can specify an optional username and password via the
commandline which will be passed as “Basic-Auth”to the server.
If there is not enough free disk space available, the installation will be canceled. To delete images use the delete
system image command.
VyOS configuration is associated to each image, and each image has a unique copy of its configuration. This is
different than a traditional network router where the configuration is shared across all images.

注解: If you have any personal files, like some scripts you created, and you don’t want them to be lost during the
upgrade, make sure those files are stored in /config as this directory is always copied to newer installed images.

You can access files from a previous installation and copy them to your current image if they were located in the /config
directory. This can be done using the copy command. So, for instance, in order to copy /config/config.boot
from VyOS 1.2.1 image, you would use the following command:

copy file 1.2.1://config/config.boot to /tmp/config.boot.1.2.1

4.5. Update VyOS 162

 VyOS Documentation, 发布 1.4.x (sagitta)

4.5.1 Example

vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-

,→rolling-latest.iso

Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-

,→rolling-latest.iso

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed
100 338M 100 338M 0 0 3837k 0 0:01:30 0:01:30 --:--:-- 3929k
ISO download succeeded.
Checking for digital signature file...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 404 Not Found

Unable to fetch digital signature file.

Do you want to continue without signature check? (yes/no) [yes]
Checking MD5 checksums of files on the ISO image...OK.
Done!

What would you like to name this image? [vyos-1.3-rolling-201912201452]:

OK. This image will be named: vyos-1.3-rolling-201912201452

提示: The most up-do-date Rolling Release for AMD64 can be accessed using the following URL:
https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso

After reboot you might want to verify the version you are running with the show version command.

4.6 Image Management

The VyOS image-based installation is implemented by creating a directory for each image on the storage device selected
during the install process.
The directory structure of the boot device:

/
/boot
/boot/grub
/boot/1.2.0-rolling+201810021347

The image directory contains the system kernel, a compressed image of the root filesystem for the OS, and a directory
for persistent storage, such as configuration. On boot, the system will extract the OS image into memory and mount the
appropriate live-rw sub-directories to provide persistent storage system configuration.
This process allows for a system to always boot to a known working state, as the OS image is fixed and non-persistent. It
also allows for multiple releases of VyOS to be installed on the same storage device. The image can be selected manually
at boot if needed, but the system will otherwise boot the image configured to be the default.
show system image
List all available system images which can be booted on the current system.

4.6. Image Management 163

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos:~$ show system image

The system currently has the following image(s) installed:

1: 1.2.0-rolling+201810021347 (default boot)

2: 1.2.0-rolling+201810021217
3: 1.2.0-rolling+201809252218

delete system image [image-name]

Delete no longer needed images from the system. You can specify an optional image name to delete, the image
name can be retrieved via a list of available images can be shown using the show system image.

vyos@vyos:~$ delete system image

The following image(s) can be deleted:

1: 1.3-rolling-201912181733 (default boot) (running image)

2: 1.3-rolling-201912180242
3: 1.2.2
4: 1.2.1

Select the image to delete: 2

Are you sure you want to delete the

"1.3-rolling-201912180242" image? (Yes/No) [No]: y
Deleting the "1.3-rolling-201912180242" image...
Done

show version
Show current system image version.

vyos@vyos:~$ show version

Version: VyOS 1.3-rolling-201912181733
Built by: [email protected]
Built on: Wed 18 Dec 2019 17:33 UTC
Build UUID: bccde2c3-261c-49cc-b421-9b257204e06c
Build Commit ID: f7ce0d8a692f2d

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: VMware, Inc.

Hardware model: VMware Virtual Platform
Hardware S/N: VMware-42 1d 83 b9 fe c1 bd b2-7d 3d 49 db 94 18 f5 c9
Hardware UUID: b9831d42-c1fe-b2bd-7d3d-49db9418f5c9

Copyright: VyOS maintainers and contributors

4.6. Image Management 164

 VyOS Documentation, 发布 1.4.x (sagitta)

4.6.1 System rollback

If you need to rollback to a previous image, you can easily do so. First check the available images through the show
system image command and then select your image with the following command:
set system image default-boot [image-name]
Select the default boot image which will be started on the next boot of the system.
Then reboot the system.

注解: VyOS automatically associates the configuration to the image, so you don’t need to worry about that. Each image
has a unique copy of its configuration.

If you have access to the console, there is a another way to select your booting image: reboot and use the GRUB menu at
startup.

4.7 Migrate from Vyatta Core

VyOS 1.x line aims to preserve backward compatibility and provide a safe upgrade path for existing Vyatta Core users.
You may think of VyOS 1.0.0 as VC7.0.

4.7.1 Vyatta release compatibility

Vyatta Core releases from 6.5 to 6.6 should be 100% compatible.

Vyatta Core 6.4 and earlier may have incompatibilities. In Vyatta 6.5 the “modify”firewall was removed and replaced
with the set policy route command family, old configs can not be automatically converted. You will have to adapt
it to post-6.5 Vyatta syntax manually.

注解: Also, in Vyatta Core 6.5 remote access VPN interfaces have been renamed from pppX to l2tpX and pptpX.
If you are using zone based firewalling in Vyatta Core pre-6.5 versions, make sure to change interface names in rules for
remote access VPN.

4.7.2 Upgrade procedure

You just use add system image, as if it was a new VC release (see Update VyOS for additional information). The
only thing you want to do is to verify the new images digital signature. You will have to add the public key manually once
as it is not shipped the first time.

vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key

Connecting to vyos.net (x.x.x.x:80)
so3group_maintainers 100% |*************************| 3125 --:--:-- ETA
vyatta@vyatta:~$ sudo apt-key add so3group_maintainers.key
OK
vyatta@vyatta:~$

For completion the key below corresponds to the key listed in the URL above.

4.7. Migrate from Vyatta Core 165

 VyOS Documentation, 发布 1.4.x (sagitta)

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.4.12 (GNU/Linux)

mQINBFIIUZwBEADGl+wkZpYytQxd6LnjDZZScziBKYJbjInetYeS0SUrgpqnPkzL
2CiGfPczLwpYY0zWxpUhTvqjFsE5yDpgs0sPXIgUTFE1qfZQE+WD1I1EUM6sp/38
2xKQ9QaNc8oHuYINLYYmNYra6ZjIGtQP9WOX//IDYB3fhdwlmiW2z0hux2OnPWdh
hPZAmSrx5AiXFEEREJ1cAQyvYk7hgIRvM/rdQMUm+u4/z+S4mxCHE10KzlqOGhRv
hA8WQxHCVusMFGwXoKHxYf9OQpV7lsfOCODfXOMP/L9kHQ5/gBsLL5hHst+o/3VG
ec0QuVrVkBBehgrqhfJW2noq+9gTooURGImQHEOyE0xpJdFrrgk5Ii9RqQwdVRzI
ZPbqbo8uuldZIRJRGnfx+vAR9812yo38NVZ/X0P/hkkrx+UeGVgpC/ao5XLRiOzL
7ZBMWLA6FVmZ7mkpqdzuMXX5548ApACm6EKErULIhTYDGDzFxA3cf6gr5VVi4usD
wglVs+FHuiLehmuuPTMoVcT2R6+Ht44hG3BmQmKzh/SSEa1g9gKgrhZrMdIyK4hu
GvMqLw9z9BgJbWB3BgXOUdlkXLDwBvVpEcWsPJgxSjAvjAbLLE4YkKAdYU8bQ0Pd
JuN485tcXxgQCadFZB0gcipQAvVf4b810HrY88g6FldfauHxiACOlXscZwARAQAB
tDBTTzMgR3JvdXAgTWFpbnRhaW5lcnMgPG1haW50YWluZXJzQHNvM2dyb3VwLm5l
dD6JAjgEEwECACIFAlIIUZwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
ELdE4lqkQubp8GsQAKntoRFG6bWX/4WPw7Vo7kIF5kWcmv3lVb0AQkacscWope7T
Iq0VcgpAycJue2bSS9LAsvNtpVkQmFawbwFjqB3CC5NbPNQ4Kf+gswKa+yaHwejo
7dkslAwxgXHe5g76DG7CVLMsMg6zVDFYuzeksPywls/OJBIpkuGqeXy9tAHjQzjA
SlZV3Gsx7azESjiVQ73EUBt2OXkwN4TN9TEHAnVsrNIXHwFl1VfFsSG1Q6uZDtkk
CB4DZJKN4RzCY2QSwMAqRRC2OXdwk5IAk8wwCGoFpp0UV6CO9YCeOaqJderEcBA4
MGHqdiPDIbH5wvckjZzFznU/Paz3MwPwBdtN+WSKvwf+JItSiUqm8Dy2Pl/1cnux
1g1I4WQlXUVaS/MDusqL7tbS8k5A5a2+YVMxShWH9BhXZwNXzEihl4sm8Hrg5SvZ
givJj2y93WoL69Wq0/86wkkH2xcrz4gsiUcQf5YXU/RHXOLnPR29/pg8TS0L7sST
dv0X23C2IpfqYoqN7YZ3K0Wczhi0yLPCrc27IczuHgjt/8ICda11xhB1t/pUbvnX
oksehaLp8O3uU8GyAsTfUgpijZFc/3jIadOl0L9NGUbYYgPzFeaZTa/njeEbz3wX
PZMn278sbL9UhupI5Hx7eREbKzV4VPVKz81ndKNMXyuJHXv2R0xou3nvuo1WuQIN
BFIIUZwBEADAhoYPDCSogG41Naq+wFkG+IPszqe0dW/UWg0xrZDT0UblwDSd4OGY
7FATMIhjOUyFxk6+XKA5CDCWP8Npkl0modTL59uVWNxU1vUKincc/j4ipHQeAhE6
fvZkrprvADD8TYIGesl/3EGNc7bzc5ZqX71hKPHG+autRtgFSOR2PSXD9MlJXIBb
RzHAXxlh72zvsGadcxLJm4pSWXitkR/5Wc3e0IippKdzGwZnCDpNmcBGtSTFgixP
JqyRZFVCPWs7jr/oQeZnq65wJp1KD2HvhhKHJfsPrnNjLSm1SQVh8hXzE9odcv6N
mJB7tNXywuROBt6a01ojBa9J3zuMYQj3iQl2MhxtHylKVBjr7NjZ4evZbLsRMxY1
hYk7sl+ZxCPFeOZ9D2ppU/CUDXCS095I1x+s+VuiUNf/3yd8ahCWDXVp9nsXyYjm
2pHIxb2F6r8Vd4AjlD2MQwszECS88INF3l/9ksIHEMKuuW+JAC9FiZ7k4IGcIltv
If/V2TgE6t6qoWIlmLhMTjOyJpwnokY1nIuXHH7yp+HsuqnYnf/dgLnt4czPLeHO
+TdIDHhUym0AKlCcbdgn0C6EJVTnA8BFgFjiIOMAeT0rhATg0W/cND8KQcX4V9wM
nHSEsgSEuP9H+67xuRx5Imuh5ntecrcuCYSNuOneUXWPThDKQPO9lQARAQABiQIf
BBgBAgAJBQJSCFGcAhsMAAoJELdE4lqkQubpc+0P/0IzUx8nTpF0/ii2TA0YCOgj
tviM6PRTVPrFcxijNeXiIMHZYrALYUvXxXGp1IZBP3IcOyuZNp2WLqF/f9a3cIr1
9b/LJPrwopGqV3K30lormk7hH0s3IXbhd0ZYWvRj+5kQ8TFRAFfPwjlItzjYJmYX
AGJmM9PxJID/4LgWSfQ/ZfNu7MJ7+2goQLu9b6x7UC1FlE4q1lcjBvHjVPM//S9G
lGAHaysyTjVu88W2wwBpBrO1MQnDvqFRddXPOIWp0jecBMUd4E0fB36yuStsXZT3
RN4V8vKRBYXuqHhiTwZeh153cHZk2EZBwz5A6DJubMaGdJTesHW5Qf2goph0pmjC
+XuXn8J6tc5nFDf8DP4AFVMtqa3Brj2fodWd0Zzxq3AVsbX144c1oqJUhO4t3+ie
8fD/6/jx4iuPCQTfyhHG+zGfyUb2LQ+OVLW1WYTxH5tzHaZUmZFdV2I1kuhuvZ1t
WRlmTnHZOnEb3+t8KCRWzRMfweTzXfRRKBC0/QpeX1r5pbaMHH8zF/J5PKmL0+jg
+DS8JSbSfv7Ke6rplf7lHYaDumAFZfxXuQkajzLZbX0E5Xu5BNz4Vq6LGBj7LDXL
gswIK8FFgZB+W8zwOqUV1vjIr9wkdLifXXezKpTeYpFDGLdfsK+uNAtGyvI61TDi
Pr6fWpIruuc7Gg9rUF0L
=VQTr
-----END PGP PUBLIC KEY BLOCK-----

Next add the VyOS image.

This example uses VyOS 1.0.0, however, it’s better to install the latest release.

4.7. Migrate from Vyatta Core 166

 VyOS Documentation, 发布 1.4.x (sagitta)

vyatta@vyatta:~$ show system image

The system currently has the following image(s) installed:
1: VC6.6R1 (default boot) (running image)

vyatta@vyatta:~$ add system image https://downloads.vyos.io/release/legacy/1.0.0/vyos-

,→1.0.0-amd64.iso

Trying to fetch ISO file from https://downloads.vyos.io/release/legacy/1.0.0/vyos-1.

,→0.0-amd64.iso

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed
100 223M 100 223M 0 0 960k 0 0:03:57 0:03:57 --:--:-- 657k
ISO download succeeded.
Checking for digital signature file...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 836 100 836 0 0 4197 0 --:--:-- --:--:-- --:--:-- 4287
Found it. Checking digital signature...
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Sun Dec 22 16:51:42 2013 GMT using RSA key ID A442E6E9
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Good signature from "SO3 Group Maintainers <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DD5B B405 35E7 F6E3 4278 1ABF B744 E25A A442 E6E9
Digital signature is valid.
Checking MD5 checksums of files on the ISO image...OK.
Done!

What would you like to name this image? [1.0.0]: [return]

OK. This image will be named: 1.0.0
Installing "1.0.0" image.
Copying new release files...

Would you like to save the current configuration

directory and config file? (Yes/No) [Yes]: [return]
Copying current configuration...

Would you like to save the SSH host keys from your
current configuration? (Yes/No) [Yes]: [return]
Copying SSH keys...
Setting up grub configuration...
Done.

vyatta@vyatta:~$ show system image

The system currently has the following image(s) installed:

1: 1.0.0 (default boot)

2: VC6.6R1 (running image)

Upon reboot, you should have a working installation of VyOS.

You can go back to your Vyatta install using the set system image default-boot command and selecting the
your previous Vyatta Core image.

注解: Future releases of VyOS will break the direct upgrade path from Vyatta core. Please upgrade through an interme-

4.7. Migrate from Vyatta Core 167

 VyOS Documentation, 发布 1.4.x (sagitta)

diate VyOS version e.g. VyOS 1.2. After this you can continue upgrading to newer releases once you bootet into VyOS
1.2 once.

4.7. Migrate from Vyatta Core 168

 CHAPTER 5

快速开始

这一章会指导你如何快速使用你的新 VyOs 系统。这里展示了一个简单的配置样例供你学习，样例提供了一

个带有两个网络接口（eth0 和 eth1）的设备作为一个NAT 网关的配置方法。

5.1 配置模式

Vyos 默认处于操作模式，此时命令行会显示一个 $ 符号。配置 Vyos 需要进入配置模式，进入该模式后命令

行会显示一个 # 符号，如下所示：

vyos@vyos$ configure
vyos@vyos#

5.2 提交和保存

每次配置更改之后，需要使用下面的命令来应用更改：

commit

当你的配置能够达到预期的效果时，可以使用下面的命令来永久保存：

save

169
 VyOS Documentation, 发布 1.4.x (sagitta)

5.3 接口配置

• 系统外部/WAN 口为 eth0。该接口的地址通过 DHCP 获得。

• 系统内部/Lan 口为 eth1。该接口使用静态地址 192.168.0.1/24
切换到配置模式 后，输入下列命令：

set interfaces ethernet eth0 address dhcp

set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'

5.4 SSH 管理

切换到配置模式 之后，输入下列命令，此时系统将会监听每一个接口上进来的 SSH 连接。你也可查看SSH 章

节学习如何只监听指定地址。

set service ssh port '22'

5.5 DHCP/DNS 快速开始

下列设置会在你的本地/LAN 网络上配置 DHCP 和域名服务，在该网络中 VyOS 会作为默认的网关和 DNS 服

务器。
• 默认的网关和 DNS 地址为 192.168.0.1/24
• 地址段 192.168.0.2/24 - 192.168.0.8/24 会被保留作静态分配用
• DHCP 客户端会被分配一个地址段 192.168.0.9 - 192.168.0.254 中的地址，以及一个名为 internal-network
的域名
• DHCP 租期为 1 天（86400 秒）
• VyOS 会作为一个完全的 DNS 服务器，无需再利用 Google，Clouldflare 或其他公共 DNS 服务器（这样
做对隐私比较好）
• 只有本地/LAN 网络中的主机可以使用 DNS

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router

,→'192.168.0.1'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.

,→168.0.1'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name

,→'vyos.net'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start␣
,→192.168.0.9

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop

,→'192.168.0.254'

set service dns forwarding cache-size '0'

set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding allow-from '192.168.0.0/24'

5.3. 接口配置 170

 VyOS Documentation, 发布 1.4.x (sagitta)

5.6 NAT

下列设置会为我们的本地/LAN 网络配置SNAT 规则，允许主机通过 IP 伪装与外部/WAN 网络进行通信。

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade

5.7 防火墙

为外部/WAN 口添加一组防火墙策略。
下面的配置将创建一个合适的有状态的防火墙，可以阻止所有最初不是从本地/LAN 侧发出的流量
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

set firewall name OUTSIDE-LOCAL default-action 'drop'

set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

如果想启用从外部/WAN 口通过 SSH 访问防火墙的话，可以创建一些额外的规则来允许这一类的流量

下列规则可以允许 SSH 流量并将请求频率限制在 4 次/分钟，这样可以阻止暴力尝试：
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 31 action 'accept'

set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

应用防火墙规则
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

提交更改，保存配置然后推出配置模式
vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
(下页继续)

5.6. NAT 171

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
vyos@vyos# exit
vyos@vyos$

5.8 加固

特别是当你允许从外部/WAN 口远程 SSH 连接时，下面几个额外的配置步骤是很有必要的。

替换默认的 vyos 系统用户：

set system login user myvyosuser authentication plaintext-password mysecurepassword

设置Key Based Authentication

set system login user myvyosuser authentication public-keys myusername@mydesktop type␣

,→ssh-rsa

set system login user myvyosuser authentication public-keys myusername@mydesktop key␣

,→contents_of_id_rsa.pub

最后，尝试以新用户 SSH 连接到 VyOS。确认新的用户可以不使用密码访问路由器之后删除原来的 vyos 用

户，然后完全禁止使用密码验证的方式进行SSH：

delete system login user vyos

set service ssh disable-password-authentication

上述操作之后，提交更改、保存配置然后退出配置模式：

vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$

现在你应该有一个简单但安全，且正常工作的路由器来进行后续的玩耍了。尽情享受吧！

5.8. 加固 172
 CHAPTER 6

命令行接口

VyOS CLI (命令行接口) 由操作模式和配置模式构成。

6.1 操作模式

操作模式允许使用命令执行操作型的系统任务，以及查看系统和服务的状态；而配置模式允许修改系统配
置。
CLI 提供了内置帮助系统。在 CLI 中，？键可以用来显示可用的命令。TAB 键可以用来自动补全命令，以及
在有冲突和无法识别的值时调出帮助系统。
比如输入 sh 后按下 TAB 会自动补全命令为 show。再次按下 TAB 会显示所有可用的 show 子命令。

vyos@vyos:~$ s[tab]
set show

显示可能的 show 子命令的例子：

vyos@vyos:~$ show [tab]

Possible completions:
arp Show Address Resolution Protocol (ARP) information
bridge Show bridging information
cluster Show clustering information
configuration Show running configuration
conntrack Show conntrack entries in the conntrack table
conntrack-sync
Show connection syncing information
date Show system date and time
dhcp Show Dynamic Host Configuration Protocol (DHCP) information
dhcpv6 Show status related to DHCPv6
disk Show status of disk device
dns Show Domain Name Server (DNS) information
file Show files for a particular image
(下页继续)

173
 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
firewall Show firewall information
flow-accounting
Show flow accounting statistics
hardware Show system hardware details
history show command history
host Show host information
incoming Show ethernet input-policy information
: q

可以使用 [Shift]+[PageUp] 向上翻页，以及 [Shift]+[PageDown] 向下翻页。

When the output of a command results in more lines than can be displayed on the terminal screen the output is paginated
as indicated by a : prompt.
When viewing in page mode the following commands are available:
• q key can be used to cancel output
• space will scroll down one page
• b will scroll back one page
• return will scroll down one line
• up-arrow and down-arrow will scroll up or down one line at a time respectively
• left-arrow and right-arrow can be used to scroll left or right in the event that the output has lines
which exceed the terminal size.

6.2 Configuration Mode

To enter configuration mode use the configure command:

vyos@vyos:~$ configure
[edit]
vyos@vyos:~#

注解: Prompt changes from $ to #. To exit configuration mode, type exit.

vyos@vyos:~# exit
exit
vyos@vyos:~$

See the configuration section of this document for more information on configuration mode.

6.2. Configuration Mode 174

 CHAPTER 7

Configuration Overview

VyOS makes use of a unified configuration file for the entire system’s configuration: /config/config.boot. This
allows easy template creation, backup, and replication of system configuration. A system can thus also be easily cloned
by simply copying the required configuration files.

7.1 Terminology

live A VyOS system has three major types of configurations:

• Active or running configuration is the system configuration that is loaded and currently active (used by VyOS).
Any change in the configuration will have to be committed to belong to the active/running configuration.
• Working configuration is the one that is currently being modified in configuration mode. Changes made to the
working configuration do not go into effect until the changes are committed with the commit command. At which
time the working configuration will become the active or running configuration.
• Saved configuration is the one saved to a file using the save command. It allows you to keep safe a configuration
for future uses. There can be multiple configuration files. The default or“boot”configuration is saved and loaded
from the file /config/config.boot.

7.1.1 Seeing and navigating the configuration

show configuration
View the current active configuration, also known as the running configuration, from the operational mode.

vyos@vyos:~$ show configuration

interfaces {
ethernet eth0 {
address dhcp
hw-id 00:53:00:00:aa:01
}
(下页继续)

175
 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
loopback lo {
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
login {
user vyos {
authentication {
encrypted-password ****************
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
}

By default, the configuration is displayed in a hierarchy like the above example, this is only one of the possible ways to
display the configuration. When the configuration is generated and the device is configured, changes are added through a
collection of set and delete commands.
show configuration commands
Get a collection of all the set commands required which led to the running configuration.

vyos@vyos:~$ show configuration commands

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id '00:53:dd:44:3b:0f'
set interfaces loopback 'lo'
(下页继续)

7.1. Terminology 176

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '$6$Vt68...QzF0'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

Both these show commands should be executed when in operational mode, they do not work directly in configuration
mode. There is a special way on how to Access opmode from config mode.

提示: Use the show configuration commands | strip-private command when you want to hide pri-
vate data. You may want to do so if you want to share your configuration on the forum.

The config mode

When entering the configuration mode you are navigating inside a tree structure, to enter configuration mode enter the
command configure when in operational mode.

vyos@vyos$ configure
[edit]
vyos@vyos#

注解: When going into configuration mode, prompt changes from $ to #.

All commands executed here are relative to the configuration level you have entered. You can do everything from the top
level, but commands will be quite lengthy when manually typing them.
The current hierarchy level can be changed by the edit command.

[edit]
vyos@vyos# edit interfaces ethernet eth0

[edit interfaces ethernet eth0]

vyos@vyos#

You are now in a sublevel relative to interfaces ethernet eth0, all commands executed from this point on are
relative to this sublevel. Use eithe the top or exit command to go back to the top of the hierarchy. You can also use
the up command to move only one level up at a time.
show
The show command within configuration mode will show the working configuration indicating line changes with + for
additions, > for replacements and - for deletions.
Example:

vyos@vyos:~$ configure
[edit]
(下页继续)

7.1. Terminology 177

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
vyos@vyos# show interfaces
ethernet eth0 {
description MY_OLD_DESCRIPTION
disable
hw-id 00:53:dd:44:3b:03
}
loopback lo {
}
[edit]
vyos@vyos# set interfaces ethernet eth0 address dhcp
[edit]
vyos@vyos# set interfaces ethernet eth0 description MY_NEW_DESCRIPTION
[edit]
vyos@vyos# delete interfaces ethernet eth0 disable
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
+ address dhcp
> description MY_NEW_DESCRIPTION
- disable
hw-id 00:53:dd:44:3b:03
}
loopback lo {
}

It is also possible to display all set commands within configuration mode using show | commands

vyos@vyos# show interfaces ethernet eth0 | commands

set address dhcp
set hw-id 00:53:ad:44:3b:03

These commands are also relative to the level you are inside and only relevant configuration blocks will be displayed when
entering a sub-level.

[edit interfaces ethernet eth0]

vyos@vyos# show
address dhcp
hw-id 00:53:ad:44:3b:03

Exiting from the configuration mode is done via the exit command from the top level, executing exit from within a
sub-level takes you back to the top level.

[edit interfaces ethernet eth0]

vyos@vyos# exit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.

7.1. Terminology 178

 VyOS Documentation, 发布 1.4.x (sagitta)

7.1.2 Editing the configuration

The configuration can be edited by the use of set and delete commands from within configuration mode.
set
Use this command to set the value of a parameter or to create a new element.
Configuration commands are flattened from the tree into ‘one-liner’commands shown in show configuration
commands from operation mode. Commands are relative to the level where they are executed and all redundant infor-
mation from the current level is removed from the command entered.
[edit]
vyos@vyos# set interface ethernet eth0 address 192.0.2.100/24

[edit interfaces ethernet eth0]

vyos@vyos# set address 203.0.113.6/24

These two commands above are essentially the same, just executed from different levels in the hierarchy.
delete
To delete a configuration entry use the delete command, this also deletes all sub-levels under the current level
you’ve specified in the delete command. Deleting an entry will also result in the element reverting back to its
default value if one exists.
[edit interfaces ethernet eth0]
vyos@vyos# delete address 192.0.2.100/24

commit
Any change you do on the configuration, will not take effect until committed using the commit command in
configuration mode.
vyos@vyos# commit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
vyos@vyos:~$

save
Use this command to preserve configuration changes upon reboot. By default it is stored at /config/config.boot. In
the case you want to store the configuration file somewhere else, you can add a local path, an SCP address, an FTP
address or a TFTP address.
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done

vyos@vyos# save [tab]

Possible completions:
<Enter> Save to system config file
<file> Save to file on local machine
scp://<user>:<passwd>@<host>:/<file> Save to file on remote machine
ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
tftp://<host>/<file> Save to file on remote machine
vyos@vyos# save tftp://192.168.0.100/vyos-test.config.boot
Saving configuration to 'tftp://192.168.0.100/vyos-test.config.boot'...
(下页继续)

7.1. Terminology 179

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
######################################################################## 100.0%
Done

exit [discard]
Configuration mode can not be exited while uncommitted changes exist. To exit configuration mode without
applying changes, the exit discard command must be used.
All changes in the working config will thus be lost.

vyos@vyos# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
vyos@vyos# exit discard

commit-confirm <minutes>
Use this command to temporarily commit your changes and set the number of minutes available for validation.
confirm must be entered within those minutes, otherwise the system will reboot into the previous configuration.
The default value is 10 minutes.
What if you are doing something dangerous? Suppose you want to setup a firewall, and you are not sure
there are no mistakes that will lock you out of your system. You can use confirmed commit. If you issue the
commit-confirm command, your changes will be commited, and if you don’t issue issue the confirm
command in 10 minutes, your system will reboot into previous config revision.

vyos@router# set interfaces ethernet eth0 firewall local name FromWorld

vyos@router# commit-confirm
commit confirm will be automatically reboot in 10 minutes unless confirmed
Proceed? [confirm]y
[edit]
vyos@router# confirm
[edit]

注解: A reboot because you did not enter confirm will not take you necessarily to the saved configuration, but
to the point before the unfortunate commit.

copy
Copy a configuration element.
You can copy and remove configuration subtrees. Suppose you set up a firewall ruleset FromWorld with one rule
that allows traffic from specific subnet. Now you want to setup a similar rule, but for different subnet. Change your
edit level to firewall name FromWorld and use copy rule 10 to rule 20, then modify rule 20.

vyos@router# show firewall name FromWorld

default-action drop
rule 10 {
action accept
source {
address 203.0.113.0/24
}
}
[edit]
vyos@router# edit firewall name FromWorld
(下页继续)

7.1. Terminology 180

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
[edit firewall name FromWorld]
vyos@router# copy rule 10 to rule 20
[edit firewall name FromWorld]
vyos@router# set rule 20 source address 198.51.100.0/24
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]

rename
Rename a configuration element.
You can also rename config subtrees:
vyos@router# rename rule 10 to rule 5
[edit firewall name FromWorld]
vyos@router# commit
[edit firewall name FromWorld]

Note that show command respects your edit level and from this level you can view the modified firewall ruleset
with just show with no parameters.
vyos@router# show
default-action drop
rule 5 {
action accept
source {
address 203.0.113.0/24
}
}
rule 20 {
action accept
source {
address 198.51.100.0/24
}
}

comment <config node> “comment text”

Add comment as an annotation to a configuration node.
The comment command allows you to insert a comment above the <config node> configuration section.
When shown, comments are enclosed with /* and */ as open/close delimiters. Comments need to be commited,
just like other config changes.
To remove an existing comment from your current configuration, specify an empty string enclosed in double quote
marks ("") as the comment text.
Example:
vyos@vyos# comment firewall all-ping "Yes I know this VyOS is cool"
vyos@vyos# commit
vyos@vyos# show
firewall {
/* Yes I know this VyOS is cool */
all-ping enable
broadcast-ping disable
...
}

7.1. Terminology 181

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: An important thing to note is that since the comment is added on top of the section, it will not appear if
the show <section> command is used. With the above example, the show firewall command would return
starting after the firewall { line, hiding the comment.

7.1.3 Access opmode from config mode

When inside configuration mode you are not directly able to execute operational commands.
run
Access to these commands are possible through the use of the run [command] command. From this command
you will have access to everything accessible from operational mode.
Command completion and syntax help with ? and [tab] will also work.

[edit]
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 0.0.0.0/0 u/u

7.1.4 Managing configurations

VyOS comes with an integrated versioning system for the system configuration. It automatically maintains a backup
of every previous configuration which has been committed to the system. The configurations are versioned locally for
rollback but they can also be stored on a remote host for archiving/backup reasons.

Local Archive

Revisions are stored on disk. You can view, compare and rollback them to any previous revisions if something goes
wrong.
show system commit
View all existing revisions on the local system.

vyos@vyos:~$ show system commit

0 2015-03-30 08:53:03 by vyos via cli
1 2015-03-30 08:52:20 by vyos via cli
2 2015-03-26 21:26:01 by root via boot-config-loader
3 2015-03-26 20:43:18 by root via boot-config-loader
4 2015-03-25 11:06:14 by root via boot-config-loader
5 2015-03-25 01:04:28 by root via boot-config-loader
6 2015-03-25 00:16:47 by vyos via cli
7 2015-03-24 23:43:45 by root via boot-config-loader

set system config-management commit-revisions <N>

You can specify the number of revisions stored on disk. N can be in the range of 0 - 65535. When the number of
revisions exceeds the configured value, the oldest revision is removed. The default setting for this value is to store
100 revisions locally.

7.1. Terminology 182

 VyOS Documentation, 发布 1.4.x (sagitta)

Compare configurations

VyOS lets you compare different configurations.

compare <saved | N> <M>
Use this command to spot what the differences are between different configurations.

vyos@vyos# compare [tab]

Possible completions:
<Enter> Compare working & active configurations
saved Compare working & saved configurations
<N> Compare working with revision N
<N> <M> Compare revision N with M
Revisions:
0 2013-12-17 20:01:37 root by boot-config-loader
1 2013-12-13 15:59:31 root by boot-config-loader
2 2013-12-12 21:56:22 vyos by cli
3 2013-12-12 21:55:11 vyos by cli
4 2013-12-12 21:27:54 vyos by cli
5 2013-12-12 21:23:29 vyos by cli
6 2013-12-12 21:13:59 root by boot-config-loader
7 2013-12-12 16:25:19 vyos by cli
8 2013-12-12 15:44:36 vyos by cli
9 2013-12-12 15:42:07 root by boot-config-loader
10 2013-12-12 15:42:06 root by init

The command compare allows you to compare different type of configurations. It also lets you compare different
revisions through the compare N M command, where N and M are revision numbers. The output will describe
how the configuration N is when compared to M indicating with a plus sign (+) the additional parts N has when
compared to M, and indicating with a minus sign (-) the lacking parts N misses when compared to M.

vyos@vyos# compare 0 6
[edit interfaces]
+dummy dum1 {
+ address 10.189.0.1/31
+}
[edit interfaces ethernet eth0]
+vif 99 {
+ address 10.199.0.1/31
+}
-vif 900 {
- address 192.0.2.4/24
-}

show system commit diff <number>

Show commit revision difference.
The command above also lets you see the difference between two commits. By default the difference with the running
config is shown.

vyos@router# run show system commit diff 4

[edit system]
+ipv6 {
+ disable-forwarding
+}

This means four commits ago we did set system ipv6 disable-forwarding.

7.1. Terminology 183

 VyOS Documentation, 发布 1.4.x (sagitta)

Rollback Changes

You can rollback configuration changes using the rollback command. This will apply the selected revision and trigger a
system reboot.
rollback <N>
Rollback to revision N (currently requires reboot)

vyos@vyos# compare 1
[edit system]
>host-name vyos-1
[edit]

vyos@vyos# rollback 1
Proceed with reboot? [confirm][y]
Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2013):
The system is going down for reboot NOW!

Remote Archive

VyOS can upload the configuration to a remote location after each call to commit. You will have to set the commit-
archive location. TFTP, FTP, SCP and SFTP servers are supported. Every time a commit is successfull the config.
boot file will be copied to the defined destination(s). The filename used on the remote host will be config.
boot-hostname.YYYYMMDD_HHMMSS.
set system config-management commit-archive location <URI>
Specify remote location of commit archive as any of the below URI (Uniform Resource Identifier)
• scp://<user>:<passwd>@<host>:/<dir>
• sftp://<user>:<passwd>@<host>/<dir>
• ftp://<user>:<passwd>@<host>/<dir>
• tftp://<host>/<dir>

注解: The number of revisions don’t affect the commit-archive.

注解: You may find VyOS not allowing the secure connection because it cannot verify the legitimacy of the remote server.
You can use the workaround below to quickly add the remote host’s SSH fingerprint to your ~/.ssh/known_hosts
file:

vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts

7.1. Terminology 184

 VyOS Documentation, 发布 1.4.x (sagitta)

Saving and loading manually

You can use the save and load commands if you want to manually manage specific configuration files.
When using the save command, you can add a specific location where to store your configuration file. And, when needed
it, you will be able to load it with the load command:
load <URI>
Use this command to load a configuration which will replace the running configuration. Define the
location of the configuration file to be loaded. You can use a path to a local file, an SCP address, an
SFTP address, an FTP address, an HTTP address, an HTTPS address or a TFTP address.

vyos@vyos# load
Possible completions:
<Enter> Load from system config file
<file> Load from file on local machine
scp://<user>:<passwd>@<host>:/<file> Load from file on remote machine
sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
http://<host>/<file> Load from file on remote machine
https://<host>/<file> Load from file on remote machine
tftp://<host>/<file> Load from file on remote machine

Restore Default

In the case you want to completely delete your configuration and restore the default one, you can enter the following
command in configuration mode:

load /opt/vyatta/etc/config.boot.default

You will be asked if you want to continue. If you accept, you will have to use commit if you want to make the changes
active.
Then you may want to save in order to delete the saved configuration too.

注解: If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to
ensure connectivity, and load the edited config.

7.1. Terminology 185

 CHAPTER 8

Configuration Guide

The following structure respresent the cli structure.

8.1 Firewall

8.1.1 Overview

VyOS makes use of Linux netfilter for packet filtering.

The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and the
option of interface or zone based firewall policy.

注解: Important note on usage of terms: The firewall makes use of the terms in, out, and local for firewall policy.
Users experienced with netfilter often confuse in to be a reference to the INPUT chain, and out the OUTPUT chain from
netfilter. This is not the case. These instead indicate the use of the FORWARD chain and either the input or output
interface. The INPUT chain, which is used for local traffic to the OS, is a reference to as local with respect to its input
interface.

8.1.2 Global settings

Some firewall settings are global and have a affect on the whole system.
set firewall all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP
echo reply, unless you avoid it through its firewall.
With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the
general firewall all-ping command. This command affects only to LOCAL (packets destined for your VyOS
system), not to IN or OUT traffic.

186
 VyOS Documentation, 发布 1.4.x (sagitta)

注解: firewall all-ping affects only to LOCAL and it always behaves in the most restrictive way

set firewall all-ping enable

When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will
only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will
not answer ICMP echo requests.

set firewall all-ping disable

When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter
where it comes from or whether more specific rules are being applied to accept them.
set firewall broadcast-ping [enable | disable]
This setting enable or disable the response of icmp broadcast messages. The following system parameter will be
altered:
• net.ipv4.icmp_echo_ignore_broadcasts
set firewall ip-src-route [enable | disable]
set firewall ipv6-src-route [enable | disable]
This setting handle if VyOS accept packets with a source route option. The following system parameter will be
altered:
• net.ipv4.conf.all.accept_source_route
• net.ipv6.conf.all.accept_source_route
set firewall receive-redirects [enable | disable]
set firewall ipv6-receive-redirects [enable | disable]
enable or disable of ICMPv4 or ICMPv6 redirect messages accepted by VyOS. The following system parameter
will be altered:
• net.ipv4.conf.all.accept_redirects
• net.ipv6.conf.all.accept_redirects
set firewall send-redirects [enable | disable]
enable or disable of ICMPv4 redirect messages send by VyOS The following system parameter will be altered:
• net.ipv4.conf.all.send_redirects
set firewall log-martians [enable | disable]
enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:
• net.ipv4.conf.all.log_martians
set firewall source-validation [strict | loose | disable]
Set the IPv4 source validation mode. The following system parameter will be altered:
• net.ipv4.conf.all.rp_filter
set firewall syn-cookies [enable | disable]
Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:
• net.ipv4.tcp_syncookies

8.1. Firewall 187

 VyOS Documentation, 发布 1.4.x (sagitta)

set firewall twa-hazards-protection [enable | disable]

Enable or Disable VyOS to be RFC 1337 conform. The following system parameter will be altered:
• net.ipv4.tcp_rfc1337
set firewall state-policy established action [accept | drop | reject]
set firewall state-policy established log enable
Set the global setting for a established connections.
set firewall state-policy invalid action [accept | drop | reject]
set firewall state-policy invalid log enable
Set the global setting for invalid packets.
set firewall state-policy related action [accept | drop | reject]
set firewall state-policy related log enable
Set the global setting for related connections.

8.1.3 Groups

Firewall groups represent collections of IP addresses, networks, or ports. Once created, a group can be referenced by
firewall rules as either a source or destination. Members can be added or removed from a group without changes to, or
the need to reload, individual firewall rules.

注解: Groups can also be referenced by NAT configuration.

Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they
still need to have unique names, so you may want to append “-v4”or “-v6”to your group names.

Address Groups

In a address group a single IP adresses or IP address ranges are definded.

set firewall group address-group <name> address [address | address range]
set firewall group ipv6-address-group <name> address <address>
Define a IPv4 or a IPv6 address group

set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1

set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1

set firewall group address-group <name> description <text>

set firewall group ipv6-address-group <name> description <text>
Provide a IPv4 or IPv6 address group description

8.1. Firewall 188

 VyOS Documentation, 发布 1.4.x (sagitta)

Network Groups

While network groups accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If
you foresee the need to add a mix of addresses and networks, the network group is recommended.
set firewall group network-group <name> network <CIDR>
set firewall group ipv6-network-group <name> network <CIDR>
Define a IPv4 or IPv6 Network group.

set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24

set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64

set firewall group network-group <name> description <text>

set firewall group ipv6-network-group <name> description <text>
Provide a IPv4 or IPv6 network group description.

Port Groups

A port group represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is
recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges
of ports can be specified by using -.
set firewall group port-group <name> port [portname | portnumber |
startport-endport]
Define a port group. A port name are any name defined in /etc/services. e.g.: http

set firewall group port-group PORT-TCP-SERVER1 port http

set firewall group port-group PORT-TCP-SERVER1 port 443
set firewall group port-group PORT-TCP-SERVER1 port 5000-5010

set firewall group port-group <name> description <text>

Provide a port group description.

8.1.4 Rule-Sets

A rule-set is a named collection of firewall rules that can be applied to an interface or zone. Each rule is numbered, has
an action to apply if the rule is matched, and the ability to specify the criteria to match. Data packets go through the rules
from 1 - 9999, at the first match the action of the rule will executed.
set firewall name <name> description <text>
set firewall ipv6-name <name> description <text>
Provide a rule-set description.
set firewall name <name> default-action [drop | reject | accept]
set firewall ipv6-name <name> default-action [drop | reject | accept]
This set the default action of the rule-set if no rule matched a paket criteria.
set firewall name <name> enable-default-log
set firewall ipv6-name <name> enable-default-log

8.1. Firewall 189

 VyOS Documentation, 发布 1.4.x (sagitta)

Use this command to enable the logging of the default action.

set firewall name <name> rule <1-9999> action [drop | reject | accept]
set firewall ipv6-name <name> rule <1-9999> action [drop | reject | accept]
This required setting define the action of the current rule.
set firewall name <name> rule <1-9999> description <text>
set firewall ipv6-name <name> rule <1-9999> description <text>
Provide a description for each rule.
set firewall name <name> rule <1-9999> log [disable | enable]
set firewall ipv6-name <name> rule <1-9999> log [disable | enable]
Enable or disable logging for the matched packet.
set firewall name <name> rule <1-9999> disable
set firewall ipv6-name <name> rule <1-9999> disable
If you want to disable a rule but let it in the configuration.

Matching criteria

There are a lot of matching criteria gainst which the package can be tested.
set firewall name <name> rule <1-9999> source address [address | addressrange
| CIDR]
set firewall name <name> rule <1-9999> destination address [address |
addressrange | CIDR]
set firewall ipv6-name <name> rule <1-9999> source address [address |
addressrange | CIDR]
set firewall ipv6-name <name> rule <1-9999> destination address [address |
addressrange | CIDR]
This is similiar to the network groups part, but here you are able to negate the matching addresses.

set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11

# with a '!' the rule match everything except the specified subnet
set fitewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202

set firewall name <name> rule <1-9999> source mac-address <mac-address>

set firewall ipv6-name <name> rule <1-9999> source mac-address <mac-address>
Only in the source criteria you can specify a mac-address

set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33

set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34

set firewall name <name> rule <1-9999> source port [1-65535 | portname |
start-end]
set firewall name <name> rule <1-9999> destination port [1-65535 | portname |
start-end]

8.1. Firewall 190

 VyOS Documentation, 发布 1.4.x (sagitta)

set firewall ipv6-name <name> rule <1-9999> source port [1-65535 | portname |
start-end]
set firewall ipv6-name <name> rule <1-9999> destination port [1-65535 |
portname | start-end]
A port can be set with a portnumber or a name which is here defined: /etc/services.

set firewall name WAN-IN-v4 rule 10 source port '22'

set firewall name WAN-IN-v4 rule 11 source port '!http'
set firewall name WAN-IN-v4 rule 12 source port 'https'

Multiple source ports can be specified as a comma-separated list. The whole list can also be“negated”using‘!’
. For example:

set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'

set firewall name <name> rule <1-9999> source group address-group <name>
set firewall name <name> rule <1-9999> destination group address-group <name>
set firewall ipv6-name <name> rule <1-9999> source group address-group <name>
set firewall ipv6-name <name> rule <1-9999> destination group address-group
<name>
Use a specific address-group
set firewall name <name> rule <1-9999> source group network-group <name>
set firewall name <name> rule <1-9999> destination group network-group <name>
set firewall ipv6-name <name> rule <1-9999> source group network-group <name>
set firewall ipv6-name <name> rule <1-9999> destination group network-group
<name>
Use a specific network-group
set firewall name <name> rule <1-9999> source group port-group <name>
set firewall name <name> rule <1-9999> destination group port-group <name>
set firewall ipv6-name <name> rule <1-9999> source group port-group <name>
set firewall ipv6-name <name> rule <1-9999> destination group port-group
<name>
Use a specific port-group
set firewall name <name> rule <1-9999> protocol [<text> | <0-255> | all |
tcp_udp]
set firewall ipv6-name <name> rule <1-9999> protocol [<text> | <0-255> | all |
tcp_udp]
Match a protocol criteria. A protocol number or a name which is here defined: /etc/protocols. Special
names are all for all protocols and tcp_udp for tcp and upd based pakets. The ! negate the selected protocol.

set firewall name WAN-IN-v4 rule 10 protocol tcp_udp

set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp

set firewall name <name> rule <1-9999> tcp flags <text>

8.1. Firewall 191

 VyOS Documentation, 发布 1.4.x (sagitta)

set firewall ipv6-name <name> rule <1-9999> tcp flags <text>

Allowed values fpr TCP flags: SYN, ACK, FIN, RST, URG, PSH, ALL When specifying more than one flag, flags
should be comma separated. The ! negate the selected protocol.

set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'

set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'

set firewall name <name> rule <1-9999> state [established | invalid | new |
related] [enable | disable ]
set firewall ipv6-name <name> rule <1-9999> state [established | invalid | new
| related] [enable | disable ]
Match against the state of a packet.

8.1.5 Applying a Rule-Set to an Interface

A Rule-Set can be appliend to every inteface:

• in: Ruleset for forwarded packets on inbound interface
• out: Ruleset for forwarded packets on outbound interface
• local: Ruleset for packets destined for this router
set interface ethernet <ethN> firewall [in | out | local] [name | ipv6-name]
<rule-set>
Here are some examples for applying a rule-set to an interface

set interface ethernet eth1 vif 100 firewall in name LANv4-IN

set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
set interface bonding bond0 firewall in name LANv4-IN
set interfaces openvpn vtun1 firewall in name Lanv4-IN

注解: As you can see in the example here, you can assign the same rule-set to several interfaces. An interface
can only have one rule-set per chain.

8.1.6 Zone-based Firewall Policy

As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration
when multiple interfaces belong to the same security zone. Instead of applying rulesets to interfaces, they are applied to
source zone-destination zone pairs.
An basic introduction to zone-based firewalls can be found here, and an example at Zone-Policy 例子.

8.1. Firewall 192

 VyOS Documentation, 发布 1.4.x (sagitta)

Define a Zone

To define a zone setup either one with interfaces or a local zone.

set zone-policy zone <name> interface <interfacenames>
Set a interfaces to a zone. A zone can have multiple interfaces. But a interface can only be member in one zone.
set zone-policy zone <name> local-zone
Define the Zone as a local zone. A local zone have no interfaces and will be applied to the router itself.
set zone-policy zone <name> default-action [drop | reject]
Change the default-action with this setting.
set zone-policy zone <name> description
Set a meaningful description.

Applying a Rule-Set to a Zone

Before you are able to apply a rule-set to a zone you have to create the zones first.
set zone-policy zone <name> from <name> firewall name <rule-set>
set zone-policy zone <name> from <name> firewall ipv6-name <rule-set>
You apply a rule-set always to a zone from a other zone, it is recommended to create one rule-set for each zone
pair.
set zone-policy zone DMZ from LAN firewall name LANv4-to-DMZv4
set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4

8.1.7 Operation-mode Firewall

Rule-set overview

show firewall
This will show you a basic firewall overview
vyos@vyos:~$ show firewall

------------------------
Firewall Global Settings
------------------------

Firewall state-policy for all IPv4 and Ipv6 traffic

state action log

----- ------ ---
invalid accept disabled
established accept disabled
related accept disabled

-----------------------------
Rulesets Information
-----------------------------
(下页继续)

8.1. Firewall 193

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-IN":

Active on (eth0,IN)

rule action proto packets bytes

---- ------ ----- ------- -----
10 accept icmp 0 0
condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled

10000 drop all 0 0

condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled

--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-OUT":

Active on (eth0,OUT)

rule action proto packets bytes

---- ------ ----- ------- -----
10 accept tcp_udp 1 60
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
DMZv4-1-OUT-10 */LOG enabled

11 accept icmp 1 84
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled

10000 drop all 6 360

condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled

--------------------------------------------------------------------------
IPv4 Firewall "LANv4-IN":

Inactive - Not applied to any interfaces or zones.

rule action proto packets bytes

---- ------ ----- ------- -----
10 accept all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */

10000 drop all 0 0

condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

show firewall summary

This will show you a summary about rule-sets and groups
vyos@vyos:~$ show firewall summary

------------------------
Firewall Global Settings
------------------------

Firewall state-policy for all IPv4 and Ipv6 traffic

state action log

----- ------ ---
(下页继续)

8.1. Firewall 194

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
invalid accept disabled
related accept disabled
established accept disabled

------------------------
Firewall Rulesets
------------------------

IPv4 name:

Rule-set name Description References

------------- ----------- ----------
DMZv4-1-OUT (eth0,OUT)
DMZv4-1-IN (eth0,IN)

------------------------
Firewall Groups
------------------------

Port Groups:

Group name Description References

---------- ----------- ----------
DMZ-Ports DMZv4-1-OUT-10-destination

Network Groups:

Group name Description References

---------- ----------- ----------
LANv4 LANv4-IN-10-source,
DMZv4-1-OUT-10-source,
DMZv4-1-OUT-11-source

show firewall statistics

This will show you a statistic of all rule-sets since the last boot.
show firewall [name | ipv6name] <name> rule <1-9999>
This command will give an overview about a rule in a single rule-set
show firewall group <name>
Overview of defined groups. You see the type, the members, and where the group is used.

vyos@vyos:~$ show firewall group DMZ-Ports

Name : DMZ-Ports
Type : port
References : none
Members :
80
443
8080
8443

vyos@vyos:~$ show firewall group LANv4

Name : LANv4
Type : network
(下页继续)

8.1. Firewall 195

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
References : LANv4-IN-10-source
Members :
10.10.0.0/16

show firewall [name | ipv6name] <name>

This command will give an overview about a single rule-set
show firewall [name | ipv6name] <name> statistics
This will show you a rule-set statistic since the last boot.
show firewall [name | ipv6name] <name> rule <1-9999>
This command will give an overview about a rule in a single rule-set

Zone-Policy Overview

show zone-policy zone <name>

Use this command to get an overview about a zone
vyos@vyos:~$ show zone-policy zone DMZ
-------------------
Name: DMZ

Interfaces: eth0 eth1

From Zone:
name firewall
---- --------
LAN DMZv4-1-OUT

Show Firewall log

show log firewall [name | ipv6name] <name>

Show the logs of a specific Rule-Set

注解: At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will
save to /var/logs/messages. For example: grep '10.10.0.10' /var/log/messages

Example Partial Config

firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
(下页继续)

8.1. Firewall 196

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
name FROM-INTERNET {
default-action accept
description "From the Internet"
rule 10 {
action accept
description "Authorized Networks"
protocol all
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 11 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
rule 30 {
action drop
description "BAD PORTS"
destination {
group {
port-group BAD-PORTS
}
}
log enable
protocol all
}
}
}
interfaces {
ethernet eth1 {
address dhcp
description OUTSIDE
duplex auto
firewall {
in {
name FROM-INTERNET
}
}
}
}

8.1. Firewall 197

 VyOS Documentation, 发布 1.4.x (sagitta)

8.1.8 TCP-MSS Clamping

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value.
This is a field in the TCP Options part of a SYN packet. By setting the MSS value, you are telling the remote side
unequivocally ‘do not try to send me packets bigger than this value’.
Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS value for IPv4 and IPv6.

注解: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

IPv4

set firewall options interface <interface> adjust-mss <number-of-bytes>

Use this command to set the maximum segment size for IPv4 transit packets on a specific interface (500-1460
bytes).

Example

Clamp outgoing MSS value in a TCP SYN packet to 1452 for pppoe0 and 1372 for your WireGuard wg02 tunnel.

set firewall options interface pppoe0 adjust-mss '1452'

set firewall options interface wg02 adjust-mss '1372'

IPv6

set firewall options interface <interface> adjust-mss6 <number-of-bytes>

Use this command to set the maximum segment size for IPv6 transit packets on a specific interface (1280-1492
bytes).

Example

Clamp outgoing MSS value in a TCP SYN packet to 1280 for both pppoe0 and wg02 interface.

set firewall options interface pppoe0 adjust-mss6 '1280'

set firewall options interface wg02 adjust-mss6 '1280'

提示: When doing your byte calculations, you might find useful this Visual packet size calculator.

8.1. Firewall 198

 VyOS Documentation, 发布 1.4.x (sagitta)

8.2 High availability

VRRP (Virtual Router Redundancy Protocol) provides active/backup redundancy for routers. Every VRRP router has
a physical IP/IPv6 address, and a virtual address. On startup, routers elect the master, and the router with the highest
priority becomes the master and assigns the virtual address to its interface. All routers with lower priorities become
backup routers. The master then starts sending keepalive packets to notify other routers that it’s available. If the master
fails and stops sending keepalive packets, the router with the next highest priority becomes the new master and takes over
the virtual address.
VRRP keepalive packets use multicast, and VRRP setups are limited to a single datalink layer segment. You can setup
multiple VRRP groups (also called virtual routers). Virtual routers are identified by a VRID (Virtual Router IDentifier). If
you setup multiple groups on the same interface, their VRIDs must be unique, but it’s possible (even if not recommended
for readability reasons) to use duplicate VRIDs on different interfaces.

8.2.1 Basic setup

VRRP groups are created with the set high-availability vrrp group $GROUP_NAME commands. The
required parameters are interface, vrid, and virtual-address.
minimal config

set high-availability vrrp group Foo vrid 10

set high-availability vrrp group Foo interface eth0
set high-availability vrrp group Foo virtual-address 192.0.2.1/24

You can verify your VRRP group status with the operational mode run show vrrp command:

vyos@vyos# run show vrrp

Name Interface VRID State Last Transition
---------- ----------- ------ ------- -----------------
Foo eth1 10 MASTER 2s

8.2.2 IPv6 support

The virtual-address parameter can be either an IPv4 or IPv6 address, but you cannot mix IPv4 and IPv6 in the
same group, and will need to create groups with different VRIDs specially for IPv4 and IPv6.

8.2.3 Disabling a VRRP group

You can disable a VRRP group with disable option:

set high-availability vrrp group Foo disable

A disabled group will be removed from the VRRP process and your router will not participate in VRRP for that VRID.
It will disappear from operational mode commands output, rather than enter the backup state.

8.2. High availability 199

 VyOS Documentation, 发布 1.4.x (sagitta)

8.2.4 Setting VRRP group priority

VRRP priority can be set with priority option:

set high-availability vrrp group Foo priority 200

The priority must be an integer number from 1 to 255. Higher priority value increases router’s precedence in the master
elections.

8.2.5 Sync groups

A sync group allows VRRP groups to transition together.

edit high-availability vrrp

set sync-group MAIN member VLAN9
set sync-group MAIN member VLAN20

In the following example, when VLAN9 transitions, VLAN20 will also transition:

vrrp {
group VLAN9 {
interface eth0.9
virtual-address 10.9.1.1/24
priority 200
vrid 9
}
group VLAN20 {
interface eth0.20
priority 200
virtual-address 10.20.20.1/24
vrid 20
}
sync-group MAIN {
member VLAN20
member VLAN9
}
}

警告: All items in a sync group should be similarly configured. If one VRRP group is set to a different premption
delay or priority, it would result in an endless transition loop.

8.2.6 Preemption

VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, if a router with a higher priority
fails and then comes back, routers with lower priority will give up their master status. In non-preemptive mode, the newly
elected master will keep the master status and the virtual address indefinitely.
By default VRRP uses preemption. You can disable it with the “no-preempt”option:

set high-availability vrrp group Foo no-preempt

You can also configure the time interval for preemption with the“preempt-delay”option. For example, to set the higher
priority router to take over in 180 seconds, use:

8.2. High availability 200

 VyOS Documentation, 发布 1.4.x (sagitta)

set high-availability vrrp group Foo preempt-delay 180

8.2.7 Unicast VRRP

By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can make
VRRP use unicast communication instead.

set high-availability vrrp group Foo peer-address 192.0.2.10

set high-availability vrrp group Foo hello-source-address 192.0.2.15

8.2.8 Scripting

VRRP functionality can be extended with scripts. VyOS supports two kinds of scripts: health check scripts and transition
scripts. Health check scripts execute custom checks in addition to the master router reachability. Transition scripts are
executed when VRRP state changes from master to backup or fault and vice versa and can be used to enable or disable
certain services, for example.

Health check scripts

This setup will make the VRRP process execute the /config/scripts/vrrp-check.sh script every 60
seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:

set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh

set high-availability vrrp group Foo health-check interval 60
set high-availability vrrp group Foo health-check failure-count 3

Transition scripts

Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying
the VyOS config on VRRP transition. This setup will make the VRRP process execute the /config/scripts/
vrrp-fail.sh with argument Foo when VRRP fails, and the /config/scripts/vrrp-master.sh when
the router becomes the master:

set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-

,→fail.sh Foo"

set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-

,→fail.sh Foo"

set high-availability vrrp group Foo transition-script master "/config/scripts/vrrp-

,→master.sh Foo"

To know more about scripting, check the Command Scripting section.

8.2. High availability 201

 VyOS Documentation, 发布 1.4.x (sagitta)

8.3 Interfaces

8.3.1 Bond / Link Aggregation

The bonding interface provides a method for aggregating multiple network interfaces into a single logical “bonded”
interface, or LAG, or ether-channel, or port-channel. The behavior of the bonded interfaces depends upon the mode;
generally speaking, modes provide either hot standby or load balancing services. Additionally, link integrity monitoring
may be performed.

Configuration

Common interface configuration

set interfaces bond <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:
set interfaces bond bond0 address 192.0.2.1/24
set interfaces bond bond0 address 2001:db8::1/64
set interfaces bond bond0 dhcp
set interfaces bond bond0 dhcpv6

set interfaces bond <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:
set interfaces bond bond0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces bond <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:
set interfaces bond bond0 disable

set interfaces bond <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).

8.3. Interfaces 202

 VyOS Documentation, 发布 1.4.x (sagitta)

Example:

set interfaces bond bond0 disable-flow-control

set interfaces bond <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces bond bond0 disable-link-detect

set interfaces bond <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC (Media Access Control) address on given <interface>.
Example:

set interfaces bond bond0 mac '00:01:02:03:04:05'

set interfaces bond <interface> mtu <mtu>

Configure MTU (Maximum Transmission Unit) on given <interface>. It is the size (in bytes) of the largest ethernet
frame sent on this link.
Example:

set interfaces bond bond0 mtu 9000

set interfaces bond <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces bond bond0 ip arp-cache-timeout 180

set interfaces bond <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces bond bond0 ip disable-arp-filter

set interfaces bond <interface> ip disable-forwarding

8.3. Interfaces 203

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces bond bond0 ip disable-forwarding

set interfaces bond <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces bond bond0 ip enable-arp-accept

set interfaces bond <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces bond bond0 ip enable-arp-announce

set interfaces bond <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces bond bond0 ip enable-arp-ignore

set interfaces bond <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces bond bond0 ip enable-proxy-arp

set interfaces bond <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

8.3. Interfaces 204

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces bond <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces bond <interface> ipv6 address autoconf
SLAAC (Stateless Address Autoconfiguration) RFC 4862. IPv6 hosts can configure themselves automatically
when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMP 6 (Internet Control Message
Protocol version 6) router discovery messages. When first connected to a network, a host sends a link-local router
solicitation multicast request for its configuration parameters; routers respond to such a request with a router
advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces bond bond0 ipv6 address autoconf

set interfaces bond <interface> ipv6 address eui64 <prefix>

EUI-64 (64-Bit Extended Unique Identifier) as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit
IPv6 address.
Example:

set interfaces bond bond0 ipv6 address eui64 2001:db8:beef::/64

set interfaces bond <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces bond bond0 ipv6 address no-default-link-local

set interfaces bond <interface> ipv6 disable-forwarding

8.3. Interfaces 205

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces bond bond0 ipv6 disable-forwarding

set interfaces bond <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces bond bond0 vrf red

DHCP(v6)
set interfaces bond <interface> dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces bond bond0 dhcp-options client-id 'foo-bar'

set interfaces bond <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces bond bond0 dhcp-options host-name 'VyOS'

set interfaces bond <interface> dhcp-options vendor-class-id <vendor-id>

The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces bond bond0 dhcp-options vendor-class-id 'VyOS'

set interfaces bond <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces bond bond0 dhcp-options no-default-route

set interfaces bond <interface> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces bond bond0 dhcp-options default-route-distance 220

set interfaces bond <interface> dhcpv6-options duid <duid>

8.3. Interfaces 206

 VyOS Documentation, 发布 1.4.x (sagitta)

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces bond bond0 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces bond <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces bond bond0 dhcpv6-options parameters-only

set interfaces bond <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces bond bond0 dhcpv6-options rapid-commit

set interfaces bond <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces bond bond0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces bond <interface> dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces bond bond0 dhcpv6-options pd 0 length 56

set interfaces bond <interface> dhcpv6-options pd <id> interface <delegatee>

address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces bond bond0 dhcpv6-options pd 0 interface eth8 address 65534

8.3. Interfaces 207

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bond <interface> dhcpv6-options pd <id> interface <delegatee>

sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces bond bond0 dhcpv6-options pd 0 interface eth8 sla-id 1

Member Interfaces

set interfaces bonding <interface> member interface <member>

Enslave <member> interface to bond <interface>.

Bond options

set interfaces bonding <interface> mode <802.3ad | active-backup | broadcast |

round-robin | transmit-load-balance | adaptive-load-balance | xor-hash>
Specifies one of the bonding policies. The default is 802.3ad. Possible values are:
• 802.3ad - IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the
same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad
specification.
Slave selection for outgoing traffic is done according to the transmit hash policy, which may be
changed from the default simple XOR policy via the hash-policy option, documented below.

注解: Not all transmit policies may be 802.3ad compliant, particularly in regards to the packet
mis-ordering requirements of section 43.2.4 of the 802.3ad standard.

• active-backup - Active-backup policy: Only one slave in the bond is active. A different slave
becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible
on only one port (network adapter) to avoid confusing the switch.
When a failover occurs in active-backup mode, bonding will issue one or more gratuitous ARPs
on the newly active slave. One gratuitous ARP is issued for the bonding master interface and each
VLAN interfaces configured above it, provided that the interface has at least one IP address config-
ured. Gratuitous ARPs issued for VLAN interfaces are tagged with the appropriate VLAN id.
This mode provides fault tolerance. The primary option, documented below, affects the behavior
of this mode.
• broadcast - Broadcast policy: transmits everything on all slave interfaces.
This mode provides fault tolerance.
• round-robin - Round-robin policy: Transmit packets in sequential order from the first available
slave through the last.
This mode provides load balancing and fault tolerance.

8.3. Interfaces 208

 VyOS Documentation, 发布 1.4.x (sagitta)

• transmit-load-balance - Adaptive transmit load balancing: channel bonding that does not
require any special switch support.
Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over
the MAC address of the failed receiving slave.
• adaptive-load-balance - Adaptive load balancing: includes transmit-load-balance plus re-
ceive load balancing for IPV4 traffic, and does not require any special switch support. The receive
load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent
by the local system on their way out and overwrites the source hardware address with the unique
hardware address of one of the slaves in the bond such that different peers use different hardware
addresses for the server.
Receive traffic from connections created by the server is also balanced. When the local system
sends an ARP Request the bonding driver copies and saves the peer’s IP information from the
ARP packet. When the ARP Reply arrives from the peer, its hardware address is retrieved and the
bonding driver initiates an ARP reply to this peer assigning it to one of the slaves in the bond. A
problematic outcome of using ARP negotiation for balancing is that each time that an ARP request
is broadcast it uses the hardware address of the bond. Hence, peers learn the hardware address of the
bond and the balancing of receive traffic collapses to the current slave. This is handled by sending
updates (ARP Replies) to all the peers with their individually assigned hardware address such that
the traffic is redistributed. Receive traffic is also redistributed when a new slave is added to the bond
and when an inactive slave is re-activated. The receive load is distributed sequentially (round robin)
among the group of highest speed slaves in the bond.
When a link is reconnected or a new slave joins the bond the receive traffic is redistributed among
all active slaves in the bond by initiating ARP Replies with the selected MAC address to each of
the clients. The updelay parameter (detailed below) must be set to a value equal or greater than the
switch’s forwarding delay so that the ARP Replies sent to the peers will not be blocked by the
switch.
• xor-hash - XOR policy: Transmit based on the selected transmit hash policy. The default policy
is a simple [(source MAC address XOR’d with destination MAC address XOR packet type ID)
modulo slave count]. Alternate transmit policies may be selected via the hash-policy option,
described below.
This mode provides load balancing and fault tolerance.
set interfaces bonding <interface> min-links <0-16>
Specifies the minimum number of links that must be active before asserting carrier. It is similar to the Cisco
EtherChannel min-links feature. This allows setting the minimum number of member ports that must be up (link-
up state) before marking the bond device as up (carrier on). This is useful for situations where higher level services
such as clustering want to ensure a minimum number of low bandwidth links are active before switchover.
This option only affects 802.3ad mode.
The default value is 0. This will cause carrier to be asserted (for 802.3ad mode) whenever there is an active
aggregator, regardless of the number of available links in that aggregator.

注解: Because an aggregator cannot be active without at least one available link, setting this option to 0 or to 1
has the exact same effect.

set interfaces bonding <interface> hash-policy <policy>

• layer2 - Uses XOR of hardware MAC addresses and packet type ID field to generate the hash. The formula
is

8.3. Interfaces 209

 VyOS Documentation, 发布 1.4.x (sagitta)

hash = source MAC XOR destination MAC XOR packet type ID

slave number = hash modulo slave count

This algorithm will place all traffic to a particular network peer on the same slave.
This algorithm is 802.3ad compliant.
• layer2+3 - This policy uses a combination of layer2 and layer3 protocol information to generate the hash.
Uses XOR of hardware MAC addresses and IP addresses to generate the hash. The formula is:

hash = source MAC XOR destination MAC XOR packet type ID

hash = hash XOR source IP XOR destination IP
hash = hash XOR (hash RSHIFT 16)
hash = hash XOR (hash RSHIFT 8)

And then hash is reduced modulo slave count.

If the protocol is IPv6 then the source and destination addresses are first hashed using ipv6_addr_hash.
This algorithm will place all traffic to a particular network peer on the same slave. For non-IP traffic, the
formula is the same as for the layer2 transmit hash policy.
This policy is intended to provide a more balanced distribution of traffic than layer2 alone, especially in
environments where a layer3 gateway device is required to reach most destinations.
This algorithm is 802.3ad compliant.
• layer3+4 - This policy uses upper layer protocol information, when available, to generate the hash. This
allows for traffic to a particular network peer to span multiple slaves, although a single connection will not
span multiple slaves.
The formula for unfragmented TCP and UDP packets is

hash = source port, destination port (as in the header)

hash = hash XOR source IP XOR destination IP
hash = hash XOR (hash RSHIFT 16)
hash = hash XOR (hash RSHIFT 8)

And then hash is reduced modulo slave count.

If the protocol is IPv6 then the source and destination addresses are first hashed using ipv6_addr_hash.
For fragmented TCP or UDP packets and all other IPv4 and IPv6 protocol traffic, the source and destination
port information is omitted. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy.
This algorithm is not fully 802.3ad compliant. A single TCP or UDP conversation containing both fragmented
and unfragmented packets will see packets striped across two interfaces. This may result in out of order
delivery. Most traffic types will not meet this criteria, as TCP rarely fragments traffic, and most UDP traffic
is not involved in extended conversations. Other implementations of 802.3ad may or may not tolerate this
noncompliance.
set interfaces bonding <interface> primary <interface>
An <interface> specifying which slave is the primary device. The specified device will always be the active slave
while it is available. Only when the primary is off-line will alternate devices be used. This is useful when one slave
is preferred over another, e.g., when one slave has higher throughput than another.
The primary option is only valid for active-backup, transmit-load-balance, and adaptive-load-balance mode.
set interfaces bonding <interface> arp-monitor interval <time>

8.3. Interfaces 210

 VyOS Documentation, 发布 1.4.x (sagitta)

Specifies the ARP link monitoring <time> in seconds.

The ARP monitor works by periodically checking the slave devices to determine whether they have sent or received
traffic recently (the precise criteria depends upon the bonding mode, and the state of the slave). Regular traffic is
generated via ARP probes issued for the addresses specified by the arp-monitor target option.
If ARP monitoring is used in an etherchannel compatible mode (modes round-robin and xor-hash), the switch
should be configured in a mode that evenly distributes packets across all links. If the switch is configured to
distribute the packets in an XOR fashion, all replies from the ARP targets will be received on the same link which
could cause the other team members to fail.
A value of 0 disables ARP monitoring. The default value is 0.
set interfaces bonding <interface> arp-monitor target <address>
Specifies the IP addresses to use as ARP monitoring peers when arp-monitor interval option is > 0.
These are the targets of the ARP request sent to determine the health of the link to the targets.
Multiple target IP addresses can be specified. At least one IP address must be given for ARP monitoring to
function.
The maximum number of targets that can be specified is 16. The default value is no IP addresses.

Offloading

set interfaces bonding <interface> xdp

Enable support for Linux XDP (eXpress Data Path) on recent 1.4 rolling releases. You must enable it for every
interface which should participate in the XDP forwarding.
XDP is an eBPF based high performance data path merged in the Linux kernel since version 4.8. The idea behind
XDP is to add an early hook in the RX path of the kernel, and let a user supplied eBPF program decide the fate
of the packet. The hook is placed in the NIC driver just after the interrupt processing, and before any memory
allocation needed by the network stack itself, because memory allocation can be an expensive operation.

警告: This is highly experimental!

注解: Enabling this feature will break any form of NAT or Firewalling on this interface, as XDP is handled way
earlier in the driver then iptables/ nftables.

Enabling this feature will only load the XDP router code as described here:
https://blog.apnic.net/2020/04/30/how-to-build-an-xdp-based-bgp-peering-router/
Example:

set interfaces bonding bond0 xdp

8.3. Interfaces 211

 VyOS Documentation, 发布 1.4.x (sagitta)

VLAN

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE
802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying
procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a
quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration
Protocol.
Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame
enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must
be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not
contain a VLAN tag is assumed to be flowing on the native VLAN.
The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be
actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging)
and much of the IEEE 802.1d standard.
802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.
set interfaces bond <interface> vif <vlan-id>
Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.
You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

注解: Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces bond <interface> vif <vlan-id> address <address | dhcp |

dhcpv6>
Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces bond bond0 vif 10 address 192.0.2.1/24

set interfaces bond bond0 vif 10 address 2001:db8::1/64
set interfaces bond bond0 vif 10 dhcp
set interfaces bond bond0 vif 10 dhcpv6

set interfaces bond <interface> vif <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces bond bond0 vif 10 description 'This is an awesome interface␣

,→running on VyOS'

set interfaces bond <interface> vif <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

8.3. Interfaces 212

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bond bond0 vif 10 disable

set interfaces bond <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces bond bond0 vif 10 disable-link-detect

set interfaces bond <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces bond bond0 vif 10 mac '00:01:02:03:04:05'

set interfaces bond <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces bond bond0 vif 10 mtu 9000

set interfaces bond <interface> vif <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces bond bond0 vif 10 ip arp-cache-timeout 180

set interfaces bond <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces bond bond0 vif 10 ip disable-arp-filter

set interfaces bond <interface> vif <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

8.3. Interfaces 213

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bond bond0 vif 10 ip disable-forwarding

set interfaces bond <interface> vif <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces bond bond0 vif 10 ip enable-arp-accept

set interfaces bond <interface> vif <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces bond bond0 vif 10 ip enable-arp-announce

set interfaces bond <interface> vif <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces bond bond0 vif 10 ip enable-arp-ignore

set interfaces bond <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces bond bond0 vif 10 ip enable-proxy-arp

set interfaces bond <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

8.3. Interfaces 214

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces bond <interface> vif <vlan-id> ip source-validation <strict |
loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces bond <interface> vif <vlan-id> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces bond bond0 vif 10 ipv6 address autoconf

set interfaces bond <interface> vif <vlan-id> ipv6 address eui64 <prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces bond bond0 vif 10 ipv6 address eui64 2001:db8:beef::/64

set interfaces bond <interface> vif <vlan-id> ipv6 address

no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces bond bond0 vif 10 ipv6 address no-default-link-local

set interfaces bond <interface> vif <vlan-id> ipv6 disable-forwarding

8.3. Interfaces 215

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces bond bond0 vif 10 ipv6 disable-forwarding

set interfaces bond <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces bond bond0 vif 10 vrf red

DHCP(v6)
set interfaces bond <interface> vif <vlan-id> dhcp-options client-id
<description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces bond bond0 vif 10 dhcp-options client-id 'foo-bar'

set interfaces bond <interface> vif <vlan-id> dhcp-options host-name

<hostname>
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces bond bond0 vif 10 dhcp-options host-name 'VyOS'

set interfaces bond <interface> vif <vlan-id> dhcp-options vendor-class-id

<vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces bond bond0 vif 10 dhcp-options vendor-class-id 'VyOS'

set interfaces bond <interface> vif <vlan-id> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces bond bond0 vif 10 dhcp-options no-default-route

set interfaces bond <interface> vif <vlan-id> dhcp-options

default-route-distance <distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

8.3. Interfaces 216

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bond bond0 vif 10 dhcp-options default-route-distance 220

set interfaces bond <interface> vif <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces bond bond0 vif 10 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces bond <interface> vif <vlan-id> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces bond bond0 vif 10 dhcpv6-options parameters-only

set interfaces bond <interface> vif <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces bond bond0 vif 10 dhcpv6-options rapid-commit

set interfaces bond <interface> vif <vlan-id> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces bond bond0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces bond <interface> vif <vlan-id> dhcpv6-options pd <id> length
<length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces bond bond0 vif 10 dhcpv6-options pd 0 length 56

set interfaces bond <interface> vif <vlan-id> dhcpv6-options pd <id> interface

<delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.

8.3. Interfaces 217

 VyOS Documentation, 发布 1.4.x (sagitta)

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces bond bond0 vif 10 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces bond <interface> vif <vlan-id> dhcpv6-options pd <id> interface

<delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces bond bond0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1

Port Mirror (SPAN)

SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface
can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic
collector, and can copy all related traffic from this port
VyOS uses the mirror option to configure port mirroring. The configuration is divided into 2 different directions. Desti-
nation ports should be configured for different traffic directions.
set interfaces bonding <interface> mirror ingress <monitor-interface>
Configure port mirroring for interface inbound traffic and copy the traffic to monitor-interface
Example: Mirror the inbound traffic of bond1 port to eth3

set interfaces bonding bond1 mirror ingress eth3

set interfaces bonding <interface> mirror egress <monitor-interface>

Configure port mirroring for interface outbound traffic and copy the traffic to monitor-interface
Example: Mirror the outbound traffic of bond1 port to eth3

set interfaces bonding bond1 mirror egress eth3

Example

The following configuration on VyOS applies to all following 3rd party vendors. It creates a bond with two links and
VLAN 10, 100 on the bonded interfaces with a per VIF IPv4 address.

# Create bonding interface bond0 with 802.3ad LACP

set interfaces bonding bond0 hash-policy 'layer2'
set interfaces bonding bond0 mode '802.3ad'

# Add the required vlans and IPv4 addresses on them

set interfaces bonding bond0 vif 10 address 192.168.0.1/24
set interfaces bonding bond0 vif 100 address 10.10.10.1/24

# Add the member interfaces to the bonding interface

set interfaces bonding bond0 member interface eth1
set interfaces bonding bond0 member interface eth2

8.3. Interfaces 218

 VyOS Documentation, 发布 1.4.x (sagitta)

Cisco Catalyst

Assign member interfaces to PortChannel

interface GigabitEthernet1/0/23
description VyOS eth1
channel-group 1 mode active
!
interface GigabitEthernet1/0/24
description VyOS eth2
channel-group 1 mode active
!

A new interface becomes present Port-channel1, all configuration like allowed VLAN interfaces, STP will happen
here.

interface Port-channel1
description LACP Channel for VyOS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,100
switchport mode trunk
spanning-tree portfast trunk
!

Juniper EX Switch

For a headstart you can use the below example on how to build a bond with two interfaces from VyOS to a Juniper EX
Switch system.

# Create aggregated ethernet device with 802.3ad LACP and port speeds of 10gbit/s
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae0 aggregated-ether-options lacp active

# Create layer 2 on the aggregated ethernet device with trunking for our vlans
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

# Add the required vlans to the device

set interfaces ae0 unit 0 family ethernet-switching vlan members 10
set interfaces ae0 unit 0 family ethernet-switching vlan members 100

# Add the two interfaces to the aggregated ethernet device, in this setup both
# ports are on the same switch (switch 0, module 1, port 0 and 1)
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-0/1/1 ether-options 802.3ad ae0

# But this can also be done with multiple switches in a stack, a virtual
# chassis on Juniper (switch 0 and switch 1, module 1, port 0 on both switches)
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-1/1/0 ether-options 802.3ad ae0

8.3. Interfaces 219

 VyOS Documentation, 发布 1.4.x (sagitta)

Aruba/HP

For a headstart you can use the below example on how to build a bond,port-channel with two interfaces from VyOS to a
Aruba/HP 2510G switch.

# Create trunk with 2 member interfaces (interface 1 and 2) and LACP

trunk 1-2 Trk1 LACP

# Add the required vlans to the trunk

vlan 10 tagged Trk1
vlan 100 tagged Trk1

Arista EOS

When utilizing VyOS in an environment with Arista gear you can use this blue print as an initial setup to get an LACP
bond / port-channel operational between those two devices.
Lets assume the following topology:

R1

interfaces {
bonding bond10 {
hash-policy layer3+4
member {
interface eth1
interface eth2
}
mode 802.3ad
(下页继续)

8.3. Interfaces 220

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
vif 100 {
address 192.0.2.1/30
address 2001:db8::1/64
}
}

R2

interfaces {
bonding bond10 {
hash-policy layer3+4
member {
interface eth1
interface eth2
}
mode 802.3ad
vif 100 {
address 192.0.2.2/30
address 2001:db8::2/64
}
}

SW1

!
vlan 100
name FOO
!
interface Port-Channel10
switchport trunk allowed vlan 100
switchport mode trunk
spanning-tree portfast
!
interface Port-Channel20
switchport mode trunk
no spanning-tree portfast auto
spanning-tree portfast network
!
interface Ethernet1
channel-group 10 mode active
!
interface Ethernet2
channel-group 10 mode active
!
interface Ethernet3
channel-group 20 mode active
!
interface Ethernet4
channel-group 20 mode active
!

SW2

!
vlan 100
name FOO
(下页继续)

8.3. Interfaces 221

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
!
interface Port-Channel10
switchport trunk allowed vlan 100
switchport mode trunk
spanning-tree portfast
!
interface Port-Channel20
switchport mode trunk
no spanning-tree portfast auto
spanning-tree portfast network
!
interface Ethernet1
channel-group 10 mode active
!
interface Ethernet2
channel-group 10 mode active
!
interface Ethernet3
channel-group 20 mode active
!
interface Ethernet4
channel-group 20 mode active
!

注解: When using EVE-NG to lab this environment ensure you are using e1000 as the desired driver for your VyOS
network interfaces. When using the regular virtio network driver no LACP PDUs will be sent by VyOS thus the port-
channel will never become active!

Operation

show interfaces bonding

Show brief interface information.
vyos@vyos:~$ show interfaces bonding
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
bond0 - u/u my-sw1 int 23 and 24
bond0.10 192.168.0.1/24 u/u office-net
bond0.100 10.10.10.1/24 u/u management-net

show interfaces bonding <interface>

Show detailed information on given <interface>
vyos@vyos:~$ show interfaces bonding bond5
bond5: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state␣
,→DOWN group default qlen 1000

link/ether 00:50:56:bf:ef:aa brd ff:ff:ff:ff:ff:ff

inet6 fe80::e862:26ff:fe72:2dac/64 scope link tentative
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

(下页继续)

8.3. Interfaces 222

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collisions
0 0 0 0 0 0

show interfaces bonding <interface> detail

Show detailed information about the underlaying physical links on given bond <interface>.

vyos@vyos:~$ show interfaces bonding bond5 detail

Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation

Transmit Hash Policy: layer2 (0)
MII Status: down
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

802.3ad info
LACP rate: slow
Min links: 0
Aggregator selection policy (ad_select): stable

Slave Interface: eth1

MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:50:56:bf:ef:aa
Slave queue ID: 0
Aggregator ID: 1
Actor Churn State: churned
Partner Churn State: churned
Actor Churned Count: 1
Partner Churned Count: 1

Slave Interface: eth2

MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:50:56:bf:19:26
Slave queue ID: 0
Aggregator ID: 2
Actor Churn State: churned
Partner Churn State: churned
Actor Churned Count: 1
Partner Churned Count: 1

8.3. Interfaces 223

 VyOS Documentation, 发布 1.4.x (sagitta)

8.3.2 Bridge

A Bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based
on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go
transparently through a bridge. The Linux bridge code implements a subset of the ANSI/IEEE 802.1d standard.

注解: Spanning Tree Protocol is not enabled by default in VyOS. STP Parameter can be easily enabled if needed.

Configuration

Common interface configuration

set interfaces bridge <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces bridge br0 address 192.0.2.1/24

set interfaces bridge br0 address 2001:db8::1/64
set interfaces bridge br0 dhcp
set interfaces bridge br0 dhcpv6

set interfaces bridge <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces bridge br0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces bridge <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces bridge br0 disable

set interfaces bridge <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).

8.3. Interfaces 224

 VyOS Documentation, 发布 1.4.x (sagitta)

Example:

set interfaces bridge br0 disable-flow-control

set interfaces bridge <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces bridge br0 disable-link-detect

set interfaces bridge <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces bridge br0 mac '00:01:02:03:04:05'

set interfaces bridge <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces bridge br0 mtu 9000

set interfaces bridge <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces bridge br0 ip arp-cache-timeout 180

set interfaces bridge <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces bridge br0 ip disable-arp-filter

set interfaces bridge <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

8.3. Interfaces 225

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bridge br0 ip disable-forwarding

set interfaces bridge <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces bridge br0 ip enable-arp-accept

set interfaces bridge <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces bridge br0 ip enable-arp-announce

set interfaces bridge <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces bridge br0 ip enable-arp-ignore

set interfaces bridge <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces bridge br0 ip enable-proxy-arp

set interfaces bridge <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

8.3. Interfaces 226

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces bridge <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces bridge <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces bridge br0 ipv6 address autoconf

set interfaces bridge <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64

set interfaces bridge <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces bridge br0 ipv6 address no-default-link-local

set interfaces bridge <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

8.3. Interfaces 227

 VyOS Documentation, 发布 1.4.x (sagitta)

Example:

set interfaces bridge br0 ipv6 disable-forwarding

set interfaces bridge <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces bridge br0 vrf red

DHCP(v6)
set interfaces bridge <interface> dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces bridge br0 dhcp-options client-id 'foo-bar'

set interfaces bridge <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces bridge br0 dhcp-options host-name 'VyOS'

set interfaces bridge <interface> dhcp-options vendor-class-id <vendor-id>

The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces bridge br0 dhcp-options vendor-class-id 'VyOS'

set interfaces bridge <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces bridge br0 dhcp-options no-default-route

set interfaces bridge <interface> dhcp-options default-route-distance

<distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces bridge br0 dhcp-options default-route-distance 220

set interfaces bridge <interface> dhcpv6-options duid <duid>

8.3. Interfaces 228

 VyOS Documentation, 发布 1.4.x (sagitta)

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces bridge br0 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces bridge <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces bridge br0 dhcpv6-options parameters-only

set interfaces bridge <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces bridge br0 dhcpv6-options rapid-commit

set interfaces bridge <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces bridge br0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces bridge <interface> dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces bridge br0 dhcpv6-options pd 0 length 56

set interfaces bridge <interface> dhcpv6-options pd <id> interface <delegatee>

address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces bridge br0 dhcpv6-options pd 0 interface eth8 address 65534

8.3. Interfaces 229

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bridge <interface> dhcpv6-options pd <id> interface <delegatee>

sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces bridge br0 dhcpv6-options pd 0 interface eth8 sla-id 1

Member Interfaces

set interfaces bridge <interface> member interface <member>

Assign <member> interface to bridge <interface>. A completion helper will help you with all allowed interfaces
which can be bridged. This includes Ethernet, Bond / Link Aggregation, L2TPv3, OpenVPN, VXLAN, Wireless
LAN (WiFi), Tunnel and GENEVE.
set interfaces bridge <interface> member interface <member> priority
<priority>
Configure individual bridge port <priority>.
Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code.
Each has a priority and a cost, that is used to decide which is the shortest path to forward a packet. The lowest
cost path is always used unless the other path is down. If you have multiple bridges and interfaces then you may
need to adjust the priorities to achieve optimium performance.
set interfaces bridge <interface> member interface <member> cost <cost>
Path <cost> value for Spanning Tree Protocol. Each interface in a bridge could have a different speed and this
value is used when deciding which link to use. Faster interfaces should have lower costs.

Bridge Options

set interfaces bridge <interface> aging <time>

MAC address aging <time> in seconds (default: 300).
set interfaces bridge <interface> max-age <time>
Bridge maximum aging <time> in seconds (default: 20).
If a another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to
be dead.
set interfaces bridge <interface> igmp querier
Enable IGMP querier

8.3. Interfaces 230

 VyOS Documentation, 发布 1.4.x (sagitta)

STP Parameter

STP (Spanning Tree Protocol) is a network protocol that builds a loop-free logical topology for Ethernet networks. The
basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also
allows a network design to include backup links providing fault tolerance if an active link fails.
set interfaces bridge <interface> stp
Enable spanning tree protocol. STP is disabled by default.
set interfaces bridge <interface> forwarding-delay <delay>
Spanning Tree Protocol forwarding <delay> in seconds (default: 15).
Forwarding delay time is the time spent in each of the Listening and Learning states before the Forwarding state
is entered. This delay is so that when a new bridge comes onto a busy network it looks at some traffic before
participating.
set interfaces bridge <interface> hello-time <interval>
Spanning Tree Protocol hello advertisement <interval> in seconds (default: 2).
Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to
communicate information about the topology throughout the entire Bridged Local Area Network.

VLAN

Enable VLAN-Aware Bridge

set interfaces bridge <interface> enable-vlan

To activate the VLAN aware bridge, you must activate this setting to use VLAN settings for the bridge

VLAN Options

注解: It is not valid to use the vif 1 option for VLAN aware bridges because VLAN aware bridges assume that all
unlabeled packets belong to the default VLAN 1 member and that the VLAN ID of the bridge’s parent interface is
always 1

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE
802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying
procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a
quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration
Protocol.
Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame
enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must
be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not
contain a VLAN tag is assumed to be flowing on the native VLAN.
The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be
actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging)
and much of the IEEE 802.1d standard.
802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.

8.3. Interfaces 231

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bridge <interface> vif <vlan-id>

Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.
You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

注解: Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces bridge <interface> vif <vlan-id> address <address | dhcp |

dhcpv6>
Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces bridge br0 vif 10 address 192.0.2.1/24

set interfaces bridge br0 vif 10 address 2001:db8::1/64
set interfaces bridge br0 vif 10 dhcp
set interfaces bridge br0 vif 10 dhcpv6

set interfaces bridge <interface> vif <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces bridge br0 vif 10 description 'This is an awesome interface␣

,→running on VyOS'

set interfaces bridge <interface> vif <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces bridge br0 vif 10 disable

set interfaces bridge <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces bridge br0 vif 10 disable-link-detect

set interfaces bridge <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces bridge br0 vif 10 mac '00:01:02:03:04:05'

8.3. Interfaces 232

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bridge <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces bridge br0 vif 10 mtu 9000

set interfaces bridge <interface> vif <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces bridge br0 vif 10 ip arp-cache-timeout 180

set interfaces bridge <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces bridge br0 vif 10 ip disable-arp-filter

set interfaces bridge <interface> vif <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces bridge br0 vif 10 ip disable-forwarding

set interfaces bridge <interface> vif <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces bridge br0 vif 10 ip enable-arp-accept

set interfaces bridge <interface> vif <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.

8.3. Interfaces 233

 VyOS Documentation, 发布 1.4.x (sagitta)

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces bridge br0 vif 10 ip enable-arp-announce

set interfaces bridge <interface> vif <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces bridge br0 vif 10 ip enable-arp-ignore

set interfaces bridge <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces bridge br0 vif 10 ip enable-proxy-arp

set interfaces bridge <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces bridge <interface> vif <vlan-id> ip source-validation <strict |
loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.

8.3. Interfaces 234

 VyOS Documentation, 发布 1.4.x (sagitta)

• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces bridge <interface> vif <vlan-id> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces bridge br0 vif 10 ipv6 address autoconf

set interfaces bridge <interface> vif <vlan-id> ipv6 address eui64 <prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces bridge br0 vif 10 ipv6 address eui64 2001:db8:beef::/64

set interfaces bridge <interface> vif <vlan-id> ipv6 address

no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces bridge br0 vif 10 ipv6 address no-default-link-local

set interfaces bridge <interface> vif <vlan-id> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces bridge br0 vif 10 ipv6 disable-forwarding

set interfaces bridge <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces bridge br0 vif 10 vrf red

DHCP(v6)
set interfaces bridge <interface> vif <vlan-id> dhcp-options client-id
<description>

8.3. Interfaces 235

 VyOS Documentation, 发布 1.4.x (sagitta)

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:
set interfaces bridge br0 vif 10 dhcp-options client-id 'foo-bar'

set interfaces bridge <interface> vif <vlan-id> dhcp-options host-name

<hostname>
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:
set interfaces bridge br0 vif 10 dhcp-options host-name 'VyOS'

set interfaces bridge <interface> vif <vlan-id> dhcp-options vendor-class-id

<vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:
set interfaces bridge br0 vif 10 dhcp-options vendor-class-id 'VyOS'

set interfaces bridge <interface> vif <vlan-id> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:
set interfaces bridge br0 vif 10 dhcp-options no-default-route

set interfaces bridge <interface> vif <vlan-id> dhcp-options

default-route-distance <distance>
Set the distance for the default gateway sent by the DHCP server.
Example:
set interfaces bridge br0 vif 10 dhcp-options default-route-distance 220

set interfaces bridge <interface> vif <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.
set interfaces bridge br0 vif 10 duid
,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces bridge <interface> vif <vlan-id> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.
set interfaces bridge br0 vif 10 dhcpv6-options parameters-only

set interfaces bridge <interface> vif <vlan-id> dhcpv6-options rapid-commit

8.3. Interfaces 236

 VyOS Documentation, 发布 1.4.x (sagitta)

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces bridge br0 vif 10 dhcpv6-options rapid-commit

set interfaces bridge <interface> vif <vlan-id> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces bridge br0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces bridge <interface> vif <vlan-id> dhcpv6-options pd <id> length
<length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces bridge br0 vif 10 dhcpv6-options pd 0 length 56

set interfaces bridge <interface> vif <vlan-id> dhcpv6-options pd <id>

interface <delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces bridge br0 vif 10 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces bridge <interface> vif <vlan-id> dhcpv6-options pd <id>

interface <delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces bridge br0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1

set interfaces bridge <interface> member interface <member> native-vlan

<vlan-id>
Set the native VLAN ID flag of the interface. When a data packet without a VLAN tag enters the port, the data
packet will be forced to add a tag of a specific vlan id. When the vlan id flag flows out, the tag of the vlan id will
be stripped

8.3. Interfaces 237

 VyOS Documentation, 发布 1.4.x (sagitta)

Example: Set eth0 member port to be native VLAN 2

set interfaces bridge br1 member interface eth0 native-vlan 2

set interfaces bridge <interface> member interface <member> allowed-vlan

<vlan-id>
Allows specific VLAN IDs to pass through the bridge member interface. This can either be an individual VLAN
id or a range of VLAN ids delimited by a hyphen.
Example: Set eth0 member port to be allowed VLAN 4

set interfaces bridge br1 member interface eth0 allowed-vlan 4

Example: Set eth0 member port to be allowed VLAN 6-8

set interfaces bridge br1 member interface eth0 allowed-vlan 6-8

Port Mirror (SPAN)

SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface
can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic
collector, and can copy all related traffic from this port
VyOS uses the mirror option to configure port mirroring. The configuration is divided into 2 different directions. Desti-
nation ports should be configured for different traffic directions.
set interfaces bridge <interface> mirror ingress <monitor-interface>
Configure port mirroring for interface inbound traffic and copy the traffic to monitor-interface
Example: Mirror the inbound traffic of br1 port to eth3

set interfaces bridge br1 mirror ingress eth3

set interfaces bridge <interface> mirror egress <monitor-interface>

Configure port mirroring for interface outbound traffic and copy the traffic to monitor-interface
Example: Mirror the outbound traffic of br1 port to eth3

set interfaces bridge br1 mirror egress eth3

Examples

Create a basic bridge

Creating a bridge interface is very simple. In this example we will have:

• A bridge named br100
• Member interfaces eth1 and VLAN 10 on interface eth2
• Enable STP
• Bridge answers on IP address 192.0.2.1/24 and 2001:db8::ffff/64

8.3. Interfaces 238

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bridge br100 address 192.0.2.1/24

set interfaces bridge br100 address 2001:db8::ffff/64
set interfaces bridge br100 member interface eth1
set interfaces bridge br100 member interface eth2.10
set interfaces bridge br100 stp

This results in the active configuration:

vyos@vyos# show interfaces bridge br100

address 192.0.2.1/24
address 2001:db8::ffff/64
member {
interface eth1 {
}
interface eth2.10 {
}
}
stp

Using VLAN aware Bridge

An example of creating a VLAN-aware bridge is as follows:

• A bridge named br100
• The member interface eth1 is a trunk that allows VLAN 10 to pass
• VLAN 10 on member interface eth2 (ACCESS mode)
• Enable STP
• Bridge answers on IP address 192.0.2.1/24 and 2001:db8::ffff/64

set interfaces bridge br100 enable-vlan

set interfaces bridge br100 member interface eth1 allowed-vlan 10
set interfaces bridge br100 member interface eth2 native-vlan 10
set interfaces bridge br100 vif 10 address 192.0.2.1/24
set interfaces bridge br100 vif 10 address 2001:db8::ffff/64
set interfaces bridge br100 stp

This results in the active configuration:

vyos@vyos# show interfaces bridge br100

enable-vlan
member {
interface eth1 {
allowed-vlan 10
}
interface eth2 {
native-vlan 10
}
}
stp
vif 10 {
address 192.0.2.1/24
address 2001:db8::ffff/64
}

8.3. Interfaces 239

 VyOS Documentation, 发布 1.4.x (sagitta)

Using the operation mode command to view Bridge Information

show bridge
The show bridge operational command can be used to display configured bridges:

vyos@vyos:~$ show bridge

bridge name bridge id STP enabled interfaces
br100 8000.0050569d11df yes eth1
eth2.10

show bridge <name> spanning-tree

Show bridge <name> STP configuration.

vyos@vyos:~$ show bridge br100 spanning-tree

br100
bridge id 8000.0050569d11df
designated root 8000.0050569d11df
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
forward delay 14.00 bridge forward delay 14.00
ageing time 300.00
hello timer 0.06 tcn timer 0.00
topology change timer 0.00 gc timer 242.02
flags

eth1 (1)
port id 8001 state disabled
designated root 8000.0050569d11df path cost 100
designated bridge 8000.0050569d11df message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags

eth2.10 (2)
port id 8002 state disabled
designated root 8000.0050569d11df path cost 100
designated bridge 8000.0050569d11df message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.00

8.3.3 Dummy

The dummy interface is really a little exotic, but rather useful nevertheless. Dummy interfaces are much like the Loopback
interface, except you can have as many as you want.

注解: Dummy interfaces can be used as interfaces that always stay up (in the same fashion to loopbacks in Cisco IOS),
or for testing purposes.

提示: A Dummy interface is always up, thus it could be used for management traffic or as source/destination for and
IGP (Interior Gateway Protocol) like BGP so your internal BGP link is not dependent on physical link states and multiple

8.3. Interfaces 240

 VyOS Documentation, 发布 1.4.x (sagitta)

routes can be chosen to the destination. A Dummy Interface should always be preferred over a Loopback interface.

Configuration

Common interface configuration

set interfaces dummy <interface> address <address>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:

set interfaces dummy dum0 address 192.0.2.1/24

set interfaces dummy dum0 address 2001:db8::1/64

set interfaces dummy <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces dummy dum0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces dummy <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces dummy dum0 disable

set interfaces dummy <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces dummy dum0 vrf red

Operation

show interfaces dummy

Show brief interface information.information

vyos@vyos:~$ show interfaces dummy

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
dum0 172.18.254.201/32 u/u

8.3. Interfaces 241

 VyOS Documentation, 发布 1.4.x (sagitta)

show interfaces dummy <interface>

Show detailed information on given <interface>

vyos@vyos:~$ show interfaces ethernet eth0

dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group␣
,→default qlen 1000

link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff

inet 172.18.254.201/32 scope global dum0
valid_lft forever preferred_lft forever
inet6 fe80::247c:8eff:febc:fcf5/64 scope link
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

0 0 0 0 0 0
TX: bytes packets errors dropped carrier collisions
1369707 4267 0 0 0 0

8.3.4 Ethernet

This will be the most widely used interface on a router carrying traffic to the real world.

Configuration

Common interface configuration

set interfaces ethernet <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces ethernet eth0 address 192.0.2.1/24

set interfaces ethernet eth0 address 2001:db8::1/64
set interfaces ethernet eth0 dhcp
set interfaces ethernet eth0 dhcpv6

set interfaces ethernet <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces ethernet eth0 description 'This is an awesome interface running␣

,→on VyOS'

set interfaces ethernet <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

8.3. Interfaces 242

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet eth0 disable

set interfaces ethernet <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces ethernet eth0 disable-flow-control

set interfaces ethernet <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces ethernet eth0 disable-link-detect

set interfaces ethernet <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces ethernet eth0 mac '00:01:02:03:04:05'

set interfaces ethernet <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces ethernet eth0 mtu 9000

set interfaces ethernet <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces ethernet eth0 ip arp-cache-timeout 180

set interfaces ethernet <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.

8.3. Interfaces 243

 VyOS Documentation, 发布 1.4.x (sagitta)

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:
set interfaces ethernet eth0 ip disable-arp-filter

set interfaces ethernet <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
set interfaces ethernet eth0 ip disable-forwarding

set interfaces ethernet <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.
set interfaces ethernet eth0 ip enable-arp-accept

set interfaces ethernet <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.
set interfaces ethernet eth0 ip enable-arp-announce

set interfaces ethernet <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.
set interfaces ethernet eth0 ip enable-arp-ignore

set interfaces ethernet <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

8.3. Interfaces 244

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet eth0 ip enable-proxy-arp

set interfaces ethernet <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces ethernet <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces ethernet <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces ethernet eth0 ipv6 address autoconf

set interfaces ethernet <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces ethernet eth0 ipv6 address eui64 2001:db8:beef::/64

8.3. Interfaces 245

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces ethernet eth0 ipv6 address no-default-link-local

set interfaces ethernet <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces ethernet eth0 ipv6 disable-forwarding

set interfaces ethernet <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces ethernet eth0 vrf red

DHCP(v6)
set interfaces ethernet <interface> dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces ethernet eth0 dhcp-options client-id 'foo-bar'

set interfaces ethernet <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces ethernet eth0 dhcp-options host-name 'VyOS'

set interfaces ethernet <interface> dhcp-options vendor-class-id <vendor-id>

The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces ethernet eth0 dhcp-options vendor-class-id 'VyOS'

set interfaces ethernet <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

8.3. Interfaces 246

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet eth0 dhcp-options no-default-route

set interfaces ethernet <interface> dhcp-options default-route-distance

<distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces ethernet eth0 dhcp-options default-route-distance 220

set interfaces ethernet <interface> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces ethernet eth0 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces ethernet <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces ethernet eth0 dhcpv6-options parameters-only

set interfaces ethernet <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces ethernet eth0 dhcpv6-options rapid-commit

set interfaces ethernet <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces ethernet eth0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces ethernet <interface> dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces ethernet eth0 dhcpv6-options pd 0 length 56

8.3. Interfaces 247

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> dhcpv6-options pd <id> interface

<delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces ethernet <interface> dhcpv6-options pd <id> interface

<delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth8 sla-id 1

Ethernet options

set interfaces ethernet <interface> duplex <auto | full | half>

Configure physical interface duplex setting.
• auto - interface duplex setting is auto-negotiated
• full - always use full-duplex
• half - always use half-duplex
VyOS default will be auto.
set interfaces ethernet <interface> speed <auto | 10 | 100 | 1000 | 2500 |
5000 | 10000 | 25000 | 40000 | 50000 | 100000>
Configure physical interface speed setting.
• auto - interface speed is auto-negotiated
• 10 - 10 MBit/s
• 100 - 100 MBit/s
• 1000 - 1 GBit/s
• 2500 - 2.5 GBit/s
• 5000 - 5 GBit/s
• 10000 - 10 GBit/s
• 25000 - 25 GBit/s
• 40000 - 40 GBit/s
• 50000 - 50 GBit/s

8.3. Interfaces 248

 VyOS Documentation, 发布 1.4.x (sagitta)

• 100000 - 100 GBit/s

VyOS default will be auto.
set interfaces ethernet <interface> mirror <interface>
Use this command to mirror the inbound traffic from one Ethernet interface to another interface. This feature
is typically used to provide a copy of traffic inbound on one interface to a system running a monitoring or IPS
application on another interface. The benefit of mirroring the traffic is that the application is isolated from the
source traffic and so application processing does not affect the traffic or the system performance.
Example:

set interfaces ethernet eth0 mirror eth1

Offloading

set interfaces ethernet <interface> offload <gro | gso | sg | tso | ufo | rps>
Enable different types of hardware offloading on the given NIC.
GSO (Generic Segmentation Offload) is a pure software offload that is meant to deal with cases where device
drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data
broken out over multiple skbuffs that have been resized to match the MSS provided via skb_shinfo()->gso_size.
Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise
it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted.
GRO (Generic receive offload) is the complement to GSO. Ideally any frame assembled by GRO should be seg-
mented to create an identical sequence of frames using GSO, and any sequence of frames segmented by GSO
should be able to be reassembled back to the original by GRO. The only exception to this is IPv4 ID in the case
that the DF bit is set for a given IP header. If the value of the IPv4 ID is not sequentially incrementing it will be
altered so that it is when a frame assembled via GRO is segmented via GSO.
RPS (Receive Packet Steering) is logically a software implementation of RSS (Receive Side Scaling). Being in
software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run
the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler.
This is accomplished by placing the packet on the desired CPU’s backlog queue and waking up the CPU for
processing. RPS has some advantages over RSS:
• it can be used with any NIC,
• software filters can easily be added to hash over new protocols,
• it does not increase hardware device interrupt rate (although it does introduce inter-processor interrupts
(IPIs)).
set interfaces ethernet <interface> xdp
Enable support for Linux XDP on recent 1.4 rolling releases. You must enable it for every interface which should
participate in the XDP forwarding.
XDP is an eBPF based high performance data path merged in the Linux kernel since version 4.8. The idea behind
XDP is to add an early hook in the RX path of the kernel, and let a user supplied eBPF program decide the fate
of the packet. The hook is placed in the NIC driver just after the interrupt processing, and before any memory
allocation needed by the network stack itself, because memory allocation can be an expensive operation.

警告: This is highly experimental!

8.3. Interfaces 249

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: Enabling this feature will break any form of NAT or Firewalling on this interface, as XDP is handled way
earlier in the driver then iptables/ nftables.

Enabling this feature will only load the XDP router code as described here:
https://blog.apnic.net/2020/04/30/how-to-build-an-xdp-based-bgp-peering-router/
Example:

set interfaces ethernet eth0 xdp

Authentication (EAPoL)

EAP (Extensible Authentication Protocol) over LAN (EAPoL) is a network port authentication protocol used in IEEE
802.1X (Port Based Network Access Control) developed to give a generic network sign-on to access network resources.
EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter.
set interfaces ethernet <interface> eapol ca-cert-file <file>
SSL CA (Certificate Authority) x509 PEM file used afor authentication of the remote side.

set interfaces ethernet eth0 eapol ca-cert-file /config/auth/ca.pem

set interfaces ethernet <interface> eapol cert-file <file>

SSL/x509 public certificate file provided by the client to authenticate against the 802.1x system.

set interfaces ethernet eth0 eapol cert-file /config/auth/public.pem

set interfaces ethernet <interface> eapol key-file <file>

SSL/x509 private certificate file provided by the client to authenticate against the 802.1x system.

set interfaces ethernet eth0 eapol key-file /config/auth/private.key

VLAN

Regular VLANs (802.1q)

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE
802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying
procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a
quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration
Protocol.
Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame
enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must
be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not
contain a VLAN tag is assumed to be flowing on the native VLAN.
The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be
actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging)
and much of the IEEE 802.1d standard.

8.3. Interfaces 250

 VyOS Documentation, 发布 1.4.x (sagitta)

802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.
set interfaces ethernet <interface> vif <vlan-id>
Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.
You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

注解: Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces ethernet <interface> vif <vlan-id> address <address | dhcp |

dhcpv6>
Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces ethernet eth0 vif 10 address 192.0.2.1/24

set interfaces ethernet eth0 vif 10 address 2001:db8::1/64
set interfaces ethernet eth0 vif 10 dhcp
set interfaces ethernet eth0 vif 10 dhcpv6

set interfaces ethernet <interface> vif <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces ethernet eth0 vif 10 description 'This is an awesome interface␣

,→running on VyOS'

set interfaces ethernet <interface> vif <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces ethernet eth0 vif 10 disable

set interfaces ethernet <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces ethernet eth0 vif 10 disable-link-detect

set interfaces ethernet <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

8.3. Interfaces 251

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet eth0 vif 10 mac '00:01:02:03:04:05'

set interfaces ethernet <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces ethernet eth0 vif 10 mtu 9000

set interfaces ethernet <interface> vif <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces ethernet eth0 vif 10 ip arp-cache-timeout 180

set interfaces ethernet <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces ethernet eth0 vif 10 ip disable-arp-filter

set interfaces ethernet <interface> vif <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces ethernet eth0 vif 10 ip disable-forwarding

set interfaces ethernet <interface> vif <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces ethernet eth0 vif 10 ip enable-arp-accept

set interfaces ethernet <interface> vif <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.

8.3. Interfaces 252

 VyOS Documentation, 发布 1.4.x (sagitta)

Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces ethernet eth0 vif 10 ip enable-arp-announce

set interfaces ethernet <interface> vif <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces ethernet eth0 vif 10 ip enable-arp-ignore

set interfaces ethernet <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces ethernet eth0 vif 10 ip enable-proxy-arp

set interfaces ethernet <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces ethernet <interface> vif <vlan-id> ip source-validation <strict
| loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.

8.3. Interfaces 253

 VyOS Documentation, 发布 1.4.x (sagitta)

• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces ethernet <interface> vif <vlan-id> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces ethernet eth0 vif 10 ipv6 address autoconf

set interfaces ethernet <interface> vif <vlan-id> ipv6 address eui64 <prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces ethernet eth0 vif 10 ipv6 address eui64 2001:db8:beef::/64

set interfaces ethernet <interface> vif <vlan-id> ipv6 address

no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces ethernet eth0 vif 10 ipv6 address no-default-link-local

set interfaces ethernet <interface> vif <vlan-id> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces ethernet eth0 vif 10 ipv6 disable-forwarding

set interfaces ethernet <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces ethernet eth0 vif 10 vrf red

DHCP(v6)

8.3. Interfaces 254

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> vif <vlan-id> dhcp-options client-id

<description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces ethernet eth0 vif 10 dhcp-options client-id 'foo-bar'

set interfaces ethernet <interface> vif <vlan-id> dhcp-options host-name

<hostname>
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces ethernet eth0 vif 10 dhcp-options host-name 'VyOS'

set interfaces ethernet <interface> vif <vlan-id> dhcp-options vendor-class-id

<vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces ethernet eth0 vif 10 dhcp-options vendor-class-id 'VyOS'

set interfaces ethernet <interface> vif <vlan-id> dhcp-options

no-default-route
Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces ethernet eth0 vif 10 dhcp-options no-default-route

set interfaces ethernet <interface> vif <vlan-id> dhcp-options

default-route-distance <distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces ethernet eth0 vif 10 dhcp-options default-route-distance 220

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces ethernet eth0 vif 10 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options

parameters-only

8.3. Interfaces 255

 VyOS Documentation, 发布 1.4.x (sagitta)

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces ethernet eth0 vif 10 dhcpv6-options parameters-only

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces ethernet eth0 vif 10 dhcpv6-options rapid-commit

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces ethernet eth0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options pd <id>
length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 length 56

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options pd <id>

interface <delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 interface eth8 address␣

,→65534

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options pd <id>

interface <delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

8.3. Interfaces 256

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1

QinQ (802.1ad)

IEEE 802.1ad was an Ethernet networking standard informally known as QinQ as an amendment to IEEE standard 802.1q
VLAN interfaces as described above. 802.1ad was incorporated into the base 802.1q standard in 2011. The technique
is also known as provider bridging, Stacked VLANs, or simply QinQ or Q-in-Q. “Q-in-Q”can for supported devices
apply to C-tag stacking on C-tag (Ethernet Type = 0x8100).
The original 802.1q specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Eth-
ernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing
Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet
protocols.
In a multiple VLAN header context, out of convenience the term “VLAN tag”or just “tag”for short is often used in
place of“802.1q VLAN header”. QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute
a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1q headers
(double-tagged).
In VyOS the terms vif-s and vif-c stand for the ethertype tags that are used.
The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag,
with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag
with Ethernet Type = 0x88a8).
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> address
<address | dhcp | dhcpv6>
Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 address 192.0.2.1/24

set interfaces ethernet eth0 vif-s 1000 vif-c 20 address 2001:db8::1/64
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

description <description>
Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 description 'This is an awesome␣
,→interface running on VyOS'

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

8.3. Interfaces 257

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet eth0 vif-s 1000 vif-c 20 disable

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

disable-link-detect
Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 disable-link-detect

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> mac

<xx:xx:xx:xx:xx:xx>
Configure user defined MAC address on given <interface>.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 mac '00:01:02:03:04:05'

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> mtu <mtu>
Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 mtu 9000

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

arp-cache-timeout
Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip arp-cache-timeout 180

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

disable-arp-filter
If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip disable-arp-filter

8.3. Interfaces 258

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

disable-forwarding
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip disable-forwarding

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-arp-accept
Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-accept

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-arp-announce
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-announce

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-arp-ignore
Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-ignore

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-proxy-arp
Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-proxy-arp

8.3. Interfaces 259

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip

proxy-arp-pvlan
Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip
source-validation <strict | loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6
address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address autoconf

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6

address eui64 <prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address eui64␣
,→2001:db8:beef::/64

8.3. Interfaces 260

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6

address no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address no-default-link-
,→local

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6

disable-forwarding
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 disable-forwarding

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> vrf <vrf>
Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 vrf red

DHCP(v6)
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>
dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options client-id 'foo-bar'

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options host-name <hostname>
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options host-name 'VyOS'

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options vendor-class-id <vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options vendor-class-id

,→'VyOS'

8.3. Interfaces 261

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options no-default-route
Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options no-default-route

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options default-route-distance <distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options default-route-

,→distance 220

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options duid <duid>
The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options parameters-only
This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options parameters-only

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options rapid-commit
When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options rapid-commit

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options temporary
Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.

8.3. Interfaces 262

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 length 56

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options pd <id> interface <delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface␣

,→eth8 address 65534

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options pd <id> interface <delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface␣

,→eth8 sla-id 1

Port Mirror (SPAN)

SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface
can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic
collector, and can copy all related traffic from this port
VyOS uses the mirror option to configure port mirroring. The configuration is divided into 2 different directions. Desti-
nation ports should be configured for different traffic directions.
set interfaces ethernet <interface> mirror ingress <monitor-interface>
Configure port mirroring for interface inbound traffic and copy the traffic to monitor-interface
Example: Mirror the inbound traffic of eth1 port to eth3

set interfaces ethernet eth1 mirror ingress eth3

set interfaces ethernet <interface> mirror egress <monitor-interface>

8.3. Interfaces 263

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure port mirroring for interface outbound traffic and copy the traffic to monitor-interface
Example: Mirror the outbound traffic of eth1 port to eth3
set interfaces ethernet eth1 mirror egress eth3

Operation

show interfaces ethernet

Show brief interface information.
vyos@vyos:~$ show interfaces ethernet
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.18.201.10/24 u/u LAN
eth1 172.18.202.11/24 u/u WAN
eth2 - u/D

show interfaces ethernet <interface>

Show detailed information on given <interface>
vyos@vyos:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group␣
,→default qlen 1000

link/ether 00:50:44:00:f5:c9 brd ff:ff:ff:ff:ff:ff

inet6 fe80::250:44ff:fe00:f5c9/64 scope link
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

56735451 179841 0 0 0 142380
TX: bytes packets errors dropped carrier collisions
5601460 62595 0 0 0 0

show interfaces ethernet <interface> physical

Show information about physical <interface>
vyos@vyos:~$ show interfaces ethernet eth0 physical
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 1000baseT/Full
10000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: No
Supported FEC modes: Not reported
Advertised link modes: Not reported
Advertised pause frame use: No
Advertised auto-negotiation: No
Advertised FEC modes: Not reported
Speed: 10000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: off
(下页继续)

8.3. Interfaces 264

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
MDI-X: Unknown
Supports Wake-on: uag
Wake-on: d
Link detected: yes
driver: vmxnet3
version: 1.4.16.0-k-NAPI
firmware-version:
expansion-rom-version:
bus-info: 0000:0b:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no

show interfaces ethernet <interface> physical offload

Show available offloading functions on given <interface>

vyos@vyos:~$ show interfaces ethernet eth0 physical offload

rx-checksumming on
tx-checksumming on
tx-checksum-ip-generic on
scatter-gather off
tx-scatter-gather off
tcp-segmentation-offload off
tx-tcp-segmentation off
tx-tcp-mangleid-segmentation off
tx-tcp6-segmentation off
udp-fragmentation-offload off
generic-segmentation-offload off
generic-receive-offload off
large-receive-offload off
rx-vlan-offload on
tx-vlan-offload on
ntuple-filters off
receive-hashing on
tx-gre-segmentation on
tx-gre-csum-segmentation on
tx-udp_tnl-segmentation on
tx-udp_tnl-csum-segmentation on
tx-gso-partial on
tx-nocache-copy off
rx-all off

show interfaces ethernet <interface> transceiver

Show transceiver information from plugin modules, e.g SFP+, QSFP

vyos@vyos:~$ show interfaces ethernet eth5 transceiver

Identifier : 0x03 (SFP)
Extended identifier : 0x04 (GBIC/SFP defined by 2-wire interface ID)
Connector : 0x07 (LC)
Transceiver codes : 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00
Transceiver type : Ethernet: 1000BASE-SX
Encoding : 0x01 (8B/10B)
BR, Nominal : 1300MBd
(下页继续)

8.3. Interfaces 265

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Rate identifier : 0x00 (unspecified)
Length (SMF,km) : 0km
Length (SMF) : 0m
Length (50um) : 550m
Length (62.5um) : 270m
Length (Copper) : 0m
Length (OM3) : 0m
Laser wavelength : 850nm
Vendor name : CISCO-FINISAR
Vendor OUI : 00:90:65
Vendor PN : FTRJ-8519-7D-CS4
Vendor rev : A
Option values : 0x00 0x1a
Option : RX_LOS implemented
Option : TX_FAULT implemented
Option : TX_DISABLE implemented
BR margin, max : 0%
BR margin, min : 0%
Vendor SN : FNS092xxxxx
Date code : 0506xx

show interfaces ethernet <interface> xdp

Display XDP forwarding statistics

vyos@vyos:~$ show interfaces ethernet eth1 xdp

Collecting stats from BPF map

- BPF map (bpf_map_type:6) id:176 name:xdp_stats_map key_size:4 value_size:16␣
,→max_entries:5

XDP-action
XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/
,→s) period:0.250340

XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:0.250317

XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:0.250314

XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:0.250313

XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:0.250313

XDP-action
XDP_ABORTED 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/
,→s) period:2.000410

XDP_DROP 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:2.000414

XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:2.000414

XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:2.000414

XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/

,→s) period:2.000414

8.3. Interfaces 266

 VyOS Documentation, 发布 1.4.x (sagitta)

8.3.5 GENEVE

GENEVE (Generic Network Virtualization Encapsulation) supports all of the capabilities of VXLAN (Virtual Extensible
LAN), NVGRE (Network Virtualization using Generic Routing Encapsulation), and STT (Stateless Transport Tunneling)
and was designed to overcome their perceived limitations. Many believe GENEVE could eventually replace these earlier
formats entirely.
GENEVE is designed to support network virtualization use cases, where tunnels are typically established to act as a
backplane between the virtual switches residing in hypervisors, physical switches, or middleboxes or other appliances.
An arbitrary IP network can be used as an underlay although Clos networks - A technique for composing network fabrics
larger than a single switch while maintaining non-blocking bandwidth across connection points. ECMP is used to divide
traffic across the multiple links and switches that constitute the fabric. Sometimes termed“leaf and spine”or“fat tree”
topologies.
Geneve Header:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Ver| Opt Len |O|C| Rsvd. | Protocol Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Virtual Network Identifier (VNI) | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Variable Length Options |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Configuration

Common interface configuration

set interfaces geneve <interface> address <address>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:

set interfaces geneve gnv0 address 192.0.2.1/24

set interfaces geneve gnv0 address 2001:db8::1/64

set interfaces geneve <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces geneve gnv0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces geneve <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces geneve gnv0 disable

set interfaces geneve <interface> disable-flow-control

8.3. Interfaces 267

 VyOS Documentation, 发布 1.4.x (sagitta)

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces geneve gnv0 disable-flow-control

set interfaces geneve <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces geneve gnv0 disable-link-detect

set interfaces geneve <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces geneve gnv0 mac '00:01:02:03:04:05'

set interfaces geneve <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces geneve gnv0 mtu 9000

set interfaces geneve <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces geneve gnv0 ip arp-cache-timeout 180

set interfaces geneve <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).

8.3. Interfaces 268

 VyOS Documentation, 发布 1.4.x (sagitta)

In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces geneve gnv0 ip disable-arp-filter

set interfaces geneve <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces geneve gnv0 ip disable-forwarding

set interfaces geneve <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces geneve gnv0 ip enable-arp-accept

set interfaces geneve <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces geneve gnv0 ip enable-arp-announce

set interfaces geneve <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces geneve gnv0 ip enable-arp-ignore

set interfaces geneve <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces geneve gnv0 ip enable-proxy-arp

8.3. Interfaces 269

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces geneve <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces geneve <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces geneve <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces geneve gnv0 ipv6 address autoconf

set interfaces geneve <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces geneve gnv0 ipv6 address eui64 2001:db8:beef::/64

set interfaces geneve <interface> ipv6 address no-default-link-local

8.3. Interfaces 270

 VyOS Documentation, 发布 1.4.x (sagitta)

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces geneve gnv0 ipv6 address no-default-link-local

set interfaces geneve <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces geneve gnv0 ipv6 disable-forwarding

set interfaces geneve <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces geneve gnv0 vrf red

GENEVE options

set interfaces geneve gnv0 remote <address>

Configure GENEVE tunnel far end/remote tunnel endpoint.
set interfaces geneve gnv0 vni <vni>
VNI (Virtual Network Identifier) is an identifier for a unique element of a virtual network. In many situations
this may represent an L2 segment, however, the control plane defines the forwarding semantics of decapsulated
packets. The VNI MAY be used as part of ECMP forwarding decisions or MAY be used as a mechanism to
distinguish between overlapping address spaces contained in the encapsulated packet when load balancing across
CPUs.

8.3.6 L2TPv3

Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to
MPLS for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides
a pseudo-wire service, but scaled to fit carrier requirements.
L2TPv3 can be regarded as being to MPLS what IP is to ATM: a simplified version of the same concept, with much of
the same benefit achieved at a fraction of the effort, at the cost of losing some technical features considered less important
in the market.
In the case of L2TPv3, the features lost are teletraffic engineering features considered important in MPLS. However,
there is no reason these features could not be re-engineered in or on top of L2TPv3 in later products.
The protocol overhead of L2TPv3 is also significantly bigger than MPLS.
L2TPv3 is described in RFC 3921.

8.3. Interfaces 271

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

Common interface configuration

set interfaces l2tpv3 <interface> address <address>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:

set interfaces l2tpv3 l2tpeth0 address 192.0.2.1/24

set interfaces l2tpv3 l2tpeth0 address 2001:db8::1/64

set interfaces l2tpv3 <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces l2tpv3 l2tpeth0 description 'This is an awesome interface running␣

,→on VyOS'

set interfaces l2tpv3 <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces l2tpv3 l2tpeth0 disable

set interfaces l2tpv3 <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces l2tpv3 l2tpeth0 disable-flow-control

set interfaces l2tpv3 <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces l2tpv3 l2tpeth0 disable-link-detect

set interfaces l2tpv3 <interface> mac <xx:xx:xx:xx:xx:xx>

8.3. Interfaces 272

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure user defined MAC address on given <interface>.

Example:

set interfaces l2tpv3 l2tpeth0 mac '00:01:02:03:04:05'

set interfaces l2tpv3 <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces l2tpv3 l2tpeth0 mtu 9000

set interfaces l2tpv3 <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces l2tpv3 l2tpeth0 ip arp-cache-timeout 180

set interfaces l2tpv3 <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces l2tpv3 l2tpeth0 ip disable-arp-filter

set interfaces l2tpv3 <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces l2tpv3 l2tpeth0 ip disable-forwarding

set interfaces l2tpv3 <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces l2tpv3 l2tpeth0 ip enable-arp-accept

set interfaces l2tpv3 <interface> ip enable-arp-announce

8.3. Interfaces 273

 VyOS Documentation, 发布 1.4.x (sagitta)

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces l2tpv3 l2tpeth0 ip enable-arp-announce

set interfaces l2tpv3 <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces l2tpv3 l2tpeth0 ip enable-arp-ignore

set interfaces l2tpv3 <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces l2tpv3 l2tpeth0 ip enable-proxy-arp

set interfaces l2tpv3 <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces l2tpv3 <interface> ip source-validation <strict | loose |
disable>

8.3. Interfaces 274

 VyOS Documentation, 发布 1.4.x (sagitta)

Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces l2tpv3 <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces l2tpv3 l2tpeth0 ipv6 address autoconf

set interfaces l2tpv3 <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces l2tpv3 l2tpeth0 ipv6 address eui64 2001:db8:beef::/64

set interfaces l2tpv3 <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces l2tpv3 l2tpeth0 ipv6 address no-default-link-local

set interfaces l2tpv3 <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces l2tpv3 l2tpeth0 ipv6 disable-forwarding

set interfaces l2tpv3 <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces l2tpv3 l2tpeth0 vrf red

8.3. Interfaces 275

 VyOS Documentation, 发布 1.4.x (sagitta)

L2TPv3 options

set interfaces l2tpv3 <interface> encapsulation <udp | ip>

Set the encapsulation type of the tunnel. Valid values for encapsulation are: udp, ip.
This defaults to UDP
set interfaces l2tpv3 <interface> local-ip <address>
set the IP address of the local interface to be used for the tunnel.
This address must be the address of a local interface. May be specified as an IPv4 address or an IPv6 address.
set interfaces l2tpv3 <interface> remote-ip <address>
Set the IP address of the remote peer. May be specified as an IPv4 address or an IPv6 address.
set interfaces l2tpv3 <interface> session-id <id>
Set the session id, which is a 32-bit integer value. Uniquely identifies the session being created. The value used
must match the peer_session_id value being used at the peer.
set interfaces l2tpv3 <interface> peer-session-id <id>
Set the peer session id, which is a 32-bit integer value assigned to the session by the peer. The value used must
match the session_id value being used at the peer.
set interfaces l2tpv3 <interface> tunnel-id <id>
Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be
created.
set interfaces l2tpv3 <interface> peer-tunnel-id <id>
Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be
created.

Example

Over IP

# show interfaces l2tpv3

l2tpv3 l2tpeth10 {
address 192.168.37.1/27
encapsulation ip
local-ip 192.0.2.1
peer-session-id 100
peer-tunnel-id 200
remote-ip 203.0.113.24
session-id 100
tunnel-id 200
}

Inverse configuration has to be applied to the remote side.

8.3. Interfaces 276

 VyOS Documentation, 发布 1.4.x (sagitta)

Over UDP

UDP mode works better with NAT:

• Set local-ip to your local IP (LAN).
• Add a forwarding rule matching UDP port on your internet router.

# show interfaces l2tpv3

l2tpv3 l2tpeth10 {
address 192.168.37.1/27
destination-port 9001
encapsulation udp
local-ip 192.0.2.1
peer-session-id 100
peer-tunnel-id 200
remote-ip 203.0.113.24
session-id 100
source-port 9000
tunnel-id 200
}

To create more than one tunnel, use distinct UDP ports.

Over IPSec, L2 VPN (bridge)

This is the LAN extension use case. The eth0 port of the distant VPN peers will be directly connected like if there was
a switch between them.
IPSec:

set vpn ipsec ipsec-interfaces <VPN-interface>

set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-
,→shared-key>

set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'

set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'

Bridge:

8.3. Interfaces 277

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces bridge br0 description 'L2 VPN Bridge'

# remote side in this example:
# set interfaces bridge br0 address '172.16.30.18/30'
set interfaces bridge br0 address '172.16.30.17/30'
set interfaces bridge br0 member interface eth0
set interfaces ethernet eth0 description 'L2 VPN Physical port'

L2TPv3:

set interfaces bridge br0 member interface 'l2tpeth0'

set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
set interfaces l2tpv3 l2tpeth0 destination-port '5000'
set interfaces l2tpv3 l2tpeth0 encapsulation 'ip'
set interfaces l2tpv3 l2tpeth0 local-ip <local-ip>
set interfaces l2tpv3 l2tpeth0 mtu '1500'
set interfaces l2tpv3 l2tpeth0 peer-session-id '110'
set interfaces l2tpv3 l2tpeth0 peer-tunnel-id '10'
set interfaces l2tpv3 l2tpeth0 remote-ip <peer-ip>
set interfaces l2tpv3 l2tpeth0 session-id '110'
set interfaces l2tpv3 l2tpeth0 source-port '5000'
set interfaces l2tpv3 l2tpeth0 tunnel-id '10'

8.3.7 Loopback

The loopback networking interface is a virtual network device implemented entirely in software. All traffic sent to it
“loops back”and just targets services on your local machine.

注解: There can only be one loopback lo interface on the system. If you need multiple interfaces, please use the Dummy
interface type.

提示: A lookback interface is always up, thus it could be used for management traffic or as source/destination for and
IGP like BGP so your internal BGP link is not dependent on physical link states and multiple routes can be chosen to the
destination. A Dummy Interface should always be preferred over a Loopback interface.

Configuration

Common interface configuration

set interfaces loopback <interface> address <address>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:

set interfaces loopback lo address 192.0.2.1/24

set interfaces loopback lo address 2001:db8::1/64

set interfaces loopback <interface> description <description>

8.3. Interfaces 278

 VyOS Documentation, 发布 1.4.x (sagitta)

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces loopback lo description 'This is an awesome interface running on␣

,→VyOS'

Operation

show interfaces loopback

Show brief interface information.

vyos@vyos:~$ show interfaces loopback

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
lo 127.0.0.1/8 u/u
::1/128

show interfaces loopback lo

Show detailed information on given loopback interface lo.

vyos@vyos:~$ show interfaces ethernet eth0

lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default␣
,→qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

300 6 0 0 0 0
TX: bytes packets errors dropped carrier collisions
300 6 0 0 0 0

8.3.8 MACsec

MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It defines a way to establish a
protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-
AES-128. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it’s designed to secure
traffic within a layer 2 network, including DHCP or ARP requests. It does not compete with other security solutions such
as IPsec (layer 3) or TLS (layer 4), as all those solutions are used for their own specific use cases.

8.3. Interfaces 279

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

Common interface configuration

set interfaces macsec <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:
set interfaces macsec macsec0 address 192.0.2.1/24
set interfaces macsec macsec0 address 2001:db8::1/64
set interfaces macsec macsec0 dhcp
set interfaces macsec macsec0 dhcpv6

set interfaces macsec <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:
set interfaces macsec macsec0 description 'This is an awesome interface running␣
,→on VyOS'

set interfaces macsec <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:
set interfaces macsec macsec0 disable

set interfaces macsec <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:
set interfaces macsec macsec0 disable-flow-control

set interfaces macsec <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

8.3. Interfaces 280

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces macsec macsec0 disable-link-detect

set interfaces macsec <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces macsec macsec0 mac '00:01:02:03:04:05'

set interfaces macsec <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces macsec macsec0 mtu 9000

set interfaces macsec <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces macsec macsec0 ip arp-cache-timeout 180

set interfaces macsec <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces macsec macsec0 ip disable-arp-filter

set interfaces macsec <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces macsec macsec0 ip disable-forwarding

set interfaces macsec <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

8.3. Interfaces 281

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces macsec macsec0 ip enable-arp-accept

set interfaces macsec <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces macsec macsec0 ip enable-arp-announce

set interfaces macsec <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces macsec macsec0 ip enable-arp-ignore

set interfaces macsec <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces macsec macsec0 ip enable-proxy-arp

set interfaces macsec <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)

8.3. Interfaces 282

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces macsec <interface> ip source-validation <strict | loose |

disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces macsec <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces macsec macsec0 ipv6 address autoconf

set interfaces macsec <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces macsec macsec0 ipv6 address eui64 2001:db8:beef::/64

set interfaces macsec <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces macsec macsec0 ipv6 address no-default-link-local

set interfaces macsec <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces macsec macsec0 ipv6 disable-forwarding

set interfaces macsec <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

8.3. Interfaces 283

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces macsec macsec0 vrf red

DHCP(v6)
set interfaces macsec <interface> dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces macsec macsec0 dhcp-options client-id 'foo-bar'

set interfaces macsec <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces macsec macsec0 dhcp-options host-name 'VyOS'

set interfaces macsec <interface> dhcp-options vendor-class-id <vendor-id>

The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces macsec macsec0 dhcp-options vendor-class-id 'VyOS'

set interfaces macsec <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces macsec macsec0 dhcp-options no-default-route

set interfaces macsec <interface> dhcp-options default-route-distance

<distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces macsec macsec0 dhcp-options default-route-distance 220

set interfaces macsec <interface> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces macsec macsec0 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces macsec <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

8.3. Interfaces 284

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces macsec macsec0 dhcpv6-options parameters-only

set interfaces macsec <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces macsec macsec0 dhcpv6-options rapid-commit

set interfaces macsec <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces macsec macsec0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces macsec <interface> dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces macsec macsec0 dhcpv6-options pd 0 length 56

set interfaces macsec <interface> dhcpv6-options pd <id> interface <delegatee>

address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces macsec macsec0 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces macsec <interface> dhcpv6-options pd <id> interface <delegatee>

sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces macsec macsec0 dhcpv6-options pd 0 interface eth8 sla-id 1

8.3. Interfaces 285

 VyOS Documentation, 发布 1.4.x (sagitta)

MACsec options

set interfaces macsec <interface> security cipher <gcm-aes-128|gcm-aes-256>

Select cipher suite used for cryptographic operations. This setting is mandatory.
set interfaces macsec <interface> security encrypt
MACsec only provides authentication by default, encryption is optional. This command will enable encryption for
all outgoing packets.
set interfaces macsec <interface> source-interface <physical-source>
A physical interface is required to connect this MACsec instance to. Traffic leaving this interfac will now be
authenticated/encrypted.

Key Management

MKA (MACsec Key Agreement protocol) is used to synchronize keys between individual peers.
set interfaces macsec <interface> security mka cak <key>
IEEE 802.1X/MACsec pre-shared key mode. This allows to configure MACsec with a pre-shared key using a
(CAK,CKN) pair.
set interfaces macsec <interface> security mka ckn <key>
CAK Name
set interfaces macsec <interface> security mka priority <priority>
The peer with lower priority will become the key server and start distributing SAKs.

Replay protection

set interfaces macsec <interface> security replay-window <window>

IEEE 802.1X/MACsec replay protection window. This determines a window in which replay is tolerated, to allow
receipt of frames that have been misordered by the network.
• 0: No replay window, strict check
• 1-4294967295: Number of packets that could be misordered

Operation

run generate macsec mka-cak

Generate MKA CAK key

vyos@vyos:~$ generate macsec mka-cak

20693b6e08bfa482703a563898c9e3ad

run generate macsec mka-ckn

Generate MKA CAK key

vyos@vyos:~$ generate macsec mka-ckn

88737efef314ee319b2cbf30210a5f164957d884672c143aefdc0f5f6bc49eb2

8.3. Interfaces 286

 VyOS Documentation, 发布 1.4.x (sagitta)

show interfaces macsec

List all MACsec interfaces

vyos@vyos:~$ show interfaces macsec

17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_
,→station off scb off replay off

cipher suite: GCM-AES-128, using ICV length 16

TXSC: 005056bfefaa0001 on SA 0
20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on␣
,→end_station off scb off replay off

cipher suite: GCM-AES-128, using ICV length 16

TXSC: 005056bfefaa0001 on SA 0

show interfaces macsec <interface>

Show specific MACsec interface information

vyos@vyos:~$ show interfaces macsec macsec1

17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_
,→station off scb off replay off

cipher suite: GCM-AES-128, using ICV length 16

TXSC: 005056bfefaa0001 on SA 0

Examples

• Two routers connected both via eth1 through an untrusted switch

• R1 has 192.0.2.1/24 & 2001:db8::1/64
• R2 has 192.0.2.2/24 & 2001:db8::2/64
R1

set interfaces macsec macsec1 address '192.0.2.1/24'

set interfaces macsec macsec1 address '2001:db8::1/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec1 security mka ckn
,→'40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'

set interfaces macsec macsec1 source-interface 'eth1'

R2

set interfaces macsec macsec1 address '192.0.2.2/24'

set interfaces macsec macsec1 address '2001:db8::2/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec1 security mka ckn
,→'40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'

set interfaces macsec macsec1 source-interface 'eth1'

Pinging (IPv6) the other host and intercepting the traffic in eth1 will show you the content is encrypted.

8.3. Interfaces 287

 VyOS Documentation, 发布 1.4.x (sagitta)

17:35:44.586668 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5),␣

,→length 150:

0x0000: 2c00 0000 000a 0050 56bf efaa 0001 d9fb ,......PV.......
0x0010: 920a 8b8d 68ed 9609 29dd e767 25a4 4466 ....h...)..g%.Df
0x0020: 5293 487b 9990 8517 3b15 22c7 ea5c ac83 R.H{....;."..\..
0x0030: 4c6e 13cf 0743 f917 2c4e 694e 87d1 0f09 Ln...C..,NiN....
0x0040: 0f77 5d53 ed75 cfe1 54df 0e5a c766 93cb .w]S.u..T..Z.f..
0x0050: c4f2 6e23 f200 6dfe 3216 c858 dcaa a73b ..n#..m.2..X...;
0x0060: 4dd1 9358 d9e4 ed0e 072f 1acc 31c4 f669 M..X...../..1..i
0x0070: e93a 9f38 8a62 17c6 2857 6ac5 ec11 8b0e .:.8.b..(Wj.....
0x0080: 6b30 92a5 7ccc 720b k0..|.r.

Disabling the encryption on the link by removing security encrypt will show the unencrypted but authenticated
content.

17:37:00.746155 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5),␣

,→length 150:

0x0000: 2000 0000 0009 0050 56bf efaa 0001 86dd .......PV.......
0x0010: 6009 86f3 0040 3a40 2001 0db8 0000 0000 `....@:@........
0x0020: 0000 0000 0000 0001 2001 0db8 0000 0000 ................
0x0030: 0000 0000 0000 0002 8100 d977 0f30 0003 ...........w.0..
0x0040: 1ca0 c65e 0000 0000 8d93 0b00 0000 0000 ...^............
0x0050: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
0x0060: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./
0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+
0x0080: a282 c842 5254 ef28 ...BRT.(

8.3.9 OpenVPN

Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insuf-
ficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN
has been widely used on UNIX platform for a long time and is a popular option for remote access VPN, though it’s also
capable of site-to-site connections.
Advantages of OpenVPN are:
• It uses a single TCP or UDP connection and does not rely on packet source addresses, so it will work even through
a double NAT: perfect for public hotspots and such
• It’s easy to setup and offers very flexible split tunneling
• There’s a variety of client GUI frontends for any platform
Disadvantages are:
• It’s slower than IPsec due to higher protocol overhead and the fact it runs in user mode while IPsec, on Linux, is
in kernel mode
• None of the operating systems have client software installed by default
In the VyOS CLI, a key point often overlooked is that rather than being configured using the set vpn stanza, OpenVPN is
configured as a network interface using set interfaces openvpn.

8.3. Interfaces 288

 VyOS Documentation, 发布 1.4.x (sagitta)

Site-To-Site

While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due
to lack of support for this mode in many router platforms.
Site-to-site mode supports x.509 but doesn’t require it and can also work with static keys, which is simpler in many
cases. In this example, we’ll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
First, one of the systems generate the key using the operational command generate openvpn key <filename>.
This will generate a key with the name provided in the /config/auth/ directory. Once generated, you will need to
copy this key to the remote router.
In our example, we used the filename openvpn-1.key which we will reference in our configuration.
• The public IP address of the local side of the VPN will be 198.51.100.10
• The remote will be 203.0.113.11
• The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
• OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for
lossy connections; generally UDP is preferred when possible.
• The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN.
• The persistent-tunnel directive will allow us to configure tunnel-related attributes, such as firewall policy
as we would on any normal network interface.
• If known, the IP of the remote router can be configured using the remote-host directive; if unknown, it can be
omitted. We will assume a dynamic IP for our remote router.
Local Configuration:

set interfaces openvpn vtun1 mode site-to-site

set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 local-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'

Remote Configuration:

set interfaces openvpn vtun1 mode site-to-site

set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'

The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides supports NCP)
and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are
encryption algorithms:
For Encryption:
This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0.

8.3. Interfaces 289

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos# set interfaces openvpn vtun1 encryption cipher

Possible completions:
des DES algorithm
3des DES algorithm with triple encryption
bf128 Blowfish algorithm with 128-bit key
bf256 Blowfish algorithm with 256-bit key
aes128 AES algorithm with 128-bit key CBC
aes128gcm AES algorithm with 128-bit key GCM
aes192 AES algorithm with 192-bit key CBC
aes192gcm AES algorithm with 192-bit key GCM
aes256 AES algorithm with 256-bit key CBC
aes256gcm AES algorithm with 256-bit key GCM

This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is default). Default NCP cipher
for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients.

vyos@vyos# set int open vtun0 encryption ncp-ciphers

Possible completions:
des DES algorithm
3des DES algorithm with triple encryption
aes128 AES algorithm with 128-bit key CBC
aes128gcm AES algorithm with 128-bit key GCM
aes192 AES algorithm with 192-bit key CBC
aes192gcm AES algorithm with 192-bit key GCM
aes256 AES algorithm with 256-bit key CBC
aes256gcm AES algorithm with 256-bit key GCM

For Hashing:

vyos@vyos# set interfaces openvpn vtun1 hash

Possible completions:
md5 MD5 algorithm
sha1 SHA-1 algorithm
sha256 SHA-256 algorithm
sha512 SHA-512 algorithm

If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching con-
figurations, otherwise the tunnel will not come up.
Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of
10.0.0.0/16, while the remote has a network of 10.1.0.0/16:
Local Configuration:

set protocols static route 10.1.0.0/16 interface vtun1

Remote Configuration:

set protocols static route 10.0.0.0/16 interface vtun1

Firewall policy can also be applied to the tunnel interface for local, in, and out directions and function identically to
ethernet interfaces.
If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the
pre-shared-key. This is either by referencing IP address or port number. One option is to dedicate a public IP to each
tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197…).
OpenVPN status can be verified using the show openvpn operational commands. See the built-in help for a complete list
of options.

8.3. Interfaces 290

 VyOS Documentation, 发布 1.4.x (sagitta)

Server

Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore
requires a PKI setup. Refer this section Generate X.509 Certificate and Keys to generate a CA certificate, a server
certificate and key, a certificate revocation list, a Diffie-Hellman key exchange parameters file. You do not need client
certificates and keys for the server setup.
In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think
HQ and branch offices), since simpler setups are subsets of it.
Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20.
All clients need access to the 192.168.0.0/16 network.
First we need to specify the basic settings. 1194/UDP is the default. The persistent-tunnel option is recom-
mended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads.

注解: Using openvpn-option -reneg-sec can be tricky. This option is used to renegotiate data channel after n seconds.
When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the
connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur.

set interfaces openvpn vtun10 mode server

set interfaces openvpn vtun10 local-port 1194
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol udp

Then we need to specify the location of the cryptographic materials. Suppose you keep the files in /config/auth/openvpn

set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt

set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
set interfaces openvpn vtun10 tls key-file /config/auth/openvpn/server.key
set interfaces openvpn vtun10 tls crl-file /config/auth/openvpn/crl.pem
set interfaces openvpn vtun10 tls dh-file /config/auth/openvpn/dh2048.pem

Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints.
Since we want clients to access a specific network behind out router, we will use a push-route option for installing that
route on clients.

set interfaces openvpn vtun10 server push-route 192.168.0.0/16

set interfaces openvpn vtun10 server subnet 10.23.1.0/24

Since it’s a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to
specific subnets through them. We need configuration for each client to achieve this.

注解: Clients are identified by the CN field of their x.509 certificates, in this example the CN is client0:

set interfaces openvpn vtun10 server client client0 ip 10.23.1.10

set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25

OpenVPN will not automatically create routes in the kernel for client subnets when they connect and will only use client-
subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:

set protocols static route 10.23.0.0/20 interface vtun10

8.3. Interfaces 291

 VyOS Documentation, 发布 1.4.x (sagitta)

Generate X.509 Certificate and Keys

OpenVPN ships with a set of scripts called Easy-RSA that can generate the appropriate files needed for an OpenVPN
setup using X.509 certificates. Easy-RSA comes installed by default on VyOS routers.
Copy the Easy-RSA scripts to a new directory to modify the values.

cp -r /usr/share/easy-rsa/ /config/my-easy-rsa-config
cd /config/my-easy-rsa-config

To ensure the consistent use of values when generating the PKI, set default values to be used by the PKI generating scripts.
Rename the vars.example filename to vars

mv vars.example vars

Following is the instance of the file after editing. You may also change other values in the file at your discretion/need,
though for most cases the defaults should be just fine. (do not leave any of these parameters blank)

set_var EASYRSA_DN "org"

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048

init-pki option will create a new pki directory or will delete any previously generated certificates stored in that folder. The
term ‘central’is used to refer server and ‘branch’for client

注解: Remember the“CA Key Passphrase”prompted in build-ca command, as it will be asked in signing the server/client
certificate.

vyos@vyos:/config/my-easy-rsa-config$./easyrsa init-pki
vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-ca
vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-req central nopass
vyos@vyos:/config/my-easy-rsa-config$./easyrsa sign-req server central
vyos@vyos:/config/my-easy-rsa-config$./easyrsa gen-dh
vyos@vyos:/config/my-easy-rsa-config$./easyrsa build-client-full branch1 nopass

To generate a certificate revocation list for any client, execute these commands:

vyos@vyos:/config/my-easy-rsa-config$./easyrsa revoke client1

vyos@vyos:/config/my-easy-rsa-config$ ./easyrsa gen-crl

Copy the files to /config/auth/openvpn/ to use in OpenVPN tunnel creation

vyos@vyos:/config/my-easy-rsa-config$ sudo mkdir /config/auth/openvpn

vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/ca.crt /config/auth/openvpn
vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/dh.pem /config/auth/openvpn
vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/private/central.key /config/auth/
,→openvpn

vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/issued/central.crt /config/auth/

,→openvpn

vyos@vyos:/config/my-easy-rsa-config$ sudo cp pki/crl.pem /config/auth/openvpn

8.3. Interfaces 292

 VyOS Documentation, 发布 1.4.x (sagitta)

Additionally, each client needs a copy of ca.crt and its own client key and cert files. The files are plaintext so they may be
copied either manually, or through a remote file transfer tool like scp. Whichever method you use, the files need to end
up in the proper location on each router. For example, Branch 1’s router might have the following files:
vyos@branch1-rtr:$ ls /config/auth/openvpn
ca.crt branch1.crt branch1.key

Client Authentication

LDAP

Enterprise installations usually ship a kind of directory service which is used to have a single password store for all
employees. VyOS and OpenVPN support using LDAP/AD as single user backend.
Authentication is done by using the openvpn-auth-ldap.so plugin which is shipped with every VyOS installation.
A dedicated configuration file is required. It is best practise to store it in /config to survive image updates
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-
,→ldap.so /config/auth/ldap-auth.config"

The required config file may look like:

<LDAP>
# LDAP server URL
URL ldap://ldap.example.com
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=LDAPUser,dc=example,dc=com
# Bind Password password
Password S3cr3t
# Network timeout (in seconds)
Timeout 15
</LDAP>

<Authorization>
# Base DN
BaseDN "ou=people,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(objectClass=shadowAccount))"
# Require Group Membership - allow all users
RequireGroup false
</Authorization>

Active Directory

Despite the fact that AD is a superset of LDAP

<LDAP>
# LDAP server URL
URL ldap://dc01.example.com
# Bind DN (If your LDAP server doesn’t support anonymous binds)
BindDN CN=LDAPUser,DC=example,DC=com
# Bind Password
Password mysecretpassword
# Network timeout (in seconds)
(下页继续)

8.3. Interfaces 293

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals no
</LDAP>

<Authorization>
# Base DN
BaseDN "DC=example,DC=com"
# User Search Filter, user must be a member of the VPN AD group
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
# Require Group Membership
RequireGroup false # already handled by SearchFilter
<Group>
BaseDN "OU=Groups,DC=example,DC=com"
SearchFilter "(|(cn=VPN))"
MemberAttribute memberOf
</Group>
</Authorization>

If you only want to check if the user account is enabled and can authenticate (against the primary group) the following
snipped is sufficient:

<LDAP>
URL ldap://dc01.example.com
BindDN CN=SA_OPENVPN,OU=ServiceAccounts,DC=example,DC=com
Password ThisIsTopSecret
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>

<Authorization>
BaseDN "DC=example,DC=com"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>

A complete LDAP auth OpenVPN configuration could look like the following example:

vyos@vyos# show interfaces openvpn

openvpn vtun0 {
mode server
openvpn-option "--tun-mtu 1500 --fragment 1300 --mssfix"
openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-
,→auth.config"

openvpn-option "--push redirect-gateway"

openvpn-option --duplicate-cn
openvpn-option --client-cert-not-required
openvpn-option --comp-lzo
openvpn-option --persist-key
openvpn-option --persist-tun
server {
domain-name example.com
max-connections 5
(下页继续)

8.3. Interfaces 294

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
name-server 203.0.113.0.10
name-server 198.51.100.3
subnet 172.18.100.128/29
}
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/server.crt
dh-file /config/auth/dh1024.pem
key-file /config/auth/server.key
}
}

Client

VyOS can not only act as an OpenVPN site-to-site or Server for multiple clients. You can indeed also configure any VyOS
OpenVPN interface as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server.
Given the following example we have one VyOS router acting as OpenVPN server and another VyOS router acting
as OpenVPN client. The Server also pushes a static client IP address to the OpenVPN client. Remember, clients are
identified using their CN attribute in the SSL certificate.

Server

set interfaces openvpn vtun10 encryption cipher 'aes256'

set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '172.18.201.10'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '172.16.254.30'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/server.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/server.key'
set interfaces openvpn vtun10 use-lzo-compression

Client

set interfaces openvpn vtun10 encryption cipher 'aes256'

set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-host '172.18.201.10'
set interfaces openvpn vtun10 remote-port '1194'
(下页继续)

8.3. Interfaces 295

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/client1.crt'
set interfaces openvpn vtun10 tls key-file '/config/auth/client1.key'
set interfaces openvpn vtun10 use-lzo-compression

Options

We do not have CLI nodes for every single OpenVPN options. If an option is missing, a feature request should be opened
at Phabricator so all users can benefit from it (see Issues/Feature requests).
If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN.
set interfaces openvpn vtun10 openvpn-option ‘persistent-key’
Will add persistent-key at the end of the generated OpenVPN configuration. Please use this only as last resort -
things might break and OpenVPN won’t start if you pass invalid options/syntax.
set interfaces openvpn vtun10 openvpn-option ‘push &quot;keepalive 1 10&quot;’
Will add push "keepalive 1 10" to the generated OpenVPN config file.

注解: Sometimes option lines in the generated OpenVPN configurarion require quotes. This is done through a hack on
our config generator. You can pass quotes using the &quot; statement.

Troubleshooting

VyOS provides some operational commands on OpenVPN.

Check status

The following commands let you check tunnel status.

show openvpn client
Use this command to check the tunnel status for OpenVPN client interfaces.
show openvpn server
Use this command to check the tunnel status for OpenVPN server interfaces.
show openvpn site-to-site
Use this command to check the tunnel status for OpenVPN site-to-site interfaces.

8.3. Interfaces 296

 VyOS Documentation, 发布 1.4.x (sagitta)

Reset OpenVPN

The following commands let you reset OpenVPN.

reset openvpn client <text>
Use this command to reset specified OpenVPN client.
reset openvpn interface <interface>
Uset this command to reset the OpenVPN process on a specific interface.

8.3.10 PPPoE

PPP E (Point-to-Point Protocol over Ethernet) is a network protocol for encapsulating PPP frames inside Ethernet frames.
It appeared in 1999, in the context of the boom of DSL as the solution for tunneling packets over the DSL connection
to the ISP (Internet Service Providers) IP network, and from there to the rest of the Internet. A 2005 networking book
noted that “Most DSL providers use PPPoE, which provides authentication, encryption, and compression.”Typical use
of PPPoE involves leveraging the PPP facilities for authenticating the user with a username and password, predominately
via the PAP protocol and less often via CHAP.

Operating Modes

VyOS supports setting up PPPoE in two different ways to a PPPoE internet connection. This is due to most ISPs provide
a modem that is also a wireless router.

Home Users

In this method, the DSL Modem/Router connects to the ISP for you with your credentials preprogrammed into the device.
This gives you an RFC 1918 address, such as 192.168.1.0/24 by default.
For a simple home network using just the ISP’s equipment, this is usually desirable. But if you want to run VyOS as
your firewall and router, this will result in having a double NAT and firewall setup. This results in a few extra layers of
complexity, particularly if you use some NAT or tunnel features.

Business Users

In order to have full control and make use of multiple static public IP addresses, your VyOS will have to initiate the
PPPoE connection and control it. In order for this method to work, you will have to figure out how to make your DSL
Modem/Router switch into a Bridged Mode so it only acts as a DSL Transceiver device to connect between the Ethernet
link of your VyOS and the phone cable. Once your DSL Transceiver is in Bridge Mode, you should get no IP address
from it. Please make sure you connect to the Ethernet Port 1 if your DSL Transeiver has a switch, as some of them only
work this way.
Once you have an Ethernet device connected, i.e. eth0, then you can configure it to open the PPPoE session for you and
your DSL Transceiver (Modem/Router) just acts to translate your messages in a way that vDSL/aDSL understands.

8.3. Interfaces 297

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

Common interface configuration

set interfaces pppoe <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces pppoe pppoe0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces pppoe <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces pppoe pppoe0 disable

set interfaces pppoe <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces pppoe pppoe0 vrf red

PPPoE options

set interfaces pppoe <interface> access-concentrator <name>

Use this command to restrict the PPPoE session on a given access concentrator. Normally, a host sends a PPPoE
initiation packet to start the PPPoE discovery process, a number of access concentrators respond with offer packets
and the host selects one of the responding access concentrators to serve this session.
This command allows you to select a specific access concentrator when you know the access concentrators <name>.
set interfaces pppoe <interface> authentication user <username>
Use this command to set the username for authenticating with a remote PPPoE endpoint. Authentication is optional
from the system’s point of view but most service providers require it.
set interfaces pppoe <interface> authentication password <password>
Use this command to set the password for authenticating with a remote PPPoE endpoint. Authentication is optional
from the system’s point of view but most service providers require it.
set interfaces pppoe <interface> connect-on-demand
When set the interface is enabled for “dial-on-demand”.
Use this command to instruct the system to establish a PPPoE connections automatically once traffic passes through
the interface. A disabled on-demand connection is established at boot time and remains up. If the link fails for
any reason, the link is brought back up immediately.

8.3. Interfaces 298

 VyOS Documentation, 发布 1.4.x (sagitta)

Enabled on-demand PPPoE connections bring up the link only when traffic needs to pass this link. If the link fails
for any reason, the link is brought back up automatically once traffic passes the interface again. If you configure
an on-demand PPPoE connection, you must also configure the idle timeout period, after which an idle PPPoE link
will be disconnected. A non-zero idle timeout will never disconnect the link after it first came up.
set interfaces pppoe <interface> default-route [auto | force | none]
Use this command to specify whether to automatically add a default route pointing to the endpoint of the PPPoE
when the link comes up. The default route is only added if no other default route already exists in the system.
default: A default route to the remote endpoint is automatically added when the link comes up (i.e. auto).
• auto: A default route is added if no other default route (From any source) already exists.
• force: A default route is added after removing all existing default routes.
• none: No default route is installed.

注解: In all modes except ‘none’, all default routes using this interface will be removed when the interface is torn
down - even manually installed static routes.

set interfaces pppoe <interface> idle-timeout <time>

Use this command to set the idle timeout interval to be used with on-demand PPPoE sessions. When an on-
demand connection is established, the link is brought up only when traffic is sent and is disabled when the link is
idle for the interval specified.
If this parameter is not set or 0, an on-demand link will not be taken down when it is idle and after the initial
establishment of the connection. It will stay up forever.
set interfaces pppoe <interface> local-address <address>
Use this command to set the IP address of the local endpoint of a PPPoE session. If it is not set it will be negotiated.
set interfaces pppoe <interface> mtu <mtu>
Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
set interfaces pppoe <interface> no-peer-dns
Use this command to not install advertised DNS nameservers into the local system.
set interfaces pppoe <interface> remote-address <address>
Use this command to set the IP address of the remote endpoint of a PPPoE session. If it is not set it will be
negotiated.
set interfaces pppoe <interface> service-name <name>
Use this command to specify a service name by which the local PPPoE interface can select access concentrators
to connect with. It will connect to any access concentrator if not set.
set interfaces pppoe <interface> source-interface <source-interface>
Use this command to link the PPPoE connection to a physical interface. Each PPPoE connection must be estab-
lished over a physical interface. Interfaces can be regular Ethernet interfaces, VIFs or bonding interfaces/VIFs.

8.3. Interfaces 299

 VyOS Documentation, 发布 1.4.x (sagitta)

IPv6

set interfaces pppoe <interface> ipv6 address autoconf

Use this command to enable acquisition of IPv6 address using stateless autoconfig (SLAAC).
DHCPv6 Prefix Delegation (PD)
VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces pppoe <interface> dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces pppoe pppoe0 dhcpv6-options pd 0 length 56

set interfaces pppoe <interface> dhcpv6-options pd <id> interface <delegatee>

address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces pppoe <interface> dhcpv6-options pd <id> interface <delegatee>

sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth8 sla-id 1

Operation

show interfaces pppoe <interface>

Show detailed information on given <interface>

vyos@vyos:~$ show interfaces pppoe pppoe0

pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast␣
,→state UNKNOWN group default qlen 3

link/ppp
inet 192.0.2.1 peer 192.0.2.255/32 scope global pppoe0
(下页继续)

8.3. Interfaces 300

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

7002658233 5064967 0 0 0 0
TX: bytes packets errors dropped carrier collisions
533822843 1620173 0 0 0 0

show interfaces pppoe <interface> queue

Displays queue information for a PPPoE interface.

vyos@vyos:~$ show interfaces pppoe pppoe0 queue

qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1␣
,→1

Sent 534625359 bytes 1626761 pkt (dropped 62, overlimits 0 requeues 0)

backlog 0b 0p requeues 0

Connect/Disconnect

disconnect interface <interface>

Test disconnecting given connection-oriented interface. <interface> can be pppoe0 as example.
connect interface <interface>
Test connecting given connection-oriented interface. <interface> can be pppoe0 as example.

Example

Requirements:
• Your ISPs modem is connected to port eth0 of your VyOS box.
• No VLAN tagging required by your ISP.
• You need your PPPoE credentials from your DSL ISP in order to configure this. The usual username is in the form
of [email protected] but may vary depending on ISP.
• The largest MTU size you can use with DSL is 1492 due to PPPoE overhead. If you are switching from a DHCP
based ISP like cable then be aware that things like VPN links may need to have their MTU sizes adjusted to work
within this limit.
• With the default-route option set to auto, VyOS will only add the default gateway you receive from
your DSL ISP to the routing table if you have no other WAN connections. If you wish to use a dual WAN
connection, change the default-route option to force. You could also install a static route and set the
default-route option to none.
• With the name-server option set to none, VyOS will ignore the nameservers your ISP sens you and thus you
can fully rely on the ones you have configured statically.

注解: Syntax has changed from VyOS 1.2 (crux) and it will be automatically migrated during an upgrade.

8.3. Interfaces 301

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces pppoe pppoe0 default-route 'auto'

set interfaces pppoe pppoe0 mtu 1492
set interfaces pppoe pppoe0 authentication user 'userid'
set interfaces pppoe pppoe0 authentication password 'secret'
set interfaces pppoe pppoe0 source-interface 'eth0'

You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:

set interfaces pppoe pppoe0 firewall in name NET-IN

set interfaces pppoe pppoe0 firewall local name NET-LOCAL
set interfaces pppoe pppoe0 firewall out name NET-OUT

VLAN Example

Some recent ISPs require you to build the PPPoE connection through a VLAN interface. One of those ISPs is e.g.
Deutsche Telekom in Germany. VyOS can easily create a PPPoE session through an encapsulated VLAN interface.
The following configuration will run your PPPoE connection through VLAN7 which is the default VLAN for Deutsche
Telekom:

set interfaces pppoe pppoe0 default-route 'auto'

set interfaces pppoe pppoe0 mtu 1492
set interfaces pppoe pppoe0 authentication user 'userid'
set interfaces pppoe pppoe0 authentication password 'secret'
set interfaces pppoe pppoe0 source-interface 'eth0.7'

IPv6 DHCPv6-PD Example

The following configuration will assign a /64 prefix out of a /56 delegation to eth0. The IPv6 address assigned to eth0 will
be <prefix>::ffff/64. If you do not know the prefix size delegated to you, start with sla-len 0.

set interfaces pppoe pppoe0 authentication user vyos

set interfaces pppoe pppoe0 authentication password vyos
set interfaces pppoe pppoe0 dhcpv6-options prefix-delegation interface eth0 address␣
,→65535

set interfaces pppoe pppoe0 dhcpv6-options prefix-delegation interface eth0 sla-id 0

set interfaces pppoe pppoe0 dhcpv6-options prefix-delegation interface eth0 sla-len 8
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 source-interface eth1

8.3.11 Pseudo Ethernet/MACVLAN

Pseudo-Ethernet or MACVLAN interfaces can be seen as subinterfaces to regular ethernet interfaces. Each and every
subinterface is created a different media access control (MAC) address, for a single physical Ethernet port. Pseudo-
Ethernet interfaces have most of their application in virtualized environments,
By using Pseudo-Ethernet interfaces there will be less system overhead compared to running a traditional bridging ap-
proach. Pseudo-Ethernet interfaces can also be used to workaround the general limit of 4096 virtual LANs (VLANs) per
physical Ethernet port, since that limit is with respect to a single MAC address.
Every Virtual Ethernet interfaces behaves like a real Ethernet interface. They can have IPv4/IPv6 addresses configured,
or can request addresses by DHCP/ DHCPv6 and are associated/mapped with a real ethernet port. This also makes

8.3. Interfaces 302

 VyOS Documentation, 发布 1.4.x (sagitta)

Pseudo-Ethernet interfaces interesting for testing purposes. A Pseudo-Ethernet device will inherit characteristics (speed,
duplex, …) from its physical parent (the so called link) interface.
Once created in the system, Pseudo-Ethernet interfaces can be referenced in the exact same way as other Ethernet inter-
faces. Notes about using Pseudo- Ethernet interfaces:
• Pseudo-Ethernet interfaces can not be reached from your internal host. This means that you can not try to ping a
Pseudo-Ethernet interface from the host system on which it is defined. The ping will be lost.
• Loopbacks occurs at the IP level the same way as for other interfaces, ethernet frames are not forwarded between
Pseudo-Ethernet interfaces.
• Pseudo-Ethernet interfaces may not work in environments which expect a NIC (Network Interface Card) to only
have a single address. This applies to: - VMware machines using default settings - Network switches with security
settings allowing only a single MAC address - xDSL modems that try to lear the MAC address of the NIC

Configuration

Common interface configuration

set interfaces pseudo-ethernet <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces pseudo-ethernet peth0 address 192.0.2.1/24

set interfaces pseudo-ethernet peth0 address 2001:db8::1/64
set interfaces pseudo-ethernet peth0 dhcp
set interfaces pseudo-ethernet peth0 dhcpv6

set interfaces pseudo-ethernet <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces pseudo-ethernet peth0 description 'This is an awesome interface␣

,→running on VyOS'

set interfaces pseudo-ethernet <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces pseudo-ethernet peth0 disable

set interfaces pseudo-ethernet <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.

8.3. Interfaces 303

 VyOS Documentation, 发布 1.4.x (sagitta)

A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces pseudo-ethernet peth0 disable-flow-control

set interfaces pseudo-ethernet <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces pseudo-ethernet peth0 disable-link-detect

set interfaces pseudo-ethernet <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces pseudo-ethernet peth0 mac '00:01:02:03:04:05'

set interfaces pseudo-ethernet <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces pseudo-ethernet peth0 mtu 9000

set interfaces pseudo-ethernet <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces pseudo-ethernet peth0 ip arp-cache-timeout 180

set interfaces pseudo-ethernet <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

8.3. Interfaces 304

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces pseudo-ethernet peth0 ip disable-arp-filter

set interfaces pseudo-ethernet <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces pseudo-ethernet peth0 ip disable-forwarding

set interfaces pseudo-ethernet <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces pseudo-ethernet peth0 ip enable-arp-accept

set interfaces pseudo-ethernet <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces pseudo-ethernet peth0 ip enable-arp-announce

set interfaces pseudo-ethernet <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces pseudo-ethernet peth0 ip enable-arp-ignore

set interfaces pseudo-ethernet <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces pseudo-ethernet peth0 ip enable-proxy-arp

set interfaces pseudo-ethernet <interface> ip proxy-arp-pvlan

8.3. Interfaces 305

 VyOS Documentation, 发布 1.4.x (sagitta)

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces pseudo-ethernet <interface> ip source-validation <strict |
loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces pseudo-ethernet <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces pseudo-ethernet peth0 ipv6 address autoconf

set interfaces pseudo-ethernet <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:beef::/64

set interfaces pseudo-ethernet <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

8.3. Interfaces 306

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces pseudo-ethernet peth0 ipv6 address no-default-link-local

set interfaces pseudo-ethernet <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces pseudo-ethernet peth0 ipv6 disable-forwarding

set interfaces pseudo-ethernet <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces pseudo-ethernet peth0 vrf red

DHCP(v6)
set interfaces pseudo-ethernet <interface> dhcp-options client-id
<description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces pseudo-ethernet peth0 dhcp-options client-id 'foo-bar'

set interfaces pseudo-ethernet <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces pseudo-ethernet peth0 dhcp-options host-name 'VyOS'

set interfaces pseudo-ethernet <interface> dhcp-options vendor-class-id

<vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces pseudo-ethernet peth0 dhcp-options vendor-class-id 'VyOS'

set interfaces pseudo-ethernet <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces pseudo-ethernet peth0 dhcp-options no-default-route

set interfaces pseudo-ethernet <interface> dhcp-options default-route-distance

<distance>

8.3. Interfaces 307

 VyOS Documentation, 发布 1.4.x (sagitta)

Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces pseudo-ethernet peth0 dhcp-options default-route-distance 220

set interfaces pseudo-ethernet <interface> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces pseudo-ethernet peth0 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces pseudo-ethernet <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces pseudo-ethernet peth0 dhcpv6-options parameters-only

set interfaces pseudo-ethernet <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces pseudo-ethernet peth0 dhcpv6-options rapid-commit

set interfaces pseudo-ethernet <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces pseudo-ethernet peth0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces pseudo-ethernet <interface> dhcpv6-options pd <id> length
<length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces pseudo-ethernet peth0 dhcpv6-options pd 0 length 56

set interfaces pseudo-ethernet <interface> dhcpv6-options pd <id> interface

<delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.

8.3. Interfaces 308

 VyOS Documentation, 发布 1.4.x (sagitta)

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.
set interfaces pseudo-ethernet peth0 dhcpv6-options pd 0 interface eth8 address␣
,→65534

set interfaces pseudo-ethernet <interface> dhcpv6-options pd <id> interface

<delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.
set interfaces pseudo-ethernet peth0 dhcpv6-options pd 0 interface eth8 sla-id 1

Pseudo Ethernet/MACVLAN options

set interfaces pseudo-ethernet <interface> source-interface <ethX>

Specifies the physical <ethX> Ethernet interface associated with a Pseudo Ethernet <interface>.

VLAN

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE
802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying
procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a
quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration
Protocol.
Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame
enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must
be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not
contain a VLAN tag is assumed to be flowing on the native VLAN.
The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be
actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging)
and much of the IEEE 802.1d standard.
802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.
set interfaces pseudo-ethernet <interface> vif <vlan-id>
Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.
You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

注解: Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces pseudo-ethernet <interface> vif <vlan-id> address <address |

dhcp | dhcpv6>
Configure interface <interface> with one or more interface addresses.

8.3. Interfaces 309

 VyOS Documentation, 发布 1.4.x (sagitta)

• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces pseudo-ethernet peth0 vif 10 address 192.0.2.1/24

set interfaces pseudo-ethernet peth0 vif 10 address 2001:db8::1/64
set interfaces pseudo-ethernet peth0 vif 10 dhcp
set interfaces pseudo-ethernet peth0 vif 10 dhcpv6

set interfaces pseudo-ethernet <interface> vif <vlan-id> description

<description>
Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces pseudo-ethernet peth0 vif 10 description 'This is an awesome␣

,→interface running on VyOS'

set interfaces pseudo-ethernet <interface> vif <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces pseudo-ethernet peth0 vif 10 disable

set interfaces pseudo-ethernet <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces pseudo-ethernet peth0 vif 10 disable-link-detect

set interfaces pseudo-ethernet <interface> vif <vlan-id> mac

<xx:xx:xx:xx:xx:xx>
Configure user defined MAC address on given <interface>.
Example:

set interfaces pseudo-ethernet peth0 vif 10 mac '00:01:02:03:04:05'

set interfaces pseudo-ethernet <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces pseudo-ethernet peth0 vif 10 mtu 9000

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip arp-cache-timeout

8.3. Interfaces 310

 VyOS Documentation, 发布 1.4.x (sagitta)

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces pseudo-ethernet peth0 vif 10 ip arp-cache-timeout 180

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces pseudo-ethernet peth0 vif 10 ip disable-arp-filter

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces pseudo-ethernet peth0 vif 10 ip disable-forwarding

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces pseudo-ethernet peth0 vif 10 ip enable-arp-accept

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip

enable-arp-announce
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces pseudo-ethernet peth0 vif 10 ip enable-arp-announce

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip enable-arp-ignore

8.3. Interfaces 311

 VyOS Documentation, 发布 1.4.x (sagitta)

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces pseudo-ethernet peth0 vif 10 ip enable-arp-ignore

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces pseudo-ethernet peth0 vif 10 ip enable-proxy-arp

set interfaces pseudo-ethernet <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces pseudo-ethernet <interface> vif <vlan-id> ip source-validation
<strict | loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces pseudo-ethernet <interface> vif <vlan-id> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

8.3. Interfaces 312

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces pseudo-ethernet peth0 vif 10 ipv6 address autoconf

set interfaces pseudo-ethernet <interface> vif <vlan-id> ipv6 address eui64

<prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces pseudo-ethernet peth0 vif 10 ipv6 address eui64 2001:db8:beef::/64

set interfaces pseudo-ethernet <interface> vif <vlan-id> ipv6 address

no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces pseudo-ethernet peth0 vif 10 ipv6 address no-default-link-local

set interfaces pseudo-ethernet <interface> vif <vlan-id> ipv6

disable-forwarding
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces pseudo-ethernet peth0 vif 10 ipv6 disable-forwarding

set interfaces pseudo-ethernet <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces pseudo-ethernet peth0 vif 10 vrf red

DHCP(v6)
set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcp-options
client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces pseudo-ethernet peth0 vif 10 dhcp-options client-id 'foo-bar'

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcp-options

host-name <hostname>

8.3. Interfaces 313

 VyOS Documentation, 发布 1.4.x (sagitta)

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces pseudo-ethernet peth0 vif 10 dhcp-options host-name 'VyOS'

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcp-options

vendor-class-id <vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces pseudo-ethernet peth0 vif 10 dhcp-options vendor-class-id 'VyOS'

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcp-options

no-default-route
Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces pseudo-ethernet peth0 vif 10 dhcp-options no-default-route

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcp-options

default-route-distance <distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces pseudo-ethernet peth0 vif 10 dhcp-options default-route-distance␣

,→220

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options duid

<duid>
The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces pseudo-ethernet peth0 vif 10 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options

parameters-only
This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces pseudo-ethernet peth0 vif 10 dhcpv6-options parameters-only

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options

rapid-commit
When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

8.3. Interfaces 314

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces pseudo-ethernet peth0 vif 10 dhcpv6-options rapid-commit

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options

temporary
Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces pseudo-ethernet peth0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options pd
<id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces pseudo-ethernet peth0 vif 10 dhcpv6-options pd 0 length 56

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options pd

<id> interface <delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces pseudo-ethernet peth0 vif 10 dhcpv6-options pd 0 interface eth8␣

,→address 65534

set interfaces pseudo-ethernet <interface> vif <vlan-id> dhcpv6-options pd

<id> interface <delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces pseudo-ethernet peth0 vif 10 dhcpv6-options pd 0 interface eth8␣

,→sla-id 1

8.3. Interfaces 315

 VyOS Documentation, 发布 1.4.x (sagitta)

8.3.12 Tunnel

This article touches on ‘classic’IP tunneling protocols.

GRE is often seen as a one size fits all solution when it comes to classic IP tunneling protocols, and for a good reason.
However, there are more specialized options, and many of them are supported by VyOS. There are also rather obscure
GRE options that can be useful.
All those protocols are grouped under interfaces tunnel in VyOS. Let’s take a closer look at the protocols and
options currently supported by VyOS.

Common interface configuration

set interfaces tunnel <interface> address <address>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:

set interfaces tunnel tun0 address 192.0.2.1/24

set interfaces tunnel tun0 address 2001:db8::1/64

set interfaces tunnel <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces tunnel tun0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces tunnel <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces tunnel tun0 disable

set interfaces tunnel <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces tunnel tun0 disable-flow-control

set interfaces tunnel <interface> disable-link-detect

8.3. Interfaces 316

 VyOS Documentation, 发布 1.4.x (sagitta)

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces tunnel tun0 disable-link-detect

set interfaces tunnel <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces tunnel tun0 mac '00:01:02:03:04:05'

set interfaces tunnel <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces tunnel tun0 mtu 9000

set interfaces tunnel <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces tunnel tun0 ip arp-cache-timeout 180

set interfaces tunnel <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces tunnel tun0 ip disable-arp-filter

set interfaces tunnel <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces tunnel tun0 ip disable-forwarding

set interfaces tunnel <interface> ip enable-arp-accept

8.3. Interfaces 317

 VyOS Documentation, 发布 1.4.x (sagitta)

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.
set interfaces tunnel tun0 ip enable-arp-accept

set interfaces tunnel <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.
set interfaces tunnel tun0 ip enable-arp-announce

set interfaces tunnel <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.
set interfaces tunnel tun0 ip enable-arp-ignore

set interfaces tunnel <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:
set interfaces tunnel tun0 ip enable-proxy-arp

set interfaces tunnel <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation

8.3. Interfaces 318

 VyOS Documentation, 发布 1.4.x (sagitta)

• Cisco and Allied Telesyn call it Private VLAN

• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces tunnel <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces tunnel <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces tunnel tun0 ipv6 address autoconf

set interfaces tunnel <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces tunnel tun0 ipv6 address eui64 2001:db8:beef::/64

set interfaces tunnel <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces tunnel tun0 ipv6 address no-default-link-local

set interfaces tunnel <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces tunnel tun0 ipv6 disable-forwarding

set interfaces tunnel <interface> vrf <vrf>

8.3. Interfaces 319

 VyOS Documentation, 发布 1.4.x (sagitta)

Place interface in given VRF instance.

参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces tunnel tun0 vrf red

IPIP

This is one of the simplest types of tunnels, as defined by RFC 2003. It takes an IPv4 packet and sends it as a payload of
another IPv4 packet. For this reason, there are no other configuration options for this kind of tunnel.
An example:

set interfaces tunnel tun0 encapsulation ipip

set interfaces tunnel tun0 source-address 192.0.2.10
set interfaces tunnel tun0 remote 203.0.113.20
set interfaces tunnel tun0 address 192.168.100.200/24

IP6IP6

This is the IPv6 counterpart of IPIP. I’m not aware of an RFC that defines this encapsulation specifically, but it’s a
natural specific case of IPv6 encapsulation mechanisms described in :rfc:2473‘.
It’s not likely that anyone will need it any time soon, but it does exist.
An example:

set interfaces tunnel tun0 encapsulation ip6ip6

set interfaces tunnel tun0 source-address 2001:db8:aa::1
set interfaces tunnel tun0 remote 2001:db8:aa::2
set interfaces tunnel tun0 address 2001:db8:bb::1/64

IPIP6

In the future this is expected to be a very useful protocol (though there are other proposals).
As the name implies, it’s IPv4 encapsulated in IPv6, as simple as that.
An example:

set interfaces tunnel tun0 encapsulation ipip6

set interfaces tunnel tun0 source-address 2001:db8:aa::1
set interfaces tunnel tun0 remote 2001:db8:aa::2
set interfaces tunnel tun0 address 192.168.70.80/24

8.3. Interfaces 320

 VyOS Documentation, 发布 1.4.x (sagitta)

6in4 (SIT)

6in4 uses tunneling to encapsulate IPv6 traffic over IPv4 links as defined in RFC 4213. The 6in4 traffic is sent over
IPv4 inside IPv4 packets whose IP headers have the IP protocol number set to 41. This protocol number is specifically
designated for IPv6 encapsulation, the IPv4 packet header is immediately followed by the IPv6 packet being carried. The
encapsulation overhead is the size of the IPv4 header of 20 bytes, therefore with an MTU of 1500 bytes, IPv6 packets
of 1480 bytes can be sent without fragmentation. This tunneling technique is frequently used by IPv6 tunnel brokers like
Hurricane Electric.
An example:

set interfaces tunnel tun0 encapsulation sit

set interfaces tunnel tun0 source-address 192.0.2.10
set interfaces tunnel tun0 remote 192.0.2.20
set interfaces tunnel tun0 address 2001:db8:bb::1/64

A full example of a Tunnelbroker.net config can be found at here.

Generic Routing Encapsulation (GRE)

A GRE tunnel operates at layer 3 of the OSI model and is repsented by IP protocol 47.The main benefit of a GRE tunnel
is that you are able to carry multiple protocols inside the same tunnel. GRE also supports multicast traffic and supports
routing protocols that leverage multicast to form neighbor adjacencies.
A VyOS GRE tunnel can carry both IPv4 and IPv6 traffic and can also be created over either IPv4 (gre) or IPv6 (ip6gre).

Configuration

A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type
(gre), and an address (ipv4/ipv6).Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco
IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the
encapsulation type. The Cisco router defaults to gre ip otherwise it would have to be configured as well.
VyOS Router:

set interfaces tunnel tun100 address '10.0.0.1/30'

set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 source-address '198.51.100.2'
set interfaces tunnel tun100 remote '203.0.113.10'

Cisco IOS Router:

interface Tunnel100
ip address 10.0.0.2 255.255.255.252
tunnel source 203.0.113.10
tunnel destination 198.51.100.2

Here is a second example of a dual-stack tunnel over IPv6 between a VyOS router and a Linux host using systemd-
networkd.
VyOS Router:

set interfaces tunnel tun101 address '2001:db8:feed:beef::1/126'

set interfaces tunnel tun101 address '192.168.5.1/30'
set interfaces tunnel tun101 encapsulation 'ip6gre'
(下页继续)

8.3. Interfaces 321

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set interfaces tunnel tun101 source-address '2001:db8:babe:face::3afe:3'
set interfaces tunnel tun101 remote '2001:db8:9bb:3ce::5'

Linux systemd-networkd:
This requires two files, one to create the device (XXX.netdev) and one to configure the network on the device
(XXX.network)

# cat /etc/systemd/network/gre-example.netdev
[NetDev]
Name=gre-example
Kind=ip6gre
MTUBytes=14180

[Tunnel]
Remote=2001:db8:babe:face::3afe:3

# cat /etc/systemd/network/gre-example.network
[Match]
Name=gre-example

[Network]
Address=2001:db8:feed:beef::2/126

[Address]
Address=192.168.5.2/30

Tunnel keys

GRE is also the only classic protocol that allows creating multiple tunnels with the same source and destination due to
its support for tunnel keys. Despite its name, this feature has nothing to do with security: it’s simply an identifier that
allows routers to tell one tunnel from another.
An example:

set interfaces tunnel tun0 source-address 192.0.2.10

set interfaces tunnel tun0 remote 192.0.2.20
set interfaces tunnel tun0 address 10.40.50.60/24
set interfaces tunnel tun0 parameters ip key 10

set interfaces tunnel tun0 source-address 192.0.2.10

set interfaces tunnel tun0 remote 192.0.2.20
set interfaces tunnel tun0 address 172.16.17.18/24
set interfaces tunnel tun0 parameters ip key 20

8.3. Interfaces 322

 VyOS Documentation, 发布 1.4.x (sagitta)

Troubleshooting

GRE is a well defined standard that is common in most networks. While not inherently difficult to configure there are a
couple of things to keep in mind to make sure the configuration performs as expected. A common cause for GRE tunnels
to fail to come up correctly include ACL or Firewall configurations that are discarding IP protocol 47 or blocking your
source/desintation traffic.
1. Confirm IP connectivity between tunnel source-address and remote:

vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4

PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=254 time=0.807 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=254 time=1.50 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=254 time=0.624 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=254 time=1.41 ms

--- 203.0.113.10 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 0.624/1.087/1.509/0.381 ms

2. Confirm the link type has been set to GRE:

vyos@vyos:~$ show interfaces tunnel tun100

tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN␣
,→group default qlen 1000

link/gre 198.51.100.2 peer 203.0.113.10

inet 10.0.0.1/30 brd 10.0.0.3 scope global tun100
valid_lft forever preferred_lft forever
inet6 fe80::5efe:c612:2/64 scope link
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

2183 27 0 0 0 0
TX: bytes packets errors dropped carrier collisions
836 9 0 0 0 0

3. Confirm IP connectivity across the tunnel:

vyos@vyos:~$ ping 10.0.0.2 interface 10.0.0.1 count 4

PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=255 time=1.05 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=255 time=1.88 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=255 time=1.98 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=255 time=1.98 ms

--- 10.0.0.2 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 1.055/1.729/1.989/0.395 ms

注解: There is also a GRE over IPv6 encapsulation available, it is called: ip6gre.

8.3. Interfaces 323

 VyOS Documentation, 发布 1.4.x (sagitta)

8.3.13 Virtual Tunnel Interface (VTI)

Set Virtual Tunnel Interface

set interfaces vti vti0 address 192.168.2.249/30

set interfaces vti vti0 address 2001:db8:2::249/64

Results in:

vyos@vyos# show interfaces vti

vti vti0 {
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
}

8.3.14 VXLAN

VXLAN is a network virtualization technology that attempts to address the scalability problems associated with large cloud
computing deployments. It uses a VLAN-like encapsulation technique to encapsulate OSI layer 2 Ethernet frames within
layer 4 UDP datagrams, using 4789 as the default IANA-assigned destination UDP port number. VXLAN endpoints,
which terminate VXLAN tunnels and may be either virtual or physical switch ports, are known as VTEP (VXLAN
tunnel endpoints).
VXLAN is an evolution of efforts to standardize on an overlay encapsulation protocol. It increases scalability up to
16 million logical networks and allows for layer 2 adjacency across IP networks. Multicast or unicast with head-end
replication (HER) is used to flood broadcast, unknown unicast, and multicast (BUM) traffic.
The VXLAN specification was originally created by VMware, Arista Networks and Cisco. Other backers of the VXLAN
technology include Huawei, Broadcom, Citrix, Pica8, Big Switch Networks, Cumulus Networks, Dell EMC, Ericsson,
Mellanox, FreeBSD, OpenBSD, Red Hat, Joyent, and Juniper Networks.
VXLAN was officially documented by the IETF in RFC 7348.
If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are
permitted, otherwise forwarded frames may be blocked by the hypervisor.

注解: As VyOS is based on Linux and there was no official IANA port assigned for VXLAN, VyOS uses a default port
of 8472. You can change the port on a per VXLAN interface basis to get it working across multiple vendors.

Configuration

Common interface configuration

set interfaces vxlan <interface> address <address>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
Example:

set interfaces vxlan vxlan0 address 192.0.2.1/24

set interfaces vxlan vxlan0 address 2001:db8::1/64

8.3. Interfaces 324

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces vxlan <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces vxlan vxlan0 description 'This is an awesome interface running on␣
,→VyOS'

set interfaces vxlan <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces vxlan vxlan0 disable

set interfaces vxlan <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces vxlan vxlan0 disable-flow-control

set interfaces vxlan <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces vxlan vxlan0 disable-link-detect

set interfaces vxlan <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces vxlan vxlan0 mac '00:01:02:03:04:05'

set interfaces vxlan <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces vxlan vxlan0 mtu 9000

set interfaces vxlan <interface> ip arp-cache-timeout

8.3. Interfaces 325

 VyOS Documentation, 发布 1.4.x (sagitta)

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces vxlan vxlan0 ip arp-cache-timeout 180

set interfaces vxlan <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces vxlan vxlan0 ip disable-arp-filter

set interfaces vxlan <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces vxlan vxlan0 ip disable-forwarding

set interfaces vxlan <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces vxlan vxlan0 ip enable-arp-accept

set interfaces vxlan <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces vxlan vxlan0 ip enable-arp-announce

set interfaces vxlan <interface> ip enable-arp-ignore

8.3. Interfaces 326

 VyOS Documentation, 发布 1.4.x (sagitta)

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces vxlan vxlan0 ip enable-arp-ignore

set interfaces vxlan <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces vxlan vxlan0 ip enable-proxy-arp

set interfaces vxlan <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces vxlan <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces vxlan <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

8.3. Interfaces 327

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces vxlan vxlan0 ipv6 address autoconf

set interfaces vxlan <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces vxlan vxlan0 ipv6 address eui64 2001:db8:beef::/64

set interfaces vxlan <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces vxlan vxlan0 ipv6 address no-default-link-local

set interfaces vxlan <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces vxlan vxlan0 ipv6 disable-forwarding

set interfaces vxlan <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces vxlan vxlan0 vrf red

VXLAN specific options

set interfaces vxlan <interface> vni <number>

Each VXLAN segment is identified through a 24-bit segment ID, termed the VNI, This allows up to 16M VXLAN
segments to coexist within the same administrative domain.
set interfaces vxlan <interface> port <port>
Configure port number of remote VXLAN endpoint.

注解: As VyOS is Linux based the default port used is not using 4789 as the default IANA-assigned destination
UDP port number. Instead VyOS uses the Linux default port of 8472.

set interfaces vxlan <interface> source-address <interface>

8.3. Interfaces 328

 VyOS Documentation, 发布 1.4.x (sagitta)

Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN.

Unicast

set interfaces vxlan <interface> remote <address>

IPv4/IPv6 remote address of the VXLAN tunnel. Alternative to multicast, the remote IPv4/IPv6 address can set
directly.

Multicast

set interfaces vxlan <interface> source-interface <interface>

Interface used for VXLAN underlay. This is mandatory when using VXLAN via a multicast network. VXLAN
traffic will always enter and exit this interface.
set interfaces vxlan <interface> group <address>
Multicast group address for VXLAN interface. VXLAN tunnels can be built either via Multicast or via Unicast.
Both IPv4 and IPv6 multicast is possible.

Multicast VXLAN

Topology: PC4 - Leaf2 - Spine1 - Leaf3 - PC5

PC4 has IP 10.0.0.4/24 and PC5 has IP 10.0.0.5/24, so they believe they are in the same broadcast domain.
Let’s assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2
encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1
receives this packet it forwards it to all other Leafs who has joined the same multicast-group, in this case Leaf3. When
Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the
encapsulated packet had Leaf2’s IP-address set as source IP.
PC5 receives the ping echo, responds with an echo reply that Leaf3 receives and this time forwards to Leaf2’s unicast
address directly because it learned the location of PC4 above. When Leaf2 receives the echo reply from PC5 it sees that
it came from Leaf3 and so remembers that PC5 is reachable via Leaf3.
Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not be using the multicast-address between
the Leafs as they both know behind which Leaf the PCs are connected. This saves traffic as less multicast packets sent
reduces the load on the network, which improves scalability when more Leafs are added.
For optimal scalability Multicast shouldn’t be used at all, but instead use BGP to signal all connected devices between
leafs. Unfortunately, VyOS does not yet support this.

Example

The setup is this: Leaf2 - Spine1 - Leaf3

Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a VyOS router running 1.2.
This topology was built using GNS3.
Topology:

8.3. Interfaces 329

 VyOS Documentation, 发布 1.4.x (sagitta)

Spine1:
fa0/2 towards Leaf2, IP-address: 10.1.2.1/24
fa0/3 towards Leaf3, IP-address: 10.1.3.1/24

Leaf2:
Eth0 towards Spine1, IP-address: 10.1.2.2/24
Eth1 towards a vlan-aware switch

Leaf3:
Eth0 towards Spine1, IP-address 10.1.3.3/24
Eth1 towards a vlan-aware switch

Spine1 Configuration:
conf t
ip multicast-routing
!
interface fastethernet0/2
ip address 10.1.2.1 255.255.255.0
ip pim sparse-dense-mode
!
interface fastethernet0/3
ip address 10.1.3.1 255.255.255.0
ip pim sparse-dense-mode
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0

Multicast-routing is required for the leafs to forward traffic between each other in a more scalable way. This also requires
PIM to be enabled towards the Leafs so that the Spine can learn what multicast groups each Leaf expect traffic from.
Leaf2 configuration:
set interfaces ethernet eth0 address '10.1.2.2/24'
set protocols ospf area 0 network '10.0.0.0/8'

! Our first vxlan interface

set interfaces bridge br241 address '172.16.241.1/24'
set interfaces bridge br241 member interface 'eth1.241'
set interfaces bridge br241 member interface 'vxlan241'

set interfaces vxlan vxlan241 group '239.0.0.241'

set interfaces vxlan vxlan241 source-interface 'eth0'
set interfaces vxlan vxlan241 vni '241'

! Our seconds vxlan interface

set interfaces bridge br242 address '172.16.242.1/24'
set interfaces bridge br242 member interface 'eth1.242'
set interfaces bridge br242 member interface 'vxlan242'

set interfaces vxlan vxlan242 group '239.0.0.242'

set interfaces vxlan vxlan242 source-interface 'eth0'
set interfaces vxlan vxlan242 vni '242'

Leaf3 configuration:
set interfaces ethernet eth0 address '10.1.3.3/24'
set protocols ospf area 0 network '10.0.0.0/8'
(下页继续)

8.3. Interfaces 330

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

! Our first vxlan interface

set interfaces bridge br241 address '172.16.241.1/24'
set interfaces bridge br241 member interface 'eth1.241'
set interfaces bridge br241 member interface 'vxlan241'

set interfaces vxlan vxlan241 group '239.0.0.241'

set interfaces vxlan vxlan241 source-interface 'eth0'
set interfaces vxlan vxlan241 vni '241'

! Our seconds vxlan interface

set interfaces bridge br242 address '172.16.242.1/24'
set interfaces bridge br242 member interface 'eth1.242'
set interfaces bridge br242 member interface 'vxlan242'

set interfaces vxlan vxlan242 group '239.0.0.242'

set interfaces vxlan vxlan242 source-interface 'eth0'
set interfaces vxlan vxlan242 vni '242'

As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I’ll try to into
more detail below, command descriptions are placed under the command boxes:

set interfaces bridge br241 address '172.16.241.1/24'

This commands creates a bridge that is used to bind traffic on eth1 vlan 241 with the vxlan241-interface. The IP-address
is not required. It may however be used as a default gateway for each Leaf which allows devices on the vlan to reach other
subnets. This requires that the subnets are redistributed by OSPF so that the Spine will learn how to reach it. To do this
you need to change the OSPF network from‘10.0.0.0/8’to‘0.0.0.0/0’to allow 172.16/12-networks to be advertised.

set interfaces bridge br241 member interface 'eth1.241'

set interfaces bridge br241 member interface 'vxlan241'

Binds eth1.241 and vxlan241 to each other by making them both member interfaces of the same bridge.

set interfaces vxlan vxlan241 group '239.0.0.241'

The multicast-group used by all Leafs for this vlan extension. Has to be the same on all Leafs that has this interface.

set interfaces vxlan vxlan241 source-interface 'eth0'

Sets the interface to listen for multicast packets on. Could be a loopback, not yet tested.

set interfaces vxlan vxlan241 vni '241'

Sets the unique id for this vxlan-interface. Not sure how it correlates with multicast-address.

set interfaces vxlan vxlan241 port 12345

The destination port used for creating a VXLAN interface in Linux defaults to its pre-standard value of 8472 to preserve
backwards compatibility. A configuration directive to support a user-specified destination port to override that behavior
is available using the above command.

8.3. Interfaces 331

 VyOS Documentation, 发布 1.4.x (sagitta)

Unicast VXLAN

Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can be set directly. Let’s change the Multicast
example from above:

# leaf2 and leaf3

delete interfaces vxlan vxlan241 group '239.0.0.241'
delete interfaces vxlan vxlan241 source-interface 'eth0'

# leaf2
set interface vxlan vxlan241 remote 10.1.3.3

# leaf3
set interface vxlan vxlan241 remote 10.1.2.2

The default port udp is set to 8472. It can be changed with set interface vxlan <vxlanN> port <port>

8.3.15 WireGuard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. See https://www.
wireguard.com for more information.

Configuration

WireGuard requires the generation of a keypair, a private key which will decrypt incoming traffic and a public key, which
the peer(s) will use to encrypt traffic.

Generate keypair

generate wireguard default-keypair

It generates the keypair, that is its public and private part and stores it within VyOS. It will be used per default on
any configured WireGuard interface, even if multiple interfaces are being configured.
show wireguard keypairs pubkey default
It shows the public key which needs to be shared with your peer(s). Your peer will encrypt all traffic to your system
using this public key.

vyos@vyos:~$ show wireguard keypairs pubkey default

hW17UxY7zeydJNPIyo3UtGnBHkzTK/NeBOrDSIU9Tx0=

Generate named keypair

Named keypairs can be used on a interface basis, if configured. If multiple WireGuard interfaces are being configured,
each can have their own keypairs.
The commands below will generate 2 keypairs, which are not related to each other.

vyos@vyos:~$ generate wireguard named-keypairs KP01

vyos@vyos:~$ generate wireguard named-keypairs KP02

8.3. Interfaces 332

 VyOS Documentation, 发布 1.4.x (sagitta)

Interface configuration

The next step is to configure your local side as well as the policy based trusted destination addresses. If you only initiate a
connection, the listen port and address/port is optional, if you however act as a server and endpoints initiate the connections
to your system, you need to define a port your clients can connect to, otherwise it’s randomly chosen and may make it
difficult with firewall rules, since the port may be a different one when you reboot your system.
You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a
WireGuard tunnel. The public key below is always the public key from your peer, not your local one.
local side

set interfaces wireguard wg01 address '10.1.0.1/24'

set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '192.168.0.142'
set interfaces wireguard wg01 peer to-wg02 port '12345'
set interfaces wireguard wg01 peer to-wg02 pubkey
,→'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='

set interfaces wireguard wg01 port '12345'

set protocols static route 10.2.0.0/24 interface wg01

The last step is to define an interface route for 10.2.0.0/24 to get through the WireGuard interface wg01. Multiple IPs or
networks can be defined and routed, the last check is allowed-ips which either prevents or allows the traffic.

注解: You can not assign the same allowed-ips statement to multiple WireGuard peers. This a a design decission. For
more information please check the WireGuard mailing list.

To use a named key on an interface, the option private-key needs to be set.

set interfaces wireguard wg01 private-key KP01

set interfaces wireguard wg02 private-key KP02

The command run show wireguard keypairs pubkey KP01 will then show the public key, which needs to
be shared with the peer.
remote side

set interfaces wireguard wg01 address '10.2.0.1/24'

set interfaces wireguard wg01 description 'VPN-to-wg01'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer to-wg02 address '192.168.0.124'
set interfaces wireguard wg01 peer to-wg02 port '12345'
set interfaces wireguard wg01 peer to-wg02 pubkey
,→'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='

set interfaces wireguard wg01 port '12345'

set protocols static route 10.1.0.0/24 interface wg01

Assure that your firewall rules allow the traffic, in which case you have a working VPN using WireGuard

wg01# ping 10.2.0.1

PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms

wg02# ping 10.1.0.1

(下页继续)

8.3. Interfaces 333

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms

An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto, which is optional.

wg01# run generate wireguard preshared-key

rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=

Copy the key, as it is not stored on the local file system. Make sure you distribute that key in a safe manner, it’s a
symmetric key, so only you and your peer should have knowledge of its content.

wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key

,→'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='

wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key

,→'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='

Road Warrior Example

With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the address and port
statements.
In the following example, the IPs for the remote clients are defined in the peers. This would allow the peers to interact
with one another.

wireguard wg0 {
address 10.172.24.1/24
address 2001:DB8:470:22::1/64
description RoadWarrior
peer MacBook {
allowed-ips 10.172.24.30/32
allowed-ips 2001:DB8:470:22::30/128
persistent-keepalive 15
pubkey F5MbW7ye7DsoxdOaixjdrudshjjxN5UdNV+pGFHqehc=
}
peer iPhone {
allowed-ips 10.172.24.20/32
allowed-ips 2001:DB8:470:22::30/128
persistent-keepalive 15
pubkey BknHcLFo8nOo8Dwq2CjaC/TedchKQ0ebxC7GYn7Al00=
}
port 2224
}

The following is the config for the iPhone peer above. It’s important to note that the AllowedIPs setting directs all
IPv4 and IPv6 traffic through the connection.

[Interface]
PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
Address = 10.172.24.20/24, 2001:DB8:470:22::20/64
DNS = 10.0.0.53, 10.0.0.54

[Peer]
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
(下页继续)

8.3. Interfaces 334

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25

This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection.

[Interface]
PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
Address = 10.172.24.30/24, 2001:DB8:470:22::30/64

[Peer]
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25

Operational commands

Show interface status

vyos@wg01# run show interfaces wireguard wg01

interface: wg1
description: VPN-to-wg01
address: 10.2.0.1/24
public key: RIbtUTCfgzNjnLNPQ/asldkfjhaERDFl2H/xUfbyjc=
private key: (hidden)
listening port: 53665
peer: to-wg02
public key: u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
latest handshake: 0:01:20
status: active
endpoint: 192.168.0.124:12345
allowed ips: 10.2.0.0/24
transfer: 42 GB received, 487 MB sent
persistent keepalive: every 15 seconds
RX:
bytes packets errors dropped overrun mcast
45252407916 31192260 0 244493 0 0
TX:
bytes packets errors dropped carrier collisions
511649780 5129601 24465 0 0 0

Show public key of the default key

vyos@wg01# run show wireguard keypair pubkey default

FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM=

Show public key of a named key

vyos@wg01# run show wireguard keypair pubkey KP01

HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM=

Delete wireguard keypairs

8.3. Interfaces 335

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@wg01# wireguard keypair default

8.3.16 Wireless LAN (WiFi)

WLAN (Wireless LAN) interface provide 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means
of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical
device.
There are three modes of operation for a wireless interface:
• WAP (Wireless Access-Point) provides network access to connecting stations if the physical hardware supports
acting as a WAP
• A station acts as a Wi-Fi client accessing the network through an available WAP
• Monitor, the system passively monitors any kind of wireless traffic
If the system detects an unconfigured wireless device, it will be automatically added the configuration tree, specifying any
detected settings (for example, its MAC address) and configured to run in monitor mode.

Configuration

Common interface configuration

set interfaces wireless <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces wireless wlan0 address 192.0.2.1/24

set interfaces wireless wlan0 address 2001:db8::1/64
set interfaces wireless wlan0 dhcp
set interfaces wireless wlan0 dhcpv6

set interfaces wireless <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces wireless wlan0 description 'This is an awesome interface running␣

,→on VyOS'

set interfaces wireless <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces wireless wlan0 disable

8.3. Interfaces 336

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer
networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can
accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions
until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:

set interfaces wireless wlan0 disable-flow-control

set interfaces wireless <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces wireless wlan0 disable-link-detect

set interfaces wireless <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces wireless wlan0 mac '00:01:02:03:04:05'

set interfaces wireless <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces wireless wlan0 mtu 9000

set interfaces wireless <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces wireless wlan0 ip arp-cache-timeout 180

set interfaces wireless <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.

8.3. Interfaces 337

 VyOS Documentation, 发布 1.4.x (sagitta)

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:
set interfaces wireless wlan0 ip disable-arp-filter

set interfaces wireless <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
set interfaces wireless wlan0 ip disable-forwarding

set interfaces wireless <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.
set interfaces wireless wlan0 ip enable-arp-accept

set interfaces wireless <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.
set interfaces wireless wlan0 ip enable-arp-announce

set interfaces wireless <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.
set interfaces wireless wlan0 ip enable-arp-ignore

set interfaces wireless <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

8.3. Interfaces 338

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless wlan0 ip enable-proxy-arp

set interfaces wireless <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces wireless <interface> ip source-validation <strict | loose |
disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces wireless <interface> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces wireless wlan0 ipv6 address autoconf

set interfaces wireless <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces wireless wlan0 ipv6 address eui64 2001:db8:beef::/64

8.3. Interfaces 339

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces wireless wlan0 ipv6 address no-default-link-local

set interfaces wireless <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces wireless wlan0 ipv6 disable-forwarding

set interfaces wireless <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces wireless wlan0 vrf red

DHCP(v6)
set interfaces wireless <interface> dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces wireless wlan0 dhcp-options client-id 'foo-bar'

set interfaces wireless <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces wireless wlan0 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> dhcp-options vendor-class-id <vendor-id>

The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces wireless wlan0 dhcp-options vendor-class-id 'VyOS'

set interfaces wireless <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.
Example:

8.3. Interfaces 340

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless wlan0 dhcp-options no-default-route

set interfaces wireless <interface> dhcp-options default-route-distance

<distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces wireless wlan0 dhcp-options default-route-distance 220

set interfaces wireless <interface> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces wireless wlan0 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces wireless wlan0 dhcpv6-options parameters-only

set interfaces wireless <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces wireless wlan0 dhcpv6-options rapid-commit

set interfaces wireless <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces wireless wlan0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces wireless <interface> dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces wireless wlan0 dhcpv6-options pd 0 length 56

8.3. Interfaces 341

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless <interface> dhcpv6-options pd <id> interface

<delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces wireless wlan0 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces wireless <interface> dhcpv6-options pd <id> interface

<delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces wireless wlan0 dhcpv6-options pd 0 interface eth8 sla-id 1

Wireless options

set interfaces wireless <interface> channel <number>

Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from 1-14. On 5Ghz (802.11
a/h/j/n/ac) channels available are 0, 34 to 173
set interfaces wireless <interface> country-code <cc>
Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which
device is operating. This can limit available channels and transmit power.

注解: This option is mandatory in Access-Point mode.

set interfaces wireless <interface> disable-broadcast-ssid

Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations
to know SSID.
set interfaces wireless <interface> expunge-failing-stations
Disassociate stations based on excessive transmission failures or other indications of connection loss.
This depends on the driver capabilities and may not be available with all drivers.
set interfaces wireless <interface> isolate-stations
Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS.
By default, this bridging is allowed.
set interfaces wireless <interface> max-stations
Maximum number of stations allowed in station table. New stations will be rejected after the station table is full.
IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that.

8.3. Interfaces 342

 VyOS Documentation, 发布 1.4.x (sagitta)

This defaults to 2007.

set interfaces wireless <interface> mgmt-frame-protection
Management Frame Protection (MFP) according to IEEE 802.11w
set interfaces wireless <interface> mode <a | b | g | n | ac>
Operation mode of wireless radio.
• a - 802.11a - 54 Mbits/sec
• b - 802.11b - 11 Mbits/sec
• g - 802.11g - 54 Mbits/sec (default)
• n - 802.11n - 600 Mbits/sec
• ac - 802.11ac - 1300 Mbits/sec
set interfaces wireless <interface> physical-device <device>
Wireless hardware device used as underlay radio.
This defaults to phy0.
set interfaces wireless <interface> reduce-transmit-power <number>
Add Power Constraint element to Beacon and Probe Response frames.
This option adds Power Constraint element when applicable and Country element is added. Power Constraint
element is required by Transmit Power Control.
Valid values are 0..255.
set interfaces wireless <interface> ssid <ssid>
SSID to be used in IEEE 802.11 management frames
set interfaces wireless <interface> type <access-point | station | monitor>
Wireless device type for this interface
• access-point - Access-point forwards packets between other nodes
• station - Connects to another access point
• monitor - Passively monitor all packets on the frequency/channel

PPDU

set interfaces wireless <interface> capabilities require-ht

set interfaces wireless <interface> capabilities require-hvt

8.3. Interfaces 343

 VyOS Documentation, 发布 1.4.x (sagitta)

HT (High Throughput) capabilities (802.11n)

set interfaces wireless <interface> capabilities ht 40mhz-incapable

Device is incapable of 40 MHz, do not advertise. This sets [40-INTOLERANT]
set interfaces wireless <interface> capabilities ht auto-powersave
WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
set interfaces wireless <interface> capabilities ht channel-set-width <ht20 |
ht40+ | ht40->
Supported channel width set.
• ht40- - Both 20 MHz and 40 MHz with secondary channel below the primary channel
• ht40+ - Both 20 MHz and 40 MHz with secondary channel above the primary channel

注解: There are limits on which channels can be used with HT40- and HT40+. Following table shows the
channels that may be available for HT40- and HT40+ use per IEEE 802.11n Annex J:
Depending on the location, not all of these channels may be available for use!

freq HT40- HT40+

2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
5 GHz 40,48,56,64 36,44,52,60

注解: 40 MHz channels may switch their primary and secondary channels if needed or creation of 40 MHz
channel maybe rejected based on overlapping BSSes. These changes are done automatically when hostapd is
setting up the 40 MHz channel.

set interfaces wireless <interface> capabilities ht delayed-block-ack

Enable HT-delayed Block Ack [DELAYED-BA]
set interfaces wireless <interface> capabilities ht dsss-cck-40
DSSS/CCK Mode in 40 MHz, this sets [DSSS_CCK-40]
set interfaces wireless <interface> capabilities ht greenfield
This enables the greenfield option which sets the [GF] option
set interfaces wireless <interface> capabilities ht ldpc
Enable LDPC coding capability
set interfaces wireless <interface> capabilities ht lsig-protection
Enable L-SIG TXOP protection capability
set interfaces wireless <interface> capabilities ht max-amsdu <3839 | 7935>
Maximum A-MSDU length 3839 (default) or 7935 octets
set interfaces wireless <interface> capabilities ht short-gi <20 | 40>
Short GI capabilities for 20 and 40 MHz
set interfaces wireless <interface> capabilities ht smps <static | dynamic>

8.3. Interfaces 344

 VyOS Documentation, 发布 1.4.x (sagitta)

Spatial Multiplexing Power Save (SMPS) settings

set interfaces wireless <interface> capabilities ht stbc rx <num>
Enable receiving PPDU using STBC (Space Time Block Coding)
set interfaces wireless <interface> capabilities ht stbc tx
Enable sending PPDU using STBC (Space Time Block Coding)

VHT (Very High Throughput) capabilities (802.11ac)

set interfaces wireless <interface> capabilities vht antenna-count

Number of antennas on this card
set interfaces wireless <interface> capabilities vht antenna-pattern-fixed
Set if antenna pattern does not change during the lifetime of an association
set interfaces wireless <interface> capabilities vht beamform
<single-user-beamformer | single-user-beamformee | multi-user-beamformer |
multi-user-beamformee>
Beamforming capabilities:
• single-user-beamformer - Support for operation as single user beamformer
• single-user-beamformee - Support for operation as single user beamformee
• multi-user-beamformer - Support for operation as single user beamformer
• multi-user-beamformee - Support for operation as single user beamformer
set interfaces wireless <interface> capabilities vht center-channel-freq
<freq-1 | freq-2> <number>
VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)
VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)
<number> must be from 34 - 173. For 80 MHz channels it should be channel + 6.
set interfaces wireless <interface> capabilities vht channel-set-width <0 | 1
| 2 | 3>
• 0 - 20 or 40 MHz channel width (default)
• 1 - 80 MHz channel width
• 2 - 160 MHz channel width
• 3 - 80+80 MHz channel width
set interfaces wireless <interface> capabilities vht ldpc
Enable LDPC (Low Density Parity Check) coding capability
set interfaces wireless <interface> capabilities vht link-adaptation
VHT link adaptation capabilities
set interfaces wireless <interface> capabilities vht max-mpdu <value>
Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets)
set interfaces wireless <interface> capabilities vht max-mpdu-exp <value>

8.3. Interfaces 345

 VyOS Documentation, 发布 1.4.x (sagitta)

Set the maximum length of A-MPDU pre-EOF padding that the station can receive
set interfaces wireless <interface> capabilities vht short-gi <80 | 160>
Short GI capabilities
set interfaces wireless <interface> capabilities vht stbc rx <num>
Enable receiving PPDU using STBC (Space Time Block Coding)
set interfaces wireless <interface> capabilities vht stbc tx
Enable sending PPDU using STBC (Space Time Block Coding)
set interfaces wireless <interface> capabilities vht tx-powersave
Enable VHT TXOP Power Save Mode
set interfaces wireless <interface> capabilities vht vht-cf
Station supports receiving VHT variant HT Control field

Wireless options (Station/Client)

The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP
defined in the above example. The default physical device (phy0) is used.
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
set interfaces wireless wlan0 ssid Test
set interfaces wireless wlan0 security wpa

Resulting in
interfaces {
[...]
wireless wlan0 {
address dhcp
security {
wpa {
passphrase "12345678"
}
}
ssid TEST
type station
}

Security

WPA (Wi-Fi Protected Access) and WPA2 Enterprise in combination with 802.1x based authentication can be used to
authenticate users or computers in a domain.
The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an EAP method
configured on the RADIUS server. The WAP (also referred to as authenticator) role is to send all authentication messages
between the supplicant and the configured authentication server, thus the RADIUS server is responsible for authenticating
the users.
The WAP in this example has the following characteristics:
• IP address 192.168.2.1/24

8.3. Interfaces 346

 VyOS Documentation, 发布 1.4.x (sagitta)

• Network ID (SSID) Enterprise-TEST

• WPA passphrase 12345678
• Use 802.11n protocol
• Wireless channel 1
• RADIUS server at 192.168.3.10 with shared-secret VyOSPassword

set interfaces wireless wlan0 address '192.168.2.1/24'

set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key
,→'VyOSPassword'

set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812

Resulting in

interfaces {
[...]
wireless wlan0 {
address 192.168.2.1/24
channel 1
mode n
security {
wpa {
cipher CCMP
mode wpa2
radius {
server 192.168.3.10 {
key 'VyOSPassword'
port 1812
}
}
}
}
ssid "Enterprise-TEST"
type access-point
}
}
system {
[...]
wifi-regulatory-domain DE
}

8.3. Interfaces 347

 VyOS Documentation, 发布 1.4.x (sagitta)

VLAN

Regular VLANs (802.1q)

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE
802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying
procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a
quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration
Protocol.
Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame
enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must
be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not
contain a VLAN tag is assumed to be flowing on the native VLAN.
The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be
actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging)
and much of the IEEE 802.1d standard.
802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.
set interfaces wireless <interface> vif <vlan-id>
Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.
You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

注解: Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces wireless <interface> vif <vlan-id> address <address | dhcp |

dhcpv6>
Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

set interfaces wireless wlan0 vif 10 address 192.0.2.1/24

set interfaces wireless wlan0 vif 10 address 2001:db8::1/64
set interfaces wireless wlan0 vif 10 dhcp
set interfaces wireless wlan0 vif 10 dhcpv6

set interfaces wireless <interface> vif <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces wireless wlan0 vif 10 description 'This is an awesome interface␣

,→running on VyOS'

set interfaces wireless <interface> vif <vlan-id> disable

8.3. Interfaces 348

 VyOS Documentation, 发布 1.4.x (sagitta)

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces wireless wlan0 vif 10 disable

set interfaces wireless <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces wireless wlan0 vif 10 disable-link-detect

set interfaces wireless <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.
Example:

set interfaces wireless wlan0 vif 10 mac '00:01:02:03:04:05'

set interfaces wireless <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces wireless wlan0 vif 10 mtu 9000

set interfaces wireless <interface> vif <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

set interfaces wireless wlan0 vif 10 ip arp-cache-timeout 180

set interfaces wireless <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces wireless wlan0 vif 10 ip disable-arp-filter

set interfaces wireless <interface> vif <vlan-id> ip disable-forwarding

8.3. Interfaces 349

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces wireless wlan0 vif 10 ip disable-forwarding

set interfaces wireless <interface> vif <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces wireless wlan0 vif 10 ip enable-arp-accept

set interfaces wireless <interface> vif <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces wireless wlan0 vif 10 ip enable-arp-announce

set interfaces wireless <interface> vif <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces wireless wlan0 vif 10 ip enable-arp-ignore

set interfaces wireless <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces wireless wlan0 vif 10 ip enable-proxy-arp

set interfaces wireless <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

8.3. Interfaces 350

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces wireless <interface> vif <vlan-id> ip source-validation <strict
| loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces wireless <interface> vif <vlan-id> ipv6 address autoconf
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address autoconf

set interfaces wireless <interface> vif <vlan-id> ipv6 address eui64 <prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:

set interfaces wireless wlan0 vif 10 ipv6 address eui64 2001:db8:beef::/64

set interfaces wireless <interface> vif <vlan-id> ipv6 address

no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:

set interfaces wireless wlan0 vif 10 ipv6 address no-default-link-local

set interfaces wireless <interface> vif <vlan-id> ipv6 disable-forwarding

8.3. Interfaces 351

 VyOS Documentation, 发布 1.4.x (sagitta)

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:

set interfaces wireless wlan0 vif 10 ipv6 disable-forwarding

set interfaces wireless <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces wireless wlan0 vif 10 vrf red

DHCP(v6)
set interfaces wireless <interface> vif <vlan-id> dhcp-options client-id
<description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.
Example:

set interfaces wireless wlan0 vif 10 dhcp-options client-id 'foo-bar'

set interfaces wireless <interface> vif <vlan-id> dhcp-options host-name

<hostname>
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces wireless wlan0 vif 10 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> vif <vlan-id> dhcp-options vendor-class-id

<vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces wireless wlan0 vif 10 dhcp-options vendor-class-id 'VyOS'

set interfaces wireless <interface> vif <vlan-id> dhcp-options

no-default-route
Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces wireless wlan0 vif 10 dhcp-options no-default-route

set interfaces wireless <interface> vif <vlan-id> dhcp-options

default-route-distance <distance>

8.3. Interfaces 352

 VyOS Documentation, 发布 1.4.x (sagitta)

Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces wireless wlan0 vif 10 dhcp-options default-route-distance 220

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces wireless wlan0 vif 10 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options

parameters-only
This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces wireless wlan0 vif 10 dhcpv6-options parameters-only

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces wireless wlan0 vif 10 dhcpv6-options rapid-commit

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces wireless wlan0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id>
length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 length 56

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id>

interface <delegatee> address <address>

8.3. Interfaces 353

 VyOS Documentation, 发布 1.4.x (sagitta)

Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 interface eth8 address␣

,→65534

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id>

interface <delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1

QinQ (802.1ad)

IEEE 802.1ad was an Ethernet networking standard informally known as QinQ as an amendment to IEEE standard 802.1q
VLAN interfaces as described above. 802.1ad was incorporated into the base 802.1q standard in 2011. The technique
is also known as provider bridging, Stacked VLANs, or simply QinQ or Q-in-Q. “Q-in-Q”can for supported devices
apply to C-tag stacking on C-tag (Ethernet Type = 0x8100).
The original 802.1q specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Eth-
ernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing
Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet
protocols.
In a multiple VLAN header context, out of convenience the term “VLAN tag”or just “tag”for short is often used in
place of“802.1q VLAN header”. QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute
a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1q headers
(double-tagged).
In VyOS the terms vif-s and vif-c stand for the ethertype tags that are used.
The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag,
with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag
with Ethernet Type = 0x88a8).
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> address
<address | dhcp | dhcpv6>
Configure interface <interface> with one or more interface addresses.
• address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
• dhcp interface address is received by DHCP from a DHCP server on this segment.
• dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Example:

8.3. Interfaces 354

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless wlan0 vif-s 1000 vif-c 20 address 192.0.2.1/24

set interfaces wireless wlan0 vif-s 1000 vif-c 20 address 2001:db8::1/64
set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp
set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

description <description>
Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 description 'This is an␣
,→awesome interface running on VyOS'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 disable

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

disable-link-detect
Use this command to direct an interface to not detect any physical state changes on a link, for example, when the
cable is unplugged.
Default is to detects physical link state changes.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 disable-link-detect

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> mac

<xx:xx:xx:xx:xx:xx>
Configure user defined MAC address on given <interface>.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 mac '00:01:02:03:04:05'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> mtu <mtu>
Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 mtu 9000

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

arp-cache-timeout
Once a neighbor has been found, the entry is considered to be valid for at least for this specifc time. An entry’s
validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:

8.3. Interfaces 355

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip arp-cache-timeout 180

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

disable-arp-filter
If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it
usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the
complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this
behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for
each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that
interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip disable-arp-filter

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

disable-forwarding
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip disable-forwarding

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-arp-accept
Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create
new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless
if this setting is on or off.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-accept

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-arp-announce
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent
on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful
when target hosts reachable via this interface require the source IP address in ARP requests to be part of their
logical network configured on the receiving interface. When we generate the request we will check all our subnets
that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet
we select source address according to the rules for level 2.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-announce

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-arp-ignore

8.3. Interfaces 356

 VyOS Documentation, 发布 1.4.x (sagitta)

Define different modes for sending replies in response to received ARP requests that resolve local target IP ad-
dresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-ignore

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

enable-proxy-arp
Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an
Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets
attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded
appropriately by the system.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-proxy-arp

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip

proxy-arp-pvlan
Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP
request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to
communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it
is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

注解: Does not need to be used together with proxy_arp.

This technology is known by different names:

• In RFC 3069 it is called VLAN Aggregation
• Cisco and Allied Telesyn call it Private VLAN
• Hewlett-Packard call it Source-Port filtering or port-isolation
• Ericsson call it MAC-Forced Forwarding (RFC Draft)
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip
source-validation <strict | loose | disable>
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice
in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or
other complicated routing, then loose mode is recommended.
• strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the
packet check will fail. By default failed packets are discarded.
• loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not
reachable via any interface the packet check will fail.
• disable: No source validation
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6
address autoconf

8.3. Interfaces 357

 VyOS Documentation, 发布 1.4.x (sagitta)

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using
the Neighbor Discovery Protocol via ICMP 6 router discovery messages. When first connected to a network, a
host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such
a request with a router advertisement packet that contains Internet Layer configuration parameters.

注解: This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:
set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address autoconf

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6

address eui64 <prefix>
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:
set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address eui64␣
,→2001:db8:beef::/64

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6

address no-default-link-local
Do not assign a link-local IPv6 address to this interface.
Example:
set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address no-default-link-
,→local

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6

disable-forwarding
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 for-
warding will be disabled on this interface.
Example:
set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 disable-forwarding

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> vrf <vrf>
Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:
set interfaces wireless wlan0 vif-s 1000 vif-c 20 vrf red

DHCP(v6)
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>
dhcp-options client-id <description>
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the‘client identifier’option.
If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’in all subsequent
messages, and the server MUST use that identifier to identify the client.

8.3. Interfaces 358

 VyOS Documentation, 发布 1.4.x (sagitta)

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options client-id 'foo-bar
,→'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options host-name <hostname>
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options vendor-class-id <vendor-id>
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options vendor-class-id

,→'VyOS'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options no-default-route
Only request an address from the DHCP server but do not request a default gateway.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options no-default-route

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcp-options default-route-distance <distance>
Set the distance for the default gateway sent by the DHCP server.
Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options default-route-

,→distance 220

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options duid <duid>
The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte
DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The
server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers,
etc.) to the client.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 duid

,→'0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options parameters-only
This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of
DNS server addresses is an example of such parameters. This statement is useful when the client does not need
stateful configuration parameters such as IPv6 addresses or prefixes.

8.3. Interfaces 359

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options parameters-only

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options rapid-commit
When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an
immediate reply instead of advertisements.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options rapid-commit

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options temporary
Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses)
partnership.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who
provide native IPv6 for consumers on fixed networks.
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>
dhcpv6-options pd <id> length <length>
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for
a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix
(if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 length 56

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options pd <id> interface <delegatee> address <address>
Specify the interface address used locally on the interfcae where the prefix has been delegated to. ID must be a
decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to
use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of
<prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface␣

,→eth8 address 65534

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id>

dhcpv6-options pd <id> interface <delegatee> sla-id <id>
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number
greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two
values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

8.3. Interfaces 360

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface␣

,→eth8 sla-id 1

Operation

show interfaces wireless info

Use this command to view operational status and wireless-specific information about all wireless interfaces.
vyos@vyos:~$ show interfaces wireless info
Interface Type SSID Channel
wlan0 access-point VyOS-TEST-0 1

show interfaces wireless detail

Use this command to view operational status and detailes wireless-specific information about all wireless interfaces.
vyos@vyos:~$ show interfaces wireless detail
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group␣
,→default qlen 1000

link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff

inet xxx.xxx.99.254/24 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

66072 282 0 0 0 0
TX: bytes packets errors dropped carrier collisions
83413 430 0 0 0 0

wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group␣

,→default qlen 1000

link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff

inet xxx.xxx.100.254/24 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:ffff:2ed3/64 scope link
valid_lft forever preferred_lft forever

RX: bytes packets errors dropped overrun mcast

166072 5282 0 0 0 0
TX: bytes packets errors dropped carrier collisions
183413 5430 0 0 0 0

show interfaces wireless <wlanX>

This command shows both status and statistics on the specified wireless interface. The wireless interface identifier can
range from wlan0 to wlan999.
vyos@vyos:~$ show interfaces wireless wlan0
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group␣
,→default qlen 1000

link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff

inet xxx.xxx.99.254/24 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link
valid_lft forever preferred_lft forever
(下页继续)

8.3. Interfaces 361

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

RX: bytes packets errors dropped overrun mcast

66072 282 0 0 0 0
TX: bytes packets errors dropped carrier collisions
83413 430 0 0 0 0

show interfaces wireless <wlanX> brief

This command gives a brief status overview of a specified wireless interface. The wireless interface identifier can range
from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0 brief

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
wlan0 192.168.2.254/24 u/u

show interfaces wireless <wlanX> queue

Use this command to view wireless interface queue information. The wireless interface identifier can range from wlan0
to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0 queue

qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 810323 bytes 6016 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

show interfaces wireless <wlanX> scan

This command is used to retrieve information about WAP within the range of your wireless interface. This command is
useful on wireless interfaces configured in station mode.

注解: Scanning is not supported on all wireless drivers and wireless hardware. Refer to your driver and wireless hardware
documentation for further details.

vyos@vyos:~$ show interfaces wireless wlan0 scan

Address SSID Channel Signal (dbm)
00:53:3b:88:6e:d8 WLAN-576405 1 -64.00
00:53:3b:88:6e:da Telekom_FON 1 -64.00
00:53:00:f2:c2:a4 BabyView_F2C2A4 6 -60.00
00:53:3b:88:6e:d6 Telekom_FON 100 -72.00
00:53:3b:88:6e:d4 WLAN-576405 100 -71.00
00:53:44:a4:96:ec KabelBox-4DC8 56 -81.00
00:53:d9:7a:67:c2 WLAN-741980 1 -75.00
00:53:7c:99:ce:76 Vodafone Homespot 1 -86.00
00:53:44:a4:97:21 KabelBox-4DC8 1 -78.00
00:53:44:a4:97:21 Vodafone Hotspot 1 -79.00
00:53:44:a4:97:21 Vodafone Homespot 1 -79.00
00:53:86:40:30:da Telekom_FON 1 -86.00
00:53:7c:99:ce:76 Vodafone Hotspot 1 -86.00
00:53:44:46:d2:0b Vodafone Hotspot 1 -87.00

8.3. Interfaces 362

 VyOS Documentation, 发布 1.4.x (sagitta)

Examples

The following example creates a WAP. When configuring multiple WAP interfaces, you must specify unique IP addresses,
channels, Network IDs commonly referred to as SSID (Service Set Identifier), and MAC addresses.
The WAP in this example has the following characteristics:
• IP address 192.168.2.1/24
• Network ID (SSID) TEST
• WPA passphrase 12345678
• Use 802.11n protocol
• Wireless channel 1

set interfaces wireless wlan0 address '192.168.2.1/24'

set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa passphrase '12345678'

Resulting in

interfaces {
[...]
wireless wlan0 {
address 192.168.2.1/24
channel 1
mode n
security {
wpa {
cipher CCMP
mode wpa2
passphrase "12345678"
}
}
ssid "TEST"
type access-point
}
}
system {
[...]
wifi-regulatory-domain DE
}

To get it to work as a access point with this configuration you will need to set up a DHCP server to work with that network.
You can - of course - also bridge the Wireless interface with any configured bridge (Bridge) on the system.

8.3. Interfaces 363

 VyOS Documentation, 发布 1.4.x (sagitta)

8.3.17 WirelessModem (WWAN)

The wirelessmodem interface provides access (through a wireless modem/wwan) to wireless networks provided by various
cellular providers. VyOS uses the interfaces wirelessmodem subsystem for configuration.

Configuration

Common interface configuration

set interfaces wirelessmodem <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces
command or SNMP based monitoring tools.
Example:

set interfaces wirelessmodem wlm0 description 'This is an awesome interface␣

,→running on VyOS'

set interfaces wirelessmodem <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.
Example:

set interfaces wirelessmodem wlm0 disable

set interfaces wirelessmodem <interface> vrf <vrf>

Place interface in given VRF instance.
参见:
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:

set interfaces wirelessmodem wlm0 vrf red

WirelessModem (WWAN) options

set interfaces wirelessmodem <interface> apn <apn>

Every WWAN connection requires an APN (Access Point Name) which is used by the client to dial into the ISPs
network. This is a mandatory parameter. Contact your Service Provider for correct APN.
set interfaces wirelessmodem <interface> backup distance <metric>
Configure metric of the default route added via the Wireless Modem interface. The default metric if not specified
is 10.
set interfaces wirelessmodem <interface> device <tty>
Device identifier of the underlaying physical interface. This is usually a ttyUSB device, if not configured this
defaults to ttyUSB2.
set interfaces wirelessmodem <interface> no-peer-dns
Do not install DNS nameservers received from ISP into system wide nameserver list.

8.3. Interfaces 364

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces wirelessmodem <interface> connect-on-demand

When set the interface is enabled for “dial-on-demand”.
Use this command to instruct the system to establish a PPP connection automatically once traffic passes through
the interface. A disabled on-demand connection is established at boot time and remains up. If the link fails for
any reason, the link is brought back up immediately.

Operation

show interfaces wirelessmodem <interface>

Retrive interface information from given WWAN interface.

vyos@vyos:~$ show interfaces wirelessmodem wlm0

wlm0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master␣
,→black state UNKNOWN group default qlen 3

link/ppp
inet 10.26.238.93 peer 10.64.64.64/32 scope global wlm0
valid_lft forever preferred_lft forever
Description: baaar

RX: bytes packets errors dropped overrun mcast

38 5 0 0 0 0
TX: bytes packets errors dropped carrier collisions
217 8 0 0 0 0

show interfaces wirelessmodem <interface> statistics

Retrive interface statistics from given WWAN interface.

vyos@vyos:~$ show interfaces wirelessmodem wlm0 statistics

IN PACK VJCOMP VJUNC VJERR | OUT PACK VJCOMP VJUNC NON-VJ
38 5 0 0 0 | 217 8 0 0 8

show interfaces wirelessmodem <interface> log

Displays log information for a WWAN interface.

Example

The following example is based on a Sierra Wireless MC7710 miniPCIe card (only the form factor in reality it runs UBS)
and Deutsche Telekom as ISP. The card is assembled into a PC Engines APU4.

set interfaces wirelessmodem wlm0 apn 'internet.telekom'

set interfaces wirelessmodem wlm0 backup distance '100'
set interfaces wirelessmodem wlm0 device 'ttyUSB2'
set interfaces wirelessmodem wlm0 disable
set interfaces wirelessmodem wlm0 no-peer-dns

8.3. Interfaces 365

 VyOS Documentation, 发布 1.4.x (sagitta)

Supported Modules

The following hardware modules have been tested successfully in an PC Engines APU4 board:
• Sierra Wireless AirPrime MC7304 miniPCIe card (LTE)
• Sierra Wireless AirPrime MC7430 miniPCIe card (LTE)
• Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)
• Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)
• Huawei ME909u-521 miniPCIe card (LTE)
• Huawei ME909s-120 miniPCIe card (LTE)

8.4 WAN load balancing

Outbound traffic can be balanced between two or more outbound interfaces. If a path fails, traffic is balanced across the
remaining healthy paths, a recovered path is automatically added back to the routing table and used by the load balancer.
The load balancer automatically adds routes for each path to the routing table and balances traffic across the configured
interfaces, determined by interface health and weight.
In a minimal, configuration the following must be provided:
• a interface with a nexthop
• one rule with a LAN (inbound-interface) and the WAN (interface).
Let’s assume we have two DHCP WAN interfaces and one LAN (eth2):
set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan rule 1 inbound-interface 'eth2'
set load-balancing wan rule 1 interface eth0
set load-balancing wan rule 1 interface eth1

8.4.1 Balancing Rules

Interfaces, their weight and the type of traffic to be balanced are defined in numbered balancing rule sets. The rule sets are
executed in numerical order against outgoing packets. In case of a match the packet is sent through an interface specified
in the matching rule. If a packet doesn’t match any rule it is sent by using the system routing table. Rule numbers can’
t be changed.
Create a load balancing rule, rule can be a number between 1 and 9999:
vyos@vyos# set load-balancing wan rule 1
Possible completions:
description Description for this rule
> destination Destination
exclude Exclude packets matching this rule from wan load balance
failover Enable failover for packets matching this rule from wan load␣
,→balance

inbound-interface Inbound interface name (e.g., "eth0") [REQUIRED]

+> interface Interface name [REQUIRED]
> limit Enable packet limit for this rule
per-packet-balancing Option to match traffic per-packet instead of the default,␣
,→per-flow
(下页继续)

8.4. WAN load balancing 366

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
protocol Protocol to match
> source Source information

Interface weight

Let’s expand the example from above and add a weight to the interfaces. The bandwidth from eth0 is larger than eth1.
Per default outbound traffic is distributed randomly across available interfaces. Weights can be assigned to interfaces to
influence the balancing.

set load-balancing wan rule 1 interface eth0 weight 2

set load-balancing wan rule 1 interface eth1 weight 1

66% traffic is routed to eth0 and eth1 get 33% of traffic.

Rate limit

A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold. To configure the
rate limiting use:

set load-balancing wan rule <rule> limit <parameter>

• burst: Number of packets allowed to overshoot the limit within period. Default 5.
• period: Time window for rate calculation. Possible values: second (one second), minute (one minute),
hour (one hour). Default is second.
• rate: Number of packets. Default 5.
• threshold: below or above the specified rate limit.

Flow and packet-based balancing

Outgoing traffic is balanced in a flow-based manner. A connection tracking table is used to track flows by their source
address, destination address and port. Each flow is assigned to an interface according to the defined balancing rules and
subsequent packets are sent through the same interface. This has the advantage that packets always arrive in order if links
with different speeds are in use.
Packet-based balancing can lead to a better balance across interfaces when out of order packets are no issue. Per-packet-
based balancing can be set for a balancing rule with:

set load-balancing wan rule <rule> per-packet-balancing

Exclude traffic

To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system
routing table instead:

set load-balancing wan rule <rule> exclude

8.4. WAN load balancing 367

 VyOS Documentation, 发布 1.4.x (sagitta)

8.4.2 Health checks

The health of interfaces and paths assigned to the load balancer is periodically checked by sending ICMP packets (ping)
to remote destinations, a TTL test or the execution of a user defined script. If an interface fails the health check it is
removed from the load balancer’s pool of interfaces. To enable health checking for an interface:

vyos@vyos# set load-balancing wan interface-health <interface>

Possible completions:
failure-count Failure count
nexthop Outbound interface nexthop address. Can be 'dhcp or ip address'␣
,→[REQUIRED]

success-count Success count

+> test Rule number

Specify nexthop on the path to destination, ipv4-address can be set to dhcp

set load-balancing wan interface-health <interface> nexthop <ipv4-address>

Set the number of health check failures before an interface is marked as unavailable, range for number is 1 to 10, default
1. Or set the number of successful health checks before an interface is added back to the interface pool, range for number
is 1 to 10, default 1.

set load-balancing wan interface-health <interface> failure-count <number>

set load-balancing wan interface-health <interface> success-count <number>

Each health check is configured in its own test, tests are numbered and processed in numeric order. For multi target health
checking multiple tests can be defined:

vyos@vyos# set load-balancing wan interface-health eth1 test 0

Possible completions:
resp-time Ping response time (seconds)
target Health target address
test-script Path to user defined script
ttl-limit Ttl limit (hop count)
type WLB test type

• resp-time: the maximum response time for ping in seconds. Range 1…30, default 5
• target: the target to be sent ICMP packets to, address can be an IPv4 address or hostname
• test-script: A user defined script must return 0 to be considered successful and non-zero to fail. Scripts are
located in /config/scripts, for different locations the full path needs to be provided
• ttl-limit: For the UDP TTL limit test the hop count limit must be specified. The limit must be shorter than
the path length, an ICMP time expired message is needed to be returned for a successful test. default 1
• type: Specify the type of test. type can be ping, ttl or a user defined script

8.4. WAN load balancing 368

 VyOS Documentation, 发布 1.4.x (sagitta)

8.4.3 Source NAT rules

Per default, interfaces used in a load balancing pool replace the source IP of each outgoing packet with its own address to
ensure that replies arrive on the same interface. This works through automatically generated source NAT (SNAT) rules,
these rules are only applied to balanced traffic. In cases where this behaviour is not desired, the automatic generation of
SNAT rules can be disabled:

set load-balancing wan disable-source-nat

8.4.4 Sticky Connections

Inbound connections to a WAN interface can be improperly handled when the reply is sent back to the client.

Upon reception of an incoming packet, when a response is sent, it might be desired to ensure that it leaves from the same
interface as the inbound one. This can be achieved by enabling sticky connections in the load balancing:

set load-balancing wan sticky-connections inbound

8.4.5 Failover

In failover mode, one interface is set to be the primary interface and other interfaces are secondary or spare. Instead
of balancing traffic across all healthy interfaces, only the primary interface is used and in case of failure, a secondary
interface selected from the pool of available interfaces takes over. The primary interface is selected based on its weight
and health, others become secondary interfaces. Secondary interfaces to take over a failed primary interface are chosen
from the load balancer’s interface pool, depending on their weight and health. Interface roles can also be selected based
on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in
failover mode, create a failover rule:

set load-balancing wan rule <number> failover

8.4. WAN load balancing 369

 VyOS Documentation, 发布 1.4.x (sagitta)

Because existing sessions do not automatically fail over to a new path, the session table can be flushed on each connection
state change:

set load-balancing wan flush-connections

警告: Flushing the session table will cause other connections to fall back from flow-based to packet-based balancing
until each flow is reestablished.

8.4.6 Script execution

A script can be run when an interface state change occurs. Scripts are run from /config/scripts, for a different location
specify the full path:

set load-balancing wan hook script-name

Two environment variables are available:

• WLB_INTERFACE_NAME=[interfacename]: Interface to be monitored
• WLB_INTERFACE_STATE=[ACTIVE|FAILED]: Interface state

警告: Blocking call with no timeout. System will become unresponsive if script does not return!

8.4.7 Handling and monitoring

Show WAN load balancer information including test types and targets. A character at the start of each line depicts the
state of the test
• + successful
• - failed
• a blank indicates that no test has been carried out

vyos@vyos:~$ show wan-load-balance

Interface: eth0
Status: failed
Last Status Change: Tue Jun 11 20:12:19 2019
-Test: ping Target:
Last Interface Success: 55s
Last Interface Failure: 0s
# Interface Failure(s): 5

Interface: eth1
Status: active
Last Status Change: Tue Jun 11 20:06:42 2019
+Test: ping Target:
Last Interface Success: 0s
Last Interface Failure: 6m26s
# Interface Failure(s): 0

Show connection data of load balanced traffic:

8.4. WAN load balancing 370

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos:~$ show wan-load-balance connection

conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown.
Type State Src Dst Packets Bytes
tcp TIME_WAIT 10.1.1.13:38040 203.0.113.2:80 203.0.113.2 ␣
,→192.168.188.71

udp 10.1.1.13:41891 198.51.100.3:53 198.51.100.3␣

,→192.168.188.71

udp 10.1.1.13:55437 198.51.100.3:53 198.51.100.3␣

,→192.168.188.71

Restart

restart wan-load-balance

8.5 NAT

8.5.1 NAT44

NAT (Network Address Translation) is a common method of remapping one IP address space into another by modifying
network address information in the IP header of packets while they are in transit across a traffic routing device. The
technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It
has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One
Internet-routable IP address of a NAT gateway can be used for an entire private network.
IP masquerading is a technique that hides an entire IP address space, usually consisting of private IP addresses, behind
a single IP address in another, usually public address space. The hidden addresses are changed into a single (public) IP
address as the source address of the outgoing IP packets so they appear as originating not from the hidden host but from
the routing device itself. Because of the popularity of this technique to conserve IPv4 address space, the term NAT has
become virtually synonymous with IP masquerading.
As network address translation modifies the IP address information in packets, NAT implementations may vary in their
specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not
commonly documented by vendors of equipment containing NAT implementations.
The computers on an internal network can use any of the addresses set aside by the IANA (Internet Assigned Numbers
Authority) for private addressing (see RFC 1918). These reserved IP addresses are not in use on the Internet, so an
external machine will not directly route to them. The following addresses are reserved for private use:
• 10.0.0.0 to 10.255.255.255 (CIDR: 10.0.0.0/8)
• 172.16.0.0 to 172.31.255.255 (CIDR: 172.16.0.0/12)
• 192.168.0.0 to 192.168.255.255 (CIDR: 192.168.0.0/16)
If an ISP deploys a CGN (Carrier-grade NAT), and uses RFC 1918 address space to number customer gateways, the risk
of address collision, and therefore routing failures, arises when the customer network already uses an RFC 1918 address
space.
This prompted some ISPs to develop a policy within the ARIN (American Registry for Internet Numbers) to allocate
new private address space for CGNs, but ARIN deferred to the IETF before implementing the policy indicating that the
matter was not a typical allocation issue but a reservation of addresses for technical purposes (per RFC 2860).
IETF published RFC 6598, detailing a shared address space for use in ISP CGN deployments that can handle the same
network prefixes occurring both on inbound and outbound interfaces. ARIN returned address space to the IANA for this
allocation.

8.5. NAT 371

 VyOS Documentation, 发布 1.4.x (sagitta)

The allocated address block is 100.64.0.0/10.

Devices evaluating whether an IPv4 address is public must be updated to recognize the new address space. Allocating
more private IPv4 address space for NAT devices might prolong the transition to IPv6.

Overview

Different NAT Types

SNAT

SNAT (Source Network Address Translation) is the most common form of NAT and is typically referred to simply as
NAT. To be more correct, what most people refer to as NAT is actually the process of PAT (Port Address Translation),
or NAT overload. SNAT is typically used by internal users/private hosts to access the Internet - the source address is
translated and thus kept private.

DNAT

DNAT (Destination Network Address Translation) changes the destination address of packets passing through the router,
while SNAT changes the source address of packets. DNAT is typically used when an external (public) host needs to
initiate a session with an internal (private) host. A customer needs to access a private service behind the routers public
IP. A connection is established with the routers public IP address on a well known port and thus all traffic for this port is
rewritten to address the internal (private) host.

Bidirectional NAT

This is a common scenario where both SNAT and DNAT are configured at the same time. It’s commonly used then
internal (private) hosts need to establish a connection with external resources and external systems need to access internal
(private) resources.

NAT, Routing, Firewall Interaction

There is a very nice picture/explanation in the Vyatta documentation which should be rewritten here.

NAT Ruleset

NAT is configured entirely on a series of so called rules. Rules are numbered and evaluated by the underlying OS in
numerical order! The rule numbers can be changes by utilizing the rename and copy commands.

注解: Changes to the NAT system only affect newly established connections. Already established connections are not
affected.

提示: When designing your NAT ruleset leave some space between consecutive rules for later extension. Your ruleset
could start with numbers 10, 20, 30. You thus can later extend the ruleset and place new rules between existing ones.

Rules will be created for both SNAT and DNAT.

8.5. NAT 372

 VyOS Documentation, 发布 1.4.x (sagitta)

For Bidirectional NAT a rule for both SNAT and DNAT needs to be created.

Traffic Filters

Traffic Filters are used to control which packets will have the defined NAT rules applied. Five different filters can be
applied within a NAT rule.
• outbound-interface - applicable only to SNAT. It configures the interface which is used for the outside traffic that
this translation rule applies to.
Example:

set nat source rule 20 outbound-interface eth0

• inbound-interface - applicable only to DNAT. It configures the interface which is used for the inside traffic the
translation rule applies to.
Example:

set nat destination rule 20 inbound-interface eth1

• protocol - specify which types of protocols this translation rule applies to. Only packets matching the specified
protocol are NATed. By default this applies to all protocols.
Example:
– Set SNAT rule 20 to only NAT TCP and UDP packets
– Set DNAT rule 20 to only NAT UDP packets

set nat source rule 20 protocol tcp_udp

set nat destination rule 20 protocol udp

• source - specifies which packets the NAT translation rule applies to based on the packets source IP address and/or
source port. Only matching packets are considered for NAT.
Example:
– Set SNAT rule 20 to only NAT packets arriving from the 192.0.2.0/24 network
– Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 network with a source port of 80
and 443

set nat source rule 20 source address 192.0.2.0/24

set nat source rule 30 source address 203.0.113.0/24
set nat source rule 30 source port 80,443

• destination - specify which packets the translation will be applied to, only based on the destination address and/or
port number configured.

注解: If no destination is specified the rule will match on any destination address and port.

Example:
– Configure SNAT rule (40) to only NAT packets with a destination address of 192.0.2.1.

set nat source rule 40 destination address 192.0.2.1

8.5. NAT 373

 VyOS Documentation, 发布 1.4.x (sagitta)

Address Conversion

Every NAT rule has a translation command defined. The address defined for the translation is the address used when the
address information in a packet is replaced.

Source Address

For SNAT rules the packets source address will be replaced with the address specified in the translation command. A port
translation can also be specified and is part of the translation address.

注解: The translation address must be set to one of the available addresses on the configured outbound-interface or it
must be set to masquerade which will use the primary IP address of the outbound-interface as its translation address.

注解: When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used
to NAT every 256 private host systems. This is due to the limit of 65,000 port numbers available for unique translations
and a reserving an average of 200-300 sessions per host system.

Example:
• Define a discrete source IP address of 100.64.0.1 for SNAT rule 20
• Use address masquerade (the interfaces primary address) on rule 30
• For a large amount of private machines behind the NAT your address pool might to be bigger. Use any address in
the range 100.64.0.10 - 100.64.0.20 on SNAT rule 40 when doing the translation

set nat source rule 20 translation address 100.64.0.1

set nat source rule 30 translation address 'masquerade'
set nat source rule 40 translation address 100.64.0.10-100.64.0.20

Destination Address

For DNAT rules the packets destination address will be replaced by the specified address in the translation address com-
mand.
Example:
• DNAT rule 10 replaces the destination address of an inbound packet with 192.0.2.10

set nat destination rule 10 translation address 192.0.2.10

8.5. NAT 374

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration Examples

To setup SNAT, we need to know:

• The internal IP addresses we want to translate
• The outgoing interface to perform the translation on
• The external IP address to translate to
In the example used for the Quick Start configuration above, we demonstrate the following configuration:

set nat source rule 100 outbound-interface 'eth0'

set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'

Which generates the following configuration:

rule 100 {
outbound-interface eth0
source {
address 192.168.0.0/24
}
translation {
address masquerade
}
}

In this example, we use masquerade as the translation address instead of an IP address. The masquerade target is
effectively an alias to say “use whatever IP address is on the outgoing interface”, rather than a statically configured IP
address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will be.
When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used to NAT
every 256 host systems. This is due to the limit of 65,000 port numbers available for unique translations and a reserving
an average of 200-300 sessions per host system.
Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is recommended.
A pool of addresses can be defined by using a hyphen between two IP addresses:

set nat source rule 100 translation address '203.0.113.32-203.0.113.63'

Avoiding “leaky”NAT

Linux netfilter will not NAT traffic marked as INVALID. This often confuses people into thinking that Linux (or specif-
ically VyOS) has a broken NAT implementation because non-NATed traffic is seen leaving an external interface. This
is actually working as intended, and a packet capture of the “leaky”traffic should reveal that the traffic is either an
additional TCP “RST”, “FIN,ACK”, or “RST,ACK”sent by client systems after Linux netfilter considers the
connection closed. The most common is the additional TCP RST some host implementations send after terminating a
connection (which is implementation-specific).
In other words, connection tracking has already observed the connection be closed and has transition the flow to INVALID
to prevent attacks from attempting to reuse the connection.
You can avoid the “leaky”behavior by using a firewall policy that drops “invalid”state packets.
Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important troubleshoot-
ing tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead
allowing the operator to make the determination on how the traffic is handled.

8.5. NAT 375

 VyOS Documentation, 发布 1.4.x (sagitta)

Hairpin NAT/NAT Reflection

A typical problem with using NAT and hosting public servers is the ability for internal systems to reach an internal server
using it’s external IP address. The solution to this is usually the use of split-DNS to correctly point host systems to the
internal address when requests are made internally. Because many smaller networks lack DNS infrastructure, a work-
around is commonly deployed to facilitate the traffic by NATing the request from internal hosts to the source address of
the internal interface on the firewall.
This technique is commonly referred to as NAT Reflection or Hairpin NAT.
Example:
• Redirect Microsoft RDP traffic from the outside (WAN, external) world via DNAT in rule 100 to the internal,
private host 192.0.2.40.
• Redirect Microsoft RDP traffic from the internal (LAN, private) network via DNAT in rule 110 to the internal,
private host 192.0.2.40. We also need a SNAT rule 110 for the reverse path of the traffic. The internal network
192.0.2.0/24 is reachable via interface eth0.10.

set nat destination rule 100 description 'Regular destination NAT from external'
set nat destination rule 100 destination port '3389'
set nat destination rule 100 inbound-interface 'pppoe0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.0.2.40'

set nat destination rule 110 description 'NAT Reflection: INSIDE'

set nat destination rule 110 destination port '3389'
set nat destination rule 110 inbound-interface 'eth0.10'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.0.2.40'

set nat source rule 110 description 'NAT Reflection: INSIDE'

set nat source rule 110 destination address '192.0.2.0/24'
set nat source rule 110 outbound-interface 'eth0.10'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/24'
set nat source rule 110 translation address 'masquerade'

Which results in a configuration of:

vyos@vyos# show nat

destination {
rule 100 {
description "Regular destination NAT from external"
destination {
port 3389
}
inbound-interface pppoe0
protocol tcp
translation {
address 192.0.2.40
}
}
rule 110 {
description "NAT Reflection: INSIDE"
destination {
port 3389
}
(下页继续)

8.5. NAT 376

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
inbound-interface eth0.10
protocol tcp
translation {
address 192.0.2.40
}
}
}
source {
rule 110 {
description "NAT Reflection: INSIDE"
destination {
address 192.0.2.0/24
}
outbound-interface eth0.10
protocol tcp
source {
address 192.0.2.0/24
}
translation {
address masquerade
}
}
}

Destination NAT

DNAT is typically referred to as a Port Forward. When using VyOS as a NAT router and firewall, a common configu-
ration task is to redirect incoming traffic to a system behind the firewall.
In this example, we will be using the example Quick Start configuration above as a starting point.
To setup a destination NAT rule we need to gather:
• The interface traffic will be coming in on;
• The protocol and port we wish to forward;
• The IP address of the internal system we wish to forward traffic to.
In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100. HTTP traffic makes
use of the TCP protocol on port 80. For other common port numbers, see: https://en.wikipedia.org/wiki/List_of_TCP_
and_UDP_port_numbers
Our configuration commands would be:
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'

Which would generate the following NAT destination configuration:

nat {
destination {
rule 10 {
description "Port Forward: HTTP to 192.168.0.100"
(下页继续)

8.5. NAT 377

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
destination {
port 80
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.0.100
}
}
}
}

注解: If forwarding traffic to a different port than it is arriving on, you may also configure the translation port using set
nat destination rule [n] translation port.

This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic.
It is important to note that when creating firewall rules that the DNAT translation occurs before traffic traverses the
firewall. In other words, the destination address has already been translated to 192.168.0.100.
So in our firewall policy, we want to allow traffic coming in on the outside interface, destined for TCP port 80 and the IP
address of 192.168.0.100.

set firewall name OUTSIDE-IN rule 20 action 'accept'

set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
set firewall name OUTSIDE-IN rule 20 destination port '80'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'

This would generate the following configuration:

rule 20 {
action accept
destination {
address 192.168.0.100
port 80
}
protocol tcp
state {
new enable
}
}

注解: If you have configured the INSIDE-OUT policy, you will need to add additional rules to permit inbound NAT
traffic.

8.5. NAT 378

 VyOS Documentation, 发布 1.4.x (sagitta)

1-to-1 NAT

Another term often used for DNAT is 1-to-1 NAT. For a 1-to-1 NAT configuration, both DNAT and SNAT are used to
NAT all traffic from an external IP address to an internal IP address and vice-versa.
Typically, a 1-to-1 NAT rule omits the destination port (all ports) and replaces the protocol with either all or ip.
Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This
dedicates an external IP address to an internal IP address and is useful for protocols which don’t have the notion of ports,
such as GRE.
Here’s an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:

set interfaces ethernet eth0 address '192.168.1.1/24'

set interfaces ethernet eth0 description 'Inside interface'
set interfaces ethernet eth1 address '192.0.2.30/24'
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'

Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of
inbound rules.

NAT before VPN

Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and
require that a connecting organisation translate all traffic to the service provider network to a source address provided by
the ASP.

Example Network

Here’s one example of a network environment for an ASP. The ASP requests that all connections from this company
should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site.

图 1: NAT before VPN Topology

8.5. NAT 379

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

The required configuration can be broken down into 4 major pieces:

• A dummy interface for the provider-assigned IP;
• NAT (specifically, Source NAT);
• IPSec IKE and ESP Groups;
• IPSec VPN tunnels.

Dummy interface

The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface
we can use for IP addresses the router must know about, but which are not actually assigned to a real network.
We only need a single step for this interface:

set interfaces dummy dum0 address '172.29.41.89/32'

NAT Configuration

set nat source rule 110 description 'Internal to ASP'

set nat source rule 110 destination address '172.27.1.0/24'
set nat source rule 110 outbound-interface 'any'
set nat source rule 110 source address '192.168.43.0/24'
set nat source rule 110 translation address '172.29.41.89'
set nat source rule 120 description 'Internal to ASP'
set nat source rule 120 destination address '10.125.0.0/16'
set nat source rule 120 outbound-interface 'any'
set nat source rule 120 source address '192.168.43.0/24'
set nat source rule 120 translation address '172.29.41.89'

IPSec IKE and ESP

The ASP has documented their IPSec requirements:

• IKE Phase:
– aes256 Encryption
– sha256 Hashes
• ESP Phase:
– aes256 Encryption
– sha256 Hashes
– DH Group 14
Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)

8.5. NAT 380

 VyOS Documentation, 发布 1.4.x (sagitta)

set vpn ipsec ike-group my-ike ikev2-reauth 'no'

set vpn ipsec ike-group my-ike key-exchange 'ikev1'
set vpn ipsec ike-group my-ike lifetime '7800'
set vpn ipsec ike-group my-ike proposal 1 dh-group '14'
set vpn ipsec ike-group my-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group my-ike proposal 1 hash 'sha256'

set vpn ipsec esp-group my-esp compression 'disable'

set vpn ipsec esp-group my-esp lifetime '3600'
set vpn ipsec esp-group my-esp mode 'tunnel'
set vpn ipsec esp-group my-esp pfs 'disable'
set vpn ipsec esp-group my-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group my-esp proposal 1 hash 'sha256'

set vpn ipsec ipsec-interfaces interface 'eth1'

IPSec VPN Tunnels

We’ll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far
side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step,
make sure you use the correct names here too.

set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'

set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret
,→'PASSWORD IS HERE'

set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate'

set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp'
set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike'
set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'

Testing and Validation

If you’ve completed all the above steps you no doubt want to see if it’s all working.
Start by checking for IPSec SAs (Security Associations) with:

$ show vpn ipsec sa

Peer ID / IP Local ID / IP
------------ -------------
198.51.100.243 203.0.113.46

Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 0.0/0.0 aes256 sha256 no 1647 3600 all
1 up 0.0/0.0 aes256 sha256 no 865 3600 all

That looks good - we defined 2 tunnels and they’re both up and running.

8.5. NAT 381

 VyOS Documentation, 发布 1.4.x (sagitta)

8.5.2 NAT66(NPTv6)

NPT 6 (IPv6-to-IPv6 Network Prefix Translation) is an address translation technology basedon IPv6 networks, used
to convert an IPv6 address prefix in an IPv6 message into another IPv6address prefix. We call this address translation
method NAT66. Devices that support the NAT66 function are called NAT66 devices, which can provide NAT66 source
and destination address translation functions.

Overview

Different NAT Types

SNAT66

SNPT 6 (Source IPv6-to-IPv6 Network Prefix Translation) The conversion function is mainly used in the following
scenarios:
• A single internal network and external network. Use the NAT66 device to connect a single internal network and
public network, and the hosts in the internal network use IPv6 address prefixes that only support routing within the
local range. When a host in the internal network accesses the external network, the source IPv6 address prefix in
the message will be converted into a global unicast IPv6 address prefix by the NAT66 device.
• Redundancy and load sharing. There are multiple NAT66 devices at the edge of an IPv6 network to another IPv6
network. The path through the NAT66 device to another IPv6 network forms an equivalent route, and traffic can
be load-shared on these NAT66 devices. In this case, you can configure the same source address translation rules
on these NAT66 devices, so that any NAT66 device can handle IPv6 traffic between different sites.
• Multi-homed. In a multi-homed network environment, the NAT66 device connects to an internal network and
simultaneously connects to different external networks. Address translation can be configured on each external
network side interface of the NAT66 device to convert the same internal network address into different external
network addresses, and realize the mapping of the same internal address to multiple external addresses.

DNAT66

The DNPT 6 (Destination IPv6-to-IPv6 Network Prefix Translation) destination address translation function is used in
scenarios where the server in the internal network provides services to the external network, such as providing Web
services or FTP services to the external network. By configuring the mapping relationship between the internal server
address and the external network address on the external network side interface of the NAT66 device, external network
users can access the internal network server through the designated external network address.

Prefix Conversion

Source Prefix

Every SNAT66 rule has a translation command defined. The prefix defined for the translation is the prefix used when the
address information in a packet is replaced.、
The SNAT66 rule replaces the source address of the packet and calculates the converted address using the prefix specified
in the rule.
Example:
• Convert the address prefix of a single fc01::/64 network to fc00::/64
• Output from eth0 network interface

8.5. NAT 382

 VyOS Documentation, 发布 1.4.x (sagitta)

set nat66 source rule 1 outbound-interface 'eth0'

set nat66 source rule 1 source prefix 'fc01::/64'
set nat66 source rule 1 translation address 'fc00::/64'

Destination Prefix

For the DNAT66 rule, the destination address of the packet isreplaced by the address calculated from the specified address
or prefix in the translation address command
Example:
• Convert the address prefix of a single fc00::/64 network to fc01::/64
• Input from eth0 network interface
set nat66 destination rule 1 inbound-interface 'eth0'
set nat66 destination rule 1 destination address 'fc00::/64'
set nat66 destination rule 1 translation address 'fc01::/64'

Configuration Examples

Use the following topology to build a nat66 based isolated network between internal and external networks (dynamic
prefix is not supported):

R1:
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth1 address 'fc01::1/64'
set nat66 destination rule 1 destination address 'fc00:470:f1cd:101::/64'
set nat66 destination rule 1 inbound-interface 'eth0'
(下页继续)

8.5. NAT 383

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set nat66 destination rule 1 translation address 'fc01::/64'
set nat66 source rule 1 outbound-interface 'eth0'
set nat66 source rule 1 source prefix 'fc01::/64'
set nat66 source rule 1 translation address 'fc00:470:f1cd:101::/64'

R2:

set interfaces bridge br1 address 'fc01::2/64'

set interfaces bridge br1 member interface eth0
set interfaces bridge br1 member interface eth1
set protocols static route6 ::/0 next-hop fc01::1
set service router-advert interface br1 prefix ::/0

8.6 Policy

Routing Policies could be used to tell the router (self or neighbors) what routes and their attributes needs to be put into
the routing table.
There could be a wide range of routing policies. Some examples are below:
• Set some metric to routes learned from a particular neighbor
• Set some attributes (like AS PATH or Community value) to advertised routes to neighbors
• Prefer a specific routing protocol routes over another routing protocol running on the same router

8.6.1 Example

Policy definition:

# Create policy
set policy route-map setmet rule 2 action 'permit'
set policy route-map setmet rule 2 set as-path-prepend '2 2 2'

# Apply policy to BGP

set protocols bgp 1 neighbor 203.0.113.2 address-family ipv4-unicast route-map import
,→'setmet'

set protocols bgp 1 neighbor 203.0.113.2 address-family ipv4-unicast soft-

,→reconfiguration 'inbound'

Using ‘soft-reconfiguration’we get the policy update without bouncing the neighbor.
Routes learned before routing policy applied:

vyos@vos1:~$ show ip bgp

BGP table version is 0, local router ID is 192.168.56.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path

Total number of prefixes 1

8.6. Policy 384

 VyOS Documentation, 发布 1.4.x (sagitta)

Routes learned after routing policy applied:

vyos@vos1:~$ sho ip b
BGP table version is 0, local router ID is 192.168.56.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i

Total number of prefixes 1

vyos@vos1:~$

You now see the longer AS path.

8.7 PBR

PBR (Policy-Based Routing) allowing traffic to be assigned to different routing tables. Traffic can be matched using
standard 5-tuple matching (source address, destination address, protocol, source port, destination port).

8.7.1 Transparent Proxy

The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy:

set policy route FILTER-WEB rule 1000 destination port 80

set policy route FILTER-WEB rule 1000 protocol tcp
set policy route FILTER-WEB rule 1000 set table 100

This creates a route policy called FILTER-WEB with one rule to set the routing table for matching traffic (TCP port 80)
to table ID 100 instead of the default routing table.
To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:

set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2

This can be confirmed using the show ip route table 100 operational command.
Finally, to apply the policy route to ingress traffic on our LAN interface, we use:

set interfaces ethernet eth1 policy route FILTER-WEB

8.7.2 Multiple Uplinks

VyOS Policy-Based Routing (PBR) works by matching source IP address ranges and forwarding the traffic using different
routing tables.
Routing tables that will be used in this example are:
• table 10 Routing table used for VLAN 10 (192.168.188.0/24)
• table 11 Routing table used for VLAN 11 (192.168.189.0/24)
• main Routing table used by VyOS and other interfaces not participating in PBR

8.7. PBR 385

 VyOS Documentation, 发布 1.4.x (sagitta)

图 2: Policy-Based Routing with multiple ISP uplinks (source ./draw.io/pbr_example_1.drawio)

8.7. PBR 386

 VyOS Documentation, 发布 1.4.x (sagitta)

Add default routes for routing table 10 and table 11

set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.2.1

set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2

Add policy route matching VLAN source addresses

set policy route PBR rule 20 set table '10'

set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10'
set policy route PBR rule 20 source address '192.168.188.0/24'

set policy route PBR rule 30 set table '11'

set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11'
set policy route PBR rule 30 source address '192.168.189.0/24'

Apply routing policy to inbound direction of out VLAN interfaces

set interfaces ethernet eth0 vif 10 policy route 'PBR'

set interfaces ethernet eth0 vif 11 policy route 'PBR'

OPTIONAL: Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR

set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'
set policy route PBR rule 10 destination address '192.168.188.0/24'
set policy route PBR rule 10 destination address '192.168.189.0/24'
set policy route PBR rule 10 set table 'main'

These commands allow the VLAN10 and VLAN20 hosts to communicate with each other using the main routing table.

8.7.3 Local route

The following example allows VyOS to use PBR for traffic, which originated from the router itself. That solution for
multiple ISP’s and VyOS router will respond from the same interface that the packet was received. Also, it used, if we
want that one VPN tunnel to be through one provider, and the second through another.
• 203.0.113.0.254 IP addreess on VyOS eth1 from ISP1
• 192.168.2.254 IP addreess on VyOS eth2 from ISP2
• table 10 Routing table used for ISP1
• table 11 Routing table used for ISP2

set policy local-route rule 101 set table '10'

set policy local-route rule 101 source '203.0.113.0.254'
set policy local-route rule 102 set table '11'
set policy local-route rule 102 source '192.0.2.254'
set protocols static table 10 route '0.0.0.0/0' next-hop '203.0.113.0.1'
set protocols static table 11 route '0.0.0.0/0' next-hop '192.0.2.2'

Add multiple source IP in one rule with same priority

set policy local-route rule 101 set table '10'

set policy local-route rule 101 source '203.0.113.0.254'
set policy local-route rule 101 source '203.0.113.0.253'
set policy local-route rule 101 source '198.51.100.0/24'

8.7. PBR 387

 VyOS Documentation, 发布 1.4.x (sagitta)

8.8 Protocols

8.8.1 BFD

BFD (Bidirectional Forwarding Detection) is described and extended by the following RFCs: RFC 5880, RFC 5881 and
RFC 5883.
In the age of very fast networks, a second of unreachability may equal millions of lost packets. The idea behind BFD is
to detect very quickly when a peer is down and take action extremely fast.
BFD sends lots of small UDP packets very quickly to ensures that the peer is still alive.
This allows avoiding the timers defined in BGP and OSPF protocol to expires.

Configure BFD

set protocols bfd peer <address>

Set BFD peer IPv4 address or IPv6 address
set protocols bfd peer <address> echo-mode
Enables the echo transmission mode
set protocols bfd peer <address> multihop
Allow this BFD peer to not be directly connected
set protocols bfd peer <address> source [address <address> | interface
<interface>]
Bind listener to specifid interface/address, mandatory for IPv6
set protocols bfd peer <address> interval echo-interval <10-60000>
The minimal echo receive transmission interval that this system is capable of handling
set protocols bfd peer <address> interval multiplier <2-255>
Remote transmission interval will be multiplied by this value
set protocols bfd peer <address> interval [receive | transmit] <10-60000>
Interval in milliseconds
set protocols bfd peer <address> shutdown
Disable a BFD peer

Enable BFD in BGP

set protocols bgp <asn> neighbor <address> bfd

Enable BFD on a single BGP neighbor
set protocols bgp <asn> peer-group <group> bfd
Enable BFD on a BGP peer group

8.8. Protocols 388

 VyOS Documentation, 发布 1.4.x (sagitta)

Enable BFD in OSPF

set interfaces ethernet <interface> ip ospf bfd

Enable BFD for OSPF on a interface
set interfaces ethernet <interface> ipv6 ospfv3 bfd
Enable BFD for OSPFv3 on a interface

Enable BFD in ISIS

set protocols isis <name> interface <interface> bfd

Enable BFD for ISIS on a interface

Operational Commands

show protocols bfd peer

Show all BFD peers

BFD Peers:
peer 198.51.100.33 vrf default interface eth4.100
ID: 4182341893
Remote ID: 12678929647
Status: up
Uptime: 1 month(s), 16 hour(s), 29 minute(s), 38 second(s)
Diagnostics: ok
Remote diagnostics: ok
Local timers:
Receive interval: 300ms
Transmission interval: 300ms
Echo transmission interval: 50ms
Remote timers:
Receive interval: 300ms
Transmission interval: 300ms
Echo transmission interval: 0ms

peer 198.51.100.55 vrf default interface eth4.101

ID: 4618932327
Remote ID: 3312345688
Status: up
Uptime: 20 hour(s), 16 minute(s), 19 second(s)
Diagnostics: ok
Remote diagnostics: ok
Local timers:
Receive interval: 300ms
Transmission interval: 300ms
Echo transmission interval: 50ms
Remote timers:
Receive interval: 300ms
Transmission interval: 300ms
Echo transmission interval: 0ms

8.8. Protocols 389

 VyOS Documentation, 发布 1.4.x (sagitta)

8.8.2 BGP

BGP (Border Gateway Protocol) is one of the Exterior Gateway Protocols and the de facto standard interdomain routing
protocol. The latest BGP version is 4. BGP-4 is described in RFC 1771 and updated by RFC 4271. RFC 2858 adds
multiprotocol support to BGP.
VyOS makes use of FRR (Free Range Routing) and we would like to thank them for their effort!

Basic Concepts

Autonomous Systems

From RFC 1930:

An AS is a connected group of one or more IP prefixes run by one or more network operators which has a
SINGLE and CLEARLY DEFINED routing policy.
Each AS has an identifying number associated with it called an ASN (Autonomous System Number). This is a two octet
value ranging in value from 1 to 65535. The AS numbers 64512 through 65535 are defined as private AS numbers.
Private AS numbers must not be advertised on the global Internet. The 2-byte AS number range has been exhausted.
4-byte AS numbers are specified in RFC 6793, and provide a pool of 4294967296 AS numbers.
The ASN is one of the essential elements of BGP. BGP is a distance vector routing protocol, and the AS-Path framework
provides distance vector metric and loop detection to BGP.

Address Families

Multiprotocol extensions enable BGP to carry routing information for multiple network layer protocols. BGP supports
an Address Family Identifier (AFI) for IPv4 and IPv6.

Route Selection

The route selection process used by FRR’s BGP implementation uses the following decision criterion, starting at the top
of the list and going towards the bottom until one of the factors can be used.
1. Weight check
Prefer higher local weight routes to lower routes.
2. Local preference check
Prefer higher local preference routes to lower.
3. Local route check
Prefer local routes (statics, aggregates, redistributed) to received routes.
4. AS path length check
Prefer shortest hop-count AS_PATHs.
5. Origin check
Prefer the lowest origin type route. That is, prefer IGP origin routes to EGP, to Incomplete routes.
6. MED check
Where routes with a MED were received from the same AS, prefer the route with the lowest MED.

8.8. Protocols 390

 VyOS Documentation, 发布 1.4.x (sagitta)

7. External check
Prefer the route received from an external, eBGP peer over routes received from other types of peers.
8. IGP cost check
Prefer the route with the lower IGP cost.
9. Multi-path check
If multi-pathing is enabled, then check whether the routes not yet distinguished in preference may be considered
equal. If bgp bestpath as-path multipath-relax is set, all such routes are considered equal, oth-
erwise routes received via iBGP with identical AS_PATHs or routes received from eBGP neighbours in the same
AS are considered equal.
10. Already-selected external check
Where both routes were received from eBGP peers, then prefer the route which is already selected. Note that this
check is not applied if bgp bestpath compare-routerid is configured. This check can prevent some
cases of oscillation.
11. Router-ID check
Prefer the route with the lowest router-ID. If the route has an ORIGINATOR_ID attribute, through iBGP reflection,
then that router ID is used, otherwise the router-ID of the peer the route was received from is used.
12. Cluster-List length check
The route with the shortest cluster-list length is used. The cluster-list reflects the iBGP reflection path the route has
taken.
13. Peer address
Prefer the route received from the peer with the higher transport layer address, as a last-resort tie-breaker.

Capability Negotiation

When adding IPv6 routing information exchange feature to BGP. There were some proposals. IETF (Internet Engineering
Task Force) IDR (Inter Domain Routing) adopted a proposal called Multiprotocol Extension for BGP. The specification
is described in RFC 2283. The protocol does not define new protocols. It defines new attributes to existing BGP. When
it is used exchanging IPv6 routing information it is called BGP-4+. When it is used for exchanging multicast routing
information it is called MBGP.
bgpd supports Multiprotocol Extension for BGP. So if a remote peer supports the protocol, bgpd can exchange IPv6
and/or multicast routing information.
Traditional BGP did not have the feature to detect a remote peer’s capabilities, e.g. whether it can handle prefix types
other than IPv4 unicast routes. This was a big problem using Multiprotocol Extension for BGP in an operational network.
RFC 2842 adopted a feature called Capability Negotiation. bgpd use this Capability Negotiation to detect the remote peer’
s capabilities. If a peer is only configured as an IPv4 unicast neighbor, bgpd does not send these Capability Negotiation
packets (at least not unless other optional BGP features require capability negotiation).
By default, FRR will bring up peering with minimal common capability for the both sides. For example, if the local router
has unicast and multicast capabilities and the remote router only has unicast capability the local router will establish the
connection with unicast only capability. When there are no common capabilities, FRR sends Unsupported Capability
error and then resets the connection.

8.8. Protocols 391

 VyOS Documentation, 发布 1.4.x (sagitta)

BGP Router Configuration

First of all you must configure BGP router with the ASN. The AS number is an identifier for the autonomous system. The
BGP protocol uses the AS number for detecting whether the BGP connection is internal or external. VyOS does not have
a special command to start the BGP process. The BGP process starts when the first neighbor is configured.

Peers Configuration

Defining Peers

set protocols bgp <asn> neighbor <address|interface> remote-as <nasn>

This command creates a new neighbor whose remote-as is <nasn>. The neighbor address can be an IPv4 address
or an IPv6 address or an interface to use for the connection. The command it applicable for peer and peer group.
set protocols bgp <asn> neighbor <address|interface> remote-as internal
Create a peer as you would when you specify an ASN, except that if the peers ASN is different than mine as
specified under the protocols bgp <asn> command the connection will be denied.
set protocols bgp <asn> neighbor <address|interface> remote-as external
Create a peer as you would when you specify an ASN, except that if the peers ASN is the same as mine as specified
under the protocols bgp <asn> command the connection will be denied.
set protocols bgp <asn> neighbor <address|interface> shutdown
This command disable the peer or peer group. To reenable the peer use the delete form of this command.
set protocols bgp <asn> neighbor <address|interface> description <text>
Set description of the peer or peer group.
set protocols bgp <asn> neighbor <address|interface> update-source
<address|interface>
Specify the IPv4 source address to use for the BGP session to this neighbor, may be specified as either an IPv4
address directly or as an interface name.

Capability Negotiation

set protocols bgp <asn> neighbor <address|interface> capability dynamic

This command would allow the dynamic update of capabilities over an established BGP session.
set protocols bgp <asn> neighbor <address|interface> capability
extended-nexthop
Allow bgp to negotiate the extended-nexthop capability with it’s peer. If you are peering over a IPv6 Link-Local
address then this capability is turned on automatically. If you are peering over a IPv6 Global Address then turning
on this command will allow BGP to install IPv4 routes with IPv6 nexthops if you do not have IPv4 configured on
interfaces.
set protocols bgp <asn> neighbor <address|interface> disable-capability-negotiation
Suppress sending Capability Negotiation as OPEN message optional parameter to the peer. This command only
affects the peer is configured other than IPv4 unicast configuration.
When remote peer does not have capability negotiation feature, remote peer will not send any capabilities at all.
In that case, bgp configures the peer with configured capabilities.

8.8. Protocols 392

 VyOS Documentation, 发布 1.4.x (sagitta)

You may prefer locally configured capabilities more than the negotiated capabilities even though remote peer sends
capabilities. If the peer is configured by override-capability, VyOS ignores received capabilities then
override negotiated capabilities with configured values.
Additionally you should keep in mind that this feature fundamentally disables the ability to use widely deployed
BGP features. BGP unnumbered, hostname support, AS4, Addpath, Route Refresh, ORF, Dynamic Capabilities,
and graceful restart.
set protocols bgp <asn> neighbor <address|interface> override-capability
This command allow override the result of Capability Negotiation with local configuration. Ignore remote peer’
s capability value.
set protocols bgp <asn> neighbor <address|interface> strict-capability-match
This command forces strictly compare remote capabilities and local capabilities. If capabilities are different, send
Unsupported Capability error then reset connection.
You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when
remote peer does not implement Capability Negotiation. Please use disable-capability-negotiation
command to disable the feature.

Peer Parameters

set protocols bgp <asn> neighbor <address|interface> address-family

<ipv4-unicast|ipv6-unicast> allowas-in number <number>
This command accept incoming routes with AS path containing AS number with the same value as the current
system AS. This is used when you want to use the same AS number in your sites, but you can’t connect them
directly.
The number parameter (1-10) configures the amount of accepted occurences of the system AS number in AS path.
This command is only allowed for eBGP peers. It is not applicable for peer groups.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> as-override
This command override AS number of the originating router with the local AS number.
Usually this configuration is used in PEs (Provider Edge) to replace the incoming customer AS number so the
connected CE ( Customer Edge) can use the same AS number as the other customer sites. This allows customers
of the provider network to use the same AS number across their sites.
This command is only allowed for eBGP peers.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> attribute-unchanged <as-path|med|next-hop>
This command specifies attributes to be left unchanged for advertisements sent to a peer or peer group.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> maximum-prefix <number>
This command specifies a maximum number of prefixes we can receive from a given peer. If this number is
exceeded, the BGP session will be destroyed. The number range is 1 to 4294967295.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> nexthop-self
This command forces the BGP speaker to report itself as the next hop for an advertised route it advertised to a
neighbor.

8.8. Protocols 393

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols bgp <asn> neighbor <address|interface> address-family

<ipv4-unicast|ipv6-unicast> remove-private-as
This command removes the private ASN of routes that are advertised to the configured peer. It removes only
private ASNs on routes advertised to EBGP peers.
If the AS-Path for the route has only private ASNs, the private ASNs are removed.
If the AS-Path for the route has a private ASN between public ASNs, it is assumed that this is a design choice,
and the private ASN is not removed.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> soft-reconfiguration inbound
Changes in BGP policies require the BGP session to be cleared. Clearing has a large negative impact on network
operations. Soft reconfiguration enables you to generate inbound updates from a neighbor, change and activate
BGP policies without clearing the BGP session.
This command specifies that route updates received from this neighbor will be stored unmodified, regardless of
the inbound policy. When inbound soft reconfiguration is enabled, the stored updates are processed by the new
policy configuration to create new inbound updates.

注解: Storage of route updates uses memory. If you enable soft reconfiguration inbound for multiple neighbors,
the amount of memory used can become significant.

set protocols bgp <asn> neighbor <address|interface> address-family

<ipv4-unicast|ipv6-unicast> weight <number>
This command specifies a default weight value for the neighbor’s routes. The number range is 1 to 65535.
set protocols bgp <asn> neighbor <address|interface> advertisement-interval
<seconds>
This command specifies the minimum route advertisement interval for the peer. The interval value is 0 to 600
seconds, with the default advertisement interval being 0.
set protocols bgp <asn> neighbor <address|interface> disable-connected-check
This command allows peerings between directly connected eBGP peers using loopback addresses without adjusting
the default TTL of 1.
set protocols bgp <asn> neighbor <address|interface> disable-send-community
<extended|standard>
This command specifies that the community attribute should not be sent in route updates to a peer. By default
community attribute is sent.
set protocols bgp <asn> neighbor <address|interface> ebgp-multihop <number>
This command allows sessions to be established with eBGP neighbors when they are multiple hops away. When
the neighbor is not directly connected and this knob is not enabled, the session will not establish. The number of
hops range is 1 to 255. This command is mutually exclusive with ttl-security hops.
set protocols bgp <asn> neighbor <address|interface> local-as <asn>
[no-prepend] [replace-as]
Specify an alternate AS for this BGP process when interacting with the specified peer or peer group. With no
modifiers, the specified local-as is prepended to the received AS_PATH when receiving routing updates from the
peer, and prepended to the outgoing AS_PATH (after the process local AS) when transmitting local routes to the
peer.
If the no-prepend attribute is specified, then the supplied local-as is not prepended to the received AS_PATH.

8.8. Protocols 394

 VyOS Documentation, 发布 1.4.x (sagitta)

If the replace-as attribute is specified, then only the supplied local-as is prepended to the AS_PATH when
transmitting local-route updates to this peer.

注解: This command is only allowed for eBGP peers.

set protocols bgp <asn> neighbor <address|interface> passive

Configures the BGP speaker so that it only accepts inbound connections from, but does not initiate outbound
connections to the peer or peer group.
set protocols bgp <asn> neighbor <address|interface> password <text>
This command specifies a MD5 password to be used with the tcp socket that is being used to connect to the remote
peer.
set protocols bgp <asn> neighbor <address|interface> ttl-security hops
<number>
This command enforces Generalized TTL Security Mechanism (GTSM), as specified in RFC 5082. With this
command, only neighbors that are the specified number of hops away will be allowed to become neighbors. The
number of hops range is 1 to 254. This command is mutually exclusive with ebgp-multihop.

Peer Groups

Peer groups are used to help improve scaling by generating the same update information to all members of a peer group.
Note that this means that the routes generated by a member of a peer group will be sent back to that originating peer with
the originator identifier attribute set to indicated the originating peer. All peers not associated with a specific peer group
are treated as belonging to a default peer group, and will share updates.
set protocols bgp <asn> peer-group <name>
This command defines a new peer group. You can specify to the group the same parameters that you can specify
for specific neighbors.

注解: If you apply a parameter to an individual neighbor IP address, you override the action defined for a peer
group that includes that IP address.

set protocols bgp <asn> neighbor <address|interface> peer-group <name>

This command bind specific peer to peer group with a given name.

Network Advertisement Configuration

set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast> network

<prefix>
This command is used for advertising IPv4 or IPv6 networks.

注解: By default, the BGP prefix is advertised even if it’s not present in the routing table. This behaviour differs
from the implementation of some vendors.

set protocols bgp <asn> parameters network-import-check

8.8. Protocols 395

 VyOS Documentation, 发布 1.4.x (sagitta)

This configuration modifies the behavior of the network statement. If you have this configured the underlying
network must exist in the routing table.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> default-originate [route-map <name>]
By default, VyOS does not advertise a default route (0.0.0.0/0) even if it is in routing table. When you want to
announce default routes to the peer, use this command. Using optional argument route-map you can inject the
default route to given neighbor only if the conditions in the route map are met.

Route Aggregation Configuration

set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast>

aggregate-address <prefix>
This command specifies an aggregate address. The router will also announce longer-prefixes inside of the aggregate
address.
set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast>
aggregate-address <prefix> as-set
This command specifies an aggregate address with a mathematical set of autonomous systems. This command
summarizes the AS_PATH attributes of all the individual routes.
set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast>
aggregate-address <prefix> summary-only
This command specifies an aggregate address and provides that longer-prefixes inside of the aggregate address are
suppressed before sending BGP updates out to peers.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> unsuppress-map <name>
This command applies route-map to selectively unsuppress prefixes suppressed by summarisation.

Redistribution Configuration

set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast>

redistribute <route source>
This command redistributes routing information from the given route source to the BGP process. There are six
modes available for route source: connected, kernel, ospf, rip, static, table.
set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast>
redistribute <route source> metric <number>
This command specifies metric (MED) for redistributed routes. The metric range is 0 to 4294967295. There are
six modes available for route source: connected, kernel, ospf, rip, static, table.
set protocols bgp <asn> address-family <ipv4-unicast|ipv6-unicast>
redistribute <route source> route-map <name>
This command allows to use route map to filter redistributed routes. There are six modes available for route source:
connected, kernel, ospf, rip, static, table.

8.8. Protocols 396

 VyOS Documentation, 发布 1.4.x (sagitta)

General Configuration

Common parameters

set protocols bgp <asn> parameters router-id <id>

This command specifies the router-ID. If router ID is not specified it will use the highest interface IP address.
set protocols bgp <asn> maximum-paths <ebgp|ibgp> <number>
This command defines the maximum number of parallel routes that the BGP can support. In order for BGP to
use the second path, the following attributes have to match: Weight, Local Preference, AS Path (both AS number
and AS path length), Origin code, MED, IGP metric. Also, the next hop address for each path must be different.
set protocols bgp <asn> parameters default no-ipv4-unicast
This command allows the user to specify that IPv4 peering is turned off by default.
set protocols bgp <asn> parameters log-neighbor-changes
This command enable logging neighbor up/down changes and reset reason.
set protocols bgp <asn> parameters no-client-to-client-reflection
This command disables route reflection between route reflector clients. By default, the clients of a
route reflector are not required to be fully meshed and the routes from a client are reflected to other
clients. However, if the clients are fully meshed, route reflection is not required. In this case, use the
no-client-to-client-reflection command to disable client-to-client reflection.
set protocols bgp <asn> parameters no-fast-external-failover
Disable immediate session reset if peer’s connected link goes down.
set protocols bgp <asn> listen range <prefix> peer-group <name>
This command is useful if one desires to loosen the requirement for BGP to have strictly defined neighbors. Specif-
ically what is allowed is for the local router to listen to a range of IPv4 or IPv6 addresses defined by a prefix and
to accept BGP open messages. When a TCP connection (and subsequently a BGP open message) from within
this range tries to connect the local router then the local router will respond and connect with the parameters that
are defined within the peer group. One must define a peer-group for each range that is listed. If no peer-group is
defined then an error will keep you from committing the configuration.
set protocols bgp <asn> listen limit <number>
This command goes hand in hand with the listen range command to limit the amount of BGP neighbors that are
allowed to connect to the local router. The limit range is 1 to 5000.
set protocols bgp <asn> parameters ebgp-requires-policy
This command changes the eBGP behavior of FRR. By default FRR enables RFC 8212 functionality which
affects how eBGP routes are advertised, namely no routes are advertised across eBGP sessions without some sort
of egress route-map/policy in place. In VyOS however we have this RFC functionality disabled by default so that
we can preserve backwards compatibility with older versions of VyOS. With this option one can enable RFC 8212
functionality to operate.

8.8. Protocols 397

 VyOS Documentation, 发布 1.4.x (sagitta)

Administrative Distance

set protocols bgp <asn> parameters distance global <external|internal|local>

<distance>
This command change distance value of BGP. The arguments are the distance values for external routes, internal
routes and local routes respectively. The distance range is 1 to 255.
set protocols bgp <asn> parameters distance prefix <subnet> distance
<distance>
This command sets the administrative distance for a particular route. The distance range is 1 to 255.

注解: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

Timers

set protocols bgp <asn> timers holdtime <seconds>

This command specifies hold-time in seconds. The timer range is 4 to 65535. The default value is 180 second. If
you set value to 0 VyOS will not hold routes.
set protocols bgp <asn> timers keepalive <seconds>
This command specifies keep-alive time in seconds. The timer can range from 4 to 65535. The default value is
60 second.

Route Dampening

When a route fails, a routing update is sent to withdraw the route from the network’s routing tables. When the route is
re-enabled, the change in availability is also advertised. A route that continually fails and returns requires a great deal of
network traffic to update the network about the route’s status.
Route dampening wich described in RFC 2439 enables you to identify routes that repeatedly fail and return. If route
dampening is enabled, an unstable route accumulates penalties each time the route fails and returns. If the accumulated
penalties exceed a threshold, the route is no longer advertised. This is route suppression. Routes that have been suppressed
are re-entered into the routing table only when the amount of their penalty falls below a threshold.
A penalty of 1000 is assessed each time the route fails. When the penalties reach a predefined threshold (suppress-value),
the router stops advertising the route.
Once a route is assessed a penalty, the penalty is decreased by half each time a predefined amount of time elapses (half-
life-time). When the accumulated penalties fall below a predefined threshold (reuse-value), the route is unsuppressed and
added back into the BGP routing table.
No route is suppressed indefinitely. Maximum-suppress-time defines the maximum time a route can be suppressed before
it is re-advertised.
set protocols bgp <asn> parameters dampening half-life <minutes>
This command defines the amount of time in minutes after which a penalty is reduced by half. The timer range is
10 to 45 minutes.
set protocols bgp <asn> parameters dampening re-use <seconds>
This command defines the accumulated penalty amount at which the route is re-advertised. The penalty range is
1 to 20000.

8.8. Protocols 398

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols bgp <asn> parameters dampening start-suppress-time <seconds>

This command defines the accumulated penalty amount at which the route is suppressed. The penalty range is 1
to 20000.
set protocols bgp <asn> parameters dampening max-suppress-time <seconds>
This command defines the maximum time in minutes that a route is suppressed. The timer range is 1 to 255
minutes.

Route Selection Configuration

set protocols bgp <asn> parameters always-compare-med

This command provides to compare the MED on routes, even when they were received from different neighbouring
ASes. Setting this option makes the order of preference of routes more defined, and should eliminate MED induced
oscillations.
set protocols bgp <asn> parameters bestpath as-path confed
This command specifies that the length of confederation path sets and sequences should be taken into account
during the BGP best path decision process.
set protocols bgp <asn> parameters bestpath as-path multipath-relax
This command specifies that BGP decision process should consider paths of equal AS_PATH length candidates
for multipath computation. Without the knob, the entire AS_PATH must match for multipath computation.
set protocols bgp <asn> parameters bestpath as-path ignore
Ignore AS_PATH length when selecting a route
set protocols bgp <asn> parameters bestpath compare-routerid
Ensure that when comparing routes where both are equal on most metrics, including local-pref, AS_PATH length,
IGP cost, MED, that the tie is broken based on router-ID.
If this option is enabled, then the already-selected check, where already selected eBGP routes are preferred, is
skipped.
If a route has an ORIGINATOR_ID attribute because it has been reflected, that ORIGINATOR_ID will be used.
Otherwise, the router-ID of the peer the route was received from will be used.
The advantage of this is that the route-selection (at this point) will be more deterministic. The disadvantage is that
a few or even one lowest-ID router may attract all traffic to otherwise-equal paths because of this check. It may
increase the possibility of MED or IGP oscillation, unless other measures were taken to avoid these. The exact
behaviour will be sensitive to the iBGP and reflection topology.
set protocols bgp <asn> parameters bestpath med confed
This command specifies that BGP considers the MED when comparing routes originated from different sub-ASs
within the confederation to which this BGP speaker belongs. The default state, where the MED attribute is not
considered.
set protocols bgp <asn> parameters bestpath med missing-as-worst
This command specifies that a route with a MED is always considered to be better than a route without a MED by
causing the missing MED attribute to have a value of infinity. The default state, where the missing MED attribute
is considered to have a value of zero.
set protocols bgp <asn> parameters default local-pref <local-pref value>
This command specifies the default local preference value. The local preference range is 0 to 4294967295.

8.8. Protocols 399

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols bgp <asn> parameters deterministic-med

This command provides to compare different MED values that advertised by neighbours in the same AS for routes
selection. When this command is enabled, routes from the same autonomous system are grouped together, and
the best entries of each group are compared.
set protocols bgp <asn> address-family ipv4-unicast network <prefix> backdoor
This command allows the router to prefer route to specified prefix learned via IGP through backdoor link instead
of a route to the same prefix learned via EBGP.

Route Filtering Configuration

In order to control and modify routing information that is exchanged between peers you can use route-map, filter-list,
prefix-list, distribute-list.
For inbound updates the order of preference is:
• route-map
• filter-list
• prefix-list, distribute-list
For outbound updates the order of preference is:
• prefix-list, distribute-list
• filter-list
• route-map

注解: The attributes prefix-list and distribute-list are mutually exclusive, and only one
command (distribute-list or prefix-list) can be applied to each inbound or outbound direction for a particular
neighbor.

set protocols bgp <asn> neighbor <address|interface> address-family

<ipv4-unicast|ipv6-unicast> distribute-list <export|import> <number>
This command applys the access list filters named in <number> to the specified BGP neighbor to restrict the routing
information that BGP learns and/or advertises. The arguments export and import specify the direction in
which the access list are applied.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> prefix-list <export|import> <name>
This command applys the prfefix list filters named in <name> to the specified BGP neighbor to restrict the routing
information that BGP learns and/or advertises. The arguments export and import specify the direction in
which the prefix list are applied.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> route-map <export|import> <name>
This command applys the route map named in <name> to the specified BGP neighbor to control and modify
routing information that is exchanged between peers. The arguments export and import specify the direction
in which the route map are applied.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> filter-list <export|import> <name>

8.8. Protocols 400

 VyOS Documentation, 发布 1.4.x (sagitta)

This command applys the AS path access list filters named in <name> to the specified BGP neighbor to restrict
the routing information that BGP learns and/or advertises. The arguments export and import specify the
direction in which the AS path access list are applied.
set protocols bgp <asn> neighbor <address|interface> address-family
<ipv4-unicast|ipv6-unicast> capability orf <receive|send>
This command enables the ORF capability (described in RFC 5291) on the local router, and enables ORF ca-
pability advertisement to the specified BGP peer. The receive keyword configures a router to advertise ORF
receive capabilities. The send keyword configures a router to advertise ORF send capabilities. To advertise a
filter from a sender, you must create an IP prefix list for the specified BGP peer applied in inbound derection.

BGP Scaling Configuration

BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to pre-
vent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon
mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable.
There are two ways that help us to mitigate the BGPs full-mesh requirement in a network:
• Using BGP route-reflectors
• Using BGP confederation

Route Reflector Configuration

Introducing route reflectors removes the need for the full-mesh. When you configure a route reflector you have to tell
the router whether the other IBGP router is a client or non-client. A client is an IBGP router that the route reflector will
“reflect”routes to, the non-client is just a regular IBGP neighbor. Route reflectors mechanism is described in RFC 4456
and updated by RFC 7606.
set protocols bgp <asn> neighbor <address> address-family
<ipv4-unicast|ipv6-unicast> route-reflector-client
This command specifies the given neighbor as route reflector client.
set protocols bgp <asn> parameters cluster-id <id>
This command specifies cluster ID which identifies a collection of route reflectors and their clients, and is used
by route reflectors to avoid looping. By default cluster ID is set to the BGP router id value, but can be set to an
arbitrary 32-bit value.

Confederation Configuration

A BGP confederation divides our AS into sub-ASes to reduce the number of required IBGP peerings. Within a sub-AS
we still require full-mesh IBGP but between these sub-ASes we use something that looks like EBGP but behaves like
IBGP (called confederation BGP). Confederation mechanism is described in RFC 5065
set protocols bgp <subasn> parameters confederation identifier <asn>
This command specifies a BGP confederation identifier. <asn> is the number of the autonomous system that
internally includes multiple sub-autonomous systems (a confederation). <subasn> is the number sub-autonomous
system inside <asn>.
set protocols bgp <subasn> parameters confederation confederation peers
<nsubasn>

8.8. Protocols 401

 VyOS Documentation, 发布 1.4.x (sagitta)

This command sets other confederations <nsubasn> as members of autonomous system specified by
confederation identifier <asn>.

Operational Mode Commands

Show

show <ip|ipv6> bgp

This command displays all entries in BGP routing table.

BGP table version is 10, local router ID is 10.0.35.3, vrf id 0

Default local pref 100, local AS 65000
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 198.51.100.0/24 10.0.34.4 0 0 65004 i
*> 203.0.113.0/24 10.0.35.5 0 0 65005 i

Displayed 2 routes and 2 total paths

show <ip|ipv6> bgp <address|prefix>

This command displays information about the particular entry in the BGP routing table.

BGP routing table entry for 198.51.100.0/24

Paths: (1 available, best #1, table default)
Advertised to non peer-group peers:
10.0.13.1 10.0.23.2 10.0.34.4 10.0.35.5
65004
10.0.34.4 from 10.0.34.4 (10.0.34.4)
Origin IGP, metric 0, valid, external, best (First path received)
Last update: Wed Jan 6 12:18:53 2021

show ip bgp cidr-only

This command displays routes with classless interdomain routing (CIDR).
show <ip|ipv6> bgp community <value>
This command displays routes that belong to specified BGP communities. Valid value is a community number in
the range from 1 to 4294967200, or AA:NN (autonomous system-community number/2-byte number), no-export,
local-as, or no-advertise.
show <ip|ipv6> bgp community-list <name>
This command displays routes that are permitted by the BGP community list.
show ip bgp dampened-paths
This command displays BGP dampened routes.
show ip bgp flap-statistics
This command displays information about flapping BGP routes.
show ip bgp filter-list <name>

8.8. Protocols 402

 VyOS Documentation, 发布 1.4.x (sagitta)

This command displays BGP routes allowed by by the specified AS Path access list.
show <ip|ipv6> bgp neighbors <address> advertised-routes
This command displays BGP routes advertised to a neighbor.
show <ip|ipv6> bgp neighbors <address> received-routes
This command displays BGP routes originating from the specified BGP neighbor before inbound policy is applied.
To use this command inbound soft reconfiguration must be enabled.
show <ip|ipv6> bgp neighbors <address> routes
This command displays BGP received-routes that are accepted after filtering.
show <ip|ipv6> bgp neighbors <address> dampened-routes
This command displays dampened routes received from BGP neighbor.
show <ip|ipv6> bgp regexp <text>
This command displays information about BGP routes whose AS path matches the specified regular expression.
show <ip|ipv6> bgp summary
This command displays the status of all BGP connections.

IPv4 Unicast Summary:

BGP router identifier 10.0.35.3, local AS number 65000 vrf-id 0
BGP table version 11
RIB entries 5, using 920 bytes of memory
Peers 4, using 82 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.0.13.1 4 65000 148 159 0 0 0 02:16:01 0
10.0.23.2 4 65000 136 143 0 0 0 02:13:21 0
10.0.34.4 4 65004 161 163 0 0 0 02:16:01 1
10.0.35.5 4 65005 162 166 0 0 0 02:16:01 1

Total number of neighbors 4

Reset

reset <ip|ipv6> bgp <address> [soft [in|out]]

This command resets BGP connections to the specified neighbor IP address. With argument soft this command
initiates a soft reset. If you do not specify the in or out options, both inbound and outbound soft reconfiguration
are triggered.
reset ip bgp all
This command resets all BGP connections of given router.
reset ip bgp dampening
This command uses to clear BGP route dampening information and to unsuppress suppressed routes.
reset ip bgp external
This command resets all external BGP peers of given router.
reset ip bgp peer-group <name> [soft [in|out]]

8.8. Protocols 403

 VyOS Documentation, 发布 1.4.x (sagitta)

This command resets BGP connections to the specified peer group. With argument soft this command initiates
a soft reset. If you do not specify the in or out options, both inbound and outbound soft reconfiguration are
triggered.

Configuration Examples

IPv4

A simple eBGP configuration:

Node 1:
set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2'
set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535'
set protocols bgp 65534 neighbor 192.168.0.2 update-source '192.168.0.1'
set protocols bgp 65534 address-family ipv4-unicast network '172.16.0.0/16'
set protocols bgp 65534 parameters router-id '192.168.0.1'

Node 2:
set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2'
set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534'
set protocols bgp 65535 neighbor 192.168.0.1 update-source '192.168.0.2'
set protocols bgp 65535 address-family ipv4-unicast network '172.17.0.0/16'
set protocols bgp 65535 parameters router-id '192.168.0.2'

Don’t forget, the CIDR declared in the network statement MUST exist in your routing table (dynamic or static), the
best way to make sure that is true is creating a static route:
Node 1:
set protocols static route 172.16.0.0/16 blackhole distance '254'

Node 2:
set protocols static route 172.17.0.0/16 blackhole distance '254'

IPv6

A simple BGP configuration via IPv6.

Node 1:
set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2'
set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535'
set protocols bgp 65534 neighbor 2001:db8::2 update-source '2001:db8::1'
set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast
set protocols bgp 65534 address-family ipv6-unicast network '2001:db8:1::/48'
set protocols bgp 65534 parameters router-id '10.1.1.1'

Node 2:
set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2'
set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534'
set protocols bgp 65535 neighbor 2001:db8::1 update-source '2001:db8::2'
(下页继续)

8.8. Protocols 404

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast
set protocols bgp 65535 address-family ipv6-unicast network '2001:db8:2::/48'
set protocols bgp 65535 parameters router-id '10.1.1.2'

Don’t forget, the CIDR declared in the network statement MUST exist in your routing table (dynamic or static), the
best way to make sure that is true is creating a static route:
Node 1:

set protocols static route6 2001:db8:1::/48 blackhole distance '254'

Node 2:

set protocols static route6 2001:db8:2::/48 blackhole distance '254'

Route Filter

Route filter can be applied using a route-map:

Node1:

set policy prefix-list AS65535-IN rule 10 action 'permit'

set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16'
set policy prefix-list AS65535-OUT rule 10 action 'deny'
set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16'
set policy prefix-list6 AS65535-IN rule 10 action 'permit'
set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48'
set policy prefix-list6 AS65535-OUT rule 10 action 'deny'
set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48'
set policy route-map AS65535-IN rule 10 action 'permit'
set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN'
set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN'
set policy route-map AS65535-IN rule 20 action 'deny'
set policy route-map AS65535-OUT rule 10 action 'deny'
set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT'
set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT'
set policy route-map AS65535-OUT rule 20 action 'permit'
set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map␣
,→export 'AS65535-OUT'

set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map␣

,→import 'AS65535-IN'

set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map␣

,→export 'AS65535-OUT'

set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map␣

,→import 'AS65535-IN'

Node2:

set policy prefix-list AS65534-IN rule 10 action 'permit'

set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16'
set policy prefix-list AS65534-OUT rule 10 action 'deny'
set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16'
set policy prefix-list6 AS65534-IN rule 10 action 'permit'
set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48'
set policy prefix-list6 AS65534-OUT rule 10 action 'deny'
(下页继续)

8.8. Protocols 405

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48'
set policy route-map AS65534-IN rule 10 action 'permit'
set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN'
set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN'
set policy route-map AS65534-IN rule 20 action 'deny'
set policy route-map AS65534-OUT rule 10 action 'deny'
set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT'
set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT'
set policy route-map AS65534-OUT rule 20 action 'permit'
set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map␣
,→export 'AS65534-OUT'

set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map␣

,→import 'AS65534-IN'

set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map␣

,→export 'AS65534-OUT'

set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map␣

,→import 'AS65534-IN'

We could expand on this and also deny link local and multicast in the rule 20 action deny.

8.8.3 Multicast

VyOS facilitates IP Multicast by supporting PIM Sparse Mode, IGMP and IGMP-Proxy.

PIM and IGMP

PIM (Protocol Independent Multicast) must be configured in every interface of every participating router. Every router
must also have the location of the Rendevouz Point manually configured. Then, unidirectional shared trees rooted at the
Rendevouz Point will automatically be built for multicast distribution.
Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using IGMP
(Internet Group Management Protocol).
Multicast receivers will talk IGMP to their local router, so, besides having PIM configured in every router, IGMP must
also be configured in any router where there could be a multicast receiver locally connected.
VyOS supports both IGMP version 2 and version 3 (which allows source-specific multicast).

Example

In the following example we can see a basic multicast setup:

8.8. Protocols 406

 VyOS Documentation, 发布 1.4.x (sagitta)

Router 1

set interfaces ethernet eth2 address '172.16.0.2/24'

set interfaces ethernet eth1 address '100.64.0.1/24'
set protocols ospf area 0 network '172.16.0.0/24'
set protocols ospf area 0 network '100.64.0.0/24'
set protocols igmp interface eth1
set protocols pim interface eth1
set protocols pim interface eth2
set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'

Router 3

set interfaces dummy dum0 address '172.16.255.1/24'

set interfaces ethernet eth0 address '172.16.0.1/24'
set interfaces ethernet eth1 address '172.16.1.1/24'
set protocols ospf area 0 network '172.16.0.0/24'
set protocols ospf area 0 network '172.16.255.0/24'
set protocols ospf area 0 network '172.16.1.0/24'
set protocols pim interface dum0
set protocols pim interface eth0
set protocols pim interface eth1
set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'

Router 2

set interfaces ethernet eth1 address '10.0.0.1/24'

set interfaces ethernet eth2 address '172.16.1.2/24'
set protocols ospf area 0 network '10.0.0.0/24'
set protocols ospf area 0 network '172.16.1.0/24'
set protocols pim interface eth1
set protocols pim interface eth2
set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'

8.8. Protocols 407

 VyOS Documentation, 发布 1.4.x (sagitta)

Basic commands

These are the commands for a basic setup.

set protocols pim interface <interface-name>
Use this command to enable PIM in the selected interface so that it can communicate with PIM neighbors.
set protocols pim rp address <address> group <multicast-address/mask-bits>
Use this comand to manually configure a Rendevouz Point for PIM so that join messages can be sent there. Set
the Rendevouz Point address and the matching prefix of group ranges covered. These values must be shared with
every router participating in the PIM network.
set protocols igmp interface eth1
Use this command to configure an interface with IGMP so that PIM can receive IGMP reports and query on the
selected interface. By defaul IGMP version 3 will be used.

Tuning commands

You can also tune multicast with the following commands.

set protocols pim interface <interface> dr-priority <value>
Use this PIM command in the selected interface to set the priority (1-4294967295) you want to influence in the
election of a node to become the Designated Router for a LAN segment. The default priority is 1, set a higher
value to give the router more preference in the DR election process.
set protocols pim int <interface> hello <seconds>
Use this command to configure the PIM hello interval in seconds (1-180) for the selected interface.
set protocols pim rp keep-alive-timer <seconds>
Use this PIM command to modify the the time out value (31-60000 seconds) for an (S,G) flow. 31 seconds is
chosen for a lower bound as some hardware platforms cannot see data flowing in better than 30 second chunks.
set protocols igmp interface <interface> join <multicast-address> source
<IP-address>
Use this command to allow the selected interface join a multicast group defining the multicast address you want
to join and the source IP address too.
set protocols igmp interface <interface query-interval <seconds>
Use this command to configure in the selected interface the IGMP host query interval (1-1800) in seconds that
PIM will use.
set protocols igmp interface <interface query-max-response-time <deciseconds>
Use this command to configure in the selected interface the IGMP query response timeout value (10-250) in
deciseconds. If a report is not returned in the specified time, it will be asumed the (S,G) or (*,G) state has timed
out.
set protocols igmp interface <interface> version <version-number>
Use this command to define in the selected interface whether you choose IGMP version 2 or 3. The default value
is 3.

8.8. Protocols 408

 VyOS Documentation, 发布 1.4.x (sagitta)

IGMP Proxy

IGMP (Internet Group Management Protocol) proxy sends IGMP host messages on behalf of a connected client. The
configuration must define one, and only one upstream interface, and one or more downstream interfaces.

Configuration

set protocols igmp-proxy interface <interface> role <upstream | downstream>

• upstream: The upstream network interface is the outgoing interface which is responsible for communicating
to available multicast data sources. There can only be one upstream interface.
• downstream: Downstream network interfaces are the distribution interfaces to the destination networks,
where multicast clients can join groups and receive multicast data. One or more downstream interfaces must
be configured.
set protocols igmp-proxy interface <interface> alt-subnet <network>
Defines alternate sources for multicasting and IGMP data. The network address must be on the following format
‘a.b.c.d/n’. By default the router will accept data from sources on the same network as configured on an interface.
If the multicast source lies on a remote network, one must define from where traffic should be accepted.
This is especially useful for the upstream interface, since the source for multicast traffic is often from a remote
location.
This option can be supplied multiple times.
set protocols igmp-proxy disable-quickleave
Disables quickleave mode. In this mode the daemon will not send a Leave IGMP message upstream as soon as it
receives a Leave message for any downstream interface. The daemon will not ask for Membership reports on the
downstream interfaces, and if a report is received the group is not joined again upstream.
If it’s vital that the daemon should act exactly as a real multicast client on the upstream interface, this function
should be enabled.
Enabling this function increases the risk of bandwidth saturation.
set protocols igmp-proxy disable
Disable this service.

Example

Interface eth1 LAN is behind NAT. In order to subscribe 10.0.0.0/23 subnet multicast which is in eth0 WAN we need to
configure igmp-proxy.

set protocols igmp-proxy interface eth0 role upstream

set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23
set protocols igmp-proxy interface eth1 role downstream

8.8. Protocols 409

 VyOS Documentation, 发布 1.4.x (sagitta)

Operation

restart igmp-proxy
Restart the IGMP proxy process.

8.8.4 IS-IS

IS-IS (Intermediate System to Intermediate System) is a link-state interior gateway routing protocol which is described
in ISO10589, RFC 1195, RFC 5308. Like OSPF, IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a
database of the network’s topology and, from that database, to determine the best (that is, shortest) path to a destination.
The routers exchange topology information with their nearest neighbors. IS-IS runs directly on the data link layer (Layer
2). IS-IS addresses are called NET (Network Entity Titles) and can be 8 to 20 bytes long, but are generally 10 bytes
long.
For example NET (Network Entity Title)

49.0001.1921.6800.1002.00

The IS-IS address consists of three parts:

AFI (Address family authority identifier) 49 The AFI value 49 is what IS-IS uses for private addressing.
Area identifier: 0001 IS-IS area number (Area1)
System identifier: 1921.6800.1002 For system idetifier we recommend to use IP address or MAC
address of the router.
NET selector: 00 Must always be 00, to indicate “this system”.

General Configuration

set protocols isis <name> net <network-entity-title>

This command enables the ISIS process by specifying the ISIS domain with‘name’. ISIS implementation does
not yet support multiple ISIS processes but you must specify the name of ISIS process. This commad also sets
network entity title (NET) provided in ISO format.
set protocols isis <name> interface <interface>
This command activates ISIS adjacency on this interface. Note that the name of ISIS instance must be the same
as the one used to configure the ISIS process.
set protocols isis <name> dynamic-hostname
This command enables support for dynamic hostname. Dynamic hostname mapping determined as described in
RFC 2763, Dynamic Hostname Exchange Mechanism for IS-IS.
set protocols isis <name> level <level-1|level-1-2|level-2>
This command defines the ISIS router behavior:
level-1 Act as a station router only. level-1-2 Act as both a station router and an area router. level-2-only
Act as an area router only.
set protocols isis <name> lsp-mtu <size>
This command configures the maximum size of generated LSPs, in bytes. The size range is 128 to 4352.
set protocols isis <name> metric-style <narrow|transition|wide>

8.8. Protocols 410

 VyOS Documentation, 发布 1.4.x (sagitta)

This command sets old-style (ISO 10589) or new-style packet formats:

narrow Use old style of TLVs with narrow metric. transition Send and accept both styles of TLVs
during transition. wide Use new style of TLVs to carry wider metric.
set protocols isis <name> purge-originator
This command enables RFC 6232 purge originator identification. Enable purge originator identification (POI) by
adding the type, length and value (TLV) with the Intermediate System (IS) identification to the LSPs that do not
contain POI information. If an IS generates a purge, VyOS adds this TLV with the system ID of the IS to the
purge.
set protocols isis <name> set-attached-bit
This command sets ATT bit to 1 in Level1 LSPs. It is described in RFC 3787.
set protocols isis <name> set-overload-bit
This command sets overload bit to avoid any transit traffic through this router. It is described in RFC 3787.
set protocols isis name default-information originate <ipv4|ipv6> level-1
This command will generate a default-route in L1 database.
set protocols isis name default-information originate <ipv4|ipv6> level-2
This command will generate a default-route in L2 database.

Interfaces Configuration

set protocols isis <name> interface <interface> circuit-type

<level-1|level-1-2|level-2-only>
This command specifies circuit type for interface:
level-1 Level-1 only adjacencies are formed. level-1-2 Level-1-2 adjacencies are formed level-2-only
Level-2 only adjacencies are formed
set protocols isis <name> interface <interface> hello-interval <seconds>
This command sets hello interval in seconds on a given interface. The range is 1 to 600.
set protocols isis <name> interface <interface> hello-multiplier <seconds>
This command sets multiplier for hello holding time on a given interface. The range is 2 to 100.
set protocols isis <name> interface <interface> hello-padding
This command configures padding on hello packets to accommodate asymmetrical maximum transfer units
(MTUs) from different hosts as described in RFC 3719. This helps to prevent a premature adjacency Up state
when one routing device’s MTU does not meet the requirements to establish the adjacency.
set protocols isis <name> interface <interface> metric <metric>
This command set default metric for circuit. The metric range is 1 to 16777215 (Max value depend if metric
support narrow or wide value).
set protocols isis <name> interface <interface> network point-to-point
This command specifies network type to ‘Point-to-Point’. The default network type is broadcast.
set protocols isis <name> interface <interface> passive
This command configures the passive mode for this interface.

8.8. Protocols 411

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols isis <name> interface <interface> password plaintext-password

<text>
This command configures the authentication password for the interface.
set protocols isis <name> interface <interface> priority <number>
This command sets priority for the interface for DIS (Designated Intermediate System) election. The priority
range is 0 to 127.
set protocols isis <name> interface <interface> psnp-interval <number>
This command sets PSNP interval in seconds. The interval range is 0 to 127.
set protocols isis <name> interface <interface> no-three-way-handshake
This command disables Three-Way Handshake for P2P adjacencies which described in RFC 5303. Three-Way
Handshake is enabled by default.

Redistribution Configuration

set protocols isis <name> redistribute ipv4 <route source> level-1

This command redistributes routing information from the given route source into the ISIS database as Level-1.
There are six modes available for route source: bgp, connected, kernel, ospf, rip, static.
set protocols isis <name> redistribute ipv4 <route source> level-2
This command redistributes routing information from the given route source into the ISIS database as Level-2.
There are six modes available for route source: bgp, connected, kernel, ospf, rip, static.
set protocols isis <name> redistribute ipv4 <route source> <level-1|level-2>
metric <number>
This command specifies metric for redistributed routes from the given route source. There are six modes available
for route source: bgp, connected, kernel, ospf, rip, static. The metric range is 1 to 16777215.
set protocols isis <name> redistribute ipv4 <route source> <level-1|level-2>
route-map <name>
This command allows to use route map to filter redistributed routes from the given route source. There are six
modes available for route source: bgp, connected, kernel, ospf, rip, static.

Timers Configuration

set protocols isis <name> lsp-gen-interval <seconds>

This command sets minimum interval in seconds between regenerating same LSP. The interval range is 1 to 120.
set protocols isis <name> lsp-refresh-interval <seconds>
This command sets LSP refresh interval in seconds. IS-IS generates LSPs when the state of a link changes.
However, to ensure that routing databases on all routers remain converged, LSPs in stable networks are generated
on a regular basis even though there has been no change to the state of the links. The interval range is 1 to 65235.
The default value is 900 seconds.
set protocols isis <name> max-lsp-lifetime <seconds>
This command sets LSP maximum LSP lifetime in seconds. The interval range is 350 to 65535. LSPs remain in
a database for 1200 seconds by default. If they are not refreshed by that time, they are deleted. You can change
the LSP refresh interval or the LSP lifetime. The LSP refresh interval should be less than the LSP lifetime or else
LSPs will time out before they are refreshed.

8.8. Protocols 412

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols isis <name> spf-interval <seconds>

This command sets minimum interval between consecutive SPF calculations in seconds.The interval range is 1 to
120.
set protocols isis <name> spf-delay-ietf holddown <milliseconds>
set protocols isis <name> spf-delay-ietf init-delay <milliseconds>
set protocols isis <name> spf-delay-ietf long-delay <milliseconds>
set protocols isis <name> spf-delay-ietf short-delay <milliseconds>
set protocols isis <name> spf-delay-ietf time-to-learn <milliseconds>
This commands specifies the Finite State Machine (FSM) intended to control the timing of the execution of SPF
calculations in response to IGP events. The process described in RFC 8405.

Configuration Example

Simple IS-IS configuration using 2 nodes and redistributing connected interfaces.

Node 1:

set interfaces dummy dum0 address '203.0.113.1/24'

set interfaces ethernet eth1 address '192.0.2.1/24'

set policy prefix-list EXPORT-ISIS rule 10 action 'permit'

set policy prefix-list EXPORT-ISIS rule 10 prefix '203.0.113.0/24'
set policy route-map EXPORT-ISIS rule 10 action 'permit'
set policy route-map EXPORT-ISIS rule 10 match ip address prefix-list 'EXPORT-ISIS'

set protocols isis FOO interface eth1

set protocols isis FOO net '49.0001.1921.6800.1002.00'
set protocols isis FOO redistribute ipv4 connected level-2 route-map 'EXPORT-ISIS'

Node 2:

set interfaces ethernet eth1 address '192.0.2.2/24'

set protocols isis FOO interface eth1

set protocols isis FOO net '49.0001.1921.6800.2002.00'

Show ip routes on Node2:

vyos@r2:~$ show ip route isis

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route

I 203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42

8.8. Protocols 413

 VyOS Documentation, 发布 1.4.x (sagitta)

8.8.5 MPLS

MPLS (Multi-Protocol Label Switching) is a packet forwarding paradigm which differs from regular IP forwarding.
Instead of IP addresses being used to make the decision on finding the exit interface, a router will instead use an exact
match on a 32 bit/4 byte header called the MPLS label. This label is inserted between the ethernet (layer 2) header and
the IP (layer 3) header. One can statically or dynamically assign label allocations, but we will focus on dynamic allocation
of labels using some sort of label distribution protocol (such as the aptly named Label Distribution Protocol / LDP,
Resource Reservation Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow for the creation
of a unidirectional/unicast path called a labeled switched path (initialized as LSP) throughout the network that operates
very much like a tunnel through the network. An easy way of thinking about how an MPLS LSP actually forwards traffic
throughout a network is to think of a GRE tunnel. They are not the same in how they operate, but they are the same in
how they handle the tunneled packet. It would be good to think of MPLS as a tunneling technology that can be used to
transport many different types of packets, to aid in traffic engineering by allowing one to specify paths throughout the
network (using RSVP or SR), and to generally allow for easier intra/inter network transport of data packets.
For more information on how MPLS label switching works, please go visit Wikipedia (MPLS).

注解: MPLS support in VyOS is not finished yet, and therefore its functionality is limited. Currently there is no support
for MPLS enabled VPN services such as L3VPNs, L2VPNs, and mVPNs. RSVP support is also not present as the
underlying routing stack (FRR) does not implement it. Currently VyOS can be configured as a label switched router
(MPLS P router), in both penultimate and ultimate hop popping operations.

Label Distribution Protocol

The MPLS architecture does not assume a single protocol to create MPLS paths. VyOS supports the Label Distribution
Protocol (LDP) as implemented by FRR, based on RFC 5036.
LDP (Label Distribution Protocol) is a TCP based MPLS signaling protocol that distributes labels creating MPLS label
switched paths in a dynamic manner. LDP is not a routing protocol, as it relies on other routing protocols for forwarding
decisions. LDP cannot bootstrap itself, and therefore relies on said routing protocols for communication with other routers
that use LDP.
In order to allow for LDP on the local router to exchange label advertisements with other routers, a TCP session will be
established between automatically discovered and statically assigned routers. LDP will try to establish a TCP session to
the transport address of other routers. Therefore for LDP to function properly please make sure the transport address
is shown in the routing table and reachable to traffic at all times.
It is highly recommended to use the same address for both the LDP router-id and the discovery transport address, but for
VyOS MPLS LDP to work both parameters must be explicitly set in the configuration.
Another thing to keep in mind with LDP is that much like BGP, it is a protocol that runs on top of TCP. It however does
not have an ability to do something like a refresh capability like BGPs route refresh capability. Therefore one might have
to reset the neighbor for a capability change or a configuration change to work.

8.8. Protocols 414

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration Options

set protocols mpls ldp interface <interface>

Use this command to enable LDP, and enable MPLS processing on the interface you define.
set protocols mpls ldp router-id <address>
Use this command to configure the IP address used as the LDP router-id of the local device.
set protocols mpls ldp discovery transport-ipv4-address <address>
set protocols mpls ldp discovery transport-ipv6-address <address>
Use this command to set the IPv4 or IPv6 transport-address used by LDP.
set protocols mpls ldp neighbor <address> password <password>
Use this command to configure authentication for LDP peers. Set the IP address of the LDP peer and a password
that should be shared in order to become neighbors.
set protocols mpls ldp neighbor <address> session-holdtime <seconds>
Use this command to configure a specific session hold time for LDP peers. Set the IP address of the LDP peer
and a session hold time that should be configured for it. You may have to reset the neighbor for this to work.
set protocols mpls ldp neighbor <address> ttl-security <disable | hop count>
Use this command to enable, disable, or specify hop count for TTL security for LDP peers. By default the value
is set to 255 (or max TTL).
set protocols mpls ldp discovery hello-ipv4-interval <seconds>
set protocols mpls ldp discovery hello-ipv4-holdtime <seconds>
set protocols mpls ldp discovery hello-ipv6-interval <seconds>
set protocols mpls ldp discovery hello-ipv6-holdtime <seconds>
Use these commands if you would like to set the discovery hello and hold time parameters.
set protocols mpls ldp discovery session-ipv4-holdtime <seconds>
set protocols mpls ldp discovery session-ipv6-holdtime <seconds>
Use this command if you would like to set the TCP session hold time intervals.
set protocols mpls ldp import ipv4 import-filter filter-access-list <access
list number>
set protocols mpls ldp import ipv6 import-filter filter-access-list6 <access
list number>
Use these commands to control the importing of forwarding equivalence classes (FECs) for LDP from neighbors.
This would be useful for example on only accepting the labeled routes that are needed and not ones that are not
needed, such as accepting loopback interfaces and rejecting all others.
set protocols mpls ldp export ipv4 export-filter filter-access-list <access
list number>
set protocols mpls ldp export ipv6 export-filter filter-access-list6 <access
list number>
Use these commands to control the exporting of forwarding equivalence classes (FECs) for LDP to neighbors.
This would be useful for example on only announcing the labeled routes that are needed and not ones that are not
needed, such as announcing loopback interfaces and no others.

8.8. Protocols 415

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols mpls ldp export ipv4 explicit-null

set protocols mpls ldp export ipv6 explicit-null
Use this command if you would like for the router to advertise FECs with a label of 0 for explicit null operations.
set protocols mpls ldp allocation ipv4 access-list <access list number>
set protocols mpls ldp allocation ipv6 access-list6 <access list number>
Use this command if you would like to control the local FEC allocations for LDP. A good example would be for
your local router to not allocate a label for everything. Just a label for what it’s useful. A good example would
be just a loopback label.
set protocols mpls ldp parameters cisco-interop-tlv
Use this command to use a Cisco non-compliant format to send and interpret the Dual-Stack capability TLV for
IPv6 LDP communications. This is related to RFC 7552.
set protocols mpls ldp parameters ordered-control
Use this command to use ordered label distribution control mode. FRR by default uses independent label distri-
bution control mode for label distribution. This is related to RFC 5036.
set protocols mpls ldp parameters transport-prefer-ipv4
Use this command to prefer IPv4 for TCP peer transport connection for LDP when both an IPv4 and IPv6 LDP
address are configured on the same interface.
set protocols mpls ldp targeted-neighbor ipv4 enable
set protocols mpls ldp targeted-neighbor ipv6 enable
Use this command to enable targeted LDP sessions to the local router. The router will then respond to any sessions
that are trying to connect to it that are not a link local type of TCP connection.
set protocols mpls ldp targeted-neighbor ipv4 address <address>
set protocols mpls ldp targeted-neighbor ipv6 address <address>
Use this command to enable the local router to try and connect with a targeted LDP session to another router.
set protocols mpls ldp targeted-neighbor ipv4 hello-holdtime <seconds>
set protocols mpls ldp targeted-neighbor ipv4 hello-interval <seconds>
set protocols mpls ldp targeted-neighbor ipv6 hello-holdtime <seconds>
set protocols mpls ldp targeted-neighbor ipv6 hello-interval <seconds>
Use these commands if you would like to set the discovery hello and hold time parameters for the targeted LDP
neighbors.

Sample configuration to setup LDP on VyOS

set protocols ospf area 0 network '192.168.255.252/32' <---␣

,→Routing for loopback

set protocols ospf area 0 network '192.168.0.5/32' <---␣

,→Routing for an interface connecting to the network

set protocols ospf parameters router-id '192.168.255.252' <---␣

,→Router ID setting for OSPF

set protocols mpls ldp discovery transport-ipv4-address '192.168.255.252' <---␣

,→Transport address for LDP for TCP sessions to connect to

(下页继续)

8.8. Protocols 416

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set protocols mpls ldp interface 'eth1' <---␣
,→Enable MPLS and LDP for an interface connecting to network

set protocols mpls ldp interface 'lo' <---␣

,→Enable MPLS and LDP on loopback for future services connectivity

set protocols mpls ldp router-id '192.168.255.252' <---␣

,→Router ID setting for LDP

set interfaces ethernet eth1 address '192.168.0.5/31' <---␣

,→Interface IP for connecting to network

set interfaces loopback lo address '192.168.255.252/32' <---␣

,→Interface loopback IP for router ID and other uses

Operational Mode Commands

When LDP is working, you will be able to see label information in the outcome of show ip route. Besides that
information, there are also specific show commands for LDP:

Show

show mpls ldp binding

Use this command to see the Label Information Base.
show mpls ldp discovery
Use this command to see discovery hello information
show mpls ldp interface
Use this command to see LDP interface information
show mpls ldp neighbor
Use this command to see LDP neighbor information
show mpls ldp neighbor detail
Use this command to see detailed LDP neighbor information

Reset

reset mpls ldp neighbor <IPv4 or IPv6 address>

Use this command to reset an LDP neighbor/TCP session that is established

8.8.6 OSPF

OSPF (Open Shortest Path First) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing
(LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous
system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4. Updates for IPv6 are specified as OSPF
Version 3 in RFC 5340 (2008). OSPF supports the CIDR (Classless Inter-Domain Routing) addressing model.
OSPF is a widely used IGP in large enterprise networks.

8.8. Protocols 417

 VyOS Documentation, 发布 1.4.x (sagitta)

OSPFv2 (IPv4)

Configuration

General

VyOS does not have a special command to start the OSPF process. The OSPF process starts when the first ospf enabled
interface is configured.
set protocols ospf area <number> network <A.B.C.D/M>
This command specifies the OSPF enabled interface(s). If the interface has an address from defined range then
the command enables OSPF on this interface so router can provide network information to the other ospf routers
via this interface.
This command is also used to enable the OSPF process. The area number can be specified in decimal notation in
the range from 0 to 4294967295. Or it can be specified in dotted decimal notation similar to ip address.
set protocols ospf auto-cost reference-bandwidth <number>
This command sets the reference bandwidth for cost calculations, where bandwidth can be in range from 1 to
4294967, specified in Mbits/s. The default is 100Mbit/s (i.e. a link of bandwidth 100Mbit/s or higher will have a
cost of 1. Cost of lower bandwidth links will be scaled with reference to this cost).
set protocols ospf parameters router-id <rid>
This command sets the router-ID of the OSPF process. The router-ID may be an IP address of the router, but
need not be –it can be any arbitrary 32bit number. However it MUST be unique within the entire OSPF domain
to the OSPF speaker –bad things will happen if multiple OSPF speakers are configured with the same router-ID!

Optional

set protocols ospf default-information originate [always] [metric <number>]

[metric-type <1|2>] [route-map <name>]
Originate an AS-External (type-5) LSA describing a default route into all external-routing capable areas, of the
specified metric and metric type. If the always keyword is given then the default is always advertised, even when
there is no default present in the routing table. The argument route-map specifies to advertise the default route
if the route map is satisfied.
set protocols ospf distance global <distance>
This command change distance value of OSPF globally. The distance range is 1 to 255.
set protocols ospf distance ospf <external|inter-area|intra-area> <distance>
This command change distance value of OSPF. The arguments are the distance values for external routes, inter-
area routes and intra-area routes respectively. The distance range is 1 to 255.

注解: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

set protocols ospf log-adjacency-changes [detail]

This command allows to log changes in adjacency. With the optional detail argument, all changes in adjacency
status are shown. Without detail, only changes to full or regressions are shown.
set protocols ospf max-metric router-lsa <administrative|on-shutdown
<seconds>|on-startup <seconds>>

8.8. Protocols 418

 VyOS Documentation, 发布 1.4.x (sagitta)

This enables RFC 3137 support, where the OSPF process describes its transit links in its router-LSA as having
infinite distance so that other routers will avoid calculating transit paths through the router while still being able to
reach networks through the router.
This support may be enabled administratively (and indefinitely) with the administrative command. It may
also be enabled conditionally. Conditional enabling of max-metric router-lsas can be for a period of seconds after
startup with the on-startup <seconds> command and/or for a period of seconds prior to shutdown with
the on-shutdown <seconds> command. The time range is 5 to 86400.
set protocols ospf parameters abr-type <cisco|ibm|shortcut|standard>
This command selects ABR model. OSPF router supports four ABR models:
cisco –a router will be considered as ABR if it has several configured links to the networks in different areas one
of which is a backbone area. Moreover, the link to the backbone area should be active (working). ibm –identical
to “cisco”model but in this case a backbone area link may not be active. standard –router has several active
links to different areas. shortcut –identical to“standard”but in this model a router is allowed to use a connected
areas topology without involving a backbone area for inter-area connections.
Detailed information about “cisco”and “ibm”models differences can be found in RFC 3509. A “shortcut”
model allows ABR to create routes between areas based on the topology of the areas connected to this router but
not using a backbone area in case if non-backbone route will be cheaper. For more information about “shortcut”
model, see ospf-shortcut-abr-02.txt
set protocols ospf parameters rfc1583-compatibility
RFC 2328, the successor to RFC 1583, suggests according to section G.2 (changes) in section 16.4.1 a change to
the path preference algorithm that prevents possible routing loops that were possible in the old version of OSPFv2.
More specifically it demands that inter-area paths and intra-area backbone path are now of equal preference but
still both preferred to external paths.
This command should NOT be set normally.
set protocols ospf passive-interface <interface>
This command specifies interface as passive. Passive interface advertises its address, but does not run the OSPF
protocol (adjacencies are not formed and hello packets are not generated).
set protocols ospf passive-interface default
This command specifies all interfaces as passive by default. Because this command changes the configuration
logic to a default passive; therefore, interfaces where router adjacencies are expected need to be configured with
the passive-interface-exclude command.
set protocols ospf passive-interface-exclude <interface>
This command allows exclude interface from passive state. This command is used if the command
passive-interface default was configured.
set protocols ospf refresh timers <seconds>
The router automatically updates link-state information with its neighbors. Only an obsolete information is updated
which age has exceeded a specific threshold. This parameter changes a threshold value, which by default is 1800
seconds (half an hour). The value is applied to the whole OSPF router. The timer range is 10 to 1800.
set protocols ospf timers throttle spf <delay|initial-holdtime|max-holdtime>
<seconds>
This command sets the initial delay, the initial-holdtime and the maximum-holdtime between when SPF is calcu-
lated and the event which triggered the calculation. The times are specified in milliseconds and must be in the range
of 0 to 600000 milliseconds. delay sets the initial SPF schedule delay in milliseconds. The default value is 200
ms. initial-holdtime sets the minimum hold time between two consecutive SPF calculations. The default

8.8. Protocols 419

 VyOS Documentation, 发布 1.4.x (sagitta)

value is 1000 ms. max-holdtime sets the maximum wait time between two consecutive SPF calculations. The
default value is 10000 ms.

Area Configuration

set protocols ospf area <number> area-type stub

This command specifies the area to be a Stub Area. That is, an area where no router originates routes external
to OSPF and hence an area where all external routes are via the ABR(s). Hence, ABRs for such an area do not
need to pass AS-External LSAs (type-5) or ASBR-Summary LSAs (type-4) into the area. They need only pass
Network-Summary (type-3) LSAs into such an area, along with a default-route summary.
set protocols ospf area <number> area-type stub no-summary
This command specifies the area to be a Totally Stub Area. In addition to stub area limitations this area type
prevents an ABR from injecting Network-Summary (type-3) LSAs into the specified stub area. Only default
summary route is allowed.
set protocols ospf area <number> area-type stub default-cost <number>
This command sets the cost of default-summary LSAs announced to stubby areas. The cost range is 0 to 16777215.
set protocols ospf area <number> area-type nssa
This command specifies the area to be a Not So Stubby Area. External routing information is imported into an
NSSA in Type-7 LSAs. Type-7 LSAs are similar to Type-5 AS-external LSAs, except that they can only be
flooded into the NSSA. In order to further propagate the NSSA external information, the Type-7 LSA must be
translated to a Type-5 AS-external-LSA by the NSSA ABR.
set protocols ospf area <number> area-type nssa no-summary
This command specifies the area to be a NSSA Totally Stub Area. ABRs for such an area do not need to pass
Network-Summary (type-3) LSAs (except the default summary route), ASBR-Summary LSAs (type-4) and AS-
External LSAs (type-5) into the area. But Type-7 LSAs that convert to Type-5 at the NSSA ABR are allowed.
set protocols ospf area <number> area-type nssa default-cost <number>
This command sets the default cost of LSAs announced to NSSA areas. The cost range is 0 to 16777215.
set protocols ospf area <number> area-type nssa translate
<always|candidate|never>
Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When
role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA
border routers. When role is Candidate, this router participates in the translator election to determine if it will
perform the translations duties. When role is Never, this router will never translate Type-7 LSAs into Type-5
LSAs.
set protocols ospf area <number> authentication plaintext-password
This command specifies that simple password authentication should be used for the given area. The password must
also be configured on a per-interface basis.
set protocols ospf area <number> authentication md5
This command specify that OSPF packets must be authenticated with MD5 HMACs within the given area. Keying
material must also be configured on a per-interface basis.
set protocols ospf area <number> range <A.B.C.D/M> [cost <number>]

8.8. Protocols 420

 VyOS Documentation, 发布 1.4.x (sagitta)

This command summarizes intra area paths from specified area into one summary-LSA (Type-3) announced to
other areas. This command can be used only in ABR and ONLY router-LSAs (Type-1) and network-LSAs (Type-
2) (i.e. LSAs with scope area) can be summarized. AS-external-LSAs (Type-5) can’t be summarized - their
scope is AS. The optional argument cost specifies the aggregated link metric. The metric range is 0 to 16777215.
set protocols ospf area <number> range <A.B.C.D/M> not-advertise
This command instead of summarizing intra area paths filter them - i.e. intra area paths from this range are not
advertised into other areas. This command makes sense in ABR only.
set protocols ospf area <number> range <A.B.C.D/M> substitute <E.F.G.H/M>
One Type-3 summary-LSA with routing info <E.F.G.H/M> is announced into backbone area if defined area con-
tains at least one intra-area network (i.e. described with router-LSA or network-LSA) from range <A.B.C.D/M>.
This command makes sense in ABR only.
set protocols ospf area <number> shortcut <default|disable|enable>
This parameter allows to“shortcut”routes (non-backbone) for inter-area routes. There are three modes available
for routes shortcutting:
default –this area will be used for shortcutting only if ABR does not have a link to the backbone area or this
link was lost. enable –the area will be used for shortcutting every time the route that goes through it is cheaper.
disable –this area is never used by ABR for routes shortcutting.
set protocols ospf area <number> virtual-link <A.B.C.D>
Provides a backbone area coherence by virtual link establishment.
In general, OSPF protocol requires a backbone area (area 0) to be coherent and fully connected. I.e. any backbone
area router must have a route to any other backbone area router. Moreover, every ABR must have a link to
backbone area. However, it is not always possible to have a physical link to a backbone area. In this case between
two ABR (one of them has a link to the backbone area) in the area (not stub area) a virtual link is organized.
<number> –area identifier through which a virtual link goes. <A.B.C.D> –ABR router-id with which a virtual
link is established. Virtual link must be configured on both routers.
Formally, a virtual link looks like a point-to-point network connecting two ABR from one area one of which
physically connected to a backbone area. This pseudo-network is considered to belong to a backbone area.

Interface Configuration

set protocols ospf interface <interface> authentication plaintext-password

<text>
This command sets OSPF authentication key to a simple password. After setting, all OSPF packets are authenti-
cated. Key has length up to 8 chars.
Simple text password authentication is insecure and deprecated in favour of MD5 HMAC authentication.
set protocols ospf interface <interface> authentication md5 key-id <id>
md5-key <text>
This command specifys that MD5 HMAC authentication must be used on this interface. It sets OSPF authenti-
cation key to a cryptographic password. Key-id identifies secret key used to create the message digest. This ID is
part of the protocol and must be consistent across routers on a link. The key can be long up to 16 chars (larger
strings will be truncated), and is associated with the given key-id.
set protocols ospf interface <interface> bandwidth <number>
This command sets the interface bandwidth for cost calculations, where bandwidth can be in range from 1 to
100000, specified in Mbits/s.

8.8. Protocols 421

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols ospf interface <interface> cost <number>

This command sets link cost for the specified interface. The cost value is set to router-LSA’s metric field and
used for SPF calculation. The cost range is 1 to 65535.
set protocols ospf interface <interface> dead-interval <number>
Set number of seconds for router Dead Interval timer value used for Wait Timer and Inactivity Timer. This value
must be the same for all routers attached to a common network. The default value is 40 seconds. The interval
range is 1 to 65535.
set protocols ospf interface <interface> hello-multiplier <number>
The hello-multiplier specifies how many Hellos to send per second, from 1 (every second) to 10 (every 100ms).
Thus one can have 1s convergence time for OSPF. If this form is specified, then the hello-interval advertised in
Hello packets is set to 0 and the hello-interval on received Hello packets is not checked, thus the hello-multiplier
need NOT be the same across multiple routers on a common link.
set protocols ospf interface <interface> hello-interval <number>
Set number of seconds for Hello Interval timer value. Setting this value, Hello packet will be sent every timer value
seconds on the specified interface. This value must be the same for all routers attached to a common network.
The default value is 10 seconds. The interval range is 1 to 65535.
set protocols ospf interface <interface> bfd
This command enables BFD on this OSPF link interface.
set protocols ospf interface <interface> mtu-ignore
This command disables check of the MTU value in the OSPF DBD packets. Thus, use of this command allows
the OSPF adjacency to reach the FULL state even though there is an interface MTU mismatch between two OSPF
routers.
set protocols ospf interface <interface> network <type>
This command allows to specify the distribution type for the network connected to this interface:
broadcast –broadcast IP addresses distribution. non-broadcast –address distribution in NBMA networks topol-
ogy. point-to-multipoint –address distribution in point-to-multipoint networks. point-to-point –address distri-
bution in point-to-point networks.
set protocols ospf interface <interface> priority <number>
This command sets Router Priority integer value. The router with the highest priority will be more eligible to
become Designated Router. Setting the value to 0, makes the router ineligible to become Designated Router. The
default value is 1. The interval range is 0 to 255.
set protocols ospf interface <interface> retransmit-interval <number>
This command sets number of seconds for RxmtInterval timer value. This value is used when retransmitting
Database Description and Link State Request packets if acknowledge was not received. The default value is 5
seconds. The interval range is 3 to 65535.
set protocols ospf interface <interface> transmit-delay <number>
This command sets number of seconds for InfTransDelay value. It allows to set and adjust for each interface the
delay interval before starting the synchronizing process of the router’s database with all neighbors. The default
value is 1 seconds. The interval range is 3 to 65535.

8.8. Protocols 422

 VyOS Documentation, 发布 1.4.x (sagitta)

Manual Neighbor Configuration

OSPF routing devices normally discover their neighbors dynamically by listening to the broadcast or multicast hello
packets on the network. Because an NBMA network does not support broadcast (or multicast), the device cannot discover
its neighbors dynamically, so you must configure all the neighbors statically.
set protocols ospf neighbor <A.B.C.D>
This command specifies the IP address of the neighboring device.
set protocols ospf neighbor <A.B.C.D> poll-interval <seconds>
This command specifies the length of time, in seconds, before the routing device sends hello packets out of the
interface before it establishes adjacency with a neighbor. The range is 1 to 65535 seconds. The default value is 60
seconds.
set protocols ospf neighbor <A.B.C.D> priority <number>
This command specifies the router priority value of the nonbroadcast neighbor associated with the IP address
specified. The default is 0. This keyword does not apply to point-to-multipoint interfaces.

Redistribution Configuration

set protocols ospf redistribute <route source>

This command redistributes routing information from the given route source to the OSPF process. There are five
modes available for route source: bgp, connected, kernel, rip, static.
set protocols ospf default-metric <number>
This command specifies the default metric value of redistributed routes. The metric range is 0 to 16777214.
set protocols ospf redistribute <route source> metric <number>
This command specifies metric for redistributed routes from the given route source. There are five modes available
for route source: bgp, connected, kernel, rip, static. The metric range is 1 to 16777214.
set protocols ospf redistribute <route source> metric-type <1|2>
This command specifies metric type for redistributed routes. Difference between two metric types that metric
type 1 is a metric which is “commensurable”with inner OSPF links. When calculating a metric to the external
destination, the full path metric is calculated as a metric sum path of a router which had advertised this link plus the
link metric. Thus, a route with the least summary metric will be selected. If external link is advertised with metric
type 2 the path is selected which lies through the router which advertised this link with the least metric despite of
the fact that internal path to this router is longer (with more cost). However, if two routers advertised an external
link and with metric type 2 the preference is given to the path which lies through the router with a shorter internal
path. If two different routers advertised two links to the same external destimation but with different metric type,
metric type 1 is preferred. If type of a metric left undefined the router will consider these external links to have a
default metric type 2.
set protocols ospf redistribute <route source> route-map <name>
This command allows to use route map to filter redistributed routes from the given route source. There are five
modes available for route source: bgp, connected, kernel, rip, static.

8.8. Protocols 423

 VyOS Documentation, 发布 1.4.x (sagitta)

Operational Mode Commands

show ip ospf neighbor

This command displays the neighbors status.

Neighbor ID Pri State Dead Time Address Interface ␣

,→ RXmtL RqstL DBsmL
10.0.13.1 1 Full/DR 38.365s 10.0.13.1 eth0:10.0.13.3 ␣
,→ 0 0 0
10.0.23.2 1 Full/Backup 39.175s 10.0.23.2 eth1:10.0.23.3 ␣
,→ 0 0 0

show ip ospf neighbor detail

This command displays the neighbors information in a detailed form, not just a summary table.

Neighbor 10.0.13.1, interface address 10.0.13.1

In the area 0.0.0.0 via interface eth0
Neighbor priority is 1, State is Full, 5 state changes
Most recent state change statistics:
Progressive change 11m55s ago
DR is 10.0.13.1, BDR is 10.0.13.3
Options 2 *|-|-|-|-|-|E|-
Dead timer due in 34.854s
Database Summary List 0
Link State Request List 0
Link State Retransmission List 0
Thread Inactivity Timer on
Thread Database Description Retransmision off
Thread Link State Request Retransmission on
Thread Link State Update Retransmission on

Neighbor 10.0.23.2, interface address 10.0.23.2

In the area 0.0.0.1 via interface eth1
Neighbor priority is 1, State is Full, 4 state changes
Most recent state change statistics:
Progressive change 41.193s ago
DR is 10.0.23.3, BDR is 10.0.23.2
Options 2 *|-|-|-|-|-|E|-
Dead timer due in 35.661s
Database Summary List 0
Link State Request List 0
Link State Retransmission List 0
Thread Inactivity Timer on
Thread Database Description Retransmision off
Thread Link State Request Retransmission on
Thread Link State Update Retransmission on

show ip ospf neighbor <A.B.C.D>

This command displays the neighbors information in a detailed form for a neighbor whose IP address is specified.
show ip ospf neighbor <intname>
This command displays the neighbors status for a neighbor on the specified interface.
show ip ospf interface [<intname>]
This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is
given.

8.8. Protocols 424

 VyOS Documentation, 发布 1.4.x (sagitta)

eth0 is up
ifindex 2, MTU 1500 bytes, BW 4294967295 Mbit <UP,BROADCAST,RUNNING,MULTICAST>
Internet Address 10.0.13.3/24, Broadcast 10.0.13.255, Area 0.0.0.0
MTU mismatch detection: enabled
Router ID 10.0.23.3, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State Backup, Priority 1
Backup Designated Router (ID) 10.0.23.3, Interface Address 10.0.13.3
Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 4.470s
Neighbor Count is 1, Adjacent neighbor count is 1
eth1 is up
ifindex 3, MTU 1500 bytes, BW 4294967295 Mbit <UP,BROADCAST,RUNNING,MULTICAST>
Internet Address 10.0.23.3/24, Broadcast 10.0.23.255, Area 0.0.0.1
MTU mismatch detection: enabled
Router ID 10.0.23.3, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Backup Designated Router (ID) 10.0.23.2, Interface Address 10.0.23.2
Saved Network-LSA sequence number 0x80000002
Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 4.563s
Neighbor Count is 1, Adjacent neighbor count is 1

show ip ospf route

This command displays the OSPF routing table, as determined by the most recent SPF calculation.

============ OSPF network routing table ============

N IA 10.0.12.0/24 [3] area: 0.0.0.0
via 10.0.13.3, eth0
N 10.0.13.0/24 [1] area: 0.0.0.0
directly attached to eth0
N IA 10.0.23.0/24 [2] area: 0.0.0.0
via 10.0.13.3, eth0
N 10.0.34.0/24 [2] area: 0.0.0.0
via 10.0.13.3, eth0

============ OSPF router routing table =============

R 10.0.23.3 [1] area: 0.0.0.0, ABR
via 10.0.13.3, eth0
R 10.0.34.4 [2] area: 0.0.0.0, ASBR
via 10.0.13.3, eth0

============ OSPF external routing table ===========

N E2 172.16.0.0/24 [2/20] tag: 0
via 10.0.13.3, eth0

The table consists of following data:

OSPF network routing table –includes a list of acquired routes for all accessible networks (or aggregated area ranges)
of OSPF system. “IA”flag means that route destination is in the area to which the router is not connected, i.e. it’s an
inter-area path. In square brackets a summary metric for all links through which a path lies to this network is specified.
“via”prefix defines a router-gateway, i.e. the first router on the way to the destination (next hop). OSPF router routing
table –includes a list of acquired routes to all accessible ABRs and ASBRs. OSPF external routing table –includes a
list of acquired routes that are external to the OSPF process. “E”flag points to the external link metric type (E1 –metric
type 1, E2 –metric type 2). External link metric is printed in the“<metric of the router which advertised the link>/<link
metric>”format.

8.8. Protocols 425

 VyOS Documentation, 发布 1.4.x (sagitta)

show ip ospf border-routers

This command displays a table of paths to area boundary and autonomous system boundary routers.
show ip ospf database
This command displays a summary table with a database contents (LSA).
OSPF Router with ID (10.0.13.1)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Link count

10.0.13.1 10.0.13.1 984 0x80000005 0xd915 1
10.0.23.3 10.0.23.3 1186 0x80000008 0xfe62 2
10.0.34.4 10.0.34.4 1063 0x80000004 0x4e3f 1

Net Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum

10.0.13.1 10.0.13.1 994 0x80000003 0x30bb
10.0.34.4 10.0.34.4 1188 0x80000001 0x9411

Summary Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Route

10.0.12.0 10.0.23.3 1608 0x80000001 0x6ab6 10.0.12.0/24
10.0.23.0 10.0.23.3 981 0x80000003 0xe232 10.0.23.0/24

AS External Link States

Link ID ADV Router Age Seq# CkSum Route

172.16.0.0 10.0.34.4 1063 0x80000001 0xc40d E2 172.16.0.0/24 [0x0]

show ip ospf database <type> [A.B.C.D] [adv-router <A.B.C.D>|self-originate]

This command displays a database contents for a specific link advertisement type.
The type can be the following: asbr-summary, external, network, nssa-external, opaque-area, opaque-as,
opaque-link, router, summary.
[A.B.C.D] –link-state-id. With this specified the command displays portion of the network environment
that is being described by the advertisement. The value entered depends on the advertisement’s LS
type. It must be entered in the form of an IP address.
adv-router <A.B.C.D> –router id, which link advertisements need to be reviewed.
self-originate displays only self-originated LSAs from the local router.
OSPF Router with ID (10.0.13.1)

Router Link States (Area 0.0.0.0)

LS age: 1213
Options: 0x2 : *|-|-|-|-|-|E|-
LS Flags: 0x3
Flags: 0x0
LS Type: router-LSA
Link State ID: 10.0.13.1
Advertising Router: 10.0.13.1
LS Seq Number: 80000009
(下页继续)

8.8. Protocols 426

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Checksum: 0xd119
Length: 36

Number of Links: 1

Link connected to: a Transit Network

(Link ID) Designated Router address: 10.0.13.1
(Link Data) Router Interface address: 10.0.13.1
Number of TOS metrics: 0
TOS 0 Metric: 1

show ip ospf database max-age

This command displays LSAs in MaxAge list.

Configuration Example

Below you can see a typical configuration using 2 nodes, redistribute loopback address and the node 1 sending the default
route:
Node 1

set interfaces loopback lo address 10.1.1.1/32

set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf default-information originate always
set protocols ospf default-information originate metric 10
set protocols ospf default-information originate metric-type 2
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 10.1.1.1
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT

set policy route-map CONNECT rule 10 action permit

set policy route-map CONNECT rule 10 match interface lo

Node 2

set interfaces loopback lo address 10.2.2.2/32

set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 10.2.2.2
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT

set policy route-map CONNECT rule 10 action permit

set policy route-map CONNECT rule 10 match interface lo

8.8. Protocols 427

 VyOS Documentation, 发布 1.4.x (sagitta)

OSPFv3 (IPv6)

Configuration

General

VyOS does not have a special command to start the OSPFv3 process. The OSPFv3 process starts when the first ospf
enabled interface is configured.
set protocols ospfv3 area <number> interface <interface>
This command specifies the OSPFv3 enabled interface. This command is also used to enable the OSPF process.
The area number can be specified in decimal notation in the range from 0 to 4294967295. Or it can be specified
in dotted decimal notation similar to ip address.
set protocols ospfv3 parameters router-id <rid>
This command sets the router-ID of the OSPFv3 process. The router-ID may be an IP address of the router,
but need not be –it can be any arbitrary 32bit number. However it MUST be unique within the entire OSPFv3
domain to the OSPFv3 speaker –bad things will happen if multiple OSPFv3 speakers are configured with the same
router-ID!

Optional

set protocols ospfv3 distance global <distance>

This command change distance value of OSPFv3 globally. The distance range is 1 to 255.
set protocols ospfv3 distance ospfv3 <external|inter-area|intra-area>
<distance>
This command change distance value of OSPFv3. The arguments are the distance values for external routes,
inter-area routes and intra-area routes respectively. The distance range is 1 to 255.

Area Configuration

set protocols ospfv3 area <number> range <prefix>

This command summarizes intra area paths from specified area into one Type-3 Inter-Area Prefix LSA announced
to other areas. This command can be used only in ABR.
set protocols ospfv3 area <number> range <prefix> not-advertise
This command instead of summarizing intra area paths filter them - i.e. intra area paths from this range are not
advertised into other areas. This command makes sense in ABR only.

8.8. Protocols 428

 VyOS Documentation, 发布 1.4.x (sagitta)

Interface Configuration

set interfaces <inttype> <intname> ipv6 ospfv3 cost <number>

This command sets link cost for the specified interface. The cost value is set to router-LSA’s metric field and
used for SPF calculation. The cost range is 1 to 65535.
set interfaces <inttype> <intname> ipv6 ospfv3 dead-interval <number>
Set number of seconds for router Dead Interval timer value used for Wait Timer and Inactivity Timer. This value
must be the same for all routers attached to a common network. The default value is 40 seconds. The interval
range is 1 to 65535.
set interfaces <inttype> <intname> ipv6 ospfv3 hello-interval <number>
Set number of seconds for Hello Interval timer value. Setting this value, Hello packet will be sent every timer value
seconds on the specified interface. This value must be the same for all routers attached to a common network.
The default value is 10 seconds. The interval range is 1 to 65535.
set interfaces <inttype> <intname> ipv6 ospfv3 mtu-ignore
This command disables check of the MTU value in the OSPF DBD packets. Thus, use of this command allows
the OSPF adjacency to reach the FULL state even though there is an interface MTU mismatch between two OSPF
routers.
set interfaces <inttype> <intname> ipv6 ospfv3 network <type>
This command allows to specify the distribution type for the network connected to this interface:
broadcast –broadcast IP addresses distribution. point-to-point –address distribution in point-to-point networks.
set interfaces <inttype> <intname> ipv6 ospfv3 priority <number>
This command sets Router Priority integer value. The router with the highest priority will be more eligible to
become Designated Router. Setting the value to 0, makes the router ineligible to become Designated Router. The
default value is 1. The interval range is 0 to 255.
set interfaces <inttype> <intname> ipv6 ospfv3 passive
This command specifies interface as passive. Passive interface advertises its address, but does not run the OSPF
protocol (adjacencies are not formed and hello packets are not generated).
set interfaces <inttype> <intname> ipv6 ospfv3 retransmit-interval <number>
This command sets number of seconds for RxmtInterval timer value. This value is used when retransmitting
Database Description and Link State Request packets if acknowledge was not received. The default value is 5
seconds. The interval range is 3 to 65535.
set interfaces <inttype> <intname> ipv6 ospfv3 transmit-delay <number>
This command sets number of seconds for InfTransDelay value. It allows to set and adjust for each interface the
delay interval before starting the synchronizing process of the router’s database with all neighbors. The default
value is 1 seconds. The interval range is 3 to 65535.

8.8. Protocols 429

 VyOS Documentation, 发布 1.4.x (sagitta)

Redistribution Configuration

set protocols ospfv3 redistribute <route source>

This command redistributes routing information from the given route source to the OSPFv3 process. There are
five modes available for route source: bgp, connected, kernel, ripng, static.
set protocols ospf redistribute <route source> route-map <name>
This command allows to use route map to filter redistributed routes from given route source. There are five modes
available for route source: bgp, connected, kernel, ripng, static.

Operational Mode Commands

show ipv6 ospfv3 neighbor

This command displays the neighbors status.
show ipv6 ospfv3 neighbor detail
This command displays the neighbors information in a detailed form, not just a summary table.
show ipv6 ospfv3 neighbor <A.B.C.D>
This command displays the neighbors information in a detailed form for a neighbor whose IP address is specified.
show ipv6 ospfv3 neighbor <intname>
This command displays the neighbors status for a neighbor on the specified interface.
show ipv6 ospfv3 interface [prefix]|[<intname> [prefix]]
This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is
given. Whith the argument prefix this command shows connected prefixes to advertise.
show ipv6 ospfv3 route
This command displays the OSPF routing table, as determined by the most recent SPF calculation.
show ipv6 ospfv3 border-routers
This command displays a table of paths to area boundary and autonomous system boundary routers.
show ipv6 ospfv3 database
This command displays a summary table with a database contents (LSA).
show ipv6 ospfv3 database <type> [A.B.C.D] [adv-router <A.B.C.
D>|self-originate]
This command displays a database contents for a specific link advertisement type.
show ipv6 ospfv3 redistribute
This command displays external information redistributed into OSPFv3

8.8. Protocols 430

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration Example

A typical configuration using 2 nodes.

Node 1:

set protocols ospfv3 area 0.0.0.0 interface eth1

set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
set protocols ospfv3 parameters router-id 192.168.1.1
set protocols ospfv3 redistribute connected

Node 2:

set protocols ospfv3 area 0.0.0.0 interface eth1

set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
set protocols ospfv3 parameters router-id 192.168.2.1
set protocols ospfv3 redistribute connected

To see the redistributed routes:

show ipv6 ospfv3 redistribute

注解: You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to
configure link-local addresses manually on the WireGuard interfaces, see T1483.

Example configuration for WireGuard interfaces:

Node 1

set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64'

set interfaces wireguard wg01 address '192.168.0.1/24'
set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0'
set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345'
set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...='
set interfaces wireguard wg01 port '12345'
set protocols ospfv3 parameters router-id 192.168.1.1
set protocols ospfv3 area 0.0.0.0 interface 'wg01'
set protocols ospfv3 area 0.0.0.0 interface 'lo'

Node 2

set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64'

set interfaces wireguard wg01 address '192.168.0.2/24'
set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0'
set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345'
set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...='
set interfaces wireguard wg01 port '12345'
set protocols ospfv3 parameters router-id 192.168.1.2
set protocols ospfv3 area 0.0.0.0 interface 'wg01'
set protocols ospfv3 area 0.0.0.0 interface 'lo'

Status

8.8. Protocols 431

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@ospf01:~$ sh ipv6 ospfv3 neighbor

Neighbor ID Pri DeadTime State/IfState Duration I/F[State]
192.168.0.2 1 00:00:37 Full/PointToPoint 00:18:03 wg01[PointToPoint]

vyos@ospf02# run sh ipv6 ospfv3 neighbor

Neighbor ID Pri DeadTime State/IfState Duration I/F[State]
192.168.0.1 1 00:00:39 Full/PointToPoint 00:19:44 wg01[PointToPoint]

8.8.7 RIP

RIP (Routing Information Protocol) is a widely deployed interior gateway protocol. RIP was developed in the 1970s
at Xerox Labs as part of the XNS routing protocol. RIP is a distance-vector protocol and is based on the Bellman-
Ford algorithms. As a distance-vector protocol, RIP router send updates to its neighbors periodically, thus allowing the
convergence to a known topology. In each update, the distance to any given network will be broadcast to its neighboring
router.
Supported versions of RIP are:
• RIPv1 as described in RFC 1058
• RIPv2 as described in RFC 2453

General Configuration

set protocols rip network <A.B.C.D/M>

This command enables RIP and sets the RIP enable interface by NETWORK. The interfaces which have addresses
matching with NETWORK are enabled.
set protocols rip interface <interface>
This command specifies a RIP enabled interface by interface name. Both the sending and receiving of RIP packets
will be enabled on the port specified in this command.
set protocols rip neighbor <A.B.C.D>
This command specifies a RIP neighbor. When a neighbor doesn’t understand multicast, this command is used to
specify neighbors. In some cases, not all routers will be able to understand multicasting, where packets are sent to
a network or a group of addresses. In a situation where a neighbor cannot process multicast packets, it is necessary
to establish a direct link between routers.
set protocols rip passive-interface interface <interface>
This command sets the specified interface to passive mode. On passive mode interface, all receiving packets are
processed as normal and VyOS does not send either multicast or unicast RIP packets except to RIP neighbors
specified with neighbor command.
set protocols rip passive-interface interface default
This command specifies all interfaces to passive mode.

8.8. Protocols 432

 VyOS Documentation, 发布 1.4.x (sagitta)

Optional Configuration

set protocols rip default-distance <distance>

This command change distance value of RIP. The distance range is 1 to 255.

注解: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

set protocols rip network-distance <A.B.C.D/M> distance <distance>

This command sets default RIP distance to specified value when the route’s source IP address matches the specified
prefix.
set protocols rip network-distance <A.B.C.D/M> access-list <name>
This command can be used with previous command to sets default RIP distance to specified value when the route’
s source IP address matches the specified prefix and the specified access-list.
set protocols rip default-information originate
This command generate a default route into the RIP.
set protocols rip distribute-list access-list <in|out> <number>
This command can be used to filter the RIP path using access lists. in and out this is the direction in which the
access lists are applied.
set protocols rip distribute-list interface <interface> access-list <in|out>
<number>
This command allows you apply access lists to a chosen interface to filter the RIP path.
set protocols rip distribute-list prefix-list <in|out> <name>
This command can be used to filter the RIP path using prefix lists. in and out this is the direction in which the
prefix lists are applied.
set protocols rip distribute-list interface <interface> prefix-list <in|out>
<name>
This command allows you apply prefix lists to a chosen interface to filter the RIP path.
set protocols rip route <A.B.C.D/M>
This command is specific to FRR and VyOS. The route command makes a static route only inside RIP. This
command should be used only by advanced users who are particularly knowledgeable about the RIP protocol. In
most cases, we recommend creating a static route in VyOS and redistributing it in RIP using redistribute
static.
set protocols rip timers update <seconds>
This command specifies the update timer. Every update timer seconds, the RIP process is awakened to send an
unsolicited response message containing the complete routing table to all neighboring RIP routers. The time range
is 5 to 2147483647. The default value is 30 seconds.
set protocols rip timers timeout <seconds>
This command specifies the timeout timer. Upon expiration of the timeout, the route is no longer valid; however,
it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped.
The time range is 5 to 2147483647. The default value is 180 seconds.
set protocols rip timers garbage-collection <seconds>

8.8. Protocols 433

 VyOS Documentation, 发布 1.4.x (sagitta)

This command specifies the garbage-collection timer. Upon expiration of the garbage-collection timer, the route
is finally removed from the routing table. The time range is 5 to 2147483647. The default value is 120 seconds.

Redistribution Configuration

set protocols rip redistribute <route source>

This command redistributes routing information from the given route source into the RIP tables. There are five
modes available for route source: bgp, connected, kernel, ospf, static.
set protocols rip redistribute <route source> metric <metric>
This command specifies metric for redistributed routes from the given route source. There are five modes available
for route source: bgp, connected, kernel, ospf, static. The metric range is 1 to 16.
set protocols rip redistribute <route source> route-map <name>
This command allows to use route map to filter redistributed routes from the given route source. There are five
modes available for route source: bgp, connected, kernel, ospf, static.
set protocols rip default-metric <metric>
This command modifies the default metric (hop count) value for redistributed routes. The metric range is 1
to 16. The default value is 1. This command does not affect connected route even if it is redistributed by
redistribute connected. To modify connected route’s metric value, please use redistribute
connected metric.

Interfaces Configuration

set interfaces <inttype> <intname> ip rip authentication plaintext-password

<text>
This command sets the interface with RIP simple password authentication. This command also sets authentication
string. The string must be shorter than 16 characters.
set interfaces <inttype> <intname> ip rip authentication md5 <id> password
<text>
This command sets the interface with RIP MD5 authentication. This command also sets MD5 Key. The key must
be shorter than 16 characters.
set interfaces <inttype> <intname> ip rip split-horizon disable
This command disables split-horizon on the interface. By default, VyOS does not advertise RIP routes out the
interface over which they were learned (split horizon).
set interfaces <inttype> <intname> ip rip split-horizon poison-reverse
This command enables poison-reverse on the interface. If both poison reverse and split horizon are enabled, then
VyOS advertises the learned routes as unreachable over the interface on which the route was learned.

8.8. Protocols 434

 VyOS Documentation, 发布 1.4.x (sagitta)

Operational Mode Commands

show ip rip
This command displays RIP routes.

Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP

Sub-codes:
(n) - normal, (s) - static, (d) - default, (r) - redistribute,
(i) - interface

Network Next Hop Metric From Tag Time

C(i) 10.0.12.0/24 0.0.0.0 1 self 0
C(i) 10.0.13.0/24 0.0.0.0 1 self 0
R(n) 10.0.23.0/24 10.0.12.2 2 10.0.12.2 0 02:53

show ip rip status

The command displays current RIP status. It includes RIP timer, filtering, version, RIP enabled interface and RIP
peer information.

Routing Protocol is "rip"

Sending updates every 30 seconds with +/-50%, next due in 11 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface Send Recv Key-chain
eth0 2 1 2
eth2 2 1 2
Routing for Networks:
10.0.12.0/24
eth0
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
10.0.12.2 0 0 120 00:00:11
Distance: (default is 120)

Configuration Example

Simple RIP configuration using 2 nodes and redistributing connected interfaces.

Node 1:

set interfaces loopback address 10.1.1.1/32

set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected

Node 2:

set interfaces loopback address 10.2.2.2/32

set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected

8.8. Protocols 435

 VyOS Documentation, 发布 1.4.x (sagitta)

8.8.8 RPKI

There are two types of Network Admins who deal with BGP, those who have created an international incident
and/or outage, and those who are lying
—tweet by EvilMog, 2020-02-21
RPKI (Resource Public Key Infrastructure) is a framework PKI (Public Key Infrastructure) designed to secure the Internet
routing infrastructure. It associates BGP route announcements with the correct originating ASN which BGP routers can
then use to check each route against the corresponding ROA (Route Origin Authorisation) for validity. RPKI is described
in RFC 6480.
A BGP-speaking router like VyOS can retrieve ROA information from RPKI“Relying Party software”(often just called
an “RPKI server”or “RPKI validator”) by using RTR (RPKI to Router) protocol. There are several open source
implementations to choose from, such as NLNetLabs’Routinator (written in Rust), Cloudflare’s GoRTR and OctoRPKI
(written in Go), and RIPE NCC’s RPKI Validator (written in Java). The RTR protocol is described in RFC 8210.

小技巧: If you are new to these routing security technologies then there is an excellent guide to RPKI by NLnet Labs
which will get you up to speed very quickly. Their documentation explains everything from what RPKI is to deploying it
in production (albeit with a focus on using NLnet Labs’tools). It also has some help and operational guidance including
“What can I do about my route having an Invalid state?”

Getting started

First you will need to deploy an RPKI validator for your routers to use. The RIPE NCC helpfully provide some instructions
to get you started with several different options. Once your server is running you can start validating announcements.
Imported prefixes during the validation may have values:
valid The prefix and ASN that originated it match a signed ROA. These are probably trustworthy route
announcements.
invalid The prefix or prefix length and ASN that originated it doesn’t match any existing ROA. This
could be the result of a prefix hijack, or merely a misconfiguration, but should probably be treated as
untrustworthy route announcements.
notfound No ROA exists which covers that prefix. Unfortunately this is the case for about 80% of the IPv4
prefixes which were announced to the DFZ (default-free zone) at the start of 2020 (see more detail in
NLnet Labs’RPKI analytics).

注解: If you are responsible for the global addresses assigned to your network, please make sure that your prefixes have
ROAs associated with them to avoid being notfound by RPKI. For most ASNs this will involve publishing ROAs via
your RIR (Regional Internet Registry) (RIPE NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are
encouraged to do whenever you plan to announce addresses into the DFZ.
Particularly large networks may wish to run their own RPKI certificate authority and publication server instead of pub-
lishing ROAs via their RIR. This is a subject far beyond the scope of VyOS’documentation. Consider reading about
Krill if this is a rabbit hole you need or especially want to dive down.

8.8. Protocols 436

 VyOS Documentation, 发布 1.4.x (sagitta)

Features of the Current Implementation

In a nutshell, the current implementation provides the following features:

• The BGP router can connect to one or more RPKI cache servers to receive validated prefix to origin AS mappings.
Advanced failover can be implemented by server sockets with different preference values.
• If no connection to an RPKI cache server can be established after a pre-defined timeout, the router will process
routes without prefix origin validation. It still will try to establish a connection to an RPKI cache server in the
background.
• By default, enabling RPKI does not change best path selection. In particular, invalid prefixes will still be considered
during best path selection. However, the router can be configured to ignore all invalid prefixes.
• Route maps can be configured to match a specific RPKI validation state. This allows the creation of local policies,
which handle BGP routes based on the outcome of the Prefix Origin Validation.
• Updates from the RPKI cache servers are directly applied and path selection is updated accordingly. (Soft recon-
figuration must be enabled for this to work).

Configuration

protocols rpki polling-period <1-86400>

Define the time interval to update the local cache
The default value is 300 seconds.
protocols rpki cache <address> port <port>
Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching instance which is used.
This is a mandatory setting.
protocols rpki cache <address> preference <preference>
Multiple RPKI caching instances can be supplied and they need a preference in which their result sets are used.
This is a mandatory setting.

SSH

Connections to the RPKI caching server can not only be established by HTTP/TLS but you can also rely on a secure
SSH session to the server. To enable SSH you first need to create yoursels an SSH client keypair using generate ssh
client-key /config/auth/id_rsa_rpki. Once your key is created you can setup the connection.
protocols rpki cache <address> ssh username <user>
SSH username to establish an SSH connection to the cache server.
protocols rpki cache <address> ssh known-hosts-file <filepath>
Local path that includes the known hosts file.
protocols rpki cache <address> ssh private-key-file <filepath>
Local path that includes the private key file of the router.
protocols rpki cache <address> ssh public-key-file <filepath
Local path that includes the public key file of the router.

8.8. Protocols 437

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: When using SSH, known-hosts-file, private-key-file and public-key-file are mandatory options.

Example

We can build route-maps for import based on these states. Here is a simple RPKI configuration, where routinator is the
RPKI-validating “cache”server with ip 192.0.2.1:

set protocols rpki cache 192.0.2.1 port '3323'

set protocols rpki cache 192.0.2.1 preference '1'

Here is an example route-map to apply to routes learned at import. In this filter we reject prefixes with the state invalid,
and set a higher local-preference if the prefix is RPKI valid rather than merely notfound.

set policy route-map ROUTES-IN rule 10 action 'permit'

set policy route-map ROUTES-IN rule 10 match rpki 'valid'
set policy route-map ROUTES-IN rule 10 set local-preference '300'
set policy route-map ROUTES-IN rule 20 action 'permit'
set policy route-map ROUTES-IN rule 20 match rpki 'notfound'
set policy route-map ROUTES-IN rule 20 set local-preference '125'
set policy route-map ROUTES-IN rule 30 action 'deny'
set policy route-map ROUTES-IN rule 30 match rpki 'invalid'

Once your routers are configured to reject RPKI-invalid prefixes, you can test whether the configuration is working cor-
rectly using the RIPE Labs RPKI Test experimental tool.

8.8.9 Static

Static routes are manually configured routes, which, in general, cannot be updated dynamically from information VyOS
learns about the network topology from other routing protocols. However, if a link fails, the router will remove routes,
including static routes, from the RIPB (Routing Information Base) that used this interface to reach the next hop. In
general, static routes should only be used for very simple network topologies, or to override the behavior of a dynamic
routing protocol for a small number of routes. The collection of all routes the router has learned from its configuration
or from its dynamic routing protocols is stored in the RIB. Unicast routes are directly used to determine the forwarding
table used for unicast packet forwarding.

Static Routes

set protocols static route <subnet> next-hop <address>

Configure next-hop <address> for an IPv4 static route. Multiple static routes can be created.
set protocols static route <subnet> next-hop <address> disable
Disable this IPv4 static route entry.
set protocols static route <subnet> next-hop <address> distance <distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.

8.8. Protocols 438

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

set protocols static route6 <subnet> next-hop <address>

Configure next-hop <address> for an IPv6 static route. Multiple static routes can be created.
set protocols static route6 <subnet> next-hop <address> disable
Disable this IPv6 static route entry.
set protocols static route6 <subnet> next-hop <address> distance <distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.

注解: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

Interface Routes

set protocols static route <subnet> interface <interface>

Allows you to configure the next-hop interface for an interface-based IPv4 static route. <interface> will be the
next-hop interface where trafic is routed for the given <subnet>.
set protocols static route <subnet> interface <interface> disable
Disables interface-based IPv4 static route.
set protocols static route <subnet> interface <interface> distance <distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.
set protocols static route6 <subnet> interface <interface>
Allows you to configure the next-hop interface for an interface-based IPv6 static route. <interface> will be the
next-hop interface where trafic is routed for the given <subnet>.
set protocols static route6 <subnet> interface <interface> disable
Disables interface-based IPv6 static route.
set protocols static route6 <subnet> interface <interface> distance <distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.

8.8. Protocols 439

 VyOS Documentation, 发布 1.4.x (sagitta)

Blackhole

set protocols static route <subnet> blackhole

Use this command to configure a “black-hole”route on the router. A black-hole route is a route for which the
system silently discard packets that are matched. This prevents networks leaking out public interfaces, but it does
not prevent them from being used as a more specific route inside your network.
set protocols static route <subnet> blackhole distance <distance>
Defines blackhole distance for this route, routes with smaller administrative distance are elected prior those with
a higher distance.
set protocols static route6 <subnet> blackhole
Use this command to configure a “black-hole”route on the router. A black-hole route is a route for which the
system silently discard packets that are matched. This prevents networks leaking out public interfaces, but it does
not prevent them from being used as a more specific route inside your network.
set protocols static route6 <subnet> blackhole distance <distance>
Defines blackhole distance for this route, routes with smaller administrative distance are elected prior those with
a higher distance.

Alternate Routing Tables

TBD
Alternate routing tables are used with policy based routing of by utilizing VRF.

8.8.10 ARP

ARP (Address Resolution Protocol) is a communication protocol used for discovering the link layer address, such as a
MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function
in the Internet protocol suite. ARP was defined in 1982 by RFC 826 which is Internet Standard STD 37.
In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol
(NDP).
To manipulate or display ARP table entries, the following commands are implemented.

Configure

set protocols static arp <address> hwaddr <mac>

This will configure a static ARP entry always resolving <address> to <mac>.
Example:

set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa

8.8. Protocols 440

 VyOS Documentation, 发布 1.4.x (sagitta)

Operation

show protocols static arp

Display all known ARP table entries spanning across all interfaces

vyos@vyos:~$ show protocols static arp

Address HWtype HWaddress Flags Mask Iface
10.1.1.1 ether 00:53:00:de:23:2e C eth1
10.1.1.100 ether 00:53:00:de:23:aa CM eth1

show protocols static arp interface eth1

Display all known ARP table entries on a given interface only (eth1):

vyos@vyos:~$ show protocols static arp interface eth1

Address HWtype HWaddress Flags Mask Iface
10.1.1.1 ether 00:53:00:de:23:2e C eth1
10.1.1.100 ether 00:53:00:de:23:aa CM eth1

8.9 Service

8.9.1 UDP Broadcast Relay

Certain vendors use broadcasts to identify their equipment within one ethernet segment. Unfortunately if you split your
network with multiple VLANs you loose the ability of identifying your equipment.
This is where“UDP broadcast relay”comes into play! It will forward received broadcasts to other configured networks.
Every UDP port which will be forward requires one unique ID. Currently we support 99 IDs!

Configuration

set service broadcast-relay id <n> description <description>

A description can be added for each and every unique relay ID. This is useful to distinguish between multiple
different ports/appliactions.
set service broadcast-relay id <n> interface <interface>
The interface used to receive and relay individual broadcast packets. If you want to receive/relay packets on both
eth1 and eth2 both interfaces need to be added.
set service broadcast-relay id <n> port <port>
The UDP port number used by your apllication. It is mandatory for this kind of operation.
set service broadcast-relay id <n> disable
Each broadcast relay instance can be individually disabled without deleting the configured node by using the fol-
lowing command:
set service broadcast-relay disable
In addition you can also disable the whole service without the need to remove it from the current configuration.

8.9. Service 441

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: You can run the UDP broadcast relay service on multiple routers connected to a subnet. There is NO UDP
broadcast relay packet storm!

Example

To forward all broadcast packets received on UDP port 1900 on eth3, eth4 or eth5 to all other interfaces in this configu-
ration.

set service broadcast-relay id 1 description 'SONOS'

set service broadcast-relay id 1 interface 'eth3'
set service broadcast-relay id 1 interface 'eth4'
set service broadcast-relay id 1 interface 'eth5'
set service broadcast-relay id 1 port '1900'

8.9.2 Conntrack

One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows
the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may
make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can
use this information to act as a stateful firewall.
The connection state however is completely independent of any upper-level state, such as TCP’s or SCTP’s state. Part
of the reason for this is that when merely forwarding packets, i.e. no local delivery, the TCP engine may not necessarily
be invoked at all. Even connectionless-mode transmissions such as UDP, IPsec (AH/ESP), GRE and other tunneling
protocols have, at least, a pseudo connection state. The heuristic for such protocols is often based upon a preset timeout
value for inactivity, after whose expiration a Netfilter connection is dropped.
Each Netfilter connection is uniquely identified by a (layer-3 protocol, source address, destination address, layer-4 pro-
tocol, layer-4 key) tuple. The layer-4 key depends on the transport protocol; for TCP/UDP it is the port numbers, for
tunnels it can be their tunnel ID, but otherwise is just zero, as if it were not part of the tuple. To be able to inspect the
TCP port in all cases, packets will be mandatorily defragmented.
It is possible to use either Multicast or Unicast to sync conntrack traffic. Most examples below show Multicast, but unicast
can be specified by using the “peer”keywork after the specificed interface, as in the following example:
set service conntrack-sync interface eth0 peer 192.168.0.250

Configuration

# Protocols only for which local conntrack entries will be synced (tcp, udp, icmp,␣
,→sctp)

set service conntrack-sync accept-protocol

# Queue size for listening to local conntrack events (in MB)

set service conntrack-sync event-listen-queue-size <int>

# Protocol for which expect entries need to be synchronized. (all, ftp, h323, nfs,␣
,→sip, sqlnet)

set service conntrack-sync expect-sync

# Failover mechanism to use for conntrack-sync [REQUIRED]

(下页继续)

8.9. Service 442

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set service conntrack-sync failover-mechanism

set service conntrack-sync cluster group <string>

set service conntrack-sync vrrp sync-group <1-255>

# IP addresses for which local conntrack entries will not be synced

set service conntrack-sync ignore-address ipv4 <x.x.x.x>

# Interface to use for syncing conntrack entries [REQUIRED]

set service conntrack-sync interface <ifname>

# Multicast group to use for syncing conntrack entries

set service conntrack-sync mcast-group <x.x.x.x>

# Peer to send Unicast UDP conntrack sync entires to, if not using Multicast above
set service conntrack-sync interface <ifname> peer <remote IP of peer>

# Queue size for syncing conntrack entries (in MB)

set service conntrack-sync sync-queue-size <size>

Example

The next example is a simple configuration of conntrack-sync.

图 3: Conntrack Sync Example

First of all, make sure conntrack is enabled by running

8.9. Service 443

 VyOS Documentation, 发布 1.4.x (sagitta)

show conntrack table ipv4

If the table is empty and you have a warning message, it means conntrack is not enabled. To enable conntrack, just create
a NAT or a firewall rule.

set firewall state-policy established action accept

You now should have a conntrack table

$ show conntrack table ipv4

TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID Source Destination Protocol TIMEOUT

1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279
1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310
1006237088 10.100.68.100 172.31.120.21 icmp [1] 29
1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300
1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29
1006239392 10.35.101.221 172.31.120.21 icmp [1] 29

Now configure conntrack-sync service on router1 and router2

set service conntrack-sync accept-protocol 'tcp,udp,icmp'

set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism cluster group 'GROUP'
set service conntrack-sync interface 'eth0'
set service conntrack-sync mcast-group '225.0.0.50'
set service conntrack-sync sync-queue-size '8'

If you are using VRRP, you need to define a VRRP sync-group, and use vrrp sync-group instead of cluster
group.

set high-availablilty vrrp group internal virtual-address ... etc ...

set high-availability vrrp sync-group syncgrp member 'internal'
set service conntrack-sync failover-mechanism vrrp sync-group 'syncgrp'

On the active router, you should have information in the internal-cache of conntrack-sync. The same current active
connections number should be shown in the external-cache of the standby router
On active router run:

$ show conntrack-sync statistics

Main Table Statistics:

cache internal:
current active connections: 10
connections created: 8517 failed: 0
connections updated: 127 failed: 0
connections destroyed: 8507 failed: 0

cache external:
current active connections: 0
connections created: 0 failed: 0
connections updated: 0 failed: 0
(下页继续)

8.9. Service 444

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
connections destroyed: 0 failed: 0

traffic processed:
0 Bytes 0 Pckts

multicast traffic (active device=eth0):

868780 Bytes sent 224136 Bytes recv
20595 Pckts sent 14034 Pckts recv
0 Error send 0 Error recv

message tracking:
0 Malformed msgs 0 Lost msgs

On standby router run:

$ show conntrack-sync statistics

Main Table Statistics:

cache internal:
current active connections: 0
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0

cache external:
current active connections: 10
connections created: 888 failed: 0
connections updated: 134 failed: 0
connections destroyed: 878 failed: 0

traffic processed:
0 Bytes 0 Pckts

multicast traffic (active device=eth0):

234184 Bytes sent 907504 Bytes recv
14663 Pckts sent 21495 Pckts recv
0 Error send 0 Error recv

message tracking:
0 Malformed msgs 0 Lost msgs

8.9.3 Console Server

Starting of with VyOS 1.3 (equuleus) we added support for running VyOS as an Out-of-Band Management device which
provides remote access by means of SSH to directly attached serial interfaces.
Serial interfaces can be any interface which is directly connected to the CPU or chipset (mostly known as a ttyS interface
in Linux) or any other USB to serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips).
If you happened to use a Cisco NM-16A - Sixteen Port Async Network Module or NM-32A - Thirty-two Port Async
Network Module - this is your VyOS replacement.
For USB port information please refor to: USB.

8.9. Service 445

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

Between computers, the most common configuration used was “8N1”: eight bit characters, with one start bit, one stop
bit, and no parity bit. Thus 10 Baud times are used to send a single character, and so dividing the signalling bit-rate by ten
results in the overall transmission speed in characters per second. This is also the default setting if none of those options
are defined.
set service console-server <device> data-bits [7 | 8]
Configure either seven or eight data bits. This defaults to eight data bits if left unconfigured.
set service console-server <device> description <string>
A user friendly description identifying the connected peripheral.
set service console-server <device> parity [even | odd | none]
Set the parity option for the console. If unset this will default to none.
set service console-server <device> stop-bits [1 | 2]
Configure either one or two stop bits. This defaults to one stop bits if left unconfigured.
set service console-server <device> speed [ 300 | 1200 | 2400 | 4800 | 9600 |
19200 | 38400 | 57600 | 115200 ]

注解: USB to serial converters will handle most of their work in software so you should be carefull with the
selected baudrate as some times they can’t cope with the expected speed.

Remote Access

Each individual configured console-server device can be directly exposed to the outside world. A user can directly connect
via SSH to the configured port.
set service console-server <device> ssh port <port>
Accept SSH connections for the given <device> on TCP port <port>. After successfull authentication the user will
be directly dropped to the connected serial device.

提示: Multiple users can connect to the same serial device but only one is allowed to write to the console port.

Operation

show console-server ports

Show configured serial ports and their respective interface configuration.

vyos@vyos:~$ show console-server ports

usb0b2.4p1.0 on /dev/serial/by-bus/usb0b2.4p1.0@ at 9600n

show console-server user

Show currently connected users.

vyos@vyos:~$ show console-server user

usb0b2.4p1.0 up vyos@localhost

8.9. Service 446

 VyOS Documentation, 发布 1.4.x (sagitta)

connect console-server <device>

Locally connect to serial port identified by <device>.

vyos@vyos-r1:~$ connect console-server usb0b2.4p1.0

[Enter `^Ec?' for help]
[-- MOTD -- VyOS Console Server]

vyos-r2 login:

提示: Multiple users can connect to the same serial device but only one is allowed to write to the console port.

提示: The sequence ^Ec? translates to: Ctrl+E c ?. To quit the session use: Ctrl+E c .

8.9.4 DHCP Relay

If you want your router to forward DHCP requests to an external DHCP server you can configure the system to act as a
DHCP relay agent. The DHCP relay agent works with IPv4 and IPv6 addresses.
All interfaces used for the DHCP relay must be configured.

IPv4 relay

Configuration

set service dhcp-relay interface <interface>

Enable the DHCP relay service on the given interface.
set service dhcp-relay server <server>
Configure IP address of the DHCP <server> which will handle the relayed packets.
set service dhcp-relay relay-options relay-agents-packets discard
The router should discard DHCP packages already containing relay agent information to ensure that only requests
from DHCP clients are forwarded.

Options

set service dhcp-relay relay-options hop-count <count>

Set the maximum hop <count> before packets are discarded. Range 0…255, default 10.
set service dhcp-relay relay-options max-size <size>
Set maximum <size> of DHCP packets including relay agent information. If a DHCP packet size surpasses this
value it will be forwarded without appending relay agent information. Range 64…1400, default 576.
set service dhcp-relay relay-options relay-agents-packet <append | discard |
forward | replace>
Four policies for reforwarding DHCP packets exist:

8.9. Service 447

 VyOS Documentation, 发布 1.4.x (sagitta)

• append: The relay agent is allowed to append its own relay information to a received DHCP packet, disre-
garding relay information already present in the packet.
• discard: Received packets which already contain relay information will be discarded.
• forward: All packets are forwarded, relay information already present will be ignored.
• replace: Relay information already present in a packet is stripped and replaced with the router’s own relay
information set.

Example

• Listen for DHCP requests on interface eth1.

• DHCP server is located at IPv4 address 10.0.1.4.
• Router receives DHCP client requests on eth1 and relays them to the server at 10.0.1.4.

图 4: DHCP relay example

The generated configuration will look like:

show service dhcp-relay

interface eth1
server 10.0.1.4
relay-options {
relay-agents-packets discard
}

8.9. Service 448

 VyOS Documentation, 发布 1.4.x (sagitta)

Operation

restart dhcp relay-agent

Restart DHCP relay service

IPv6 relay

Configuration

set service dhcpv6-relay listen-interface <interface>

Set eth1 to be the listening interface for the DHCPv6 relay.
Multiple interfaces may be specified.
set service dhcpv6-relay upstream-interface <interface> address <server>
Specifies an upstream network <interface> from which replies from <server> and other relay agents will be ac-
cepted.

Options

set service dhcpv6-relay max-hop-count ‘count’

Set maximum hop count before packets are discarded, default: 10
set service dhcpv6-relay use-interface-id-option
If this is set the relay agent will insert the interface ID. This option is set automatically if more than one listening
interfaces are in use.

Example

• DHCPv6 requests are received by the router on listening interface eth1

• Requests are forwarded through eth2 as the upstream interface
• External DHCPv6 server is at 2001:db8::4
The generated configuration will look like:

commit
show service dhcpv6-relay
listen-interface eth1 {
}
upstream-interface eth2 {
address 2001:db8::4
}

8.9. Service 449

 VyOS Documentation, 发布 1.4.x (sagitta)

图 5: DHCPv6 relay example

Operation

restart dhcpv6 relay-agent

Restart DHCPv6 relay agent immediately.

8.9.5 DHCP Server

VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment.

IPv4 server

The network topology is declared by shared-network-name and the subnet declarations. The DHCP service can serve
multiple shared networks, with each shared network having 1 or more subnets. Each subnet must be present on an
interface. A range can be declared inside a subnet to define a pool of dynamic addresses. Multiple ranges can be defined
and can contain holes. Static mappings can be set to assign “static”addresses to clients based on their MAC address.

Configuration

set service dhcp-server shared-network-name <name> authoritative

This says that this device is the only DHCP server for this network. If other devices are trying to offer DHCP
leases, this machine will send ‘DHCPNAK’to any device trying to request an IP address that is not valid for
this network.
set service dhcp-server shared-network-name <name> subnet <subnet>
default-router <address>
This is a configuration parameter for the <subnet>, saying that as part of the response, tell the client that the default
gateway can be reached at <address>.
set service dhcp-server shared-network-name <name> subnet <subnet> dns-server
<address>

8.9. Service 450

 VyOS Documentation, 发布 1.4.x (sagitta)

This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS
server can be found at <address>.
Multiple DNS servers can be defined.
set service dhcp-server shared-network-name <name> subnet <subnet> lease
<time>
Assign the IP address to this machine for <time> seconds.
The default value is 86400 seconds which corresponds to one day.
set service dhcp-server shared-network-name <name> subnet <subnet> range <n>
start <address>
Create DHCP address range with a range id of <n>. DHCP leases are taken from this pool. The pool starts at
address <address>.
set service dhcp-server shared-network-name <name> subnet <subnet> range <n>
stop <address>
Create DHCP address range with a range id of <n>. DHCP leases are taken from this pool. The pool stops with
address <address>.
set service dhcp-server shared-network-name <name> subnet <subnet> exclude
<address>
Always exclude this address from any defined range. This address will never be assigned by the DHCP server.
This option can be specified multiple times.
set service dhcp-server shared-network-name <name> subnet <subnet> domain-name
<domain-name>
The domain-name parameter should be the domain name that will be appended to the client’s hostname to form
a fully-qualified domain-name (FQDN) (DHCP Option 015).
set service dhcp-server shared-network-name <name> subnet <subnet>
domain-search <domain-name>
The domain-name parameter should be the domain name used when completing DNS request where no full FQDN
is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119).

Failover

VyOS provides support for DHCP failover. DHCP failover must be configured explicitly by the following statements.
set service dhcp-server shared-network-name <name> subnet <subnet> failover
local-address <address>
Local IP <address> used when communicating to the failover peer.
set service dhcp-server shared-network-name <name> subnet <subnet> failover
peer-address <address>
Remote peer IP <address> of the second DHCP server in this failover cluster.
set service dhcp-server shared-network-name <name> subnet <subnet> failover
name <name>
A generic <name> referencing this sync service.

8.9. Service 451

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: <name> must be identical on both sides!

set service dhcp-server shared-network-name <name> subnet <subnet> failover

status <primary | secondary>
The primary and secondary statements determines whether the server is primary or secondary.

注解: In order for the primary and the secondary DHCP server to keep their lease tables in sync, they must be
able to reach each other on TCP port 647. If you have firewall rules in effect, adjust them accordingly.

提示: The dialogue between failover partners is neither encrypted nor authenticated. Since most DHCP servers
exist within an organisation’s own secure Intranet, this would be an unnecessary overhead. However, if you have
DHCP failover peers whose communications traverse insecure networks, then we recommend that you consider
the use of VPN tunneling between them to ensure that the failover partnership is immune to disruption (accidental
or otherwise) via third parties.

Static mappings

You can specify a static DHCP assignment on a per host basis. You will need the MAC address of the station and your
desired IP address. The address must be inside the subnet definition but can be outside of the range statement.
set service dhcp-server shared-network-name <name> subnet <subnet>
static-mapping <description> mac-address <address>
Create a new DHCP static mapping named <description> which is valid for the host identified by its MAC <ad-
dress>.
set service dhcp-server shared-network-name <name> subnet <subnet>
static-mapping <description> ip-address <address>
Static DHCP IP address assign to host identified by <description>. IP address must be inside the <sub-
net> which is defined but can be outside the dynamic range created with set service dhcp-server
shared-network-name <name> subnet <subnet> range <n>. If no ip-address is specified, an
IP from the dynamic pool is used.
This is useful, for example, in combination with hostfile update.

提示: This is the equivalent of the host block in dhcpd.conf of isc-dhcpd.

8.9. Service 452

 VyOS Documentation, 发布 1.4.x (sagitta)

Options

Setting Op- ISC-DHCP Option Option description Multi

name tion name
num-
ber
client- 1 subnet-mask Specifies the clients subnet mask as per RFC N
prefix- 950. If unset, subnet declaration is used.
length
time-offset 2 time-offset Offset of the client’s subnet in seconds from N
Coordinated Universal Time (UTC)
default- 3 routers IPv4 address of router on the client’s subnet N
router
time- 4 time-servers RFC 868 time server IPv4 address Y
server
dns-server 6 domain-name-servers DNS server IPv4 address Y
domain- 15 domain-name Client domain name Y
name
ip- 19 ip-forwarding Enable IP forwarding on client N
forwarding
ntp-server 42 ntp-servers IP address of NTP server Y
wins- 44 netbios-name-servers NetBIOS over TCP/IP name server Y
server
server- 54 dhcp-server-identifier IP address for DHCP server identifier N
identifier
bootfile- siaddr next-server IPv4 address of next bootstrap server N
server
tftp- 66 tftp-server-name Name or IPv4 address of TFTP server N
server-
name
bootfile- 67 bootfile-name, filename Bootstrap file name N
name
smtp- 69 smtp-server IP address of SMTP server Y
server
pop-server 70 pop-server IP address of POP3 server Y
domain- 119 domain-search Client domain search Y
search
static- 121, rfc3442-static-route, Classless static route N
route 249 windows-static-route
wpad-url 252 wpad-url, wpad-url Web Proxy Autodiscovery (WPAD) URL N
code 252 = text
lease default-lease-time, Lease timeout in seconds (default: 86400) N
max-lease-time
range range DHCP lease range Y
exclude IP address to exclude from DHCP lease Y
range
failover DHCP failover parameters
static- Name of static mapping Y
mapping

Multi: can be specified multiple times.

8.9. Service 453

 VyOS Documentation, 发布 1.4.x (sagitta)

Raw Parameters

Raw parameters can be passed to shared-network-name, subnet and static-mapping:

set service dhcp-server shared-network-name <name> shared-network-parameters

<text> Additional shared-network parameters for DHCP server.
set service dhcp-server shared-network-name <name> subnet <subnet> subnet-parameters
<text> Additional subnet parameters for DHCP server.
set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping
,→<description> static-mapping-parameters

<text> Additional static-mapping parameters for DHCP server.

Will be placed inside the "host" block of the mapping.

These parameters are passed as-is to isc-dhcp’s dhcpd.conf under the configuration node they are defined in. They
are not validated so an error in the raw parameters won’t be caught by vyos’s scripts and will cause dhcpd to fail to
start. Always verify that the parameters are correct before committing the configuration. Refer to isc-dhcp’s dhcpd.conf
manual for more information: https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf
Quotes can be used inside parameter values by replacing all quote characters with the string &quot;. They will be
replaced with literal quote characters when generating dhcpd.conf.

Example

Please see the DHCP/DNS 快速开始 configuration.

Failover

Configuration of a DHCP failover pair

• Setup DHCP failover for network 192.0.2.0/24
• Default gateway and DNS server is at 192.0.2.254
• The primary DHCP server uses address 192.168.189.252
• The secondary DHCP server uses address 192.168.189.253
• DHCP range spans from 192.168.189.10 - 192.168.189.250
Common configuration, valid for both primary and secondary node.

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-

,→router '192.0.2.254'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 dns-server

,→'192.0.2.254'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name

,→'vyos.net'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0␣

,→start '192.0.2.10'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop

,→'192.0.2.250'

Primary

8.9. Service 454

 VyOS Documentation, 发布 1.4.x (sagitta)

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→local-address '192.168.189.252'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→name 'NET-VYOS'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→peer-address '192.168.189.253'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→status 'primary'

Secondary
set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣
,→local-address '192.168.189.253'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→name 'NET-VYOS'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→peer-address '192.168.189.252'

set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 failover␣

,→status 'primary'

Raw Parameters

• Override static-mapping’s dns-server with a custom one that will be sent only to this host.
• An option that takes a quoted string is set by replacing all quote characters with the string &quot; inside the
static-mapping-parameters value. The resulting line in dhcpd.conf will be option pxelinux.configfile
"pxelinux.cfg/01-00-15-17-44-2d-aa";.
set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-
,→mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11,␣
,→192.0.2.12;"

set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-

,→mapping example static-mapping-parameters "option pxelinux.configfile &quot;
,→pxelinux.cfg/01-00-15-17-44-2d-aa&quot;;"

Operation Mode

restart dhcp server

Restart the DHCP server
show dhcp server statistics
Show the DHCP server statistics:
vyos@vyos:~$ show dhcp server statistics
Pool Size Leases Available Usage
----------- ------ -------- ----------- -------
dhcpexample 99 2 97 2%

show dhcp server statistics pool <pool>

Show the DHCP server statistics for the specified pool.
show dhcp server leases
Show statuses of all active leases:

8.9. Service 455

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos:~$ show dhcp server leases

IP address Hardware address State Lease start Lease expiration ␣
,→ Remaining Pool Hostname
-------------- ------------------ ------- ------------------- -------------------␣
,→ ---------- ----------- ---------
192.0.2.104 00:53:01:dd:ee:ff active 2019/12/05 14:24:23 2019/12/06 02:24:23␣
,→ 6:05:35 dhcpexample test1
192.0.2.115 00:53:01:ae:af:bf active 2019/12/05 18:02:37 2019/12/06 06:02:37␣
,→ 9:43:49 dhcpexample test2

提示: Static mappings aren’t shown. To show all states, use show dhcp server leases state all.

show dhcp server leases pool <pool>

Show only leases in the specified pool.
show dhcp server leases sort <key>
Sort the output by the specified key. Possible keys: ip, hardware_address, state, start, end, remaining, pool,
hostname (default = ip)
show dhcp server leases state <state>
Show only leases with the specified state. Possible states: all, active, free, expired, released, abandoned, reset,
backup (default = active)

IPv6 server

VyOS also provides DHCPv6 server functionality which is described in this section.

Configuration

set service dhcpv6-server preference <preference value>

Clients receiving advertise messages from multiple servers choose the server with the highest preference value.
The range for this value is 0...255.
set service dhcpv6-server shared-network-name <name> subnet <prefix>
lease-time {default | maximum | minimum}
The default lease time for DHCPv6 leases is 24 hours. This can be changed by supplying a default-time,
maximum-time and minimum-time. All values need to be supplied in seconds.
set service dhcpv6-server shared-network-name <name> subnet <prefix>
nis-domain <domain-name>
A NIS (Network Information Service) domain can be set to be used for DHCPv6 clients.
set service dhcpv6-server shared-network-name <name> subnet <prefix>
nisplus-domain <domain-name>
The procedure to specify a NIS+ (Network Information Service Plus) domain is similar to the NIS domain one:
set service dhcpv6-server shared-network-name <name> subnet <prefix>
nis-server <address>
Specify a NIS server address for DHCPv6 clients.

8.9. Service 456

 VyOS Documentation, 发布 1.4.x (sagitta)

set service dhcpv6-server shared-network-name <name> subnet <prefix>

nisplus-server <address>
Specify a NIS+ server address for DHCPv6 clients.
set service dhcpv6-server shared-network-name <name> subnet <prefix>
sip-server <address | fqdn>
Specify a SIP (Session Initiation Protocol) server by IPv6 address of Fully Qualified Domain Name for all DHCPv6
clients.
set service dhcpv6-server shared-network-name <name> subnet <prefix>
sntp-server-address <address>
A SNTP server address can be specified for DHCPv6 clients.

Prefix Delegation

To hand out individual prefixes to your clients the following configuration is used:
set service dhcpv6-server shared-network-name <name> subnet <prefix>
prefix-delegation start <address> prefix-length <length>
Hand out prefixes of size <length> to clients in subnet <prefix> when they request for prefix delegation.
set service dhcpv6-server shared-network-name <name> subnet <prefix>
prefix-delegation start <address> stop <address>
Delegate prefixes from the range indicated by the start and stop qualifier.

Address pools

DHCPv6 address pools must be configured for the system to act as a DHCPv6 server. The following example describes
a common scenario.
Example:
• A shared network named NET1 serves subnet 2001:db8::/64
• It is connected to eth1
• DNS server is located at 2001:db8::ffff
• Address pool shall be 2001:db8::100 through 2001:db8::199.
• Lease time will be left at the default value which is 24 hours
set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-
,→range start 2001:db8::100 stop 2001:db8::199

set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server␣

,→2001:db8::ffff

The configuration will look as follows:

show service dhcpv6-server
shared-network-name NET1 {
subnet 2001:db8::/64 {
address-range {
start 2001:db8::100 {
stop 2001:db8::199
(下页继续)

8.9. Service 457

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
}
}
name-server 2001:db8::ffff
}
}

Static mappings

In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example explains
the process.
Example:
• IPv6 address 2001:db8::101 shall be statically mapped
• Host specific mapping shall be named client1

提示: The identifier is the device’s DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). If the
device already has a dynamic lease from the DHCPv6 server, its DUID can be found with show service dhcpv6
server leases. The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID.

set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-

,→mapping client1 ipv6-address 2001:db8::101

set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-

,→mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff

The configuration will look as follows:

show service dhcp-server shared-network-name NET1

shared-network-name NET1 {
subnet 2001:db8::/64 {
name-server 2001:db8:111::111
address-range {
start 2001:db8::100 {
stop 2001:db8::199 {
}
}
static-mapping client1 {
ipv6-address 2001:db8::101
identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff
}
}
}

8.9. Service 458

 VyOS Documentation, 发布 1.4.x (sagitta)

Operation Mode

restart dhcpv6 server

To restart the DHCPv6 server
show dhcpv6 server status
To show the current status of the DHCPv6 server.
show dhcpv6 server leases
Show statuses of all assigned leases:

vyos@vyos:~$ show dhcpv6 server leases

IPv6 address State Last communication Lease expiration Remaining Type ␣
,→ Pool IAID_DUID
------------- ------- -------------------- ------------------- ----------- ------
,→------- ----- --------------------------------------------
2001:db8::101 active 2019/12/05 19:40:10 2019/12/06 07:40:10 11:45:21 non-
,→temporary NET1 98:76:54:32:00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff
2001:db8::102 active 2019/12/05 14:01:23 2019/12/06 02:01:23 6:06:34 non-
,→temporary NET1 87:65:43:21:00:01:00:01:11:22:33:44:fa:fb:fc:fd:fe:ff

提示: Static mappings aren’t shown. To show all states, use show dhcp server leases state all.

show dhcpv6 server leases pool <pool>

Show only leases in the specified pool.
show dhcpv6 server leases sort <key>
Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type
(default = ip)
show dhcpv6 server leases state <state>
Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released,
reset (default = active)

8.9.6 DNS Forwarding

Configuration

VyOS provides DNS infrastructure for small networks. It is designed to be lightweight and have a small footprint, suitable
for resource constrained routers and firewalls. For this we utilize PowerDNS recursor.
The VyOS DNS forwarder does not require an upstream DNS server. It can serve as a full recursive DNS server - but it
can also forward queries to configurable upstream DNS servers. By not configuring any upstream DNS servers you also
avoid being tracked by the provider of your upstream DNS server.
set service dns forwarding system
Forward incoming DNS queries to the DNS servers configured under the system name-server nodes.
set service dns forwarding name-server <address>
Send all DNS queries to the IPv4/IPv6 DNS server specified under <address>. You can configure multiple name-
servers here.

8.9. Service 459

 VyOS Documentation, 发布 1.4.x (sagitta)

set service dns forwarding domain <domain-name> server <address>

Forward received queries for a particular domain (specified via domain-name) to a given nameserver. Multiple
nameservers can be specified. You can use this feature for a DNS split-horizon configuration.

注解: This also works for reverse-lookup zones (18.172.in-addr.arpa).

set service dns forwarding allow-from <network>

Given the fact that open DNS recursors could be used on DDoS amplification attacks, you must configure the
networks which are allowed to use this recursor. A network of 0.0.0.0/0 or ::/0 would allow all IPv4 and
IPv6 networks to query this server. This is generally a bad idea.
set service dns forwarding dnssec <off | process-no-validate | process |
log-fail | validate>
The PowerDNS recursor has 5 different levels of DNSSEC processing, which can be set with the dnssec setting.
In order from least to most processing, these are:
• off In this mode, no DNSSEC processing takes place. The recursor will not set the DNSSEC OK (DO) bit
in the outgoing queries and will ignore the DO and AD bits in queries.
• process-no-validate In this mode the recursor acts as a“security aware, non-validating”nameserver, meaning
it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients
that ask for them (by means of a DO-bit in the query), except for zones provided through the auth-zones
setting. It will not do any validation in this mode, not even when requested by the client.
• process When dnssec is set to process the behavior is similar to process-no-validate. However, the recursor
will try to validate the data if at least one of the DO or AD bits is set in the query; in that case, it will set
the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation
comes up bogus.
• log-fail In this mode, the recursor will attempt to validate all data it retrieves from authoritative servers,
regardless of the client’s DNSSEC desires, and will log the validation result. This mode can be used to
determine the extra load and amount of possibly bogus answers before turning on full-blown validation. Re-
sponses to client queries are the same as with process.
• validate The highest mode of DNSSEC processing. In this mode, all queries will be validated and will be
answered with a SERVFAIL in case of bogus data, regardless of the client’s request.

注解: The popular Unix/Linux dig tool sets the AD-bit in the query. This might lead to unexpected query
results when testing. Set +noad on the dig command line when this is the case.

注解: The CD-bit is honored correctly for process and validate. For log-fail, failures will be logged too.

set service dns forwarding ignore-hosts-file

Do not use the local /etc/hosts file in name resolution. VyOS DHCP server will use this file to add resolvers
to assigned addresses.
set service dns forwarding max-cache-entries
Maximum number of DNS cache entries. 1 million per CPU core will generally suffice for most installations.
set service dns forwarding negative-ttl

8.9. Service 460

 VyOS Documentation, 发布 1.4.x (sagitta)

A query for which there is authoritatively no answer is cached to quickly deny a record’s existence later on,
without putting a heavy load on the remote server. In practice, caches can become saturated with hundreds of
thousands of hosts which are tried only once. This setting, which defaults to 3600 seconds, puts a maximum on
the amount of time negative entries are cached.
set service dns forwarding listen-address
The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwarder will listen on this address for
incoming connections.

Example

A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to implement a split-horizon DNS
configuration for example.com.
In this scenario:
• All DNS requests for example.com must be forwarded to a DNS server at 192.0.2.254 and 2001:db8:cafe::1
• All other DNS requests will be forwarded to a different set of DNS servers at 192.0.2.1, 192.0.2.2, 2001:db8::1:ffff
and 2001:db8::2:ffff
• The VyOS DNS forwarder will only listen for requests on the eth1 (LAN) interface addresses - 192.168.1.254 for
IPv4 and 2001:db8::ffff for IPv6
• The VyOS DNS forwarder will only accept lookup requests from the LAN subnets - 192.168.1.0/24 and
2001:db8::/64

set service dns forwarding domain example.com server 192.0.2.254

set service dns forwarding domain example.com server 2001:db8:cafe::1
set service dns forwarding name-server 192.0.2.1
set service dns forwarding name-server 192.0.2.2
set service dns forwarding name-server 2001:db8::1:ffff
set service dns forwarding name-server 2001:db8::2:ffff
set service dns forwarding listen-address 192.168.1.254
set service dns forwarding listen-address 2001:db8::ffff
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding allow-from 2001:db8::/64

Operation

reset dns forwarding <all | domain>

Resets the local DNS forwarding cache database. You can reset the cache for all entries or only for entries to a
specific domain.
restart dns forwarding
Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache.

8.9. Service 461

 VyOS Documentation, 发布 1.4.x (sagitta)

8.9.7 Dynamic DNS

VyOS is able to update a remote DNS record when an interface gets a new IP address. In order to do so, VyOS includes
ddclient, a Perl script written for this only one purpose.
ddclient uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in
compliance with RFC 2136. The second one involves a third party service, like DynDNS.com or any other similar
website. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS.

Configuration

RFC 2136 Based

set service dns dynamic interface <interface> rfc2136 <service-name>

Create new RFC 2136 DNS update configuration which will update the IP address assigned to <interface> on the
service you configured under <service-name>.
set service dns dynamic interface <interface> rfc2136 <service-name> key
<keyfile>
File identified by <keyfile> containing the secret RNDC key shared with remote DNS server.
set service dns dynamic interface <interface> rfc2136 <service-name> server
<server>
Configure the DNS <server> IP/FQDN used when updating this dynamic assignment.
set service dns dynamic interface <interface> rfc2136 <service-name> zone
<zone>
Configure DNS <zone> to be updated.
set service dns dynamic interface <interface> rfc2136 <service-name> record
<record>
Configure DNS <record> which should be updated. This can be set multiple times.
set service dns dynamic interface <interface> rfc2136 <service-name> ttl <ttl>
Configure optional TTL value on the given resource record. This defaults to 600 seconds.

Example

• Register DNS record example.vyos.io on DNS server ns1.vyos.io

• Use auth key file at /config/auth/my.key
• Set TTL to 300 seconds

vyos@vyos# show service dns dynamic

interface eth0.7 {
rfc2136 VyOS-DNS {
key /config/auth/my.key
record example.vyos.io
server ns1.vyos.io
ttl 300
zone vyos.io
(下页继续)

8.9. Service 462

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
}
}

This will render the following ddclient configuration entry:

#
# ddclient configuration for interface "eth0.7":
#
use=if, if=eth0.7

# RFC2136 dynamic DNS configuration for example.vyos.io.vyos.io

server=ns1.vyos.io
protocol=nsupdate
password=/config/auth/my.key
ttl=300
zone=vyos.io
example.vyos.io

注解: You can also keep different DNS zone updated. Just create a new config node: set service dns dynamic
interface <interface> rfc2136 <other-service-name>

HTTP based services

VyOS is also able to use any service relying on protocols supported by ddclient.
To use such a service, one must define a login, password, one or multiple hostnames, protocol and server.
set service dns dynamic interface <interface> service <service> host-name
<hostname>
Setup the dynamic DNS hostname <hostname> associated with the DynDNS provider identified by <service>
when the IP address on interface <interface> changes.
set service dns dynamic interface <interface> service <service> login
<username>
Configure <username> used when authenticating the update request for DynDNS service identified by <service>.
For Namecheap, set the <domain> you wish to update.
set service dns dynamic interface <interface> service <service> password
<password>
Configure <password> used when authenticating the update request for DynDNS service identified by <service>.
set service dns dynamic interface <interface> service <service> protocol
<protocol>
When a custom DynDNS provider is used the protocol used for communicating to the provider must be specified
under <protocol>. See the embedded completion helper for available protocols.
set service dns dynamic interface <interface> service <service> server
<server>
When a custom DynDNS provider is used the <server> where update requests are being sent to must be specified.

8.9. Service 463

 VyOS Documentation, 发布 1.4.x (sagitta)

Example:

Use DynDNS as your preferred provider:

set service dns dynamic interface eth0 service dyndns

set service dns dynamic interface eth0 service dyndns login my-login
set service dns dynamic interface eth0 service dyndns password my-password
set service dns dynamic interface eth0 service dyndns host-name my-dyndns-hostname

注解: Multiple services can be used per interface. Just specify as many services per interface as you like!

Running Behind NAT

By default, ddclient will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS
instance is behind NAT, your record will be updated to point to your internal IP.
ddclient has another way to determine the WAN IP address. This is controlled by:
set service dns dynamic interface <interface> use-web url <url>
Use configured <url> to determine your IP address. ddclient will load <url> and tries to extract your IP address
from the response.
set service dns dynamic interface <interface> use-web skip <pattern>
ddclient will skip any address located before the string set in <pattern>.

8.9.8 HTTP-API

VyOS provide a HTTP API. You can use it to execute op-mode commands, update VyOS, set or delete config.
Please take a look at the VyOS API page for an detailed how-to.

Configuration

set service https api keys id <name> key <apikey>

Set an named api key, every key have the same, full permissions on the system.
set service https api debug
To enable debug messages. Available via show log or monitor log
set service https api port
Set the listen port of the local API, this have non effect of the webserver. The default is port 8080
set service https api strict
Enforce strict path checking
set service https virtual-host <vhost> listen-address
Address to listen for HTTPS requests
set service https virtual-host <vhost> listen-port <1-65535>
Port to listen for HTTPS requests; default 443

8.9. Service 464

 VyOS Documentation, 发布 1.4.x (sagitta)

set service https virtual-host <vhost> server-name <text>

Server names for virtual hosts it ca be exact, wildcard or regex.
set service https api-restrict virtual-host <vhost>
Nginx exposes the local API on all virtual servers, by default Use this to restrict nginx to one or more virtual hosts.
set service https certificates certbot domain-name <text>
Domain name(s) for which to obtain certificate
set service https certificates certbot email
Email address to associate with certificate
set service https certificates system-generated-certificate
Use an automatically generated self-signed certificate
set service https certificates system-generated-certificate lifetime <days>
Lifetime in days; default is 365

Example Configuration

Set an API-KEY is the minimal configuration to get a working API Endpoint.

set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY

To use this full configuration we asume a publice accessable hostname.

set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY

set service https certificates certbot domain-name rtr01.example.com
set service https certificates certbot email [email protected]
set service https virtual-host rtr01 listen-address 198.51.100.2
set service https virtual-host rtr01 listen-port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
set service https api-restrict virtual-host rtr01.example.com

8.9.9 IPoE Server

VyOS utilizes accel-ppp to provide IP E (Internet Protocol over Ethernet) server functionality. It can be used with local
authentication (mac-address) or a connected RADIUS server.
IPoE is a method of delivering an IP payload over an Ethernet-based access network or an access network using bridged
Ethernet over Asynchronous Transfer Mode (ATM) without using PPPoE. It directly encapsulates the IP datagrams in
Ethernet frames, using the standard RFC 894 encapsulation.
The use of IPoE addresses the disadvantage that PPP is unsuited for multicast delivery to multiple users. Typically, IPoE
uses Dynamic Host Configuration Protocol and Extensible Authentication Protocol to provide the same functionality as
PPPoE, but in a less robust manner.

注解: Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset
existing IPoE sessions, in order to become effective.

8.9. Service 465

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE
to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client.
The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac ad-
dress 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the
configuration.

set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06

set service ipoe-server authentication mode 'local'
set service ipoe-server name-server '10.10.1.1'
set service ipoe-server name-server '10.10.1.2'
set service ipoe-server interface eth2 client-subnet '192.168.0.0/24'

The first address of the parameter client-subnet, will be used as the default gateway. Connected sessions can be
checked via the show ipoe-server sessions command.

vyos@vyos:~$ show ipoe-server sessions

ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit |␣

,→state | uptime | sid
-------+------------+-------------------+-------------+-----+--------+------------+---
,→-----+----------+------------------

ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | |␣

,→active | 00:45:05 | dccc870fd3134612

IPv6 SLAAC and IA-PD

To configure IPv6 assignments for clients, two options need to be configured. A global prefix which is terminated on the
clients cpe and a delegated prefix, the client can use for devices routed via the clients cpe.
IPv6 DNS addresses are optional.

set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06

set service ipoe-server authentication mode 'local'
set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix
,→'56'

set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64'

set service ipoe-server name-server '2001:db8::'
set service ipoe-server name-server '2001:db8:aaa::'
set service ipoe-server name-server '2001:db8:bbb::'
set service ipoe-server interface eth3 client-subnet '192.168.1.0/24'

vyos@ipoe-server# run sh ipoe-server sessions

ifname | called-sid | calling-sid | ip | ip6 ␣
,→ | ip6-dp | rate-limit | state | uptime | sid
-------+------------+-------------------+-------------+-------------------------------
,→--+-----------------+------------+--------+----------+------------------

ipoe0 | eth3 | 08:00:27:2f:d8:06 | 192.168.1.2 | 2001:db8::a00:27ff:fe2f:d806/

,→64 | 2001:db8:1::/56 | | active | 01:02:59 | 4626faf71b12cc25

The clients CPE (Customer Premises Equipment) can now communicate via IPv4 or IPv6. All devices behind
2001:db8::a00:27ff:fe2f:d806/64 can use addresses from 2001:db8:1::/56 and can globally com-
municate without the need of any NAT rules.

8.9. Service 466

 VyOS Documentation, 发布 1.4.x (sagitta)

Automatic VLAN creation

To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and
VLAN range can be present in the configuration at the same time.

set service ipoe-server interface eth2 network vlan

set service ipoe-server interface eth2 vlan-id 100
set service ipoe-server interface eth2 vlan-id 200
set service ipoe-server interface eth2 vlan-range 1000-2000
set service ipoe-server interface eth2 vlan-range 2500-2700

RADIUS Setup

To use a RADIUS server for authentication and bandwidth-shaping, the following example configuration can be used.

set service ipoe-server authentication mode 'radius'

set service ipoe-server authentication radius server 10.100.100.1 key 'password'

Bandwidth Shaping

Bandwidth rate limits can be set for local users within the configuration or via RADIUS based attributes.

Bandwidth Shaping for local users

The rate-limit is set in kbit/sec.

set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06␣

,→rate-limit download '500'

set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06␣

,→rate-limit upload '500'

set service ipoe-server authentication mode 'local'

set service ipoe-server name-server '10.10.1.1'
set service ipoe-server name-server '10.10.1.2'
set service ipoe-server interface eth2 client-subnet '192.168.0.0/24'

vyos@vyos# run show ipoe-server sessions

ifname | called-sid | calling-sid | ip | ip6 | ip6-dp | rate-limit |␣

,→state | uptime | sid
-------+------------+-------------------+-------------+-----+--------+------------+---
,→-----+----------+------------------

ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 |␣

,→active | 00:00:05 | dccc870fd31349fb

8.9. Service 467

 VyOS Documentation, 发布 1.4.x (sagitta)

8.9.10 LLDP

LLDP (Link Layer Discovery Protocol) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by
network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally
wired Ethernet. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity
Discovery specified in IEEE 802.1AB and IEEE 802.3-2012 section 6 clause 79.
LLDP performs functions similar to several proprietary protocols, such as CDP (Cisco Discovery Protocol), FDP
(Foundry Discovery Protocol), NDP (Nortel Discovery Protocol) and LLTD (Link Layer Topology Discovery).
Information gathered with LLDP is stored in the device as a MIB (Management Information Database) and can be queried
with SNMP (Simple Network Management Protocol) as specified in RFC 2922. The topology of an LLDP-enabled
network can be discovered by crawling the hosts and querying this database. Information that may be retrieved include:
• System Name and Description
• Port name and description
• VLAN name
• IP management address
• System capabilities (switching, routing, etc.)
• MAC/PHY information
• MDI power
• Link aggregation

Configuration

set service lldp

Enable LLDP service
set service lldp management-address <address>
Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses
connected to the system will be transmitted.
set service lldp interface <interface>
Enable transmission of LLDP information on given <interface>. You can also say all here so LLDP is turned
on on every interface.
set service lldp interface <interface> disable
Disable transmit of LLDP frames on given <interface>. Useful to exclude certain interfaces from LLDP when
all have been enabled.
set service lldp snmp enable
Enable SNMP queries of the LLDP database
set service lldp legacy-protocols <cdp|edp|fdp|sonmp>
Enable given legacy protocol on this LLDP instance. Legacy protocols include:
• cdp - Listen for CDP for Cisco routers/switches
• edp - Listen for EDP for Extreme routers/switches
• fdp - Listen for FDP for Foundry routers/switches
• sonmp - Listen for SONMP for Nortel routers/switches

8.9. Service 468

 VyOS Documentation, 发布 1.4.x (sagitta)

Operation

show lldp neighbors

Displays information about all neighbors discovered via LLDP.

vyos@vyos:~$ show lldp neighbors

Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station
D - Docsis, T - Telephone, O - Other

Device ID Local Proto Cap Platform Port ID

--------- ----- ----- --- -------- -------
BR2.vyos.net eth0 LLDP R VyOS 1.2.4 eth1
BR3.vyos.net eth0 LLDP RB VyOS 1.2.4 eth2
SW1.vyos.net eth0 LLDP B Cisco IOS Software ␣
,→GigabitEthernet0/6

show lldp neighbors detail

Get detailed information about LLDP neighbors.

vyos@vyos:~$ show lldp neighbors detail

-------------------------------------------------------------------------------
LLDP neighbors:
-------------------------------------------------------------------------------
Interface: eth0, via: LLDP, RID: 28, Time: 0 day, 00:24:33
Chassis:
ChassisID: mac 00:53:00:01:02:c9
SysName: BR2.vyos.net
SysDescr: VyOS 1.3-rolling-201912230217
MgmtIP: 192.0.2.1
MgmtIP: 2001:db8::ffff
Capability: Bridge, on
Capability: Router, on
Capability: Wlan, off
Capability: Station, off
Port:
PortID: mac 00:53:00:01:02:c9
PortDescr: eth0
TTL: 120
PMD autoneg: supported: no, enabled: no
MAU oper type: 10GigBaseCX4 - X copper over 8 pair 100-Ohm balanced cable
VLAN: 201 eth0.201
VLAN: 205 eth0.205
LLDP-MED:
Device Type: Network Connectivity Device
Capability: Capabilities, yes
Capability: Policy, yes
Capability: Location, yes
Capability: MDI/PSE, yes
Capability: MDI/PD, yes
Capability: Inventory, yes
Inventory:
Hardware Revision: None
Software Revision: 4.19.89-amd64-vyos
Firmware Revision: 6.00
Serial Number: VMware-42 1d 83 b9 fe c1 bd b2-7
Manufacturer: VMware, Inc.
(下页继续)

8.9. Service 469

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Model: VMware Virtual Platform
Asset ID: No Asset Tag
-------------------------------------------------------------------------------

show lldp neighbors interface <interface>

Show LLDP neighbors connected via interface <interface>.
show log lldp
Used for troubleshooting.

8.9.11 mDNS Repeater

Starting with VyOS 1.2 a DNS (Multicast DNS) repeater functionality is provided. Additional information can be
obtained from https://en.wikipedia.org/wiki/Multicast_DNS.
Multicast DNS uses the 224.0.0.251 address, which is “administratively scoped”and does not leave the subnet. It
retransmits mDNS packets from one interface to other interfaces. This enables support for e.g. Apple Airplay devices
across multiple VLANs.
Since the mDNS protocol sends the AA records in the packet itself, the repeater does not need to forge the source address.
Instead, the source address is of the interface that repeats the packet.

Configuration

set service mdns repeater interface <interface>

To enable mDNS repeater you need to configure at least two interfaces. To re-broadcast all incoming mDNS
packets from any interface configured here to any other interface configured under this section.
set service mdns repeater disable
mDNS repeater can be temporarily disabled without deleting the service using

注解: You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience
the mDNS packet storm death!

Example

To listen on both eth0 and eth1 mDNS packets and also repeat packets received on eth0 to eth1 (and vice-versa) use the
following commands:

set service mdns repeater interface 'eth0'

set service mdns repeater interface 'eth1'

8.9. Service 470

 VyOS Documentation, 发布 1.4.x (sagitta)

8.9.12 PPPoE Server

VyOS utilizes accel-ppp to provide PPPoE server functionality. It can be used with local authentication or a connected
RADIUS server.

注解: Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset
existing PPPoE connections from connected users, in order to become effective.

Configuration

First steps

set service pppoe-server access-concentrator <name>

Use this command to set a name for this PPPoE-server access concentrator.
set service pppoe-server authentication mode <local | radius>
Use this command to define whether your PPPoE clients will locally authenticate in your VyOS system or in
RADIUS server.
set service pppoe-server authentication local-users username <name> password
<password>
Use this command to configure the username and the password of a locally configured user.
set service pppoe-server interface <interface>
Use this command to define the interface the PPPoE server will use to listen for PPPoE clients.
set service pppoe-server gateway-address <address>
Use this command to configure the local gateway IP address.
set service pppoe-server name-server <address>
Use this command to set the IPv4 or IPv6 address of every Doman Name Server you want to configure. They will
be propagated to PPPoE clients.

Client Address Pools

To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either
RADIUS or a local subnet or IP range definition.
Once the local tunnel endpoint set service pppoe-server gateway-address '10.1.1.2' has been
defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is
used, multiple subnets can be setup which are used sequentially.
Client IP address via IP range definition
set service pppoe-server client-ip-pool start <address>
Use this command to define the first IP address of a pool of addresses to be given to PPPoE clients. It must be
within a /24 subnet.
set service pppoe-server client-ip-pool stop <address>
Use this command to define the last IP address of a pool of addresses to be given to PPPoE clients. It must be
within a /24 subnet.

8.9. Service 471

 VyOS Documentation, 发布 1.4.x (sagitta)

set service pppoe-server client-ip-pool start '10.1.1.100'

set service pppoe-server client-ip-pool stop '10.1.1.111'

Client IP subnets via CIDR notation

set service pppoe-server client-ip-pool subnet <address>
Use this command for every pool of client IP addresses you want to define. The addresses of this pool will be
given to PPPoE clients. You must use CIDR notation and it must be within a /24 subnet.

set service pppoe-server client-ip-pool subnet '10.1.1.0/24'

set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
set service pppoe-server client-ip-pool subnet '10.1.3.0/24'

RADIUS based IP pools (Framed-IP-Address)

To use a radius server, you need to switch to authentication mode RADIUS and then configure it.
set service pppoe-server authentication radius server <address> key <secret>
Use this command to configure the IP address and the shared secret key of your RADIUS server. You can have
multiple RADIUS servers configured if you wish to achieve redundancy.

set service pppoe-server access-concentrator 'ACN'

set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius server 10.1.100.1 key 'secret'
set service pppoe-server interface 'eth1'
set service pppoe-server gateway-address '10.1.1.2'

RADIUS provides the IP addresses in the example above via Framed-IP-Address.

RADIUS sessions management DM/CoA
set service pppoe-server authentication radius dynamic-author <key | port |
server>
Use this command to configure Dynamic Authorization Extensions to RADIUS so that you can remotely disconnect
sessions and change some authentication parameters.

set service pppoe-server authentication radius dynamic-author key 'secret123'

set service pppoe-server authentication radius dynamic-author port '3799'
set service pppoe-server authentication radius dynamic-author server '10.1.1.2'

Example, from radius-server send command for disconnect client with username test

root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799

disconnect secret123

You can also use another attributes for identify client for disconnect, like Framed-IP-Address, Acct-Session-Id, etc. Result
commands appears in log.

show log | match Disconnect*

Example for changing rate-limit via RADIUS CoA.

echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa

secret123

Filter-Id=5000/4000 (means 5000Kbit down-stream rate and 4000Kbit up-stream rate) If attribute Filter-Id redefined,
replace it in RADIUS CoA request.

8.9. Service 472

 VyOS Documentation, 发布 1.4.x (sagitta)

Automatic VLAN Creation

set service pppoe-server interface <interface> <vlan-id | vlan range> <text>

VLAN’s can be created by accel-ppp on the fly via the use of a Kernel module named vlan_mon, which is
monitoring incoming vlans and creates the necessary VLAN if required and allowed. VyOS supports the use of
either VLAN ID’s or entire ranges, both values can be defined at the same time for an interface. When configured,
the PPPoE will create the necessary VLANs when required. Once the user session has been cancelled and the
VLAN is not needed anymore, VyOS will remove it again.

set service pppoe-server interface eth3 vlan-id 100

set service pppoe-server interface eth3 vlan-id 200
set service pppoe-server interface eth3 vlan-range 500-1000
set service pppoe-server interface eth3 vlan-range 2000-3000

Bandwidth Shaping

Bandwidth rate limits can be set for local users or RADIUS based attributes.

For Local Users

set service pppoe-server authentication local-users username <name> rate-limit

<download | upload>
Use this command to configure a data-rate limit to PPPOoE clients for traffic download or upload. The rate-limit
is set in kbit/sec.

set service pppoe-server access-concentrator 'ACN'

set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication local-users username foo rate-limit download
,→'20480'

set service pppoe-server authentication local-users username foo rate-limit upload

,→'10240'

set service pppoe-server authentication mode 'local'

set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server name-server '10.100.100.1'
set service pppoe-server name-server '10.100.200.1'
set service pppoe-server interface 'eth1'
set service pppoe-server gateway-address '10.1.1.2'

Once the user is connected, the user session is using the set limits and can be displayed via‘show pppoe-server sessions’
.

show pppoe-server sessions

ifname | username | ip | calling-sid | rate-limit | state | uptime ␣
,→| rx-bytes | tx-bytes

-------+----------+------------+-------------------+-------------+--------+----------
,→+----------+----------

ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11␣

,→| 214 B | 76 B

8.9. Service 473

 VyOS Documentation, 发布 1.4.x (sagitta)

For RADIUS users

The current attribute ‘Filter-Id’is being used as default and can be setup within RADIUS:
Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)
The command below enables it, assuming the RADIUS connection has been setup and is working.
set service pppoe-server authentication radius rate-limit enable
Use this command to enable bandwidth shaping via RADIUS.
Other attributes can be used, but they have to be in one of the dictionaries in /usr/share/accel-ppp/radius.

Load Balancing

set service pppoe-server pado-delay <number-of-ms> sessions

<number-of-sessions>
Use this command to enable the delay of PADO (PPPoE Active Discovery Offer) packets, which can be used as
a session balancing mechanism with other PPPoE servers.

set service pppoe-server pado-delay 50 sessions '500'

set service pppoe-server pado-delay 100 sessions '1000'
set service pppoe-server pado-delay 300 sessions '3000'

In the example above, the first 499 sessions connect without delay. PADO packets will be delayed 50 ms for connection
from 500 to 999, this trick allows other PPPoE servers send PADO faster and clients will connect to other servers. Last
command says that this PPPoE server can serve only 3000 clients.

IPv6

IPv6 client’s prefix assignment

set service pppoe-server client-ipv6-pool prefix <address> mask

<number-of-bits>
Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined
length (mask) to terminate the PPPoE endpoint at their side. The mask length can be set from 48 to 128 bit long,
the default value is 64.

IPv6 Prefix Delegation

set service pppoe-server client-ipv6-pool delegate <address> delegation-prefix

<number-of-bits>
Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and
the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined
length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long.

8.9. Service 474

 VyOS Documentation, 发布 1.4.x (sagitta)

Maintenance mode

set pppoe-server maintenance-mode <enable | disable>

For network maintenance, it’s a good idea to direct users to a backup server so that the primary server can be
safely taken out of service. It’s possible to switch your PPPoE server to maintenance mode where it maintains
already established connections, but refuses new connection attempts.

Checking connections

show pppoe-server sessions

Use this command to locally check the active sessions in the PPPoE server.

show pppoe-server sessions

ifname | username | ip | calling-sid | rate-limit | state | uptime ␣
,→| rx-bytes | tx-bytes

-------+----------+------------+-------------------+-------------+--------+----------
,→+----------+----------

ppp0 | foo | 10.1.1.100 | 00:53:00:ba:db:15 | 20480/10240 | active | 00:00:11␣

,→| 214 B | 76 B

Per default the user session is being replaced if a second authentication request succeeds. Such session requests can be
either denied or allowed entirely, which would allow multiple sessions for a user in the latter case. If it is denied, the
second session is being rejected even if the authentication succeeds, the user has to terminate its first session and can then
authentication again.

vyos@# set service pppoe-server session-control

Possible completions:
disable Disables session control
deny Deny second session authorization

Examples

IPv4

The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, terminates
at the local endpoint 10.1.1.1 and serves requests only on eth1.

set service pppoe-server access-concentrator 'ACN'

set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server interface eth1
set service pppoe-server gateway-address '10.1.1.2'
set service pppoe-server name-server '10.100.100.1'
set service pppoe-server name-server '10.100.200.1'

8.9. Service 475

 VyOS Documentation, 发布 1.4.x (sagitta)

Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation

The example below covers a dual-stack configuration via pppoe-server.

set service pppoe-server authentication local-users username test password 'test'

set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '192.168.0.1'
set service pppoe-server client-ip-pool stop '192.168.0.10'
set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-
,→prefix '56'

set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64'

set service pppoe-server name-server '10.1.1.1'
set service pppoe-server name-server '2001:db8:4860::8888'
set service pppoe-server interface 'eth2'
set service pppoe-server gateway-address '10.100.100.1'

The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address to terminate the pppoe endpoint
on the client side and a /56 subnet for the clients internal use.

vyos@pppoe-server:~$ sh pppoe-server sessions

ifname | username | ip | ip6 | ip6-dp | ␣
,→ calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
--------+----------+-------------+--------------------------+---------------------+---
,→----------------+------------+--------+----------+----------+----------

ppp0 | test | 192.168.0.1 | 2001:db8:8002:0:200::/64 | 2001:db8:8003::1/56 |␣

,→00:53:00:12:42:eb | | active | 00:00:49 | 875 B | 2.1 KiB

8.9.13 Router Advertisements

RA (Router advertisements) are described in RFC 4861#section-4.6.2. They are part of what is known as SLAAC.
Supported interface types:
• bonding
• bridge
• ethernet
• l2tpv3
• openvpn
• pseudo-ethernet
• tunnel
• vxlan
• wireguard
• wireless
• wirelessmodem

8.9. Service 476

 VyOS Documentation, 发布 1.4.x (sagitta)

Enabling Advertisments

set service router-advert interface <interface> ….

Field VyOS Option Description

Cur Hop Limit hop-limit Hop count field of the outgoing RA packets
“Managed address config- managed-flag Tell hosts to use the administered stateful protocol (i.e.
uration”flag DHCP) for autoconfiguration
“Other configuration”flag other-config-flag Tell hosts to use the administered (stateful) protocol (i.e.
DHCP) for autoconfiguration of other (non-address) in-
formation
MTU link-mtu Link MTU value placed in RAs, exluded in RAs if unset
Router Lifetime default-lifetime Lifetime associated with the default router in units of sec-
onds
Reachable Time reachable-time Time, in milliseconds, that a node assumes a neighbor is
reachable after having received a reachability confirma-
tion
Retransmit Timer retrans-timer Time in milliseconds between retransmitted Neighbor
Solicitation messages
Default Router Preference default-preference Preference associated with the default router
Interval interval Min and max intervals between unsolicited multicast RAs
DNSSL dnssl DNS search list to advertise
Name Server name-server Advertise DNS server per https://tools.ietf.org/html/
rfc6106

Advertising a Prefix

set service router-advert interface <interface> prefix 2001:DB8::/32

VyOS Field Description

no-autonomous-flag Prefix can not be used for stateless address auto-configuration
no-on-link-flag Prefix can not be used for on-link determination
preferred-lifetime Time in seconds that the prefix will remain preferred (default 4 hours)
valid-lifetime Time in seconds that the prefix will remain valid (default: 30 days)

8.9. Service 477

 VyOS Documentation, 发布 1.4.x (sagitta)

Disabling Advertisements

To disable advertisements without deleting the configuration:

set service router-advert interface <interface> no-send-advert

Example Configuration

interface eth0.2 {
default-preference high
hop-limit 64
interval {
max 600
}
name-server 2001:db8::1
name-server 2001:db8::2
other-config-flag
prefix 2001:db8:beef:2::/64 {
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
}

8.9.14 Salt-Minion

SaltStack is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration
management. Supporting the “infrastructure as code”approach to data center system and network deployment and
management, configuration automation, SecOps orchestration, vulnerability remediation, and hybrid cloud control.

Requirements

To use the Salt-Minion, a running Salt-Master is required. You can find more in the Salt Poject Documentaion

Configuration

set service salt-minion hash <type>

The hash type used when discovering file on master server (default: sha256)
set service salt-minion id <id>
Explicitly declare ID for this minion to use (default: hostname)
set service salt-minion interval <1-1440>
Interval in minutes between updates (default: 60)
set service salt-minion master <hostname | IP>
The hostname or IP address of the master
set service salt-minion master-key <key>
URL with signature of master for auth reply verification
Please take a look in the Automation section to find some usefull Examples.

8.9. Service 478

 VyOS Documentation, 发布 1.4.x (sagitta)

8.9.15 SNMP

SNMP is an Internet Standard protocol for collecting and organizing information about managed devices on IP net-
works and for modifying that information to change device behavior. Devices that typically support SNMP include cable
modems, routers, switches, servers, workstations, printers, and more.
SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form of
variables on the managed systems organized in a management information base (MIB) which describe the system status
and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by managing
applications.
Three significant versions of SNMP have been developed and deployed. SNMPv1 is the original version of the protocol.
More recent versions, SNMPv2c and SNMPv3, feature improvements in performance, flexibility and security.
SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists
of a set of standards for network management, including an application layer protocol, a database schema, and a set of
data objects.

Overview and basic concepts

In typical uses of SNMP, one or more administrative computers called managers have the task of monitoring or managing
a group of hosts or devices on a computer network. Each managed system executes a software component called an agent
which reports information via SNMP to the manager.
An SNMP-managed network consists of three key components:
• Managed devices
• Agent - software which runs on managed devices
• Network management station (NMS) - software which runs on the manager
A managed device is a network node that implements an SNMP interface that allows unidirectional (read-only) or bidi-
rectional (read and write) access to node-specific information. Managed devices exchange node-specific information with
the NMSs. Sometimes called network elements, the managed devices can be any type of device, including, but not limited
to, routers, access servers, switches, cable modems, bridges, hubs, IP telephones, IP video cameras, computer hosts, and
printers.
An agent is a network-management software module that resides on a managed device. An agent has local knowledge of
management information and translates that information to or from an SNMP-specific form.
A network management station executes applications that monitor and control managed devices. NMSs provide the bulk
of the processing and memory resources required for network management. One or more NMSs may exist on any managed
network.

注解: VyOS SNMP supports both IPv4 and IPv6.

8.9. Service 479

 VyOS Documentation, 发布 1.4.x (sagitta)

图 6: Image thankfully borrowed from https://en.wikipedia.org/wiki/File:SNMP_communication_principles_diagram.

PNG which is under the GNU Free Documentation License

SNMP Protocol Versions

VyOS itself supports SNMPv2 (version 2) and SNMPv3 (version 3) where the later is recommended because of improved
security (optional authentication and encryption).

SNMPv2

SNMPv2 is the original and most commonly used version. For authorizing clients, SNMP uses the concept of communi-
ties. Communities may have authorization set to read only (this is most common) or to read and write (this option is not
actively used in VyOS).
SNMP can work synchronously or asynchronously. In synchronous communication, the monitoring system queries the
router periodically. In asynchronous, the router sends notification to the “trap”(the monitoring host).
SNMPv2 does not support any authentication mechanisms, other than client source address, so you should specify ad-
dresses of clients allowed to monitor the router. Note that SNMPv2 also supports no encryption and always sends data
in plain text.

Example

# Define a community
set service snmp community routers authorization ro

# Allow monitoring access from the entire network

set service snmp community routers network 192.0.2.0/24
set service snmp community routers network 2001::db8:ffff:eeee::/64

# Allow monitoring access from specific addresses

set service snmp community routers client 203.0.113.10
set service snmp community routers client 203.0.113.20
(下页继续)

8.9. Service 480

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

# Define optional router information

set service snmp location "UK, London"
set service snmp contact "[email protected]"

# Trap target if you want asynchronous communication

set service snmp trap-target 203.0.113.10

# Listen only on specific IP addresses (port defaults to 161)

set service snmp listen-address 172.16.254.36 port 161
set service snmp listen-address 2001:db8::f00::1

SNMPv3

SNMPv3 (version 3 of the SNMP protocol) introduced a whole slew of new security related features that have been
missing from the previous versions. Security was one of the biggest weakness of SNMP until v3. Authentication in SNMP
Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and
agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these
security parameters depends on the security model being used.
The securityapproach in v3 targets:
• Confidentiality –Encryption of packets to prevent snooping by an unauthorized source.
• Integrity –Message integrity to ensure that a packet has not been tampered while in transit including an optional
packet replay protection mechanism.
• Authentication –to verify that the message is from a valid source.

Example

• Let SNMP daemon listen only on IP address 192.0.2.1

• Configure new SNMP user named “vyos”with password “vyos12345678”
• New user will use SHA/AES for authentication and privacy
set service snmp listen-address 192.0.2.1
set service snmp location 'VyOS Datacenter'
set service snmp v3 engineid '000000000000000000000002'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default view 'default'
set service snmp v3 user vyos auth plaintext-password 'vyos12345678'
set service snmp v3 user vyos auth type 'sha'
set service snmp v3 user vyos group 'default'
set service snmp v3 user vyos privacy plaintext-password 'vyos12345678'
set service snmp v3 user vyos privacy type 'aes'
set service snmp v3 view default oid 1

After commit the plaintext passwords will be hashed and stored in your configuration. The resulting LCI config will look
like:
vyos@vyos# show service snmp
listen-address 172.18.254.201 {
}
(下页继续)

8.9. Service 481

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
location "Wuerzburg, Dr.-Georg-Fuchs-Str. 8"
v3 {
engineid 000000000000000000000002
group default {
mode ro
view default
}
user vyos {
auth {
encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
type sha
}
group default
privacy {
encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
type aes
}
}
view default {
oid 1 {
}
}
}

You can test the SNMPv3 functionality from any linux based system, just run the following command: snmpwalk -v 3
-u vyos -a SHA -A vyos12345678 -x AES -X vyos12345678 -l authPriv 192.0.2.1 .1

VyOS MIBs

All SNMP MIBs are located in each image of VyOS here: /usr/share/snmp/mibs/
You are be able to download the files using SCP, once the SSH service has been activated like so

scp -r vyos@your_router:/usr/share/snmp/mibs /your_folder/mibs

SNMP Extensions

To extend SNMP agent functionality, custom scripts can be executed every time the agent is being called. This can be
achieved by using arbitrary extensioncommands. The first step is to create a functional script of course, then
upload it to your VyOS instance via the command scp your_script.sh vyos@your_router:/config/
user-data. Once the script is uploaded, it needs to be configured via the command below.

set service snmp script-extensions extension-name my-extension script your_script.sh

commit

The OID .1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116, once called, will contain the output of

the extension.

root@vyos:/home/vyos# snmpwalk -v2c -c public 127.0.0.1 nsExtendOutput1

NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."my-extension" = STRING: hello
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."my-extension" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."my-extension" = INTEGER: 0

8.9. Service 482

 VyOS Documentation, 发布 1.4.x (sagitta)

SolarWinds

If you happen to use SolarWinds Orion as NMS you can also use the Device Templates Management. A template for
VyOS can be easily imported.
Create a file named VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands using the following content:

<Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641">

<Commands>
<Command Name="Reset" Value="set terminal width 0${CRLF}set terminal length 0
,→"/>

<Command Name="Reboot" Value="reboot${CRLF}Yes"/>

<Command Name="EnterConfigMode" Value="configure"/>
<Command Name="ExitConfigMode" Value="commit${CRLF}exit"/>
<Command Name="DownloadConfig" Value="show configuration commands"/>
<Command Name="SaveConfig" Value="commit${CRLF}save"/>
<Command Name="Version" Value="show version"/>
<Command Name="MenuBased" Value="False"/>
<Command Name="VirtualPrompt" Value=":~"/>
</Commands>
</Configuration-Management>

8.9.16 SSH

SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured net-
work. The standard TCP port for SSH is 22. The best known example application is for remote login to computer systems
by users.
SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client appli-
cation with an SSH server. Common applications include remote command-line login and remote command execution,
but any network service can be secured with SSH. The protocol specification distinguishes between two major versions,
referred to as SSH-1 and SSH-2.
The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees
some limited use on Windows as well. In 2015, Microsoft announced that they would include native support for SSH in
a future release.
SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh,
and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to
interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and
integrity of data over an unsecured network, such as the Internet.

注解: VyOS 1.1 supported login as user root. This has been removed due to tighter security in VyOS 1.2.

参见:
SSH Key Based Authentication

8.9. Service 483

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

set service ssh port <port>

Enabling SSH only requires you to specify the port <port> you want SSH to listen on. By default, SSH runs on
port 22.
set service ssh listen-address <address>
Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined.
set service ssh ciphers <cipher>
Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple
occurrences to allow multiple ciphers.
List of supported ciphers: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr,
aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc,
cast128-cbc
set service ssh disable-password-authentication
Disable password based authentication. Login via SSH keys only. This hardens security!
set service ssh disable-host-validation
Disable the host validation through reverse DNS lookups - can speedup login time when reverse lookup is not
possible.
set service ssh macs <mac>
Specifies the available MAC algorithms. The MAC algorithm is used in protocol version 2 for data integrity
protection. Multiple algorithms can be provided.
List of supported MACs: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1,
hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, [email protected],
[email protected], [email protected], hmac-md5-96-etm@openssh.
com, [email protected], hmac-sha1-etm@openssh.
com, [email protected], hmac-sha2-256-etm@openssh.
com, [email protected], [email protected],
[email protected]
set service ssh access-control <allow | deny> <group | user> <name>
Add access-control directive to allow or deny users and groups. Directives are processed in the following order of
precedence: deny-users, allow-users, deny-groups and allow-groups.
set service ssh client-keepalive-interval <interval>
Specify timeout interval for keepalive message in seconds.
set service ssh key-exchange <kex>
Specify allowed KEX (Key Exchange) algorithms.
List of supported algorithms: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1,
diffie-hellman-group14-sha256, diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1,
diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256,
ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256 and
[email protected].
set service ssh loglevel <quiet | fatal | error | info | verbose>
Set the sshd log level. The default is info.

8.9. Service 484

 VyOS Documentation, 发布 1.4.x (sagitta)

set service ssh vrf <name>

Specify name of the VRF (Virtual Routing and Forwarding) instance.

Operation

restart ssh
Restart the SSH daemon process, the current session is not affected, only the background daemon is restarted.
generate ssh server-key
Re-generated the public/private keyportion which SSH uses to secure connections.

注解: Already learned known_hosts files of clients need an update as the public key will change.

generate ssh client-key /path/to/private_key

Re-generated a known pub/private keyfile which can be used to connect to other services (e.g. RPKI cache).
Example:

vyos@vyos:~$ generate ssh client-key /config/auth/id_rsa_rpki

Generating public/private rsa key pair.
Your identification has been saved in /config/auth/id_rsa_rpki.
Your public key has been saved in /config/auth/id_rsa_rpki.pub.
The key fingerprint is:
SHA256:XGv2PpdOzVCzpmEzJZga8hTRq7B/ZYL3fXaioLFLS5Q [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| oo |
| ..o |
| . o.o.. o.|
| o+ooo o.o|
| Eo* =.o |
| o = +.o*+ |
| = o *.o.o|
| o * +.o+.+|
| =.. o=.oo|
+----[SHA256]-----+

Two new files /config/auth/id_rsa_rpki and /config/auth/id_rsa_rpki.pub will be cre-

ated.

8.9.17 TFTP Server

TFTP (Trivial File Transfer Protocol) is a simple, lockstep file transfer protocol which allows a client to get a file from or
put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network.
TFTP has been used for this application because it is very simple to implement.

8.9. Service 485

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

set service tftp-server directory <directory>

Enable TFTP service by specifying the <directory> which will be used to serve files.

提示: Choose your directory location carefully or you will loose the content on image upgrades. Any directory
under /config is save at this will be migrated.

set service tftp-server listen-address <address>

Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and IPv6 addresses can be given. There will
be one TFTP server instances listening on each IP address.

注解: Configuring a listen-address is essential for the service to work.

set service tftp-server allow-upload

Optional, if you want to enable uploads, else TFTP server will act as a read-only server.

Example

Provide TFTP server listening on both IPv4 and IPv6 addresses 192.0.2.1 and 2001:db8::1 serving the content
from /config/tftpboot. Uploading via TFTP to this server is disabled.
The resulting configuration will look like:

vyos@vyos# show service

tftp-server {
directory /config/tftpboot
listen-address 2001:db8::1
listen-address 192.0.2.1
}

8.9.18 Webproxy

The proxy service in VyOS is based on Squid and some related modules.
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server
by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing
network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes
limited support for several other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not support
the SOCKS protocol.
URL Filtering is provided by SquidGuard.

8.9. Service 486

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

set service webproxy append-domain <domain>

Use this command to specify a domain name to be appended to domain-names within URLs that do not include
a dot . the domain is appended.
Example: to be appended is set to vyos.net and the URL received is www/foo.html, the system will use
the generated, final URL of www.vyos.net/foo.html.

set service webproxy append-domain vyos.net

set service webproxy cache-size <size>

The size of the on-disk Proxy cache is user configurable. The Proxies default cache-size is configured to 100 MB.
Unit of this command is MB.

set service webproxy cache-size 1024

set service webproxy default-port <port>

Specify the port used on which the proxy service is listening for requests. This port is the default port used for the
specified listen-address.
Default port is 3128.

set service webproxy default-port 8080

set service webproxy domain-block <domain>

Used to block specific domains by the Proxy. Specifying“vyos.net”will block all access to vyos.net, and specifying
“.xxx”will block all access to URLs having an URL ending on .xxx.

set service webproxy domain-block vyos.net

set service webproxy domain-noncache <domain>

Allow access to sites in a domain without retrieving them from the Proxy cache. Specifying “vyos.net”will
allow access to vyos.net but the pages accessed will not be cached. It useful for working around problems with
“If-Modified-Since”checking at certain sites.

set service webproxy domain-noncache vyos.net

set service webproxy listen-address <address>

Specifies proxy service listening address. The listen address is the IP address on which the web proxy service
listens for client requests.
For security, the listen address should only be used on internal/trusted networks!

set service webproxy listen-address 192.0.2.1

set service webproxy listen-address <address> disable-transparent

Disables web proxy transparent mode at a listening address.
In transparent proxy mode, all traffic arriving on port 80 and destined for the Internet is automatically forwarded
through the proxy. This allows immediate proxy forwarding without configuring client browsers.
Non-transparent proxying requires that the client browsers be configured with the proxy settings before requests
are redirected. The advantage of this is that the client web browser can detect that a proxy is in use and can behave

8.9. Service 487

 VyOS Documentation, 发布 1.4.x (sagitta)

accordingly. In addition, web-transmitted malware can sometimes be blocked by a non-transparent web proxy,
since they are not aware of the proxy settings.

set service webproxy listen-address 192.0.2.1 disable-transparent

set service webproxy listen-address <address> port <port>

Sets the listening port for a listening address. This overrides the default port of 3128 on the specific listen address.

set service webproxy listen-address 192.0.2.1 port 8080

set service webproxy reply-block-mime <mime>

Used to block a specific mime-type.

# block all PDFs

set service webproxy reply-block-mime application/pdf

set service webproxy reply-body-max-size <size>

Specifies the maximum size of a reply body in KB, used to limit the reply size.
All reply sizes are accepted by default.

set service webproxy reply-body-max-size 2048

Authentication

The embedded Squid proxy can use LDAP to authenticate users against a company wide directory. The following con-
figuration is an example of how to use Active Directory as authentication backend. Queries are done via LDAP.
set service webproxy authentication children <number>
Maximum number of authenticator processes to spawn. If you start too few Squid will have to wait for them to
process a backlog of credential verifications, slowing it down. When password verifications are done via a (slow)
network you are likely to need lots of authenticator processes.
This defaults to 5.

set service webproxy authentication children 10

set service webproxy authentication credentials-ttl <time>

Specifies how long squid assumes an externally validated username:password pair is valid for - in other words how
often the helper program is called for that user. Set this low to force revalidation with short lived passwords.
Time is in minutes and defaults to 60.

set service webproxy authentication credentials-ttl 120

set service webproxy authentication method <ldap>

Proxy authentication method, currently only LDAP is supported.

set service webproxy authentication method ldap

set service webproxy authentication realm

Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme.
It is commonly part of the text the user will see when prompted for their username and password.

8.9. Service 488

 VyOS Documentation, 发布 1.4.x (sagitta)

set service webproxy authentication realm "VyOS proxy auth"

LDAP

set service webproxy authentication ldap base-dn <base-dn>

Specifies the base DN under which the users are located.

set service webproxy authentication ldap base-dn DC=vyos,DC=net

set service webproxy authentication ldap bind-dn <bind-dn>

The DN and password to bind as while performing searches.

set service webproxy authentication ldap bind-dn CN=proxyuser,CN=Users,DC=vyos,

,→DC=net

set service webproxy authentication ldap filter-expression <expr>

LDAP search filter to locate the user DN. Required if the users are in a hierarchy below the base DN, or if the
login name is not what builds the user specific part of the users DN.
The search filter can contain up to 15 occurrences of %s which will be replaced by the username, as in“uid=%s”
for RFC 2037 directories. For a detailed description of LDAP search filter syntax see RFC 2254.

set service webproxy authentication ldap filter-expression (cn=%s)

set service webproxy authentication ldap password <password>

The DN and password to bind as while performing searches. As the password needs to be printed in plain text in
your Squid configuration it is strongly recommended to use a account with minimal associated privileges. This to
limit the damage in case someone could get hold of a copy of your Squid configuration file.

set service webproxy authentication ldap password vyos

set service webproxy authentication ldap persistent-connection

Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to
preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to
be reused for further user validations.
Recommended for larger installations.

set service webproxy authentication ldap persistent-connection

set service webproxy authentication ldap port <port>

Specify an alternate TCP port where the ldap server is listening if other than the default LDAP port 389.

set service webproxy authentication ldap port 389

set service webproxy authentication ldap server <server>

Specify the LDAP server to connect to.

set service webproxy authentication ldap server ldap.vyos.net

set service webproxy authentication ldap use-ssl

8.9. Service 489

 VyOS Documentation, 发布 1.4.x (sagitta)

Use TLS encryption.

set service webproxy authentication ldap use-ssl

set service webproxy authentication ldap username-attribute <attr>

Specifies the name of the DN attribute that contains the username/login. Combined with the base DN to construct
the users DN when no search filter is specified (filter-expression).
Defaults to ‘uid’

注解: This can only be done if all your users are located directly under the same position in the LDAP tree and
the login name is used for naming each user object. If your LDAP tree does not match these criterias or if you
want to filter who are valid users then you need to use a search filter to search for your users DN (filter-expression).

set service webproxy authentication ldap username-attribute uid

set service webproxy authentication ldap version <2 | 3>

LDAP protocol version. Defaults to 3 if not specified.

set service webproxy authentication ldap version 2

URL filtering

set service webproxy url-filtering disable

Disables web filtering without discarding configuration.

set service webproxy url-filtering disable

Operation

Filtering

Update

If you want to use existing blacklists you have to create/download a database first. Otherwise you will not be able to
commit the config changes.
update webproxy blacklists
Download/Update complete blacklist

vyos@vyos:~$ update webproxy blacklists

Warning: No url-filtering blacklist installed
Would you like to download a default blacklist? [confirm][y]
Connecting to ftp.univ-tlse1.fr (193.49.48.249:21)
blacklists.gz 100%␣
,→|***********************************************************************************************

,→17.0M 0:00:00 ETA

Uncompressing blacklist...
Checking permissions...
(下页继续)

8.9. Service 490

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Skip link for [ads] -> [publicite]
Building DB for [adult/domains] - 2467177 entries
Building DB for [adult/urls] - 67798 entries
Skip link for [aggressive] -> [agressif]
Building DB for [agressif/domains] - 348 entries
Building DB for [agressif/urls] - 36 entries
Building DB for [arjel/domains] - 69 entries
...

Building DB for [webmail/domains] - 374 entries

Building DB for [webmail/urls] - 9 entries

The webproxy daemon must be restarted

Would you like to restart it now? [confirm][y]

[ ok ] Restarting squid (via systemctl): squid.service.

vyos@vyos:~$

update webproxy blacklists category <category>

Download/Update partial blacklist.
Use tab completion to get a list of categories.
• To auto update the blacklist files
set service webproxy url-filtering squidguard auto-update update-hour 23
• To configure blocking add the following to the configuration
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category malware

Bypassing the webproxy

Some services don’t work correctly when being handled via a web proxy. So sometimes it is useful to bypass a transparent
proxy:
• To bypass the proxy for every request that is directed to a specific destination:
set service webproxy whitelist destination-address 198.51.100.33
set service webproxy whitelist destination-address 192.0.2.0/24
• To bypass the proxy for every request that is coming from a specific source:
set service webproxy whitelist source-address 192.168.1.2
set service webproxy whitelist source-address 192.168.2.0/24
(This can be useful when a called service has many and/or often changing destination addresses - e.g. Netflix.)

8.9. Service 491

 VyOS Documentation, 发布 1.4.x (sagitta)

Examples

vyos@vyos# show service webproxy

authentication {
children 5
credentials-ttl 60
ldap {
base-dn DC=example,DC=local
bind-dn CN=proxyuser,CN=Users,DC=example,DC=local
filter-expression (cn=%s)
password Qwert1234
server ldap.example.local
username-attribute cn
}
method ldap
realm "VyOS Webproxy"
}
cache-size 100
default-port 3128
listen-address 192.168.188.103 {
disable-transparent
}

8.10 System

8.10.1 Serial Console

For the average user a serial console has no advantage over a console offered by a directly attached keyboard and screen.
Serial consoles are much slower, taking up to a second to fill a 80 column by 24 line screen. Serial consoles generally only
support non-proportional ASCII text, with limited support for languages other than English.
There are some scenarios where serial consoles are useful. System administration of remote computers is usually done
using SSH, but there are times when access to the console is the only way to diagnose and correct software failures. Major
upgrades to the installed distribution may also require console access.
set system console device <device>
Defines the specified device as a system console. Available console devices can be (see completion helper):
• ttySN - Serial device name
• ttyUSBX - USB Serial device name
• hvc0 - Xen console
set system console device <device> speed <speed>
The speed (baudrate) of the console device. Supported values are:
• 1200 - 1200 bps
• 2400 - 2400 bps
• 4800 - 4800 bps
• 9600 - 9600 bps
• 19200 - 19,200 bps
• 38400 - 38,400 bps (default for Xen console)

8.10. System 492

 VyOS Documentation, 发布 1.4.x (sagitta)

• 57600 - 57,600 bps

• 115200 - 115,200 bps (default for serial console)

注解: If you use USB to serial converters for connecting to your VyOS appliance please note that most of them
use software emulation without flow control. This means you should start with a common baud rate (most likely
9600 baud) as otherwise you probably can not connect to the device using high speed baud rates as your serial
converter simply can not process this datarate.

8.10.2 Flow Accounting

VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to
use it with any compatible collector.
Flows can be exported via two different protocols: NetFlow (versions 5, 9 and 10/IPFIX) and sFlow. Additionally, you
may save flows to an in-memory table internally in a router.

警告: You need to disable the in-memory table in production environments! Using IMT (In-Memory Table) may
lead to heavy CPU overloading and unstable flow-accounting behavior.

NetFlow / IPFIX

NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic
as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things
such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring
setup (using NetFlow) consists of three main components:
• exporter: aggregates packets into flows and exports flow records towards one or more flow collectors
• collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter
• application: analyzes received flow data in the context of intrusion detection or traffic profiling, for example
For connectionless protocols as like ICMP and UDP, a flow is considered complete once no more packets for this flow
appear after configurable timeout.
NetFlow is usually enabled on a per-interface basis to limit load on the router components involved in NetFlow, or to
limit the amount of NetFlow records exported.

Configuration

In order for flow accounting information to be collected and displayed for an interface, the interface must be configured
for flow accounting.
set system flow-accounting interface <interface>
Configure and enable collection of flow information for the interface identified by <interface>.
You can configure multiple interfaces which whould participate in flow accounting.

注解: Will be recorded only packets/flows on incoming direction in configured interfaces by default.

8.10. System 493

 VyOS Documentation, 发布 1.4.x (sagitta)

By default, recorded flows will be saved internally and can be listed with the CLI command. You may disable using the
local in-memory table with the command:
set system flow-accounting disable-imt
If you need to sample also egress traffic, you may want to configure egress flow-accounting:
set system flow-accounting enable-egress
Internally, in flow-accounting processes exist a buffer for data exchanging between core process and plugins (each
export target is a separated plugin). If you have high traffic levels or noted some problems with missed records or
stopping exporting, you may try to increase a default buffer size (10 MiB) with the next command:
set system flow-accounting buffer-size <buffer size>
In case, if you need to catch some logs from flow-accounting daemon, you may configure logging facility:
set system flow-accounting syslog-facility <facility>
TBD

Flow Export

In addition to displaying flow accounting information locally, one can also exported them to a collection server.

NetFlow

set system flow-accounting netflow version <version>

There are multiple versions available for the NetFlow data. The <version> used in the exported flow data can be
configured here. The following versions are supported:
• 5 - Most common version, but restricted to IPv4 flows only
• 9 - NetFlow version 9 (default)
• 10 - IPFIX (IP Flow Information Export) as per RFC 3917
set system flow-accounting netflow server <address>
Configure address of NetFlow collector. NetFlow server at <address> can be both listening on an IPv4 or IPv6
address.
set system flow-accounting netflow source-ip <address>
IPv4 or IPv6 source address of NetFlow packets
set system flow-accounting netflow engine-id <id>
NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255.
set system flow-accounting netflow sampling-rate <rate>
Use this command to configure the sampling rate for flow accounting. The system samples one in every <rate>
packets, where <rate> is the value configured for the sampling-rate option. The advantage of sampling every n
packets, where n > 1, allows you to decrease the amount of processing resources required for flow accounting. The
disadvantage of not sampling every packet is that the statistics produced are estimates of actual data flows.
Per default every packet is sampled (that is, the sampling rate is 1).
set system flow-accounting netflow timeout expiry-interval <interval>

8.10. System 494

 VyOS Documentation, 发布 1.4.x (sagitta)

Specifies the interval at which Netflow data will be sent to a collector. As per default, Netflow data will be sent
every 60 seconds.
You may also additionally configure timeouts for different types of connections.
set system flow-accounting netflow max-flows <n>
If you want to change the maximum number of flows, which are tracking simultaneously, you may do this with
this command (default 8192).

sFlow

set system flow-accounting sflow server <address>

Configure address of sFlow collector. sFlow server at <address> can be an IPv4 or IPv6 address. But you cannot
export to both IPv4 and IPv6 collectors at the same time!
set system flow-accounting sflow sampling-rate <rate>
Enable sampling of packets, which will be transmitted to sFlow collectors.
set system flow-accounting sflow agent-address <address>
Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you must set the same protocol, which is
used for sFlow collector addresses. By default, using router-id from BGP or OSPF protocol, or the primary IP
address from the first interface.

Example:

NetFlow v5 example:
set system flow-accounting netflow engine-id 100
set system flow-accounting netflow version 5
set system flow-accounting netflow server 192.168.2.10 port 2055

Operation

Once flow accounting is configured on an interfaces it provides the ability to display captured network traffic information
for all configured interfaces.
show flow-accounting interface <interface>
Show flow accounting information for given <interface>.
vyos@vyos:~$ show flow-accounting interface eth0
IN_IFACE SRC_MAC DST_MAC SRC_IP DST_
,→IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS ␣
,→BYTES

---------- ----------------- ----------------- ------------------------ -----

,→---------- ---------- ---------- ---------- ----- --------- ------- ----
,→---

eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.

,→255.255.255 5678 5678 udp 0 1 1 ␣
,→ 178

eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ␣

,→ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1␣
,→ 144
(下页继续)

8.10. System 495

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ␣
,→ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1␣
,→ 72
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.
,→0.2.14 40152 22 tcp 16 39 1 ␣
,→2064

eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.

,→255.255.255 5678 5678 udp 0 1 1 ␣
,→ 154

eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.

,→0.2.14 40006 22 tcp 16 146 1 ␣
,→9444

eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.

,→0.2.14 0 0 icmp 192 27 1 ␣
,→4455

show flow-accounting interface <interface> host <address>

Show flow accounting information for given <interface> for a specific host only.

vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14

IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_
,→PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
---------- ----------------- ----------------- ----------- ---------- ------
,→---- ---------- ---------- ----- --------- ------- -------
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 ␣
,→40006 22 tcp 16 197 2 12940
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 ␣
,→40152 22 tcp 16 94 1 4924
eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 ␣
,→ 0 0 icmp 192 36 1 5877

8.10.3 Host Information

This section describes the system’s host information and how to configure them, it covers the following topics:
• Host name
• Domain
• IP address
• Aliases

Hostname

A hostname is the label (name) assigned to a network device (a host) on a network and is used to distinguish one device
from another on specific networks or over the internet. On the other hand this will be the name which appears on the
command line prompt.
set system host-name <hostname>
Set system hostname. The hostname can be up to 63 characters. A hostname must start and end with a letter or
digit, and have as interior characters only letters, digits, or a hyphen.
The default hostname used is vyos.

8.10. System 496

 VyOS Documentation, 发布 1.4.x (sagitta)

Domain Name

A domain name is the label (name) assigned to a computer network and is thus unique. VyOS appends the domain name
as a suffix to any unqualified name. For example, if you set the domain name example.com, and you would ping the
unqualified name of crux, then VyOS qualifies the name to crux.example.com.
set system domain-name <domain>
Configure system domain name. A domain name must start and end with a letter or digit, and have as interior
characters only letters, digits, or a hyphen.

Static Hostname Mapping

How an IP address is assigned to an interface in Ethernet. This section shows how to statically map an IP address to a
hostname for local (meaning on this VyOS instance) name resolution.
set system static-host-mapping host-name <hostname> inet <address>
Create a static hostname mapping which will always resolve the name <hostname> to IP address <address>.
set system static-host-mapping host-name <hostname> alias <alias>
Create named <alias> for the configured static mapping for <hostname>. Thus the address configured as set
system static-host-mapping host-name <hostname> inet <address> can be reached
via multiple names.
Multiple aliases can pe specified per host-name.

8.10.4 IP

System configuration commands

set system ip disable-forwarding

Use this command to disable IPv4 forwarding on all interfaces.
set system ip arp table-size <number>
Use this command to define the maximum number of entries to keep in the ARP cache (1024, 2048, 4096, 8192,
16384, 32768).
set system ip multipath layer4-hashing
Use this command to use Layer 4 information for IPv4 ECMP hashing.

Operational commands

show commands

See below the different parameters available for the IPv4 show command:
vyos@vyos:~$ show ip
Possible completions:
access-list Show all IP access-lists
as-path-access-list
Show all as-path-access-lists
bgp Show Border Gateway Protocol (BGP) information
(下页继续)

8.10. System 497

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
community-list
Show IP community-lists
extcommunity-list
Show extended IP community-lists
forwarding Show IP forwarding status
groups Show IP multicast group membership
igmp Show IGMP (Internet Group Management Protocol) information
large-community-list
Show IP large-community-lists
multicast Show IP multicast
ospf Show IPv4 Open Shortest Path First (OSPF) routing information
pim Show PIM (Protocol Independent Multicast) information
ports Show IP ports in use by various system services
prefix-list Show all IP prefix-lists
protocol Show IP route-maps per protocol
rip Show Routing Information Protocol (RIP) information
route Show IP routes

reset commands

And the different IPv4 reset commands available:

vyos@vyos:~$ reset ip
Possible completions:
arp Reset Address Resolution Protocol (ARP) cache
bgp Clear Border Gateway Protocol (BGP) statistics or status
igmp IGMP clear commands
multicast IP multicast routing table
route Reset IP route

8.10.5 IPv6

System configuration commands

set system ipv6 disable

Use this command to disable assignment of IPv6 addresses on all interfaces.
set system ipv6 disable-forwarding
Use this command to disable IPv6 forwarding on all interfaces.
set system ipv6 neighbor table-size <number>
Use this command to define the maximum number of entries to keep in the Neighbor cache (1024, 2048, 4096,
8192, 16384, 32768).
set system ipv6 strict-dad
Use this command to disable IPv6 operation on interface when Duplicate Address Detection fails on Link-Local
address.
set system ipv6 multipath layer4-hashing
Use this command to user Layer 4 information for ECMP hashing.

8.10. System 498

 VyOS Documentation, 发布 1.4.x (sagitta)

Operational commands

Show commands

show ipv6 neighbors

Use this command to show IPv6 Neighbor Discovery Protocol information.
show ipv6 groups
Use this command to show IPv6 multicast group membership.
show ipv6 forwarding
Use this command to show IPv6 forwarding status.
show ipv6 route
Use this command to show IPv6 routes.
Check the many parameters available for the show ipv6 route command:

vyos@vyos:~$ show ipv6 route

Possible completions:
<Enter> Execute the current command
<X:X::X:X> Show IPv6 routes of given address or prefix
<X:X::X:X/M>
bgp Show IPv6 BGP routes
cache Show kernel IPv6 route cache
connected Show IPv6 connected routes
forward Show kernel IPv6 route table
isis Show IPv6 ISIS routes
kernel Show IPv6 kernel routes
ospfv3 Show IPv6 OSPF6 routes
ripng Show IPv6 RIPNG routes
static Show IPv6 static routes
summary Show IPv6 routes summary
table Show IP routes in policy table
vrf Show IPv6 routes in VRF

show ipv6 prefix-list

Use this command to show all IPv6 prefix lists
There are different parameters for getting prefix-list information:

vyos@vyos:~$ show ipv6 prefix-list

Possible completions:
<Enter> Execute the current command
<WORD> Show specified IPv6 prefix-list
detail Show detail of IPv6 prefix-lists
summary Show summary of IPv6 prefix-lists

show ipv6 access-list

Use this command to show all IPv6 access lists
You can also specify which IPv6 access-list should be shown:

vyos@vyos:~$ show ipv6 access-list

Possible completions:
(下页继续)

8.10. System 499

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
<Enter> Execute the current command
<text> Show specified IPv6 access-list

show ipv6 bgp

Use this command to show IPv6 Border Gateway Protocol information.
In addition, you can specify many other parameters to get BGP information:

vyos@vyos:~$ show ipv6 bgp

Possible completions:
<Enter> Execute the current command
<X:X::X:X> Show BGP information for given address or prefix
<X:X::X:X/M>
community Show routes matching the communities
community-list
Show routes matching the community-list
filter-list Show routes conforming to the filter-list
large-community
Show routes matching the large-community-list
large-community-list
neighbors Show detailed information on TCP and BGP neighbor connections
prefix-list Show routes matching the prefix-list
regexp Show routes matching the AS path regular expression
route-map Show BGP routes matching the specified route map
summary Show summary of BGP neighbor status

show ipv6 ospfv3

Use this command to get information about OSPFv3.
You can get more specific OSPFv3 information by using the parameters shown below:

vyos@vyos:~$ show ipv6 ospfv3

Possible completions:
<Enter> Execute the current command
area Show OSPFv3 spf-tree information
border-routers
Show OSPFv3 border-router (ABR and ASBR) information
database Show OSPFv3 Link state database information
interface Show OSPFv3 interface information
linkstate Show OSPFv3 linkstate routing information
neighbor Show OSPFv3 neighbor information
redistribute Show OSPFv3 redistribute External information
route Show OSPFv3 routing table information

show ipv6 ripng

Use this command to get information about the RIPNG protocol
show ipv6 ripng status
Use this command to show the status of the RIPNG protocol

8.10. System 500

 VyOS Documentation, 发布 1.4.x (sagitta)

Reset commands

reset ipv6 bgp <address>

Use this command to clear Border Gateway Protocol statistics or status.
reset ipv6 neighbors <address | interface>
Use this command to reset IPv6 Neighbor Discovery Protocol cache for an address or interface.
reset ipv6 route cache
Use this command to flush the kernel IPv6 route cache. An address can be added to flush it only for that route.

8.10.6 System Display (LCD)

The system LCD LCD (Liquid-crystal display) option is for users running VyOS on hardware that features an LCD
display. This is typically a small display built in an 19 inch rack-mountable appliance. Those displays are used to show
runtime data.
To configure your LCD display you must first identify the used hardware, and connectivity of the display to your system.
This can be any serial port (ttySxx) or serial via USB or even old parallel port interfaces.

Configuration

set system lcd device <device>

This is the name of the physical interface used to connect to your LCD display. Tab completion is supported and
it will list you all available serial interface.
For serial via USB port information please refor to: USB.
set system lcd model <model>
This is the LCD model used in your system.
At the time of this writing the following displays are supported:
• Crystalfontz CFA-533
• Crystalfontz CFA-631
• Crystalfontz CFA-633
• Crystalfontz CFA-635

注解: We can’t support all displays from the beginning. If your display type is missing, please create a feature
request via Phabricator.

8.10. System 501

 VyOS Documentation, 发布 1.4.x (sagitta)

8.10.7 User Management

The default VyOS user account (vyos), as well as newly created user accounts, have all capabilities to configure the system.
All accounts have sudo capabilities and therefore can operate as root on the system.
Both local administered and remote administered RADIUS (Remote Authentication Dial-In User Service) accounts are
supported.

Local

set system login user <name> full-name “<string>”

Create new system user with username <name> and real-name specified by <string>.
set system login user <name> authentication plaintext-password <password>
Specify the plaintext password user by user <name> on this system. The plaintext password will be automatically
transferred into a secure hashed password and not saved anywhere in plaintext.
set system login user <name> authentication encrypted-password <password>
Setup encrypted password for given username. This is useful for transferring a hashed password from system to
system.

Key Based Authentication

It is highly recommended to use SSH key authentication. By default there is only one user (vyos), and you can assign
any number of keys to that user. You can generate a ssh key with the ssh-keygen command on your local machine,
which will (by default) save it as ~/.ssh/id_rsa.pub.
Every SSH key comes in three parts:
ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB [email protected]
Only the type (ssh-rsa) and the key (AAAB3N...) are used. Note that the key will usually be several hundred
characters long, and you will need to copy and paste it. Some terminal emulators may accidentally split this over several
lines. Be attentive when you paste it that it only pastes as a single line. The third part is simply an identifier, and is for
your own reference.
set system login user <username> authentication public-keys <identifier> key
<key>
Assign the SSH public key portion <key> identified by per-key <identifier> to the local user <username>.
set system login user <username> authentication public-keys <identifier> type
<type>
Every SSH public key portion referenced by <identifier> requires the configuration of the <type> of public-key
used. This type can be any of:
• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521
• ssh-dss
• ssh-ed25519
• ssh-rsa

8.10. System 502

 VyOS Documentation, 发布 1.4.x (sagitta)

注解: You can assign multiple keys to the same user by using a unique identifier per SSH key.

loadkey <username> <location>

SSH keys can not only be specified on the command-line but also loaded for a given user with <username> from
a file pointed to by <location>. Keys can be either loaded from local filesystem or any given remote location using
one of the following URI (Uniform Resource Identifier):
• <file> - Load from file on local filesystem path
• scp://<user>@<host>:/<file> - Load via SCP from remote machine
• sftp://<user>@<host>/<file> - Load via SFTP from remote machine
• ftp://<user>@<host>/<file> - Load via FTP from remote machine
• http://<host>/<file> - Load via HTTP from remote machine
• tftp://<host>/<file> - Load via TFTP from remote machine

Example

In the following example, both User1 and User2 will be able to SSH into VyOS as user vyos using their very own keys.

set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
set system login user vyos authentication public-keys 'User1' type ssh-rsa
set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
set system login user vyos authentication public-keys 'User2' type ssh-rsa

RADIUS

In large deployments it is not reasonable to configure each user individually on every system. VyOS supports using
RADIUS servers as backend for user authentication.

Configuration

set system login radius server <address> secret <secret>

Specify the <address> of the RADIUS server user with the pre-shared-secret given in <secret>. Multiple servers
can be specified.
set system login radius server <address> port <port>
Configure the discrete port under which the RADIUS server can be reached. This defaults to 1812.
set system login radius server <address> timeout <timeout>
Setup the <timeout> in seconds when querying the RADIUS server.
set system login radius server <address> disable
Temporary disable this RADIUS server. It won’t be queried.
set system login radius source-address <address>

8.10. System 503

 VyOS Documentation, 发布 1.4.x (sagitta)

RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address
of each RADIUS query can be configured. If this is not set, incoming connections to the RADIUS server will use
the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a
link fails and a backup route is taken.

提示: If you want to have admin users to authenticate via RADIUS it is essential to sent the Cisco-AV-Pair
shell:priv-lvl=15 attribute. Without the attribute you will only get regular, non privilegued, system users.

Login Banner

You are able to set post-login or pre-login banner messages to display certain information for this system.
set system login banner pre-login <message>
Configure <message> which is shown during SSH connect and before a user is logged in.
set system login banner post-login <message>
Configure <message> which is shown after user has logged in to the system.

注解: To create a new line in your login message you need to escape the new line character by using \\n.

8.10.8 System DNS

This section describes configuring DNS on the system, namely:

• DNS name servers
• Domain search order

DNS name servers

set system name-server <address>

Use this command to specify a DNS server for the system to be used for DNS lookups. More than one DNS server
can be added, configuring one at a time. Both IPv4 and IPv6 addresses are supported.

Example

In this example, some OpenNIC servers are used, two IPv4 addresses and two IPv6 addresses:

set system name-server 176.9.37.132

set system name-server 195.10.195.195
set system name-server 2a01:4f8:161:3441::1
set system name-server 2a00:f826:8:2::195

8.10. System 504

 VyOS Documentation, 发布 1.4.x (sagitta)

Domain search order

In order for the system to use and complete unqualified host names, a list can be defined which will be used for domain
searches.
set system domain-search domain <domain>
Use this command to define domains, one at a time, so that the system uses them to complete unqualified host
names. Maximum: 6 entries.

注解: Domain names can include letters, numbers, hyphens and periods with a maximum length of 253 characters.

Example

The system is configured to attempt domain completion in the following order: vyos.io (first), vyos.net (second) and
vyos.network (last):

set system domain-search domain vyos.io

set system domain-search domain vyos.net
set system domain-search domain vyos.network

8.10.9 NTP

NTP (N T P ) is a networking protocol for clock synchronization between computer systems over
packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet pro-
tocols in current use.
NTP is intended to synchronize all participating computers to within a few milliseconds of UTC (Coordinated Universal
Time). It uses the intersection algorithm, a modified version of Marzullo’s algorithm, to select accurate time servers
and is designed to mitigate the effects of variable network latency. NTP can usually maintain time to within tens of
milliseconds over the public Internet, and can achieve better than one millisecond accuracy in local area networks under
ideal conditions. Asymmetric routes and network congestion can cause errors of 100 ms or more.
The protocol is usually described in terms of a client-server model, but can as easily be used in peer-to-peer relationships
where both peers consider the other to be a potential time source. Implementations send and receive timestamps using
UDP (User Datagram Protocol) on port number 123.
NTP supplies a warning of any impending leap second adjustment, but no information about local time zones or daylight
saving time is transmitted.
The current protocol is version 4 (NTPv4), which is a proposed standard as documented in RFC 5905. It is backward
compatible with version 3, specified in RFC 1305.

8.10. System 505

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

set system ntp server <address>

Configure one or more servers for synchronisation. Server name can be either an IP address or FQDN (Fully
Qualified Domain Name).
There are 3 default NTP server set. You are able to change them.
• 0.pool.ntp.org
• 1.pool.ntp.org
• 2.pool.ntp.org
set system ntp server <address> <noselect | pool | preempt | prefer>
Configure one or more attributes to the given NTP server.
• noselect marks the server as unused, except for display purposes. The server is discarded by the selection
algorithm.
• pool mobilizes persistent client mode association with a number of remote servers.
• preempt a preemptable association is expendable.
• prefer marks the server as preferred. All other things being equal, this host will be chosen for synchro-
nization among a set of correctly operating hosts.
set system ntp listen-address <address>
NTP process will only listen on the specified IP address. You must specify the <address> and optionally the
permitted clients. Multiple listen addresses can be configured.
set system ntp allow-clients address <address>
List of networks or client addresses permitted to contact this NTP server.
Multiple networks can be configured.
set system ntp vrf <name>
Specify name of the VRF instance.

8.10.10 Option

This chapter describe the possibilities of advanced system behavior.

General

set system option ctrl-alt-delete <ignore | reboot | poweroff>

Action which will be run once the ctrl-alt-del keystroke is received.
set system option reboot-on-panic
Automatically reboot system on kernel panic after 60 seconds.
set system option startup-beep
Play an audible beep to the system speaker when system is ready.

8.10. System 506

 VyOS Documentation, 发布 1.4.x (sagitta)

HTTP client

set system option http-client source-address <address>

Several commands utilize cURL to initiate transfers. Configure the local source IPv4/IPv6 address used for all
cURL operations.
set system option http-client source-interface <interface>
Several commands utilize curl to initiate transfers. Configure the local source interface used for all CURL opera-
tions.

注解: source-address and source-interface can not be used at the same time.

Keyboard Layout

When starting a VyOS live system (the installation CD) the configured keyboard layout defaults to US. As this might not
suite everyones use case you can adjust the used keyboard layout on the system console.
set system option keyboard-layout <us | fr | de | fi | no | dk>
Change system keyboard layout to given language.
Defaults to us.

注解: Changing the keymap only has an effect on the system console, using SSH or Serial remote access to the
device is not affected as the keyboard layout here corresponds to your access system.

Performance

As more and more routers run on Hypervisors, expecially with a NOS (Network Operating System) as VyOS, it makes
fewer and fewer sense to use static resource bindings like smp-affinity as present in VyOS 1.2 and earlier to pin
certain interrupt handlers to specific CPUs.
We now utilize tuned for dynamic resource balancing based on profiles.
参见:
https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf
set system option performance < throughput | latency >
Configure one of the predefined system performance profiles.
• throughput: A server profile focused on improving network throughput. This profile favors performance
over power savings by setting intel_pstate and max_perf_pct=100 and increasing kernel network
buffer sizes.
It enables transparent huge pages, and uses cpupower to set the performance cpufreq gov-
ernor. It also sets kernel.sched_min_granularity_ns to 10 us, kernel.
sched_wakeup_granularity_ns to 15 uss, and vm.dirty_ratio to 40%.
• latency: A server profile focused on lowering network latency. This profile favors performance over power
savings by setting intel_pstate and min_perf_pct=100.

8.10. System 507

 VyOS Documentation, 发布 1.4.x (sagitta)

It disables transparent huge pages, and automatic NUMA balancing. It also uses cpupower to set the perfor-
mance cpufreq governor, and requests a cpu_dma_latency value of 1. It also sets busy_read and busy_poll
times to 50 us, and tcp_fastopen to 3.

8.10.11 System Proxy

Some IT environments require the use of a proxy to connect to the Internet. Without this configuration VyOS updates
could not be installed directly by using the add system image command (Update VyOS).
set system proxy url <url>
Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and FTP (anonymous ftp).
set system proxy port <port>
Configure proxy port if it does not listen to the default port 80.
set system proxy username <username>
Some proxys require/support the “basic”HTTP authentication scheme as per RFC 7617, thus a username can
be configured.
set system proxy password <password>
Some proxys require/support the “basic”HTTP authentication scheme as per RFC 7617, thus a password can
be configured.

8.10.12 Syslog

Per default VyOSs has minimal syslog logging enabled which is stored and rotated locally. Errors will be always logged
to a local file, which includes local7 error messages, emergency messages will be sent to the console, too.
To configure syslog, you need to switch into configuration mode.

Logging

Syslog supports logging to multiple targets, those targets could be a plain file on your VyOS installation itself, a serial
console or a remote syslog server which is reached via IP (Internet Protocol) UDP/TCP.

Console

set system syslog console facility <keyword> level <keyword>

Log syslog messages to /dev/console, for an explanation on Facilities keywords and Severity Level keywords
see tables below.

8.10. System 508

 VyOS Documentation, 发布 1.4.x (sagitta)

Custom File

set system syslog file <filename> facility <keyword> level <keyword>

Log syslog messages to file specified via <filename>, for en explanation on Facilities keywords and Severity Level
keywords see tables below.
set system syslog file <filename> archive size <size>
Syslog will write <size> kilobytes into the file specified by <filename>. After this limit has been reached, the
custom file is “rotated”by logrotate and a new custom file is created.
set system syslog file <filename> archive file <number>
Syslog uses logrotate to rotate logiles after a number of gives bytes. We keep as many as <number> rotated file
before they are deleted on the system.

Remote Host

Logging to a remote host leaves the local logging configuration intact, it can be configured in parallel to a custom file or
console logging. You can log to multiple hosts at the same time, using either TCP or UDP. The default is sending the
messages via port 514/UDP.
set system syslog host <address> facility <keyword> level <keyword>
Log syslog messages to remote host specified by <address>. The address can be specified by either FQDN or IP
address. For en explanation on Facilities keywords and Severity Level keywords see tables below.
set system syslog host <address> facility <keyword> protocol <udp|tcp>
Configure protocol used for communication to remote syslog host. This can be either UDP or TCP.

Local User Account

set system syslog user <username> facility <keyword> level <keyword>

If logging to a local user account is configured, all defined log messages are display on the console if the local
user is logged in, if the user is not logged in, no messages are being displayed. For en explanation on Facilities
keywords and Severity Level keywords see tables below.

Facilities

List of facilities used by syslog. Most facilities names are self explanatory. Facilities local0 - local7 common usage is f.e.
as network logs facilities for nodes and network equipment. Generally it depends on the situation how to classify logs and
put them to facilities. See facilities more as a tool rather than a directive to follow.
Facilities can be adjusted to meet the needs of the user:

8.10. System 509

 VyOS Documentation, 发布 1.4.x (sagitta)

Facility Code Keyword Description

all All facilities
0 kern Kernel messages
1 user User-level messages
2 mail Mail system
3 daemon System daemons
4 auth Security/authentication messages
5 syslog Messages generated internally by syslogd
6 lpr Line printer subsystem
7 news Network news subsystem
8 uucp UUCP subsystem
9 cron Clock daemon
10 security Security/authentication messages
11 ftp FTP daemon
12 ntp NTP subsystem
13 logaudit Log audit
14 logalert Log alert
15 clock clock daemon (note 2)
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 use 6 (local6)
23 local7 local use 7 (local7)

Severity Level

Value Severity Key- Description

word
all Log everything
0 Emer- emerg System is unusable - a panic condition
gency
1 Alert alert Action must be taken immediately - A condition that should be corrected immediately,
such as a corrupted system database.
2 Critical crit Critical conditions - e.g. hard drive errors.
3 Error err Error conditions
4 Warning warn- Warning conditions
ing
5 Notice notice Normal but significant conditions - conditions that are not error conditions, but that may
require special handling.
6 Informa- info Informational messages
tional
7 Debug debug Debug-level messages - Messages that contain information normally of use only when
debugging a program.

8.10. System 510

 VyOS Documentation, 发布 1.4.x (sagitta)

Display Logs

show log [all | authorization | cluster | conntrack-sync | …]

Display log files of given category on the console. Use tab completion to get a list of available categories. Thos
categories could be: all, authorization, cluster, conntrack-sync, dhcp, directory, dns, file, firewall, https, image
lldp, nat, openvpn, snmp, tail, vpn, vrrp
If no option is specified, this defaults to all.
show log image <name> [all | authorization | directory | file <file name> |
tail <lines>]
Log messages from a specified image can be displayed on the console. Details of allowed parameters:

all Display contents of all master log files of the specified image
authorization Display all authorization attempts of the specified image
directory Display list of all user-defined log files of the specified image
file <file name> Display contents of a specified user-defined log file of the specified image
tail Display last lines of the system log of the specified image
<lines> Number of lines to be displayed, default 10

When no options/parameters are used, the contents of the main syslog file are displayed.

提示: Use show log | strip-private if you want to hide private data when sharing your logs.

8.10.13 Task Scheduler

The task scheduler allows you to execute tasks on a given schedule. It makes use of UNIX cron.

注解: All scripts excecuted this way are executed as root user - this may be dangerous. Together with Command Scripting
this can be used for automating (re-)configuration.

set system task-scheduler task <task> interval <interval>

Specify the time interval when <task> should be executed. The interval is specified as number with one of the
following suffixes:
• none - Execution interval in minutes
• m - Execution interval in minutes
• h - Execution interval in hours
• d - Execution interval in days

注解: If suffix is omitted, minutes are implied.

set system task-scheduler task <task> crontab-spec <spec>

Set execution time in common cron time format. A cron <spec> of 30 */6 * * * would execute the <task>
at minute 30 past every 6th hour.
set system task-scheduler task <task> executable path <path>

8.10. System 511

 VyOS Documentation, 发布 1.4.x (sagitta)

Specify absolute <path> to script which will be run when <task> is executed.
set system task-scheduler task <task> executable arguments <args>
Arguments which will be passed to the executable.

8.10.14 Time Zone

Time Zone setting is very important as e.g all your logfile entries will be based on the configured zone. Without proper
time zone configuration it will be very difficult to compare logfiles from different systems.
set system time-zone <timezone>
Specify the systems <timezone> as the Region/Location that best defines your location. For example, specifying
US/Pacific sets the time zone to US Pacific time.
Command completion can be used to list available time zones. The adjustment for daylight time will take place
automatically based on the time of year.

8.10.15 Default Gateway/Route

In the past (VyOS 1.1) used a gateway-address configured under the system tree (set system gateway-address
<address>), this is no longer supported and existing configurations are migrated to the new CLI command.

Configuration

set protocols static route 0.0.0.0/0 next-hop <address>

Specify static route into the routing table sending all non local traffic to the nexthop address <address>.
delete protocols static route 0.0.0.0/0
Delete default route from the system.

Operation

show ip route 0.0.0.0

Show routing table entry for the default route.

vyos@vyos:~$ show ip route 0.0.0.0

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
Last update 09:46:30 ago
* 172.18.201.254, via eth0.201

参见:
Configuration of Static

8.10. System 512

 VyOS Documentation, 发布 1.4.x (sagitta)

8.10.16 Event Handler

Event handler allows you to execute scripts when a string that matches a regex appears in a text stream (e.g. log file).
It uses“feeds”(output of commands, or a named pipes) and“policies”that define what to execute if a regex is matched.

system
event-handler
feed <name>
description <feed description>
policy <policy name>
source
preset
syslog # Use the syslog logs for feed
custom
command <command to execute> # E.g. "tail -f /var/log/somelogfile"
named-pipe <path to a names pipe>
policy <policy name>
description <policy description>
event <event name>
description <event description>
pattern <regex>
run <command to run>

In this small example a script runs every time a login failed and an interface goes down

vyos@vyos# show system event-handler

feed Syslog {
policy MyPolicy
source {
preset syslog
}
}
policy MyPolicy {
description "Test policy"
event BadThingsHappened {
pattern "authentication failure"
pattern "interface \.* index \d+ .* DOWN.*"
run /config/scripts/email-to-admin
}
}

8.11 Traffic Policy

8.11.1 QoS

The generic name of Quality of Service or Traffic Control involves things like shaping traffic, scheduling or dropping
packets, which are the kind of things you may want to play with when you have, for instance, a bandwidth bottleneck in
a link and you want to somehow prioritize some type of traffic over another.
tc is a powerful tool for Traffic Control found at the Linux kernel. However, its configuration is often considered a
cumbersome task. Fortunately, VyOS eases the job through its CLI, while using tc as backend.

8.11. Traffic Policy 513

 VyOS Documentation, 发布 1.4.x (sagitta)

How to make it work

In order to have VyOS Traffic Control working you need to follow 2 steps:
1. Create a traffic policy.
2. Apply the traffic policy to an interface ingress or egress.
But before learning to configure your policy, we will warn you about the different units you can use and also show you
what classes are and how they work, as some policies may require you to configure them.

Units

When configuring your traffic policy, you will have to set data rate values, watch out the units you are managing, it is easy
to get confused with the different prefixes and suffixes you can use. VyOS will always show you the different units you
can use.

Prefixes

They can be decimal prefixes.

kbit (10^3) kilobit per second

mbit (10^6) megabit per second
gbit (10^9) gigabit per second
tbit (10^12) terabit per second

kbps (8*10^3) kilobyte per second

mbps (8*10^6) megabyte per second
gbps (8*10^9) gigabyte per second
tbps (8*10^12) terabyte per second

Or binary prefixes.

kibit (2^10 = 1024) kibibit per second

mibit (2^20 = 1024^2) mebibit per second
gibit (2^30 = 1024^3) gibibit per second
tbit (2^40 = 1024^4) tebibit per second

kibps (1024*8) kibibyte (KiB) per second

mibps (1024^2*8) mebibyte (MiB) per second
gibps (1024^3*8) gibibyte (GiB) per second
tibps (1024^4*8) tebibyte (TiB) per second

Suffixes

A bit is written as bit,

kbit (kilobits per second)

mbit (megabits per second)
gbit (gigabits per second)
tbit (terabits per second)

while a byte is written as a single b.

8.11. Traffic Policy 514

 VyOS Documentation, 发布 1.4.x (sagitta)

kbps (kilobytes per second)

mbps (megabytes per second)
gbps (gigabytes per second)

Classes

In the Creating a traffic policy section you will see that some of the policies use classes. Those policies let you distribute
traffic into different classes according to different parameters you can choose. So, a class is just a specific type of traffic
you select.
The ultimate goal of classifying traffic is to give each class a different treatment.

Matching traffic

In order to define which traffic goes into which class, you define filters (that is, the matching criteria). Packets go through
these matching rules (as in the rules of a firewall) and, if a packet matches the filter, it is assigned to that class.
In VyOS, a class is identified by a number you can choose when configuring it.

注解: The meaning of the Class ID is not the same for every type of policy. Normally policies just need a meaningless
number to identify a class (Class ID), but that does not apply to every policy. The the number of a class in a Priority
Queue it does not only identify it, it also defines its priority.

set traffic-policy <policy> <policy-name> class <class-ID> match <class-matching-rule-

,→name>

In the command above, we set the type of policy we are going to work with and the name we choose for it; a class (so that
we can differentiate some traffic) and an identifiable number for that class; then we configure a matching rule (or filter)
and a name for it.
A class can have multiple match filters:

set traffic-policy shaper MY-SHAPER class 30 match HTTP

set traffic-policy shaper MY-SHAPER class 30 match HTTPs

A match filter can contain multiple criteria and will match traffic if all those criteria are true.
For example:

set traffic-policy shaper MY-SHAPER class 30 match HTTP ip protocol tcp

set traffic-policy shaper MY-SHAPER class 30 match HTTP ip source port 80

This will match TCP traffic with source port 80.

There are many parameters you will be able to use in order to match the traffic you want for a class:
• Ethernet (protocol, destination address or source address)
• Interface name
• IPv4 (DSCP value, maximum packet length, protocol, source address, destination address, source port,
destination port or TCP flags)
• IPv6 (DSCP value, maximum payload length, protocol, source address, destination address, source port,
destination port or TCP flags)

8.11. Traffic Policy 515

 VyOS Documentation, 发布 1.4.x (sagitta)

• Firewall mark
• VLAN ID
When configuring your filter, you can use the Tab key to see the many different parameters you can configure.

vyos@vyos# set traffic-policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER

Possible completions:
description Description for this match
> ether Ethernet header match
interface Interface name for this match
> ip Match IP protocol header
> ipv6 Match IPV6 header
mark Match on mark applied by firewall
vif Virtual Local Area Network (VLAN) ID for this match

As shown in the example above, one of the possibilities to match packets is based on marks done by the firewall, that can
give you a great deal of flexibility.
You can also write a description for a filter:

set traffic-policy shaper MY-SHAPER class 30 match MY-FIRST-FILTER description "My␣

,→filter description"

注解: An IPv4 TCP filter will only match packets with an IPv4 header length of 20 bytes (which is the majority of IPv4
packets anyway).

注解: IPv6 TCP filters will only match IPv6 packets with no header extension, see https://en.wikipedia.org/wiki/IPv6_
packet#Extension_headers

Default

Often you will also have to configure your default traffic in the same way you do with a class. Default can be considered a
class as it behaves like that. It contains any traffic that did not match any of the defined classes, so it is like an open class,
a class without matching filters.

Class treatment

Once a class has a filter configured, you will also have to define what you want to do with the traffic of that class, what
specific Traffic-Control treatment you want to give it. You will have different possibilities depending on the Traffic Policy
you are configuring.

vyos@vyos# set traffic-policy shaper MY-SHAPER class 30

Possible completions:
bandwidth Bandwidth used for this class
burst Burst size for this class (default: 15kb)
ceiling Bandwidth limit for this class
codel-quantum
fq-codel - Number of bytes used as 'deficit' (default 1514)
description Description for this traffic class
flows fq-codel - Number of flows (default 1024)
(下页继续)

8.11. Traffic Policy 516

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
interval fq-codel - Interval (milliseconds) used to measure the delay (default␣
,→100)

+> match Class matching rule name

priority Priority for usage of excess bandwidth
queue-limit Maximum queue size (packets)
queue-type Queue type for this class
set-dscp Change the Differentiated Services (DiffServ) field in the IP header
target fq-codel - Acceptable minimum queue delay (milliseconds)

For instance, with set traffic-policy shaper MY-SHAPER class 30 set-dscp EF you would be
modifying the DSCP field value of packets in that class to Expedite Forwarding.
DSCP values as per RFC 2474 and RFC 4595:

Binary value Configured value Drop rate Description

101110 46 • Expedited forwarding
(EF)
000000 0 • Best effort traffic, de-
fault
001010 10 Low Assured Forward-
ing(AF) 11
001100 12 Medium Assured Forward-
ing(AF) 12
001110 14 High Assured Forward-
ing(AF) 13
010010 18 Low Assured Forward-
ing(AF) 21
010100 20 Medium Assured Forward-
ing(AF) 22
010110 22 High Assured Forward-
ing(AF) 23
011010 26 Low Assured Forward-
ing(AF) 31
011100 28 Medium Assured Forward-
ing(AF) 32
011110 30 High Assured Forward-
ing(AF) 33
100010 34 Low Assured Forward-
ing(AF) 41
100100 36 Medium Assured Forward-
ing(AF) 42
100110 38 High Assured Forward-
ing(AF) 43

8.11. Traffic Policy 517

 VyOS Documentation, 发布 1.4.x (sagitta)

Embedding one policy into another one

Often we need to embed one policy into another one. It is possible to do so on classful policies, by attaching a new policy
into a class. For instance, you might want to apply different policies to the different classes of a Round-Robin policy you
have configured.
A common example is the case of some policies which, in order to be effective, they need to be applied to an interface
that is directly connected where the bottleneck is. If your router is not directly connected to the bottleneck, but some
hop before it, you can emulate the bottleneck by embedding your non-shaping policy into a classful shaping one so that it
takes effect.
You can configure a policy into a class through the queue-type setting.

set traffic-policy shaper FQ-SHAPER bandwidth 4gbit

set traffic-policy shaper FQ-SHAPER default bandwidth 100%
set traffic-policy shaper FQ-SHAPER default queue-type fq-codel

As shown in the last command of the example above, the queue-type setting allows these combinations. You will be able
to use it in many policies.

注解: Some policies already include other embedded policies inside. That is the case of Shaper: each of its classes use
fair-queue unless you change it.

Creating a traffic policy

VyOS lets you control traffic in many different ways, here we will cover every possibility. You can configure as many
policies as you want, but you will only be able to apply one policy per interface and direction (inbound or outbound).
Some policies can be combined, you will be able to embed a different policy that will be applied to a class of the main
policy.

提示: If you are looking for a policy for your outbound traffic but you don’t know which one you need and you
don’t want to go through every possible policy shown here, our bet is that highly likely you are looking for a Shaper
policy and you want to set its queues as FQ-CoDel.

Drop Tail

Queueing discipline: PFIFO (Packet First In First Out).

Applies to: Outbound traffic.

This the simplest queue possible you can apply to your traffic. Traffic must go through a finite queue before it is actually
sent. You must define how many packets that queue can contain.
When a packet is to be sent, it will have to go through that queue, so the packet will be placed at the tail of it. When the
packet completely goes through it, it will be dequeued emptying its place in the queue and being eventually handed to the
NIC to be actually sent out.
Despite the Drop-Tail policy does not slow down packets, if many packets are to be sent, they could get dropped when
trying to get enqueued at the tail. This can happen if the queue has still not been able to release enough packets from its
head.

8.11. Traffic Policy 518

 VyOS Documentation, 发布 1.4.x (sagitta)

This is the policy that requieres the lowest resources for the same amount of traffic. But very likely you do not need it
as you cannot get much from it. Sometimes it is used just to enable logging.
set traffic-policy drop-tail <policy-name> queue-limit <number-of-packets>
Use this command to configure a drop-tail policy (PFIFO). Choose a unique name for this policy and the size of
the queue by setting the number of packets it can contain (maximum 4294967295).

Fair Queue

Queueing discipline: SFQ (Stochastic Fairness Queuing).

Applies to: Outbound traffic.

Fair Queue is a work-conserving scheduler which schedules the transmission of packets based on flows, that is, it balances
traffic distributing it through different sub-queues in order to ensure fairness so that each flow is able to send data in turn,
preventing any single one from drowning out the rest.
set traffic-policy fair-queue <policy-name>
Use this command to create a Fair-Queue policy and give it a name. It is based on the Stochastic Fairness Queueing
and can be applied to outbound traffic.
In order to separate traffic, Fair Queue uses a classifier based on source address, destination address and source port. The
algorithm enqueues packets to hash buckets based on those tree parameters. Each of these buckets should represent a
unique flow. Because multiple flows may get hashed to the same bucket, the hashing algorithm is perturbed at configurable
intervals so that the unfairness lasts only for a short while. Perturbation may however cause some inadvertent packet
reordering to occur. An advisable value could be 10 seconds.
One of the uses of Fair Queue might be the mitigation of Denial of Service attacks.
set traffic-policy fair-queue <policy-name> hash-interval <seconds>`
Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number
of seconds at which a new queue algorithm perturbation will occur (maximum 4294967295).
When dequeuing, each hash-bucket with data is queried in a round robin fashion. You can configure the length of the
queue.
set traffic-policy fair-queue <policy-name> queue-limit <limit>
Use this command to define a Fair-Queue policy, based on the Stochastic Fairness Queueing, and set the number
of maximum packets allowed to wait in the queue. Any other packet will be dropped.

注解: Fair Queue is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really
full. If it is not, VyOS will not own the queue and Fair Queue will have no effect. If there is bandwidth available on the
physical link, you can embed Fair-Queue into a classful shaping policy to make sure it owns the queue.

8.11. Traffic Policy 519

 VyOS Documentation, 发布 1.4.x (sagitta)

FQ-CoDel

Queueing discipline Fair/Flow Queue CoDel.

Applies to: Outbound Traffic.

The FQ-CoDel policy distributes the traffic into 1024 FIFO queues and tries to provide good service between all of them.
It also tries to keep the length of all the queues short.
FQ-CoDel fights bufferbloat and reduces latency without the need of complex configurations. It has become the new
default Queueing Discipline for the interfaces of some GNU/Linux distributions.
It uses a stochastic model to classify incoming packets into different flows and is used to provide a fair share of the
bandwidth to all the flows using the queue. Each flow is managed by the CoDel queuing discipline. Reordering within a
flow is avoided since Codel internally uses a FIFO queue.
FQ-CoDel is based on a modified Deficit Round Robin (DRR) queue scheduler with the CoDel Active Queue Management
(AQM) algorithm operating on each queue.

注解: FQ-Codel is a non-shaping (work-conserving) policy, so it will only be useful if your outgoing interface is really
full. If it is not, VyOS will not own the queue and FQ-Codel will have no effect. If there is bandwidth available on the
physical link, you can embed FQ-Codel into a classful shaping policy to make sure it owns the queue. If you are not sure
if you need to embed your FQ-CoDel policy into a Shaper, do it.

FQ-CoDel is tuned to run ok with its default parameters at 10Gbit speeds. It might work ok too at other speeds without
configuring anything, but here we will explain some cases when you might want to tune its parameters.
When running it at 1Gbit and lower, you may want to reduce the queue-limit to 1000 packets or less. In rates like 10Mbit,
you may want to set it to 600 packets.
If you are using FQ-CoDel embedded into Shaper and you have large rates (100Mbit and above), you may consider
increasing quantum to 8000 or higher so that the scheduler saves CPU.
On low rates (below 40Mbit) you may want to tune quantum down to something like 300 bytes.
At very low rates (below 3Mbit), besides tuning quantum (300 keeps being ok) you may also want to increase target to
something like 15ms and increase interval to something around 150 ms.
set traffic-policy fq-codel <policy name> codel-quantum <bytes>
Use this command to configure an fq-codel policy, set its name and the maximum number of bytes (default: 1514)
to be dequeued from a queue at once.
set traffic-policy fq-codel <policy name> flows <number-of-flows>
Use this command to configure an fq-codel policy, set its name and the number of sub-queues (default: 1024) into
which packets are classified.
set traffic-policy fq-codel <policy name> interval <miliseconds>
Use this command to configure an fq-codel policy, set its name and the time period used by the control loop
of CoDel to detect when a persistent queue is developing, ensuring that the measured minimum delay does not
become too stale (default: 100ms).
set traffic-policy fq-codel <policy-name> queue-limit <number-of-packets>`
Use this command to configure an fq-codel policy, set its name, and define a hard limit on the real queue size.
When this limit is reached, new packets are dropped (default: 10240 packets).
set traffic-policy fq-codel <policy-name> target <miliseconds>`

8.11. Traffic Policy 520

 VyOS Documentation, 发布 1.4.x (sagitta)

Use this command to configure an fq-codel policy, set its name, and define the acceptable minimum stand-
ing/persistent queue delay. This minimum delay is identified by tracking the local minimum queue delay that
packets experience (default: 5ms).

Example

A simple example of an FQ-CoDel policy working inside a Shaper one.

set traffic-policy shaper FQ-CODEL-SHAPER bandwidth 2gbit

set traffic-policy shaper FQ-CODEL-SHAPER default bandwidth 100%
set traffic-policy shaper FQ-CODEL-SHAPER default queue-type fq-codel

Limiter

Queueing discipline: Ingress policer.

Applies to: Inbound traffic.

Limiter is one of those policies that uses classes (Ingress qdisc is actually a classless policy but filters do work in it).
The limiter performs basic ingress policing of traffic flows. Multiple classes of traffic can be defined and traffic limits can
be applied to each class. Although the policer uses a token bucket mechanism internally, it does not have the capability
to delay a packet as a shaping mechanism does. Traffic exceeding the defined bandwidth limits is directly dropped. A
maximum allowed burst can be configured too.
You can configure classes (up to 4090) with different settings and a default policy which will be applied to any traffic not
matching any of the configured classes.

注解: In the case you want to apply some kind of shaping to your inbound traffic, check the ingress-shaping section.

set traffic-policy limiter <policy-name> class <class ID> match <match-name>

description <description>
Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090), a class matching
rule name and its description.
Once the matching rules are set for a class, you can start configuring how you want matching traffic to behave.
set traffic-policy limiter <policy-name> class <class-ID> bandwidth <rate>
Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090) and the maximum
allowed bandwidth for this class.
set traffic-policy limiter <policy-name> class <class-ID> burst <burst-size>
Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090) and the burst size
in bytes for this class (default: 15).
set traffic-policy limiter <policy-name> default bandwidth <rate>
Use this command to configure an Ingress Policer, defining its name and the maximum allowed bandwidth for its
default policy.
set traffic-policy limiter <policy-name> default burst <burst-size>
Use this command to configure an Ingress Policer, defining its name and the burst size in bytes (default: 15) for
its default policy.

8.11. Traffic Policy 521

 VyOS Documentation, 发布 1.4.x (sagitta)

set traffic-policy limiter <policy-name> class <class ID> priority <value>

Use this command to configure an Ingress Policer, defining its name, a class identifier (1-4090), and the priority
(0-20, default 20) in which the rule is evaluated (the lower the number, the higher the priority).

Network Emulator

Queueing discipline: netem (Network Emulator) + TBF (Token Bucket Filter).

Applies to: Outbound traffic.

VyOS Network Emulator policy emulates the conditions you can suffer in a real network. You will be able to configure
things like rate, burst, delay, packet loss, packet corruption or packet reordering.
This could be helpful if you want to test how an application behaves under certain network conditions.
set traffic-policy network-emulator <policy-name> bandwidth <rate>
Use this command to configure the maximum rate at which traffic will be shaped in a Network Emulator policy.
Define the name of the policy and the rate.
set traffic-policy network-emulator <policy-name> burst <burst-size>
Use this command to configure the burst size of the traffic in a Network Emulator policy. Define the name of the
Network Emulator policy and its traffic burst size (it will be configured through the Token Bucket Filter qdisc).
Default:15kb. It will only take effect if you have configured its bandwidth too.
set traffic-policy network-emulator <policy-name> network-delay <delay>
Use this command to configure a Network Emulator policy defining its name and the fixed amount of time you
want to add to all packet going out of the interface. The latency will be added through the Token Bucket Filter
qdisc. It will only take effect if you have configured its bandwidth too. You can use secs, ms and us. Default:
50ms.
set traffic-policy network-emulator <policy-name> packet-corruption <percent>
Use this command to emulate noise in a Network Emulator policy. Set the policy name and the percentage of
corrupted packets you want. A random error will be introduced in a random position for the chosen percent of
packets.
set traffic-policy network-emulator <policy-name> packet-loss <percent>
Use this command to emulate packet-loss conditions in a Network Emulator policy. Set the policy name and the
percentage of loss packets your traffic will suffer.
set traffic-policy network-emulator <policy-name> packet-reordering <percent>
Use this command to emulate packet-reordering conditions in a Network Emulator policy. Set the policy name
and the percentage of reordered packets your traffic will suffer.
set traffic-policy network-emulator <policy-name> queue-limit <limit>
Use this command to define the length of the queue of your Network Emulator policy. Set the policy name and
the maximum number of packets (1-4294967295) the queue may hold queued at a time.

8.11. Traffic Policy 522

 VyOS Documentation, 发布 1.4.x (sagitta)

Priority Queue

Queueing discipline: PRIO.

Applies to: Outbound traffic.

The Priority Queue is a classful scheduling policy. It does not delay packets (Priority Queue is not a shaping policy), it
simply dequeues packets according to their priority.

注解: Priority Queue, as other non-shaping policies, is only useful if your outgoing interface is really full. If it is not,
VyOS will not own the queue and Priority Queue will have no effect. If there is bandwidth available on the physical link,
you can embed Priority Queue into a classful shaping policy to make sure it owns the queue. In that case packets can be
prioritized based on DSCP.

Up to seven queues -defined as classes with different priorities- can be configured. Packets are placed into queues based
on associated match criteria. Packets are transmitted from the queues in priority order. If classes with a higher priority
are being filled with packets continuously, packets from lower priority classes will only be transmitted after traffic volume
from higher priority classes decreases.

注解: In Priority Queue we do not define clases with a meaningless class ID number but with a class priority number
(1-7). The lower the number, the higher the priority.

As with other policies, you can define different type of matching rules for your classes:

vyos@vyos# set traffic-policy priority-queue MY-PRIO class 3 match MY-MATCH-RULE

Possible completions:
description Description for this match
> ether Ethernet header match
interface Interface name for this match
> ip Match IP protocol header
> ipv6 Match IPV6 header
mark Match on mark applied by firewall
vif Virtual Local Area Network (VLAN) ID for this match

As with other policies, you can embed other policies into the classes (and default) of your Priority Queue policy through
the queue-type setting:

vyos@vyos# set traffic-policy priority-queue MY-PRIO class 3 queue-type

Possible completions:
fq-codel Fair Queue Codel
fair-queue Stochastic Fair Queue (SFQ)
drop-tail First-In-First-Out (FIFO)
priority Priority queueing based on DSCP
random-detect
Random Early Detection (RED)

set traffic-policy priority-queue <policy-name> class <class-ID> queue-limit

<limit>`
Use this command to configure a Priority Queue policy, set its name, set a class with a priority from 1 to 7 and
define a hard limit on the real queue size. When this limit is reached, new packets are dropped.

8.11. Traffic Policy 523

 VyOS Documentation, 发布 1.4.x (sagitta)

Random-Detect

Queueing discipline: Generalized Random Early Drop.

Applies to: Outbound traffic.

A simple Random Early Detection (RED) policy would start randomly dropping packets from a queue before it reaches
its queue limit thus avoiding congestion. That is good for TCP connections as the gradual dropping of packets acts as a
signal for the sender to decrease its transmission rate.
In contrast to simple RED, VyOS’Random-Detect uses a Generalized Random Early Detect policy that provides different
virtual queues based on the IP Precedence value so that some virtual queues can drop more packets than others.
This is achieved by using the first three bits of the ToS (Type of Service) field to categorize data streams and, in accordance
with the defined precedence parameters, a decision is made.
IP precedence as defined in RFC 791:

Precedence Priority
7 Network Control
6 Internetwork Control
5 CRITIC/ECP
4 Flash Override
3 Flash
2 Immediate
1 Priority
0 Routine

Random-Detect could be useful for heavy traffic. One use of this algorithm might be to prevent a backbone overload. But
only for TCP (because dropped packets could be retransmitted), not for UDP.
set traffic-policy random-detect <policy-name> bandwidth <bandwidth>
Use this command to configure a Random-Detect policy, set its name and set the available bandwidth for this
policy. It is used for calculating the average queue size after some idle time. It should be set to the bandwidth of
your interface. Random Detect is not a shaping policy, this command will not shape.
set traffic-policy random-detect <policy-name> precedence
<IP-precedence-value> average-packet <bytes>
Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the
virtual queue you are configuring and what the size of its average-packet should be (in bytes, default: 1024).

注解: When configuring a Random-Detect policy: the higher the precedence number, the higher the priority.

set traffic-policy random-detect <policy-name> precedence

<IP-precedence-value> mark-probability <value>
Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the
virtual queue you are configuring and what its mark (drop) probability will be. Set the probability by giving the N
value of the fraction 1/N (default: 10).
set traffic-policy random-detect <policy-name> precedence
<IP-precedence-value> maximum-threshold <packets>

8.11. Traffic Policy 524

 VyOS Documentation, 发布 1.4.x (sagitta)

Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the
virtual queue you are configuring and what its maximum threshold for random detection will be (from 0 to 4096
packets, default: 18). At this size, the marking (drop) probability is maximal.
set traffic-policy random-detect <policy-name> precedence
<IP-precedence-value> minimum-threshold <packets>
Use this command to configure a Random-Detect policy and set its name, then state the IP Precedence for the
virtual queue you are configuring and what its minimum threshold for random detection will be (from 0 to 4096
packets). If this value is exceeded, packets start being eligible for being dropped.
The default values for the minimum-threshold depend on IP precedence:

Precedence default min-threshold

7 16
6 15
5 14
4 13
3 12
2 11
1 10
0 9

set traffic-policy random-detect <policy-name> precedence

<IP-precedence-value> queue-limit <packets>
Use this command to configure a Random-Detect policy and set its name, then name the IP Precedence for the
virtual queue you are configuring and what the maximum size of its queue will be (from 1 to 1-4294967295
packets). Packets are dropped when the current queue length reaches this value.
If the average queue size is lower than the min-threshold, an arriving packet will be placed in the queue.
In the case the average queue size is between min-threshold and max-threshold, then an arriving packet would be either
dropped or placed in the queue, it will depend on the defined mark-probability.
If the current queue size is larger than queue-limit, then packets will be dropped. The average queue size depends on its
former average size and its current one.
If max-threshold is set but min-threshold is not, then **min-threshold is scaled to 50% of max-threshold.
In principle, values must be min-threshold < max-threshold < queue-limit.

Rate Control

Queueing discipline: Tocken Bucket Filter.

Applies to: Outbound traffic.

Rate-Control is a classless policy that limits the packet flow to a set rate. It is a pure shaper, it does not schedule traffic.
Traffic is filtered based on the expenditure of tokens. Tokens roughly correspond to bytes.
Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which
correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full.
set traffic-policy rate-control <policy-name> bandwidth <rate>
Use this command to configure a Rate-Control policy, set its name and the rate limit you want to have.
set traffic-policy rate-control <policy-name> burst <burst-size>

8.11. Traffic Policy 525

 VyOS Documentation, 发布 1.4.x (sagitta)

Use this command to configure a Rate-Control policy, set its name and the size of the bucket in bytes which will
be available for burst.
As a reference: for 10mbit/s on Intel, you might need at least 10kbyte buffer if you want to reach your configured rate.
A very small buffer will soon start dropping packets.
set traffic-policy rate-control <policy-name> latency
Use this command to configure a Rate-Control policy, set its name and the maximum amount of time a packet
can be queued (default: 50 ms).
Rate-Control is a CPU-friendly policy. You might consider using it when you just simply want to slow traffic down.

Round Robin

Queueing discipline: Deficit Round Robin.

Applies to: Outbound traffic.

The round-robin policy is a classful scheduler that divides traffic in different classes you can configure (up to 4096). You
can embed a new policy into each of those classes (default included).
Each class is assigned a deficit counter (the number of bytes that a flow is allowed to transmit when it is its turn) initialized
to quantum. Quantum is a parameter you configure which acts like a credit of fix bytes the counter receives on each round.
Then the Round-Robin policy starts moving its Round Robin pointer through the queues. If the deficit counter is greater
than the packet’s size at the head of the queue, this packet will be sent and the value of the counter will be decremented
by the packet size. Then, the size of the next packet will be compared to the counter value again, repeating the process.
Once the queue is empty or the value of the counter is insufficient, the Round-Robin pointer will move to the next queue.
If the queue is empty, the value of the deficit counter is reset to 0.
At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued.
set traffic-policy round-robin <policy name> class <class-ID> quantum
<packets>
Use this command to configure a Round-Robin policy, set its name, set a class ID, and the quantum for that class.
The deficit counter will add that value each round.
set traffic-policy round-robin <policy name> class <class ID> queue-limit
<packets>
Use this command to configure a Round-Robin policy, set its name, set a class ID, and the queue size in packets.
As with other policies, Round-Robin can embed another policy into a class through the queue-type setting.

vyos@vyos# set traffic-policy round-robin DRR class 10 queue-type

Possible completions:
fq-codel Fair Queue Codel
fair-queue Stochastic Fair Queue (SFQ)
drop-tail First-In-First-Out (FIFO)
priority Priority queueing based on DSCP

8.11. Traffic Policy 526

 VyOS Documentation, 发布 1.4.x (sagitta)

Shaper

Queueing discipline: Hierarchical Token Bucket.

Applies to: Outbound traffic.

The Shaper policy does not guarantee a low delay, but it does guarantee bandwidth to different traffic classes and also lets
you decide how to allocate more traffic once the guarantees are met.
Each class can have a guaranteed part of the total bandwidth defined for the whole policy, so all those shares together
should not be higher than the policy’s whole bandwidth.
If guaranteed traffic for a class is met and there is room for more traffic, the ceiling parameter can be used to set how
much more bandwidth could be used. If guaranteed traffic is met and there are several classes willing to use their ceilings,
the priority parameter will establish the order in which that additional traffic will be allocated. Priority can be any number
from 0 to 7. The lower the number, the higher the priority.
set traffic-policy shaper <policy-name> bandwidth <rate>
Use this command to configure a Shaper policy, set its name and the maximum bandwidth for all combined traffic.
set traffic-policy shaper <policy-name> class <class-ID> bandwidth <rate>
Use this command to configure a Shaper policy, set its name, define a class and set the guaranteed traffic you want
to allocate to that class.
set traffic-policy shaper <policy-name> class <class-ID> burst <bytes>
Use this command to configure a Shaper policy, set its name, define a class and set the size of the tocken bucket
in bytes, which will be available to be sent at ceiling speed (default: 15Kb).
set traffic-policy shaper <policy-name> class <class-ID> ceiling <bandwidth>
Use this command to configure a Shaper policy, set its name, define a class and set the maximum speed possible
for this class. The default ceiling value is the bandwidth value.
set traffic-policy shaper <policy-name> class <class-ID> priority <0-7>
Use this command to configure a Shaper policy, set its name, define a class and set the priority for usage of available
bandwidth once guarantees have been met. The lower the priority number, the higher the priority. The default
priority value is 0, the highest priority.
As with other policies, Shaper can embed other policies into its classes through the queue-type setting and then
configure their parameters.

vyos@vyos# set traffic-policy shaper HTB class 10 queue-type

Possible completions:
fq-codel Fair Queue Codel
fair-queue Stochastic Fair Queue (SFQ)
drop-tail First-In-First-Out (FIFO)
priority Priority queueing based on DSCP
random-detect
Random Early Detection (RED)

vyos@vyos# set traffic-policy shaper HTB class 10

Possible completions:
bandwidth Bandwidth used for this class
burst Burst size for this class (default: 15kb)
ceiling Bandwidth limit for this class
codel-quantum
(下页继续)

8.11. Traffic Policy 527

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
fq-codel - Number of bytes used as 'deficit' (default 1514)
description Description for this traffic class
flows fq-codel - Number of flows (default 1024)
interval fq-codel - Interval (milliseconds) used to measure the delay (default␣
,→100)

+> match Class matching rule name

priority Priority for usage of excess bandwidth
queue-limit Maximum queue size (packets)
queue-type Queue type for this class
set-dscp Change the Differentiated Services (DiffServ) field in the IP header
target fq-codel - Acceptable minimum queue delay (milliseconds)

注解: If you configure a class for VoIP traffic, don’t give it any ceiling, otherwise new VoIP calls could start when the
link is available and get suddenly dropped when other classes start using their assigned bandwidth share.

Example

A simple example of Shaper using priorities.

set traffic-policy shaper MY-HTB bandwidth '50mbit'

set traffic-policy shaper MY-HTB class 10 bandwidth '20%'
set traffic-policy shaper MY-HTB class 10 match DSCP ip dscp 'EF'
set traffic-policy shaper MY-HTB class 10 queue-type 'fq-codel'
set traffic-policy shaper MY-HTB class 20 bandwidth '10%'
set traffic-policy shaper MY-HTB class 20 ceiling '50%'
set traffic-policy shaper MY-HTB class 20 match PORT666 ip destination port '666'
set traffic-policy shaper MY-HTB class 20 priority '3'
set traffic-policy shaper MY-HTB class 20 queue-type 'fair-queue'
set traffic-policy shaper MY-HTB class 30 bandwidth '10%'
set traffic-policy shaper MY-HTB class 30 ceiling '50%'
set traffic-policy shaper MY-HTB class 30 match ADDRESS30 ip source address '192.168.
,→30.0/24'

set traffic-policy shaper MY-HTB class 30 priority '5'

set traffic-policy shaper MY-HTB class 30 queue-type 'fair-queue'
set traffic-policy shaper MY-HTB default bandwidth '10%'
set traffic-policy shaper MY-HTB default ceiling '100%'
set traffic-policy shaper MY-HTB default priority '7'
set traffic-policy shaper MY-HTB default queue-type 'fair-queue'

Applying a traffic policy

Once a traffic-policy is created, you can apply it to an interface:

set interfaces etherhet eth0 traffic-policy out WAN-OUT

You can only apply one policy per interface and direction, but you could reuse a policy on different interfaces and direc-
tions:

set interfaces ethernet eth0 traffic-policy in WAN-IN

set interfaces etherhet eth0 traffic-policy out WAN-OUT
set interfaces etherhet eth1 traffic-policy in LAN-IN
(下页继续)

8.11. Traffic Policy 528

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set interfaces etherhet eth1 traffic-policy out LAN-OUT
set interfaces ethernet eth2 traffic-policy in LAN-IN
set interfaces ethernet eth2 traffic-policy out LAN-OUT
set interfaces etherhet eth3 traffic-policy in TWO-WAY-POLICY
set interfaces etherhet eth3 traffic-policy out TWO-WAY-POLICY
set interfaces etherhet eth4 traffic-policy in TWO-WAY-POLICY
set interfaces etherhet eth4 traffic-policy out TWO-WAY-POLICY

Getting queueing information

show queueing <interface-type> <interface-name>

Use this command to see the queueing information for an interface. You will be able to see a packet counter (Sent,
Dropped, Overlimit and Backlog) per policy and class configured.

The case of ingress shaping

Applies to: Inbound traffic.

For the ingress traffic of an interface, there is only one policy you can directly apply, a Limiter policy. You cannot apply
a shaping policy directly to the ingress traffic of any interface because shaping only works for outbound traffic.
This workaround lets you apply a shaping policy to the ingress traffic by first redirecting it to an in-between virtual interface
(Intermediate Functional Block). There, in that virtual interface, you will be able to apply any of the policies that work
for outbound traffic, for instance, a shaping one.
That is how it is possible to do the so-called “ingress shaping”.
set traffic-policy shaper MY-INGRESS-SHAPING bandwidth 1000kbit
set traffic-policy shaper MY-INGRESS-SHAPING default bandwidth 1000kbit
set traffic-policy shaper MY-INGRESS-SHAPING default queue-type fair-queue

set interfaces input ifb0 traffic-policy out MY-INGRESS-SHAPING

set interfaces ethernet eth0 redirect ifb0

警告: Do not configure IFB as the first step. First create everything else of your traffic-policy, and then you can
configure IFB. Otherwise you might get the RTNETLINK answer: File exists error, which can be solved
with sudo ip link delete ifb0.

8.12 VPN

8.12.1 IPsec

GRE (Generic Routing Encapsulation), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any other stateless tunnel protocol over
IPsec) is the usual way to protect the traffic inside a tunnel.
An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static
routes or use dynamic routing protocols without having to modify IPsec policies. The other advantage is that it greatly
simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of

8.12. VPN 529

 VyOS Documentation, 发布 1.4.x (sagitta)

the router usually doesn’t match the IPsec policy of typical site-to-site setup and you need to add special configuration for
it, or adjust the source address for outgoing traffic of your applications. GRE/IPsec has no such problem and is completely
transparent for the applications.
GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme easy to implement between VyOS and
virtually any other router.
For simplicity we’ll assume that the protocol is GRE, it’s not hard to guess what needs to be changed to make it work
with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for
the cipher and hash. Adjust this as necessary.

注解: VMware users should ensure that a VMXNET3 adapter is used. E1000 adapters have known issues with GRE
processing.

IPsec policy matching GRE

The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your
routers. This is the best option if both routers have static external addresses.
Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, and the RIGHT router is 203.0.113.45
On the LEFT:

# GRE tunnel
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 203.0.113.45
set interfaces tunnel tun0 address 10.10.10.1/30

## IPsec
set vpn ipsec ipsec-interfaces interface eth0

# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'

# ESP group
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'

# IPsec tunnel
set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret␣
,→MYSECRETKEY

set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup

set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup

set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10

# This will match all GRE traffic to the peer

set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre

On the RIGHT, setup by analogy and swap local and remote addresses.

8.12. VPN 530

 VyOS Documentation, 发布 1.4.x (sagitta)

Source tunnel from loopbacks

The scheme above doesn’t work when one of the routers has a dynamic external address though. The classic workaround
for this is to setup an address on a loopback interface and use it as a source address for the GRE tunnel, then setup an
IPsec policy to match those loopback addresses.
We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on
eth0.
Setting up the GRE tunnel
On the LEFT:

set interfaces loopback lo address 192.168.99.1/32

set interfaces tunnel tun0 encapsulation gre

set interfaces tunnel tun0 address 10.10.10.1/30
set interfaces tunnel tun0 local-ip 192.168.99.1
set interfaces tunnel tun0 remote-ip 192.168.99.2

On the RIGHT:

set interfaces loopback lo address 192.168.99.2/32

set interfaces tunnel tun0 encapsulation gre

set interfaces tunnel tun0 address 10.10.10.2/30
set interfaces tunnel tun0 local-ip 192.168.99.2
set interfaces tunnel tun0 remote-ip 192.168.99.1

Setting up IPSec
However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret
authentication doesn’t work with dynamic address, so we’ll have to use RSA keys.
First, on both routers run the operational command“generate vpn rsa-key bits 2048”. You may choose different length
than 2048 of course.

vyos@left# run generate vpn rsa-key bits 2048

Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated

The public portion of the key is:

0sAQO2335[long string here]

Then on the opposite router, add the RSA key to your config.

set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE

Now you are ready to setup IPsec. You’ll need to use an ID instead of address for the peer on the dynamic side.
On the LEFT (static address):

set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128

set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
(下页继续)

8.12. VPN 531

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2

set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

set vpn ipsec site-to-site peer @RIGHT authentication mode rsa

set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT
set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
set vpn ipsec site-to-site peer @RIGHT connection-type respond
set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 #␣
,→Additional loopback address on the local

set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 #␣
,→Additional loopback address on the remote

On the RIGHT (dynamic address):

set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128

set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1

set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2

set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT

set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT
set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT
set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 192.0.2.10 local-address any
set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 #␣
,→Additional loopback address on the local

set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 #␣
,→Additional loopback address on the remote

8.12.2 L2TP

VyOS utilizes accel-ppp to provide L2TP server functionality. It can be used with local authentication or a connected
RADIUS server.

8.12. VPN 532

 VyOS Documentation, 发布 1.4.x (sagitta)

L2TP over IPsec

Example for configuring a simple L2TP over IPsec VPN for remote access (works with native Windows and Mac VPN
clients):

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access outside-address 192.0.2.2

set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'

In the example above an external IP of 192.0.2.2 is assumed.

If a local firewall policy is in place on your external interface you will need to allow the ports below:
• UDP port 500 (IKE)
• IP protocol number 50 (ESP)
• UDP port 1701 for IPsec
As well as the below to allow NAT-traversal (when NAT is detected by the VPN client, ESP is encapsulated in UDP for
NAT-traversal):
• UDP port 4500 (NAT-T)
Example:

set firewall name OUTSIDE-LOCAL rule 40 action 'accept'

set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'

To allow VPN-clients access via your external address, a NAT rule is required:

set nat source rule 110 outbound-interface 'eth0'

set nat source rule 110 source address '192.168.255.0/24'
set nat source rule 110 translation address masquerade

VPN-clients will request configuration parameters, optionally you can DNS parameter to the client.

set vpn l2tp remote-access name-server '198.51.100.8'

set vpn l2tp remote-access name-server '198.51.100.4'

Established sessions can be viewed using the show vpn remote-access operational command, or show l2tp-server ses-
sions

8.12. VPN 533

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos:~$ show vpn remote-access

ifname | username | calling-sid | ip | rate-limit | type | comp | state ␣
,→| uptime
--------+----------+--------------+---------------+------------+------+------+--------
,→+----------

ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active␣

,→| 00:06:13

LNS (L2TP Network Server)

LNS are often used to connect to a LAC (L2TP Access Concentrator).

Below is an example to configure a LNS:

set vpn l2tp remote-access outside-address 192.0.2.2

set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access lns shared-secret 'secret'
set vpn l2tp remote-access ccp-disable
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'

The example above uses 192.0.2.2 as external IP address. A LAC normally requires an authentication password, which is
set in the example configuration to lns shared-secret 'secret'. This setup requires the Compression Control
Protocol (CCP) being disabled, the command set vpn l2tp remote-access ccp-disable accomplishes
that.

Bandwidth Shaping

Bandwidth rate limits can be set for local users or via RADIUS based attributes.

Bandwidth Shaping for local users

The rate-limit is set in kbit/sec.

set vpn l2tp remote-access outside-address 192.0.2.2

set vpn l2tp remote-access client-ip-pool start 192.168.255.2
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password test
set vpn l2tp remote-access authentication local-users username test rate-limit␣
,→download 20480

set vpn l2tp remote-access authentication local-users username test rate-limit upload␣
,→10240

vyos@vyos:~$ show vpn remote-access

ifname | username | calling-sid | ip | rate-limit | type | comp | state ␣
,→| uptime
-------+----------+--------------+---------------+-------------+------+------+--------
,→+-----------

ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active␣

,→| 00:06:30

8.12. VPN 534

 VyOS Documentation, 发布 1.4.x (sagitta)

RADIUS authentication

To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous
settings like the local users, still exists within the configuration, however they are not used if the mode has been changed
from local to radius. Once changed back to local, it will use all local accounts again.

set vpn l2tp remote-access authentication mode <local|radius>

Since the RADIUS server would be a single point of failure, multiple RADIUS servers can be setup and will be used
subsequentially.

set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'

注解: Some RADIUS severs use an access control list which allows or denies queries, make sure to add your VyOS
router to the allowed client list.

RADIUS source address

If you are using OSPF as IGP always the closets interface connected to the RADIUS server is used. With VyOS 1.2 you
can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface.

set vpn l2tp remote-access authentication radius source-address 10.0.0.3

Above command will use 10.0.0.3 as source IPv4 address for all RADIUS queries on this NAS.

注解: The source-address must be configured on one of VyOS interface. Best proctice would be a loopback or
dummy interface.

RADIUS bandwidth shaping attribute

To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled.

set vpn l2tp remote-access authentication radius rate-limit enable

The default RADIUS attribute for rate limiting is Filter-Id, but you may also redefine it.

set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed

注解: If you set a custom RADIUS attribute you must define it on both dictionaries at RADIUS server and client, which
is the vyos router in our example.

The RADIUS dictionaries in VyOS are located at /usr/share/accel-ppp/radius/

8.12. VPN 535

 VyOS Documentation, 发布 1.4.x (sagitta)

RADIUS advanced features

Received RADIUS attributes have a higher priority than parameters defined within the CLI configuration, refer to the
explanation below.

Allocation clients ip addresses by RADIUS

If the RADIUS server sends the attribute Framed-IP-Address then this IP address will be allocated to the client
and the option ip-pool within the CLI config is being ignored.

Renaming clients interfaces by RADIUS

If the RADIUS server uses the attribute NAS-Port-Id, ppp tunnels will be renamed.

注解: The value of the attribute NAS-Port-Id must be less than 16 characters, otherwise the interface won’t be
renamed.

8.12.3 OpenConnect

OpenConnect-compatible server feature is available from this release. Openconnect VPN supports SSL connection and
offers full network access. SSL VPN network extension connects the end-user system to the corporate network with
access controls based only on network layer information, such as destination IP address and port number. So, it provides
safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic
with SSL protocol.
The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool,
allowing full access to the network.

注解: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory
they will not be migrated during a software update.

Configuration

SSL Certificates

We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL
VPN tunnels. The following command will create a self signed certificates and will be stored in the file path /config/auth.

openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.
,→key -out /config/auth/server.crt

openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt

We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let’s
Encrypt an open certificate authority launched by the EFF, Mozilla, and others and deploys it to a web server.

sudo certbot certonly --standalone --preferred-challenges http -d <domain name>

8.12. VPN 536

 VyOS Documentation, 发布 1.4.x (sagitta)

Server Configuration

set vpn openconnect authentication local-users username <user> password <pass>

set vpn openconnect authentication mode <local|radius>
set vpn opneconnect network-settings client-ip-settings subnet <subnet>
set vpn openconnect network-settings name-server <address>
set vpn openconnect network-settings name-server <address>
set vpn openconnect ssl ca-cert-file <file>
set vpn openconnect ssl cert-file <file>
set vpn openconnect ssl key-file <file>

Example

Use local user name “user4”with password “SecretPassword”Client IP addresses will be provided from pool
100.64.0.0/24 The Gateway IP Address must be in one of the router´s interfaces.

set vpn openconnect authentication local-users username user4 password 'SecretPassword

,→'

set vpn openconnect authentication mode 'local'

set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect network-settings name-server '10.1.1.1'
set vpn openconnect network-settings name-server '10.1.1.2'
set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem'
set vpn openconnect ssl cert-file '/config/auth/cert.pem'
set vpn openconnect ssl key-file '/config/auth/privkey.pem'

Verification

vyos@RTR1:~$ show openconnect-server sessions

interface username ip remote IP RX TX state ␣

,→uptime

----------- ---------- ------------ ------------- -------- -------- --------- -

,→-------

sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected ␣

,→12m:28s

注解: It is compatible with Cisco (R) AnyConnect (R) clients.

8.12.4 PPTP-Server

The Point-to-Point Tunneling Protocol (PPTP) has been implemented in VyOS only for backwards compatibility. PPTP
has many well known security issues and you should use one of the many other new VPN implementations.
As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for
encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used.
For instance, in the example below it would be 192.168.0.1.

8.12. VPN 537

 VyOS Documentation, 发布 1.4.x (sagitta)

server example

set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access client-ip-pool start '192.168.0.10'
set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
set vpn pptp remote-access gateway-address '10.100.100.1'
set vpn pptp remote-access outside-address '10.1.1.120'

client example (debian 9)

Install the client software via apt and execute pptpsetup to generate the configuration.

apt-get install pptp-linux

pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --
,→encrypt

pon TESTTUNNEL

The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
All tunnel sessions can be checked via:

run sh pptp-server sessions

ifname | username | calling-sid | ip | type | comp | state | uptime
--------+----------+-------------+--------------+------+------+--------+----------
ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58

8.12.5 RSA-Keys

RSA can be used for services such as key exchanges and for encryption purposes. To make IPSec work with dynamic
address on one/both sides, we will have to use RSA keys for authentication. They are very fast and easy to setup.
First, on both routers run the operational command“generate vpn rsa-key bits 2048”. You may choose different length
than 2048 of course.

vyos@left# run generate vpn rsa-key bits 2048

Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated

The public portion of the key is:

0sAQO2335[long string here]

Please note down this public key, as you have to add this RSA key in the opposite router.

set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE

Now you are ready to setup IPsec. The key points:

1. Since both routers do not know their effective public addresses, we set the local-address of the peer to “any”.
2. On the initiator, we set the peer address to its public address, but on the responder we only set the id.
3. On the initiator, we need to set the remote-id option so that it can identify IKE traffic from the responder correctly.
4. On the responder, we need to set the local id so that initiator can know who’s talking to it for the point #3 to work.

8.12. VPN 538

 VyOS Documentation, 发布 1.4.x (sagitta)

5. Don’t forget to enable NAT traversal on both sides, “set vpn ipsec nat-traversal enable”.
LEFT SIDE:

set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec nat-traversal 'enable'

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128

set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1

set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2

set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

set vpn ipsec site-to-site peer 192.0.2.60 authentication mode rsa

set vpn ipsec site-to-site peer 192.0.2.60 authentication id @LEFT
set vpn ipsec site-to-site peer 192.0.2.60 authentication rsa-key-name RIGHT
set vpn ipsec site-to-site peer 192.0.2.60 authentication remote-id RIGHT
set vpn ipsec site-to-site peer 192.0.2.60 default-esp-group MyESPGroup
set vpn ipsec site-to-site peer 192.0.2.60 ike-group MyIKEGroup
set vpn ipsec site-to-site peer 192.0.2.60 local-address any
set vpn ipsec site-to-site peer 192.0.2.60 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 local prefix 192.168.99.1/32
set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 remote prefix 192.168.99.2/32

RIGHT SIDE:

set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec nat-traversal 'enable'

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128

set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1

set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2

set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

set vpn ipsec site-to-site peer @LEFT authentication id @RIGHT

set vpn ipsec site-to-site peer @LEFT authentication mode rsa
set vpn ipsec site-to-site peer @LEFT authentication rsa-key-name LEFT
set vpn ipsec site-to-site peer @LEFT connection-type respond
set vpn ipsec site-to-site peer @LEFT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer @LEFT ike-group MyIKEGroup
set vpn ipsec site-to-site peer @LEFT local-address any
set vpn ipsec site-to-site peer @LEFT tunnel 1 local prefix 192.168.99.2/32
set vpn ipsec site-to-site peer @LEFT tunnel 1 remote prefix 192.168.99.1/32

8.12. VPN 539

 VyOS Documentation, 发布 1.4.x (sagitta)

8.12.6 SSTP

SSTP (Secure Socket Tunneling Protocol) is a form of VPN (Virtual Private Network) tunnel that provides a mechanism
to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation,
encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 allows SSTP to pass through virtually
all firewalls and proxy servers except for authenticated web proxies.
SSTP is available for Linux, BSD, and Windows.
VyOS utilizes accel-ppp to provide SSTP server functionality. We support both local and RADIUS authentication.
As SSTP provides PPP via a SSL/TLS channel the use of either publically signed certificates as well as a private PKI is
required.

注解: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config
directory they will not be migrated during a software update.

Certificates

Self Signed CA

To generate the CA, the server private key and certificates the following commands can be used.

vyos@vyos:~$ mkdir -p /config/user-data/sstp

vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /
,→config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt

Generating a 4096 bit RSA private key

.........................++
...............................................................++
writing new private key to 'server.key'
[...]
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /

,→config/user-data/sstp/ca.crt

[...]
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

8.12. VPN 540

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

set vpn sstp authentication local-users username <user> password <pass>

Create <user> for local authentication on this system. The users password will be set to <pass>.
set vpn sstp authentication local-users username <user> disable
Disable <user> account.
set vpn sstp authentication local-users username <user> static-ip <address>
Assign static IP address to <user> account.
set vpn sstp authentication local-users username <user> rate-limit download
<bandwidth>
Download bandwidth limit in kbit/s for <user>.
set vpn sstp authentication local-users username <user> rate-limit upload
<bandwidth>
Upload bandwidth limit in kbit/s for <user>.
set vpn sstp authentication protocols <pap | chap | mschap | mschap-v2>
Require the peer to authenticate itself using one of the following protocols: pap, chap, mschap, mschap-v2.
set vpn sstp authentication mode <local | radius>
Set authentication backend. The configured authentication backend is used for all queries.
• radius: All authentication queries are handled by a configured RADIUS server.
• local: All authentication queries are handled locally.
set vpn sstp gateway-address <gateway>
Specifies single <gateway> IP address to be used as local address of PPP interfaces.
set vpn sstp client-ip-pool subnet <subnet>
Use <subnet> as the IP pool for all connecting clients.
set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined
length (mask) to terminate the SSTP endpoint at their side. The mask length can be set from 48 to 128 bit long,
the default value is 64.
set vpn sstp client-ipv6-pool delegate <address> delegation-prefix
<number-of-bits>
Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6
pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the
defined length (delegation-prefix). The length of the delegation prefix can be set from 32 to 64 bit long.
set vpn sstp name-server <address>
Connected client should use <address> as their DNS server. This command accepts both IPv4 and IPv6 addresses.
Up to two nameservers can be configured for IPv4, up to three for IPv6.
Maximum number of IPv4 nameservers

8.12. VPN 541

 VyOS Documentation, 发布 1.4.x (sagitta)

SSL Certificates

set vpn sstp ssl ca-cert-file <file>

Path to <file> pointing to the certificate authority certificate.
set vpn sstp ssl cert-file <file>
Path to <file> pointing to the servers certificate (public portion).
set vpn sstp ssl key-file <file>
Path to <file> pointing to the servers certificate (private portion).

PPP Settings

set vpn sstp ppp-options lcp-echo-failure <number>

Defines the maximum <number> of unanswered echo requests. Upon reaching the value <number>, the session
will be reset.
set vpn sstp ppp-options lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every
<interval> seconds.
set vpn sstp ppp-options lcp-echo-timeout
Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo
functionality and “lcp-echo-failure”is not used.
set vpn sstp ppp-options mppe <require | prefer | deny>
Specifies MPPE (Microsoft Point-to-Point Encryption) negotioation preference.
• require - ask client for mppe, if it rejects drop connection
• prefer - ask client for mppe, if it rejects don’t fail
• deny - deny mppe
Default behavior - don’t ask client for mppe, but allow it if client wants. Please note that RADIUS may override
this option by MS-MPPE-Encryption-Policy attribute.

RADIUS

Server

set vpn sstp authentication radius server <server> port <port>

Configure RADIUS <server> and its required port for authentication requests.
set vpn sstp authentication radius server <server> key <secret>
Configure RADIUS <server> and its required shared <secret> for communicating with the RADIUS server.
set vpn sstp authentication radius server <server> fail-time <time>
Mark RADIUS server as offline for this given <time> in seconds.
set vpn sstp authentication radius server <server> disable
Temporary disable this RADIUS server.

8.12. VPN 542

 VyOS Documentation, 发布 1.4.x (sagitta)

Options

set vpn sstp authentication radius acct-timeout <timeout>

Timeout to wait reply for Interim-Update packets. (default 3 seconds)
set vpn sstp authentication radius dynamic-author server <address>
Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
set vpn sstp authentication radius dynamic-author port <port>
Port for Dynamic Authorization Extension server (DM/CoA)
set vpn sstp authentication radius dynamic-author key <secret>
Secret for Dynamic Authorization Extension server (DM/CoA)
set vpn sstp authentication radius max-try <number>
Maximum number of tries to send Access-Request/Accounting-Request queries
set vpn sstp authentication radius timeout <timeout>
Timeout to wait response from server (seconds)
set vpn sstp authentication radius nas-identifier <identifier>
Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.
set vpn sstp authentication radius nas-ip-address <address>
Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also
DM/CoA server will bind to that address.
set vpn sstp authentication radius source-address <address>
Source IPv4 address used in all RADIUS server queires.
set vpn sstp authentication radius rate-limit attribute <attribute>
Specifies which RADIUS server attribute contains the rate limit information. The default attribute is Filter-Id.
set vpn sstp authentication radius rate-limit enable
Enables bandwidth shaping via RADIUS.
set vpn sstp authentication radius rate-limit vendor
Specifies the vendor dictionary, dictionary needs to be in /usr/share/accel-ppp/radius.

Example

• Use local user foo with password bar

• Client IP addresses will be provided from pool 192.0.2.0/25

set vpn sstp authentication local-users username vyos password vyos

set vpn sstp authentication mode local
set vpn sstp gateway-address 192.0.2.254
set vpn sstp client-ip-pool subnet 192.0.2.0/25
set vpn sstp name-server 10.0.0.1
set vpn sstp name-server 10.0.0.2
set vpn sstp ssl ca-cert-file /config/auth/ca.crt
(下页继续)

8.12. VPN 543

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set vpn sstp ssl cert-file /config/auth/server.crt
set vpn sstp ssl key-file /config/auth/server.key

Testing SSTP

Once you have setup your SSTP server there comes the time to do some basic testing. The Linux client used for testing
is called sstpc. sstpc requires a PPP configuration/peer file.
The following PPP configuration tests MSCHAP-v2:

$ cat /etc/ppp/peers/vyos
usepeerdns
#require-mppe
#require-pap
require-mschap-v2
noauth
lock
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
#refuse-mschap-v2
nobsdcomp
nodeflate
debug

You can now“dial”the peer with the follwoing command: sstpc --log-level 4 --log-stderr --user
vyos --password vyos vpn.example.com -- call vyos.
A connection attempt will be shown as:

$ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com --␣

,→call vyos

Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1

Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com
Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message
Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14)
Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1):
Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6
Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48)
Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1):
Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40
Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation
Mar 22 13:29:15 sstpc[12344]: Sending Connected Message
Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112)
Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1):
Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104
Mar 22 13:29:15 sstpc[12344]: Connection Established

$ ip addr show ppp0

164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state␣
,→UNKNOWN group default qlen 3

link/ppp promiscuity 0
inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
valid_lft forever preferred_lft forever

8.12. VPN 544

 VyOS Documentation, 发布 1.4.x (sagitta)

pages to sort

8.12.7 DMVPN

DMVPN (Dynamic Multipoint Virtual Private Network) is a dynamic VPN technology originally developed by Cisco.
While their implementation was somewhat proprietary, the underlying technologies are actually standards based. The
three technologies are:
• NHRP (Next Hop Resolution Protocol) RFC 2332
• GRE (Multipoint Generic Routing Encapsulation) RFC 1702
• IPS (IP Security) - too many RFCs to list, but start with RFC 4301
NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint registration, and endpoint discov-
ery/lookup), mGRE provides the tunnel encapsulation itself, and the IPSec protocols handle the key exchange, and crypto
mechanism.
In short, DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure
(static) all possible tunnel end-point peers.

注解: DMVPN only automates the tunnel endpoint discovery and setup. A complete solution also incorporates the use
of a routing protocol. BGP is particularly well suited for use with DMVPN.

图 7: Baseline DMVPN topology

Configuration

• Please refer to the Tunnel documentation for the individual tunnel related options.
• Please refer to the IPsec documentation for the individual IPSec related options.
set protocols nhrp tunnel <tunnel> cisco-authentication <secret>
Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing
NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present.
Maximum length of the secret is 8 characters.
set protocols nhrp tunnel <tunnel> dynamic-map <address> nbma-domain-name
<fqdn>
Specifies that the NBMA (Non-broadcast multiple-access network) addresses of the next hop servers are defined
in the domain name nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry.

8.12. VPN 545

 VyOS Documentation, 发布 1.4.x (sagitta)

Each dynamic NHS will get a peer entry with the configured network address and the discovered NBMA address.
The first registration request is sent to the protocol broadcast address, and the server’s real protocol address is
dynamically detected from the first registration reply.
set protocols nhrp tunnel <tunnel> holding-time <timeout>
Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or
shortcut-target. The holdtime is specified in seconds and defaults to two hours.
set protocols nhrp tunnel <tunnel> map cisco
If the statically mapped peer is running Cisco IOS, specify the cisco keyword. It is used to fix statically the
Registration Request ID so that a matching Purge Request can be sent if NBMA address has changed. This is to
work around broken IOS which requires Purge Request ID to match the original Registration Request ID.
set protocols nhrp tunnel <tunnel> map nbma-address <address>
Creates static peer mapping of protocol-address to NBMA address.
If the IP prefix mask is present, it directs opennhrp to use this peer as a next hop server when sending Resolution
Requests matching this subnet.
This is also known as the HUBs IP address or FQDN.
set protocols nhrp tunnel <tunnel> map register
The optional parameter register specifies that Registration Request should be sent to this peer on startup.
This option is required when running a DMVPN spoke.
set protocols nhrp tunnel <tunnel> multicast <dynamic | nhs>
Determines how opennhrp daemon should soft switch the multicast traffic. Currently, multicast traffic is captured
by opennhrp daemon using a packet socket, and resent back to proper destinations. This means that multicast
packet sending is CPU intensive.
Specfying nhs makes all multicast packets to be repeated to each statically configured next hop.
Synamic instructs to forward to all peers which we have a direct connection with. Alternatively, you can specify
the directive multiple times for each protocol-address the multicast traffic should be sent to.

警告: It is very easy to misconfigure multicast repeating if you have multiple NHSes.

set protocols nhrp tunnel <tunnel> non-caching

Disables caching of peer information from forwarded NHRP Resolution Reply packets. This can be
used to reduce memory consumption on big NBMA subnets.

注解: Currently does not do much as caching is not implemented.

set protocols nhrp tunnel <tunnel> redirect

Enable sending of Cisco style NHRP Traffic Indication packets. If this is enabled and opennhrp detects a forwarded
packet, it will send a message to the original sender of the packet instructing it to create a direct connection with
the destination. This is basically a protocol independent equivalent of ICMP redirect.
set protocols nhrp tunnel <tunnel> shortcut
Enable creation of shortcut routes.
A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route.

8.12. VPN 546

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols nhrp tunnel <tunnel> shortcut-destination

This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destinied to addresses in
this interface (instead of forwarding the packets). This effectively allows the creation of shortcut routes to subnets
located on the interface.
When specified, this should be the only keyword for the interface.
set protocols nhrp tunnel <tunnel> shortcut-target <address>
Defines an off-NBMA network prefix for which the GRE interface will act as a gateway. This an alternative to
defining local interfaces with shortcut-destination flag.
set protocols nhrp tunnel <tunnel> shortcut-target <address> holding-time
<timeout>
Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or
shortcut-target. The holdtime is specified in seconds and defaults to two hours.

Example

This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as multiple spoke sites. The lab was
build using EVE-NG (Emulated Virtual Environment NG).

图 8: DMVPN example network

Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29.
The below referenced IP address 192.0.2.1 is used as example address representing a global unicast address under which
the HUB can be contacted by each and every individual spoke.

8.12. VPN 547

 VyOS Documentation, 发布 1.4.x (sagitta)

Configuration

Hub

set interfaces ethernet eth0 address 192.0.2.1/24

set interfaces tunnel tun100 address '172.16.253.134/29'

set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 local-ip '192.0.2.1'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'

set protocols nhrp tunnel tun100 cisco-authentication 'secret'

set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

set vpn ipsec esp-group ESP-HUB compression 'disable'

set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'

set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

注解: Setting this up on AWS will require a“Custom Protocol Rule”for protocol number“47”(GRE) Allow Rule in
TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2
instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC
and security group by navigating through the details pane below your EC2 instance in the AWS console).

8.12. VPN 548

 VyOS Documentation, 发布 1.4.x (sagitta)

Spoke

The individual spoke configurations only differ in the local IP address on the tun10 interface. See the above diagram
for the individual IP addresses.

spoke01-spoke04

crypto keyring DMVPN

pre-shared-key address 192.0.2.1 key secret
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 30 periodic
crypto isakmp profile DMVPN
keyring DMVPN
match identity address 192.0.2.1 255.255.255.255
!
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set security-association idle-time 720
set transform-set DMVPN-AES256
set isakmp-profile DMVPN
!
interface Tunnel10
! individual spoke tunnel IP must change
ip address 172.16.253.129 255.255.255.248
no ip redirects
ip nhrp authentication secret
ip nhrp map 172.16.253.134 192.0.2.1
ip nhrp map multicast 192.0.2.1
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 172.16.253.134
ip nhrp registration timeout 75
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
!
interface FastEthernet0/0
ip address dhcp
duplex half

8.12. VPN 549

 VyOS Documentation, 发布 1.4.x (sagitta)

spoke05

VyOS can also run in DMVPN spoke mode.

set interfaces ethernet eth0 address 'dhcp'

set interfaces tunnel tun100 address '172.16.253.133/29'

set interfaces tunnel tun100 local-ip 0.0.0.0
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'

set protocols nhrp tunnel tun100 cisco-authentication 'secret'

set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1'
set protocols nhrp tunnel tun100 map 172.16.253.134/29 register
set protocols nhrp tunnel tun100 multicast 'nhs'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

set vpn ipsec esp-group ESP-HUB compression 'disable'

set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'

set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

8.12. VPN 550

 VyOS Documentation, 发布 1.4.x (sagitta)

8.12.8 Site-to-Site

Site-to-site mode provides a way to add remote peers, which could be configured to exchange encrypted information
between them and VyOS itself or connected/routed networks.
To configure site-to-site connection you need to add peers with the set vpn ipsec site-to-site command.
You can identify a remote peer with:
• IPv4 or IPv6 address. This mode is easiest for configuration and mostly used when a peer has a public static IP
address;
• Hostname. This mode is similar to IP address, only you define DNS name instead of an IP. Could be used when a
peer has a public IP address and DNS name, but an IP address could be changed from time to time;
• Remote ID of the peer. In this mode, there is no predefined remote address nor DNS name of the peer. This mode
is useful when a peer doesn’t have a publicly available IP address (NAT between it and VyOS), or IP address
could be changed.
Each site-to-site peer has the next options:
• authentication - configure authentication between VyOS and a remote peer. Suboptions:
• id - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer;
• mode - mode for authentication between VyOS and remote peer:
• pre-shared-secret - use predefined shared secret phrase, must be the same for local and remote
side;
• rsa - use simple shared RSA key. The key must be defined in the set vpn rsa-keys section;
• x509 - use certificates infrastructure for authentication.
• pre-shared-secret - predefined shared secret. Used if configured mode
pre-shared-secret;
• remote-id - define an ID for remote peer, instead of using peer name or address. Useful in case if
the remote peer is behind NAT or if mode x509 is used;
• rsa-key-name - shared RSA key for authentication. The key must be defined in the set vpn
rsa-keys section;
• use-x509-id - use local ID from x509 certificate. Cannot be used when id is defined;
• x509 - options for x509 authentication mode:
• ca-cert-file - CA certificate file. Using for authenticating remote peer;
• cert-file - certificate file, which will be used for authenticating local router on remote
peer;
• crl-file - file with the Certificate Revocation List. Using to check if a certificate for the
remote peer is valid or revoked;
• key - a private key, which will be used for authenticating local router on remote peer:
• file - path to the key file;
• password - passphrase private key, if needed.
• connection-type - how to handle this connection process. Possible variants:
• initiate - do initial connection to remote peer immediately after configuring and after boot. In this mode
the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or
another session tracking methods;

8.12. VPN 551

 VyOS Documentation, 发布 1.4.x (sagitta)

• respond - do not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established
only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to
firewall or NAT in the middle of the local and remote side.
• default-esp-group - ESP group to use by default for traffic encryption. Might be overwritten by individual
settings for tunnel or VTI interface binding;
• description - description for this peer;
• dhcp-interface - use an IP address, received from DHCP for IPSec connection with this peer, instead of
local-address;
• force-encapsulation - force encapsulation of ESP into UDP datagrams. Useful in case if between local
and remote side is firewall or NAT, which not allows passing plain ESP packets between them;
• ike-group - IKE group to use for key exchanges;
• ikev2-reauth - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2:
• yes - create a new IKE_SA from the scratch and try to recreate all IPsec SAs;
• no - rekey without uninstalling the IPsec SAs;
• inherit - use default behavior for the used IKE group.
• local-address - local IP address for IPSec connection with this peer. If defined any, then an IP address
which configured on interface with default route will be used;
• tunnel - define criteria for traffic to be matched for encrypting and send it to a peer:
• disable - disable this tunnel;
• esp-group - define ESP group for encrypt traffic, defined by this tunnel;
• local - define a local source for match traffic, which should be encrypted and send to this peer:
• port - define port. Have effect only when used together with prefix;
• prefix - IP network at local side.
• protocol - define the protocol for match traffic, which should be encrypted and send to this peer;
• remote - define the remote destination for match traffic, which should be encrypted and send to this
peer:
• port - define port. Have effect only when used together with prefix;
• prefix - IP network at remote side.
• vti - use a VTI interface for traffic encryption. Any traffic, which will be send to VTI interface will be encrypted
and send to this peer. Using VTI makes IPSec configuration much flexible and easier in complex situation, and
allows to dynamically add/delete remote networks, reachable via a peer, as in this mode router don’t need to create
additional SA/policy for each remote network:
• bind - select a VTI interface to bind to this peer;
• esp-group - define ESP group for encrypt traffic, passed this VTI interface.

8.12. VPN 552

 VyOS Documentation, 发布 1.4.x (sagitta)

Examples:

IKEv1

Example:
• WAN interface on eth1
• left subnet: 192.168.0.0/24 site1, server side (i.e. locality, actually there is no client or server roles)
• left local_ip: 198.51.100.3 # server side WAN IP
• right subnet: 10.0.0.0/24 site2,remote office side
• right local_ip: 203.0.113.2 # remote office side WAN IP

# server config
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret
,→'SomePreSharedKey'

set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike'

set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21'

# remote office config

set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret
,→'SomePreSharedKey'

set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike'

set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2'
set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable'
(下页继续)

8.12. VPN 553

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24'

Show status of new setup:

vyos@srv-gw0:~$ show vpn ike sa

Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 198.51.100.3
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1 5 no 734 3600

vyos@srv-gw0:~$ show vpn ipsec sa

Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 198.51.100.3
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 7.5M/230.6K aes256 sha1 no 567 1800 all

If there is SNAT rules on eth1, need to add exclude rule

# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '192.168.0.0/24'

# remote office side

set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '10.0.0.0/24'

To allow traffic to pass through to clients, you need to add the following rules. (if you used the default configuration at
the top of this page)

# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'

# remote office side

set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'

8.12. VPN 554

 VyOS Documentation, 发布 1.4.x (sagitta)

IKEv2

Imagine the following topology

图 9: IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)

注解: Don’t get confused about the used /31 tunnel subnet. RFC 3021 gives you additional information for using /31
subnets on point-to-point links.

left
set interfaces vti vti10 address '10.0.0.2/31'

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'

set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
(下页继续)

8.12. VPN 555

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0.201'
set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret
,→'secretkey'

set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'

set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'

right

set interfaces vti vti10 address '10.0.0.3/31'

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'

set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0.202'
set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret
,→'secretkey'

set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10'

set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'

8.12. VPN 556

 VyOS Documentation, 发布 1.4.x (sagitta)

8.13 VRF

VRF devices combined with ip rules provides the ability to create virtual routing and forwarding domains (aka VRFs,
VRF-lite to be specific) in the Linux network stack. One use case is the multi-tenancy problem where each tenant has
their own unique routing tables and in the very least need different default gateways.

警告: VRFs are an “needs testing”feature. If you think things should be different then they are implemented and
handled right now - please feedback via a task created in Phabricator.

8.13.1 Configuration

A VRF device is created with an associated route table. Network interfaces are then enslaved to a VRF device.
set vrf name <name>
Create new VRF instance with <name>. The name is used when placing individual interfaces into the VRF.
set vrf name <name> table <id>
Configure use routing table <id> used by VRF <name>.

注解: A routing table ID can not be modified once it is assigned. It can only be changed by deleting and re-adding
the VRF instance.

set vrf bind-to-all

By default the scope of the port bindings for unbound sockets is limited to the default VRF. That is, it will not be
matched by packets arriving on interfaces enslaved to a VRF and processes may bind to the same port if they bind
to a VRF.
TCP & UDP services running in the default VRF context (ie., not bound to any VRF device) can work across all
VRF domains by enabling this option.

Interfaces

When VRFs are used it is not only mandatory to create a VRF but also the VRF itself needs to be assigned to an interface.
set interfaces <dummy | ethernet | bonding | bridge | pppoe> <interface> vrf
<name>
Assign interface identified by <interface> to VRF named <name>.

Routing

Static

Static routes are manually configured routes, which, in general, cannot be updated dynamically from information VyOS
learns about the network topology from other routing protocols. However, if a link fails, the router will remove routes,
including static routes, from the RIPB that used this interface to reach the next hop. In general, static routes should only
be used for very simple network topologies, or to override the behavior of a dynamic routing protocol for a small number
of routes. The collection of all routes the router has learned from its configuration or from its dynamic routing protocols is
stored in the RIB. Unicast routes are directly used to determine the forwarding table used for unicast packet forwarding.

8.13. VRF 557

 VyOS Documentation, 发布 1.4.x (sagitta)

Static Routes

set protocols vrf <name> static route <subnet> next-hop <address>

Configure next-hop <address> for an IPv4 static route in the VRF identified by <name>. Multiple static routes
can be created.
set protocols vrf <name> static route <subnet> next-hop <address> disable
Disable IPv4 static route entry in the VRF identified by <name>
set protocols vrf <name> static route <subnet> next-hop <address> distance
<distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.
set protocols vrf <name> static route6 <subnet> next-hop <address>
Configure next-hop <address> for an IPv6 static route in the VRF identified by <name>. Multiple IPv6 static
routes can be created.
set protocols vrf <name> static route6 <subnet> next-hop <address> disable
Disable IPv6 static route entry in the VRF identified by <name>.
set protocols vrf <name> static route6 <subnet> next-hop <address> distance
<distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.

注解: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

Leaking

set protocols vrf <name> static route <subnet> next-hop <address> vrf <default
| vrf-name>
Use this command if you have shared services or routes that should be shared between multiple VRF instances.
This will add an IPv4 route to VRF <name> routing table to reach a <subnet> via a next-hop gatewys <address>
in a different VRF or leak it into the default VRF.
set protocols vrf <name> static route6 <subnet> next-hop <address> vrf
<default | vrf-name>
Use this command if you have shared services or routes that should be shared between multiple VRF instances.
This will add an IPv6 route to VRF <name> routing table to reach a <subnet> via a next-hop gatewys <address>
in a different VRF or leak it into the default VRF.

8.13. VRF 558

 VyOS Documentation, 发布 1.4.x (sagitta)

Interface Routes

set protocols vrf <name> static route <subnet> interface <interface>

Allows you to configure the next-hop interface for an interface-based IPv4 static route. <interface> will be the
next-hop interface where trafic is routed for the given <subnet>.
set protocols vrf <name> static route <subnet> interface <interface> disable
Disables interface-based IPv4 static route.
set protocols vrf <name> static route <subnet> interface <interface> distance
<distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.
set protocols vrf <name> static route6 <subnet> interface <interface>
Allows you to configure the next-hop interface for an interface-based IPv6 static route. <interface> will be the
next-hop interface where trafic is routed for the given <subnet>.
set protocols vrf <name> static route6 <subnet> interface <interface> disable
Disables interface-based IPv6 static route.
set protocols vrf <name> static route6 <subnet> interface <interface> distance
<distance>
Defines next-hop distance for this route, routes with smaller administrative distance are elected prior those with a
higher distance.
Range is 1 to 255, default is 1.

Blackhole

set protocols vrf <name> static route <subnet> blackhole

Use this command to configure a “black-hole”route on the router. A black-hole route is a route for which the
system silently discard packets that are matched. This prevents networks leaking out public interfaces, but it does
not prevent them from being used as a more specific route inside your network.
set protocols vrf <name> static route <subnet> blackhole distance <distance>
Defines blackhole distance for this route, routes with smaller administrative distance are elected prior those with
a higher distance.
set protocols vrf <name> static route6 <subnet> blackhole
Use this command to configure a “black-hole”route on the router. A black-hole route is a route for which the
system silently discard packets that are matched. This prevents networks leaking out public interfaces, but it does
not prevent them from being used as a more specific route inside your network.
set protocols vrf <name> static route6 <subnet> blackhole distance <distance>
Defines blackhole distance for this route, routes with smaller administrative distance are elected prior those with
a higher distance.

8.13. VRF 559

 VyOS Documentation, 发布 1.4.x (sagitta)

8.13.2 Operation

It is not sufficient to only configure a VRF but VRFs must be maintained, too. For VR Fmaintenance the followin
operational commands are in place.
show vrf
List VRFs that have been created

vyos@vyos:~$ show vrf

VRF name state mac address flags ␣
,→interfaces

-------- ----- ----------- ----- --------

,→--

blue up 00:53:12:d8:74:24 noarp,master,up,lower_up dum200,

,→eth0.302

red up 00:53:de:02:df:aa noarp,master,up,lower_up dum100,

,→eth0.300,bond0.100,peth0

注解: Command should probably be extended to list also the real interfaces assigned to this one VRF to get a
better overview.

show vrf <name>

vyos@vyos:~$ show vrf name blue

VRF name state mac address flags ␣
,→interfaces

-------- ----- ----------- ----- --------

,→--

blue up 00:53:12:d8:74:24 noarp,master,up,lower_up dum200,

,→eth0.302

show ip route vrf <name>

Display IPv4 routing table for VRF identified by <name>.

vyos@vyos:~$ show ip route vrf blue

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route

VRF blue:
K 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:00:50
S>* 172.16.0.0/16 [1/0] via 192.0.2.1, dum1, 00:00:02
C>* 192.0.2.0/24 is directly connected, dum1, 00:00:06

show ipv6 route vrf <name>

Display IPv6 routing table for VRF identified by <name>.

vyos@vyos:~$ show ipv6 route vrf red

Codes: K - kernel route, C - connected, S - static, R - RIPng,
O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
f - OpenFabric,
(下页继续)

8.13. VRF 560

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
> - selected route, * - FIB route, q - queued route, r - rejected route

VRF red:
K ::/0 [255/8192] unreachable (ICMP unreachable), 00:43:20
C>* 2001:db8::/64 is directly connected, dum1, 00:02:19
C>* fe80::/64 is directly connected, dum1, 00:43:19
K>* ff00::/8 [0/256] is directly connected, dum1, 00:43:19

ping <host> vrf <name>

The ping command is used to test whether a network host is reachable or not.
Ping uses ICMP protocol’s mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from
a host or gateway. ECHO_REQUEST datagrams (pings) will have an IP and ICMP header, followed by “struct
timeval”and an arbitrary number of pad bytes used to fill out the packet.
When doing fault isolation with ping, your should first run it on the local host, to verify that the local network
interface is up and running. Then, continue with hosts and gateways further down the road towards your destination.
Round-trip times and packet loss statistics are computed.
Duplicate packets are not included in the packet loss calculation, although the round-trip time of these packets is
used in calculating the minimum/ average/maximum round-trip time numbers.
Ping command can be interrupted at any given time using <Ctrl>+c- A brief statistic is shown afterwards.

vyos@vyos:~$ ping 192.0.2.1 vrf red

PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=0.078 ms
^C
--- 192.0.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 0.070/0.074/0.078/0.004 ms

traceroute vrf <name> [ipv4 | ipv6] <host>

Displays the route packets take to a network host utilizing VRF instance identified by <name>. When using the
IPv4 or IPv6 option, display the route packets take to the for the given hosts IP address family. This option is
useful when the host specified is a hostname rather than an IP address.

8.14 Zone Policy

In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the
zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It
establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions
as it crosses to another region of a network.
Key Points:
• A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single
zone.
• All traffic to and from an interface within a zone is permitted.
• All traffic between zones is affected by existing policies
• Traffic cannot flow between zone member interface and any interface that is not a zone member.

8.14. Zone Policy 561

 VyOS Documentation, 发布 1.4.x (sagitta)

• You need 2 separate firewalls to define traffic: one for each direction.
Example: LAN Network is given SSH access to VyOS box.
Firewall rules:

set firewall name lan-local default-action 'drop'

set firewall name lan-local rule 1 action 'accept'
set firewall name lan-local rule 1 state established 'enable'
set firewall name lan-local rule 1 state related 'enable'
set firewall name lan-local rule 2 action 'drop'
set firewall name lan-local rule 2 state invalid 'enable'
set firewall name lan-local rule 2 log enable
set firewall name lan-local rule 100 action 'accept'
set firewall name lan-local rule 100 destination port '22'
set firewall name lan-local rule 100 log 'enable'
set firewall name lan-local rule 100 protocol 'tcp'
set firewall name local-lan default-action 'drop'
set firewall name local-lan rule 1 action 'accept'
set firewall name local-lan rule 1 state established 'enable'
set firewall name local-lan rule 1 state related 'enable'
set firewall name local-lan rule 2 action 'drop'
set firewall name local-lan rule 2 state invalid 'enable'
set firewall name local-lan rule 2 log enable
set firewall name local-lan rule 100 action 'accept'
set firewall name local-lan rule 100 destination address '192.168.0.0/24'
set firewall name local-lan rule 100 log 'enable'
set firewall name local-lan rule 100 protocol 'tcp'

Zone-policy Config:

set zone-policy zone lan default-action 'drop'

set zone-policy zone lan description 'Local Area Network'
set zone-policy zone lan interface 'eth2'
set zone-policy zone lan from local firewall name 'lan-local'
set zone-policy zone local default-action 'drop'
set zone-policy zone local description 'system-defined zone'
set zone-policy zone local from lan firewall name 'local-lan'
set zone-policy zone local local-zone

A detailed zone-based policy example is written in the Configuration-Blueprints section.

8.14. Zone Policy 562

 CHAPTER 9

Operation Mode

9.1 Information

VyOS features a rich set of operational level commands to retrieve arbitrary information about your running system.

9.1.1 Hardware

USB

In the past serial interface have been defined as ttySx and ttyUSBx where x was an instance number of the serial interface.
It was discovered that from system boot to system boot the mapping of USB based serial interfaces will differ, depending
which driver was loaded first by the operating system. This will become rather painful if you not only have serial interfaces
for a console server connected but in addition also a serial backed WirelessModem (WWAN).
To overcome this issue and the fact that in almost 50% of all cheap USB to serial converters there is no serial number
programmed, the USB to serial interface is now directly identified by the USB root bridge and bus it connects to. This
somehow mimics the new network interface definitions we see in recend Linux distributions.
For additional details you can refer to https://phabricator.vyos.net/T2490.
show hardware usb
Retrieve a tree like representation of all connected USB devices.

注解: If a device is unplugged and re-plugged it will receive a new Port, Dev, If identification.

vyos@vyos:~$ show hardware usb

/: Bus 03.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/2p, 480M
|__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 3: Dev 4, If 0, Class=Vendor Specific Class, Driver=qcserial,␣
,→480M

(下页继续)

563
 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
|__ Port 3: Dev 4, If 2, Class=Vendor Specific Class, Driver=qcserial,␣
,→480M
|__ Port 3: Dev 4, If 3, Class=Vendor Specific Class, Driver=qcserial,␣
,→480M
|__ Port 3: Dev 4, If 8, Class=Vendor Specific Class, Driver=qmi_wwan,␣
480M
,→

/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/2p, 5000M

/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/2p, 480M
|__ Port 1: Dev 2, If 0, Class=Vendor Specific Class, Driver=pl2303, 12M
|__ Port 2: Dev 3, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 4: Dev 5, If 2, Class=Vendor Specific Class, Driver=ftdi_sio,␣
,→480M
|__ Port 4: Dev 5, If 0, Class=Vendor Specific Class, Driver=ftdi_sio,␣
,→480M
|__ Port 4: Dev 5, If 3, Class=Vendor Specific Class, Driver=ftdi_sio,␣
,→480M
|__ Port 4: Dev 5, If 1, Class=Vendor Specific Class, Driver=ftdi_sio,␣
,→480M
|__ Port 3: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 3: Dev 6, If 0, Class=Hub, Driver=hub/4p, 480M
|__ Port 4: Dev 8, If 2, Class=Vendor Specific Class,␣
,→Driver=ftdi_sio, 480M

|__ Port 4: Dev 8, If 0, Class=Vendor Specific Class,␣

,→Driver=ftdi_sio, 480M

|__ Port 4: Dev 8, If 3, Class=Vendor Specific Class,␣

,→Driver=ftdi_sio, 480M

|__ Port 4: Dev 8, If 1, Class=Vendor Specific Class,␣

,→Driver=ftdi_sio, 480M

|__ Port 4: Dev 7, If 3, Class=Vendor Specific Class, Driver=ftdi_

,→sio, 480M

|__ Port 4: Dev 7, If 1, Class=Vendor Specific Class, Driver=ftdi_

,→sio, 480M

|__ Port 4: Dev 7, If 2, Class=Vendor Specific Class, Driver=ftdi_

,→sio, 480M

|__ Port 4: Dev 7, If 0, Class=Vendor Specific Class, Driver=ftdi_

,→sio, 480M

show hardware usb serial

Retrieve a list and description of all connected USB serial devices. The device name displayed, e.g. usb0b2.4p1.0
can be directly used when accessing the serial console as console-server device.
vyos@vyos$ show hardware usb serial
Device Model Vendor
------ ------ ------
usb0b1.3p1.0 MC7710 Sierra Wireless, Inc.
usb0b1.3p1.2 MC7710 Sierra Wireless, Inc.
usb0b1.3p1.3 MC7710 Sierra Wireless, Inc.
usb0b1p1.0 USB-Serial_Controller_D Prolific Technology, Inc.
usb0b2.3.3.4p1.0 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.3.4p1.1 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.3.4p1.2 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.3.4p1.3 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.4p1.0 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.4p1.1 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.4p1.2 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.3.4p1.3 Quad_RS232-HS Future Technology Devices International, Ltd
(下页继续)

9.1. Information 564

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
usb0b2.4p1.0 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.1 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.2 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.3 Quad_RS232-HS Future Technology Devices International, Ltd

9.2 Boot Options

警告: This function may be highly disruptive. It may cause major service interruption, so make sure you really need
it and verify your input carefully.

VyOS has several kernel command line options to modify the normal boot process. To add an option, select the desired
image in GRUB menu at load time, press e, edit the first line, and press Ctrl-x to boot when ready.

9.2.1 Specify custom config file

Tells the system to use specified file instead of /config/config.boot. If specified file does not exist or is not
readable, fall back to default config. No additional verification is performed, so make sure you specify a valid config file.

vyos-config=/path/to/file

To load the factory default config, use:

vyos-config=/opt/vyatta/etc/config.boot.default

9.2. Boot Options 565

 VyOS Documentation, 发布 1.4.x (sagitta)

9.2.2 Disable specific boot process steps

These options disable some boot steps. Make sure you understand the boot process well before using them!
no-vyos-migrate Do not perform config migration.
no-vyos-firewall Do not initialize default firewall chains, renders any firewall configuration unusable.

9.2. Boot Options 566

 CHAPTER 10

VyOS Automation

• Saltstack
• startup scripts

10.1 VyOS API

for configuration and enabling the API see HTTP-API

10.1.1 Authentication

All Endpoint only listen on HTTP POST requests and the API KEY must set as key in the formdata.
Below see one example or curl and one for python. In the following, the documentation is reduced to curl.

curl --location --request POST 'https://vyos/retrieve' \

--form data='{"op": "showConfig", "path": []}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

import requests
url = "https://vyos/retrieve"
payload={'data': '{"op": "showConfig", "path": []}',
'key': 'MY-HTTPS-API-PLAINTEXT-KEY'
}
headers = {}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)

567
 VyOS Documentation, 发布 1.4.x (sagitta)

10.1.2 API Endpoints

/retrieve

With the retrieve endpoint you get parts or the whole configuration.
To get the whole configuration, pass an empty list to the path field

curl --location --request POST 'https://vyos/retrieve' \

--form data='{"op": "showConfig", "path": []}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response (shorted)
{
"success": true,
"data": {
"interfaces": {
"ethernet": {
"eth0": {
"address": "dhcp",
"duplex": "auto",
"hw-id": "50:00:00:01:00:00",
"speed": "auto"
},
"eth1": {
"duplex": "auto",
"hw-id": "50:00:00:01:00:01",
"speed": "auto"
...
},
"error": null
}

only get a part of the configuration, for example system syslog.

curl -k --location --request POST 'https://vyos/retrieve' \

--form data='{"op": "showConfig", "path": ["system", "syslog"]}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": {
"global": {
"facility": {
"all": {
"level": "info"
},
"protocols": {
"level": "debug"
}
}
}
},
"error": null
}

10.1. VyOS API 568

 VyOS Documentation, 发布 1.4.x (sagitta)

if you just want the Value of a multi-valued node, use the returnValues operation.
for example get the addresses of a dum0 interface

curl -k --location --request POST 'https://vyos/retrieve' \

--form data='{"op": "returnValues", "path": ["interfaces","dummy","dum0","address"]}'␣
,→\

--form key='MY-HTTPS-API-PLAINTEXT-KEY'

respone:
{
"success": true,
"data": [
"10.10.10.10/24",
"10.10.10.11/24",
"10.10.10.12/24"
],
"error": null
}

/image

To add or delete an image, use the /image endpoint.

add an image

curl -k --location --request POST 'https://vyos/image' \

--form data='{"op": "add", "url": "https://downloads.vyos.io/rolling/current/amd64/
,→vyos-rolling-latest.iso"}' \

--form key='MY-HTTPS-API-PLAINTEXT-KEY'

respone (shorted):
{
"success": true,
"data": "Trying to fetch ISO file from https://downloads.vyos.io/rolling-latest.
,→iso\n

...
Setting up grub configuration...\nDone.\n",
"error": null
}

delete an image, for example 1.3-rolling-202006070117

curl -k --location --request POST 'https://vyos/image' \

--form data='{"op": "delete", "name": "1.3-rolling-202006070117"}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": "Deleting the \"1.3-rolling-202006070117\" image...\nDone\n",
"error": null
}

10.1. VyOS API 569

 VyOS Documentation, 发布 1.4.x (sagitta)

/show

The /show endpoint is to show everthing in operational mode

for example which images are installed

curl -k --location --request POST 'https://vyos/show' \

--form data='{"op": "show", "path": ["system", "image"]}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": "The system currently has the following image(s) installed:\n\n
1: 1.4-rolling-202102280559 (default boot)\n
2: 1.4-rolling-202102230218\n
3: 1.3-beta-202102210443\n\n",
"error": null
}

/generate

to run a generate command use the

curl -k --location --request POST 'https://vyos/generate' \

--form data='{"op": "generate", "path": ["wireguard", "default-keypair"]}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": "",
"error": null
}

/configure

You can pass a set, delete or comment command to the /configure endpoint.
set a single command

curl -k --location --request POST 'https://vyos/configure' \

--form data='{"op": "set", "path": ["interfaces", "dummy", "dum1", "address", "10.11.
,→0.1/32"]}' \

--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": null,
"error": null
}

delete a single command

10.1. VyOS API 570

 VyOS Documentation, 发布 1.4.x (sagitta)

curl -k --location --request POST 'https://vyos/configure' \

--form data='{"op": "delete", "path": ["interfaces", "dummy", "dum1", "address", "10.
,→11.0.1/32"]}' \

--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": null,
"error": null
}

The API push every request to a session and commit it. But some of VyOS components like DHCP and PPPoE Servers,
IPSec, VXLAN, and other tunnels require full configuration for commit. The Endpoint will process multiple commands
when you pass them as a list to the data field.
curl -k --location --request POST 'https://vyos/configure' \
--form data='[{"op": "set","path":["interfaces","vxlan","vxlan1","remote","203.0.113.
,→99"]}, {"op": "set","path":["interfaces","vxlan","vxlan1","vni","1"]}]' \

--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": null,
"error": null
}

/config-file

The endpoint /config-file is to save or load a configuration.

Save a running configuration to the startup configuration. When you don’t specify the file when saving, it saves to
/config/config.boot.
curl -k --location --request POST 'https://vyos/config-file' \
--form data='{"op": "save"}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": "Saving configuration to '/config/config.boot'...\nDone\n",
"error": null
}

Save a running configuration to a file.

curl -k --location --request POST 'https://vyos/config-file' \
--form data='{"op": "save", "file": "/config/test.config"}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": "Saving configuration to '/config/test.config'...\nDone\n",
(下页继续)

10.1. VyOS API 571

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
"error": null
}

To Load a configuration file.

curl -k --location --request POST 'https://vyos/config-file' \
--form data='{"op": "load", "file": "/config/test.config"}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'

response:
{
"success": true,
"data": null,
"error": null
}

10.2 Ansible

VyOS supports configuration via ansible. Need to install ansible and python3-paramiko module
Structure of files
.
├── ansible.cfg
├── files
│ └── id_rsa_docker.pub
├── hosts
└── main.yml

10.2.1 File contents

ansible.cfg
[defaults]
host_key_checking = no
retry_files_enabled = False
ANSIBLE_INVENTORY_UNPARSED_FAILED = true

id_rsa_docker.pub. Needs to declare only public key exactly.

AAAAB3NzaC1yc2EAAAADAQABAAABAQCoDgfhQJuJRFWJijHn7ZinZ3NWp4hWVrt7HFcvn0kgtP/5PeCtMt

hosts
[vyos_hosts]
r11 ansible_ssh_host=192.0.2.11

[vyos_hosts:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_user=vyos
ansible_ssh_pass=vyos
ansible_network_os=vyos
ansible_connection=network_cli

10.2. Ansible 572

 VyOS Documentation, 发布 1.4.x (sagitta)

main.yml

---

- hosts: r11

connection: network_cli
gather_facts: 'no'

tasks:
- name: Configure remote r11
vyos_config:
lines:
- set system host-name r11
- set system name-server 203.0.113.254
- set service ssh disable-host-validation
- set system login user vyos authentication public-keys docker@work type␣
,→ssh-rsa

- set system login user vyos authentication public-keys docker@work key "{{␣
,→lookup('file', 'id_rsa_docker.pub') }}"

- set system time-zone America/Los_Angeles

- set interfaces ethernet eth0 description WAN

10.2.2 Run ansible

$ ansible-playbook -i hosts main.yml

PLAY [r11]␣
,→***************************************************************************************************

TASK [Configure remote r11]␣

,→***************************************************************************************************

changed: [r11]

PLAY RECAP␣
,→***************************************************************************************************

r11 : ok=1 changed=1 unreachable=0 failed=0 ␣

,→skipped=0 rescued=0 ignored=0

10.3 Command Scripting

VyOS supports executing configuration and operational commands non-interactively from shell scripts.
To include VyOS specific functions and aliases you need to source /opt/vyatta/etc/functions/
script-template files at the top of your script.

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
exit

10.3. Command Scripting 573

 VyOS Documentation, 发布 1.4.x (sagitta)

10.3.1 Run configuration commands

Configuration commands are executed just like from a normal config session. For example, if you want to disable a BGP
peer on VRRP transition to backup:

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
set protocols bgp 65536 neighbor 192.168.2.1 shutdown
commit
exit

10.3.2 Run operational commands

Unlike a normal configuration sessions, all operational commands must be prepended with run, even if you haven’t
created a session with configure.

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
run show interfaces
exit

10.3.3 Other script language

If you want to script the configs in a language other than bash you can have your script output commands and then source
them in a bash script.
Here is a simple example:

#!/usr/bin/env python
print "delete firewall group address-group somehosts"
print "set firewall group address-group somehosts address '192.0.2.3'"
print "set firewall group address-group somehosts address '203.0.113.55'"

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
source < /config/scripts/setfirewallgroup.py
commit

10.3.4 Executing Configuration Scripts

There is a pitfall when working with configuration scripts. It is tempting to call configuration scripts with “sudo”(i.e.,
temporary root permissions), because that’s the common way on most Linux platforms to call system commands.
On VyOS this will cause the following problem: After modifying the configuration via script like this once, it is not
possible to manually modify the config anymore:

sudo ./myscript.sh # Modifies config

configure
set ... # Any configuration parameter

10.3. Command Scripting 574

 VyOS Documentation, 发布 1.4.x (sagitta)

This will result in the following error message: Set failed If this happens, a reboot is required to be able to edit the
config manually again.
To avoid these problems, the proper way is to call a script with the vyattacfg group, e.g., by using the sg (switch
group) command:

sg vyattacfg -c ./myscript.sh

To make sure that a script is not accidentally called without the vyattacfg group, the script can be safeguarded like
this:

if [ "$(id -g -n)" != 'vyattacfg' ] ; then

exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

10.3.5 Postconfig on boot

The /config/scripts/vyos-postconfig-bootup.script script is called on boot after the VyOS config-

uration is fully applied.
Any modifications done to work around unfixed bugs and implement enhancements which are not complete in the VyOS
system can be placed here.
The default file looks like this:

#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully
# applied. Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.

提示: For configuration/upgrade management issues, modification of this script should be the last option. Always try to
find solutions based on CLI commands first.

10.3. Command Scripting 575

 CHAPTER 11

Troubleshooting

Sometimes things break or don’t work as expected. This section describes several troubleshooting tools provided by
VyOS that can help when something goes wrong.

11.1 Connectivity Tests

11.1.1 Basic Connectivity Tests

Verifying connectivity can be done with the familiar ping and traceroute commands. The options for each are shown (the
options for each command were displayed using the built-in help as described in the 命令行接口 section and are omitted
from the output here):
ping <destination>
Send ICMP echo requests to destination host. There are multiple options to ping, inkl. VRF support.

vyos@vyos:~$ ping 10.1.1.1

Possible completions:
<Enter> Execute the current command
adaptive Ping options
allow-broadcast
audible
bypass-route
count
deadline
flood
interface
interval
mark
no-loopback
numeric
pattern
quiet
(下页继续)

576
 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
record-route
size
timestamp
tos
ttl
verbose
vrf

traceroute <destination>
Trace path to target.

vyos@vyos:~$ traceroute
Possible completions:
<hostname> Track network path to specified node
<x.x.x.x>
<h:h:h:h:h:h:h:h>
ipv4 Track network path to <hostname|IPv4 address>
ipv6 Track network path to <hostname|IPv6 address>

11.1.2 Advanced Connectivity Tests

monitor traceroute <destination>

However, another helper is available which combines ping and traceroute into a single tool. An example of its
output is shown:

vyos@vyos:~$ mtr 10.62.212.12

My traceroute [v0.85]
vyos (0.0.0.0)
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.11.110.4 0.0% 34 0.5 0.5 0.4 0.8 0.1
2. 10.62.255.184 0.0% 34 1.1 1.0 0.9 1.4 0.1
3. 10.62.255.71 0.0% 34 1.4 1.4 1.3 2.0 0.1
4. 10.62.212.12 0.0% 34 1.6 1.6 1.6 1.7 0.0

注解: The output consumes the screen and will replace your command prompt.

Several options are available for changing the display output. Press h to invoke the built in help system. To quit,
just press q and you’ll be returned to the VyOS command prompt.

11.1. Connectivity Tests 577

 VyOS Documentation, 发布 1.4.x (sagitta)

11.1.3 IPv6 Topology Discovery

IPv6 uses different techniques to discover its Neighbors/topology.

Router Discovery

force ipv6-rd interface <interface> [address <ipv6-address>]

Discover routers via eth0.
Example:

vyos@vyos:~$ force ipv6-rd interface eth0

Soliciting ff02::2 (ff02::2) on eth0...

Hop limit : 60 ( 0x3c)

Stateful address conf. : No
Stateful other conf. : No
Mobile home agent : No
Router preference : high
Neighbor discovery proxy : No
Router lifetime : 1800 (0x00000708) seconds
Reachable time : unspecified (0x00000000)
Retransmit time : unspecified (0x00000000)
Prefix : 240e:fe:8ca7:ea01::/64
On-link : Yes
Autonomous address conf.: Yes
Valid time : 2592000 (0x00278d00) seconds
Pref. time : 14400 (0x00003840) seconds
Prefix : fc00:470:f1cd:101::/64
On-link : Yes
Autonomous address conf.: Yes
Valid time : 2592000 (0x00278d00) seconds
Pref. time : 14400 (0x00003840) seconds
Recursive DNS server : fc00:470:f1cd::ff00
DNS server lifetime : 600 (0x00000258) seconds
Source link-layer address: 00:98:2B:F8:3F:11
from fe80::298:2bff:fef8:3f11

Neighbor Discovery

force ipv6-nd interface <interface> address <ipv6-address>

Example:

vyos@vyos:~$ force ipv6-nd interface eth0 address fc00:470:f1cd:101::1

Soliciting fc00:470:f1cd:101::1 (fc00:470:f1cd:101::1) on eth0...

Target link-layer address: 00:98:2B:F8:3F:11 from fc00:470:f1cd:101::1

11.1. Connectivity Tests 578

 VyOS Documentation, 发布 1.4.x (sagitta)

11.2 Interface names

If you find the names of your interfaces have changed, this could be because your MAC addresses have changed.
• For example, you have a VyOS VM with 4 Ethernet interfaces named eth0, eth1, eth2 and eth3. Then, you migrate
your VyOS VM to a different host and find your interfaces now are eth4, eth5, eth6 and eth7.
One way to fix this issue taking control of the MAC addresses is:
Log into VyOS and run this command to display your interface settings.

show interfaces detail

Take note of MAC addresses.

Now, in order to update a MAC address in the configuration, run this command specifying the interface name and
MAC address you want.

set interfaces eth0 hw-id 00:0c:29:da:a4:fe

If it is a VM, go into the settings of the host and set the MAC address to the settings found in the config.boot file.
You can also set the MAC to static if the host allows so.
• Another example could be when cloning VyOS VMs in GNS3 and you get into the same issue: interface names
have changed.
And a more generic way to fix it is just deleting every MAC address at the configuration file of the cloned machine.
They will be correctly regenerated automatically.

11.3 Monitoring

VyOS features several monitoring tools.

vyos@vyos:~$ monitor
Possible completions:
bandwidth Monitor interface bandwidth in real time
bandwidth-test
Initiate or wait for bandwidth test
cluster Monitor clustering service
command Monitor an operational mode command (refreshes every 2 seconds)
conntrack-sync
Monitor conntrack-sync
content-inspection
Monitor Content-Inspection
dhcp Monitor Dynamic Host Control Protocol (DHCP)
dns Monitor a Domain Name Service (DNS) daemon
firewall Monitor Firewall
https Monitor the Secure Hypertext Transfer Protocol (HTTPS) service
lldp Monitor Link Layer Discovery Protocol (LLDP) daemon
log Monitor last lines of messages file
nat Monitor network address translation (NAT)
ndp Monitor the NDP information received by the router through the device
openvpn Monitor OpenVPN
protocol Monitor routing protocols
snmp Monitor Simple Network Management Protocol (SNMP) daemon
stop-all Stop all current background monitoring processes
(下页继续)

11.2. Interface names 579

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
traceroute Monitor the path to a destination in realtime
traffic Monitor traffic dumps
vpn Monitor VPN
vrrp Monitor Virtual Router Redundancy Protocol (VRRP)
webproxy Monitor Webproxy service

11.3.1 Traffic Dumps

To monitor interface traffic, issue the monitor traffic interface <name> command, replacing <name> with
your chosen interface.

vyos@vyos:~$ monitor traffic interface eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:54:28.581601 IP 192.168.0.1 > vyos: ICMP echo request, id 1870, seq 3848, length 64
15:54:28.581660 IP vyos > 192.168.0.1: ICMP echo reply, id 1870, seq 3848, length 64
15:54:29.583399 IP 192.168.0.1 > vyos: ICMP echo request, id 1870, seq 3849, length 64
15:54:29.583454 IP vyos > 192.168.0.1: ICMP echo reply, id 1870, seq 3849, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
vyos@vyos:~$

To quit monitoring, press Ctrl-c and you’ll be returned to the VyOS command prompt.
Traffic can be filtered and saved.

vyos@vyos:~$ monitor traffic interface eth0

Possible completions:
<Enter> Execute the current command
filter Monitor traffic matching filter conditions
save Save traffic dump from an interface to a file

11.3.2 Interface Bandwidth Usage

to take a quick view on the used bandwidth of an interface use the monitor bandwidth command

vyos@vyos:~$ monitor bandwidth interface eth0

show the following:

B (RX Bytes/second)
198.00 .|....|.....................................................
165.00 .|....|.....................................................
132.00 ||..|.|.....................................................
99.00 ||..|.|.....................................................
66.00 |||||||.....................................................
33.00 |||||||.....................................................
1 5 10 15 20 25 30 35 40 45 50 55 60

KiB (TX Bytes/second)

3.67 ......|.....................................................
(下页继续)

11.3. Monitoring 580

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
3.06 ......|.....................................................
2.45 ......|.....................................................
1.84 ......|.....................................................
1.22 ......|.....................................................
0.61 :::::||.....................................................
1 5 10 15 20 25 30 35 40 45 50 55 60

11.3.3 Interface Performance

To take a look on the network bandwidth between two nodes, the monitor bandwidth-test command is used to
run iperf.

vyos@vyos:~$ monitor bandwidth-test

Possible completions:
accept Wait for bandwidth test connections (port TCP/5001)
initiate Initiate a bandwidth test

• The accept command opens a listening iperf server on TCP Port 5001
• The initiate command connects to that server to perform the test.

vyos@vyos:~$ monitor bandwidth-test initiate

Possible completions:
<hostname> Initiate a bandwidth test to specified host (port TCP/5001)
<x.x.x.x>
<h:h:h:h:h:h:h:h>

11.3.4 Monitor command

The monitor command command allows you to repeatedly run a command to view a continuously refreshed output.
The command is run and output every 2 seconds, allowing you to monitor the output continuously without having to re-run
the command. This can be useful to follow routing adjacency formation.

vyos@router:~$ monitor command "show interfaces"

Will clear the screen and show you the output of show interfaces every 2 seconds.

Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper Sun Mar 26 02:49:46 2019

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down

Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 192.168.1.1/24 u/u
eth0.5 198.51.100.4/24 u/u WAN
lo 127.0.0.1/8 u/u
::1/128
vti0 172.25.254.2/30 u/u
vti1 172.25.254.9/30 u/u

11.3. Monitoring 581

 VyOS Documentation, 发布 1.4.x (sagitta)

11.4 Terminal/Console

Sometimes you need to clear counters or statistics to troubleshoot better.

To do this use the clear command in Operational mode.
to clear the console output

vyos@vyos:~$ clear console

to clear interface counters

# clear all interfaces

vyos@vyos:~$ clear interface ethernet counters
# clear specific interface
vyos@vyos:~$ clear interface ehternet eth0 counters

The command follow the same logic as the set command in configuration mode.

# clear all counters of a interface type

vyos@vyos:~$ clear interface <interface_type> counters
# clear counter of a interface in interface_type
vyos@vyos:~$ clear interface <interface_type> <interace_name> counters

to clear counters on firewall rulesets or single rules

vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters

vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters

vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> counters

vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> rule <rule#> counters

11.5 System Information

11.5.1 Boot Steps

VyOS 1.2 uses Debian Jessie as the base Linux operating system. Jessie was the first version of Debian that uses systemd
as the default init system.
These are the boot steps for VyOS 1.2
1. The BIOS loads Grub (or isolinux for the Live CD)
2. Grub then starts the Linux boot and loads the Linux Kernel /boot/vmlinuz
3. Kernel Launches Systemd /lib/systemd/systemd
4. Systemd loads the VyOS service file /lib/systemd/system/vyos-router.service
5. The service file launches the VyOS router init script /usr/libexec/vyos/init/vyos-router - this is
part of the vyatta-cfg Debian package
1. Starts FRR - successor to GNU Zebra and Quagga
2. Initialises the boot configuration file - copies over config.boot.default if there is no configu-
ration
3. Runs the configuration migration, if the configuration is for an older version of VyOS

11.4. Terminal/Console 582

 VyOS Documentation, 发布 1.4.x (sagitta)

4. Runs The pre-config script, if there is one /config/scripts/vyos-preconfig-bootup.

script
5. If the config file was upgraded, runs any post upgrade scripts /config/scripts/
post-upgrade.d
6. Starts rl-system and firewall
7. Mounts the /boot partition
8. The boot configuration file is then applied by /opt/vyatta/sbin/
vyatta-boot-config-loader/opt/vyatta/etc/config/config.boot
1. The config loader script writes log entries to /var/log/vyatta-config-loader.log
9. Runs telinit q to tell the init system to reload /etc/inittab
10. Finally it runs the post-config script /config/scripts/vyos-postconfig-bootup.
script

11.5. System Information 583

 CHAPTER 12

配置蓝图

本章包含各种配置举例:

12.1 通过 GRE 网桥的 DHCP 中继

12.1.1 图

584
 VyOS Documentation, 发布 1.4.x (sagitta)

12.1.2 配置

DHCP 服务器

set interfaces ethernet eth0 address '10.0.2.1/24'

set interfaces loopback lo address '192.168.3.3/24'
set interfaces tunnel tun100 address '172.16.0.2/30'
set interfaces tunnel tun100 encapsulation 'gretap'
set interfaces tunnel tun100 local-ip '10.0.2.1'
set interfaces tunnel tun100 remote-ip '192.168.0.1'
set protocols ospf area 0 network '192.168.3.0/24'
set protocols ospf area 0 network '10.0.2.0/24'
set protocols ospf parameters router-id '192.168.3.3'
set protocols static route 10.0.1.2/32 interface tun100
set service dhcp-server shared-network-name asdf authoritative
set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 start
,→'192.168.3.30'

set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 stop

,→'192.168.3.40'

set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 default-router

,→'10.0.1.2'

set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 start '10.
,→0.1.200'

set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 stop '10.
,→0.1.210'

set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 start '10.
,→2.1.222'

set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 stop '10.
,→2.1.233'

set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 start

,→'172.16.0.1'

set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 stop

,→'172.16.0.2'

中间路由器

set interfaces ethernet eth0 address '192.168.0.2/24'

set interfaces ethernet eth1 address '10.0.2.2/24'
set protocols ospf area 0 network '192.168.0.0/24'
set protocols ospf area 0 network '10.0.2.0/24'
set protocols ospf parameters router-id '192.168.0.2'

DHCP 代理

set interfaces ethernet eth0 address '10.0.1.2/24'

set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces loopback lo address '10.100.100.1'
set interfaces tunnel tun100 address '172.16.0.1/30'
set interfaces tunnel tun100 encapsulation 'gretap'
set interfaces tunnel tun100 local-ip '192.168.0.1'
set interfaces tunnel tun100 remote-ip '10.0.2.1'
set protocols ospf area 0 network '10.0.1.0/24'
set protocols ospf area 0 network '192.168.0.0/24'
(下页继续)

12.1. 通过 GRE 网桥的 DHCP 中继 585

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set protocols ospf area 0 network '10.100.100.0/24'
set protocols ospf parameters router-id '10.100.100.1'
set protocols static route 192.168.3.3/32 interface tun100
set service dhcp-relay interface 'eth0'
set service dhcp-relay interface 'tun100'
set service dhcp-relay server '192.168.3.3'

12.2 Zone-Policy 例子

12.2.1 本地 IPv4 和 IPv6

我们有三个网络。

WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64

LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64
DMZ - 192.168.200.0/24, 2001:0DB8:0:BBBB::0/64

这个具体的例子是一个路由器在棍子上，但非常容易适应无论你有多少网卡:
• Internet - 192.168.200.100 - TCP/80
• Internet - 192.168.200.100 - TCP/443
• Internet - 192.168.200.100 - TCP/25
• Internet - 192.168.200.100 - TCP/53
• VyOS 可作为 DHCP、DNS 转发器、NAT、路由器和防火墙。
• 192.168.200.200/2001:0DB8:0:BBBB::200 是内部/外部 DNS、web 和 mail (SMTP/IMAP) 服务器。
• 192.168.100.10/2001:0DB8:0:AAAA::10 为管理员控制台。它可以 SSH 到 VyOS。
• LAN 和 DMZ 主机有基本的出站访问:Web、FTP、SSH。
• LAN 可以访问 DMZ 资源。
• DMZ 不能访问 LAN 资源。
• 入站 WAN 连接到 DMZ 主机。

12.2. Zone-Policy 例子 586

 VyOS Documentation, 发布 1.4.x (sagitta)

VyOS 接口被分配了他们各自网络的。1/:1 地址。WAN 在 VLAN 10 上，LAN 在 VLAN 20 上，DMZ 在 VLAN

30 上。
它看起来是这样的:

interfaces {
ethernet eth0 {
duplex auto
hw-id 00:53:ed:6e:2a:92
smp_affinity auto
speed auto
vif 10 {
address 172.16.10.1/24
address 2001:db8:0:9999::1/64
}
vif 20 {
address 192.168.100.1/24
address 2001:db8:0:AAAA::1/64
(下页继续)

12.2. Zone-Policy 例子 587

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
}
vif 30 {
address 192.168.200.1/24
address 2001:db8:0:BBBB::1/64
}
}
loopback lo {
}
}

12.2.2 Zones Basics

每个接口都被分配到一个安全区域。接口可以是物理的，也可以是虚拟的，如隧道 (VPN、PPTP、GRE 等)，

并且被完全相同的对待。
从 A 区域到 b 区域的交通流就是我所说的区域对方向。如。A->B 和 B->A 是两个区域对目的地。
规则集是根据每个区域对-方向创建的。
我将规则集命名为表示它们所代表的区域对方向。如。ZoneA-ZoneB 或 ZoneB-ZoneA。LAN-DMZ DMZ-LAN。
在 VyOS 中，必须有唯一的规则集名称。如果出现重叠，我将在 v6 规则集的末尾添加一个“-6”
。如。LAN-DMZ
LAN-DMZ-6。这允许每个自动完成和唯一性。
在本例中，我们有 4 个区域。LAN, WAN, DMZ, Local。本地区域是防火墙本身。
如果您的计算机在 LAN 上，并且您需要 SSH 到您的 VyOS 框中，那么您需要一条规则在 LAN- local 规则集
中允许它。如果您想从 VyOS 框访问一个网页，您需要一条规则在 Local-LAN 规则集中允许它。
在规则中，保持它们名称的一致性是有好处的。随着规则数量的增加，你的一致性越强，你的生活就会越轻
松。

Rule 1 - State Established, Related

Rule 2 - State Invalid
Rule 100 - ICMP
Rule 200 - Web
Rule 300 - FTP
Rule 400 - NTP
Rule 500 - SMTP
Rule 600 - DNS
Rule 700 - DHCP
Rule 800 - SSH
Rule 900 - IMAPS

前两条规则用于处理 VyOS 和 iptables 的特性。

区域和规则集都有一个默认的动作语句。使用 zone-policy 时，缺省动作由 zone-policy 语句设置，由规则 10000
表示。
记录接受和拒绝的流量是很好的做法。当您试图排除连接问题时，它可以为您节省大量的麻烦。
要将日志记录添加到默认规则，执行以下操作:

set firewall name <ruleSet> enable-default-log

默认情况下，iptables 不允许已建立会话的流量返回，因此必须显式允许返回。为此，我向每个规则集添加了
两条规则。1 允许建立的和相关的状态包通过，规则 2 丢弃并记录无效的状态包。我们将已建立的/相关的规
则放在顶部，因为网络上的绝大多数流量都已建立，而无效规则是为了防止无效状态包被错误地与其他规则

12.2. Zone-Policy 例子 588

 VyOS Documentation, 发布 1.4.x (sagitta)

匹配。在高容量环境中，先列出最匹配的规则可以减少 CPU 负载。注意: 我已经提交了一个 bug，将此添加

为默认操作。
“需要注意的是，您不希望将日志记录添加到已建立的状态规则中，因为您将记录每个会话的入站和出站包，
而不仅仅是会话的启动。你的日志在很短的时间内就会非常庞大。”
在 VyOS 中，在将接口应用到 zone-policy 之前，必须先创建接口，在将其应用到 zone-policy 之前，必须创建
规则集。
我首先创建/配置接口。为每个区域对方向 (zone-pair-direction) 构建规则集，其中至少包括三种状态规则。然
后设置 zone- policy。
区域不允许默认的 accept 动作; 要么放弃，要么拒绝。记住这一点非常重要，因为如果您将接口应用到一个
区域并提交，任何活动的连接都将被删除。具体来说，如果您通过 SSH 进入 VyOS，并添加本地或连接到某
个区域的接口，并且没有允许 SSH 和已建立会话的规则集，那么您将无法连接。
下面是在 IPv4 和 IPv6 中为这个例子创建的规则 (可能不完整)。如果没有指定 IP 地址，则不显示源/目的地
址。

WAN – DMZ:192.168.200.200 – tcp/80

WAN – DMZ:192.168.200.200 – tcp/443
WAN – DMZ:192.168.200.200 – tcp/25
WAN – DMZ:192.168.200.200 – tcp/53
WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80
WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443
WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25
WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53

DMZ - Local - tcp/53

DMZ - Local - tcp/123
DMZ - Local - tcp/67,68

LAN - Local - tcp/53

LAN - Local - tcp/123
LAN - Local - tcp/67,68
LAN:192.168.100.10 - Local - tcp/22
LAN:2001:0DB8:0:AAAA::10 - Local - tcp/22

LAN - WAN - tcp/80

LAN - WAN - tcp/443
LAN - WAN - tcp/22
LAN - WAN - tcp/20,21

DMZ - WAN - tcp/80

DMZ - WAN - tcp/443
DMZ - WAN - tcp/22
DMZ - WAN - tcp/20,21
DMZ - WAN - tcp/53
DMZ - WAN - udp/53

Local - WAN - tcp/80

Local - WAN - tcp/443
Local - WAN - tcp/20,21

Local - DMZ - tcp/25

Local - DMZ - tcp/67,68
Local - DMZ - tcp/53
Local - DMZ - udp/53

(下页继续)

12.2. Zone-Policy 例子 589

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Local - LAN - tcp/67,68

LAN - DMZ - tcp/80

LAN - DMZ - tcp/443
LAN - DMZ - tcp/993
LAN:2001:0DB8:0:AAAA::10 - DMZ:2001:0DB8:0:BBBB::200 - tcp/22
LAN:192.168.100.10 - DMZ:192.168.200.200 - tcp/22

因为我们有 4 个区域，所以需要设置以下规则集。
Lan-wan
Lan-local
Lan-dmz
Wan-lan
Wan-local
Wan-dmz
Local-lan
Local-wan
Local-dmz
Dmz-lan
Dmz-wan
Dmz-local

即使这两个区域永远不会通信，创建区域对-方向规则集并设置 enable-default-log 也是一个好主意。这将允许

您记录访问网络的尝试。如果没有它，您将永远看不到连接尝试。
这是三个基本规则的一个例子。
name wan-lan {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}

下面是一个 IPv6 DMZ-WAN 规则集的例子。

ipv6-name dmz-wan-6 {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
(下页继续)

12.2. Zone-Policy 例子 590

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 500 {
action accept
destination {
port 25
}
log enable
protocol tcp
source {
address 2001:db8:0:BBBB::200
}
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
source {
address 2001:db8:0:BBBB::200
}
}
rule 800 {
action accept
destination {
port 22
}

(下页继续)

12.2. Zone-Policy 例子 591

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
log enable
protocol tcp
}
}

构建了所有规则集之后，就需要创建 zone-policy。
首先为每个区域设置接口和缺省动作。

set zone-policy zone dmz default-action drop

set zone-policy zone dmz interface eth0.30

在本例中，我们正在设置 v6 规则集，该规则集表示来自 LAN 的、目的地为 DMZ 的流量。由于 zone-policy

防火墙的语法有点笨拙，所以我把它向后考虑，以保持它的清晰。

set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6

DMZ-LAN 策略是 LAN-DMZ。一次堆砌一堆时，您会感到有节奏。

最后，您将获得类似此配置的内容。我删除了防火墙，接口和区域策略部分中的所有内容。它足够长了。

12.2.3 IPv6 隧道

如果您使用的是来自 HE.net 或其他网站的 IPv6 隧道，则除了具有两个 WAN 接口外，其基础是相同的。一

个针对 v4，另一个针对 v6。
您将拥有 5 个区域而不是 4 个区域，并且可以在隧道接口与 LAN / DMZ 区域（而不是 WAN）之间配置 v6
规则集。
LAN, WAN, DMZ, local and TUN (隧道)
v6 对将是：

lan-tun
lan-local
lan-dmz
tun-lan
tun-local
tun-dmz
local-lan
local-tun
local-dmz
dmz-lan
dmz-tun
dmz-local

请注意，没有人会去 WAN，因为 WAN 上没有 v6 地址。

您必须在 wan-local 规则集上添加几个规则，以允许使用协议 41。
就像是：

rule 400 {
action accept
destination {
address 172.16.10.1
}
(下页继续)

12.2. Zone-Policy 例子 592

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
log enable
protocol 41
source {
address ip.of.tunnel.broker
}
}

12.3 BGP IPv6 未编号，带有扩展的 nexthop

一般信息可在BGP chapter。

12.3.1 配置

• 路由器 A

set protocols bgp 64496 address-family ipv4-unicast redistribute connected

set protocols bgp 64496 address-family ipv6-unicast redistribute connected
set protocols bgp 64496 neighbor eth1 interface v6only
set protocols bgp 64496 neighbor eth1 interface v6only peer-group 'fabric'
set protocols bgp 64496 neighbor eth2 interface v6only
set protocols bgp 64496 neighbor eth2 interface v6only peer-group 'fabric'
set protocols bgp 64496 parameters bestpath as-path multipath-relax
set protocols bgp 64496 parameters bestpath compare-routerid
set protocols bgp 64496 parameters default no-ipv4-unicast
set protocols bgp 64496 parameters router-id '192.168.0.1'
set protocols bgp 64496 peer-group fabric address-family ipv4-unicast
set protocols bgp 64496 peer-group fabric address-family ipv6-unicast
set protocols bgp 64496 peer-group fabric capability extended-nexthop
set protocols bgp 64496 peer-group fabric remote-as 'external'

• 路由器 B

set protocols bgp 64499 address-family ipv4-unicast redistribute connected

set protocols bgp 64499 address-family ipv6-unicast redistribute connected
set protocols bgp 64499 neighbor eth1 interface v6only
set protocols bgp 64499 neighbor eth1 interface v6only peer-group 'fabric'
set protocols bgp 64499 neighbor eth2 interface v6only
set protocols bgp 64499 neighbor eth2 interface v6only peer-group 'fabric'
set protocols bgp 64499 parameters bestpath as-path multipath-relax
set protocols bgp 64499 parameters bestpath compare-routerid
set protocols bgp 64499 parameters default no-ipv4-unicast
set protocols bgp 64499 parameters router-id '192.168.0.2'
set protocols bgp 64499 peer-group fabric address-family ipv4-unicast
set protocols bgp 64499 peer-group fabric address-family ipv6-unicast
set protocols bgp 64499 peer-group fabric capability extended-nexthop
set protocols bgp 64499 peer-group fabric remote-as 'external'

12.3. BGP IPv6 未编号，带有扩展的 nexthop 593

 VyOS Documentation, 发布 1.4.x (sagitta)

12.3.2 结果

• 路由器 A

vyos@vyos:~$ show interfaces

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 198.51.100.34/24 u/u
eth1 - u/u
eth2 - u/u
lo 127.0.0.1/8 u/u
192.168.0.1/32
::1/128

vyos@vyos:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route

S>* 0.0.0.0/0 [210/0] via 198.51.100.34, eth0, 03:21:53

C>* 198.51.100.0/24 is directly connected, eth0, 03:21:53
C>* 192.168.0.1/32 is directly connected, lo, 03:21:56
B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07
* via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07

vyos@vyos:~$ ping 192.168.0.2

PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.575 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.628 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.581 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=0.682 ms
64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=0.597 ms

--- 192.168.0.2 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4086ms
rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms

vyos@vyos:~$ show ip bgp summary

IPv4 Unicast Summary:

BGP router identifier 192.168.0.1, local AS number 65020 vrf-id 0
BGP table version 4
RIB entries 5, using 800 bytes of memory
Peers 2, using 41 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

eth1 4 64499 13 13 0 0 0 00:05:33 2
eth2 4 64499 13 14 0 0 0 00:05:29 2

Total number of neighbors 2

• 路由器 B

12.3. BGP IPv6 未编号，带有扩展的 nexthop 594

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos:~$ show interfaces

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 198.51.100.33/24 u/u
eth1 - u/u
eth2 - u/u
lo 127.0.0.1/8 u/u
192.168.0.2/32
::1/128

vyos@vyos:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route

S>* 0.0.0.0/0 [210/0] via 198.51.100.33, eth0, 00:44:08

C>* 198.51.100.0/24 is directly connected, eth0, 00:44:09
B>* 192.168.0.1/32 [20/0] via fe80::a00:27ff:fe2d:205d, eth1, 00:06:18
* via fe80::a00:27ff:fe93:e142, eth2, 00:06:18
C>* 192.168.0.2/32 is directly connected, lo, 00:44:11

vyos@vyos:~$ ping 192.168.0.1

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.427 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.471 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.782 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.715 ms

--- 192.168.0.1 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3051ms
rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms

vyos@vyos:~$ show ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 192.168.0.2, local AS number 65021 vrf-id 0
BGP table version 4
RIB entries 5, using 800 bytes of memory
Peers 2, using 41 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

eth1 4 64496 14 14 0 0 0 00:06:40 2
eth2 4 64496 14 14 0 0 0 00:06:37 2

Total number of neighbors 2

12.3. BGP IPv6 未编号，带有扩展的 nexthop 595

 VyOS Documentation, 发布 1.4.x (sagitta)

12.4 OSPF unnumbered with ECMP

一般信息可以在:ref:‘routing-ospf‘章节中找到。

12.4.1 配置

• 路由器 A

set interfaces ethernet eth0 address '10.0.0.1/24'

set interfaces ethernet eth1 address '192.168.0.1/32'
set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword
,→'

set interfaces ethernet eth1 ip ospf network 'point-to-point'

set interfaces ethernet eth2 address '192.168.0.1/32'
set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword
,→'

set interfaces ethernet eth2 ip ospf network 'point-to-point'

set interfaces loopback lo address '192.168.0.1/32'
set protocols ospf area 0.0.0.0 authentication 'md5'
set protocols ospf area 0.0.0.0 network '192.168.0.1/32'
set protocols ospf parameters router-id '192.168.0.1'
set protocols ospf redistribute connected

• 路由器 B

set interfaces ethernet eth0 address '10.0.0.2/24'

set interfaces ethernet eth1 address '192.168.0.2/32'
set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword
,→'

set interfaces ethernet eth1 ip ospf network 'point-to-point'

set interfaces ethernet eth2 address '192.168.0.2/32'
set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword
,→'

set interfaces ethernet eth2 ip ospf network 'point-to-point'

set interfaces loopback lo address '192.168.0.2/32'
set protocols ospf area 0.0.0.0 authentication 'md5'
set protocols ospf area 0.0.0.0 network '192.168.0.2/32'
set protocols ospf parameters router-id '192.168.0.2'
set protocols ospf redistribute connected

12.4.2 结果

• 路由器 A

vyos@vyos:~$ show interfaces

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.0.0.1/24 u/u
eth1 192.168.0.1/32 u/u
eth2 192.168.0.1/32 u/u
lo 127.0.0.1/8 u/u
192.168.0.1/32
::1/128

12.4. OSPF unnumbered with ECMP 596

 VyOS Documentation, 发布 1.4.x (sagitta)

vyos@vyos:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34

O 10.0.0.0/24 [110/20] via 192.168.0.2, eth1 onlink, 00:13:21
via 192.168.0.2, eth2 onlink, 00:13:21
C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35
O 192.168.0.1/32 [110/0] is directly connected, lo, 00:48:53
C * 192.168.0.1/32 is directly connected, eth2, 00:56:31
C * 192.168.0.1/32 is directly connected, eth1, 00:56:31
C>* 192.168.0.1/32 is directly connected, lo, 00:57:36
O>* 192.168.0.2/32 [110/1] via 192.168.0.2, eth1 onlink, 00:29:03
* via 192.168.0.2, eth2 onlink, 00:29:03

• 路由器 B

vyos@vyos:~$ show interfaces

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.0.0.2/24 u/u
eth1 192.168.0.2/32 u/u
eth2 192.168.0.2/32 u/u
lo 127.0.0.1/8 u/u
192.168.0.2/32
::1/128

vyos@vyos:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34

O 10.0.0.0/24 [110/20] via 192.168.0.1, eth1 onlink, 00:13:21
via 192.168.0.1, eth2 onlink, 00:13:21
C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35
O 192.168.0.2/32 [110/0] is directly connected, lo, 00:48:53
C * 192.168.0.2/32 is directly connected, eth2, 00:56:31
C * 192.168.0.2/32 is directly connected, eth1, 00:56:31
C>* 192.168.0.2/32 is directly connected, lo, 00:57:36
O>* 192.168.0.1/32 [110/1] via 192.168.0.1, eth1 onlink, 00:29:03
* via 192.168.0.1, eth2 onlink, 00:29:03

12.4. OSPF unnumbered with ECMP 597

 VyOS Documentation, 发布 1.4.x (sagitta)

12.5 基于路由的站点到站点 VPN 到 Azure（IKEv2/IPsec 上的 BGP）

本指南展示了一个使用 VTI 和 BGP 进行动态路由更新的 IKEv2 到 Azure 的站点到站点 VPN 路由示例。

有关冗余/有源配置，请参阅

12.5.1 先决条件

• 一对在启用 BGP 的主动-被动配置中部署的 Azure VNet 网关

• 部署在 Azure 中的本地网络网关，表示 Vyos 设备，与下面的 Vyos 设置匹配，除了地址空间，它只需要
Vyos 专用 IP，在本例中为 10.10.0.5/32
• 部署在 Azure 中的连接资源，用于链接 Azure VNet 网关和表示 Vyos 设备的本地网络网关。

12.5.2 例

WAN 接口 eth0
本地地址空间 10.10.0.0/16
Azure 地址空间 10.0.0.0/16
Vyos 公共 IP 198.51.100.3
Vyos 私有 IP 10.10.0.5
Azure VNet 网关公共 IP 203.0.113.2
Azure VNet 网关 BGP IP 10.0.0.4
预共享密钥 ch00s3-4-s3cur3-psk
Vyos ASN 64499
Azure ASN 65540

12.5.3 Vyos 配置

• 配置 IKE 和 ESP 设置，以匹配 Azure 支持的子集：

set vpn ipsec esp-group AZURE compression 'disable'

set vpn ipsec esp-group AZURE lifetime '3600'
set vpn ipsec esp-group AZURE mode 'tunnel'
set vpn ipsec esp-group AZURE pfs 'dh-group2'
set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'

set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'

set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
set vpn ipsec ike-group AZURE key-exchange 'ikev2'
set vpn ipsec ike-group AZURE lifetime '28800'
set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'

• 在 eth0 上启用 IPsec

12.5. 基于路由的站点到站点 VPN 到 Azure（IKEv2/IPsec 上的 BGP） 598

 VyOS Documentation, 发布 1.4.x (sagitta)

set vpn ipsec ipsec-interfaces interface 'eth0'

• 使用虚拟 IP 地址配置 VTI

set interfaces vti vti1 address '10.10.1.5/32'

set interfaces vti vti1 description 'Azure Tunnel'

• 夹紧 VTI 的 MSS 至 1350 以避免 PMTU 黑洞。

set firewall options interface vti1 adjust-mss 1350

• 配置 VPN 隧道

set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'

set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-
,→4-s3cur3-psk'

set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'

set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'

• 重要提示：添加一个接口路由以到达 Azure 的 BGP 侦听器

set protocols static route 10.0.0.4/32 interface vti1

• 配置 BGP 设置

set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'

set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-
,→reconfiguration 'inbound'
set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'

• 重要提示：禁用连接检查

set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check

12.6 到 Azure 的基于路由的冗余站点到站点 VPN（IKEv2/IPsec 上的

BGP）

本指南展示了一个基于 IKEv2 站点到站点 VPN 到 Azure 的冗余（主动）路由的示例，使用 VTI 和 BGP 进行

动态路由更新。

12.6. 到 Azure 的基于路由的冗余站点到站点 VPN（IKEv2/IPsec 上的 BGP） 599

 VyOS Documentation, 发布 1.4.x (sagitta)

12.6.1 先决条件

• 一对 Azure VNet 网关，部署在启用 BGP 的活动配置中。

• 部署在 Azure 中的本地网络网关，表示 Vyos 设备，与下面的 Vyos 设置匹配，除了地址空间，它只需要
Vyos 专用 IP，在本例中为 10.10.0.5/32
• 部署在 Azure 中的连接资源，用于链接 Azure VNet 网关和表示 Vyos 设备的本地网络网关。

12.6.2 例

WAN 接口 eth0
本地地址空间 10.10.0.0/16
Azure 地址空间 10.0.0.0/16
Vyos 公共 IP 198.51.100.3
Vyos 私有 IP 10.10.0.5
Azure VNet 网关 1 公用 IP 203.0.113.2
Azure VNet 网关 2 公共 IP 203.0.113.3
Azure VNet 网关 BGP IP 10.0.0.4,10.0.0.5
预共享密钥 ch00s3-4-s3cur3-psk
Vyos ASN 64499
Azure ASN 65540

12.6.3 Vyos 配置

• 配置 IKE 和 ESP 设置，以匹配 Azure 支持的子集：

set vpn ipsec esp-group AZURE compression 'disable'

set vpn ipsec esp-group AZURE lifetime '3600'
set vpn ipsec esp-group AZURE mode 'tunnel'
set vpn ipsec esp-group AZURE pfs 'dh-group2'
set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'

set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'

set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
set vpn ipsec ike-group AZURE key-exchange 'ikev2'
set vpn ipsec ike-group AZURE lifetime '28800'
set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'

• 在 eth0 上启用 IPsec

set vpn ipsec ipsec-interfaces interface 'eth0'

• 配置两个 VTI，每个 VTI 都有一个虚拟 IP 地址

set interfaces vti vti1 address '10.10.1.5/32'

set interfaces vti vti1 description 'Azure Primary Tunnel'

(下页继续)

12.6. 到 Azure 的基于路由的冗余站点到站点 VPN（IKEv2/IPsec 上的 BGP） 600

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set interfaces vti vti2 address '10.10.1.6/32'
set interfaces vti vti2 description 'Azure Secondary Tunnel'

• 夹紧 VTI 的 MSS 至 1350 以避免 PMTU 黑洞。

set firewall options interface vti1 adjust-mss 1350

set firewall options interface vti2 adjust-mss 1350

• 配置 VPN 隧道

set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'

set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-
,→4-s3cur3-psk'

set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'

set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'

set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'

set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-
,→4-s3cur3-psk'

set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'

set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'

• 重要提示：添加接口路由，以访问 Azure 的 BGP 侦听器

set protocols static route 10.0.0.4/32 interface vti1

set protocols static route 10.0.0.5/32 interface vti2

• 配置 BGP 设置

set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'

set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-
,→reconfiguration 'inbound'
set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'

set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540'

set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-
,→reconfiguration 'inbound'
set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30'
set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10'

• 重要提示：禁用连接检查，否则从 Azure 学习的路由将不会导入路由表。

12.6. 到 Azure 的基于路由的冗余站点到站点 VPN（IKEv2/IPsec 上的 BGP） 601

 VyOS Documentation, 发布 1.4.x (sagitta)

set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check

set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check

12.7 Tunnelbroker.net (IPv6)

本指南介绍了为 IPv6 隧道设置 https://www.tunnelbroker.net/的过程。

12.7.1 先决条件

• 一个公共的、可路由的 IPv4 地址。这并不一定需要是静态的，但是当/如果您的 IP 地址更改时，您将

需要更新隧道端点，这可以通过一个脚本和一个计划任务来完成。
• 在 https://www.tunnelbroker.net/帐户
• 请求”正常通道”。为了获得最佳响应时间，您需要选择离物理位置最近的位置。

12.7.2 设置初始隧道

建立初始 IPv6 隧道。将隧道信息页面中的字段替换为下面的字段。

conf
set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be␣
,→your VyOS install's public IPv6 address

set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel'

set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 local-ip Client_IPv4_from_Tunnelbroker # This is your␣
,→public IP

set interfaces tunnel tun0 mtu '1472'

set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker # This is the IP␣
,→of the Tunnelbroker server

set protocols static route6 ::/0 interface tun0 # Tell all traffic to go over this␣
,→tunnel

commit

如果您的广域网连接是通过 PPPoE，您可能需要将上述隧道的 MTU 设置为低于 1472。

在这一点上你应该能够 ping 一个 IPv6 地址，尝试 ping 谷歌:
ping6 -c2 2001:4860:4860::8888

64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=57 time=21.7 ms

64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=57 time=21.1 ms

--- 2001:4860:4860::8888 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 21.193/21.459/21.726/0.304 ms

假设 ping 通成功，则需要添加 DNS 服务器。一些选项:

set system name-server 2001:4860:4860::8888 # Google
set system name-server 2001:4860:4860::8844 # Google
set system name-server 2606:4700:4700::1111 # Cloudflare
(下页继续)

12.7. Tunnelbroker.net (IPv6) 602

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set system name-server 2606:4700:4700::1001 # Cloudflare
commit

你现在应该能够通过 IPv6 DNS 名称 ping 一些东西:

# ping6 -c2 one.one.one.one

PING one.one.one.one(one.one.one.one) 56 data bytes
64 bytes from one.one.one.one: icmp_seq=1 ttl=58 time=16.8 ms
64 bytes from one.one.one.one: icmp_seq=2 ttl=58 time=17.4 ms

--- one.one.one.one ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms

假设一切正常，您可以继续进行客户机配置

12.7.3 局域网配置

在这一点上，您的 VyOS 安装应该具有完全的 IPv6，但现在您的局域网设备需要访问。

有了 Tunnelbroker.net，你有两个选择:
• 路由/64。这是默认的赋值。在 IPv6-land 中，它适用于单个”LAN”，在某种程度上相当于 a /24。例
子:2001:470:xxxx: xxxx::/64
• 路由/48。这是你可以通过点击 Tunnelbroker.net 隧道配置中的”Assign /48”链接来请求的。它允许您拥
有多达 65000 个局域网。例如:2001:470:xxxx:: / 48
与 IPv4 不同的是，IPv6 并不是被设计成小于/64 的碎片。因此，如果您希望拥有多个 lan、vlan、DMZ 等，您
将希望忽略分配的/64，并请求/48 并使用它。

12.7.4 单独的局域网设置

单一的局域网设置，eth1 是您的局域网接口。使用/64(所有的 xxxx 都应该替换为来自 ‘routing /64‘隧道的信

息):

set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64'

set service router-advert interface eth1 name-server '2001:4860:4860::8888'
set service router-advert interface eth1 name-server '2001:4860:4860::8844'
set service router-advert interface eth1 prefix 2001:470:xxxx:xxxx::/64

请注意，“autonomous-flag”和“on-link-flag”是默认启用的，
“valid-lifetime”和“preferred-lifetime”的默认值
分别为 30 天和 4 小时。
这实现了一些事情:
• 设置局域网接口的 IP 地址
• 使路由器广告。这是 DHCP 的 IPv6 替代方案 (尽管 DHCPv6 仍然可以使用)。使用 RAs，您的设备将自
动找到路由和 DNS 所需的信息。

12.7. Tunnelbroker.net (IPv6) 603

 VyOS Documentation, 发布 1.4.x (sagitta)

12.7.5 多个局域网/ DMZ 设置

在这里，您使用 ‘Routed /48‘信息。这允许你为每个接口、局域网甚至设备分配不同的/64。或者你可以把你的

网络分成更小的块，如/56 或/60。
这些地址的格式:
• 2001:470:xxxx::/48: 整个子网。xxxx 应该来自 Tunnelbroker。
• 2001:470:xxxx:1::/64: 适用于局域网的子网
• 2001:470:xxxx:2::/64: 另一个子网
• 2001:470:xxxx:ffff:/64: 最后一个可用的/64 子网。
在上面的例子中，1,2 和 ffff 都是由你选择的。您可以使用 1-ffff(1-65535)。
所以，当你的 LAN 是 eth1，你的 DMZ 是 eth2，你的摄像头在 eth3 上，等等:

set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'

set service router-advert interface eth1 name-server '2001:4860:4860::8888'
set service router-advert interface eth1 name-server '2001:4860:4860::8844'
set service router-advert interface eth1 prefix 2001:470:xxxx:1::/64

set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64'

set service router-advert interface eth2 name-server '2001:4860:4860::8888'
set service router-advert interface eth2 name-server '2001:4860:4860::8844'
set service router-advert interface eth2 prefix 2001:470:xxxx:2::/64

set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64'

set service router-advert interface eth3 name-server '2001:4860:4860::8888'
set service router-advert interface eth3 name-server '2001:4860:4860::8844'
set service router-advert interface eth3 prefix 2001:470:xxxx:3::/64

请注意，“autonomous-flag”和“on-link-flag”是默认启用的，
“valid-lifetime”和“preferred-lifetime”的默认值
分别为 30 天和 4 小时。

12.7.6 防火墙

最后，不要忘记:ref:firewall。用法是相同的，除了用 ‘set firewall ipv6-name name‘代替 ‘set firewall ipv6-name name‘。

类似地，要附加防火墙，您可以使用 ‘set interfaces ethernet eth0 firewall in ipv6-name‘或 ‘set zone-policy zone
LOCAL from WAN firewall ipv6-name‘

12.8 高可用性演练

本文档将引导您完成两台 VyOS 机器的完整 HA 设置。本设计以虚拟机为主路由器，物理机为备份，采用

VRRP、BGP、OSPF 和 conntrack 共享。
本文档的目的是指导您完成所有设置，以便您和您能够重新启动任何计算机，并且不会丢失超过几秒的连
接。

12.8. 高可用性演练 604

 VyOS Documentation, 发布 1.4.x (sagitta)

12.8.1 设计

这是基于现实生活，在生产设计。其中一个复杂的问题是确保网络中有冗余数据。我们使用一对 Cisco Nexus

交换机，并使用跨它们的虚拟端口通道来实现这一点。这是一个额外的好处，还允许完全开关故障而不停
机。如何实现这一点留给读者练习，但我们的设置在这里有记录。

演练建议

commit 命令隐含在每个节之后。如果你犯了一个错误，commit 会警告你，你可以在做太多事情之前纠正

它。请确保你早承诺，多承诺。
如果您正在阅读本文档，强烈建议您完成整个文档，只执行 virtual router1 步骤，然后回来在备份硬件路由器
上再次阅读。
这样可以确保你不会跑得太快，或者错过一步。不过，现在在硬件路由器上配置固定 IP 地址和默认路由将
使您的生活更轻松。

示例网络

在本文档中，我们的上游提供商为我们分配了 203.0.113.0/24，我们正在 VLAN100 上发布。

他们想让我们从路由器 192.0.2.21 和 192.0.2.22 在 192.0.2.11 和 192.0.2.12 上建立一个 BGP 会话。他们是 AS
65550，我们是 AS65551。
我们的路由器将有一个 203.0.113.1 的浮动 IP 地址，并使用.2 和.3 作为它们的固定 IP。
我们将使用 10.200.201.0/24 作为 VLAN201 上的“内部”网络。
当流量来自 10.200.201.0/24 网络时，它将被伪装成 203.0.113.1
对于站点之间的连接，我们正在运行一个到两个远程路由器的 WireGuard 链接，并在这些链接上使用 OSPF
来分发路由。该远程站点预计将从 10.201.0.0/16 中的任何内容发送流量

VLANs

我们将使用以下 VLAN：
• 50: 上游，使用他们分配的 192.0.2.0/24 网络。
• 100:“公共”网络，使用我们的 203.0.113.0/24 网络。
• 201:“内部”网络，使用 10.200.201.0/24

硬件

• 交换机 1（Nexus 10gb 交换机）

• 交换机 2（Nexus 10gb 交换机）
• compute1 (VMware ESXi 6.5)
• compute2 (VMware ESXi 6.5)
• compute3 (VMware ESXi 6.5)
• 路由器 2（随机 1RU 机器，带 4 个 NIC）
请注意，router1 是一个在其中一个计算节点上运行的 VM。

12.8. 高可用性演练 605

 VyOS Documentation, 发布 1.4.x (sagitta)

网络布线

• 从数据中心-这连接到两个交换机上的端口 1，并标记为 VLAN 50

• Cisco VPC 交叉连接-端口 39 和 40 连接在每个交换机之间
• 硬件路由器-每个交换机的端口 8
• compute1 - 交换机的端口 9
• compute2 - 交换机的端口 10
• compute3 - 交换机的端口 11
这就忽略了额外的带外管理网络，它应该在完全不同的交换机上，并且在机架中有不同的馈送，超出了这个
范围。

注解: Our implementation uses VMware’s Distributed Port Groups, which allows VMware to use LACP. This is a
part of the ENTERPRISE licence, and is not available on a Free licence. If you are implementing this and do not have
access to DPGs, you should not use VMware, and use some other virtualization platform instead.

12.8.2 基本设置（通过控制台）

创建 router1 虚拟机，使其能够承受虚拟机主机故障或网络链接故障。使用 VMware，这是通过启用 vSphere

DRS、vSphere 可用性和创建使用 LACP 的分布式端口组来实现的。
许多其他虚拟机监控程序都会这样做，我希望本文档能够扩展到文档中，说明如何为其他人执行此操作。
创建一个“所有 VLAN”网络组，将所有集群流量传递到 VM。将此网络组作为 eth0 附加到路由器 1。

注解: VMware: 必须禁用此端口组的安全性。确保启用了 “Promiscuous Mode“、MAC address changes``和

``Forged transmits。所有这些都将作为故障转移的一部分来完成。

硬件路由器上的键合

在硬件路由器上创建 LACP 绑定。我们假设 eth0 和 eth1 连接到两个交换机上的端口 8，并且这些端口配置为

端口通道。

set interfaces bonding bond0 description 'Switch Port-Channel'

set interfaces bonding bond0 hash-policy 'layer2'
set interfaces bonding bond0 member interface 'eth0'
set interfaces bonding bond0 member interface 'eth1'
set interfaces bonding bond0 mode '802.3ad'

12.8. 高可用性演练 606

 VyOS Documentation, 发布 1.4.x (sagitta)

分配外部 IP 地址

VLAN 100 和 201 将具有浮动 IP 地址，但是 VLAN50 没有，因为这是直接与上游通信。在 vlan50 上创建我

们的 IP 地址。
对于硬件路由器，将 “eth0“替换为 “bond0“。由于（几乎）每个命令都是相同的，除非需要在不同的主机上执
行不同的操作，否则不会指定此命令。

set interfaces ethernet eth0 vif 50 address '192.0.2.21/24'

在这种情况下，硬件路由器具有不同的 IP，因此

set interfaces ethernet bond0 vif 50 address '192.0.2.22/24'

添加（临时）默认路由

假设上游提供的路由器能够充当默认路由器，并将其作为静态路由添加。

set protocols static route 0.0.0.0/0 next-hop 192.0.2.11

commit
save

启用 SSH

启用 SSH，这样您现在就可以 SSH 到路由器，而不是使用控制台。

set service ssh

commit
save

此时，您应该能够通过 SSH 连接到这两个控制台，并且不再需要访问控制台（除非您破坏了某些东西！）

12.8.3 VRRP 配置

我们正在设置 VRRP，这样当一台机器返回服务时它就不会发生故障，并且它优先考虑 router1 而不是 router2。

内部网络

它的浮动 IP 地址为 10.200.201.1/24，使用虚拟路由器 ID 201。它们之间的区别是接口名、hello 源地址和对

等地址。
路由器 1

set interfaces ethernet eth0 vif 201 address 10.200.201.2/24

set high-availability vrrp group int hello-source-address '10.200.201.2'
set high-availability vrrp group int interface 'eth0.201'
set high-availability vrrp group int peer-address '10.200.201.3'
set high-availability vrrp group int no-preempt
set high-availability vrrp group int priority '200'
set high-availability vrrp group int virtual-address '10.200.201.1/24'
set high-availability vrrp group int vrid '201'

路由器 2

12.8. 高可用性演练 607

 VyOS Documentation, 发布 1.4.x (sagitta)

set interfaces ethernet bond0 vif 201 address 10.200.201.3/24

set high-availability vrrp group int hello-source-address '10.200.201.3'
set high-availability vrrp group int interface 'bond0.201'
set high-availability vrrp group int peer-address '10.200.201.2'
set high-availability vrrp group int no-preempt
set high-availability vrrp group int priority '100'
set high-availability vrrp group int virtual-address '10.200.201.1/24'
set high-availability vrrp group int vrid '201'

公共网络

它的浮动 IP 地址为 203.0.113.1/24，使用虚拟路由器 ID 113。虚拟路由器 ID 只是一个介于 1 和 254 之间的随

机数，可以设置为您想要的任何值。最佳实践建议您在整个企业范围内保持它们的独特性。
路由器 1

set interfaces ethernet eth0 vif 100 address 203.0.113.2/24

set high-availability vrrp group public hello-source-address '203.0.113.2'
set high-availability vrrp group public interface 'eth0.100'
set high-availability vrrp group public peer-address '203.0.113.3'
set high-availability vrrp group public no-preempt
set high-availability vrrp group public priority '200'
set high-availability vrrp group public virtual-address '203.0.113.1/24'
set high-availability vrrp group public vrid '113'

路由器 2

set interfaces ethernet bond0 vif 100 address 203.0.113.3/24

set high-availability vrrp group public hello-source-address '203.0.113.3'
set high-availability vrrp group public interface 'bond0.100'
set high-availability vrrp group public peer-address '203.0.113.2'
set high-availability vrrp group public no-preempt
set high-availability vrrp group public priority '100'
set high-availability vrrp group public virtual-address '203.0.113.1/24'
set high-availability vrrp group public vrid '113'

创建 VRRP 同步组

同步组用于复制连接跟踪。它需要分配给一个随机的 VRRP 组，我们正在使用 VRRP 组 “int“创建一个名为

“sync“的同步组 “

set high-availability vrrp sync-group sync member 'int'

测试

此时，当运行 “show interfaces“时，您应该能够看到这两个 IP 地址，并且 “show vrrp“应该在主状态下显示这两

个接口（在 router2 上显示从状态）。

vyos@router1:~$ show vrrp

Name Interface VRID State Last Transition
-------- ----------- ------ ------- -----------------
int eth0.201 201 MASTER 100s
(下页继续)

12.8. 高可用性演练 608

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
public eth0.100 113 MASTER 200s
vyos@router1:~$

您应该能够 ping 到和从您分配的所有 ip。

12.8.4 NAT 和 conntrack 同步

来自 10.200.201.0/24 的伪装流量，该流量指向公共接口。

注解: 我们明确排除了主要的上游网络，这样 BGP 或 OSPF 流量就不会意外地被 NAT。

set nat source rule 10 destination address '!192.0.2.0/24'

set nat source rule 10 outbound-interface 'eth0.50'
set nat source rule 10 source address '10.200.201.0/24'
set nat source rule 10 translation address '203.0.113.1'

配置 conntrack 同步并禁用帮助程序

大多数 conntrack 模块会导致更多的问题，尤其是在复杂的网络中。默认情况下关闭它们，如果以后需要打

开它们，可以这样做。

set system conntrack modules ftp disable

set system conntrack modules gre disable
set system conntrack modules nfs disable
set system conntrack modules pptp disable
set system conntrack modules sip disable
set system conntrack modules tftp disable

现在启用节点之间的复制。将硬件路由器上的 eth0.201 替换为 bond0.201。

set service conntrack-sync accept-protocol 'tcp,udp,icmp'

set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism vrrp sync-group 'sync'
set service conntrack-sync interface eth0.201
set service conntrack-sync mcast-group '224.0.0.50'
set service conntrack-sync sync-queue-size '8'

测试

最简单的测试方法是使用命令 show conntrack sync statistics 查看备用硬件路由器上的连接跟踪统计数据。数字

应该非常接近主路由器上的数字。
当两个路由器都启动时，您应该能够建立一个从 NAT’ed 机器到 internet 的连接，重新启动活动机器，并且
该连接应该被保留，并且不会退出。

12.8. 高可用性演练 609

 VyOS Documentation, 发布 1.4.x (sagitta)

12.8.5 基于 Wireguard 的 OSPF

由于其设计，Wireguard 没有向上或向下链接的概念。这使得在网络传输中使用它变得复杂和简单，而对于
可靠的状态检测，您需要在链路中断时使用一些东西来检测。
如果您使用路由协议本身，您可以同时解决两个问题。这只是一个基本的例子，是作为一个起点提供的。

配置 Wireguard

有很多关于设置 Wireguard 的说明和文档。您需要记住的唯一重要的一点是，每个 OSPF 连接只能使用一个

WireGuard 接口。
对于点到点链接，我们使用 10.254.60/24 中的小/30。
路由器 1
用其他路由器的 IP 地址替换 203.0.113.3。

set interfaces wireguard wg01 address '10.254.60.1/30'

set interfaces wireguard wg01 description 'router1-to-offsite1'
set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key
,→'i360KoCwUGZvPq7e'

set interfaces wireguard wg01 ip ospf cost '11'

set interfaces wireguard wg01 ip ospf dead-interval '5'
set interfaces wireguard wg01 ip ospf hello-interval '1'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '1'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer OFFSITE1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer OFFSITE1 endpoint '203.0.113.3:50001'
set interfaces wireguard wg01 peer OFFSITE1 persistent-keepalive '15'
set interfaces wireguard wg01 peer OFFSITE1 pubkey 'GEFMOWzAyau42/
,→HwdwfXnrfHdIISQF8YHj35rOgSZ0o='

set interfaces wireguard wg01 port '50001'

场外 1
这是连接回 router1 的静态 IP，而不是浮动 IP。

set interfaces wireguard wg01 address '10.254.60.2/30'

set interfaces wireguard wg01 description 'offsite1-to-router1'
set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key
,→'i360KoCwUGZvPq7e'

set interfaces wireguard wg01 ip ospf cost '11'

set interfaces wireguard wg01 ip ospf dead-interval '5'
set interfaces wireguard wg01 ip ospf hello-interval '1'
set interfaces wireguard wg01 ip ospf network 'point-to-point'
set interfaces wireguard wg01 ip ospf priority '1'
set interfaces wireguard wg01 ip ospf retransmit-interval '5'
set interfaces wireguard wg01 ip ospf transmit-delay '1'
set interfaces wireguard wg01 peer ROUTER1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer ROUTER1 endpoint '192.0.2.21:50001'
set interfaces wireguard wg01 peer ROUTER1 persistent-keepalive '15'
set interfaces wireguard wg01 peer ROUTER1 pubkey 'CKwMV3ZaLntMule2Kd3G7UyVBR7zE8/
,→qoZgLb82EE2Q='

set interfaces wireguard wg01 port '50001'

12.8. 高可用性演练 610

 VyOS Documentation, 发布 1.4.x (sagitta)

测试 WireGuard

确保可以从两个路由器 ping 10.254.60.1 和.2。

Create Export Filter

我们只想出口我们知道我们应该出口的网络。始终将路由筛选器（导入和导出）白名单。一个好的经验法则
是 **“如果您不是网络的默认路由器，不要将其发布为”**。这意味着我们明确不想发布 192.0.2.0/24 网络
（但确实要宣传 10.200.201.0 和 203.0.113.0，这是我们的默认路由）
。此筛选器应用于 “redistribute connected“中。
如果我们要宣传它，远程机器将通过默认路由看到 192.0.2.21 可用，建立连接，然后 OSPF 会说“192.0.2.0/24
通过此隧道可用”，此时隧道将中断，OSPF 将丢弃路由，然后 192.0.2.0/24 将通过默认情况再次访问。这叫
“拍打” 。
set policy access-list 150 description 'Outbound OSPF Redistribution'
set policy access-list 150 rule 10 action 'permit'
set policy access-list 150 rule 10 destination any
set policy access-list 150 rule 10 source inverse-mask '0.0.0.255'
set policy access-list 150 rule 10 source network '10.200.201.0'
set policy access-list 150 rule 20 action 'permit'
set policy access-list 150 rule 20 destination any
set policy access-list 150 rule 20 source inverse-mask '0.0.0.255'
set policy access-list 150 rule 20 source network '203.0.113.0'
set policy access-list 150 rule 100 action 'deny'
set policy access-list 150 rule 100 destination any
set policy access-list 150 rule 100 source any

创建导入筛选器

我们只想导入我们知道的网络。我们的 OSPF 对等机应该只在 10.201.0.0/16 范围内的广告网络。请注意，这

是反向匹配。您在访问列表 100 中拒绝接受路由。
set policy access-list 100 description 'Inbound OSPF Routes from Peers'
set policy access-list 100 rule 10 action 'deny'
set policy access-list 100 rule 10 destination any
set policy access-list 100 rule 10 source inverse-mask '0.0.255.255'
set policy access-list 100 rule 10 source network '10.201.0.0'
set policy access-list 100 rule 100 action 'permit'
set policy access-list 100 rule 100 destination any
set policy access-list 100 rule 100 source any
set policy route-map PUBOSPF rule 100 action 'deny'
set policy route-map PUBOSPF rule 100 match ip address access-list '100'
set policy route-map PUBOSPF rule 500 action 'permit'

启用 OSPF

每个路由器 ** 都必须 ** 有一个唯一的路由器 id。之所以使用“参考带宽”

，是因为在最初设计 OSPF 时，链
路速度超过 1gbit 的想法是闻所未闻的，而且它不能正确扩展。
set protocols ospf area 0.0.0.0 authentication 'md5'
set protocols ospf area 0.0.0.0 network '10.254.60.0/24'
set protocols ospf auto-cost reference-bandwidth '10000'
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
(下页继续)

12.8. 高可用性演练 611

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set protocols ospf parameters router-id '10.254.60.2'
set protocols ospf route-map PUBOSPF

测试 OSPF

当您在两个路由器上都启用了 OSPF 时，您应该可以通过命令 “show ip OSPF neighbor“看到对方。状态必须为

“Full”或“2-Way”，如果不是，则表示主机之间存在网络连接问题。这通常是由 NAT 或 MTU 问题引起的。
在 “show ip route“的输出中不应该看到任何新路由（除非这是第二遍）

12.8.6 广告连接路由

需要提醒的是，只发布你作为默认路由器的路由。这就是为什么我们不宣布 192.0.2.0/24 网络，因为如果宣

布进入 OSPF，其他路由器将尝试连接到该网络通过隧道连接到该网络!

set protocols ospf access-list 150 export 'connected'

set protocols ospf redistribute connected

现在您应该能够看到另一台主机上发布的网络。

重复的配置

在这个桥上，你现在需要创建所有四个路由器之间的 X 链接。每个链接使用不同的/30。

优先级

设置从链路的开销值为 200。这意味着除非主链接断开，否则它们不会被使用。

set interfaces wireguard wg01 ip ospf cost '10'

set interfaces wireguard wg02 ip ospf cost '200'

这将在 “show ip route“中可见。

12.8.7 BGP

BGP 是一种极其复杂的网络协议。这里提供了一个示例。

注解: 路由器 id 必须是唯一的。

路由器 1
“redistribute ospf“命令纯粹是作为如何扩展的一个例子。在本演练中，它将被 BGPOUT 规则 10000 过滤，因
为它不是 203.0.113.0/24。

set policy prefix-list BGPOUT description 'BGP Export List'

set policy prefix-list BGPOUT rule 10 action 'deny'
set policy prefix-list BGPOUT rule 10 description 'Do not advertise short masks'
set policy prefix-list BGPOUT rule 10 ge '25'
set policy prefix-list BGPOUT rule 10 prefix '0.0.0.0/0'
(下页继续)

12.8. 高可用性演练 612

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
set policy prefix-list BGPOUT rule 100 action 'permit'
set policy prefix-list BGPOUT rule 100 description 'Our network'
set policy prefix-list BGPOUT rule 100 prefix '203.0.113.0/24'
set policy prefix-list BGPOUT rule 10000 action 'deny'
set policy prefix-list BGPOUT rule 10000 prefix '0.0.0.0/0'
set policy route-map BGPOUT description 'BGP Export Filter'
set policy route-map BGPOUT rule 10 action 'permit'
set policy route-map BGPOUT rule 10 match ip address prefix-list 'BGPOUT'
set policy route-map BGPOUT rule 10000 action 'deny'
set policy route-map BGPPREPENDOUT description 'BGP Export Filter'
set policy route-map BGPPREPENDOUT rule 10 action 'permit'
set policy route-map BGPPREPENDOUT rule 10 set as-path-prepend '65551 65551 65551'
set policy route-map BGPPREPENDOUT rule 10 match ip address prefix-list 'BGPOUT'
set policy route-map BGPPREPENDOUT rule 10000 action 'deny'
set protocols bgp 65551 address-family ipv4-unicast network 192.0.2.0/24
set protocols bgp 65551 address-family ipv4-unicast redistribute connected metric '50'
set protocols bgp 65551 address-family ipv4-unicast redistribute ospf metric '50'
set protocols bgp 65551 neighbor 192.0.2.11 address-family ipv4-unicast route-map␣
,→export 'BGPOUT'

set protocols bgp 65551 neighbor 192.0.2.11 address-family ipv4-unicast soft-

,→reconfiguration inbound

set protocols bgp 65551 neighbor 192.0.2.11 remote-as '65550'

set protocols bgp 65551 neighbor 192.0.2.11 update-source '192.0.2.21'
set protocols bgp 65551 parameters router-id '192.0.2.21'

路由器 2
这是相同的，但是使用 BGPPREPENDOUT route-map 来发布更长的路径。

12.9 WAN 负载均衡器示例

12.9.1 例 1: 负载均匀分配

本例中使用的设置如下图所示:

12.9. WAN 负载均衡器示例 613

 VyOS Documentation, 发布 1.4.x (sagitta)

概述

• 所有来自 eth2 的流量都在路由器的 eth0 和 eth1 之间进行均衡。

• ping 将被发送到四个目标进行健康测试 (33.44.55.66、44.55.66.77、55.66.77.88 和 66.77.88.99)。
• 所有发送的数据包都被分配为指定接口的源地址 (SNAT)。
• eth0 设置为 5 次 ping 失败后从负载均衡器接口池移除，eth1 设置为 4 次 ping 失败后被移除。

12.9. WAN 负载均衡器示例 614

 VyOS Documentation, 发布 1.4.x (sagitta)

创建到 ping 目标的静态路由

创建静态路由，通过两个 isp 到达 ping 目标，并提交更改:

set protocols static route 33.44.55.66/32 next-hop 11.22.33.1

set protocols static route 44.55.66.77/32 next-hop 11.22.33.1
set protocols static route 55.66.77.88/32 next-hop 22.33.44.1
set protocols static route 66.77.88.99/32 next-hop 22.33.44.1

配置负载均衡器

使用上述参数配置广域网负载均衡器:

set load-balancing wan interface-health eth0 failure-count 5

set load-balancing wan interface-health eth0 nexthop 11.22.33.1
set load-balancing wan interface-health eth0 test 10 type ping
set load-balancing wan interface-health eth0 test 10 target 33.44.55.66
set load-balancing wan interface-health eth0 test 20 type ping
set load-balancing wan interface-health eth0 test 20 target 44.55.66.77
set load-balancing wan interface-health eth1 failure-count 4
set load-balancing wan interface-health eth1 nexthop 22.33.44.1
set load-balancing wan interface-health eth1 test 10 type ping
set load-balancing wan interface-health eth1 test 10 target 55.66.77.88
set load-balancing wan interface-health eth1 test 20 type ping
set load-balancing wan interface-health eth1 test 20 target 66.77.88.99
set load-balancing wan rule 10 inbound-interface eth2
set load-balancing wan rule 10 interface eth0
set load-balancing wan rule 10 interface eth1

12.9.2 例 2: 基于接口权重的故障切换

本例使用 failover 模式。

概述

在本例中，eth0 是主要接口，eth1 是提供简单故障转移功能的辅助接口。如果 eth0 故障，则 eth1 接管。

创建基于接口权重的配置

配置步骤与前面的示例相同，除了第 10 条规则，因此我们保留配置，删除第 10 条规则，并为故障转移模式

添加一条新规则:

delete load-balancing wan rule 10

set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface eth2
set load-balancing wan rule 10 interface eth0 weight 10
set load-balancing wan rule 10 interface eth1 weight 1

12.9. WAN 负载均衡器示例 615

 VyOS Documentation, 发布 1.4.x (sagitta)

12.9.3 例 3: 基于规则顺序的故障转移

前面的示例使用故障转移命令在 eth0 失败时通过 eth1 发送通信。在本例中，故障转移功能是由规则顺序提

供的。

概述

将创建两条规则，第一条规则将来自 eth2 的流量引导到 eth0，第二条规则将流量引导到 eth1。如果 eth0 失

败，则跳过第一个规则，第二个规则匹配，将流量引导到 eth1。

创建基于规则顺序的配置

我们保留前面示例中的配置，删除规则 10 并创建两个新规则，如下所述:

delete load-balancing wan rule 10

set load-balancing wan rule 10 inbound-interface eth2
set load-balancing wan rule 10 interface eth0
set load-balancing wan rule 20 inbound-interface eth2
set load-balancing wan rule 20 interface eth1

12.9.4 例 4: 基于规则顺序优先级的流量的故障转移

在二级链路速度较低且只承载高优先级流量的情况下，流量优先级规则顺序是有用的。本例假设 eth1 连接的

连接比 eth0 慢，因此应该优先处理 VoIP 流量。

概述

在二级链路速度较低且只承载高优先级流量的情况下，流量优先级规则顺序是有用的。本例假设 eth1 连接的

连接比 eth0 慢，因此应该优先处理 VoIP 流量。

创建基于规则顺序的低速从链路配置

我们保留前面示例中的配置，删除规则 20 并创建一个新的规则，如下所示:

delete load-balancing wan rule 20

set load-balancing wan rule 20 inbound-interface eth2
set load-balancing wan rule 20 interface eth1
set load-balancing wan rule 20 destination port sip
set load-balancing wan rule 20 protocol tcp
set protocols static route 0.0.0.0/0 next-hop 11.22.33.1

12.9. WAN 负载均衡器示例 616

 VyOS Documentation, 发布 1.4.x (sagitta)

12.9.5 例 5: 排除负载分担

在这个例子中，两个 LAN 接口存在于不同的子网中，而不是像前面的例子一样存在于一个子网中:

为第二个接口添加规则

根据前面的示例，另一个来自第二个接口 eth3 的流量规则可以添加到负载均衡器中。但是，打算在 LAN 子

网之间流动的通信也将发送到 eth0 和 eth1。为了防止这种情况发生，需要另一条规则。本子网间的流量不能
进入负载均衡器。它还排除本地源数据包 (具有负载均衡的 web 缓存所必需的)。eth+ 是所有以太网接口的别
名:

set load-balancing wan rule 5 exclude

set load-balancing wan rule 5 inbound-interface eth+
set load-balancing wan rule 5 destination address 10.0.0.0/8

12.9. WAN 负载均衡器示例 617

 VyOS Documentation, 发布 1.4.x (sagitta)

12.10 家庭网络 PPPoE IPv6 基本配置

本文档主要介绍 PPPoE 与 DHCPv6-PD + SLAAC 的基本搭建，搭建一个典型的家庭网络。用户可以按照这

里描述的步骤快速设置工作网络，并以此作为起点进一步配置或微调其他设置。
要实现这一点，您的 ISP 必须支持 DHCPv6-PD。如果您不确定，请联系您的 ISP 获取更多信息。

12.10.1 网络拓扑

12.10.2 配置

PPPoE 安装

set interfaces pppoe pppoe0 authentication password <YOUR PASSWORD>

set interfaces pppoe pppoe0 authentication user <YOUR USERNAME>
set interfaces pppoe pppoe0 service-name <YOUR SERVICENAME>
set interfaces pppoe pppoe0 source-interface 'eth0'

• 用 ISP 提供的凭据填写 “password“和 “user“。

• service-name 可以是任意字符串。

DHCPv6-PD 安装

ISP 在配置地址时，除了为 WAN 接口分配地址外，还提供了一个前缀，允许路由器配置 LAN 接口和其他连

接 LAN 的节点的地址，称为前缀委派 (prefix delegation)。

set interfaces pppoe pppoe0 ipv6 address autoconf

set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100'

• 这里我们使用 prefix 来配置 eth1 (LAN) 的地址，以形成 “<prefix>::64“，其中 “<prefix>::64“是地址 100 的

十六进制。
• 对于家庭网络用户，ISP 通常只提供/64 前缀，因此不需要设置 SLA ID 和前缀长度。参见:ref:‘pppoe-
interface‘获取更多信息。

12.10. 家庭网络 PPPoE IPv6 基本配置 618

 VyOS Documentation, 发布 1.4.x (sagitta)

路由器广告

我们需要在局域网中启用路由器广告功能，使 PC 能够接收到前缀并使用 SLAAC 自动配置地址。

set service router-advert interface eth1 link-mtu '1492'

set service router-advert interface eth1 name-server <NAME SERVER>
set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'

• 由于 PPPoE 报文头的开销，在 advertisement 中将 MTU 设置为 1492。

• 在通告中设置 DNS 服务器地址，使客户端可以通过 RDNSS 选项获取。大多数操作系统 (Windows、
Linux、Mac) 应该已经支持它了。
• 这里我们将前缀设置为 “::/64“，以表示发布 LAN 接口分配的任何/64 前缀。
• 由于一些网络服务供应商每 2~3 天就会断开连续的连接，所以我们将“有效-寿命”设置为 2 天，以允
许电脑逐步淘汰旧的地址。

基本的防火墙

要有基本的保护，同时保持 IPv6 网络功能，我们需要:

• 允许路由器和局域网的所有建立和相关的通信
• 允许所有的 icmpv6 包为路由器和局域网
• 允许 DHCPv6 报文进入路由器

set firewall ipv6-name WAN_IN default-action 'drop'

set firewall ipv6-name WAN_IN rule 10 action 'accept'
set firewall ipv6-name WAN_IN rule 10 state established 'enable'
set firewall ipv6-name WAN_IN rule 10 state related 'enable'
set firewall ipv6-name WAN_IN rule 20 action 'accept'
set firewall ipv6-name WAN_IN rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN_LOCAL default-action 'drop'
set firewall ipv6-name WAN_LOCAL rule 10 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 10 state established 'enable'
set firewall ipv6-name WAN_LOCAL rule 10 state related 'enable'
set firewall ipv6-name WAN_LOCAL rule 20 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN_LOCAL rule 30 action 'accept'
set firewall ipv6-name WAN_LOCAL rule 30 destination port '546'
set firewall ipv6-name WAN_LOCAL rule 30 protocol 'udp'
set firewall ipv6-name WAN_LOCAL rule 30 source port '547'
set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN'
set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL'

说明为了让路由器能够接收 ISP 的 DHCPv6 响应，需要允许源端口号为 547(服务器)、目的端口号为 546(客

户端) 的报文通过。

12.10. 家庭网络 PPPoE IPv6 基本配置 619

 CHAPTER 13

Contributing

13.1 Build VyOS

13.1.1 Prerequisites

There are different ways you can build VyOS.

Building using a Docker container, although not the only way, is the easiest way as all dependencies are managed for you.
However, you can also set up your own build machine and run a Native Build.

注解: Starting with VyOS 1.2 the release model of VyOS has changed. VyOS is now free as in speech, but not as
in beer. This means that while VyOS is still an open source project, the release ISOs are no longer free and can only be
obtained via subscription, or by contributing to the community.
The source code remains public and an ISO can be built using the process outlined in this chapter.

This will guide you though the process of building a VyOS ISO using Docker. This process has been tested on clean
installs of Debian Jessie, Stretch, and Buster.

Docker

Installing Docker and prerequisites:

$ sudo apt-get update

$ sudo apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-
,→properties-common

$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -

$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian
,→$(lsb_release -cs) stable"

$ sudo apt-get update

$ sudo apt-get install -y docker-ce

620
 VyOS Documentation, 发布 1.4.x (sagitta)

To be able to use Docker without sudo, the current non-root user must be added to the docker group by calling: sudo
usermod -aG docker yourusername.

提示: Doing so grants privileges equivalent to the root user! It is recommended to remove the non-root user from the
docker group after building the VyOS ISO. See also Docker as non-root.

注解: The build process needs to be built on a local file system, building on SMB or NFS shares will result in the container
failing to build properly! VirtualBox Drive Share is also not an option as block device operations are not implemented
and the drive is always mounted as “nodev”

Build Container

The container can built by hand or by fetching the pre-built one from DockerHub. Using the pre-built containers from
the VyOS DockerHub organisation will ensure that the container is always up-to-date. A rebuild is triggered once the
container changes (please note this will take 2-3 hours after pushing to the vyos-build repository).

Dockerhub

To manually download the container from DockerHub, run:

$ docker pull vyos/vyos-build:crux # For VyOS 1.2

$ docker pull vyos/vyos-build:current # For rolling release

Build from source

The container can also be built directly from source:

# For VyOS 1.2 (crux)

$ git clone -b crux --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.3 (equuleus, current)
$ git clone -b current --single-branch https://github.com/vyos/vyos-build

$ cd vyos-build
$ docker build -t vyos/vyos-build:crux docker # For VyOS 1.2
$ docker build -t vyos/vyos-build:current docker # For rolling release

注解: Since VyOS has switched to Debian (10) Buster in its current branch, you will require individual container for
current and crux builds.

13.1. Build VyOS 621

 VyOS Documentation, 发布 1.4.x (sagitta)

Tips and Tricks

You can create yourself some handy Bash aliases to always launch the latest - per release train (current or crux) - container.
Add the following to your .bash_aliases file:

alias vybld='docker pull vyos/vyos-build:current && docker run --rm -it \

-v "$(pwd)":/vyos \
-v "$HOME/.gitconfig":/etc/gitconfig \
-v "$HOME/.bash_aliases":/home/vyos_bld/.bash_aliases \
-v "$HOME/.bashrc":/home/vyos_bld/.bashrc \
-w /vyos --privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 \
-e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) \
vyos/vyos-build:current bash'

alias vybld_crux='docker pull vyos/vyos-build:crux && docker run --rm -it \

-v "$(pwd)":/vyos \
-v "$HOME/.gitconfig":/etc/gitconfig \
-v "$HOME/.bash_aliases":/home/vyos_bld/.bash_aliases \
-v "$HOME/.bashrc":/home/vyos_bld/.bashrc \
-w /vyos --privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 \
-e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) \
vyos/vyos-build:crux bash'

Now you are prepared with two new aliases vybld and vybld_crux to spawn your development containers in your
current working directory.

Native Build

To build VyOS natively you require a properly configured build host with the following Debian versions installed:
• Debian Jessie for VyOS 1.2 (crux)
• Debian Buster for VyOS 1.3 (equuleus, current) - aka the rolling release
To start, clone the repository to your local machine:

# For VyOS 1.2 (crux)

$ git clone -b crux --single-branch https://github.com/vyos/vyos-build

# For VyOS 1.3 (equuleus, current)

$ git clone -b current --single-branch https://github.com/vyos/vyos-build

For the packages required, you can refer to the docker/Dockerfile file in the repository. The ./configure
script will also warn you if any dependencies are missing.
Once you have the required dependencies installed, you may proceed with the steps described in Build ISO.

13.1. Build VyOS 622

 VyOS Documentation, 发布 1.4.x (sagitta)

13.1.2 Build ISO

Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch
the latest source code from GitHub. Please note as this will differ for both current and crux.
# For VyOS 1.2 (crux)
$ git clone -b crux --single-branch https://github.com/vyos/vyos-build

# For VyOS 1.3 (equuleus, current)

$ git clone -b current --single-branch https://github.com/vyos/vyos-build

Now a fresh build of the VyOS ISO can begin. Change directory to the vyos-build directory and run:
$ cd vyos-build
# For VyOS 1.2 (crux)
$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:crux bash

# For VyOS 1.3 (equuleus, current)

$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current␣
,→bash

Start the build:

vyos_bld@d4220bb519a0:/vyos# ./configure --architecture amd64 --build-by "j.
,→[email protected]"

vyos_bld@d4220bb519a0:/vyos# sudo make iso

When the build is successful, the resulting iso can be found inside the build directory as
live-image-[architecture].hybrid.iso.
Good luck!

提示: Attempting to use the Docker build image on MacOS will fail as Docker does not expose all the filesystem feature
required to the container. Building within a VirtualBox server on Mac however possible.

提示: Building VyOS on Windows WSL2 with Docker integrated into WSL2 will work like a charm. No problems are
known so far!

Customize

This ISO can be customized with the following list of configure options. The full and current list can be generated with
./configure --help:
$ ./configure --help
usage: configure [-h] [--architecture ARCHITECTURE] [--build-by BUILD_BY]
[--debian-mirror DEBIAN_MIRROR]
[--debian-security-mirror DEBIAN_SECURITY_MIRROR]
[--pbuilder-debian-mirror PBUILDER_DEBIAN_MIRROR]
[--vyos-mirror VYOS_MIRROR] [--build-type BUILD_TYPE]
[--version VERSION] [--build-comment BUILD_COMMENT] [--debug]
[--custom-apt-entry CUSTOM_APT_ENTRY]
[--custom-apt-key CUSTOM_APT_KEY]
[--custom-package CUSTOM_PACKAGE]
(下页继续)

13.1. Build VyOS 623

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

optional arguments:
-h, --help show this help message and exit
--architecture ARCHITECTURE
Image target architecture (amd64 or i386 or armhf)
--build-by BUILD_BY Builder identifier (e.g. [email protected])
--debian-mirror DEBIAN_MIRROR
Debian repository mirror for ISO build
--debian-security-mirror DEBIAN_SECURITY_MIRROR
Debian security updates mirror
--pbuilder-debian-mirror PBUILDER_DEBIAN_MIRROR
Debian repository mirror for pbuilder env bootstrap
--vyos-mirror VYOS_MIRROR
VyOS package mirror
--build-type BUILD_TYPE
Build type, release or development
--version VERSION Version number (release builds only)
--build-comment BUILD_COMMENT
Optional build comment
--debug Enable debug output
--custom-apt-entry CUSTOM_APT_ENTRY
Custom APT entry
--custom-apt-key CUSTOM_APT_KEY
Custom APT key file
--custom-package CUSTOM_PACKAGE
Custom package to install from repositories

ISO Build Issues

There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the back-
ground. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less
similar looking error message:

The following packages have unmet dependencies:

vyos-1x : Depends: accel-ppp but it is not installable
E: Unable to correct problems, you have held broken packages.
P: Begin unmounting filesystems...
P: Saving caches...
Reading package lists...
Building dependency tree...
Reading state information...
Del frr-pythontools 7.5-20210215-00-g8a5d3b7cd-0 [38.9 kB]
Del accel-ppp 1.12.0-95-g59f8e1b [475 kB]
Del frr 7.5-20210215-00-g8a5d3b7cd-0 [2671 kB]
Del frr-snmp 7.5-20210215-00-g8a5d3b7cd-0 [55.1 kB]
Del frr-rpki-rtrlib 7.5-20210215-00-g8a5d3b7cd-0 [37.3 kB]
make: *** [Makefile:30: iso] Error 1
(10:13) vyos_bld ece068908a5b:/vyos [current] #

To debug the build process and gain additional information of what could be the root cause wou need to chroot into the
build directry. This is explained in the following step by step procedure:

vyos_bld ece068908a5b:/vyos [current] # sudo chroot build/chroot /bin/bash

We now need to mount some required, volatile filesystems

13.1. Build VyOS 624

 VyOS Documentation, 发布 1.4.x (sagitta)

(live)root@ece068908a5b:/# mount -t proc none /proc

(live)root@ece068908a5b:/# mount -t sysfs none /sys
(live)root@ece068908a5b:/# mount -t devtmpfs none /dev

We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after
updating the repository.

(live)root@ece068908a5b:/# apt-get update; apt-get install vyos-1x

Get:1 file:/root/packages ./ InRelease
Ign:1 file:/root/packages ./ InRelease
Get:2 file:/root/packages ./ Release [1235 B]
Get:2 file:/root/packages ./ Release [1235 B]
Get:3 file:/root/packages ./ Release.gpg
Ign:3 file:/root/packages ./ Release.gpg
Hit:4 http://repo.powerdns.com/debian buster-rec-43 InRelease
Hit:5 http://repo.saltstack.com/py3/debian/10/amd64/archive/3002.2 buster InRelease
Hit:6 http://deb.debian.org/debian bullseye InRelease
Hit:7 http://deb.debian.org/debian buster InRelease
Hit:8 http://deb.debian.org/debian-security buster/updates InRelease
Hit:9 http://deb.debian.org/debian buster-updates InRelease
Hit:10 http://deb.debian.org/debian buster-backports InRelease
Hit:11 http://dev.packages.vyos.net/repositories/current current InRelease
Reading package lists... Done
N: Download is performed unsandboxed as root as file '/root/packages/./InRelease'␣
,→couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Reading package lists... Done

Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:

vyos-1x : Depends: accel-ppp but it is not installable
E: Unable to correct problems, you have held broken packages.

Now it’s time to fix the package mirror and rerun the last step until the package installation succeeds again!

Linux Kernel

The Linux kernel used by VyOS is heavily tied to the ISO build process. The file data/defaults.json hosts a JSON
definition of the kernel version used kernel_version and the kernel_flavor of the kernel which represents the
kernel’s LOCAL_VERSION. Both together form the kernel version variable in the system:

vyos@vyos:~$ uname -r
4.19.146-amd64-vyos

Other packages (e.g. vyos-1x) add dependencies to the ISO build procedure on e.g. the wireguard-modules package
which itself adds a dependency on the kernel version used due to the module it ships. This may change (for WireGuard)
in future kernel releases but as long as we have out-of-tree modules.
• WireGuard
• Accel-PPP

13.1. Build VyOS 625

 VyOS Documentation, 发布 1.4.x (sagitta)

• Intel NIC drivers

• Inter QAT
Each of those modules holds a dependency on the kernel version and if you are lucky enough to receive an ISO build error
which sounds like:

I: Create initramfs if it does not exist.

Extra argument '4.19.146-amd64-vyos'
Usage: update-initramfs {-c|-d|-u} [-k version] [-v] [-b directory]
Options:
-k version Specify kernel version or 'all'
-c Create a new initramfs
-u Update an existing initramfs
-d Remove an existing initramfs
-b directory Set alternate boot directory
-v Be verbose
See update-initramfs(8) for further details.
E: config/hooks/live/17-gen_initramfs.chroot failed (exit non-zero). You should check␣
,→for errors.

The most obvious reasons could be:

• vyos-build repo is outdated, please git pull to update to the latest release kernel version from us.
• You have your own custom kernel *.deb packages in the packages folder but neglected to create all required out-of
tree modules like Accel-PPP, WireGuard, Intel QAT, Intel NIC

Building The Kernel

The kernel build is quite easy, most of the required steps can be found in the vyos-build/packages/
linux-kernel/Jenkinsfile but we will walk you through it.
Clone the kernel source to vyos-build/packages/linux-kernel/:

$ cd vyos-build/packages/linux-kernel/
$ git clone https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Check out the required kernel version - see vyos-build/data/defaults.json file (example uses kernel
4.19.146):

$ cd vyos-build/packages/linux-kernel/linux
$ git checkout v4.19.146
Checking out files: 100% (61536/61536), done.
Note: checking out 'v4.19.146'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

git checkout -b <new-branch-name>

HEAD is now at 015e94d0e37b Linux 4.19.146

13.1. Build VyOS 626

 VyOS Documentation, 发布 1.4.x (sagitta)

Now we can use the helper script build-kernel.sh which does all the necessary voodoo by apply-
ing required patches from the vyos-build/packages/linux-kernel/patches folder, copying our kernel configuration
x86_64_vyos_defconfig to the right location, and finally building the Debian packages.

注解: Building the kernel will take some time depending on the speed and quantity of your CPU/cores and disk speed.
Expect 20 minutes (or even longer) on lower end hardware.

(18:59) vyos_bld 412374ca36b8:/vyos/vyos-build/packages/linux-kernel [current] # ./

,→build-kernel.sh

I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source

I: Apply Kernel patch: /vyos/vyos-build/packages/linux-kernel/patches/kernel/0001-
,→VyOS-Add-linkstate-IP-device-attribute.patch

patching file Documentation/networking/ip-sysctl.txt

patching file include/linux/inetdevice.h
patching file include/linux/ipv6.h
patching file include/uapi/linux/ip.h
patching file include/uapi/linux/ipv6.h
patching file net/ipv4/devinet.c
Hunk #1 succeeded at 2319 (offset 1 line).
patching file net/ipv6/addrconf.c
patching file net/ipv6/route.c
I: Apply Kernel patch: /vyos/vyos-build/packages/linux-kernel/patches/kernel/0002-
,→VyOS-add-inotify-support-for-stackable-filesystems-o.patch

patching file fs/notify/inotify/Kconfig

patching file fs/notify/inotify/inotify_user.c
patching file fs/overlayfs/super.c
Hunk #2 succeeded at 1713 (offset 9 lines).
Hunk #3 succeeded at 1739 (offset 9 lines).
Hunk #4 succeeded at 1762 (offset 9 lines).
patching file include/linux/inotify.h
I: Apply Kernel patch: /vyos/vyos-build/packages/linux-kernel/patches/kernel/0003-RFC-
,→builddeb-add-linux-tools-package-with-perf.patch

patching file scripts/package/builddeb

I: make x86_64_vyos_defconfig
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/conf.o
YACC scripts/kconfig/zconf.tab.c
LEX scripts/kconfig/zconf.lex.c
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
#
# configuration written to .config
#
I: Generate environment file containing Kernel variable
I: Build Debian Kernel package
UPD include/config/kernel.release
/bin/sh ./scripts/package/mkdebian
dpkg-buildpackage -r"fakeroot -u" -a$(cat debian/arch) -b -nc -uc
dpkg-buildpackage: info: source package linux-4.19.146-amd64-vyos
dpkg-buildpackage: info: source version 4.19.146-1
dpkg-buildpackage: info: source distribution buster
dpkg-buildpackage: info: source changed by vyos_bld <[email protected]>
dpkg-buildpackage: info: host architecture amd64
dpkg-buildpackage: warning: debian/rules is not executable; fixing that
dpkg-source --before-build .
debian/rules build
(下页继续)

13.1. Build VyOS 627

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
make KERNELRELEASE=4.19.146-amd64-vyos ARCH=x86 KBUILD_BUILD_VERSION=1 KBUILD_
,→SRC=

SYSTBL arch/x86/include/generated/asm/syscalls_32.h

...

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: binaries to analyze should already be installed in their␣

,→package's directory

dpkg-shlibdeps: warning: package could avoid a useless dependency if /vyos/vyos-build/

,→packages/linux-kernel/linux/debian/toolstmp/usr/bin/trace /vyos/vyos-build/packages/

,→linux-kernel/linux/debian/toolstmp/usr/bin/perf were not linked against libcrypto.

,→so.1.1 (they use none of the library's symbols)

dpkg-shlibdeps: warning: package could avoid a useless dependency if /vyos/vyos-build/

,→packages/linux-kernel/linux/debian/toolstmp/usr/bin/trace /vyos/vyos-build/packages/

,→linux-kernel/linux/debian/toolstmp/usr/bin/perf were not linked against libcrypt.so.

,→1 (they use none of the library's symbols)

dpkg-deb: building package 'linux-tools-4.19.146-amd64-vyos' in '../linux-tools-4.19.

,→146-amd64-vyos_4.19.146-1_amd64.deb'.

dpkg-genbuildinfo --build=binary
dpkg-genchanges --build=binary >../linux-4.19.146-amd64-vyos_4.19.146-1_amd64.changes
dpkg-genchanges: warning: package linux-image-4.19.146-amd64-vyos-dbg in control file␣
,→but not in files list

dpkg-genchanges: info: binary-only upload (no source code included)

dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)

In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process,
by placing all the *.deb files in the vyos-build/packages folder where they will be used automatically when building VyOS
as documented above.

13.1. Build VyOS 628

 VyOS Documentation, 发布 1.4.x (sagitta)

Firmware

If you upgrade your kernel or include new drivers you may need new firmware. Build a new vyos-linux-firmware
package with the included helper scripts.

$ cd vyos-build/packages/linux-kernel
$ git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.
,→git

$ ./build-linux-firmware.sh
$ cp vyos-linux-firmware_*.deb ../

This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files
you can add them manually to vyos-build/packages/linux-kernel/build-linux-firmware.sh:

ADD_FW_FILES="iwlwifi* ath11k/QCA6390/*/*.bin"

Building Out-Of-Tree Modules

Building the kernel is one part, but now you also need to build the required out-of-tree modules so everything is lined
up and the ABIs match. To do so, you can again take a look at vyos-build/packages/linux-kernel/
Jenkinsfile to see all of the required modules and their selected versions. We will show you how to build all the
current required modules.

WireGuard

First, clone the source code and check out the appropriate version by running:

$ cd vyos-build/packages/linux-kernel
$ git clone https://salsa.debian.org/debian/wireguard-linux-compat.git
$ cd wireguard-linux-compat
$ git checkout debian/1.0.20200712-1_bpo10+1

We again make use of a helper script and some patches to make the build work. Just run the following command:

$ cd vyos-build/packages/linux-kernel
$ ./build-wireguard-modules.sh
I: Apply WireGuard patch: /vyos/packages/linux-kernel/patches/wireguard-linux-compat/
,→0001-Debian-build-wireguard-modules-package.patch

patching file debian/control

patching file debian/rules
I: Build Debian WireGuard package
dpkg-buildpackage: info: source package wireguard-linux-compat
dpkg-buildpackage: info: source version 1.0.20200712-1~bpo10+1
dpkg-buildpackage: info: source distribution buster-backports
dpkg-buildpackage: info: source changed by Unit 193 <[email protected]>
dpkg-buildpackage: info: host architecture amd64
dpkg-source --before-build .
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 0001-Makefile-do-not-use-git-to-get-version-number.patch
dpkg-source: info: applying 0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.
,→patch

...
(下页继续)

13.1. Build VyOS 629

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

dpkg-genchanges: info: binary-only upload (no source code included)

debian/rules clean
dh clean
dh_clean
dpkg-source --after-build .
dpkg-source: info: unapplying 0002-Avoid-trying-to-compile-on-debian-5.5-kernels-
,→Closes.patch

dpkg-source: info: unapplying 0001-Makefile-do-not-use-git-to-get-version-number.patch

dpkg-buildpackage: info: binary-only upload (no source included)

After compiling the packages you will find yourself the newly generated *.deb binaries in vyos-build/packages/
linux-kernel from which you can copy them to the vyos-build/packages folder for inclusion during the ISO
build.

Accel-PPP

First, clone the source code and check out the appropriate version by running:

$ cd vyos-build/packages/linux-kernel
$ git clone https://github.com/accel-ppp/accel-ppp.git

We again make use of a helper script and some patches to make the build work. Just run the following command:

$ ./build-accel-ppp.sh
I: Build Accel-PPP Debian package
CMake Deprecation Warning at CMakeLists.txt:3 (cmake_policy):
The OLD behavior for policy CMP0003 will be removed from a future version
of CMake.

The cmake-policies(7) manual explains that the OLD behaviors of all

policies are deprecated and that a policy should be set to OLD only under
specific short-term circumstances. Projects should be ported to the NEW
behavior and not rely on setting a policy to OLD.

-- The C compiler identification is GNU 8.3.0

...

CPack: Create package using DEB

CPack: Install projects
CPack: - Run preinstall target for: accel-ppp
CPack: - Install project: accel-ppp
CPack: Create package
CPack: - package: /vyos/vyos-build/packages/linux-kernel/accel-ppp/build/accel-ppp.
,→deb generated.

After compiling the packages you will find yourself the newly generated *.deb binaries in vyos-build/packages/
linux-kernel from which you can copy them to the vyos-build/packages folder for inclusion during the ISO
build.

13.1. Build VyOS 630

 VyOS Documentation, 发布 1.4.x (sagitta)

Intel NIC

The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile
them.
Simply use our wrapper script to build all of the driver modules.
./build-intel-drivers.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 490k 100 490k 0 0 648k 0 --:--:-- --:--:-- --:--:-- 648k
I: Compile Kernel module for Intel ixgbe driver

...

I: Building Debian package vyos-intel-iavf

Doing `require 'backports'` is deprecated and will not load any backport in the next␣
,→major release.

Require just the needed backports instead, or 'backports/latest'.

Debian packaging tools generally labels all files in /etc as config files, as␣
,→mandated by policy, so fpm defaults to this behavior for deb packages. You can␣

,→disable this default behavior with --deb-no-default-config-files flag {:level=>

,→:warn}

Created package {:path=>"vyos-intel-iavf_4.0.1-0_amd64.deb"}

I: Cleanup iavf source

After compiling the packages you will find yourself the newly generated *.deb binaries in vyos-build/packages/
linux-kernel from which you can copy them to the vyos-build/packages folder for inclusion during the ISO
build.

Intel QAT

The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs
from 01.org, Intel’s open-source website.
Simply use our wrapper script to build all of the driver modules.
$ ./build-intel-qat.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5065k 100 5065k 0 0 1157k 0 0:00:04 0:00:04 --:--:-- 1157k
I: Compile Kernel module for Intel qat driver
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes

...

I: Building Debian package vyos-intel-qat

Doing `require 'backports'` is deprecated and will not load any backport in the next␣
,→major release.

Require just the needed backports instead, or 'backports/latest'.

Debian packaging tools generally labels all files in /etc as config files, as␣
,→mandated by policy, so fpm defaults to this behavior for deb packages. You can␣

,→disable this default behavior with --deb-no-default-config-files flag {:level=>

,→:warn}
(下页继续)

13.1. Build VyOS 631

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Created package {:path=>"vyos-intel-qat_1.7.l.4.9.0-00008-0_amd64.deb"}
I: Cleanup qat source

After compiling the packages you will find yourself the newly generated *.deb binaries in vyos-build/packages/
linux-kernel from which you can copy them to the vyos-build/packages folder for inclusion during the ISO
build.

Packages

If you are brave enough to build yourself an ISO image containing any modified package from our GitHub organisation -
this is the place to be.
Any“modified”package may refer to an altered version of e.g. vyos-1x package that you would like to test before filing
a pull request on GitHub.
Building an ISO with any customized package is in no way different then building a regular (customized or not) ISO
image. Simply place your modified *.deb package inside the packages folder within vyos-build. The build process will
then pickup your custom package and integrate it into your ISO.

Troubleshooting

Debian APT is not very verbose when it comes to errors. If your ISO build breaks for whatever reason and you suspect
it’s a problem with APT dependencies or installation you can add this small patch which increases the APT verbosity
during ISO build.

diff --git i/scripts/live-build-config w/scripts/live-build-config

index 1b3b454..3696e4e 100755
--- i/scripts/live-build-config
+++ w/scripts/live-build-config
@@ -57,7 +57,8 @@ lb config noauto \
--firmware-binary false \
--updates true \
--security true \
- --apt-options "--yes -oAcquire::Check-Valid-Until=false" \
+ --apt-options "--yes -oAcquire::Check-Valid-Until=false -
,→oDebug::BuildDeps=true -oDebug::pkgDepCache::AutoInstall=true \

+ -oDebug::pkgDepCache::Marker=true -
,→oDebug::pkgProblemResolver=true -oDebug::Acquire::gpgv=true" \

--apt-indices false
"${@}"
"""

Virtualization Platforms

QEMU

Run following command after building the ISO image.

$ make qemu

13.1. Build VyOS 632

 VyOS Documentation, 发布 1.4.x (sagitta)

VMware

Run following command after building the QEMU image.

$ make vmware

13.1.3 Packages

VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian
mirror. Those packages can be found at the VyOS GitHub project in their source format can easily be compiled into a
custom Debian (*.deb) package.
The easiest way to compile your package is with the above mentioned Docker container, it includes all required depen-
dencies for all VyOS related packages.
Assume we want to build the vyos-1x package on our own and modify it to our needs. We first need to clone the repository
from GitHub.

$ git clone https://github.com/vyos/vyos-1x

Build

Launch Docker container and build package

# For VyOS 1.3 (equuleus, current)

$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current␣
,→bash

# Change to source directory

$ cd vyos-1x

# Build DEB
$ dpkg-buildpackage -uc -us -tc -b

After a minute or two you will find the generated DEB packages next to the vyos-1x source directory:

# ls -al ../vyos-1x*.deb
-rw-r--r-- 1 vyos_bld vyos_bld 567420 Aug 3 12:01 ../vyos-1x_1.3dev0-1847-gb6dcb0a8_
,→all.deb

-rw-r--r-- 1 vyos_bld vyos_bld 3808 Aug 3 12:01 ../vyos-1x-vmware_1.3dev0-1847-

,→gb6dcb0a8_amd64.deb

Install

To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new
*.deb package over the current running one.
Just install using the following commands:

vyos@vyos:~$ dpkg --install /tmp/vyos-1x_1.3dev0-1847-gb6dcb0a8_all.deb

(Reading database ... 58209 files and directories currently installed.)
Preparing to unpack .../vyos-1x_1.3dev0-1847-gb6dcb0a8_all.deb ...
Unpacking vyos-1x (1.3dev0-1847-gb6dcb0a8) over (1.3dev0-1847-gb6dcb0a8) ...
(下页继续)

13.1. Build VyOS 633

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
Setting up vyos-1x (1.3dev0-1847-gb6dcb0a8) ...
Processing triggers for rsyslog (8.1901.0-1) ...

You can also place the generated *.deb into your ISO build environment to include it in a custom iso, see Linux Kernel
for more information.

警告: Any packages in the packages directory will be added to the iso during build, replacing the upstream ones.
Make sure you delete them (both the source directories and built deb packages) if you want to build an iso from purely
upstream packages.

13.2 Development

All VyOS source code is hosted on GitHub under the VyOS organization which can be found here: https://github.com/
vyos
Our code is split into several modules. VyOS is composed of multiple individual packages, some of them are forks of
upstream packages and are periodically synced with upstream, so keeping the whole source under a single repository
would be very inconvenient and slow. There is now an ongoing effort to consolidate all VyOS-specific framework/config
packages into vyos-1x package, but the basic structure is going to stay the same, just with fewer and fewer packages while
the base code is rewritten from Perl/BASH into Python using and XML based interface definition for the CLI.
The repository that contains all the ISO build scripts is: https://github.com/vyos/vyos-build
The README.md file will guide you to use the this top level repository.

13.2.1 Submit a Patch

Patches are always more than welcome. To have a clean and easy to maintain repository we have some guidelines when
working with Git. A clean repository eases the automatic generation of a changelog file.
A good approach for writing commit messages is actually to have a look at the file(s) history by invoking git log
path/to/file.txt.

Prepare patch/commit

In a big system, such as VyOS, that is comprised of multiple components, it’s impossible to keep track of all the changes
and bugs/feature requests in one’s head. We use a bugtracker known as Phabricator for it (“issue tracker”would be a
better term, but this one stuck).
The information is used in three ways:
• Keep track of the progress (what we’ve already done in this branch and what we still need to do).
• Prepare release notes for upcoming releases
• Help future maintainers of VyOS (it could be you!) to find out why certain things have been changed in the codebase
or why certain features have been added
To make this approach work, every change must be associated with a task number (prefixed with T) and a component. If
there is no bug report/feature request for the changes you are going to make, you have to create a Phabricator task first.
Once there is an entry in Phabricator, you should reference its id in your commit message, as shown below:
• ddclient: T1030: auto create runtime directories

13.2. Development 634

 VyOS Documentation, 发布 1.4.x (sagitta)

• Jenkins: add current Git commit ID to build description

If there is no Phabricator reference in the commits of your pull request, we have to ask you to amend the commit message.
Otherwise we will have to reject it.

Writing good commit messages

The format should be and is inspired by: https://git-scm.com/book/ch5-2.html It is also worth reading https://chris.
beams.io/posts/git-commit/
• A single, short, summary of the commit (recommended 50 characters or less, not exceeding 80 characters) con-
taining a prefix of the changed component and the corresponding Phabricator reference e.g. snmp: T1111: or
ethernet: T2222: - multiple components could be concatenated as in snmp: ethernet: T3333
• In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank
line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get
confused if you run the two together.
• Followed by a message which describes all the details like:
– What/why/how something has been changed, makes everyone’s life easier when working with git bisect
– All text of the commit message should be wrapped at 72 characters if possible which makes reading commit
logs easier with git log on a standard terminal (which happens to be 80x25)
– If applicable a reference to a previous commit should be made linking those commits nicely when brows-
ing the history: After commit abcd12ef ("snmp: this is a headline") a Python
import statement is missing, throwing the following exception: ABCDEF
• Always use the -x option to the git cherry-pick command when back or forward porting an individual com-
mit. This automatically appends the line: (cherry picked from commit <ID>) to the original authors
commit message making it easier when bisecting problems.
• Every change set must be consistent (self containing)! Do not fix multiple bugs in a single commit. If you already
worked on multiple fixes in the same file use git add –patch to only add the parts related to the one issue into your
upcoming commit.
Limits:
• We only accept bugfixes in packages other than https://github.com/vyos/vyos-1x as no new functionality should
use the old style templates (node.def and Perl/BASH code. Use the new style XML/Python interface instead.
Please submit your patches using the well-known GitHub pull-request against our repositories found in the VyOS GitHub
organisation at https://github.com/vyos

Determinine source package

Suppose you want to make a change in the webproxy script but yet you do not know which of the many VyOS packages
ship this file. You can determine the VyOS package name in question by using Debian’s dpkg -S command of your
running VyOS installation.

vyos@vyos:~ dpkg -S /opt/vyatta/sbin/vyatta-update-webproxy.pl

vyatta-webproxy: /opt/vyatta/sbin/vyatta-update-webproxy.pl

This means the file in question (/opt/vyatta/sbin/vyatta-update-webproxy.pl) is located in the

vyatta-webproxy package which can be found here: https://github.com/vyos/vyatta-webproxy

13.2. Development 635

 VyOS Documentation, 发布 1.4.x (sagitta)

Fork Repository and submit Patch

Forking the repository and submitting a GitHub pull-request is the preferred way of submitting your changes to VyOS.
You can fork any VyOS repository to your very own GitHub account by just appending /fork to any repository’s
URL on GitHub. To e.g. fork the vyos-1x repository, open the following URL in your favourite browser: https:
//github.com/vyos/vyos-1x/fork
You then can proceed with cloning your fork or add a new remote to your local repository:
• Clone: git clone https://github.com/<user>/vyos-1x.git
• Fork: git remote add myfork https://github.com/<user>/vyos-1x.git
In order to record you as the author of the fix please identify yourself to Git by setting up your name and email. This can
be done local for this one and only repository git config or globally using git config --global.

git config --global user.name "J. Random Hacker"

git config --global user.email "[email protected]"

Make your changes and save them. Do the following for all changes files to record them in your created Git commit:
• Add file to Git index using git add myfile, or for a whole directory: git add somedir/*
• Commit the changes by calling git commit. Please use a meaningful commit headline (read above) and don’
t forget to reference the Phabricator ID.
• Submit the patch git push and create the GitHub pull-request.

Attach patch to Phabricator task

Follow the above steps on how to“Fork repository to submit a Patch”. Instead of uploading“pushing”your changes to
GitHub you can export the patches/ commits and send it to [email protected] or attach it directly to the bug (preferred
over email)
• Export last commit to patch file: git format-patch or export the last two commits into its appropriate patch
files: git format-patch -2

13.2.2 Coding Guidelines

Like any other project we have some small guidelines about our source code, too. The rules we have are not there to
punish you - the rules are in place to help us all. By having a consistent coding style it becomes very easy for new and
also longtime contributors to navigate through the sources and all the implied logic of any one source file..
Python 3 shall be used. How long can we keep Python 2 alive anyway? No considerations for Python 2 compatibility
should be taken at any time.

Formatting

• Python: Tabs shall not be used. Every indentation level should be 4 spaces
• XML: Tabs shall not be used. Every indentation level should be 2 spaces

注解: There are extensions to e.g. VIM (xmllint) which will help you to get your indention levels correct. Add to follow-
ing to your .vimrc file: au FileType xml setlocal equalprg=xmllint\ --format\ --recover\
-\ 2>/dev/null now you can call the linter using gg=G in command mode.

13.2. Development 636

 VyOS Documentation, 发布 1.4.x (sagitta)

Text generation

Template processor should be used for generating config files. Built-in string formatting may be used for simple line-
oriented formats where every line is self-contained, such as iptables rules. Template processor must be used for structured,
multi-line formats such as those used by ISC DHCPd.
The default template processor for VyOS code is Jinja2.

Summary

When modifying the source code, remember these rules of the legacy elimination campaign:
• No new features in Perl
• No old style command definitions
• No code incompatible with Python3

13.2.3 Python

The switch to the Python programming language for new code is not merely a change of the language, but a chance to
rethink and improve the programming approach.
Let’s face it: VyOS is full of spaghetti code where logic for reading the VyOS config, generating daemon configs, and
restarting processes is all mixed up.
Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also
devise design guidelines and follow them to keep the system extensible and maintainable.
But we are here to assist you and want to guide you through how you can become a good VyOS contributor. The rules we
have are not there to punish you - the rules are in place to help us all. What does it mean? By having a consistent coding
style it becomes very easy for new contributors and also longtime contributors to navigate through the sources and all the
implied logic of the spaghetti code.
Please use the following template as good starting point when developing new modules or even rewrite a whole bunch of
code in the new style XML/Pyhon interface.

Configuration Script Structure and Behaviour

Your configuration script or operation mode script which is also written in Python3 should have a line break on 80
characters. This seems to be a bit odd nowadays but as some people also work remotely or program using vi(m) this is a
fair good standard which I hope we can rely on.
In addition this also helps when browsing the GitHub codebase on a mobile device if you happen to be a crazy scientist.

#!/usr/bin/env python3
#
# Copyright (C) 2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
(下页继续)

13.2. Development 637

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

import sys

from vyos.config import Config

from vyos import ConfigError

def get_config():
if config:
conf = config
else:
conf = Config()

# Base path to CLI nodes

base = ['...', '...']
# Convert the VyOS config to an abstract internal representation
config_data = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_
,→key=True)

return config_data

def verify(config):
# Verify that configuration is valid
if invalid:
raise ConfigError("Descriptive message")
return True

def generate(config):
# Generate daemon configs
pass

def apply(config):
# Apply the generated configs to the live system
pass

try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
sys.exit(1)

The get_config() function must convert the VyOS config to an abstract, internal representation. No other function
is allowed to call the vyos.config. Config object method directly. The rationale for it is that when config reads
are mixed with other logic, it’s very hard to change the config syntax since you need to weed out every occurrence of
the old syntax. If syntax-specific code is confined to a single function, the rest of the code can be left untouched as long
as the internal representation remains compatible.
Another advantage is testability of the code. Mocking the entire config subsystem is hard, while constructing an internal
representation by hand is way simpler.
The verify() function takes your internal representation of the config and checks if it’s valid, otherwise it must raise
ConfigError with an error message that describes the problem and possibly suggests how to fix it. It must not make

13.2. Development 638

 VyOS Documentation, 发布 1.4.x (sagitta)

any changes to the system. The rationale for it is again testability and, in the future when the config backend is ready
and every script is rewritten in this fashion, ability to execute commit dry run (“commit test”like in JunOS) and abort
commit before making any changes to the system if an error is found in any component.
The generate() function generates config files for system components.
The apply() function applies the generated configuration to the live system. It should use non-disruptive reload when-
ever possible. It may execute disruptive operations such as daemon process restart if a particular component does not
support non-disruptive reload, or when the expected service degradation is minimal (for example, in case of auxiliary ser-
vices such as LLDPd). In case of high impact services such as VPN daemon and routing protocols, when non- disruptive
reload is supported for some but not all types of configuration changes, scripts authors should make effort to determine
if a configuration change can be done in a non-disruptive way and only resort to disruptive restart if it cannot be avoided.
Unless absolutely necessary, configuration scripts should not modify the active configuration of system components di-
rectly. Whenever at all possible, scripts should generate a configuration file or files that can be applied with a single
command such as reloading a service through systemd init. Inserting statements one by one is particularly discouraged,
for example, when configuring netfilter rules, saving them to a file and loading it with iptables-restore should always be
preferred to executing iptables directly.
The apply() and generate() functions may raise ConfigError if, for example, the daemon failed to start
with the updated config. It shouldn’t be a substitute for proper config checking in the verify() function. All reasonable
effort should be made to verify that generated configuration is valid and will be accepted by the daemon, including, when
necessary, cross- checks with other VyOS configuration subtrees.
Exceptions, including VyOSError (which is raised by vyos.config.Config on improper config operations, such
as trying to use list_nodes() on a non-tag node) should not be silenced or caught and re-raised as config error. Sure
this will not look pretty on user’s screen, but it will make way better bug reports, and help users (and most VyOS users
are IT professionals) do their own debugging as well.
For easy orientation we suggest you take a look on the ntp.py or interfaces-bonding.py (for tag nodes) im-
plementation. Both files can be found in the vyos-1x repository.

13.2.4 XML (used for CLI definitions)

The bash (or better vbash) completion in VyOS is defined in templates. Templates are text files (called node.def) stored
in a directory tree. The directory names define the command names, and template files define the command behaviour.
Before VyOS 1.2 (crux) this files were created by hand. After a complex redesign process the new style template are
automatically generated from a XML input file.
XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x module. This schema is
a slightly modified schema from VyConf alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen
VyOS Versions with very minimal changes.
The great thing about schemas is not only that people can know the complete grammar for certain, but also that it can be
automatically verified. The scripts/build-command-templates script that converts the XML definitions to old style templates
also verifies them against the schema, so a bad definition will cause the package build to fail. I do agree that the format is
verbose, but there is no other format now that would allow this. Besides, a specialized XML editor can alleviate the issue
with verbosity.
Example:

<?xml version="1.0"?>
<!-- Cron configuration -->
<interfaceDefinition>
<node name="system">
<children>
<node name="task-scheduler">
(下页继续)

13.2. Development 639

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
<properties>
<help>Task scheduler settings</help>
</properties>
<children>
<tagNode name="task" owner="${vyos_conf_scripts_dir}/task_scheduler.py">
<properties>
<help>Scheduled task</help>
<valueHelp>
<format>&lt;string&gt;</format>
<description>Task name</description>
</valueHelp>
<priority>999</priority>
</properties>
<children>
<leafNode name="crontab-spec">
<properties>
<help>UNIX crontab time specification string</help>
</properties>
</leafNode>
<leafNode name="interval">
<properties>
<help>Execution interval</help>
<valueHelp>
<format>&lt;minutes&gt;</format>
<description>Execution interval in minutes</description>
</valueHelp>
<valueHelp>
<format>&lt;minutes&gt;m</format>
<description>Execution interval in minutes</description>
</valueHelp>
<valueHelp>
<format>&lt;hours&gt;h</format>
<description>Execution interval in hours</description>
</valueHelp>
<valueHelp>
<format>&lt;days&gt;d</format>
<description>Execution interval in days</description>
</valueHelp>
<constraint>
<regex>[1-9]([0-9]*)([mhd]{0,1})</regex>
</constraint>
</properties>
</leafNode>
<node name="executable">
<properties>
<help>Executable path and arguments</help>
</properties>
<children>
<leafNode name="path">
<properties>
<help>Path to executable</help>
</properties>
</leafNode>
<leafNode name="arguments">
<properties>
<help>Arguments passed to the executable</help>

(下页继续)

13.2. Development 640

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)
</properties>
</leafNode>
</children>
</node>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</interfaceDefinition>

Command definitions are purely declarative, and cannot contain any logic. All logic for generating config files for target
applications, restarting services and so on is implemented in configuration scripts instead.

GNU Preprocessor

XML interface definition files use the xml.in file extension which was implemented in T1843. XML interface definitions
tend to have a lot of duplicated code in areas such as:
• VIF (incl. VIF-S/VIF-C)
• Address
• Description
• Enabled/Disabled
Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief
overview:
• IPv4, IPv6 and DHCP(v6) address assignment
• IPv4, IPv6 address assignment
• VLAN (VIF) definition
• MAC address assignment
All interface definition XML input files (.in suffix) will be sent to the GCC preprocess and the output is stored in
the build/interface-definitions folder. The previously mentioned scripts/build-command-templates script operates on the
build/interface-definitions folder to generate all required CLI nodes.

$ make interface_definitions
install -d -m 0755 build/interface-definitions
install -d -m 0755 build/op-mode-definitions
Generating build/interface-definitions/intel_qat.xml from interface-definitions/intel_
,→qat.xml.in

Generating build/interface-definitions/interfaces-bonding.xml from interface-

,→definitions/interfaces-bonding.xml.in

Generating build/interface-definitions/cron.xml from interface-definitions/cron.xml.in

Generating build/interface-definitions/pppoe-server.xml from interface-definitions/
,→pppoe-server.xml.in

Generating build/interface-definitions/mdns-repeater.xml from interface-definitions/

,→mdns-repeater.xml.in

Generating build/interface-definitions/tftp-server.xml from interface-definitions/

,→tftp-server.xml.in

[...]

13.2. Development 641

 VyOS Documentation, 发布 1.4.x (sagitta)

Guidelines

Use of numbers

Use of numbers in command names should be avoided unless a number is a part of a protocol name or similar. Thus,
protocols ospfv3 is perfectly fine, but something like server-1 is questionable at best.

Help String

To ensure uniform look and feel, and improve readability, we should follow a set of guidelines consistently.

Capitalization and punctuation

The first word of every help string must be capitalized. There must not be a period at the end of help strings.
Rationale: this seems to be the unwritten standard in network device CLIs, and a good aesthetic compromise.
Examples:
• Good: “Frobnication algorithm”
• Bad: “frobnication algorithm”
• Bad: “Frobnication algorithm.”
• Horrible: “frobnication algorithm.”

Use of abbreviations and acronyms

Abbreviations and acronyms must be capitalized.

Examples:
• Good: “TCP connection timeout”
• Bad: “tcp connection timeout”
• Horrible: “Tcp connection timeout”
Acronyms also must be capitalized to visually distinguish them from normal words:
Examples:
• Good: RADIUS (as in remote authentication for dial-in user services)
• Bad: radius (unless it’s about the distance between a center of a circle and any of its points)
Some abbreviations are traditionally written in mixed case. Generally, if it contains words “over”or “version”, the
letter should be lowercase. If there’s an accepted spelling (especially if defined by an RFC or another standard), it must
be followed.
Examples:
• Good: PPPoE, IPsec
• Bad: PPPOE, IPSEC
• Bad: pppoe, ipsec

13.2. Development 642

 VyOS Documentation, 发布 1.4.x (sagitta)

Use of verbs

Verbs should be avoided. If a verb can be omitted, omit it.

Examples:
• Good: “TCP connection timeout”
• Bad: “Set TCP connection timeout”
If a verb is essential, keep it. For example, in the help text of set system ipv6 disable-forwarding,
“Disable IPv6 forwarding on all interfaces”is a perfectly justified wording.

Prefer infinitives

Verbs, when they are necessary, should be in their infinitive form.

Examples:
• Good: “Disable IPv6 forwarding”
• Bad: “Disables IPv6 forwarding”

13.2. Development 643

 VyOS Documentation, 发布 1.4.x (sagitta)

Migrating old CLI

Old concept/syntax New syntax Notes

mynode/node.def <node name=”mynode”> Leaf nodes (nodes with values) use <leafNode> tag in-
</node> stead
mynode/node.tag , tag: <tagNode name=”myn-
ode> </node>
help: My node <properties> <help>My
node</help>
val_help: <format>; some <properties> <valueHelp> Do not add angle brackets around the format, they will be
string <format> format </for- inserted automatically
mat> <description> some
string </description>
syntax:expression: pattern <properties> <constraint> <constraintErrorMessage> will be displayed on failure
<regex> …
syntax:expression: None Use regex
$VAR(@) in “foo”,
“bar”, “baz”
syntax:expression: exec … <properties> <constraint> “${vyos_libexecdir}/validators/foo bar $VAR(@)”will
<validator> <name =”foo” be executed, <constraintErrorMessage> will be displayed
argument=”bar”> on failure
syntax:expression: (arith- None External arithmetic validator may be added if there’s
metic expression) demand, complex validation is better left to commit-time
scripts
priority: 999 <properties> <prior- Please leave a comment explaining why the priority was
ity>999</priority> chosen (e.g. “after interfaces are configured”)
multi: <properties> <multi/> Only applicable to leaf nodes
allowed: echo foo bar <properties> <comple-
tionHelp> <list> foo bar
</list>
allowed: cli-shell-api <properties> <comple-
listNodes vpn ipsec tionHelp> <path> vpn
esp-group ipsec esp-group </path>
…
allowed: /path/to/script <properties> <com-
pletionHelp> <script>
/path/to/script </script> …
default: None Move default values to scripts
commit:expression: None All commit time checks should be in the verify() function
of the script
begin:/create:/delete: None All logic should be in the scripts

13.2. Development 644

 VyOS Documentation, 发布 1.4.x (sagitta)

13.2.5 Continuous Integration

VyOS makes use of Jenkins as our Continuous Integration (CI) service. Our CI server is publicly accessible here: https:
//ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO.
To build our modules we utilize a CI/CD Pipeline script. Each and every VyOS component comes with it’s own
Jenkinsfile which is (more or less) a copy. The Pipeline utilizes the Docker container from the Build ISO section -
but instead of building it from source on every run, we rather always fetch a fresh copy (if needed) from Dockerhub.
Each module is build on demand if a new commit on the branch in question is found. After a successful run the resulting
Debian Package(s) will be deployed to our Debian repository which is used during build time. It is located here: http:
//dev.packages.vyos.net/repositories/.

13.3 Documentation

VyOS documentation is written in reStructuredText and generated to Read the Docs pages with Sphinx, as per the Python
tradition, as well as PDF files for offline use through LaTeX.
We welcome all sorts of contributions to the documentation. Not just new additions but also corrections to existing
documentation.

13.3.1 Guidelines

There are a few things to keep in mind when contributing to the documentation, for the sake of consistency and readability.
Take a look at the Documentation page for an intricate explanation of the documentation process.
The following is a quick summary of the rules:
• Use American English at all times. It’s always a good idea to run your text through a grammar and spell checker,
such as Grammarly.
• Don’t forget to update index.rst when adding a new node.
• Try not to exceed 80 characters per line, but don’t break URLs over this.
• Properly quote commands, filenames and brief code snippets with double backticks.
• Use literal blocks for longer snippets.
• Leave a newline before and after a header.
• Indent with two spaces.
• When in doubt, follow the style of existing documentation.
And finally, remember that the reStructuredText files aren’t exclusively for generating HTML and PDF. They should be
human-readable and easily perused from a console.

13.3. Documentation 645

 VyOS Documentation, 发布 1.4.x (sagitta)

13.3.2 Building

The source is kept in the Git repository https://github.com/vyos/vyos-documentation

You can follow the instructions in the README to build and test your changes.
You can either install Sphinx (and TeX Live for PDF output) and build the documentation locally, or use the Dockerfile
to build it in a container.

13.4 Issues/Feature requests

13.4.1 Bug Report/Issue

Issues or bugs are found in any software project. VyOS is not an exception.
All issues should be reported to the developers. This lets the developers know what is not working properly. Without this
sort of feedback every developer will believe that everything is working correctly.

I have found a bug, what should I do?

When you believe you have found a bug, it is always a good idea to verify the issue prior to opening a bug request.
• Consult the documentation to ensure that you have configured your system correctly
• Get community support via Slack or our Forum

Ensure the problem is reproducible

When you are able to verify that it is actually a bug, spend some time to document how to reproduce the issue. This
documentation can be invaluable.
When you wish to have a developer fix a bug that you found, helping them reproduce the issue is beneficial to everyone.
Be sure to include information about the hardware you are using, commands that you were running, any other activities
that you may have been doing at the time. This additional information can be very useful.
• What were you attempting to achieve?
• What was the configuration prior to the change?
• What commands did you use? Use e.g. run show configuration commands

Include output

The output you get when you find a bug can provide lots of information. If you get an error message on the screen,
copy it exactly. Having the exact message can provide detail that the developers can use. Like wise if you have any log
messages that also are from the time of the issue, include those. They may also contain information that is helpful for the
development team.

13.4. Issues/Feature requests 646

 VyOS Documentation, 发布 1.4.x (sagitta)

Report a Bug

In order to open up a bug-report/feature request you need to create yourself an account on VyOS Phabricator. On the left
side of the specific project (VyOS 1.2 or VyOS 1.3) you will find quick-links for opening a bug-report/feature request.
• Provide as much information as you can
• Which version of VyOS are you using? run show version
• How can we reproduce this Bug?

13.4.2 Feature Request

You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would
benefit from? To send a feature request please search Phabricator if there is already a request pending. You can enhance
it or if you don’t find one, create a new one by use the quick link in the left side under the specific project.

13.5 Upstream packages

Many base system packages are pulled straight from Debian’s main and contrib repositories, but there are exceptions.
This chapter lists those exceptions and gives you a brief overview what we have done on those packages. If you only want
to build yourself a fresh ISO you can completely skip this chapter. It may become interesting once you have a VyOS deep
dive.

13.5.1 vyos-netplug

Due to issues in the upstream version that sometimes set interfaces down, a modified version is used.
The source is located at https://github.com/vyos/vyos-netplug
In the future, we may switch to using systemd infrastructure instead. Building it doesn’t require a special procedure.

13.5.2 keepalived

Keepalived normally isn’t updated to newer feature releases between Debian versions, so we are building it from source.
Debian does keep their package in git, but it’s upstream tarball imported into git without its original commit history.
To be able to merge new tags in, we keep a fork of the upstream repository with packaging files imported from Debian at
https://github.com/vyos/keepalived-upstream

13.5.3 strongswan

Our StrongSWAN build differs from the upstream:

• strongswan-nm package build is disabled since we don’t use NetworkManager
• Patches for DMVPN are merged in
The source is at https://github.com/vyos/vyos-strongswan
DMVPN patches are added by this commit: https://github.com/vyos/vyos-strongswan/commit/
1cf12b0f2f921bfc51affa3b81226

13.5. Upstream packages 647

 VyOS Documentation, 发布 1.4.x (sagitta)

Our op mode scripts use the python-vici module, which is not included in Debian’s build, and isn’t quite easy to integrate
in that build. For this reason we debianize that module by hand now, using this procedure:
0. Install https://pypi.org/project/stdeb/
1. cd vyos-strongswan
2. ./configure –enable-python-eggs
3. cd src/libcharon/plugins/vici/python
4. make
5. python3 setup.py –command-packages=stdeb.command bdist_deb
The package ends up in deb_dist dir.

13.5.4 mdns-repeater

This package doesn’t exist in Debian. A debianized fork is kept at https://github.com/vyos/mdns-repeater

No special build procedure is required.

13.5.5 udp-broadcast-relay

This package doesn’t exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay

No special build procedure is required.

13.5.6 hvinfo

A fork with packaging changes for VyOS is kept at https://github.com/vyos/hvinfo

The original repo is at https://github.com/dmbaturin/hvinfo
It’s an Ada program and requires GNAT and gprbuild for building, dependencies are properly specified so just follow
debuild’s suggestions.

13.5. Upstream packages 648

 CHAPTER 14

Debugging

There are two flags available to aid in debugging configuration scripts. Since configuration loading issues will manifest
during boot, the flags are passed as kernel boot parameters.

14.1 ISO image build

When having trouble compiling your own ISO image or debugging Jenkins issues you can follow the steps at ISO Build
Issues.

14.2 System Startup

The system startup can be debugged (like loading in the configuration file from /config/config.boot. This can
be achieve by extending the Kernel command-line in the bootloader.

14.2.1 Kernel

• vyos-debug - Adding the parameter to the linux boot line will produce timing results for the execution of
scripts during commit. If one is seeing an unexpected delay during manual or boot commit, this may be useful
in identifying bottlenecks. The internal flag is VYOS_DEBUG, and is found in vyatta-cfg. Output is directed to
/var/log/vyatta/cfg-stdout.log.
• vyos-config-debug - During development, coding errors can lead to a commit failure on boot, possibly result-
ing in a failed initialization of the CLI. In this circumstance, the kernel boot parameter vyos-config-debug
will ensure access to the system as user vyos, and will log a Python stack trace to the file /tmp/
boot-config-trace. File boot-config-trace will generate only if config loaded with a failure status.

649
 VyOS Documentation, 发布 1.4.x (sagitta)

14.3 Live System

A number of flags can be set up to change the behaviour of VyOS at runtime. These flags can be toggled using either
environment variables or creating files.
For each feature, a file called vyos.feature.debug can be created to toggle the feature on. If a parameter is required
it can be placed inside the file as its first line.
The file can be placed in /tmp for one time debugging (as the file will be removed on reboot) or placed in ‘/config’to
stay permanently.
For example, /tmp/vyos.ifconfig.debug can be created to enable interface debugging.
It is also possible to set up the debugging using environment variables. In that case, the name will be (in uppercase)
VYOS_FEATURE_DEBUG.
For example running, export VYOS_IFCONFIG_DEBUG="" on your vbash, will have the same effect as touch
/tmp/vyos.ifconfig.debug.
• ifconfig - Once set, all commands used, and their responses received from the OS, will be presented on the
screen for inspection.
• command - Once set, all commands used, and their responses received from the OS, will be presented on the
screen for inspection.
• developer - Should a command fail, instead of printing a message to the user explaining how to report issues, the
python interpreter will start a PBD post-mortem session to allow the developer to debug the issue. As the debugger
will wait from input from the developer, it has the capacity to prevent a router to boot and therefore should only be
permanently set up on production if you are ready to see the OS fail to boot.
• log - In some rare cases, it may be useful to see what the OS is doing, including during boot. This option sends
all commands used by VyOS to a file. The default file is /tmp/full-log but it can be changed.

注解: In order to retrieve the debug output on the command-line you need to disable vyos-configd in addition.
This can be run either one-time by calling sudo systemctl stop vyos-configd or make this reboot-safe by
calling sudo systemctl disable vyos-configd.

14.3.1 FRR

Recent versions use the vyos.frr framework. The Python class is located inside our vyos-1x:python/vyos/
frr.py. It comes with an embedded debugging/ (print style) debugger as vyos.ifconfig does.
To enable debugging just run: $ touch /tmp/vyos.frr.debug

14.3.2 Debugging Python Code with PDB

Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved
using pdb.
Let us assume you want to debug a Python script that is called by an op-mode command. After you found the script by
looking up the op-mode-defitions you can edit the script in the live system using e.g. vi: vi /usr/libexec/vyos/
op_mode/show_xyz.py
Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see
in a backtrace): import pdb; pdb.set_trace() Optionally you can surrounded this statement by an if which
only triggers under the condition you are interested in.

14.3. Live System 650

 VyOS Documentation, 发布 1.4.x (sagitta)

Once you run show xyz and your condition is triggered you should be dropped into the python debugger:

> /usr/libexec/vyos/op_mode/show_nat_translations.py(109)process()
-> rule_type = rule.get('type', '')
(Pdb)

You can type help to get an overview of the available commands, and help command to get more information on
each command.
Useful commands are:
• examine variables using pp(var)
• contine execution using cont
• get a backtrace using bt

14.3.3 Config Migration Scripts

When writing a new configuration migrator it may happen that you see an error when you try to invoke it manually on a
development system. This error will look like:

vyos@vyos:~$ /opt/vyatta/etc/config-migrate/migrate/ssh/0-to-1 /tmp/config.boot

Traceback (most recent call last):
File "/opt/vyatta/etc/config-migrate/migrate/ssh/0-to-1", line 31, in <module>
config = ConfigTree(config_file)
File "/usr/lib/python3/dist-packages/vyos/configtree.py", line 134, in __init__
raise ValueError("Failed to parse config: {0}".format(msg))
ValueError: Failed to parse config: Syntax error on line 240, character 1: Invalid␣
,→syntax.

The reason is that the configuration migration backend is rewritten and uses a new form of “magic string”which is
applied on demand when real config migration is run on boot. When runnint individual migrators for testing, you need to
convert the “magic string”on your own by:

vyos@vyos:~$ /usr/libexec/vyos/run-config-migration.py --virtual --set-vintage vyos /

,→tmp/config.boot

14.3.4 Configuration Error on System Boot

Beeing brave and running the latest rolling releases will sometimes trigger bugs due to corner cases we missed in our
design. Those bugs should be filed via Phabricator but you can help us to narrow doen the issue. Login to your VyOS
system and change into configuration mode by typing configure. Now re-load your boot configuration by simply
typing load followed by return.
You shoudl now see a Python backtrace which will help us to handle the issue, please attach it to the Phabricator task.

14.3. Live System 651

 VyOS Documentation, 发布 1.4.x (sagitta)

14.3.5 Boot Timing

During the migration and extensive rewrite of functionality from Perl into Python a significant increase in the overall
system boottime was noticed. The system boot time can be analysed and a graph can be generated in the end which shows
in detail who called whom during the system startup phase.
This is done by utilizing the systemd-bootchart package which is now installed by default on the VyOS 1.3 (equ-
uleus) branch. The configuration is also versioned so we get comparable results. systemd-bootchart is configured
using this file: bootchart.conf
To enable boot time graphing change the Kernel commandline and add the folowing string: init=/usr/lib/
systemd/systemd-bootchart
This can also be done permanently by changing /boot/grub/grub.cfg.

14.4 Priorities

VyOS CLI is all about priorities. Every CLI node has a corresponding node.def file and possibly an attached script
that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other commit to the
config all scripts are executed from lowest to higest priority. This is good as this gives a deterministic behavior.
To debug issues in priorities or to see what’s going on in the background you can use the /opt/vyatta/sbin/
priority.pl script which lists to you the execution order of the scripts.

14.4. Priorities 652

 CHAPTER 15

Documentation

As most software projects we also have a lack in documentation. We encourage every VyOS user to help us improve our
documentation. This will not only be beneficial for you (when reading something up) but also for the whole world.
If you are willing to contribute to our documentation this is the definite guide how to do so.

注解: In contrast to submitting code patches, there is no requirement that you open up a Phabricator task prior to
submitting a Pull-Request to the documentation.

15.1 Forking Workflow

The Forking Workflow is fundamentally different than other popular Git workflows. Instead of using a single server-side
repository to act as the “central”codebase, it gives every developer their own server-side repository. This means that
each contributor has not one, but two Git repositories: a private local one and a public server-side one.
The main advantage of the Forking Workflow is that contributions can be integrated without the need for everybody to
push to a single central repository. Developers push to their own server-side repositories, and only the project maintainer
can push to the official repository. This allows the maintainer to accept commits from any developer without giving them
write access to the official codebase.

注解: Updates to our documentation should be delivered by a GitHub pull-request. This requires you already have a
GitHub account.

• Fork this project on GitHub https://github.com/vyos/vyos-documentation/fork

• Clone fork to local machine, then change to that directory $ cd vyos-documentation
• Install the requirements $ pip install -r requirements.txt (or something similar)
• Create new branch for your work, use a descriptive name of your work: $ git checkout -b
<branch-name>

653
 VyOS Documentation, 发布 1.4.x (sagitta)

• Make all your changes - please keep our commit rules in mind (Prepare patch/commit). This mainly applies to
proper commit messages describing your change (how and why). Please check out the documentation of Sphinx-
doc or reStructuredText if you are not familiar with it. This is used for writing our docs. Additional directives how
to write in RST can be obtained from reStructuredTextDirectives.
• Check your changes by locally building the documentation $ make html. Sphinx will build the html files in the
docs/_build folder. We provide you with a Docker container for an easy to use user experience. Check the
README.md file of this repository.
• View modified files by calling $ git status. You will get an overview of all files modified by you. You can
add individual files to the Git Index in the next step.
• Add modified files to Git index $ git add path/to/filename or add all unstaged files $ git add ..
All files added to the Git index will be part of you following Git commit.
• Commit your changes with the message, $ git commit -m "<commit message>" or use $ git
commit -v to have your configured editor launched. You can type in a commit message. Again please make
yourself comfortable with out rules (Prepare patch/commit).
• Push commits to your GitHub project: $ git push -u origin <branch-name>
• Submit pull-request. In GitHub visit the main repository and you should see a banner suggesting to make a pull
request. Fill out the form and describe what you do.
• Once pull resquests have been approved, you may want to locally update your forked repository too. First you’
ll have to add a second remote called upstream which points to our main repository. $ git remote add
upstream https://github.com/vyos/vyos-documentation.git
Check your configured remote repositories:

$ git remote -v
origin https://github.com/<username>/vyos-documentation.git (fetch)
origin https://github.com/<username>/vyos.documentation.git (push)
upstream https://github.com/vyos/vyos-documentation.git (fetch)
upstream https://github.com/vyos/vyos-documentation.git (push)

Your remote repo on Github is called origin, while the original repo you have forked is called upstream. Now
you can locally update your forked repo.

$ git fetch upstream

$ git checkout master
$ git merge upstream/master

• If you want to update your fork on GitHub, too use the following: $ git push origin master

15.2 Style Guide

15.2.1 Formating and Sphinxmarkup

TOC Level

We use the following syntax for Headlines.

#####
Title
#####
(下页继续)

15.2. Style Guide 654

 VyOS Documentation, 发布 1.4.x (sagitta)

(续上页)

********
Chapters
********

Sections
========

Subsections
-----------

Subsubsections
^^^^^^^^^^^^^^

Paragraphs
""""""""""

Address space

Note the following RFCs (RFC 5737, RFC 3849, RFC 5389 and RFC 7042), which describe the reserved public IP
addresses and autonomous system numbers for the documentation:
• 192.0.2.0/24
• 198.51.100.0/24
• 203.0.113.0/24
• 2001:db8::/32
• 16bit ASN: 64496 - 64511
• 32bit ASN: 65536 - 65551
• Unicast MAC Addresses: 00-53-00 to 00-53-FF
• Multicast MAC-Addresses: 90-10-00 to 90-10-FF
Please don’t use other public address space.

Line length

Limit all lines to a maximum of 80 characters.

Except in .. code-block:: because it will use the html tag <pre> which have the save line format as in the rst file.

Autolinter

Each GitHub Pull request will automatically lint against the Address space and line length.
Sometimes it is necessary to provide real IP Addresses like in the 配置蓝图. For this please use the sphinx comment
syntax .. stop_vyoslinter to stop the linter and .. start_vyoslinter to start.

15.2. Style Guide 655

 VyOS Documentation, 发布 1.4.x (sagitta)

Custom Sphinx-doc Markup

When writing the documentation custom commands have been developed. Please make yourself comfortable with those
commands as this eases the way we render the documentation.

cfgcmd

When documenting CLI commands use the .. cfgcmd:: directive for all configuration mode commands. An expla-
nation of the described command should be added below this statement. Replace all variable contents with <value> or
somthing similar.
With those custom commands it will be possible to render them in a more descriptive way in the resulting HTML/PDF
manual.

.. cfgcmd:: protocols static arp <ipaddress> hwaddr <macaddress>

This will configure a static ARP entry always resolving `192.0.2.100` to

`00:53:27:de:23:aa`.

For a inline configuration level command use :cfgcmd:

:cfgcmd:`set interface ethernet eth0`

opcmd

When documenting operational level command use the .. opcmd:: directive. An explanation of the described com-
mand should be added below this statement.
With those custom commands it will be possible to render them in a more descriptive way in the resulting HTML/PDF
manual.

.. opcmd:: show protocols static arp

Display all known ARP table entries spanning across all interfaces

For a inline operational level command use :opcmd:

:opcmd:`add system image`

cmdinclude

To minimize redundancy there is a special include directive. It include a txt file and replace the {{ var0 }} - {{
var9 }} with the correct value

.. cmdinclude:: /_include/interface-address.txt
:var0: ethernet
:var1: eth1

the content of interface-address.txt looks like this

15.2. Style Guide 656

 VyOS Documentation, 发布 1.4.x (sagitta)

.. cfgcmd:: set interfaces {{ var0 }} <interface> address <address | dhcp |

dhcpv6>

Configure interface `<interface>` with one or more interface

addresses.

* **address** can be specified multiple times as IPv4 and/or IPv6

address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
* **dhcp** interface address is received by DHCP from a DHCP server
on this segment.
* **dhcpv6** interface address is received by DHCPv6 from a DHCPv6
server on this segment.

Example:

.. code-block:: none

set interfaces {{ var0 }} {{ var1 }} address 192.0.2.1/24

set interfaces {{ var0 }} {{ var1 }} address 192.0.2.2/24
set interfaces {{ var0 }} {{ var1 }} address 2001:db8::ffff/64
set interfaces {{ var0 }} {{ var1 }} address 2001:db8:100::ffff/64

vytask

When referencing to VyOS Phabricator Tasks, there is a custom Sphinx Markup command called vytask which auto-
matically renders to a proper Phabricator URL. This is heavily used in the Changelog section.

* :vytask:`T1605` Fixed regression in L2TP/IPsec server

* :vytask:`T1613` Netflow/sFlow captures IPv6 traffic correctly

15.2.2 Page content

The documentation have 3 different types of pages, the same kind of pages must have the same structure to achieve a
recognition factor.
All RST files must follow the same TOC Level syntax and have to start with

#####
Titel
#####

Configuration mode pages

A configuration mode folder and article covers a specific level of a command. The exact level depends on the command.
This should provide stability for URLs used in the forum or blogpost.
For example:
• set zone-policy is written in zone-policy/index.rst
• set interfaces ethernet is written in interfaces/ethernet.rst
The article starts with a short intruducing about the command or the technologie. Please include some helpfull links or
background informations.

15.2. Style Guide 657

 VyOS Documentation, 发布 1.4.x (sagitta)

After this a optional section follows. Some commands have requirements like the compatible hardware (e.g. Wifi) or
some commands you have to set before. For example it is recommended to set a route-map before configure bgp.
In the configuration part of the page all possible confiuration options should be documented. Use .. cfgcmd:: like
described above.
Related Operation command must be documented in the next part of the article. Use ::opcmd.. for these commands.
If there some troubleshooting guides releated to the commands. Explain it in the next optional part.

Operation mode pages

Operation mode commands, which didn’t fit in a related configuraton mode command must documented in this part of
the documentation.
General concepts for troubleshooting belong here as well as detailed process descriptions.

Anything else

Anything else what is not a configuration or a operation command have no predefined structure.

15.2. Style Guide 658

 CHAPTER 16

Coverage

Overview over all commands, which are documented in the .. cfgcmd:: or .. opcmd:: Directives.
The build process take all xml definition files from vyos-1x and extract each leaf command or executable command.
After this the commands are compare and shown in the following two tables. The script compare only the fixed part of a
command. All varables or values will be erase and then compare:
for example there are these two commands:
• documentation: interfaces ethernet <interface> address <address | dhcp |
dhcpv6>`
• xml: interface ethernet <ethernet> address <address>
Now the script earse all in between < and > and simply compare the strings.
There are 2 kind of problems:
Not documented yet
• A XML command are not found in .. cfgcmd:: or .. opcmd:: Commands
• The command should be documented
Nothing found in XML Definitions
• .. cfgcmd:: or .. opcmd:: Command are not found in a XML command
• Maybe the command where changed in the XML Definition, or the feature is not anymore in VyOS
• Some commands are not yet translated to XML

659
 VyOS Documentation, 发布 1.4.x (sagitta)

16.1 Configuration Commands

1360/3352 in Docs 2928/3352 in XML Command

set
Nothing found in XML Definitions
comment <config node>
"comment text"
Nothing found in XML Definitions
commit
Nothing found in XML Definitions
commit-confirm
<minutes>
Nothing found in XML Definitions
compare <saved | N> <M>
Nothing found in XML Definitions
copy
Nothing found in XML Definitions
delete
Nothing found in XML Definitions
delete protocols static
route 0.0.0.0/0
Nothing found in XML Definitions
exit [discard]
Nothing found in XML Definitions
set firewall all-ping
[enable | disable]
Nothing found in XML Definitions
set firewall
broadcast-ping [enable |
disable]
Nothing found in XML Definitions
set firewall group
address-group <name>
address [address |
address range]
Nothing found in XML Definitions
set firewall group
address-group <name>
description <text>
Nothing found in XML Definitions
set firewall group
ipv6-address-group
<name> address
<address>
Nothing found in XML Definitions
set firewall group
ipv6-address-group
<name> description
<text>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 660

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall group
ipv6-network-group
<name> description
<text>
Nothing found in XML Definitions
set firewall group
ipv6-network-group
<name> network <CIDR>
Nothing found in XML Definitions
set firewall group
network-group <name>
description <text>
Nothing found in XML Definitions
set firewall group
network-group <name>
network <CIDR>
Nothing found in XML Definitions
set firewall group
port-group <name>
description <text>
Nothing found in XML Definitions
set firewall group
port-group <name> port
[portname | portnumber |
startport-endport]
Nothing found in XML Definitions
set firewall
ip-src-route [enable
| disable]
Nothing found in XML Definitions
set firewall ipv6-name
<name> default-action
[drop | reject | accept]
Nothing found in XML Definitions
set firewall ipv6-name
<name> description
<text>
Nothing found in XML Definitions
set firewall
ipv6-name <name>
enable-default-log
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
action [drop | reject |
accept]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
description <text>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 661

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall ipv6-name
<name> rule <1-9999>
destination address
[address | addressrange
| CIDR]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
destination group
address-group <name>
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
destination group
network-group <name>
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
destination group
port-group <name>
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
destination port
[1-65535 | portname |
start-end]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
disable
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999> log
[disable | enable]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
protocol [<text> |
<0-255> | all | tcp_udp]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
source address [address
| addressrange | CIDR]
Nothing found in XML Definitions
set firewall
ipv6-name <name> rule
<1-9999> source group
address-group <name>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 662

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall
ipv6-name <name> rule
<1-9999> source group
network-group <name>
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
source group port-group
<name>
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
source mac-address
<mac-address>
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
source port [1-65535 |
portname | start-end]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999>
state [established |
invalid | new | related]
[enable | disable ]
Nothing found in XML Definitions
set firewall ipv6-name
<name> rule <1-9999> tcp
flags <text>
Nothing found in XML Definitions
set firewall
ipv6-receive-redirects
[enable | disable]
Nothing found in XML Definitions
set firewall
ipv6-src-route [enable |
disable]
Nothing found in XML Definitions
set firewall
log-martians [enable
| disable]
Nothing found in XML Definitions
set firewall name <name>
default-action [drop
| reject | accept]
Nothing found in XML Definitions
set firewall name <name>
description <text>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 663

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall name <name>
enable-default-log
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> action
[drop | reject | accept]
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
description <text>
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
destination address
[address | addressrange
| CIDR]
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
destination group
address-group <name>
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
destination group
network-group <name>
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
destination group
port-group <name>
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
destination port
[1-65535 | portname |
start-end]
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> disable
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
log [disable | enable]
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> protocol
[<text> | <0-255> | all
| tcp_udp]
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 664

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall name <name>
rule <1-9999> source
address [address |
addressrange | CIDR]
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> source
group address-group
<name>
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> source
group network-group
<name>
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> source
group port-group <name>
Nothing found in XML Definitions
set firewall name
<name> rule <1-9999>
source mac-address
<mac-address>
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> source
port [1-65535 | portname
| start-end]
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> state
[established | invalid |
new | related] [enable |
disable ]
Nothing found in XML Definitions
set firewall name <name>
rule <1-9999> tcp flags
<text>
Nothing found in XML Definitions
set firewall
options interface
<interface> adjust-mss
<number-of-bytes>
------------------
firewall-options.xml.in:
firewall options interface <interface>
adjust-mss
下页继续

16.1. Configuration Commands 665

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall
options interface
<interface> adjust-mss6
<number-of-bytes>
------------------
firewall-options.xml.in:
firewall options interface <interface>
adjust-mss6
Not documented yet
------------------
firewall-options.xml.in:
firewall options interface <interface>
disable
set firewall
receive-redirects
[enable | disable]
Nothing found in XML Definitions
set firewall
send-redirects [enable |
disable]
Nothing found in XML Definitions
set firewall
source-validation
[strict | loose |
disable]
Nothing found in XML Definitions
set firewall
state-policy established
action [accept | drop |
reject]
Nothing found in XML Definitions
set firewall
state-policy established
log enable
Nothing found in XML Definitions
set firewall
state-policy invalid
action [accept | drop |
reject]
Nothing found in XML Definitions
set firewall
state-policy invalid
log enable
Nothing found in XML Definitions
set firewall
state-policy related
action [accept | drop |
reject]
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 666

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set firewall
state-policy related
log enable
Nothing found in XML Definitions
set firewall syn-cookies
[enable | disable]
Nothing found in XML Definitions
set firewall
twa-hazards-protection
[enable | disable]
Nothing found in XML Definitions
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
advertise-interval
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
authentication password
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
authentication type
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
description
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
disable
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
health-check failure-count
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
health-check interval
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
health-check script
下页继续

16.1. Configuration Commands 667

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
hello-source-address
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
interface
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
no-preempt
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
peer-address
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
preempt-delay
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
priority
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
rfc3768-compatibility
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
transition-script backup
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
transition-script fault
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
transition-script master
下页继续

16.1. Configuration Commands 668

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
transition-script mode-force
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
transition-script stop
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
virtual-address
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
virtual-address-excluded
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp group <group>
vrid
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp sync-group
<sync-group> member
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp sync-group
<sync-group> transition-script
backup
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp sync-group
<sync-group> transition-script fault
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp sync-group
<sync-group> transition-script
master
下页继续

16.1. Configuration Commands 669

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrrp.xml.in:
high-availability vrrp sync-group
<sync-group> transition-script stop
set interface ethernet
<ethN> firewall [in |
out | local] [name |
ipv6-name] <rule-set>
Nothing found in XML Definitions
set interfaces bond
<interface> address
<address | dhcp |
dhcpv6>
Nothing found in XML Definitions
set interfaces bond
<interface> description
<description>
Nothing found in XML Definitions
set interfaces bond
<interface> dhcp-options
client-id <description>
Nothing found in XML Definitions
set interfaces bond
<interface> dhcp-options
default-route-distance
<distance>
Nothing found in XML Definitions
set interfaces bond
<interface> dhcp-options
host-name <hostname>
Nothing found in XML Definitions
set interfaces bond
<interface> dhcp-options
no-default-route
Nothing found in XML Definitions
set interfaces bond
<interface> dhcp-options
vendor-class-id
<vendor-id>
Nothing found in XML Definitions
set interfaces
bond <interface>
dhcpv6-options duid
<duid>
Nothing found in XML Definitions
set interfaces
bond <interface>
dhcpv6-options
parameters-only
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 670

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
bond <interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
Nothing found in XML Definitions
set interfaces
bond <interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
Nothing found in XML Definitions
set interfaces
bond <interface>
dhcpv6-options pd <id>
length <length>
Nothing found in XML Definitions
set interfaces
bond <interface>
dhcpv6-options
rapid-commit
Nothing found in XML Definitions
set interfaces
bond <interface>
dhcpv6-options
temporary
Nothing found in XML Definitions
set interfaces bond
<interface> disable
Nothing found in XML Definitions
set interfaces
bond <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
bond <interface>
disable-link-detect
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ad-
dress
set interfaces bonding
<interface> arp-monitor
interval <time>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> arp-
monitor interval
下页继续

16.1. Configuration Commands 671

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bonding
<interface> arp-monitor
target <address>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> arp-
monitor target
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> de-
scription
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dhcp-
options client-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dhcp-
options default-route-distance
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dhcp-
options host-name
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dhcp-
options no-default-route
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dhcp-
options reject
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dhcp-
options vendor-class-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options duid
下页继续

16.1. Configuration Commands 672

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options parameters-only
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options pd <pd> interface
<interface> address
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options pd <pd> interface
<interface> sla-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options pd <pd> length
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options rapid-commit
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
dhcpv6-options temporary
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> dis-
able
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
disable-link-detect
set interfaces bonding
<interface> hash-policy
<policy>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> hash-
policy
下页继续

16.1. Configuration Commands 673

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip arp-
cache-timeout
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
disable-arp-filter
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
disable-forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
enable-arp-accept
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
enable-arp-announce
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
enable-arp-ignore
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
enable-proxy-arp
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
proxy-arp-pvlan
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ip
source-validation
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ipv6
address autoconf
下页继续

16.1. Configuration Commands 674

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ipv6
address eui64
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ipv6
address no-default-link-local
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> ipv6
dup-addr-detect-transmits
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> mac
set interfaces bonding
<interface> member
interface <member>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> mem-
ber interface
set interfaces bonding
<interface> min-links
<0-16>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> min-
links
set interfaces
bonding <interface>
mirror egress
<monitor-interface>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> mirror
egress
下页继续

16.1. Configuration Commands 675

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
bonding <interface>
mirror ingress
<monitor-interface>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> mirror
ingress
set interfaces bonding
<interface> mode <802.
3ad | active-backup |
broadcast | round-robin
| transmit-load-balance
| adaptive-load-balance
| xor-hash>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> mode
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> mtu
set interfaces bonding
<interface> primary
<interface>
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> pri-
mary
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> address
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> description
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcp-options client-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcp-options default-route-
distance
下页继续

16.1. Configuration Commands 676

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcp-options host-name
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-
s <vif-s> dhcp-options no-default-
route
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcp-options reject
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcp-options vendor-class-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcpv6-options duid
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcpv6-options parameters-
only
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcpv6-options pd <pd> in-
terface <interface> address
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcpv6-options pd <pd> in-
terface <interface> sla-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-
s <vif-s> dhcpv6-options pd <pd>
length
下页继续

16.1. Configuration Commands 677

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcpv6-options rapid-
commit
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> dhcpv6-options temporary
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> disable
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> disable-link-detect
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip arp-cache-timeout
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip disable-arp-filter
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip disable-forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip enable-arp-accept
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip enable-arp-announce
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip enable-arp-ignore
下页继续

16.1. Configuration Commands 678

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip enable-proxy-arp
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip proxy-arp-pvlan
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ip source-validation
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ipv6 address autoconf
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ipv6 address eui64
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ipv6 address no-default-link-
local
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
vif-s <vif-s> ipv6 dup-addr-detect-
transmits
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> mac
下页继续

16.1. Configuration Commands 679

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> mtu
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> protocol
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> address
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> description
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcp-options
client-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcp-options
default-route-distance
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcp-options
host-name
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcp-options
no-default-route
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcp-options
reject
下页继续

16.1. Configuration Commands 680

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcp-options
vendor-class-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
duid
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
parameters-only
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> interface <interface> ad-
dress
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> interface <interface> sla-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> length
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
rapid-commit
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
temporary
下页继续

16.1. Configuration Commands 681

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> disable
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> disable-link-
detect
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ip arp-cache-
timeout
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ip disable-arp-
filter
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-
s <vif-s> vif-c <vif-c> ip disable-
forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
accept
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
announce
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
ignore
下页继续

16.1. Configuration Commands 682

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-
s <vif-s> vif-c <vif-c> ip enable-
proxy-arp
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ip proxy-arp-
pvlan
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-
s <vif-s> vif-c <vif-c> ip source-
validation
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ipv6 address
autoconf
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ipv6 address
eui64
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ipv6 address
no-default-link-local
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ipv6 disable-
forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> ipv6 dup-addr-
detect-transmits
下页继续

16.1. Configuration Commands 683

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> mac
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> mtu
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vif-c <vif-c> vrf
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif-s
<vif-s> vrf
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> address
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> description
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcp-options client-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcp-options default-route-
distance
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcp-options host-name
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcp-options no-default-route
下页继续

16.1. Configuration Commands 684

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcp-options reject
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcp-options vendor-class-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options duid
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options parameters-
only
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options pd <pd> inter-
face <interface> address
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options pd <pd> inter-
face <interface> sla-id
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options pd <pd>
length
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options rapid-commit
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> dhcpv6-options temporary
下页继续

16.1. Configuration Commands 685

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> disable
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> disable-link-detect
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> egress-qos
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ingress-qos
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip arp-cache-timeout
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip disable-arp-filter
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip disable-forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip enable-arp-accept
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip enable-arp-announce
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip enable-arp-ignore
下页继续

16.1. Configuration Commands 686

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip enable-proxy-arp
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip proxy-arp-pvlan
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ip source-validation
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ipv6 address autoconf
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ipv6 address eui64
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ipv6 address no-default-link-
local
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding>
vif <vif> ipv6 dup-addr-detect-
transmits
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> mac
下页继续

16.1. Configuration Commands 687

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> mtu
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vif
<vif> vrf
Not documented yet
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> vrf
set interfaces bonding
<interface> xdp
------------------
interfaces-bonding.xml.in:
interfaces bonding <bonding> xdp
set interfaces bond
<interface> ip
arp-cache-timeout
Nothing found in XML Definitions
set interfaces bond
<interface> ip
disable-arp-filter
Nothing found in XML Definitions
set interfaces bond
<interface> ip
disable-forwarding
Nothing found in XML Definitions
set interfaces bond
<interface> ip
enable-arp-accept
Nothing found in XML Definitions
set interfaces bond
<interface> ip
enable-arp-announce
Nothing found in XML Definitions
set interfaces bond
<interface> ip
enable-arp-ignore
Nothing found in XML Definitions
set interfaces bond
<interface> ip
enable-proxy-arp
Nothing found in XML Definitions
set interfaces bond
<interface> ip
proxy-arp-pvlan
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 688

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bond
<interface> ip
source-validation
<strict | loose |
disable>
Nothing found in XML Definitions
set interfaces bond
<interface> ipv6 address
autoconf
Nothing found in XML Definitions
set interfaces bond
<interface> ipv6 address
eui64 <prefix>
Nothing found in XML Definitions
set interfaces bond
<interface> ipv6 address
no-default-link-local
Nothing found in XML Definitions
set interfaces bond
<interface> ipv6
disable-forwarding
Nothing found in XML Definitions
set interfaces bond
<interface> mac
<xx:xx:xx:xx:xx:xx>
Nothing found in XML Definitions
set interfaces bond
<interface> mtu <mtu>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> address
<address | dhcp |
dhcpv6>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> description
<description>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcp-options
client-id <description>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 689

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bond
<interface> vif
<vlan-id> dhcp-options
default-route-distance
<distance>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcp-options
host-name <hostname>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcp-options
no-default-route
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
duid <duid>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
parameters-only
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
pd <id> length <length>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 690

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
rapid-commit
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> dhcpv6-options
temporary
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> disable
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id>
disable-link-detect
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
arp-cache-timeout
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
disable-arp-filter
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
disable-forwarding
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
enable-arp-accept
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
enable-arp-announce
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
enable-arp-ignore
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 691

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
bond <interface>
vif <vlan-id> ip
enable-proxy-arp
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
proxy-arp-pvlan
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ip
source-validation
<strict | loose |
disable>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> ipv6 address
autoconf
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> ipv6 address
eui64 <prefix>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> ipv6 address
no-default-link-local
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> ipv6
disable-forwarding
Nothing found in XML Definitions
set interfaces
bond <interface>
vif <vlan-id> mac
<xx:xx:xx:xx:xx:xx>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> mtu <mtu>
Nothing found in XML Definitions
set interfaces bond
<interface> vif
<vlan-id> vrf <vrf>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 692

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bond
<interface> vrf <vrf>
Nothing found in XML Definitions
set interfaces bridge
<interface> address
<address | dhcp |
dhcpv6>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> address
set interfaces bridge
<interface> aging
<time>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> aging
set interfaces bridge
<interface> description
<description>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> descrip-
tion
set interfaces bridge
<interface> dhcp-options
client-id <description>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcp-
options client-id
set interfaces bridge
<interface> dhcp-options
default-route-distance
<distance>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcp-
options default-route-distance
set interfaces bridge
<interface> dhcp-options
host-name <hostname>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcp-
options host-name
下页继续

16.1. Configuration Commands 693

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> dhcp-options
no-default-route
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcp-
options no-default-route
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcp-
options reject
set interfaces bridge
<interface> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcp-
options vendor-class-id
set interfaces
bridge <interface>
dhcpv6-options duid
<duid>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options duid
set interfaces
bridge <interface>
dhcpv6-options
parameters-only
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options parameters-only
set interfaces
bridge <interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options pd <pd> interface <inter-
face> address
下页继续

16.1. Configuration Commands 694

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
bridge <interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options pd <pd> interface <inter-
face> sla-id
set interfaces
bridge <interface>
dhcpv6-options pd <id>
length <length>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options pd <pd> length
set interfaces
bridge <interface>
dhcpv6-options
rapid-commit
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options rapid-commit
set interfaces
bridge <interface>
dhcpv6-options
temporary
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> dhcpv6-
options temporary
set interfaces bridge
<interface> disable
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> disable
set interfaces
bridge <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
bridge <interface>
disable-link-detect
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> disable-
link-detect
下页继续

16.1. Configuration Commands 695

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> enable-vlan
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> enable-
vlan
set interfaces
bridge <interface>
forwarding-delay
<delay>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge>
forwarding-delay
set interfaces bridge
<interface> hello-time
<interval>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> hello-time
set interfaces bridge
<interface> igmp
querier
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> igmp
querier
set interfaces
bridge <interface> ip
arp-cache-timeout
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip arp-
cache-timeout
set interfaces
bridge <interface> ip
disable-arp-filter
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip disable-
arp-filter
set interfaces
bridge <interface> ip
disable-forwarding
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip disable-
forwarding
下页继续

16.1. Configuration Commands 696

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
bridge <interface> ip
enable-arp-accept
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip enable-
arp-accept
set interfaces
bridge <interface> ip
enable-arp-announce
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip enable-
arp-announce
set interfaces
bridge <interface> ip
enable-arp-ignore
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip enable-
arp-ignore
set interfaces
bridge <interface> ip
enable-proxy-arp
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip enable-
proxy-arp
set interfaces
bridge <interface> ip
proxy-arp-pvlan
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip proxy-
arp-pvlan
set interfaces
bridge <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ip source-
validation
set interfaces bridge
<interface> ipv6 address
autoconf
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ipv6 ad-
dress autoconf
下页继续

16.1. Configuration Commands 697

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ipv6 ad-
dress eui64
set interfaces bridge
<interface> ipv6 address
no-default-link-local
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ipv6 ad-
dress no-default-link-local
set interfaces bridge
<interface> ipv6
disable-forwarding
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> ipv6 dup-
addr-detect-transmits
set interfaces bridge
<interface> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> mac
set interfaces bridge
<interface> max-age
<time>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> max-age
set interfaces bridge
<interface> member
interface <member>
Nothing found in XML Definitions
set interfaces bridge
<interface> member
interface <member>
allowed-vlan <vlan-id>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> member
interface <interface> allowed-vlan
下页继续

16.1. Configuration Commands 698

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> member
interface <member> cost
<cost>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> member
interface <interface> cost
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> member
interface <interface> isolated
set interfaces bridge
<interface> member
interface <member>
native-vlan <vlan-id>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> member
interface <interface> native-vlan
set interfaces bridge
<interface> member
interface <member>
priority <priority>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> member
interface <interface> priority
set interfaces
bridge <interface>
mirror egress
<monitor-interface>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> mirror
egress
set interfaces
bridge <interface>
mirror ingress
<monitor-interface>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> mirror
ingress
set interfaces bridge
<interface> mtu <mtu>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> mtu
下页继续

16.1. Configuration Commands 699

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> priority
set interfaces bridge
<interface> stp
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> stp
set interfaces bridge
<interface> vif
<vlan-id>
Nothing found in XML Definitions
set interfaces bridge
<interface> vif
<vlan-id> address
<address | dhcp |
dhcpv6>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
address
set interfaces bridge
<interface> vif
<vlan-id> description
<description>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
description
set interfaces bridge
<interface> vif
<vlan-id> dhcp-options
client-id <description>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcp-options client-id
set interfaces bridge
<interface> vif
<vlan-id> dhcp-options
default-route-distance
<distance>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcp-options default-route-distance
下页继续

16.1. Configuration Commands 700

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> vif
<vlan-id> dhcp-options
host-name <hostname>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcp-options host-name
set interfaces bridge
<interface> vif
<vlan-id> dhcp-options
no-default-route
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcp-options no-default-route
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcp-options reject
set interfaces bridge
<interface> vif
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcp-options vendor-class-id
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
duid <duid>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options duid
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
parameters-only
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options parameters-only
下页继续

16.1. Configuration Commands 701

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options pd <pd> interface
<interface> address
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options pd <pd> interface
<interface> sla-id
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
pd <id> length <length>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options pd <pd> length
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
rapid-commit
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options rapid-commit
set interfaces bridge
<interface> vif
<vlan-id> dhcpv6-options
temporary
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
dhcpv6-options temporary
下页继续

16.1. Configuration Commands 702

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> vif
<vlan-id> disable
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
disable
set interfaces
bridge <interface>
vif <vlan-id>
disable-link-detect
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
disable-link-detect
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
egress-qos
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ingress-qos
set interfaces
bridge <interface>
vif <vlan-id> ip
arp-cache-timeout
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip arp-cache-timeout
set interfaces
bridge <interface>
vif <vlan-id> ip
disable-arp-filter
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip disable-arp-filter
set interfaces
bridge <interface>
vif <vlan-id> ip
disable-forwarding
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip disable-forwarding
下页继续

16.1. Configuration Commands 703

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
bridge <interface>
vif <vlan-id> ip
enable-arp-accept
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip enable-arp-accept
set interfaces
bridge <interface>
vif <vlan-id> ip
enable-arp-announce
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip enable-arp-announce
set interfaces
bridge <interface>
vif <vlan-id> ip
enable-arp-ignore
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip enable-arp-ignore
set interfaces
bridge <interface>
vif <vlan-id> ip
enable-proxy-arp
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip enable-proxy-arp
set interfaces
bridge <interface>
vif <vlan-id> ip
proxy-arp-pvlan
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip proxy-arp-pvlan
set interfaces
bridge <interface>
vif <vlan-id> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ip source-validation
下页继续

16.1. Configuration Commands 704

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> vif
<vlan-id> ipv6 address
autoconf
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ipv6 address autoconf
set interfaces bridge
<interface> vif
<vlan-id> ipv6 address
eui64 <prefix>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ipv6 address eui64
set interfaces bridge
<interface> vif
<vlan-id> ipv6 address
no-default-link-local
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ipv6 address no-default-link-local
set interfaces
bridge <interface>
vif <vlan-id> ipv6
disable-forwarding
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ipv6 disable-forwarding
Not documented yet
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
ipv6 dup-addr-detect-transmits
set interfaces
bridge <interface>
vif <vlan-id> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
mac
下页继续

16.1. Configuration Commands 705

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces bridge
<interface> vif
<vlan-id> mtu <mtu>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
mtu
set interfaces bridge
<interface> vif
<vlan-id> vrf <vrf>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vif <vif>
vrf
set interfaces bridge
<interface> vrf <vrf>
------------------
interfaces-bridge.xml.in:
interfaces bridge <bridge> vrf
set interfaces dummy
<interface> address
<address>
------------------
interfaces-dummy.xml.in:
interfaces dummy <dummy> address
set interfaces dummy
<interface> description
<description>
------------------
interfaces-dummy.xml.in:
interfaces dummy <dummy> de-
scription
set interfaces dummy
<interface> disable
------------------
interfaces-dummy.xml.in:
interfaces dummy <dummy> disable
Not documented yet
------------------
interfaces-dummy.xml.in:
interfaces dummy <dummy> ip
source-validation
set interfaces dummy
<interface> vrf <vrf>
------------------
interfaces-dummy.xml.in:
interfaces dummy <dummy> vrf
下页继续

16.1. Configuration Commands 706

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> address
<address | dhcp |
dhcpv6>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ad-
dress
set interfaces ethernet
<interface> description
<description>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> de-
scription
set interfaces ethernet
<interface> dhcp-options
client-id <description>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dhcp-
options client-id
set interfaces ethernet
<interface> dhcp-options
default-route-distance
<distance>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dhcp-
options default-route-distance
set interfaces ethernet
<interface> dhcp-options
host-name <hostname>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dhcp-
options host-name
set interfaces ethernet
<interface> dhcp-options
no-default-route
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dhcp-
options no-default-route
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dhcp-
options reject
下页继续

16.1. Configuration Commands 707

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dhcp-
options vendor-class-id
set interfaces
ethernet <interface>
dhcpv6-options duid
<duid>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options duid
set interfaces
ethernet <interface>
dhcpv6-options
parameters-only
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options parameters-only
set interfaces
ethernet <interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options pd <pd> interface
<interface> address
set interfaces
ethernet <interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options pd <pd> interface
<interface> sla-id
下页继续

16.1. Configuration Commands 708

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
dhcpv6-options pd <id>
length <length>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options pd <pd> length
set interfaces
ethernet <interface>
dhcpv6-options
rapid-commit
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options rapid-commit
set interfaces
ethernet <interface>
dhcpv6-options
temporary
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
dhcpv6-options temporary
set interfaces ethernet
<interface> disable
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> dis-
able
set interfaces
ethernet <interface>
disable-flow-control
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
disable-flow-control
set interfaces
ethernet <interface>
disable-link-detect
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
disable-link-detect
set interfaces ethernet
<interface> duplex <auto
| full | half>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> duplex
下页继续

16.1. Configuration Commands 709

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> eapol
ca-cert-file <file>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> eapol
ca-cert-file
set interfaces ethernet
<interface> eapol
cert-file <file>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> eapol
cert-file
set interfaces ethernet
<interface> eapol
key-file <file>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> eapol
key-file
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> hw-id
set interfaces
ethernet <interface>
ip arp-cache-timeout
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip arp-
cache-timeout
set interfaces
ethernet <interface>
ip disable-arp-filter
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
disable-arp-filter
set interfaces
ethernet <interface>
ip disable-forwarding
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
disable-forwarding
下页继续

16.1. Configuration Commands 710

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
ip enable-arp-accept
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
enable-arp-accept
set interfaces
ethernet <interface>
ip enable-arp-announce
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
enable-arp-announce
set interfaces
ethernet <interface>
ip enable-arp-ignore
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
enable-arp-ignore
set interfaces
ethernet <interface>
ip enable-proxy-arp
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
enable-proxy-arp
set interfaces ethernet
<interface> ip ospf bfd
Nothing found in XML Definitions
set interfaces
ethernet <interface>
ip proxy-arp-pvlan
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
proxy-arp-pvlan
set interfaces
ethernet <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ip
source-validation
下页继续

16.1. Configuration Commands 711

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> ipv6 address
autoconf
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ipv6
address autoconf
set interfaces ethernet
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ipv6
address eui64
set interfaces ethernet
<interface> ipv6 address
no-default-link-local
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ipv6
address no-default-link-local
set interfaces ethernet
<interface> ipv6
disable-forwarding
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ipv6
dup-addr-detect-transmits
set interfaces ethernet
<interface> ipv6 ospfv3
bfd
Nothing found in XML Definitions
set interfaces ethernet
<interface> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> mac
set interfaces ethernet
<interface> mirror
<interface>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 712

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
mirror egress
<monitor-interface>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> mirror
egress
set interfaces
ethernet <interface>
mirror ingress
<monitor-interface>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> mirror
ingress
set interfaces ethernet
<interface> mtu <mtu>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> mtu
set interfaces ethernet
<interface> offload <gro
| gso | sg | tso | ufo |
rps>
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> of-
fload gro
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> of-
fload gso
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> of-
fload rps
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> of-
fload sg
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> of-
fload tso
下页继续

16.1. Configuration Commands 713

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> of-
fload ufo
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ring-
buffer rx
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> ring-
buffer tx
set interfaces ethernet
<interface> speed <auto
| 10 | 100 | 1000 | 2500
| 5000 | 10000 | 25000 |
40000 | 50000 | 100000>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> speed
set interfaces ethernet
<interface> vif
<vlan-id>
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> address
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> description
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcp-options client-id
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcp-options default-route-
distance
下页继续

16.1. Configuration Commands 714

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcp-options host-name
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-
s <vif-s> dhcp-options no-default-
route
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcp-options reject
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcp-options vendor-class-id
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcpv6-options duid
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcpv6-options parameters-
only
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcpv6-options pd <pd> in-
terface <interface> address
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcpv6-options pd <pd> in-
terface <interface> sla-id
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-
s <vif-s> dhcpv6-options pd <pd>
length
下页继续

16.1. Configuration Commands 715

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcpv6-options rapid-
commit
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> dhcpv6-options temporary
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> disable
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> disable-link-detect
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip arp-cache-timeout
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip disable-arp-filter
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip disable-forwarding
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip enable-arp-accept
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip enable-arp-announce
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip enable-arp-ignore
下页继续

16.1. Configuration Commands 716

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip enable-proxy-arp
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip proxy-arp-pvlan
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ip source-validation
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ipv6 address autoconf
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ipv6 address eui64
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ipv6 address no-default-link-
local
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
vif-s <vif-s> ipv6 dup-addr-detect-
transmits
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> mac
下页继续

16.1. Configuration Commands 717

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> mtu
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> protocol
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> address
<address | dhcp |
dhcpv6>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> address
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> description
<description>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> description
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
client-id <description>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcp-options
client-id
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
default-route-distance
<distance>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcp-options
default-route-distance
下页继续

16.1. Configuration Commands 718

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
host-name <hostname>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcp-options
host-name
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
no-default-route
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcp-options
no-default-route
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcp-options
reject
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcp-options
vendor-class-id
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
duid <duid>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
duid
下页继续

16.1. Configuration Commands 719

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
parameters-only
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
parameters-only
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> interface <interface> ad-
dress
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> interface <interface> sla-id
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
pd <id> length <length>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> length
下页继续

16.1. Configuration Commands 720

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
rapid-commit
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
rapid-commit
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
temporary
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
temporary
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> disable
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> disable
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id>
disable-link-detect
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> disable-link-
detect
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
arp-cache-timeout
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ip arp-cache-
timeout
下页继续

16.1. Configuration Commands 721

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
disable-arp-filter
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ip disable-arp-
filter
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
disable-forwarding
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-
s <vif-s> vif-c <vif-c> ip disable-
forwarding
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-arp-accept
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
accept
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-arp-announce
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
announce
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-arp-ignore
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
ignore
下页继续

16.1. Configuration Commands 722

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-proxy-arp
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-
s <vif-s> vif-c <vif-c> ip enable-
proxy-arp
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
proxy-arp-pvlan
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ip proxy-arp-
pvlan
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-
s <vif-s> vif-c <vif-c> ip source-
validation
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> ipv6 address
autoconf
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ipv6 address
autoconf
下页继续

16.1. Configuration Commands 723

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> ipv6 address
eui64 <prefix>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ipv6 address
eui64
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> ipv6 address
no-default-link-local
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ipv6 address
no-default-link-local
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> ipv6
disable-forwarding
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ipv6 disable-
forwarding
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> ipv6 dup-addr-
detect-transmits
set interfaces
ethernet <interface>
vif-s <vlan-id>
vif-c <vlan-id> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> mac
下页继续

16.1. Configuration Commands 724

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> mtu <mtu>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> mtu
set interfaces ethernet
<interface> vif-s
<vlan-id> vif-c
<vlan-id> vrf <vrf>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vif-c <vif-c> vrf
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif-s
<vif-s> vrf
set interfaces ethernet
<interface> vif
<vlan-id> address
<address | dhcp |
dhcpv6>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> address
set interfaces ethernet
<interface> vif
<vlan-id> description
<description>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> description
set interfaces ethernet
<interface> vif
<vlan-id> dhcp-options
client-id <description>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcp-options client-id
下页继续

16.1. Configuration Commands 725

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif
<vlan-id> dhcp-options
default-route-distance
<distance>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcp-options default-route-
distance
set interfaces ethernet
<interface> vif
<vlan-id> dhcp-options
host-name <hostname>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcp-options host-name
set interfaces ethernet
<interface> vif
<vlan-id> dhcp-options
no-default-route
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcp-options no-default-route
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcp-options reject
set interfaces ethernet
<interface> vif
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcp-options vendor-class-id
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
duid <duid>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options duid
下页继续

16.1. Configuration Commands 726

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
parameters-only
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options parameters-
only
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options pd <pd> inter-
face <interface> address
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options pd <pd> inter-
face <interface> sla-id
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
pd <id> length <length>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options pd <pd>
length
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
rapid-commit
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options rapid-commit
下页继续

16.1. Configuration Commands 727

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces ethernet
<interface> vif
<vlan-id> dhcpv6-options
temporary
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> dhcpv6-options temporary
set interfaces ethernet
<interface> vif
<vlan-id> disable
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> disable
set interfaces
ethernet <interface>
vif <vlan-id>
disable-link-detect
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> disable-link-detect
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> egress-qos
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ingress-qos
set interfaces
ethernet <interface>
vif <vlan-id> ip
arp-cache-timeout
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip arp-cache-timeout
set interfaces
ethernet <interface>
vif <vlan-id> ip
disable-arp-filter
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip disable-arp-filter
下页继续

16.1. Configuration Commands 728

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
vif <vlan-id> ip
disable-forwarding
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip disable-forwarding
set interfaces
ethernet <interface>
vif <vlan-id> ip
enable-arp-accept
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip enable-arp-accept
set interfaces
ethernet <interface>
vif <vlan-id> ip
enable-arp-announce
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip enable-arp-announce
set interfaces
ethernet <interface>
vif <vlan-id> ip
enable-arp-ignore
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip enable-arp-ignore
set interfaces
ethernet <interface>
vif <vlan-id> ip
enable-proxy-arp
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip enable-proxy-arp
set interfaces
ethernet <interface>
vif <vlan-id> ip
proxy-arp-pvlan
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip proxy-arp-pvlan
下页继续

16.1. Configuration Commands 729

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
vif <vlan-id> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ip source-validation
set interfaces ethernet
<interface> vif
<vlan-id> ipv6 address
autoconf
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ipv6 address autoconf
set interfaces ethernet
<interface> vif
<vlan-id> ipv6 address
eui64 <prefix>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ipv6 address eui64
set interfaces ethernet
<interface> vif
<vlan-id> ipv6 address
no-default-link-local
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ipv6 address no-default-link-
local
set interfaces
ethernet <interface>
vif <vlan-id> ipv6
disable-forwarding
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet>
vif <vif> ipv6 dup-addr-detect-
transmits
下页继续

16.1. Configuration Commands 730

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
ethernet <interface>
vif <vlan-id> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> mac
set interfaces ethernet
<interface> vif
<vlan-id> mtu <mtu>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> mtu
set interfaces ethernet
<interface> vif
<vlan-id> vrf <vrf>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vif
<vif> vrf
set interfaces ethernet
<interface> vrf <vrf>
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> vrf
set interfaces ethernet
<interface> xdp
------------------
interfaces-ethernet.xml.in:
interfaces ethernet <ethernet> xdp
set interfaces geneve
<interface> address
<address>
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> address
set interfaces geneve
<interface> description
<description>
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> descrip-
tion
set interfaces geneve
<interface> disable
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> disable
下页继续

16.1. Configuration Commands 731

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
geneve <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
geneve <interface>
disable-link-detect
Nothing found in XML Definitions
set interfaces geneve
gnv0 remote <address>
Nothing found in XML Definitions
set interfaces geneve
gnv0 vni <vni>
Nothing found in XML Definitions
set interfaces
geneve <interface> ip
arp-cache-timeout
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip arp-
cache-timeout
set interfaces
geneve <interface> ip
disable-arp-filter
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
disable-arp-filter
set interfaces
geneve <interface> ip
disable-forwarding
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
disable-forwarding
set interfaces
geneve <interface> ip
enable-arp-accept
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
enable-arp-accept
set interfaces
geneve <interface> ip
enable-arp-announce
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
enable-arp-announce
下页继续

16.1. Configuration Commands 732

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
geneve <interface> ip
enable-arp-ignore
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
enable-arp-ignore
set interfaces
geneve <interface> ip
enable-proxy-arp
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
enable-proxy-arp
set interfaces
geneve <interface> ip
proxy-arp-pvlan
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip proxy-
arp-pvlan
set interfaces
geneve <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ip
source-validation
set interfaces geneve
<interface> ipv6 address
autoconf
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ipv6 ad-
dress autoconf
set interfaces geneve
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ipv6 ad-
dress eui64
set interfaces geneve
<interface> ipv6 address
no-default-link-local
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ipv6 ad-
dress no-default-link-local
下页继续

16.1. Configuration Commands 733

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces geneve
<interface> ipv6
disable-forwarding
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> ipv6
dup-addr-detect-transmits
set interfaces geneve
<interface> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> mac
set interfaces geneve
<interface> mtu <mtu>
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> mtu
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> parame-
ters ip dont-fragment
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> parame-
ters ip tos
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> parame-
ters ip ttl
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> parame-
ters ipv6 flowlabel
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> remote
Not documented yet
------------------
interfaces-geneve.xml.in:
interfaces geneve <geneve> vni
下页继续

16.1. Configuration Commands 734

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces geneve
<interface> vrf <vrf>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ip rip
authentication md5 <id>
password <text>
Nothing found in XML Definitions
set interfaces
<inttype> <intname>
ip rip authentication
plaintext-password
<text>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ip rip
split-horizon disable
Nothing found in XML Definitions
set interfaces
<inttype> <intname>
ip rip split-horizon
poison-reverse
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
cost <number>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
dead-interval <number>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
hello-interval <number>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
mtu-ignore
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
network <type>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
passive
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
priority <number>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 735

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces <inttype>
<intname> ipv6 ospfv3
retransmit-interval
<number>
Nothing found in XML Definitions
set interfaces <inttype>
<intname> ipv6 ospfv3
transmit-delay <number>
Nothing found in XML Definitions
set interfaces l2tpv3
<interface> address
<address>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> address
set interfaces l2tpv3
<interface> description
<description>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> descrip-
tion
Not documented yet
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3>
destination-port
set interfaces l2tpv3
<interface> disable
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> disable
set interfaces
l2tpv3 <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
l2tpv3 <interface>
disable-link-detect
Nothing found in XML Definitions
set interfaces
l2tpv3 <interface>
encapsulation <udp |
ip>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> encapsu-
lation
下页继续

16.1. Configuration Commands 736

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
l2tpv3 <interface> ip
arp-cache-timeout
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip arp-
cache-timeout
set interfaces
l2tpv3 <interface> ip
disable-arp-filter
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip disable-
arp-filter
set interfaces
l2tpv3 <interface> ip
disable-forwarding
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip disable-
forwarding
set interfaces
l2tpv3 <interface> ip
enable-arp-accept
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip enable-
arp-accept
set interfaces
l2tpv3 <interface> ip
enable-arp-announce
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip enable-
arp-announce
set interfaces
l2tpv3 <interface> ip
enable-arp-ignore
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip enable-
arp-ignore
set interfaces
l2tpv3 <interface> ip
enable-proxy-arp
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip enable-
proxy-arp
下页继续

16.1. Configuration Commands 737

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
l2tpv3 <interface> ip
proxy-arp-pvlan
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip proxy-
arp-pvlan
set interfaces
l2tpv3 <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ip source-
validation
set interfaces l2tpv3
<interface> ipv6 address
autoconf
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ipv6 ad-
dress autoconf
set interfaces l2tpv3
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ipv6 ad-
dress eui64
set interfaces l2tpv3
<interface> ipv6 address
no-default-link-local
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ipv6 ad-
dress no-default-link-local
set interfaces l2tpv3
<interface> ipv6
disable-forwarding
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> ipv6 dup-
addr-detect-transmits
下页继续

16.1. Configuration Commands 738

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces l2tpv3
<interface> local-ip
<address>
Nothing found in XML Definitions
set interfaces l2tpv3
<interface> mac
<xx:xx:xx:xx:xx:xx>
Nothing found in XML Definitions
set interfaces l2tpv3
<interface> mtu <mtu>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> mtu
set interfaces
l2tpv3 <interface>
peer-session-id <id>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> peer-
session-id
set interfaces
l2tpv3 <interface>
peer-tunnel-id <id>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> peer-
tunnel-id
Not documented yet
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> remote
set interfaces l2tpv3
<interface> remote-ip
<address>
Nothing found in XML Definitions
set interfaces l2tpv3
<interface> session-id
<id>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> session-id
Not documented yet
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> source-
address
Not documented yet
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> source-
port
下页继续

16.1. Configuration Commands 739

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces l2tpv3
<interface> tunnel-id
<id>
------------------
interfaces-l2tpv3.xml.in:
interfaces l2tpv3 <l2tpv3> tunnel-id
set interfaces l2tpv3
<interface> vrf <vrf>
Nothing found in XML Definitions
set interfaces loopback
<interface> address
<address>
------------------
interfaces-loopback.xml.in:
interfaces loopback <loopback> ad-
dress
set interfaces loopback
<interface> description
<description>
------------------
interfaces-loopback.xml.in:
interfaces loopback <loopback> de-
scription
Not documented yet
------------------
interfaces-loopback.xml.in:
interfaces loopback <loopback> ip
source-validation
set interfaces macsec
<interface> address
<address | dhcp |
dhcpv6>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> address
set interfaces macsec
<interface> description
<description>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> descrip-
tion
set interfaces macsec
<interface> dhcp-options
client-id <description>
Nothing found in XML Definitions
set interfaces macsec
<interface> dhcp-options
default-route-distance
<distance>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 740

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces macsec
<interface> dhcp-options
host-name <hostname>
Nothing found in XML Definitions
set interfaces macsec
<interface> dhcp-options
no-default-route
Nothing found in XML Definitions
set interfaces macsec
<interface> dhcp-options
vendor-class-id
<vendor-id>
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options duid
<duid>
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options
parameters-only
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options pd <id>
length <length>
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options
rapid-commit
Nothing found in XML Definitions
set interfaces
macsec <interface>
dhcpv6-options
temporary
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 741

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces macsec
<interface> disable
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> disable
set interfaces
macsec <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
macsec <interface>
disable-link-detect
Nothing found in XML Definitions
set interfaces
macsec <interface> ip
arp-cache-timeout
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip arp-
cache-timeout
set interfaces
macsec <interface> ip
disable-arp-filter
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
disable-arp-filter
set interfaces
macsec <interface> ip
disable-forwarding
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
disable-forwarding
set interfaces
macsec <interface> ip
enable-arp-accept
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
enable-arp-accept
set interfaces
macsec <interface> ip
enable-arp-announce
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
enable-arp-announce
下页继续

16.1. Configuration Commands 742

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
macsec <interface> ip
enable-arp-ignore
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
enable-arp-ignore
set interfaces
macsec <interface> ip
enable-proxy-arp
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
enable-proxy-arp
set interfaces
macsec <interface> ip
proxy-arp-pvlan
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
proxy-arp-pvlan
set interfaces
macsec <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ip
source-validation
set interfaces macsec
<interface> ipv6 address
autoconf
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ipv6 ad-
dress autoconf
set interfaces macsec
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ipv6 ad-
dress eui64
set interfaces macsec
<interface> ipv6 address
no-default-link-local
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ipv6 ad-
dress no-default-link-local
下页继续

16.1. Configuration Commands 743

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces macsec
<interface> ipv6
disable-forwarding
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> ipv6
dup-addr-detect-transmits
set interfaces macsec
<interface> mac
<xx:xx:xx:xx:xx:xx>
Nothing found in XML Definitions
set interfaces macsec
<interface> mtu <mtu>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> mtu
set interfaces
macsec <interface>
security cipher
<gcm-aes-128|gcm-aes-256>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> security
cipher
set interfaces macsec
<interface> security
encrypt
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> security
encrypt
set interfaces macsec
<interface> security mka
cak <key>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> security
mka cak
set interfaces macsec
<interface> security mka
ckn <key>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> security
mka ckn
下页继续

16.1. Configuration Commands 744

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces macsec
<interface> security mka
priority <priority>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> security
mka priority
set interfaces macsec
<interface> security
replay-window <window>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> security
replay-window
set interfaces
macsec <interface>
source-interface
<physical-source>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> source-
interface
set interfaces macsec
<interface> vrf <vrf>
------------------
interfaces-macsec.xml.in:
interfaces macsec <macsec> vrf
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> au-
thentication password
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> au-
thentication username
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> de-
scription
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
device-type
下页继续

16.1. Configuration Commands 745

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> dis-
able
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> en-
cryption cipher
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> en-
cryption disable-ncp
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> en-
cryption ncp-ciphers
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> hash
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> ipv6
address autoconf
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> ipv6
address eui64
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> ipv6
address no-default-link-local
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> ipv6
dup-addr-detect-transmits
下页继续

16.1. Configuration Commands 746

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> keep-
alive failure-count
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> keep-
alive interval
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
local-address <local-address>
subnet-mask
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> local-
host
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> local-
port
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> mode
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
openvpn-option
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
persistent-tunnel
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> pro-
tocol
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
remote-address
下页继续

16.1. Configuration Commands 747

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
remote-host
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
remote-port
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
replace-default-route local
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client-ip-pool disable
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client-ip-pool start
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client-ip-pool stop
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client-ip-pool subnet-mask
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client-ipv6-pool base
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client-ipv6-pool disable
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client <client> disable
下页继续

16.1. Configuration Commands 748

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client <client> ip
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client <client> push-route
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server client <client> subnet
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server domain-name
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server max-connections
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server name-server
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server push-route
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server reject-unconfigured-clients
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server subnet
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
server topology
下页继续

16.1. Configuration Commands 749

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn>
shared-secret-key-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
auth-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls ca-
cert-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
cert-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
crl-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
crypt-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
dh-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
key-file
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls
role
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> tls tls-
version-min
下页继续

16.1. Configuration Commands 750

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> use-
lzo-compression
Not documented yet
------------------
interfaces-openvpn.xml.in:
interfaces openvpn <openvpn> vrf
set interfaces openvpn
vtun10 openvpn-option
'persistent-key'
Nothing found in XML Definitions
set interfaces openvpn
vtun10 openvpn-option
'push &quot;keepalive 1
10&quot;'
Nothing found in XML Definitions
set interfaces
pppoe <interface>
access-concentrator
<name>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> access-
concentrator
set interfaces
pppoe <interface>
authentication password
<password>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> authenti-
cation password
set interfaces
pppoe <interface>
authentication user
<username>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> authenti-
cation user
set interfaces
pppoe <interface>
connect-on-demand
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> connect-
on-demand
下页继续

16.1. Configuration Commands 751

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> default-
route
set interfaces
pppoe <interface>
default-route [auto |
force | none]
Nothing found in XML Definitions
set interfaces pppoe
<interface> description
<description>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> descrip-
tion
Not documented yet
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options duid
Not documented yet
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options parameters-only
set interfaces
pppoe <interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options pd <pd> interface <inter-
face> address
set interfaces
pppoe <interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options pd <pd> interface <inter-
face> sla-id
下页继续

16.1. Configuration Commands 752

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pppoe <interface>
dhcpv6-options pd <id>
length <length>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options pd <pd> length
Not documented yet
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options rapid-commit
Not documented yet
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> dhcpv6-
options temporary
set interfaces pppoe
<interface> disable
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> disable
set interfaces pppoe
<interface> idle-timeout
<time>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> idle-
timeout
Not documented yet
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> ip source-
validation
set interfaces pppoe
<interface> ipv6 address
autoconf
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> ipv6 ad-
dress autoconf
set interfaces
pppoe <interface>
local-address <address>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> local-
address
下页继续

16.1. Configuration Commands 753

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces pppoe
<interface> mtu <mtu>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> mtu
set interfaces pppoe
<interface> no-peer-dns
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> no-peer-
dns
set interfaces
pppoe <interface>
remote-address
<address>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> remote-
address
set interfaces pppoe
<interface> service-name
<name>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> service-
name
set interfaces
pppoe <interface>
source-interface
<source-interface>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> source-
interface
set interfaces pppoe
<interface> vrf <vrf>
------------------
interfaces-pppoe.xml.in:
interfaces pppoe <pppoe> vrf
set interfaces
pseudo-ethernet
<interface> address
<address | dhcp |
dhcpv6>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> address
下页继续

16.1. Configuration Commands 754

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> description
<description>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> description
set interfaces
pseudo-ethernet
<interface> dhcp-options
client-id <description>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcp-options client-id
set interfaces
pseudo-ethernet
<interface> dhcp-options
default-route-distance
<distance>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcp-options default-
route-distance
set interfaces
pseudo-ethernet
<interface> dhcp-options
host-name <hostname>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcp-options host-name
set interfaces
pseudo-ethernet
<interface> dhcp-options
no-default-route
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcp-options no-default-
route
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcp-options reject
下页继续

16.1. Configuration Commands 755

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcp-options vendor-class-
id
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options duid
<duid>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcpv6-options duid
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options
parameters-only
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet
<pseudo-ethernet> dhcpv6-options
parameters-only
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcpv6-options pd <pd>
interface <interface> address
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcpv6-options pd <pd>
interface <interface> sla-id
下页继续

16.1. Configuration Commands 756

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options pd <id>
length <length>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcpv6-options pd <pd>
length
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options
rapid-commit
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcpv6-options rapid-
commit
set interfaces
pseudo-ethernet
<interface>
dhcpv6-options
temporary
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> dhcpv6-options temporary
set interfaces
pseudo-ethernet
<interface> disable
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> disable
set interfaces
pseudo-ethernet
<interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
pseudo-ethernet
<interface>
disable-link-detect
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> disable-link-detect
下页继续

16.1. Configuration Commands 757

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> ip
arp-cache-timeout
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip arp-cache-timeout
set interfaces
pseudo-ethernet
<interface> ip
disable-arp-filter
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip disable-arp-filter
set interfaces
pseudo-ethernet
<interface> ip
disable-forwarding
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip disable-forwarding
set interfaces
pseudo-ethernet
<interface> ip
enable-arp-accept
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip enable-arp-accept
set interfaces
pseudo-ethernet
<interface> ip
enable-arp-announce
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip enable-arp-announce
set interfaces
pseudo-ethernet
<interface> ip
enable-arp-ignore
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip enable-arp-ignore
下页继续

16.1. Configuration Commands 758

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> ip
enable-proxy-arp
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip enable-proxy-arp
set interfaces
pseudo-ethernet
<interface> ip
proxy-arp-pvlan
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip proxy-arp-pvlan
set interfaces
pseudo-ethernet
<interface> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ip source-validation
set interfaces
pseudo-ethernet
<interface> ipv6 address
autoconf
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ipv6 address autoconf
set interfaces
pseudo-ethernet
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ipv6 address eui64
set interfaces
pseudo-ethernet
<interface> ipv6 address
no-default-link-local
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ipv6 address no-default-
link-local
下页继续

16.1. Configuration Commands 759

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> ipv6
disable-forwarding
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> ipv6 dup-addr-detect-
transmits
set interfaces
pseudo-ethernet
<interface> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> mac
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> mode
set interfaces
pseudo-ethernet
<interface> mtu <mtu>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> mtu
set interfaces
pseudo-ethernet
<interface>
source-interface <ethX>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> source-interface
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 760

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> address
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> description
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcp-options
client-id
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcp-options
default-route-distance
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcp-options
host-name
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcp-options
no-default-route
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcp-options
reject
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcp-options
vendor-class-id
下页继续

16.1. Configuration Commands 761

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options duid
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options parameters-only
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options pd <pd> interface <inter-
face> address
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options pd <pd> interface <inter-
face> sla-id
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options pd <pd> length
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options rapid-commit
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> dhcpv6-
options temporary
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> disable
下页继续

16.1. Configuration Commands 762

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> disable-link-
detect
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip arp-cache-
timeout
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip disable-
arp-filter
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip disable-
forwarding
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip enable-arp-
accept
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip enable-arp-
announce
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip enable-arp-
ignore
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip enable-
proxy-arp
下页继续

16.1. Configuration Commands 763

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip proxy-arp-
pvlan
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ip source-
validation
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ipv6 address
autoconf
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ipv6 address
eui64
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ipv6 address
no-default-link-local
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ipv6 disable-
forwarding
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> ipv6 dup-
addr-detect-transmits
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> mac
下页继续

16.1. Configuration Commands 764

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> mtu
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> protocol
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
address
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
description
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcp-options client-id
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcp-options default-route-distance
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcp-options host-name
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcp-options no-default-route
下页继续

16.1. Configuration Commands 765

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcp-options reject
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcp-options vendor-class-id
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcpv6-options duid
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcpv6-options parameters-only
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-
c> dhcpv6-options pd <pd> interface
<interface> address
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-
c> dhcpv6-options pd <pd> interface
<interface> sla-id
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcpv6-options pd <pd> length
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcpv6-options rapid-commit
下页继续

16.1. Configuration Commands 766

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
dhcpv6-options temporary
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
disable
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
disable-link-detect
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip arp-cache-timeout
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip disable-arp-filter
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip disable-forwarding
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip enable-arp-accept
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip enable-arp-announce
下页继续

16.1. Configuration Commands 767

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip enable-arp-ignore
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip enable-proxy-arp
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip proxy-arp-pvlan
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ip source-validation
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ipv6 address autoconf
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ipv6 address eui64
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ipv6 address no-default-link-local
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ipv6 disable-forwarding
下页继续

16.1. Configuration Commands 768

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
ipv6 dup-addr-detect-transmits
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
mac
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
mtu
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vif-c <vif-c>
vrf
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif-s <vif-s> vrf
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> address
<address | dhcp |
dhcpv6>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> address
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> description
<description>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> description
下页继续

16.1. Configuration Commands 769

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcp-options
client-id <description>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcp-options
client-id
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcp-options
default-route-distance
<distance>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcp-options
default-route-distance
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcp-options
host-name <hostname>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcp-options
host-name
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcp-options
no-default-route
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcp-options no-
default-route
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcp-options re-
ject
下页继续

16.1. Configuration Commands 770

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcp-options
vendor-class-id
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
duid <duid>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
duid
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
parameters-only
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
parameters-only
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
pd <pd> interface <interface> ad-
dress
下页继续

16.1. Configuration Commands 771

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
pd <pd> interface <interface> sla-id
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
pd <id> length <length>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
pd <pd> length
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
rapid-commit
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
rapid-commit
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> dhcpv6-options
temporary
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> dhcpv6-options
temporary
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> disable
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> disable
下页继续

16.1. Configuration Commands 772

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface>
vif <vlan-id>
disable-link-detect
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> disable-link-
detect
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> egress-qos
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ingress-qos
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
arp-cache-timeout
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip arp-cache-
timeout
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
disable-arp-filter
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip disable-arp-
filter
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
disable-forwarding
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip disable-
forwarding
下页继续

16.1. Configuration Commands 773

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
enable-arp-accept
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip enable-arp-
accept
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
enable-arp-announce
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip enable-arp-
announce
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
enable-arp-ignore
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip enable-arp-
ignore
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
enable-proxy-arp
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip enable-proxy-
arp
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
proxy-arp-pvlan
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip proxy-arp-
pvlan
下页继续

16.1. Configuration Commands 774

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ip source-
validation
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ipv6 address
autoconf
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ipv6 address au-
toconf
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ipv6 address
eui64 <prefix>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ipv6 address
eui64
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ipv6 address
no-default-link-local
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ipv6 address no-
default-link-local
下页继续

16.1. Configuration Commands 775

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> ipv6
disable-forwarding
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ipv6 disable-
forwarding
Not documented yet
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> ipv6 dup-addr-
detect-transmits
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> mac
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> mtu <mtu>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> mtu
set interfaces
pseudo-ethernet
<interface> vif
<vlan-id> vrf <vrf>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vif <vif> vrf
set interfaces
pseudo-ethernet
<interface> vrf <vrf>
------------------
interfaces-pseudo-ethernet.xml.in:
interfaces pseudo-ethernet <pseudo-
ethernet> vrf
下页继续

16.1. Configuration Commands 776

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> 6rd-prefix
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> 6rd-relay-
prefix
set interfaces tunnel
<interface> address
<address>
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> address
set interfaces tunnel
<interface> description
<description>
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> descrip-
tion
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> dhcp-
interface
set interfaces tunnel
<interface> disable
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> disable
set interfaces
tunnel <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
tunnel <interface>
disable-link-detect
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> disable-
link-detect
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> encapsu-
lation
下页继续

16.1. Configuration Commands 777

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
tunnel <interface> ip
arp-cache-timeout
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip arp-
cache-timeout
set interfaces
tunnel <interface> ip
disable-arp-filter
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip disable-
arp-filter
set interfaces
tunnel <interface> ip
disable-forwarding
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip disable-
forwarding
set interfaces
tunnel <interface> ip
enable-arp-accept
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip enable-
arp-accept
set interfaces
tunnel <interface> ip
enable-arp-announce
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip enable-
arp-announce
set interfaces
tunnel <interface> ip
enable-arp-ignore
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip enable-
arp-ignore
set interfaces
tunnel <interface> ip
enable-proxy-arp
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip enable-
proxy-arp
下页继续

16.1. Configuration Commands 778

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
tunnel <interface> ip
proxy-arp-pvlan
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip proxy-
arp-pvlan
set interfaces
tunnel <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ip source-
validation
set interfaces tunnel
<interface> ipv6 address
autoconf
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ipv6 ad-
dress autoconf
set interfaces tunnel
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ipv6 ad-
dress eui64
set interfaces tunnel
<interface> ipv6 address
no-default-link-local
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ipv6 ad-
dress no-default-link-local
set interfaces tunnel
<interface> ipv6
disable-forwarding
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> ipv6 dup-
addr-detect-transmits
下页继续

16.1. Configuration Commands 779

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces tunnel
<interface> mac
<xx:xx:xx:xx:xx:xx>
Nothing found in XML Definitions
set interfaces tunnel
<interface> mtu <mtu>
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> mtu
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> multicast
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters erspan direction
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters erspan hw-id
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters erspan index
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters erspan version
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ip key
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ip no-pmtu-discovery
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ip tos
下页继续

16.1. Configuration Commands 780

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ip ttl
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ipv6 encaplimit
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ipv6 flowlabel
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ipv6 hoplimit
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> parame-
ters ipv6 tclass
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> remote
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> source-
address
Not documented yet
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> source-
interface
set interfaces tunnel
<interface> vrf <vrf>
------------------
interfaces-tunnel.xml.in:
interfaces tunnel <tunnel> vrf
set interfaces <dummy
| ethernet | bonding
| bridge | pppoe>
<interface> vrf <name>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 781

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces vxlan
<interface> address
<address>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> address
set interfaces vxlan
<interface> description
<description>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> description
set interfaces vxlan
<interface> disable
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> disable
set interfaces
vxlan <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
vxlan <interface>
disable-link-detect
Nothing found in XML Definitions
set interfaces vxlan
<interface> group
<address>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> group
set interfaces
vxlan <interface> ip
arp-cache-timeout
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip arp-
cache-timeout
set interfaces
vxlan <interface> ip
disable-arp-filter
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip disable-
arp-filter
下页继续

16.1. Configuration Commands 782

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
vxlan <interface> ip
disable-forwarding
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip disable-
forwarding
set interfaces
vxlan <interface> ip
enable-arp-accept
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip enable-
arp-accept
set interfaces
vxlan <interface> ip
enable-arp-announce
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip enable-
arp-announce
set interfaces
vxlan <interface> ip
enable-arp-ignore
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip enable-
arp-ignore
set interfaces
vxlan <interface> ip
enable-proxy-arp
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip enable-
proxy-arp
set interfaces
vxlan <interface> ip
proxy-arp-pvlan
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip proxy-
arp-pvlan
set interfaces vxlan
<interface> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ip source-
validation
下页继续

16.1. Configuration Commands 783

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces vxlan
<interface> ipv6 address
autoconf
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ipv6 ad-
dress autoconf
set interfaces vxlan
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ipv6 ad-
dress eui64
set interfaces vxlan
<interface> ipv6 address
no-default-link-local
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ipv6 ad-
dress no-default-link-local
set interfaces vxlan
<interface> ipv6
disable-forwarding
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> ipv6 dup-
addr-detect-transmits
set interfaces vxlan
<interface> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> mac
set interfaces vxlan
<interface> mtu <mtu>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> mtu
Not documented yet
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> parameters
ip dont-fragment
下页继续

16.1. Configuration Commands 784

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> parameters
ip tos
Not documented yet
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> parameters
ip ttl
Not documented yet
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> parameters
ipv6 flowlabel
Not documented yet
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> parameters
nolearning
set interfaces vxlan
<interface> port <port>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> port
set interfaces vxlan
<interface> remote
<address>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> remote
set interfaces
vxlan <interface>
source-address
<interface>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> source-
address
set interfaces
vxlan <interface>
source-interface
<interface>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> source-
interface
下页继续

16.1. Configuration Commands 785

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces vxlan
<interface> vni
<number>
------------------
interfaces-vxlan.xml.in:
interfaces vxlan <vxlan> vni
set interfaces vxlan
<interface> vrf <vrf>
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
address
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
description
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
disable
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
fwmark
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
arp-cache-timeout
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
disable-arp-filter
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
disable-forwarding
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
enable-arp-accept
下页继续

16.1. Configuration Commands 786

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
enable-arp-announce
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
enable-arp-ignore
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
enable-proxy-arp
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
proxy-arp-pvlan
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard> ip
source-validation
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
ipv6 address autoconf
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
ipv6 address eui64
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
ipv6 address no-default-link-local
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
ipv6 disable-forwarding
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
ipv6 dup-addr-detect-transmits
下页继续

16.1. Configuration Commands 787

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
mtu
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> address
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> allowed-ips
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> disable
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> persistent-keepalive
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> port
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> preshared-key
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
peer <peer> pubkey
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
port
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
private-key
下页继续

16.1. Configuration Commands 788

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireguard.xml.in:
interfaces wireguard <wireguard>
vrf
set interfaces wireless
<interface> address
<address | dhcp |
dhcpv6>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ad-
dress
set interfaces wireless
<interface> capabilities
ht 40mhz-incapable
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht 40mhz-incapable
set interfaces wireless
<interface> capabilities
ht auto-powersave
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht auto-powersave
set interfaces wireless
<interface> capabilities
ht channel-set-width
<ht20 | ht40+ | ht40->
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht channel-set-width
set interfaces wireless
<interface> capabilities
ht delayed-block-ack
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht delayed-block-ack
set interfaces wireless
<interface> capabilities
ht dsss-cck-40
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht dsss-cck-40
下页继续

16.1. Configuration Commands 789

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> capabilities
ht greenfield
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht greenfield
set interfaces wireless
<interface> capabilities
ht ldpc
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht ldpc
set interfaces wireless
<interface> capabilities
ht lsig-protection
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht lsig-protection
set interfaces wireless
<interface> capabilities
ht max-amsdu <3839 |
7935>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht max-amsdu
set interfaces wireless
<interface> capabilities
ht short-gi <20 | 40>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht short-gi
set interfaces wireless
<interface> capabilities
ht smps <static |
dynamic>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht smps
set interfaces wireless
<interface> capabilities
ht stbc rx <num>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht stbc rx
下页继续

16.1. Configuration Commands 790

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> capabilities
ht stbc tx
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities ht stbc tx
set interfaces wireless
<interface> capabilities
require-ht
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities require-ht
set interfaces wireless
<interface> capabilities
require-hvt
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities require-vht
set interfaces wireless
<interface> capabilities
vht antenna-count
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht antenna-count
set interfaces
wireless <interface>
capabilities vht
antenna-pattern-fixed
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht antenna-pattern-fixed
set interfaces wireless
<interface> capabilities
vht beamform
<single-user-beamformer
| single-user-beamformee
| multi-user-beamformer
| multi-user-beamformee>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht beamform
下页继续

16.1. Configuration Commands 791

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> capabilities
vht center-channel-freq
<freq-1 | freq-2>
<number>
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht center-channel-freq freq-
1
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht center-channel-freq freq-
2
set interfaces wireless
<interface> capabilities
vht channel-set-width <0
| 1 | 2 | 3>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht channel-set-width
set interfaces wireless
<interface> capabilities
vht ldpc
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht ldpc
set interfaces wireless
<interface> capabilities
vht link-adaptation
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht link-adaptation
set interfaces wireless
<interface> capabilities
vht max-mpdu <value>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht max-mpdu
下页继续

16.1. Configuration Commands 792

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> capabilities
vht max-mpdu-exp
<value>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht max-mpdu-exp
set interfaces wireless
<interface> capabilities
vht short-gi <80 | 160>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht short-gi
set interfaces wireless
<interface> capabilities
vht stbc rx <num>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht stbc rx
set interfaces wireless
<interface> capabilities
vht stbc tx
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht stbc tx
set interfaces wireless
<interface> capabilities
vht tx-powersave
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht tx-powersave
set interfaces wireless
<interface> capabilities
vht vht-cf
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> capa-
bilities vht vht-cf
set interfaces wireless
<interface> channel
<number>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> chan-
nel
下页继续

16.1. Configuration Commands 793

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> country-code
<cc>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
country-code
set interfaces wireless
<interface> description
<description>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> de-
scription
set interfaces wireless
<interface> dhcp-options
client-id <description>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> dhcp-
options client-id
set interfaces wireless
<interface> dhcp-options
default-route-distance
<distance>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> dhcp-
options default-route-distance
set interfaces wireless
<interface> dhcp-options
host-name <hostname>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> dhcp-
options host-name
set interfaces wireless
<interface> dhcp-options
no-default-route
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> dhcp-
options no-default-route
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> dhcp-
options reject
下页继续

16.1. Configuration Commands 794

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> dhcp-
options vendor-class-id
set interfaces
wireless <interface>
dhcpv6-options duid
<duid>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options duid
set interfaces
wireless <interface>
dhcpv6-options
parameters-only
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options parameters-only
set interfaces
wireless <interface>
dhcpv6-options pd <id>
interface <delegatee>
address <address>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options pd <pd> interface
<interface> address
set interfaces
wireless <interface>
dhcpv6-options pd <id>
interface <delegatee>
sla-id <id>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options pd <pd> interface
<interface> sla-id
下页继续

16.1. Configuration Commands 795

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
dhcpv6-options pd <id>
length <length>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options pd <pd> length
set interfaces
wireless <interface>
dhcpv6-options
rapid-commit
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options rapid-commit
set interfaces
wireless <interface>
dhcpv6-options
temporary
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
dhcpv6-options temporary
set interfaces wireless
<interface> disable
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> disable
set interfaces
wireless <interface>
disable-broadcast-ssid
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
disable-broadcast-ssid
set interfaces
wireless <interface>
disable-flow-control
Nothing found in XML Definitions
set interfaces
wireless <interface>
disable-link-detect
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
disable-link-detect
下页继续

16.1. Configuration Commands 796

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
expunge-failing-stations
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
expunge-failing-stations
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> hw-id
set interfaces
wireless <interface>
ip arp-cache-timeout
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip arp-
cache-timeout
set interfaces
wireless <interface>
ip disable-arp-filter
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
disable-arp-filter
set interfaces
wireless <interface>
ip disable-forwarding
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
disable-forwarding
set interfaces
wireless <interface>
ip enable-arp-accept
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
enable-arp-accept
set interfaces
wireless <interface>
ip enable-arp-announce
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
enable-arp-announce
下页继续

16.1. Configuration Commands 797

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
ip enable-arp-ignore
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
enable-arp-ignore
set interfaces
wireless <interface>
ip enable-proxy-arp
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
enable-proxy-arp
set interfaces
wireless <interface>
ip proxy-arp-pvlan
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
proxy-arp-pvlan
set interfaces
wireless <interface>
ip source-validation
<strict | loose |
disable>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ip
source-validation
set interfaces wireless
<interface> ipv6 address
autoconf
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ipv6
address autoconf
set interfaces wireless
<interface> ipv6 address
eui64 <prefix>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ipv6
address eui64
set interfaces wireless
<interface> ipv6 address
no-default-link-local
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ipv6
address no-default-link-local
下页继续

16.1. Configuration Commands 798

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> ipv6
disable-forwarding
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ipv6
disable-forwarding
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ipv6
dup-addr-detect-transmits
set interfaces
wireless <interface>
isolate-stations
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
isolate-stations
set interfaces wireless
<interface> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> mac
set interfaces wireless
<interface> max-stations
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> max-
stations
set interfaces
wireless <interface>
mgmt-frame-protection
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> mgmt-
frame-protection
set interfaces wireless
<interface> mode <a | b
| g | n | ac>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> mode
set interfaces
wirelessmodem
<interface> apn <apn>
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> apn
下页继续

16.1. Configuration Commands 799

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wirelessmodem
<interface> backup
distance <metric>
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> backup distance
set interfaces
wirelessmodem
<interface>
connect-on-demand
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> connect-on-demand
set interfaces
wirelessmodem
<interface> description
<description>
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> description
set interfaces
wirelessmodem
<interface> device
<tty>
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> device
set interfaces
wirelessmodem
<interface> disable
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> disable
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> disable-link-detect
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip arp-cache-timeout
下页继续

16.1. Configuration Commands 800

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip disable-arp-filter
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip disable-forwarding
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip enable-arp-accept
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip enable-arp-announce
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip enable-arp-ignore
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip enable-proxy-arp
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip proxy-arp-pvlan
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ip source-validation
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ipv6 address autoconf
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ipv6 address eui64
下页继续

16.1. Configuration Commands 801

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ipv6 address no-default-
link-local
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wire-
lessmodem> ipv6 dup-addr-detect-
transmits
Not documented yet
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> mtu
set interfaces
wirelessmodem
<interface> no-peer-dns
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> no-peer-dns
set interfaces
wirelessmodem
<interface> vrf <vrf>
------------------
interfaces-wirelessmodem.xml.in:
interfaces wirelessmodem <wireless-
modem> vrf
set interfaces wireless
<interface> mtu <mtu>
Nothing found in XML Definitions
set interfaces
wireless <interface>
physical-device
<device>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
physical-device
下页继续

16.1. Configuration Commands 802

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
reduce-transmit-power
<number>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
reduce-transmit-power
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wep key
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa cipher
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa group-cipher
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa mode
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa passphrase
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa radius server <server> ac-
counting
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa radius server <server> dis-
able
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa radius server <server> key
下页继续

16.1. Configuration Commands 803

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa radius server <server> port
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> secu-
rity wpa radius source-address
set interfaces wireless
<interface> ssid <ssid>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> ssid
set interfaces wireless
<interface> type
<access-point | station
| monitor>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> type
set interfaces wireless
<interface> vif
<vlan-id>
Nothing found in XML Definitions
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> address
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> description
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcp-options client-id
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcp-options default-route-
distance
下页继续

16.1. Configuration Commands 804

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcp-options host-name
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-
s <vif-s> dhcp-options no-default-
route
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcp-options reject
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcp-options vendor-class-id
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcpv6-options duid
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcpv6-options parameters-
only
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcpv6-options pd <pd> in-
terface <interface> address
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcpv6-options pd <pd> in-
terface <interface> sla-id
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-
s <vif-s> dhcpv6-options pd <pd>
length
下页继续

16.1. Configuration Commands 805

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcpv6-options rapid-
commit
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> dhcpv6-options temporary
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> disable
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> disable-link-detect
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip arp-cache-timeout
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip disable-arp-filter
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip disable-forwarding
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip enable-arp-accept
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip enable-arp-announce
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip enable-arp-ignore
下页继续

16.1. Configuration Commands 806

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip enable-proxy-arp
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip proxy-arp-pvlan
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ip source-validation
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ipv6 address autoconf
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ipv6 address eui64
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ipv6 address no-default-link-
local
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> ipv6 dup-addr-detect-
transmits
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> mac
下页继续

16.1. Configuration Commands 807

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> mtu
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> protocol
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> address
<address | dhcp |
dhcpv6>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> address
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> description
<description>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> description
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
client-id <description>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcp-options
client-id
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
default-route-distance
<distance>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcp-options
default-route-distance
下页继续

16.1. Configuration Commands 808

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
host-name <hostname>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcp-options
host-name
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
no-default-route
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcp-options
no-default-route
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcp-options
reject
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcp-options
vendor-class-id
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
duid <duid>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
duid
下页继续

16.1. Configuration Commands 809

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
parameters-only
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
parameters-only
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> interface <interface> ad-
dress
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> interface <interface> sla-id
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
pd <id> length <length>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
pd <pd> length
下页继续

16.1. Configuration Commands 810

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
rapid-commit
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
rapid-commit
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> dhcpv6-options
temporary
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> dhcpv6-options
temporary
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> disable
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> disable
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id>
disable-link-detect
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> disable-link-
detect
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
arp-cache-timeout
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ip arp-cache-
timeout
下页继续

16.1. Configuration Commands 811

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
disable-arp-filter
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ip disable-arp-
filter
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
disable-forwarding
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-
s <vif-s> vif-c <vif-c> ip disable-
forwarding
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-arp-accept
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
accept
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-arp-announce
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
announce
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-arp-ignore
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ip enable-arp-
ignore
下页继续

16.1. Configuration Commands 812

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
enable-proxy-arp
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-
s <vif-s> vif-c <vif-c> ip enable-
proxy-arp
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
proxy-arp-pvlan
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ip proxy-arp-
pvlan
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-
s <vif-s> vif-c <vif-c> ip source-
validation
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> ipv6 address
autoconf
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ipv6 address
autoconf
下页继续

16.1. Configuration Commands 813

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> ipv6 address
eui64 <prefix>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ipv6 address
eui64
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> ipv6 address
no-default-link-local
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ipv6 address
no-default-link-local
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> ipv6
disable-forwarding
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ipv6 disable-
forwarding
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> ipv6 dup-addr-
detect-transmits
set interfaces
wireless <interface>
vif-s <vlan-id>
vif-c <vlan-id> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> mac
下页继续

16.1. Configuration Commands 814

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> mtu <mtu>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> mtu
set interfaces wireless
<interface> vif-s
<vlan-id> vif-c
<vlan-id> vrf <vrf>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vif-c <vif-c> vrf
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif-s
<vif-s> vrf
set interfaces wireless
<interface> vif
<vlan-id> address
<address | dhcp |
dhcpv6>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> address
set interfaces wireless
<interface> vif
<vlan-id> description
<description>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> description
set interfaces wireless
<interface> vif
<vlan-id> dhcp-options
client-id <description>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcp-options client-id
下页继续

16.1. Configuration Commands 815

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif
<vlan-id> dhcp-options
default-route-distance
<distance>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcp-options default-route-
distance
set interfaces wireless
<interface> vif
<vlan-id> dhcp-options
host-name <hostname>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcp-options host-name
set interfaces wireless
<interface> vif
<vlan-id> dhcp-options
no-default-route
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcp-options no-default-route
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcp-options reject
set interfaces wireless
<interface> vif
<vlan-id> dhcp-options
vendor-class-id
<vendor-id>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcp-options vendor-class-id
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
duid <duid>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options duid
下页继续

16.1. Configuration Commands 816

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
parameters-only
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options parameters-
only
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> address
<address>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options pd <pd> inter-
face <interface> address
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
pd <id> interface
<delegatee> sla-id <id>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options pd <pd> inter-
face <interface> sla-id
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
pd <id> length <length>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options pd <pd>
length
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
rapid-commit
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options rapid-commit
下页继续

16.1. Configuration Commands 817

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces wireless
<interface> vif
<vlan-id> dhcpv6-options
temporary
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> dhcpv6-options temporary
set interfaces wireless
<interface> vif
<vlan-id> disable
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> disable
set interfaces
wireless <interface>
vif <vlan-id>
disable-link-detect
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> disable-link-detect
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> egress-qos
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ingress-qos
set interfaces
wireless <interface>
vif <vlan-id> ip
arp-cache-timeout
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip arp-cache-timeout
set interfaces
wireless <interface>
vif <vlan-id> ip
disable-arp-filter
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip disable-arp-filter
下页继续

16.1. Configuration Commands 818

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
vif <vlan-id> ip
disable-forwarding
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip disable-forwarding
set interfaces
wireless <interface>
vif <vlan-id> ip
enable-arp-accept
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip enable-arp-accept
set interfaces
wireless <interface>
vif <vlan-id> ip
enable-arp-announce
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip enable-arp-announce
set interfaces
wireless <interface>
vif <vlan-id> ip
enable-arp-ignore
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip enable-arp-ignore
set interfaces
wireless <interface>
vif <vlan-id> ip
enable-proxy-arp
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip enable-proxy-arp
set interfaces
wireless <interface>
vif <vlan-id> ip
proxy-arp-pvlan
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip proxy-arp-pvlan
下页继续

16.1. Configuration Commands 819

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
vif <vlan-id> ip
source-validation
<strict | loose |
disable>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ip source-validation
set interfaces wireless
<interface> vif
<vlan-id> ipv6 address
autoconf
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ipv6 address autoconf
set interfaces wireless
<interface> vif
<vlan-id> ipv6 address
eui64 <prefix>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ipv6 address eui64
set interfaces wireless
<interface> vif
<vlan-id> ipv6 address
no-default-link-local
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ipv6 address no-default-link-
local
set interfaces
wireless <interface>
vif <vlan-id> ipv6
disable-forwarding
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> ipv6 disable-forwarding
Not documented yet
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless>
vif <vif> ipv6 dup-addr-detect-
transmits
下页继续

16.1. Configuration Commands 820

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set interfaces
wireless <interface>
vif <vlan-id> mac
<xx:xx:xx:xx:xx:xx>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> mac
set interfaces wireless
<interface> vif
<vlan-id> mtu <mtu>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> mtu
set interfaces wireless
<interface> vif
<vlan-id> vrf <vrf>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vif
<vif> vrf
set interfaces wireless
<interface> vrf <vrf>
------------------
interfaces-wireless.xml.in:
interfaces wireless <wireless> vrf
load <URI>
Nothing found in XML Definitions
loadkey <username>
<location>
Nothing found in XML Definitions
Not documented yet
------------------
nat66.xml.in:
nat66 destination rule <rule> de-
scription
Not documented yet
------------------
nat66.xml.in:
nat66 destination rule <rule> destina-
tion address
Not documented yet
------------------
nat66.xml.in:
nat66 destination rule <rule> disable
Not documented yet
------------------
nat66.xml.in:
nat66 destination rule <rule>
inbound-interface
下页继续

16.1. Configuration Commands 821

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
nat66.xml.in:
nat66 destination rule <rule> log
Not documented yet
------------------
nat66.xml.in:
nat66 destination rule <rule> transla-
tion address
Not documented yet
------------------
nat66.xml.in:
nat66 source rule <rule> description
Not documented yet
------------------
nat66.xml.in:
nat66 source rule <rule> disable
Not documented yet
------------------
nat66.xml.in:
nat66 source rule <rule> log
Not documented yet
------------------
nat66.xml.in:
nat66 source rule <rule> outbound-
interface
Not documented yet
------------------
nat66.xml.in:
nat66 source rule <rule> source pre-
fix
Not documented yet
------------------
nat66.xml.in:
nat66 source rule <rule> translation
address
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> descrip-
tion
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> destina-
tion address
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> destina-
tion port
下页继续

16.1. Configuration Commands 822

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> disable
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> exclude
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> inbound-
interface
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> log
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> protocol
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> source ad-
dress
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> source
port
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> translation
address
Not documented yet
------------------
nat.xml.in:
nat destination rule <rule> translation
port
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> description
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> destination ad-
dress
下页继续

16.1. Configuration Commands 823

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> destination
port
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> disable
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> exclude
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> log
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> outbound-
interface
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> protocol
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> source address
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> source port
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> translation ad-
dress
Not documented yet
------------------
nat.xml.in:
nat source rule <rule> translation
port
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list6 <access-list6>
description
下页继续

16.1. Configuration Commands 824

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list6 <access-list6>
rule <rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list6 <access-list6>
rule <rule> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list6 <access-list6>
rule <rule> source any
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list6 <access-list6>
rule <rule> source exact-match
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list6 <access-list6>
rule <rule> source network
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> de-
scription
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> destination any
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> destination host
下页继续

16.1. Configuration Commands 825

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> destination inverse-mask
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> destination network
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> source any
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> source host
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> source inverse-mask
Not documented yet
------------------
policy-lists.xml.in:
npolicy access-list <access-list> rule
<rule> source network
Not documented yet
------------------
policy-lists.xml.in:
npolicy as-path-list <as-path-list>
description
Not documented yet
------------------
policy-lists.xml.in:
npolicy as-path-list <as-path-list>
rule <rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy as-path-list <as-path-list>
rule <rule> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy as-path-list <as-path-list>
rule <rule> regex
下页继续

16.1. Configuration Commands 826

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy community-list
<community-list> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy community-list
<community-list> rule <rule>
action
Not documented yet
------------------
policy-lists.xml.in:
npolicy community-list
<community-list> rule <rule>
description
Not documented yet
------------------
policy-lists.xml.in:
npolicy community-list
<community-list> rule <rule>
regex
Not documented yet
------------------
policy-lists.xml.in:
npolicy extcommunity-list
<extcommunity-list> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy extcommunity-list
<extcommunity-list> rule <rule>
action
Not documented yet
------------------
policy-lists.xml.in:
npolicy extcommunity-list
<extcommunity-list> rule <rule>
description
Not documented yet
------------------
policy-lists.xml.in:
npolicy extcommunity-list
<extcommunity-list> rule <rule>
regex
Not documented yet
------------------
policy-lists.xml.in:
npolicy large-community-list <large-
community-list> description
下页继续

16.1. Configuration Commands 827

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy large-community-list <large-
community-list> rule <rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy large-community-list <large-
community-list> rule <rule> descrip-
tion
Not documented yet
------------------
policy-lists.xml.in:
npolicy large-community-list <large-
community-list> rule <rule> regex
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list6 <prefix-list6> de-
scription
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list6 <prefix-list6>
rule <rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list6 <prefix-list6>
rule <rule> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list6 <prefix-list6>
rule <rule> ge
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list6 <prefix-list6>
rule <rule> le
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list6 <prefix-list6>
rule <rule> prefix
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list <prefix-list> de-
scription
下页继续

16.1. Configuration Commands 828

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list <prefix-list> rule
<rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list <prefix-list> rule
<rule> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list <prefix-list> rule
<rule> ge
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list <prefix-list> rule
<rule> le
Not documented yet
------------------
policy-lists.xml.in:
npolicy prefix-list <prefix-list> rule
<rule> prefix
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> de-
scription
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> action
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set aggregator as
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set aggregator ip
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set as-path-exclude
下页继续

16.1. Configuration Commands 829

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set as-path-prepend
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set atomic-aggregate
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set bgp-extcommunity-rt
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> call
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set comm-list comm-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set comm-list delete
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set community
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> continue
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> description
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set distance
下页继续

16.1. Configuration Commands 830

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set extcommunity-rt
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set extcommunity-soo
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set ip-next-hop
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set ipv6-next-hop global
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set ipv6-next-hop local
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set large-community
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set local-preference
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match as-path
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map>
rule <rule> match community
community-list
下页继续

16.1. Configuration Commands 831

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map>
rule <rule> match community
exact-match
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match extcommunity
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match interface
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ip address access-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ip address prefix-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ip nexthop access-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ip nexthop prefix-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ip route-source access-
list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ip route-source prefix-
list
下页继续

16.1. Configuration Commands 832

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ipv6 address access-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ipv6 address prefix-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match ipv6 nexthop
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map>
rule <rule> match large-community
large-community-list
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match local-preference
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match metric
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match origin
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match peer
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match rpki
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> match tag
下页继续

16.1. Configuration Commands 833

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set metric
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set metric-type
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> on-match goto
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> on-match next
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set origin
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set originator-id
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set src
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set table
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set tag
Not documented yet
------------------
policy-lists.xml.in:
npolicy route-map <route-map> rule
<rule> set weight
下页继续

16.1. Configuration Commands 834

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
policy-local-route.xml.in:
policy local-route rule <rule> source
Not documented yet
------------------
policy-local-route.xml.in:
policy local-route rule <rule> set ta-
ble
set protocols bfd peer
<address>
Nothing found in XML Definitions
set protocols bfd peer
<address> echo-mode
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> echo-
mode
set protocols bfd peer
<address> interval
[receive | transmit]
<10-60000>
Nothing found in XML Definitions
set protocols bfd
peer <address>
interval echo-interval
<10-60000>
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> interval
echo-interval
set protocols bfd peer
<address> interval
multiplier <2-255>
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> interval
multiplier
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> interval re-
ceive
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> interval
transmit
下页继续

16.1. Configuration Commands 835

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bfd peer
<address> multihop
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> multihop
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> profile
set protocols bfd peer
<address> shutdown
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> shutdown
set protocols bfd
peer <address> source
[address <address> |
interface <interface>]
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> source ad-
dress
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd peer <peer> source in-
terface
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd profile <profile> echo-
mode
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd profile <profile> inter-
val echo-interval
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd profile <profile> inter-
val multiplier
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd profile <profile> inter-
val receive
下页继续

16.1. Configuration Commands 836

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd profile <profile> inter-
val transmit
Not documented yet
------------------
protocols-bfd.xml.in:
protocols bfd profile <profile> shut-
down
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
aggregate-address
<prefix>
Nothing found in XML Definitions
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
aggregate-address
<prefix> as-set
Nothing found in XML Definitions
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
aggregate-address
<prefix> summary-only
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family
ipv4-unicast aggregate-address
<aggregate-address> as-set
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family
ipv4-unicast aggregate-address
<aggregate-address> summary-only
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast maximum-paths ebgp
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast maximum-paths ibgp
下页继续

16.1. Configuration Commands 837

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> address-family
ipv4-unicast network
<prefix> backdoor
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast network <network> back-
door
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast network <network> route-
map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute connected metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute connected route-
map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute isis metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute isis route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute kernel metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute kernel route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute ospf metric
下页继续

16.1. Configuration Commands 838

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute ospf route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute rip metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute rip route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute static metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute static route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv4-
unicast redistribute table
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family
ipv6-unicast aggregate-address
<aggregate-address> as-set
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family
ipv6-unicast aggregate-address
<aggregate-address> summary-only
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast maximum-paths ebgp
下页继续

16.1. Configuration Commands 839

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast maximum-paths ibgp
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast network <network> path-
limit
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast network <network> route-
map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute connected metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute connected route-
map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute kernel metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute kernel route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute ospfv3 metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute ospfv3 route-
map
下页继续

16.1. Configuration Commands 840

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute ripng metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute ripng route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute static metric
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute static route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family ipv6-
unicast redistribute table
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn advertise-all-vni
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn advertise-default-gw
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn advertise-pip
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn advertise-svi-ip
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn advertise ipv4 unicast route-
map
下页继续

16.1. Configuration Commands 841

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn advertise ipv6 unicast route-
map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn flooding disable
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn flooding head-end-replication
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn rd
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn route-target both
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn route-target export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn route-target import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn rt-auto-derive
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn vni <vni> advertise-default-gw
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn vni <vni> advertise-svi-ip
下页继续

16.1. Configuration Commands 842

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn vni <vni> rd
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn vni <vni> route-target both
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn vni <vni> route-target export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp address-family l2vpn-
evpn vni <vni> route-target import
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
network <prefix>
Nothing found in XML Definitions
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
redistribute <route
source>
Nothing found in XML Definitions
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
redistribute <route
source> metric <number>
Nothing found in XML Definitions
set protocols bgp
<asn> address-family
<ipv4-unicast|ipv6-unicast>
redistribute <route
source> route-map
<name>
Nothing found in XML Definitions
set protocols bgp <asn>
listen limit <number>
------------------
protocols-bgp.xml.in:
protocols bgp listen limit
下页继续

16.1. Configuration Commands 843

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp <asn>
listen range <prefix>
peer-group <name>
------------------
protocols-bgp.xml.in:
protocols bgp listen range <range>
peer-group
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp local-as
set protocols bgp
<asn> maximum-paths
<ebgp|ibgp> <number>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
allowas-in number
<number>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
as-override
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
attribute-unchanged
<as-path|med|next-hop>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
capability orf
<receive|send>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 844

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
default-originate
[route-map <name>]
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
distribute-list
<export|import>
<number>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
filter-list
<export|import> <name>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast addpath-
tx-all
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast addpath-
tx-per-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast allowas-
in number
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
as-override
下页继续

16.1. Configuration Commands 845

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
attribute-unchanged as-path
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
attribute-unchanged med
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
attribute-unchanged next-hop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast capabil-
ity orf prefix-list receive
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast capabil-
ity orf prefix-list send
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast default-
originate route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast disable-
send-community extended
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast disable-
send-community standard
下页继续

16.1. Configuration Commands 846

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
distribute-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
distribute-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast filter-list
export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast filter-list
import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
maximum-prefix
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast nexthop-
self force
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast prefix-
list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast prefix-
list import
下页继续

16.1. Configuration Commands 847

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast remove-
private-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast route-
map export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast route-
map import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast route-
reflector-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast route-
server-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
soft-reconfiguration inbound
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv4-unicast
unsuppress-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv4-unicast weight
下页继续

16.1. Configuration Commands 848

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast addpath-
tx-all
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast addpath-
tx-per-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast allowas-
in number
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
as-override
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
attribute-unchanged as-path
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
attribute-unchanged med
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
attribute-unchanged next-hop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast capabil-
ity orf prefix-list receive
下页继续

16.1. Configuration Commands 849

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast capabil-
ity orf prefix-list send
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast default-
originate route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast disable-
send-community extended
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast disable-
send-community standard
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
distribute-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
distribute-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast filter-list
export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast filter-list
import
下页继续

16.1. Configuration Commands 850

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
maximum-prefix
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast nexthop-
local unchanged
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast nexthop-
self force
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast prefix-
list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast prefix-
list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast remove-
private-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast route-
map export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast route-
map import
下页继续

16.1. Configuration Commands 851

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast route-
reflector-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast route-
server-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
soft-reconfiguration inbound
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family ipv6-unicast
unsuppress-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family ipv6-unicast weight
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family l2vpn-evpn allowas-
in number
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family l2vpn-evpn attribute-
unchanged as-path
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family l2vpn-evpn attribute-
unchanged med
下页继续

16.1. Configuration Commands 852

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family l2vpn-evpn attribute-
unchanged next-hop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
address-family l2vpn-evpn nexthop-
self force
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family l2vpn-evpn
route-map export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family l2vpn-evpn
route-map import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family l2vpn-evpn
route-reflector-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family l2vpn-evpn
route-server-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neigh-
bor> address-family l2vpn-evpn
soft-reconfiguration inbound
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
maximum-prefix <number>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 853

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
nexthop-self
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
prefix-list
<export|import> <name>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
remove-private-as
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
route-map
<export|import> <name>
Nothing found in XML Definitions
set protocols bgp <asn>
neighbor <address>
address-family
<ipv4-unicast|ipv6-unicast>
route-reflector-client
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
soft-reconfiguration
inbound
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
unsuppress-map <name>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 854

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
address-family
<ipv4-unicast|ipv6-unicast>
weight <number>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
advertisement-interval
<seconds>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
advertisement-interval
set protocols bgp <asn>
neighbor <address> bfd
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
bfd check-control-plane-failure
set protocols bgp
<asn> neighbor
<address|interface>
capability dynamic
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
capability dynamic
set protocols bgp
<asn> neighbor
<address|interface>
capability
extended-nexthop
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
capability extended-nexthop
set protocols bgp
<asn> neighbor
<address|interface>
description <text>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
description
下页继续

16.1. Configuration Commands 855

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
disable-capability-negotiation
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
disable-capability-negotiation
set protocols bgp
<asn> neighbor
<address|interface>
disable-connected-check
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
disable-connected-check
set protocols bgp
<asn> neighbor
<address|interface>
disable-send-community
<extended|standard>
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
ebgp-multihop <number>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
ebgp-multihop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
interface peer-group
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
interface remote-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
interface v6only peer-group
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
interface v6only remote-as
下页继续

16.1. Configuration Commands 856

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
local-as <asn>
[no-prepend]
[replace-as]
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
local-as <local-as> no-prepend
set protocols bgp
<asn> neighbor
<address|interface>
override-capability
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
override-capability
set protocols bgp
<asn> neighbor
<address|interface>
passive
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
passive
set protocols bgp
<asn> neighbor
<address|interface>
password <text>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
password
set protocols bgp
<asn> neighbor
<address|interface>
peer-group <name>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
peer-group
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
port
下页继续

16.1. Configuration Commands 857

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
remote-as <nasn>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
remote-as
set protocols bgp
<asn> neighbor
<address|interface>
remote-as external
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
remote-as internal
Nothing found in XML Definitions
set protocols bgp
<asn> neighbor
<address|interface>
shutdown
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
shutdown
set protocols bgp
<asn> neighbor
<address|interface>
strict-capability-match
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
strict-capability-match
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
timers connect
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
timers holdtime
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
timers keepalive
下页继续

16.1. Configuration Commands 858

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> neighbor
<address|interface>
ttl-security hops
<number>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
ttl-security hops
set protocols bgp
<asn> neighbor
<address|interface>
update-source
<address|interface>
------------------
protocols-bgp.xml.in:
protocols bgp neighbor <neighbor>
update-source
set protocols bgp
<asn> parameters
always-compare-med
------------------
protocols-bgp.xml.in:
protocols bgp parameters always-
compare-med
set protocols bgp <asn>
parameters bestpath
as-path confed
------------------
protocols-bgp.xml.in:
protocols bgp parameters bestpath
as-path confed
set protocols bgp <asn>
parameters bestpath
as-path ignore
------------------
protocols-bgp.xml.in:
protocols bgp parameters bestpath
as-path ignore
set protocols bgp <asn>
parameters bestpath
as-path multipath-relax
------------------
protocols-bgp.xml.in:
protocols bgp parameters bestpath
as-path multipath-relax
下页继续

16.1. Configuration Commands 859

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp <asn>
parameters bestpath
compare-routerid
------------------
protocols-bgp.xml.in:
protocols bgp parameters bestpath
compare-routerid
set protocols bgp <asn>
parameters bestpath med
confed
------------------
protocols-bgp.xml.in:
protocols bgp parameters bestpath
med confed
set protocols bgp <asn>
parameters bestpath med
missing-as-worst
------------------
protocols-bgp.xml.in:
protocols bgp parameters bestpath
med missing-as-worst
set protocols bgp <asn>
parameters cluster-id
<id>
------------------
protocols-bgp.xml.in:
protocols bgp parameters cluster-id
set protocols bgp
<subasn> parameters
confederation
confederation peers
<nsubasn>
Nothing found in XML Definitions
set protocols bgp
<subasn> parameters
confederation identifier
<asn>
------------------
protocols-bgp.xml.in:
protocols bgp parameters confedera-
tion identifier
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters confedera-
tion peers
下页继续

16.1. Configuration Commands 860

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp <asn>
parameters dampening
half-life <minutes>
------------------
protocols-bgp.xml.in:
protocols bgp parameters dampening
half-life
set protocols bgp <asn>
parameters dampening
max-suppress-time
<seconds>
------------------
protocols-bgp.xml.in:
protocols bgp parameters dampening
max-suppress-time
set protocols bgp <asn>
parameters dampening
re-use <seconds>
------------------
protocols-bgp.xml.in:
protocols bgp parameters dampening
re-use
set protocols bgp <asn>
parameters dampening
start-suppress-time
<seconds>
------------------
protocols-bgp.xml.in:
protocols bgp parameters dampening
start-suppress-time
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters default
local-pref
set protocols bgp <asn>
parameters default
local-pref <local-pref
value>
Nothing found in XML Definitions
set protocols bgp <asn>
parameters default
no-ipv4-unicast
------------------
protocols-bgp.xml.in:
protocols bgp parameters default no-
ipv4-unicast
下页继续

16.1. Configuration Commands 861

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> parameters
deterministic-med
------------------
protocols-bgp.xml.in:
protocols bgp parameters
deterministic-med
set protocols bgp
<asn> parameters
distance global
<external|internal|local>
<distance>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters distance
global external
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters distance
global internal
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters distance
global local
set protocols bgp <asn>
parameters distance
prefix <subnet> distance
<distance>
------------------
protocols-bgp.xml.in:
protocols bgp parameters distance
prefix <prefix> distance
set protocols bgp
<asn> parameters
ebgp-requires-policy
------------------
protocols-bgp.xml.in:
protocols bgp parameters ebgp-
requires-policy
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters graceful-
restart stalepath-time
下页继续

16.1. Configuration Commands 862

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp parameters graceful-
shutdown
set protocols bgp
<asn> parameters
log-neighbor-changes
------------------
protocols-bgp.xml.in:
protocols bgp parameters log-
neighbor-changes
set protocols bgp
<asn> parameters
network-import-check
------------------
protocols-bgp.xml.in:
protocols bgp parameters network-
import-check
set protocols bgp
<asn> parameters
no-client-to-client-reflection
------------------
protocols-bgp.xml.in:
protocols bgp parameters no-client-
to-client-reflection
set protocols bgp
<asn> parameters
no-fast-external-failover
------------------
protocols-bgp.xml.in:
protocols bgp parameters no-fast-
external-failover
set protocols bgp <asn>
parameters router-id
<id>
------------------
protocols-bgp.xml.in:
protocols bgp parameters router-id
set protocols bgp <asn>
peer-group <name>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
addpath-tx-all
下页继续

16.1. Configuration Commands 863

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
addpath-tx-per-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
allowas-in number
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
as-override
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
attribute-unchanged as-path
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
attribute-unchanged med
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
attribute-unchanged next-hop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
capability orf prefix-list receive
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
capability orf prefix-list send
下页继续

16.1. Configuration Commands 864

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
default-originate route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
disable-send-community extended
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
disable-send-community standard
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
distribute-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
distribute-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
filter-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
filter-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
maximum-prefix
下页继续

16.1. Configuration Commands 865

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
nexthop-self force
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
prefix-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
prefix-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
remove-private-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
route-map export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
route-map import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
route-reflector-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
route-server-client
下页继续

16.1. Configuration Commands 866

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
soft-reconfiguration inbound
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
unsuppress-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv4-unicast
weight
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
addpath-tx-all
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
addpath-tx-per-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
allowas-in number
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
as-override
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
attribute-unchanged as-path
下页继续

16.1. Configuration Commands 867

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
attribute-unchanged med
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
attribute-unchanged next-hop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
capability orf prefix-list receive
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
capability orf prefix-list send
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
default-originate route-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
disable-send-community extended
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
disable-send-community standard
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
distribute-list export
下页继续

16.1. Configuration Commands 868

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
distribute-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
filter-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
filter-list import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
maximum-prefix
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
nexthop-local unchanged
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
nexthop-self force
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
prefix-list export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
prefix-list import
下页继续

16.1. Configuration Commands 869

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
remove-private-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
route-map export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
route-map import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
route-reflector-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
route-server-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
soft-reconfiguration inbound
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
unsuppress-map
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family ipv6-unicast
weight
下页继续

16.1. Configuration Commands 870

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
allowas-in number
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
attribute-unchanged as-path
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
attribute-unchanged med
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
attribute-unchanged next-hop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
nexthop-self force
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
route-map export
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
route-map import
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
route-reflector-client
下页继续

16.1. Configuration Commands 871

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
route-server-client
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> address-family l2vpn-evpn
soft-reconfiguration inbound
set protocols bgp <asn>
peer-group <group> bfd
Nothing found in XML Definitions
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> bfd check-control-plane-
failure
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> capability dynamic
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> capability extended-nexthop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> description
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> disable-capability-
negotiation
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> disable-connected-check
下页继续

16.1. Configuration Commands 872

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> ebgp-multihop
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> local-as <local-as> no-
prepend
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> override-capability
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> passive
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> password
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> remote-as
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> shutdown
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> ttl-security hops
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp peer-group <peer-
group> update-source
Not documented yet
------------------
protocols-bgp.xml.in:
protocols bgp route-map
下页继续

16.1. Configuration Commands 873

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols bgp
<asn> timers holdtime
<seconds>
------------------
protocols-bgp.xml.in:
protocols bgp timers holdtime
set protocols bgp
<asn> timers keepalive
<seconds>
------------------
protocols-bgp.xml.in:
protocols bgp timers keepalive
set protocols igmp-proxy
disable
------------------
igmp-proxy.xml.in:
protocols igmp-proxy disable
set protocols igmp-proxy
disable-quickleave
------------------
igmp-proxy.xml.in:
protocols igmp-proxy disable-
quickleave
set protocols igmp-proxy
interface <interface>
alt-subnet <network>
------------------
igmp-proxy.xml.in:
protocols igmp-proxy interface <in-
terface> alt-subnet
set protocols igmp-proxy
interface <interface>
role <upstream |
downstream>
------------------
igmp-proxy.xml.in:
protocols igmp-proxy interface <in-
terface> role
Not documented yet
------------------
igmp-proxy.xml.in:
protocols igmp-proxy interface <in-
terface> threshold
Not documented yet
------------------
igmp-proxy.xml.in:
protocols igmp-proxy interface <in-
terface> whitelist
下页继续

16.1. Configuration Commands 874

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols igmp
interface <interface
query-interval
<seconds>
Nothing found in XML Definitions
set protocols igmp
interface <interface
query-max-response-time
<deciseconds>
Nothing found in XML Definitions
set protocols igmp
interface eth1
Nothing found in XML Definitions
set protocols igmp
interface <interface>
join <multicast-address>
source <IP-address>
------------------
protocols-igmp.xml.in:
protocols igmp interface <interface>
join <join> source
Not documented yet
------------------
protocols-igmp.xml.in:
protocols igmp interface <interface>
query-interval
Not documented yet
------------------
protocols-igmp.xml.in:
protocols igmp interface <interface>
query-max-response-time
set protocols
igmp interface
<interface> version
<version-number>
------------------
protocols-igmp.xml.in:
protocols igmp interface <interface>
version
set protocols isis
<name> set-attached-bit
------------------
protocols-isis.xml.in:
protocols isis set-attached-bit
set protocols isis
<name> set-overload-bit
------------------
protocols-isis.xml.in:
protocols isis set-overload-bit
下页继续

16.1. Configuration Commands 875

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis area-password md5
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis area-password
plaintext-password
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis default-information
originate ipv4 level-1
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis default-information
originate ipv4 level-2
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis default-information
originate ipv6 level-1
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis default-information
originate ipv6 level-2
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis domain-password
plaintext-password
set protocols isis
<name> dynamic-hostname
------------------
protocols-isis.xml.in:
protocols isis dynamic-hostname
set protocols isis
<name> interface
<interface>
Nothing found in XML Definitions
set protocols isis
<name> interface
<interface> bfd
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
bfd
下页继续

16.1. Configuration Commands 876

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols isis
<name> interface
<interface> circuit-type
<level-1|level-1-2|level-2-only>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
circuit-type
set protocols isis
<name> interface
<interface>
hello-interval
<seconds>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
hello-interval
set protocols isis
<name> interface
<interface>
hello-multiplier
<seconds>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
hello-multiplier
set protocols isis
<name> interface
<interface>
hello-padding
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
hello-padding
set protocols isis
<name> interface
<interface> metric
<metric>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
metric
set protocols isis
<name> interface
<interface> network
point-to-point
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
network point-to-point
下页继续

16.1. Configuration Commands 877

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols isis
<name> interface
<interface>
no-three-way-handshake
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
no-three-way-handshake
set protocols isis
<name> interface
<interface> passive
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
passive
set protocols isis
<name> interface
<interface> password
plaintext-password
<text>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
password plaintext-password
set protocols isis
<name> interface
<interface> priority
<number>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
priority
set protocols isis
<name> interface
<interface>
psnp-interval <number>
------------------
protocols-isis.xml.in:
protocols isis interface <interface>
psnp-interval
set protocols
isis <name> level
<level-1|level-1-2|level-2>
------------------
protocols-isis.xml.in:
protocols isis level
下页继续

16.1. Configuration Commands 878

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols isis
<name> lsp-gen-interval
<seconds>
------------------
protocols-isis.xml.in:
protocols isis lsp-gen-interval
set protocols isis
<name> lsp-mtu <size>
------------------
protocols-isis.xml.in:
protocols isis lsp-mtu
set protocols
isis <name>
lsp-refresh-interval
<seconds>
------------------
protocols-isis.xml.in:
protocols isis lsp-refresh-interval
set protocols isis
<name> max-lsp-lifetime
<seconds>
------------------
protocols-isis.xml.in:
protocols isis max-lsp-lifetime
set protocols isis
<name> metric-style
<narrow|transition|wide>
------------------
protocols-isis.xml.in:
protocols isis metric-style
set protocols isis name
default-information
originate <ipv4|ipv6>
level-1
Nothing found in XML Definitions
set protocols isis name
default-information
originate <ipv4|ipv6>
level-2
Nothing found in XML Definitions
set protocols
isis <name> net
<network-entity-title>
------------------
protocols-isis.xml.in:
protocols isis net
set protocols isis
<name> purge-originator
------------------
protocols-isis.xml.in:
protocols isis purge-originator
下页继续

16.1. Configuration Commands 879

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols isis
<name> redistribute ipv4
<route source> level-1
Nothing found in XML Definitions
set protocols isis
<name> redistribute ipv4
<route source> level-2
Nothing found in XML Definitions
set protocols isis
<name> redistribute
ipv4 <route source>
<level-1|level-2> metric
<number>
Nothing found in XML Definitions
set protocols isis
<name> redistribute
ipv4 <route source>
<level-1|level-2>
route-map <name>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 bgp
level-1 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 bgp
level-1 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 bgp
level-2 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 bgp
level-2 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 con-
nected level-1 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 con-
nected level-1 route-map
下页继续

16.1. Configuration Commands 880

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 con-
nected level-2 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 con-
nected level-2 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 kernel
level-1 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 kernel
level-1 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 kernel
level-2 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 kernel
level-2 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 ospf
level-1 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 ospf
level-1 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 ospf
level-2 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 ospf
level-2 route-map
下页继续

16.1. Configuration Commands 881

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 rip
level-1 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 rip
level-1 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 rip
level-2 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 rip
level-2 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 static
level-1 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 static
level-1 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 static
level-2 metric
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis redistribute ipv4 static
level-2 route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis route-map
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing enable
下页继续

16.1. Configuration Commands 882

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing
global-block high-label-value
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing
global-block low-label-value
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing
maximum-label-depth
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing prefix
<prefix> absolute explicit-null
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing prefix
<prefix> absolute no-php-flag
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing prefix
<prefix> absolute value
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing prefix
<prefix> index explicit-null
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing prefix
<prefix> index no-php-flag
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis segment-routing prefix
<prefix> index value
下页继续

16.1. Configuration Commands 883

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols isis
<name> spf-delay-ietf
holddown <milliseconds>
------------------
protocols-isis.xml.in:
protocols isis spf-delay-ietf hold-
down
set protocols isis
<name> spf-delay-ietf
init-delay
<milliseconds>
------------------
protocols-isis.xml.in:
protocols isis spf-delay-ietf init-delay
set protocols isis
<name> spf-delay-ietf
long-delay
<milliseconds>
------------------
protocols-isis.xml.in:
protocols isis spf-delay-ietf long-
delay
set protocols isis
<name> spf-delay-ietf
short-delay
<milliseconds>
------------------
protocols-isis.xml.in:
protocols isis spf-delay-ietf short-
delay
set protocols isis
<name> spf-delay-ietf
time-to-learn
<milliseconds>
------------------
protocols-isis.xml.in:
protocols isis spf-delay-ietf time-to-
learn
set protocols isis
<name> spf-interval
<seconds>
------------------
protocols-isis.xml.in:
protocols isis spf-interval
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis traffic-engineering ad-
dress
下页继续

16.1. Configuration Commands 884

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-isis.xml.in:
protocols isis traffic-engineering en-
able
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls interface
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp allocation ipv4
access-list
set protocols mpls
ldp allocation ipv4
access-list <access list
number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp allocation ipv6
access-list6
set protocols mpls
ldp allocation ipv6
access-list6 <access
list number>
Nothing found in XML Definitions
set protocols mpls
ldp discovery
hello-ipv4-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery hello-
ipv4-holdtime
set protocols mpls
ldp discovery
hello-ipv4-interval
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery hello-
ipv4-interval
下页继续

16.1. Configuration Commands 885

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols mpls
ldp discovery
hello-ipv6-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery hello-
ipv6-holdtime
set protocols mpls
ldp discovery
hello-ipv6-interval
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery hello-
ipv6-interval
set protocols mpls
ldp discovery
session-ipv4-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery session-
ipv4-holdtime
set protocols mpls
ldp discovery
session-ipv6-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery session-
ipv6-holdtime
set protocols mpls
ldp discovery
transport-ipv4-address
<address>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery
transport-ipv4-address
set protocols mpls
ldp discovery
transport-ipv6-address
<address>
------------------
protocols-mpls.xml.in:
protocols mpls ldp discovery
transport-ipv6-address
下页继续

16.1. Configuration Commands 886

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols mpls
ldp export ipv4
explicit-null
------------------
protocols-mpls.xml.in:
protocols mpls ldp export ipv4
explicit-null
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp export ipv4
export-filter filter-access-list
set protocols mpls
ldp export ipv4
export-filter
filter-access-list
<access list number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp export ipv4
export-filter neighbor-access-list
set protocols mpls
ldp export ipv6
explicit-null
------------------
protocols-mpls.xml.in:
protocols mpls ldp export ipv6
explicit-null
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp export ipv6
export-filter filter-access-list6
set protocols mpls
ldp export ipv6
export-filter
filter-access-list6
<access list number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp export ipv6
export-filter neighbor-access-list6
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp import ipv4
import-filter filter-access-list
下页继续

16.1. Configuration Commands 887

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols mpls
ldp import ipv4
import-filter
filter-access-list
<access list number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp import ipv4
import-filter neighbor-access-list
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp import ipv6
import-filter filter-access-list6
set protocols mpls
ldp import ipv6
import-filter
filter-access-list6
<access list number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp import ipv6
import-filter neighbor-access-list6
set protocols mpls ldp
interface <interface>
------------------
protocols-mpls.xml.in:
protocols mpls ldp interface
set protocols mpls
ldp neighbor <address>
password <password>
------------------
protocols-mpls.xml.in:
protocols mpls ldp neighbor <neigh-
bor> password
set protocols mpls ldp
neighbor <address>
session-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp neighbor <neigh-
bor> session-holdtime
下页继续

16.1. Configuration Commands 888

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls ldp neighbor <neigh-
bor> ttl-security
set protocols mpls ldp
neighbor <address>
ttl-security <disable
| hop count>
Nothing found in XML Definitions
set protocols mpls
ldp parameters
cisco-interop-tlv
------------------
protocols-mpls.xml.in:
protocols mpls ldp parameters cisco-
interop-tlv
set protocols mpls
ldp parameters
ordered-control
------------------
protocols-mpls.xml.in:
protocols mpls ldp parameters
ordered-control
set protocols mpls
ldp parameters
transport-prefer-ipv4
------------------
protocols-mpls.xml.in:
protocols mpls ldp parameters
transport-prefer-ipv4
set protocols mpls ldp
router-id <address>
------------------
protocols-mpls.xml.in:
protocols mpls ldp router-id
set protocols mpls ldp
targeted-neighbor ipv4
address <address>
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv4 address
set protocols mpls ldp
targeted-neighbor ipv4
enable
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv4 enable
下页继续

16.1. Configuration Commands 889

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols mpls
ldp targeted-neighbor
ipv4 hello-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv4 hello-holdtime
set protocols mpls
ldp targeted-neighbor
ipv4 hello-interval
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv4 hello-interval
set protocols mpls ldp
targeted-neighbor ipv6
address <address>
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv6 address
set protocols mpls ldp
targeted-neighbor ipv6
enable
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv6 enable
set protocols mpls
ldp targeted-neighbor
ipv6 hello-holdtime
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv6 hello-holdtime
set protocols mpls
ldp targeted-neighbor
ipv6 hello-interval
<seconds>
------------------
protocols-mpls.xml.in:
protocols mpls ldp targeted-neighbor
ipv6 hello-interval
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls parameters
maximum-ttl
下页继续

16.1. Configuration Commands 890

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-mpls.xml.in:
protocols mpls parameters no-
propagate-ttl
set protocols nhrp
tunnel <tunnel>
cisco-authentication
<secret>
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel>
dynamic-map <address>
nbma-domain-name <fqdn>
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel>
holding-time <timeout>
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel> map
cisco
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel> map
nbma-address <address>
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel> map
register
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel>
multicast <dynamic |
nhs>
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel>
non-caching
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel> redirect
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel> shortcut
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel>
shortcut-destination
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 891

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols nhrp
tunnel <tunnel>
shortcut-target
<address>
Nothing found in XML Definitions
set protocols nhrp
tunnel <tunnel>
shortcut-target
<address> holding-time
<timeout>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf access-list <access-
list> export
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> area-type
normal
set protocols ospf area
<number> area-type nssa
Nothing found in XML Definitions
set protocols ospf area
<number> area-type nssa
default-cost <number>
------------------
protocols-ospf.xml.in:
protocols ospf area <area> area-type
nssa default-cost
set protocols ospf area
<number> area-type nssa
no-summary
------------------
protocols-ospf.xml.in:
protocols ospf area <area> area-type
nssa no-summary
set protocols ospf area
<number> area-type
nssa translate
<always|candidate|never>
------------------
protocols-ospf.xml.in:
protocols ospf area <area> area-type
nssa translate
set protocols ospf area
<number> area-type stub
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 892

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols ospf area
<number> area-type stub
default-cost <number>
------------------
protocols-ospf.xml.in:
protocols ospf area <area> area-type
stub default-cost
set protocols ospf area
<number> area-type stub
no-summary
------------------
protocols-ospf.xml.in:
protocols ospf area <area> area-type
stub no-summary
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> authenti-
cation
set protocols ospf area
<number> authentication
md5
Nothing found in XML Definitions
set protocols ospf area
<number> authentication
plaintext-password
Nothing found in XML Definitions
set protocols ospf area
<number> network <A.B.C.
D/M>
------------------
protocols-ospf.xml.in:
protocols ospf area <area> network
set protocols ospf area
<number> range <A.B.C.D/
M> [cost <number>]
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> range
<range> cost
set protocols ospf area
<number> range <A.B.C.D/
M> not-advertise
------------------
protocols-ospf.xml.in:
protocols ospf area <area> range
<range> not-advertise
下页继续

16.1. Configuration Commands 893

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols ospf area
<number> range <A.B.C.D/
M> substitute <E.F.G.H/
M>
------------------
protocols-ospf.xml.in:
protocols ospf area <area> range
<range> substitute
set protocols ospf
area <number> shortcut
<default|disable|enable>
------------------
protocols-ospf.xml.in:
protocols ospf area <area> shortcut
set protocols ospf area
<number> virtual-link
<A.B.C.D>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> virtual-
link <virtual-link> authentication
md5 key-id <key-id> md5-key
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> virtual-
link <virtual-link> authentication
plaintext-password
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> virtual-
link <virtual-link> dead-interval
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> virtual-
link <virtual-link> hello-interval
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> virtual-
link <virtual-link> retransmit-
interval
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf area <area> virtual-
link <virtual-link> transmit-delay
下页继续

16.1. Configuration Commands 894

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols
ospf auto-cost
reference-bandwidth
<number>
------------------
protocols-ospf.xml.in:
protocols ospf auto-cost reference-
bandwidth
set protocols ospf
default-information
originate [always]
[metric <number>]
[metric-type <1|2>]
[route-map <name>]
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf default-information
originate always
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf default-information
originate metric
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf default-information
originate metric-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf default-information
originate route-map
set protocols ospf
default-metric <number>
------------------
protocols-ospf.xml.in:
protocols ospf default-metric
set protocols ospf
distance global
<distance>
------------------
protocols-ospf.xml.in:
protocols ospf distance global
set protocols ospf
distance ospf
<external|inter-area|intra-area>
<distance>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 895

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf distance ospf external
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf distance ospf inter-
area
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf distance ospf intra-
area
set protocols ospf
interface <interface>
authentication md5
key-id <id> md5-key
<text>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
authentication md5 key-id <key-id>
md5-key
set protocols ospf
interface <interface>
authentication
plaintext-password
<text>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
authentication plaintext-password
set protocols ospf
interface <interface>
bandwidth <number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
bandwidth
set protocols ospf
interface <interface>
bfd
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
bfd
下页继续

16.1. Configuration Commands 896

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols ospf
interface <interface>
cost <number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
cost
set protocols ospf
interface <interface>
dead-interval <number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
dead-interval
set protocols ospf
interface <interface>
hello-interval <number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
hello-interval
set protocols ospf
interface <interface>
hello-multiplier
<number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
hello-multiplier
set protocols ospf
interface <interface>
mtu-ignore
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
mtu-ignore
set protocols ospf
interface <interface>
network <type>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
network
set protocols ospf
interface <interface>
priority <number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
priority
下页继续

16.1. Configuration Commands 897

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols ospf
interface <interface>
retransmit-interval
<number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
retransmit-interval
set protocols ospf
interface <interface>
transmit-delay <number>
------------------
protocols-ospf.xml.in:
protocols ospf interface <interface>
transmit-delay
set protocols ospf
log-adjacency-changes
[detail]
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf log-adjacency-
changes detail
set protocols ospf
max-metric router-lsa
<administrative|on-shutdown
<seconds>|on-startup
<seconds>>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf max-metric router-lsa
administrative
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf max-metric router-lsa
on-shutdown
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf max-metric router-lsa
on-startup
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf mpls-te enable
下页继续

16.1. Configuration Commands 898

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf mpls-te router-address
set protocols ospf
neighbor <A.B.C.D>
Nothing found in XML Definitions
set protocols ospf
neighbor <A.B.C.D>
poll-interval <seconds>
------------------
protocols-ospf.xml.in:
protocols ospf neighbor <neighbor>
poll-interval
set protocols ospf
neighbor <A.B.C.D>
priority <number>
------------------
protocols-ospf.xml.in:
protocols ospf neighbor <neighbor>
priority
set protocols ospf
parameters abr-type
<cisco|ibm|shortcut|standard>
------------------
protocols-ospf.xml.in:
protocols ospf parameters abr-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf parameters opaque-lsa
set protocols
ospf parameters
rfc1583-compatibility
------------------
protocols-ospf.xml.in:
protocols ospf parameters rfc1583-
compatibility
set protocols ospf
parameters router-id
<rid>
------------------
protocols-ospf.xml.in:
protocols ospf parameters router-id
set protocols ospf
passive-interface
<interface>
------------------
protocols-ospf.xml.in:
protocols ospf passive-interface
下页继续

16.1. Configuration Commands 899

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols ospf
passive-interface-exclude
<interface>
------------------
protocols-ospf.xml.in:
protocols ospf passive-interface-
exclude
set protocols ospf
passive-interface
default
Nothing found in XML Definitions
set protocols ospf
redistribute <route
source>
Nothing found in XML Definitions
set protocols ospf
redistribute <route
source> metric <number>
Nothing found in XML Definitions
set protocols ospf
redistribute <route
source> metric-type
<1|2>
Nothing found in XML Definitions
set protocols ospf
redistribute <route
source> route-map
<name>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute bgp met-
ric
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute bgp
metric-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute bgp route-
map
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute connected
metric
下页继续

16.1. Configuration Commands 900

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute connected
metric-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute connected
route-map
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute isis metric
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute isis
metric-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute isis route-
map
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute kernel
metric
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute kernel
metric-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute kernel
route-map
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute rip metric
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute rip
metric-type
下页继续

16.1. Configuration Commands 901

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute rip route-
map
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute static met-
ric
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute static
metric-type
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf redistribute static
route-map
set protocols ospf
refresh timers
<seconds>
------------------
protocols-ospf.xml.in:
protocols ospf refresh timers
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf route-map
set protocols ospf
timers throttle spf
<delay|initial-holdtime|max-holdtime>
<seconds>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf timers throttle spf de-
lay
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf timers throttle spf
initial-holdtime
Not documented yet
------------------
protocols-ospf.xml.in:
protocols ospf timers throttle spf
max-holdtime
下页继续

16.1. Configuration Commands 902

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 area <area> export-
list
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 area <area> import-
list
set protocols ospfv3
area <number> interface
<interface>
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 area <area> inter-
face
set protocols ospfv3
area <number> range
<prefix>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 area <area> range
<range> advertise
set protocols ospfv3
area <number> range
<prefix> not-advertise
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 area <area> range
<range> not-advertise
set protocols ospfv3
distance global
<distance>
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 distance global
set protocols ospfv3
distance ospfv3
<external|inter-area|intra-area>
<distance>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 distance ospfv3 ex-
ternal
下页继续

16.1. Configuration Commands 903

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 distance ospfv3
inter-area
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 distance ospfv3
intra-area
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> bfd
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> cost
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> dead-interval
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> hello-interval
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> ifmtu
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> instance-id
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> mtu-ignore
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> network
下页继续

16.1. Configuration Commands 904

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> passive
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> priority
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> retransmit-interval
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 interface <inter-
face> transmit-delay
set protocols ospfv3
parameters router-id
<rid>
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 parameters router-
id
set protocols ospfv3
redistribute <route
source>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 redistribute bgp
route-map
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 redistribute con-
nected route-map
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 redistribute kernel
route-map
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 redistribute ripng
route-map
下页继续

16.1. Configuration Commands 905

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 redistribute static
route-map
Not documented yet
------------------
protocols-ospfv3.xml.in:
protocols ospfv3 route-map
set protocols
pim interface
<interface-name>
Nothing found in XML Definitions
set protocols pim
interface <interface>
dr-priority <value>
------------------
protocols-pim.xml.in:
protocols pim interface <interface>
dr-priority
Not documented yet
------------------
protocols-pim.xml.in:
protocols pim interface <interface>
hello
set protocols pim
int <interface> hello
<seconds>
Nothing found in XML Definitions
set protocols pim rp
address <address> group
<multicast-address/
mask-bits>
------------------
protocols-pim.xml.in:
protocols pim rp address <address>
group
set protocols pim
rp keep-alive-timer
<seconds>
------------------
protocols-pim.xml.in:
protocols pim rp keep-alive-timer
set protocols rip
default-distance
<distance>
------------------
protocols-rip.xml.in:
protocols rip default-distance
下页继续

16.1. Configuration Commands 906

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols rip
default-information
originate
------------------
protocols-rip.xml.in:
protocols rip default-information
originate
set protocols rip
default-metric <metric>
------------------
protocols-rip.xml.in:
protocols rip default-metric
set protocols rip
distribute-list
access-list <in|out>
<number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list access-
list in
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list access-
list out
set protocols rip
distribute-list
interface <interface>
access-list <in|out>
<number>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list interface
<interface> access-list in
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list interface
<interface> access-list out
set protocols rip
distribute-list
interface <interface>
prefix-list <in|out>
<name>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 907

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list interface
<interface> prefix-list in
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list interface
<interface> prefix-list out
set protocols rip
distribute-list
prefix-list <in|out>
<name>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list prefix-list
in
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip distribute-list prefix-list
out
set protocols rip
interface <interface>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip interface <interface>
authentication md5 <md5> password
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip interface <interface>
authentication plaintext-password
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip interface <interface>
split-horizon disable
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip interface <interface>
split-horizon poison-reverse
下页继续

16.1. Configuration Commands 908

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols rip
neighbor <A.B.C.D>
------------------
protocols-rip.xml.in:
protocols rip neighbor
set protocols rip
network <A.B.C.D/M>
------------------
protocols-rip.xml.in:
protocols rip network
set protocols rip
network-distance <A.
B.C.D/M> access-list
<name>
------------------
protocols-rip.xml.in:
protocols rip network-distance
<network-distance> access-list
set protocols rip
network-distance <A.
B.C.D/M> distance
<distance>
------------------
protocols-rip.xml.in:
protocols rip network-distance
<network-distance> distance
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng aggregate-address
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng default-information
originate
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng default-metric
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list access-
list in
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list access-
list out
下页继续

16.1. Configuration Commands 909

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list inter-
face <interface> access-list in
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list inter-
face <interface> access-list out
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list inter-
face <interface> prefix-list in
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list inter-
face <interface> prefix-list out
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list prefix-
list in
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng distribute-list prefix-
list out
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng interface <interface>
split-horizon disable
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng interface <interface>
split-horizon poison-reverse
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng network
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng passive-interface
下页继续

16.1. Configuration Commands 910

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute bgp met-
ric
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute bgp
route-map
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute con-
nected metric
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute con-
nected route-map
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute kernel
metric
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute kernel
route-map
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute ospfv3
metric
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute ospfv3
route-map
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute static
metric
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng redistribute static
route-map
下页继续

16.1. Configuration Commands 911

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng route
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng route-map
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng timers garbage-
collection
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng timers timeout
Not documented yet
------------------
protocols-ripng.xml.in:
protocols ripng timers update
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip passive-interface
set protocols rip
passive-interface
interface <interface>
Nothing found in XML Definitions
set protocols rip
passive-interface
interface default
Nothing found in XML Definitions
set protocols rip
redistribute <route
source>
Nothing found in XML Definitions
set protocols rip
redistribute <route
source> metric <metric>
Nothing found in XML Definitions
set protocols rip
redistribute <route
source> route-map
<name>
Nothing found in XML Definitions
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute bgp metric
下页继续

16.1. Configuration Commands 912

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute bgp route-
map
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute connected
metric
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute connected
route-map
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute isis metric
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute isis route-
map
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute kernel met-
ric
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute kernel
route-map
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute ospf metric
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute ospf route-
map
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute static met-
ric
下页继续

16.1. Configuration Commands 913

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-rip.xml.in:
protocols rip redistribute static route-
map
set protocols rip route
<A.B.C.D/M>
------------------
protocols-rip.xml.in:
protocols rip route
set protocols rip timers
garbage-collection
<seconds>
------------------
protocols-rip.xml.in:
protocols rip timers garbage-
collection
set protocols rip timers
timeout <seconds>
------------------
protocols-rip.xml.in:
protocols rip timers timeout
set protocols rip timers
update <seconds>
------------------
protocols-rip.xml.in:
protocols rip timers update
protocols rpki cache
<address> port <port>
------------------
protocols-rpki.xml.in:
protocols rpki cache <cache> port
protocols rpki cache
<address> preference
<preference>
------------------
protocols-rpki.xml.in:
protocols rpki cache <cache> prefer-
ence
protocols rpki
cache <address> ssh
known-hosts-file
<filepath>
------------------
protocols-rpki.xml.in:
protocols rpki cache <cache> ssh
known-hosts-file
下页继续

16.1. Configuration Commands 914

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
protocols rpki
cache <address> ssh
private-key-file
<filepath>
------------------
protocols-rpki.xml.in:
protocols rpki cache <cache> ssh
private-key-file
Not documented yet
------------------
protocols-rpki.xml.in:
protocols rpki cache <cache> ssh
public-key-file
protocols rpki
cache <address> ssh
public-key-file
<filepath
Nothing found in XML Definitions
protocols rpki cache
<address> ssh username
<user>
------------------
protocols-rpki.xml.in:
protocols rpki cache <cache> ssh
username
protocols rpki
polling-period
<1-86400>
------------------
protocols-rpki.xml.in:
protocols rpki polling-period
set protocols static arp
<address> hwaddr <mac>
------------------
protocols-static-arp.xml.in:
protocols static arp <arp> hwaddr
Not documented yet
------------------
protocols-multicast.xml.in:
protocols static multicast interface-
route <interface-route> next-hop-
interface <next-hop-interface>
distance
Not documented yet
------------------
protocols-multicast.xml.in:
protocols static multicast route
<route> next-hop <next-hop>
distance
下页继续

16.1. Configuration Commands 915

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-static.xml.in:
protocols static route-map
set protocols static
route 0.0.0.0/0 next-hop
<address>
Nothing found in XML Definitions
set protocols static
route6 <subnet>
blackhole
Nothing found in XML Definitions
set protocols static
route6 <subnet>
blackhole distance
<distance>
------------------
protocols-static.xml.in:
protocols static route6 <route6>
blackhole distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static route6 <route6>
blackhole tag
set protocols static
route6 <subnet>
interface <interface>
Nothing found in XML Definitions
set protocols static
route6 <subnet>
interface <interface>
disable
------------------
protocols-static.xml.in:
protocols static route6 <route6> in-
terface <interface> disable
set protocols static
route6 <subnet>
interface <interface>
distance <distance>
------------------
protocols-static.xml.in:
protocols static route6 <route6> in-
terface <interface> distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static route6 <route6> in-
terface <interface> vrf
下页继续

16.1. Configuration Commands 916

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols static
route6 <subnet> next-hop
<address>
Nothing found in XML Definitions
set protocols static
route6 <subnet> next-hop
<address> disable
------------------
protocols-static.xml.in:
protocols static route6 <route6>
next-hop <next-hop> disable
set protocols static
route6 <subnet> next-hop
<address> distance
<distance>
------------------
protocols-static.xml.in:
protocols static route6 <route6>
next-hop <next-hop> distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static route6 <route6>
next-hop <next-hop> interface
Not documented yet
------------------
protocols-static.xml.in:
protocols static route6 <route6>
next-hop <next-hop> vrf
set protocols static
route <subnet> blackhole
Nothing found in XML Definitions
set protocols static
route <subnet> blackhole
distance <distance>
------------------
protocols-static.xml.in:
protocols static route <route> black-
hole distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static route <route> black-
hole tag
Not documented yet
------------------
protocols-static.xml.in:
protocols static route <route> dhcp-
interface
下页继续

16.1. Configuration Commands 917

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols static
route <subnet> interface
<interface>
Nothing found in XML Definitions
set protocols static
route <subnet> interface
<interface> disable
------------------
protocols-static.xml.in:
protocols static route <route> inter-
face <interface> disable
set protocols static
route <subnet> interface
<interface> distance
<distance>
------------------
protocols-static.xml.in:
protocols static route <route> inter-
face <interface> distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static route <route> inter-
face <interface> vrf
set protocols static
route <subnet> next-hop
<address>
Nothing found in XML Definitions
set protocols static
route <subnet> next-hop
<address> disable
------------------
protocols-static.xml.in:
protocols static route <route> next-
hop <next-hop> disable
set protocols static
route <subnet> next-hop
<address> distance
<distance>
------------------
protocols-static.xml.in:
protocols static route <route> next-
hop <next-hop> distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static route <route> next-
hop <next-hop> interface
下页继续

16.1. Configuration Commands 918

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-static.xml.in:
protocols static route <route> next-
hop <next-hop> vrf
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> blackhole distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> blackhole tag
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> interface <interface> dis-
able
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> interface <interface> dis-
tance
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> interface <interface> vrf
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> next-hop <next-hop> dis-
able
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> next-hop <next-hop> dis-
tance
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> next-hop <next-hop> inter-
face
下页继续

16.1. Configuration Commands 919

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route6
<route6> next-hop <next-hop> vrf
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> blackhole distance
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> blackhole tag
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> dhcp-interface
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> interface <interface> disable
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> interface <interface> dis-
tance
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> interface <interface> vrf
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> next-hop <next-hop> dis-
able
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> next-hop <next-hop> dis-
tance
下页继续

16.1. Configuration Commands 920

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> next-hop <next-hop> inter-
face
Not documented yet
------------------
protocols-static.xml.in:
protocols static table <table> route
<route> next-hop <next-hop> vrf
set protocols vrf <name>
static route6 <subnet>
blackhole
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
blackhole distance
<distance>
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
interface <interface>
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
interface <interface>
disable
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
interface <interface>
distance <distance>
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
next-hop <address>
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
next-hop <address>
disable
Nothing found in XML Definitions
set protocols vrf <name>
static route6 <subnet>
next-hop <address>
distance <distance>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 921

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set protocols vrf <name>
static route6 <subnet>
next-hop <address> vrf
<default | vrf-name>
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
blackhole
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
blackhole distance
<distance>
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
interface <interface>
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
interface <interface>
disable
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
interface <interface>
distance <distance>
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
next-hop <address>
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
next-hop <address>
disable
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
next-hop <address>
distance <distance>
Nothing found in XML Definitions
set protocols vrf <name>
static route <subnet>
next-hop <address> vrf
<default | vrf-name>
Nothing found in XML Definitions
rename
Nothing found in XML Definitions
rollback <N>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 922

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
run
Nothing found in XML Definitions
save
Nothing found in XML Definitions
set service
broadcast-relay disable
------------------
bcast-relay.xml.in:
service broadcast-relay disable
Not documented yet
------------------
bcast-relay.xml.in:
service broadcast-relay id <id> ad-
dress
set service
broadcast-relay id
<n> description
<description>
------------------
bcast-relay.xml.in:
service broadcast-relay id <id> de-
scription
set service
broadcast-relay id <n>
disable
------------------
bcast-relay.xml.in:
service broadcast-relay id <id> dis-
able
set service
broadcast-relay id <n>
interface <interface>
------------------
bcast-relay.xml.in:
service broadcast-relay id <id> inter-
face
set service
broadcast-relay id <n>
port <port>
------------------
bcast-relay.xml.in:
service broadcast-relay id <id> port
set service
console-server <device>
data-bits [7 | 8]
Nothing found in XML Definitions
set service
console-server <device>
description <string>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 923

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_console-server.xml.in:
service console-server device <de-
vice> data-bits
Not documented yet
------------------
service_console-server.xml.in:
service console-server device <de-
vice> description
Not documented yet
------------------
service_console-server.xml.in:
service console-server device <de-
vice> parity
Not documented yet
------------------
service_console-server.xml.in:
service console-server device <de-
vice> speed
Not documented yet
------------------
service_console-server.xml.in:
service console-server device <de-
vice> ssh port
Not documented yet
------------------
service_console-server.xml.in:
service console-server device <de-
vice> stop-bits
set service
console-server <device>
parity [even | odd |
none]
Nothing found in XML Definitions
set service
console-server <device>
speed [ 300 | 1200 |
2400 | 4800 | 9600 |
19200 | 38400 | 57600 |
115200 ]
Nothing found in XML Definitions
set service
console-server <device>
ssh port <port>
Nothing found in XML Definitions
set service
console-server <device>
stop-bits [1 | 2]
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 924

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service dhcp-relay
interface <interface>
------------------
dhcp-relay.xml.in:
service dhcp-relay interface
set service dhcp-relay
relay-options hop-count
<count>
------------------
dhcp-relay.xml.in:
service dhcp-relay relay-options hop-
count
set service dhcp-relay
relay-options max-size
<size>
------------------
dhcp-relay.xml.in:
service dhcp-relay relay-options
max-size
set service dhcp-relay
relay-options
relay-agents-packet
<append | discard |
forward | replace>
Nothing found in XML Definitions
Not documented yet
------------------
dhcp-relay.xml.in:
service dhcp-relay relay-options
relay-agents-packets
set service dhcp-relay
relay-options
relay-agents-packets
discard
Nothing found in XML Definitions
set service dhcp-relay
server <server>
------------------
dhcp-relay.xml.in:
service dhcp-relay server
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server disable
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server dynamic-dns-
update
下页继续

16.1. Configuration Commands 925

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server global-
parameters
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server host-decl-name
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server hostfile-update
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server listen-address
set service dhcp-server
shared-network-name
<name> authoritative
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> au-
thoritative
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> de-
scription
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> dis-
able
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name>
shared-network-parameters
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> bootfile-name
下页继续

16.1. Configuration Commands 926

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> bootfile-server
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> client-prefix-length
set service dhcp-server
shared-network-name
<name> subnet <subnet>
default-router
<address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> default-router
set service dhcp-server
shared-network-name
<name> subnet <subnet>
dns-server <address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> dns-server
set service dhcp-server
shared-network-name
<name> subnet
<subnet> domain-name
<domain-name>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> domain-name
set service dhcp-server
shared-network-name
<name> subnet
<subnet> domain-search
<domain-name>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> domain-search
下页继续

16.1. Configuration Commands 927

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service dhcp-server
shared-network-name
<name> subnet <subnet>
exclude <address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> exclude
set service dhcp-server
shared-network-name
<name> subnet <subnet>
failover local-address
<address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> failover local-address
set service dhcp-server
shared-network-name
<name> subnet <subnet>
failover name <name>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> failover name
set service dhcp-server
shared-network-name
<name> subnet <subnet>
failover peer-address
<address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> failover peer-address
set service dhcp-server
shared-network-name
<name> subnet <subnet>
failover status <primary
| secondary>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> failover status
下页继续

16.1. Configuration Commands 928

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> ip-forwarding
set service dhcp-server
shared-network-name
<name> subnet <subnet>
lease <time>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> lease
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> ntp-server
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> pop-server
set service dhcp-server
shared-network-name
<name> subnet <subnet>
range <n> start
<address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> range <range> start
set service dhcp-server
shared-network-name
<name> subnet <subnet>
range <n> stop
<address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> range <range> stop
下页继续

16.1. Configuration Commands 929

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> server-identifier
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> smtp-server
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> static-mapping <static-
mapping> disable
set service dhcp-server
shared-network-name
<name> subnet <subnet>
static-mapping
<description> ip-address
<address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> static-mapping <static-
mapping> ip-address
set service dhcp-server
shared-network-name
<name> subnet <subnet>
static-mapping
<description>
mac-address <address>
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> static-mapping <static-
mapping> mac-address
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name>
subnet <subnet> static-mapping
<static-mapping> static-mapping-
parameters
下页继续

16.1. Configuration Commands 930

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> static-route destination-
subnet
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> static-route router
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> subnet-parameters
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> tftp-server-name
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> time-offset
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> time-server
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> wins-server
Not documented yet
------------------
dhcp-server.xml.in:
service dhcp-server shared-network-
name <shared-network-name> sub-
net <subnet> wpad-url
下页继续

16.1. Configuration Commands 931

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service dhcpv6-relay
listen-interface
<interface>
Nothing found in XML Definitions
Not documented yet
------------------
dhcpv6-relay.xml.in:
service dhcpv6-relay listen-interface
<listen-interface> address
Not documented yet
------------------
dhcpv6-relay.xml.in:
service dhcpv6-relay max-hop-count
set service dhcpv6-relay
max-hop-count 'count'
Nothing found in XML Definitions
set service dhcpv6-relay
upstream-interface
<interface> address
<server>
------------------
dhcpv6-relay.xml.in:
service dhcpv6-relay upstream-
interface <upstream-interface>
address
set service dhcpv6-relay
use-interface-id-option
------------------
dhcpv6-relay.xml.in:
service dhcpv6-relay use-interface-
id-option
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server disable
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server global-
parameters name-server
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server preference
set service
dhcpv6-server preference
<preference value>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 932

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> common-options domain-
search
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> common-options info-
refresh-time
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> common-options name-
server
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> disable
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> address-
range prefix <prefix> temporary
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> address-
range start <start> stop
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> domain-
search
下页继续

16.1. Configuration Commands 933

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> lease-time
default
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> lease-time
maximum
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> lease-time
minimum
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
lease-time {default |
maximum | minimum}
Nothing found in XML Definitions
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> name-server
set service
dhcpv6-server
shared-network-name
<name> subnet
<prefix> nis-domain
<domain-name>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> nis-domain
下页继续

16.1. Configuration Commands 934

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
nis-server <address>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> nis-server
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
nisplus-domain
<domain-name>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> nisplus-
domain
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
nisplus-server
<address>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> nisplus-
server
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
prefix-delegation start
<address> prefix-length
<length>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> prefix-
delegation start <start> prefix-length
下页继续

16.1. Configuration Commands 935

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
prefix-delegation
start <address> stop
<address>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> prefix-
delegation start <start> stop
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
sip-server <address |
fqdn>
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> sip-server
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> sntp-server
set service
dhcpv6-server
shared-network-name
<name> subnet <prefix>
sntp-server-address
<address>
Nothing found in XML Definitions
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> static-
mapping <static-mapping> disable
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> static-
mapping <static-mapping> identifier
下页继续

16.1. Configuration Commands 936

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dhcpv6-server.xml.in:
service dhcpv6-server shared-
network-name <shared-network-
name> subnet <subnet> static-
mapping <static-mapping> ipv6-
address
set service dns dynamic
interface <interface>
rfc2136 <service-name>
Nothing found in XML Definitions
set service dns dynamic
interface <interface>
rfc2136 <service-name>
key <keyfile>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> rfc2136 <rfc2136> key
set service dns dynamic
interface <interface>
rfc2136 <service-name>
record <record>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> rfc2136 <rfc2136> record
set service dns dynamic
interface <interface>
rfc2136 <service-name>
server <server>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> rfc2136 <rfc2136> server
set service dns dynamic
interface <interface>
rfc2136 <service-name>
ttl <ttl>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> rfc2136 <rfc2136> ttl
下页继续

16.1. Configuration Commands 937

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service dns dynamic
interface <interface>
rfc2136 <service-name>
zone <zone>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> rfc2136 <rfc2136> zone
set service dns dynamic
interface <interface>
service <service>
host-name <hostname>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> service <service> host-name
set service dns dynamic
interface <interface>
service <service> login
<username>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> service <service> login
set service dns dynamic
interface <interface>
service <service>
password <password>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> service <service> password
set service dns dynamic
interface <interface>
service <service>
protocol <protocol>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> service <service> protocol
set service dns dynamic
interface <interface>
service <service> server
<server>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> service <service> server
下页继续

16.1. Configuration Commands 938

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> service <service> zone
set service dns dynamic
interface <interface>
use-web skip <pattern>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> use-web skip
set service dns dynamic
interface <interface>
use-web url <url>
------------------
dns-dynamic.xml.in:
service dns dynamic interface <inter-
face> use-web url
set service dns
forwarding allow-from
<network>
------------------
dns-forwarding.xml.in:
service dns forwarding allow-from
Not documented yet
------------------
dns-forwarding.xml.in:
service dns forwarding cache-size
Not documented yet
------------------
dns-forwarding.xml.in:
service dns forwarding dhcp
set service dns
forwarding dnssec <off
| process-no-validate
| process | log-fail |
validate>
------------------
dns-forwarding.xml.in:
service dns forwarding dnssec
Not documented yet
------------------
dns-forwarding.xml.in:
service dns forwarding domain <do-
main> addnta
Not documented yet
------------------
dns-forwarding.xml.in:
service dns forwarding domain <do-
main> recursion-desired
下页继续

16.1. Configuration Commands 939

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service dns
forwarding domain
<domain-name> server
<address>
------------------
dns-forwarding.xml.in:
service dns forwarding domain <do-
main> server
set service
dns forwarding
ignore-hosts-file
------------------
dns-forwarding.xml.in:
service dns forwarding ignore-hosts-
file
set service
dns forwarding
listen-address
------------------
dns-forwarding.xml.in:
service dns forwarding listen-address
set service
dns forwarding
max-cache-entries
Nothing found in XML Definitions
set service dns
forwarding name-server
<address>
------------------
dns-forwarding.xml.in:
service dns forwarding name-server
set service dns
forwarding negative-ttl
------------------
dns-forwarding.xml.in:
service dns forwarding negative-ttl
Not documented yet
------------------
dns-forwarding.xml.in:
service dns forwarding source-
address
set service dns
forwarding system
------------------
dns-forwarding.xml.in:
service dns forwarding system
下页继续

16.1. Configuration Commands 940

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service https
api-restrict
virtual-host <vhost>
------------------
https.xml.in:
service https api-restrict virtual-host
set service https api
debug
------------------
https.xml.in:
service https api debug
set service https api
keys id <name> key
<apikey>
------------------
https.xml.in:
service https api keys id <id> key
set service https api
port
------------------
https.xml.in:
service https api port
set service https api
strict
------------------
https.xml.in:
service https api strict
set service https
certificates certbot
domain-name <text>
------------------
https.xml.in:
service https certificates certbot
domain-name
set service https
certificates certbot
email
------------------
https.xml.in:
service https certificates certbot
email
set service https
certificates
system-generated-certificate
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 941

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service https
certificates
system-generated-certificate
lifetime <days>
------------------
https.xml.in:
service https certificates system-
generated-certificate lifetime
set service https
virtual-host <vhost>
listen-address
------------------
https.xml.in:
service https virtual-host <virtual-
host> listen-address
set service https
virtual-host <vhost>
listen-port <1-65535>
------------------
https.xml.in:
service https virtual-host <virtual-
host> listen-port
set service https
virtual-host <vhost>
server-name <text>
------------------
https.xml.in:
service https virtual-host <virtual-
host> server-name
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection alert-
script
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection direction
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection listen-
interface
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection mode
mirror
下页继续

16.1. Configuration Commands 942

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection network
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection threshold
fps
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection threshold
mbps
Not documented yet
------------------
service-ids-ddos-protection.xml.in:
service ids ddos-protection threshold
pps
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication
interface <interface> mac-address
<mac-address> rate-limit download
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication
interface <interface> mac-address
<mac-address> rate-limit upload
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication
interface <interface> mac-address
<mac-address> vlan-id
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication
mode
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius acct-interim-jitter
下页继续

16.1. Configuration Commands 943

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius acct-timeout
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius dynamic-author key
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius dynamic-author port
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius dynamic-author server
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius max-try
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius nas-identifier
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius nas-ip-address
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius preallocate-vif
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius server <server> acct-port
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius server <server> disable
下页继续

16.1. Configuration Commands 944

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication
radius server <server> disable-
accounting
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius server <server> fail-time
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius server <server> key
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius server <server> port
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius source-address
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server authentication ra-
dius timeout
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server client-ipv6-pool
delegate <delegate> delegation-
prefix
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server client-ipv6-pool
prefix <prefix> mask
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> client-subnet
下页继续

16.1. Configuration Commands 945

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> external-dhcp dhcp-relay
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> external-dhcp giaddr
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> network
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> network-mode
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> vlan-id
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server interface <inter-
face> vlan-range
Not documented yet
------------------
service_ipoe-server.xml.in:
service ipoe-server name-server
set service lldp
Nothing found in XML Definitions
set service lldp
interface <interface>
Nothing found in XML Definitions
set service lldp
interface <interface>
disable
------------------
lldp.xml.in:
service lldp interface <interface> dis-
able
Not documented yet
------------------
lldp.xml.in:
service lldp interface <interface> lo-
cation coordinate-based altitude
下页继续

16.1. Configuration Commands 946

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
lldp.xml.in:
service lldp interface <interface> lo-
cation coordinate-based datum
Not documented yet
------------------
lldp.xml.in:
service lldp interface <interface> lo-
cation coordinate-based latitude
Not documented yet
------------------
lldp.xml.in:
service lldp interface <interface> lo-
cation coordinate-based longitude
Not documented yet
------------------
lldp.xml.in:
service lldp interface <interface> lo-
cation elin
set service lldp
legacy-protocols
<cdp|edp|fdp|sonmp>
Nothing found in XML Definitions
Not documented yet
------------------
lldp.xml.in:
service lldp legacy-protocols cdp
Not documented yet
------------------
lldp.xml.in:
service lldp legacy-protocols edp
Not documented yet
------------------
lldp.xml.in:
service lldp legacy-protocols fdp
Not documented yet
------------------
lldp.xml.in:
service lldp legacy-protocols sonmp
set service lldp
management-address
<address>
------------------
lldp.xml.in:
service lldp management-address
set service lldp snmp
enable
------------------
lldp.xml.in:
service lldp snmp enable
下页继续

16.1. Configuration Commands 947

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service mdns
repeater disable
------------------
service_mdns-repeater.xml.in:
service mdns repeater disable
set service mdns
repeater interface
<interface>
------------------
service_mdns-repeater.xml.in:
service mdns repeater interface
set service pppoe-server
access-concentrator
<name>
------------------
service_pppoe-server.xml.in:
service pppoe-server access-
concentrator
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
local-users username <username>
disable
set service pppoe-server
authentication
local-users username
<name> password
<password>
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
local-users username <username>
password
set service pppoe-server
authentication
local-users username
<name> rate-limit
<download | upload>
Nothing found in XML Definitions
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
local-users username <username>
rate-limit download
下页继续

16.1. Configuration Commands 948

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
local-users username <username>
rate-limit upload
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
local-users username <username>
static-ip
set service pppoe-server
authentication mode
<local | radius>
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
mode
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
protocols
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius acct-interim-jitter
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius acct-timeout
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius called-sid-format
set service pppoe-server
authentication radius
dynamic-author <key |
port | server>
Nothing found in XML Definitions
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius dynamic-author key
下页继续

16.1. Configuration Commands 949

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius dynamic-author port
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius dynamic-author server
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius max-try
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius nas-identifier
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius nas-ip-address
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius preallocate-vif
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius rate-limit attribute
set service pppoe-server
authentication radius
rate-limit enable
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius rate-limit enable
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius rate-limit vendor
下页继续

16.1. Configuration Commands 950

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius server <server> acct-port
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius server <server> disable
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius server <server> disable-
accounting
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius server <server> fail-time
set service pppoe-server
authentication radius
server <address> key
<secret>
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius server <server> key
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius server <server> port
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius source-address
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server authentication
radius timeout
set service pppoe-server
client-ip-pool start
<address>
------------------
service_pppoe-server.xml.in:
service pppoe-server client-ip-pool
start
下页继续

16.1. Configuration Commands 951

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service pppoe-server
client-ip-pool stop
<address>
------------------
service_pppoe-server.xml.in:
service pppoe-server client-ip-pool
stop
set service pppoe-server
client-ip-pool subnet
<address>
------------------
service_pppoe-server.xml.in:
service pppoe-server client-ip-pool
subnet
set service pppoe-server
client-ipv6-pool
delegate <address>
delegation-prefix
<number-of-bits>
------------------
service_pppoe-server.xml.in:
service pppoe-server client-ipv6-
pool delegate <delegate> delegation-
prefix
set service pppoe-server
client-ipv6-pool
prefix <address> mask
<number-of-bits>
------------------
service_pppoe-server.xml.in:
service pppoe-server client-ipv6-
pool prefix <prefix> mask
set service pppoe-server
gateway-address
<address>
------------------
service_pppoe-server.xml.in:
service pppoe-server gateway-
address
set service pppoe-server
interface <interface>
Nothing found in XML Definitions
set service pppoe-server
interface <interface>
<vlan-id | vlan range>
<text>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 952

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server interface <in-
terface> vlan-id
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server interface <in-
terface> vlan-range
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server limits burst
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server limits
connection-limit
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server limits timeout
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server mtu
set service pppoe-server
name-server <address>
------------------
service_pppoe-server.xml.in:
service pppoe-server name-server
set service
pppoe-server pado-delay
<number-of-ms> sessions
<number-of-sessions>
------------------
service_pppoe-server.xml.in:
service pppoe-server pado-delay
<pado-delay> sessions
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options ccp
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
ipv4
下页继续

16.1. Configuration Commands 953

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
ipv6
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
ipv6-accept-peer-intf-id
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
ipv6-intf-id
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
ipv6-peer-intf-id
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
lcp-echo-failure
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
lcp-echo-interval
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
lcp-echo-timeout
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
min-mtu
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
mppe
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server ppp-options
mru
下页继续

16.1. Configuration Commands 954

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server service-name
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server session-control
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server snmp master-
agent
Not documented yet
------------------
service_pppoe-server.xml.in:
service pppoe-server wins-server
set service
router-advert interface
<interface> ....
Nothing found in XML Definitions
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> default-lifetime
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> default-preference
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> dnssl
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> hop-limit
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> interval max
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> interval min
下页继续

16.1. Configuration Commands 955

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> link-mtu
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> managed-flag
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> name-server
set service
router-advert
interface <interface>
no-send-advert
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> no-send-advert
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> other-config-flag
set service
router-advert interface
<interface> prefix
2001:DB8::/32
Nothing found in XML Definitions
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface
<interface> prefix <prefix> no-
autonomous-flag
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> prefix <prefix> no-on-link-
flag
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> prefix <prefix> preferred-
lifetime
下页继续

16.1. Configuration Commands 956

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface
<interface> prefix <prefix> valid-
lifetime
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> reachable-time
Not documented yet
------------------
service_router-advert.xml.in:
service router-advert interface <in-
terface> retrans-timer
set service salt-minion
hash <type>
------------------
salt-minion.xml.in:
service salt-minion hash
set service salt-minion
id <id>
------------------
salt-minion.xml.in:
service salt-minion id
set service salt-minion
interval <1-1440>
------------------
salt-minion.xml.in:
service salt-minion interval
set service salt-minion
master <hostname | IP>
------------------
salt-minion.xml.in:
service salt-minion master
set service salt-minion
master-key <key>
------------------
salt-minion.xml.in:
service salt-minion master-key
Not documented yet
------------------
snmp.xml.in:
service snmp community <commu-
nity> authorization
Not documented yet
------------------
snmp.xml.in:
service snmp community <commu-
nity> client
下页继续

16.1. Configuration Commands 957

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
snmp.xml.in:
service snmp community <commu-
nity> network
Not documented yet
------------------
snmp.xml.in:
service snmp contact
Not documented yet
------------------
snmp.xml.in:
service snmp description
Not documented yet
------------------
snmp.xml.in:
service snmp listen-address <listen-
address> port
Not documented yet
------------------
snmp.xml.in:
service snmp location
Not documented yet
------------------
snmp.xml.in:
service snmp script-extensions
extension-name <extension-name>
script
Not documented yet
------------------
snmp.xml.in:
service snmp smux-peer
Not documented yet
------------------
snmp.xml.in:
service snmp trap-source
Not documented yet
------------------
snmp.xml.in:
service snmp trap-target <trap-
target> community
Not documented yet
------------------
snmp.xml.in:
service snmp trap-target <trap-
target> port
Not documented yet
------------------
snmp.xml.in:
service snmp v3 engineid
下页继续

16.1. Configuration Commands 958

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
snmp.xml.in:
service snmp v3 group <group>
mode
Not documented yet
------------------
snmp.xml.in:
service snmp v3 group <group> se-
clevel
Not documented yet
------------------
snmp.xml.in:
service snmp v3 group <group> view
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> auth encrypted-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> auth plaintext-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> auth type
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> port
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> privacy encrypted-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> privacy plaintext-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> privacy type
下页继续

16.1. Configuration Commands 959

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> protocol
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> type
Not documented yet
------------------
snmp.xml.in:
service snmp v3 trap-target <trap-
target> user
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> auth
encrypted-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> auth
plaintext-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> auth
type
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> group
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> mode
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> privacy
encrypted-password
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> privacy
plaintext-password
下页继续

16.1. Configuration Commands 960

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
snmp.xml.in:
service snmp v3 user <user> privacy
type
Not documented yet
------------------
snmp.xml.in:
service snmp v3 view <view> oid
<oid> exclude
Not documented yet
------------------
snmp.xml.in:
service snmp v3 view <view> oid
<oid> mask
Not documented yet
------------------
snmp.xml.in:
service snmp vrf
set service ssh
access-control <allow
| deny> <group | user>
<name>
Nothing found in XML Definitions
Not documented yet
------------------
ssh.xml.in:
service ssh access-control allow
group
Not documented yet
------------------
ssh.xml.in:
service ssh access-control allow user
Not documented yet
------------------
ssh.xml.in:
service ssh access-control deny group
Not documented yet
------------------
ssh.xml.in:
service ssh access-control deny user
set service ssh ciphers
<cipher>
------------------
ssh.xml.in:
service ssh ciphers
下页继续

16.1. Configuration Commands 961

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service ssh
client-keepalive-interval
<interval>
------------------
ssh.xml.in:
service ssh client-keepalive-interval
set service ssh
disable-host-validation
------------------
ssh.xml.in:
service ssh disable-host-validation
set service ssh
disable-password-authentication
------------------
ssh.xml.in:
service ssh disable-password-
authentication
set service ssh
key-exchange <kex>
------------------
ssh.xml.in:
service ssh key-exchange
set service ssh
listen-address
<address>
------------------
ssh.xml.in:
service ssh listen-address
set service ssh loglevel
<quiet | fatal | error |
info | verbose>
------------------
ssh.xml.in:
service ssh loglevel
Not documented yet
------------------
ssh.xml.in:
service ssh mac
set service ssh macs
<mac>
Nothing found in XML Definitions
set service ssh port
<port>
------------------
ssh.xml.in:
service ssh port
set service ssh vrf
<name>
------------------
ssh.xml.in:
service ssh vrf
下页继续

16.1. Configuration Commands 962

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service tftp-server
allow-upload
------------------
tftp-server.xml.in:
service tftp-server allow-upload
set service tftp-server
directory <directory>
------------------
tftp-server.xml.in:
service tftp-server directory
set service tftp-server
listen-address
<address>
------------------
tftp-server.xml.in:
service tftp-server listen-address
Not documented yet
------------------
tftp-server.xml.in:
service tftp-server port
set service webproxy
append-domain <domain>
------------------
service_webproxy.xml.in:
service webproxy append-domain
set service webproxy
authentication children
<number>
------------------
service_webproxy.xml.in:
service webproxy authentication
children
set service webproxy
authentication
credentials-ttl <time>
------------------
service_webproxy.xml.in:
service webproxy authentication
credentials-ttl
set service webproxy
authentication ldap
base-dn <base-dn>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
base-dn
下页继续

16.1. Configuration Commands 963

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service webproxy
authentication ldap
bind-dn <bind-dn>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
bind-dn
set service webproxy
authentication ldap
filter-expression
<expr>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
filter-expression
set service webproxy
authentication ldap
password <password>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
password
set service webproxy
authentication ldap
persistent-connection
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
persistent-connection
set service webproxy
authentication ldap port
<port>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
port
set service webproxy
authentication ldap
server <server>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
server
set service webproxy
authentication ldap
use-ssl
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
use-ssl
下页继续

16.1. Configuration Commands 964

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set service webproxy
authentication ldap
username-attribute
<attr>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
username-attribute
set service webproxy
authentication ldap
version <2 | 3>
------------------
service_webproxy.xml.in:
service webproxy authentication ldap
version
set service webproxy
authentication method
<ldap>
------------------
service_webproxy.xml.in:
service webproxy authentication
method
set service webproxy
authentication realm
------------------
service_webproxy.xml.in:
service webproxy authentication
realm
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy cache-peer
<cache-peer> address
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy cache-peer
<cache-peer> http-port
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy cache-peer
<cache-peer> icp-port
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy cache-peer
<cache-peer> options
下页继续

16.1. Configuration Commands 965

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy cache-peer
<cache-peer> type
set service webproxy
cache-size <size>
------------------
service_webproxy.xml.in:
service webproxy cache-size
set service webproxy
default-port <port>
------------------
service_webproxy.xml.in:
service webproxy default-port
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy disable-access-log
set service webproxy
domain-block <domain>
------------------
service_webproxy.xml.in:
service webproxy domain-block
set service webproxy
domain-noncache
<domain>
------------------
service_webproxy.xml.in:
service webproxy domain-noncache
set service webproxy
listen-address
<address>
Nothing found in XML Definitions
set service webproxy
listen-address <address>
disable-transparent
------------------
service_webproxy.xml.in:
service webproxy listen-address
<listen-address> disable-transparent
set service webproxy
listen-address <address>
port <port>
------------------
service_webproxy.xml.in:
service webproxy listen-address
<listen-address> port
下页继续

16.1. Configuration Commands 966

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy maximum-object-
size
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy mem-cache-size
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy minimum-object-
size
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy outgoing-address
set service webproxy
reply-block-mime <mime>
------------------
service_webproxy.xml.in:
service webproxy reply-block-mime
set service webproxy
reply-body-max-size
<size>
------------------
service_webproxy.xml.in:
service webproxy reply-body-max-
size
set service webproxy
url-filtering disable
------------------
service_webproxy.xml.in:
service webproxy url-filtering disable
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard allow-category
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard allow-ipaddr-url
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard auto-update update-hour
下页继续

16.1. Configuration Commands 967

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard block-category
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard default-action
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard enable-safe-search
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard local-block
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard local-block-keyword
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard local-block-url
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard local-ok
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard local-ok-url
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard log
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard redirect-url
下页继续

16.1. Configuration Commands 968

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> allow-category
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> allow-ipaddr-url
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> block-category
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> default-action
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> enable-safe-search
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> local-block
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering
squidguard rule <rule> local-block-
keyword
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> local-block-url
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> local-ok
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> local-ok-url
下页继续

16.1. Configuration Commands 969

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> log
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> redirect-url
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> source-group
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard rule <rule> time-period
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard source-group <source-group>
address
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard source-group <source-group>
description
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard source-group <source-group>
domain
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard source-group <source-group>
ldap-ip-search
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard source-group <source-group>
ldap-user-search
下页继续

16.1. Configuration Commands 970

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard source-group <source-group>
user
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard time-period <time-period>
days <days> time
Not documented yet
------------------
service_webproxy.xml.in:
service webproxy url-filtering squid-
guard time-period <time-period> de-
scription
show
Nothing found in XML Definitions
Not documented yet
------------------
intel_qat.xml.in:
system acceleration qat
set system
config-management
commit-archive location
<URI>
Nothing found in XML Definitions
set system
config-management
commit-revisions <N>
Nothing found in XML Definitions
set system console
device <device>
Nothing found in XML Definitions
set system console
device <device> speed
<speed>
------------------
system-console.xml.in:
system console device <device>
speed
Not documented yet
------------------
system-console.xml.in:
system console powersave
下页继续

16.1. Configuration Commands 971

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system domain-name
<domain>
------------------
dns-domain-name.xml.in:
system domain-name
set system domain-search
domain <domain>
------------------
dns-domain-name.xml.in:
system domain-search domain
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting buffer-size
set system
flow-accounting
buffer-size <buffer
size>
Nothing found in XML Definitions
set system
flow-accounting
disable-imt
------------------
flow-accounting-conf.xml.in:
system flow-accounting disable-imt
set system
flow-accounting
enable-egress
------------------
flow-accounting-conf.xml.in:
system flow-accounting enable-
egress
set system
flow-accounting
interface <interface>
------------------
flow-accounting-conf.xml.in:
system flow-accounting interface
set system
flow-accounting netflow
engine-id <id>
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow
engine-id
下页继续

16.1. Configuration Commands 972

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system
flow-accounting netflow
max-flows <n>
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow max-
flows
set system
flow-accounting netflow
sampling-rate <rate>
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow
sampling-rate
set system
flow-accounting netflow
server <address>
Nothing found in XML Definitions
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow
server <server> port
set system
flow-accounting netflow
source-ip <address>
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow
source-ip
set system
flow-accounting netflow
timeout expiry-interval
<interval>
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out expiry-interval
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out flow-generic
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out icmp
下页继续

16.1. Configuration Commands 973

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out max-active-life
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out tcp-fin
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out tcp-generic
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out tcp-rst
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow time-
out udp
set system
flow-accounting netflow
version <version>
------------------
flow-accounting-conf.xml.in:
system flow-accounting netflow ver-
sion
set system
flow-accounting sflow
agent-address <address>
------------------
flow-accounting-conf.xml.in:
system flow-accounting sflow agent-
address
set system
flow-accounting sflow
sampling-rate <rate>
------------------
flow-accounting-conf.xml.in:
system flow-accounting sflow
sampling-rate
set system
flow-accounting sflow
server <address>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 974

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
flow-accounting-conf.xml.in:
system flow-accounting sflow server
<server> port
set system
flow-accounting
syslog-facility
<facility>
------------------
flow-accounting-conf.xml.in:
system flow-accounting syslog-
facility
set system host-name
<hostname>
------------------
dns-domain-name.xml.in:
system host-name
set system ip arp
table-size <number>
------------------
system-ip.xml.in:
system ip arp table-size
set system ip
disable-forwarding
------------------
system-ip.xml.in:
system ip disable-forwarding
Not documented yet
------------------
system-ip.xml.in:
system ip multipath ignore-
unreachable-nexthops
set system ip multipath
layer4-hashing
------------------
system-ip.xml.in:
system ip multipath layer4-hashing
set system ipv6 disable
------------------
system-ipv6.xml.in:
system ipv6 disable
set system ipv6
disable-forwarding
------------------
system-ipv6.xml.in:
system ipv6 disable-forwarding
下页继续

16.1. Configuration Commands 975

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system
ipv6 multipath
layer4-hashing
------------------
system-ipv6.xml.in:
system ipv6 multipath layer4-hashing
set system ipv6 neighbor
table-size <number>
------------------
system-ipv6.xml.in:
system ipv6 neighbor table-size
set system ipv6
strict-dad
------------------
system-ipv6.xml.in:
system ipv6 strict-dad
set system lcd device
<device>
------------------
system-lcd.xml.in:
system lcd device
set system lcd model
<model>
------------------
system-lcd.xml.in:
system lcd model
set system login banner
post-login <message>
------------------
system-login-banner.xml.in:
system login banner post-login
set system login banner
pre-login <message>
------------------
system-login-banner.xml.in:
system login banner pre-login
set system login radius
server <address> disable
------------------
system-login.xml.in:
system login radius server <server>
disable
Not documented yet
------------------
system-login.xml.in:
system login radius server <server>
key
下页继续

16.1. Configuration Commands 976

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system login radius
server <address> port
<port>
------------------
system-login.xml.in:
system login radius server <server>
port
Not documented yet
------------------
system-login.xml.in:
system login radius server <server>
priority
set system login radius
server <address> secret
<secret>
Nothing found in XML Definitions
set system login radius
server <address> timeout
<timeout>
------------------
system-login.xml.in:
system login radius server <server>
timeout
set system login
radius source-address
<address>
------------------
system-login.xml.in:
system login radius source-address
Not documented yet
------------------
system-login.xml.in:
system login radius vrf
set system login user
<name> authentication
encrypted-password
<password>
------------------
system-login.xml.in:
system login user <user> authentica-
tion encrypted-password
set system login user
<name> authentication
plaintext-password
<password>
------------------
system-login.xml.in:
system login user <user> authentica-
tion plaintext-password
下页继续

16.1. Configuration Commands 977

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system login
user <username>
authentication
public-keys <identifier>
key <key>
------------------
system-login.xml.in:
system login user <user> authentica-
tion public-keys <public-keys> key
Not documented yet
------------------
system-login.xml.in:
system login user <user> authenti-
cation public-keys <public-keys> op-
tions
set system login
user <username>
authentication
public-keys <identifier>
type <type>
------------------
system-login.xml.in:
system login user <user> authentica-
tion public-keys <public-keys> type
Not documented yet
------------------
system-login.xml.in:
system login user <user> full-name
set system login
user <name> full-name
"<string>"
Nothing found in XML Definitions
Not documented yet
------------------
system-login.xml.in:
system login user <user> home-
directory
set system name-server
<address>
------------------
dns-domain-name.xml.in:
system name-server
Not documented yet
------------------
dns-domain-name.xml.in:
system name-servers-dhcp
下页继续

16.1. Configuration Commands 978

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system ntp
allow-clients address
<address>
------------------
ntp.xml.in:
system ntp allow-clients address
set system ntp
listen-address
<address>
------------------
ntp.xml.in:
system ntp listen-address
set system ntp server
<address> <noselect
| pool | preempt |
prefer>
Nothing found in XML Definitions
Not documented yet
------------------
ntp.xml.in:
system ntp server <server> noselect
Not documented yet
------------------
ntp.xml.in:
system ntp server <server> pool
Not documented yet
------------------
ntp.xml.in:
system ntp server <server> preempt
Not documented yet
------------------
ntp.xml.in:
system ntp server <server> prefer
set system ntp vrf
<name>
------------------
ntp.xml.in:
system ntp vrf
set system option
ctrl-alt-delete <ignore
| reboot | poweroff>
------------------
system-option.xml.in:
system option ctrl-alt-delete
下页继续

16.1. Configuration Commands 979

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system option
http-client
source-address
<address>
------------------
system-option.xml.in:
system option http-client source-
address
set system option
http-client
source-interface
<interface>
------------------
system-option.xml.in:
system option http-client source-
interface
set system option
keyboard-layout <us |
fr | de | fi | no | dk>
------------------
system-option.xml.in:
system option keyboard-layout
Not documented yet
------------------
system-option.xml.in:
system option performance
set system option
performance < throughput
| latency >
Nothing found in XML Definitions
set system option
reboot-on-panic
------------------
system-option.xml.in:
system option reboot-on-panic
Not documented yet
------------------
system-option.xml.in:
system option ssh-client source-
address
set system option
startup-beep
------------------
system-option.xml.in:
system option startup-beep
set system proxy
password <password>
------------------
system-proxy.xml.in:
system proxy password
下页继续

16.1. Configuration Commands 980

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system proxy port
<port>
------------------
system-proxy.xml.in:
system proxy port
set system proxy url
<url>
------------------
system-proxy.xml.in:
system proxy url
set system proxy
username <username>
------------------
system-proxy.xml.in:
system proxy username
set system
static-host-mapping
host-name <hostname>
alias <alias>
------------------
dns-domain-name.xml.in:
system static-host-mapping host-
name <host-name> alias
set system
static-host-mapping
host-name <hostname>
inet <address>
------------------
dns-domain-name.xml.in:
system static-host-mapping host-
name <host-name> inet
set system syslog
console facility
<keyword> level
<keyword>
------------------
system-syslog.xml.in:
system syslog console facility <facil-
ity> level
set system syslog file
<filename> archive file
<number>
------------------
system-syslog.xml.in:
system syslog file <file> archive file
set system syslog file
<filename> archive size
<size>
------------------
system-syslog.xml.in:
system syslog file <file> archive size
下页继续

16.1. Configuration Commands 981

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set system syslog file
<filename> facility
<keyword> level
<keyword>
------------------
system-syslog.xml.in:
system syslog file <file> facility <fa-
cility> level
Not documented yet
------------------
system-syslog.xml.in:
system syslog global archive file
Not documented yet
------------------
system-syslog.xml.in:
system syslog global archive size
Not documented yet
------------------
system-syslog.xml.in:
system syslog global facility <facil-
ity> level
Not documented yet
------------------
system-syslog.xml.in:
system syslog global marker interval
Not documented yet
------------------
system-syslog.xml.in:
system syslog global preserve-fqdn
set system syslog host
<address> facility
<keyword> level
<keyword>
------------------
system-syslog.xml.in:
system syslog host <host> facility
<facility> level
set system syslog host
<address> facility
<keyword> protocol
<udp|tcp>
------------------
system-syslog.xml.in:
system syslog host <host> facility
<facility> protocol
Not documented yet
------------------
system-syslog.xml.in:
system syslog host <host> format
octet-counted
下页继续

16.1. Configuration Commands 982

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
system-syslog.xml.in:
system syslog host <host> port
set system syslog user
<username> facility
<keyword> level
<keyword>
------------------
system-syslog.xml.in:
system syslog user <user> facility
<facility> level
set system
task-scheduler task
<task> crontab-spec
<spec>
------------------
cron.xml.in:
system task-scheduler task <task>
crontab-spec
set system
task-scheduler task
<task> executable
arguments <args>
------------------
cron.xml.in:
system task-scheduler task <task>
executable arguments
set system
task-scheduler task
<task> executable path
<path>
------------------
cron.xml.in:
system task-scheduler task <task>
executable path
set system
task-scheduler task
<task> interval
<interval>
------------------
cron.xml.in:
system task-scheduler task <task> in-
terval
set system time-zone
<timezone>
------------------
system-time-zone.xml.in:
system time-zone
下页继续

16.1. Configuration Commands 983

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set traffic-policy
drop-tail <policy-name>
queue-limit
<number-of-packets>
Nothing found in XML Definitions
set traffic-policy
fair-queue
<policy-name>
Nothing found in XML Definitions
set traffic-policy
fair-queue <policy-name>
hash-interval <seconds>`
Nothing found in XML Definitions
set traffic-policy
fair-queue <policy-name>
queue-limit <limit>
Nothing found in XML Definitions
set traffic-policy
fq-codel <policy name>
codel-quantum <bytes>
Nothing found in XML Definitions
set traffic-policy
fq-codel <policy name>
flows <number-of-flows>
Nothing found in XML Definitions
set traffic-policy
fq-codel <policy name>
interval <miliseconds>
Nothing found in XML Definitions
set traffic-policy
fq-codel <policy-name>
queue-limit
<number-of-packets>`
Nothing found in XML Definitions
set traffic-policy
fq-codel <policy-name>
target <miliseconds>`
Nothing found in XML Definitions
set traffic-policy
limiter <policy-name>
class <class ID> match
<match-name> description
<description>
Nothing found in XML Definitions
set traffic-policy
limiter <policy-name>
class <class ID>
priority <value>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 984

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set traffic-policy
limiter <policy-name>
class <class-ID>
bandwidth <rate>
Nothing found in XML Definitions
set traffic-policy
limiter <policy-name>
class <class-ID> burst
<burst-size>
Nothing found in XML Definitions
set traffic-policy
limiter <policy-name>
default bandwidth
<rate>
Nothing found in XML Definitions
set traffic-policy
limiter <policy-name>
default burst
<burst-size>
Nothing found in XML Definitions
set traffic-policy
network-emulator
<policy-name> bandwidth
<rate>
Nothing found in XML Definitions
set traffic-policy
network-emulator
<policy-name> burst
<burst-size>
Nothing found in XML Definitions
set traffic-policy
network-emulator
<policy-name>
network-delay <delay>
Nothing found in XML Definitions
set traffic-policy
network-emulator
<policy-name>
packet-corruption
<percent>
Nothing found in XML Definitions
set traffic-policy
network-emulator
<policy-name>
packet-loss <percent>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 985

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set traffic-policy
network-emulator
<policy-name>
packet-reordering
<percent>
Nothing found in XML Definitions
set traffic-policy
network-emulator
<policy-name>
queue-limit <limit>
Nothing found in XML Definitions
set traffic-policy
priority-queue
<policy-name> class
<class-ID> queue-limit
<limit>`
Nothing found in XML Definitions
set traffic-policy
random-detect
<policy-name> bandwidth
<bandwidth>
Nothing found in XML Definitions
set traffic-policy
random-detect
<policy-name> precedence
<IP-precedence-value>
average-packet <bytes>
Nothing found in XML Definitions
set traffic-policy
random-detect
<policy-name> precedence
<IP-precedence-value>
mark-probability
<value>
Nothing found in XML Definitions
set traffic-policy
random-detect
<policy-name> precedence
<IP-precedence-value>
maximum-threshold
<packets>
Nothing found in XML Definitions
set traffic-policy
random-detect
<policy-name> precedence
<IP-precedence-value>
minimum-threshold
<packets>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 986

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set traffic-policy
random-detect
<policy-name> precedence
<IP-precedence-value>
queue-limit <packets>
Nothing found in XML Definitions
set traffic-policy
rate-control
<policy-name> bandwidth
<rate>
Nothing found in XML Definitions
set traffic-policy
rate-control
<policy-name> burst
<burst-size>
Nothing found in XML Definitions
set traffic-policy
rate-control
<policy-name> latency
Nothing found in XML Definitions
set traffic-policy
round-robin <policy
name> class <class ID>
queue-limit <packets>
Nothing found in XML Definitions
set traffic-policy
round-robin <policy
name> class <class-ID>
quantum <packets>
Nothing found in XML Definitions
set traffic-policy
shaper <policy-name>
bandwidth <rate>
Nothing found in XML Definitions
set traffic-policy
shaper <policy-name>
class <class-ID>
bandwidth <rate>
Nothing found in XML Definitions
set traffic-policy
shaper <policy-name>
class <class-ID> burst
<bytes>
Nothing found in XML Definitions
set traffic-policy
shaper <policy-name>
class <class-ID> ceiling
<bandwidth>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 987

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set traffic-policy
shaper <policy-name>
class <class-ID>
priority <0-7>
Nothing found in XML Definitions
Not documented yet
------------------
ipsec-settings.xml.in:
vpn ipsec options disable-route-
autoinstall
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authenti-
cation local-users username <user-
name> disable
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authenti-
cation local-users username <user-
name> password
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authenti-
cation local-users username <user-
name> rate-limit download
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authenti-
cation local-users username <user-
name> rate-limit upload
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authenti-
cation local-users username <user-
name> static-ip
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion mode
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion mppe
下页继续

16.1. Configuration Commands 988

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius acct-timeout
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius dae-server ip-address
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius dae-server port
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius dae-server secret
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius max-try
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius nas-identifier
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius rate-limit attribute
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius rate-limit enable
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius rate-limit vendor
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius server <server> disable
下页继续

16.1. Configuration Commands 989

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius server <server> disable-
accounting
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius server <server> fail-time
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius server <server> key
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius server <server> port
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius source-address
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion radius timeout
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access authentica-
tion require
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ccp-disable
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access client-ip-pool
start
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access client-ip-pool
stop
下页继续

16.1. Configuration Commands 990

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access client-ip-pool
subnet
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access client-ipv6-
pool delegate <delegate> delegation-
prefix
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access client-ipv6-
pool prefix <prefix> mask
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access description
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access dhcp-
interface
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access gateway-
address
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access idle
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication mode
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication pre-shared-secret
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication x509 ca-cert-file
下页继续

16.1. Configuration Commands 991

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication x509 crl-file
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication x509 server-cert-file
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication x509 server-key-file
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
authentication x509 server-key-
password
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
ike-lifetime
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ipsec-settings
lifetime
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access lns shared-
secret
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access mtu
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access name-server
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access outside-
address
下页继续

16.1. Configuration Commands 992

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ppp-options
lcp-echo-failure
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access ppp-options
lcp-echo-interval
Not documented yet
------------------
vpn_l2tp.xml.in:
vpn l2tp remote-access wins-server
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec auto-update
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec disable-uniqreqids
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec esp-group <esp-group>
compression
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec esp-group <esp-group>
lifetime
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec esp-group <esp-group>
mode
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec esp-group <esp-group>
pfs
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec esp-group <esp-group>
proposal <proposal> encryption
下页继续

16.1. Configuration Commands 993

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec esp-group <esp-group>
proposal <proposal> hash
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
close-action
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
dead-peer-detection action
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
dead-peer-detection interval
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
dead-peer-detection timeout
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
ikev2-reauth
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
key-exchange
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
lifetime
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
mobike
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
mode
下页继续

16.1. Configuration Commands 994

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
proposal <proposal> dh-group
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
proposal <proposal> encryption
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ike-group <ike-group>
proposal <proposal> hash
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec include-ipsec-conf
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec include-ipsec-secrets
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec ipsec-interfaces interface
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec logging log-level
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec logging log-modes
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec nat-networks allowed-
network <allowed-network> exclude
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec nat-traversal
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec options disable-route-
autoinstall
下页继续

16.1. Configuration Commands 995

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec profile <profile> authenti-
cation mode pre-shared-secret
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec profile <profile> authenti-
cation pre-shared-secret
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec profile <profile> bind
bind_child
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec profile <profile> esp-
group
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec profile <profile> ike-
group
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication id
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication mode
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication pre-shared-secret
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication remote-id
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication rsa-key-name
下页继续

16.1. Configuration Commands 996

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication use-x509-id
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication x509 ca-cert-file
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication x509 cert-file
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication x509 crl-file
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication x509 key file
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
authentication x509 key password
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
connection-type
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
default-esp-group
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
description
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
dhcp-interface
下页继续

16.1. Configuration Commands 997

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
force-encapsulation
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
ike-group
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
ikev2-reauth
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
local-address
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> allow-nat-networks
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> allow-public-
networks
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> disable
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> esp-group
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> local port
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> local prefix
下页继续

16.1. Configuration Commands 998

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> protocol
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> remote port
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
tunnel <tunnel> remote prefix
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
vti bind
Not documented yet
------------------
vpn_ipsec.xml.in:
vpn nipsec site-to-site peer <peer>
vti esp-group
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication
local-users username <username>
disable
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication
local-users username <username>
password
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication
mode
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication ra-
dius server <server> disable
下页继续

16.1. Configuration Commands 999

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication ra-
dius server <server> key
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication ra-
dius server <server> port
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication ra-
dius source-address
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect authentication ra-
dius timeout
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect listen-ports tcp
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect listen-ports udp
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect network-settings
client-ip-settings subnet
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect network-settings
client-ipv6-pool mask
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect network-settings
client-ipv6-pool prefix
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect network-settings
name-server
下页继续

16.1. Configuration Commands 1000

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect network-settings
push-route
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect ssl ca-cert-file
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect ssl cert-file
Not documented yet
------------------
vpn_openconnect.xml.in:
vpn openconnect ssl key-file
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authenti-
cation local-users username <user-
name> disable
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authenti-
cation local-users username <user-
name> password
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authenti-
cation local-users username <user-
name> static-ip
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion mode
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion mppe
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius acct-interim-jitter
下页继续

16.1. Configuration Commands 1001

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius acct-timeout
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius dynamic-author key
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius dynamic-author port
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius dynamic-author server
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius max-try
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius nas-identifier
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius nas-ip-address
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius preallocate-vif
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius server <server> acct-port
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius server <server> disable
下页继续

16.1. Configuration Commands 1002

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius server <server> disable-
accounting
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius server <server> fail-time
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius server <server> key
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius server <server> port
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius source-address
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion radius timeout
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access authentica-
tion require
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access client-ip-
pool start
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access client-ip-
pool stop
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access gateway-
address
下页继续

16.1. Configuration Commands 1003

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access mtu
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access name-server
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access outside-
address
Not documented yet
------------------
vpn_pptp.xml.in:
vpn pptp remote-access wins-server
set vpn sstp
authentication
local-users username
<user> disable
------------------
vpn_sstp.xml.in:
vpn sstp authentication local-users
username <username> disable
set vpn sstp
authentication
local-users username
<user> password <pass>
------------------
vpn_sstp.xml.in:
vpn sstp authentication local-users
username <username> password
set vpn sstp
authentication
local-users username
<user> rate-limit
download <bandwidth>
------------------
vpn_sstp.xml.in:
vpn sstp authentication local-users
username <username> rate-limit
download
下页继续

16.1. Configuration Commands 1004

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set vpn sstp
authentication
local-users username
<user> rate-limit upload
<bandwidth>
------------------
vpn_sstp.xml.in:
vpn sstp authentication local-users
username <username> rate-limit up-
load
set vpn sstp
authentication
local-users username
<user> static-ip
<address>
------------------
vpn_sstp.xml.in:
vpn sstp authentication local-users
username <username> static-ip
set vpn sstp
authentication mode
<local | radius>
------------------
vpn_sstp.xml.in:
vpn sstp authentication mode
set vpn sstp
authentication protocols
<pap | chap | mschap |
mschap-v2>
------------------
vpn_sstp.xml.in:
vpn sstp authentication protocols
Not documented yet
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius acct-
interim-jitter
set vpn sstp
authentication radius
acct-timeout <timeout>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius acct-
timeout
下页继续

16.1. Configuration Commands 1005

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set vpn sstp
authentication radius
dynamic-author key
<secret>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius
dynamic-author key
set vpn sstp
authentication radius
dynamic-author port
<port>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius
dynamic-author port
set vpn sstp
authentication radius
dynamic-author server
<address>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius
dynamic-author server
set vpn sstp
authentication radius
max-try <number>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius max-
try
set vpn sstp
authentication
radius nas-identifier
<identifier>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius nas-
identifier
set vpn sstp
authentication
radius nas-ip-address
<address>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius nas-ip-
address
下页继续

16.1. Configuration Commands 1006

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius
preallocate-vif
set vpn sstp
authentication radius
rate-limit attribute
<attribute>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius rate-
limit attribute
set vpn sstp
authentication radius
rate-limit enable
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius rate-
limit enable
set vpn sstp
authentication radius
rate-limit vendor
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius rate-
limit vendor
Not documented yet
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius server
<server> acct-port
set vpn sstp
authentication radius
server <server> disable
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius server
<server> disable
Not documented yet
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius server
<server> disable-accounting
下页继续

16.1. Configuration Commands 1007

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set vpn sstp
authentication radius
server <server>
fail-time <time>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius server
<server> fail-time
set vpn sstp
authentication radius
server <server> key
<secret>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius server
<server> key
set vpn sstp
authentication radius
server <server> port
<port>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius server
<server> port
set vpn sstp
authentication
radius source-address
<address>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius source-
address
set vpn sstp
authentication radius
timeout <timeout>
------------------
vpn_sstp.xml.in:
vpn sstp authentication radius time-
out
set vpn sstp
client-ip-pool subnet
<subnet>
------------------
vpn_sstp.xml.in:
vpn sstp client-ip-pool subnet
下页继续

16.1. Configuration Commands 1008

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set vpn sstp
client-ipv6-pool
delegate <address>
delegation-prefix
<number-of-bits>
------------------
vpn_sstp.xml.in:
vpn sstp client-ipv6-pool delegate
<delegate> delegation-prefix
set vpn sstp
client-ipv6-pool
prefix <address> mask
<number-of-bits>
------------------
vpn_sstp.xml.in:
vpn sstp client-ipv6-pool prefix <pre-
fix> mask
set vpn sstp
gateway-address
<gateway>
------------------
vpn_sstp.xml.in:
vpn sstp gateway-address
Not documented yet
------------------
vpn_sstp.xml.in:
vpn sstp mtu
set vpn sstp name-server
<address>
------------------
vpn_sstp.xml.in:
vpn sstp name-server
set vpn sstp ppp-options
lcp-echo-failure
<number>
------------------
vpn_sstp.xml.in:
vpn sstp ppp-options lcp-echo-failure
set vpn sstp ppp-options
lcp-echo-interval
<interval>
------------------
vpn_sstp.xml.in:
vpn sstp ppp-options lcp-echo-
interval
set vpn sstp ppp-options
lcp-echo-timeout
------------------
vpn_sstp.xml.in:
vpn sstp ppp-options lcp-echo-
timeout
下页继续

16.1. Configuration Commands 1009

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set vpn sstp ppp-options
mppe <require | prefer |
deny>
------------------
vpn_sstp.xml.in:
vpn sstp ppp-options mppe
set vpn sstp ssl
ca-cert-file <file>
------------------
vpn_sstp.xml.in:
vpn sstp ssl ca-cert-file
set vpn sstp ssl
cert-file <file>
------------------
vpn_sstp.xml.in:
vpn sstp ssl cert-file
set vpn sstp ssl
key-file <file>
------------------
vpn_sstp.xml.in:
vpn sstp ssl key-file
set vrf bind-to-all
------------------
vrf.xml.in:
vrf bind-to-all
set vrf name <name>
Nothing found in XML Definitions
Not documented yet
------------------
vrf.xml.in:
vrf name <name> description
Not documented yet
------------------
vrf.xml.in:
vrf name <name> disable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv4-unicast
aggregate-address <aggregate-
address> as-set
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv4-unicast
aggregate-address <aggregate-
address> summary-only
下页继续

16.1. Configuration Commands 1010

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv4-unicast
maximum-paths ebgp
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv4-unicast
maximum-paths ibgp
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast network
<network> backdoor
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast network
<network> route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute connected metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute connected route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute isis metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute isis route-map
下页继续

16.1. Configuration Commands 1011

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute kernel metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute kernel route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute ospf metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute ospf route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute rip metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute rip route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute static metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute static route-map
下页继续

16.1. Configuration Commands 1012

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv4-unicast redis-
tribute table
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv6-unicast
aggregate-address <aggregate-
address> as-set
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv6-unicast
aggregate-address <aggregate-
address> summary-only
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv6-unicast
maximum-paths ebgp
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp address-family ipv6-unicast
maximum-paths ibgp
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast network
<network> path-limit
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast network
<network> route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute connected metric
下页继续

16.1. Configuration Commands 1013

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute connected route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute kernel metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute kernel route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute ospfv3 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute ospfv3 route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute ripng metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute ripng route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute static metric
下页继续

16.1. Configuration Commands 1014

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute static route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family ipv6-unicast redis-
tribute table
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn advertise-
all-vni
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn advertise-
default-gw
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn advertise-
pip
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn advertise-
svi-ip
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn advertise
ipv4 unicast route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn advertise
ipv6 unicast route-map
下页继续

16.1. Configuration Commands 1015

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn flooding
disable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn flooding
head-end-replication
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn rd
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn route-
target both
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn route-
target export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn route-
target import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn rt-auto-
derive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn vni <vni>
advertise-default-gw
下页继续

16.1. Configuration Commands 1016

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn vni <vni>
advertise-svi-ip
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn vni <vni>
rd
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn vni <vni>
route-target both
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn vni <vni>
route-target export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
address-family l2vpn-evpn vni <vni>
route-target import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp lis-
ten limit
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp lis-
ten range <range> peer-group
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
local-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast addpath-tx-all
下页继续

16.1. Configuration Commands 1017

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast addpath-tx-per-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast allowas-in number
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast as-override
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast attribute-unchanged as-
path
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast attribute-unchanged
med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast attribute-unchanged
next-hop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast capability orf prefix-list
receive
下页继续

16.1. Configuration Commands 1018

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast capability orf prefix-list
send
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast default-originate route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-
family ipv4-unicast disable-send-
community extended
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-
family ipv4-unicast disable-send-
community standard
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast distribute-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast distribute-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast filter-list export
下页继续

16.1. Configuration Commands 1019

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast filter-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast maximum-prefix
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast nexthop-self force
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast prefix-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast prefix-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast remove-private-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast route-map export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast route-map import
下页继续

16.1. Configuration Commands 1020

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast route-reflector-client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast route-server-client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast soft-reconfiguration in-
bound
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast unsuppress-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv4-unicast weight
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast addpath-tx-all
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast addpath-tx-per-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast allowas-in number
下页继续

16.1. Configuration Commands 1021

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast as-override
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast attribute-unchanged as-
path
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast attribute-unchanged
med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast attribute-unchanged
next-hop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast capability orf prefix-list
receive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast capability orf prefix-list
send
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast default-originate route-
map
下页继续

16.1. Configuration Commands 1022

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-
family ipv6-unicast disable-send-
community extended
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-
family ipv6-unicast disable-send-
community standard
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast distribute-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast distribute-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast filter-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast filter-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast maximum-prefix
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-
family ipv6-unicast nexthop-local
unchanged
下页继续

16.1. Configuration Commands 1023

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast nexthop-self force
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast prefix-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast prefix-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast remove-private-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast route-map export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast route-map import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast route-reflector-client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast route-server-client
下页继续

16.1. Configuration Commands 1024

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast soft-reconfiguration in-
bound
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast unsuppress-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
ipv6-unicast weight
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn allowas-in number
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn attribute-unchanged as-
path
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn attribute-unchanged med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn attribute-unchanged
next-hop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn nexthop-self force
下页继续

16.1. Configuration Commands 1025

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn route-map export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn route-map import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn route-reflector-client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn route-server-client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> address-family
l2vpn-evpn soft-reconfiguration in-
bound
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> advertisement-
interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> bfd check-
control-plane-failure
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> capability dy-
namic
下页继续

16.1. Configuration Commands 1026

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> capability
extended-nexthop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> description
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> disable-
capability-negotiation
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> disable-
connected-check
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> ebgp-multihop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> interface peer-
group
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> interface
remote-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> interface
v6only peer-group
下页继续

16.1. Configuration Commands 1027

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> interface
v6only remote-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> local-as <local-
as> no-prepend
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> override-
capability
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> passive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> peer-group
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> port
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> remote-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> shutdown
下页继续

16.1. Configuration Commands 1028

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp neighbor <neighbor> strict-
capability-match
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> timers connect
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> timers hold-
time
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp neighbor <neighbor> timers
keepalive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> ttl-security
hops
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
neighbor <neighbor> update-source
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters always-compare-med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters bestpath as-path confed
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters bestpath as-path ignore
下页继续

16.1. Configuration Commands 1029

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters bestpath as-path multipath-
relax
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters bestpath compare-routerid
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters bestpath med confed
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters bestpath med missing-as-
worst
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters cluster-id
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters confederation identifier
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters confederation peers
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters dampening half-life
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters dampening max-suppress-
time
下页继续

16.1. Configuration Commands 1030

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters dampening re-use
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters dampening start-suppress-
time
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters default local-pref
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters default no-ipv4-unicast
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters deterministic-med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters distance global external
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters distance global internal
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters distance global local
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
parameters distance prefix <prefix>
distance
下页继续

16.1. Configuration Commands 1031

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters ebgp-requires-policy
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters graceful-restart stalepath-
time
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters graceful-shutdown
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters log-neighbor-changes
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters network-import-check
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
parameters no-client-to-client-
reflection
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters no-fast-external-failover
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp pa-
rameters router-id
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast addpath-tx-all
下页继续

16.1. Configuration Commands 1032

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast addpath-tx-per-
as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast allowas-in num-
ber
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast as-override
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast attribute-
unchanged as-path
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast attribute-
unchanged med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast attribute-
unchanged next-hop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast capability orf
prefix-list receive
下页继续

16.1. Configuration Commands 1033

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast capability orf
prefix-list send
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast default-originate
route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast disable-send-
community extended
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast disable-send-
community standard
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast distribute-list ex-
port
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast distribute-list im-
port
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast filter-list export
下页继续

16.1. Configuration Commands 1034

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast filter-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast maximum-prefix
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast nexthop-self
force
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast prefix-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast prefix-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast remove-private-
as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast route-map export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast route-map im-
port
下页继续

16.1. Configuration Commands 1035

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast route-reflector-
client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast route-server-
client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp peer-group <peer-group>
address-family ipv4-unicast soft-
reconfiguration inbound
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast unsuppress-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv4-unicast weight
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast addpath-tx-all
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast addpath-tx-per-
as
下页继续

16.1. Configuration Commands 1036

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast allowas-in num-
ber
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast as-override
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast attribute-
unchanged as-path
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast attribute-
unchanged med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast attribute-
unchanged next-hop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast capability orf
prefix-list receive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast capability orf
prefix-list send
下页继续

16.1. Configuration Commands 1037

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast default-originate
route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast disable-send-
community extended
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast disable-send-
community standard
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast distribute-list ex-
port
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast distribute-list im-
port
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast filter-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast filter-list import
下页继续

16.1. Configuration Commands 1038

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast maximum-prefix
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast nexthop-local un-
changed
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast nexthop-self
force
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast prefix-list export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast prefix-list import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast remove-private-
as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast route-map export
下页继续

16.1. Configuration Commands 1039

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast route-map im-
port
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast route-reflector-
client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast route-server-
client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp peer-group <peer-group>
address-family ipv6-unicast soft-
reconfiguration inbound
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast unsuppress-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family ipv6-unicast weight
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family l2vpn-evpn allowas-in number
下页继续

16.1. Configuration Commands 1040

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp peer-group <peer-group>
address-family l2vpn-evpn attribute-
unchanged as-path
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp peer-group <peer-group>
address-family l2vpn-evpn attribute-
unchanged med
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp peer-group <peer-group>
address-family l2vpn-evpn attribute-
unchanged next-hop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family l2vpn-evpn nexthop-self force
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family l2vpn-evpn route-map export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family l2vpn-evpn route-map import
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family l2vpn-evpn route-reflector-
client
下页继续

16.1. Configuration Commands 1041

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> address-
family l2vpn-evpn route-server-
client
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols
bgp peer-group <peer-group>
address-family l2vpn-evpn soft-
reconfiguration inbound
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> bfd check-
control-plane-failure
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> capability
dynamic
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> capability
extended-nexthop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> descrip-
tion
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> disable-
capability-negotiation
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> disable-
connected-check
下页继续

16.1. Configuration Commands 1042

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> ebgp-
multihop
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> local-as
<local-as> no-prepend
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> override-
capability
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> passive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> remote-as
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> shutdown
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> ttl-security
hops
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
peer-group <peer-group> update-
source
下页继续

16.1. Configuration Commands 1043

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
timers holdtime
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols bgp
timers keepalive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis set-
attached-bit
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis set-
overload-bit
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis area-
password md5
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis area-
password plaintext-password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
default-information originate ipv4
level-1
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
default-information originate ipv4
level-2
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
default-information originate ipv6
level-1
下页继续

16.1. Configuration Commands 1044

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
default-information originate ipv6
level-2
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
domain-password plaintext-password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
dynamic-hostname
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> bfd
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> circuit-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> hello-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> hello-multiplier
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> hello-padding
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> metric
下页继续

16.1. Configuration Commands 1045

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> network point-to-
point
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
interface <interface> no-three-way-
handshake
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> passive
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
interface <interface> password
plaintext-password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> priority
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis in-
terface <interface> psnp-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis level
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis lsp-
gen-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis lsp-
mtu
下页继续

16.1. Configuration Commands 1046

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis lsp-
refresh-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis max-
lsp-lifetime
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
metric-style
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis net
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
purge-originator
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 bgp level-1 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 bgp level-1 route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 bgp level-2 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 bgp level-2 route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
redistribute ipv4 connected level-1
metric
下页继续

16.1. Configuration Commands 1047

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
redistribute ipv4 connected level-1
route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
redistribute ipv4 connected level-2
metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
redistribute ipv4 connected level-2
route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 kernel level-1 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 kernel level-1 route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 kernel level-2 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 kernel level-2 route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 ospf level-1 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 ospf level-1 route-
map
下页继续

16.1. Configuration Commands 1048

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 ospf level-2 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 ospf level-2 route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 rip level-1 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 rip level-1 route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 rip level-2 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 rip level-2 route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 static level-1 metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 static level-1 route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 static level-2 metric
下页继续

16.1. Configuration Commands 1049

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis re-
distribute ipv4 static level-2 route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing enable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing global-block high-
label-value
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing global-block low-
label-value
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing maximum-label-
depth
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing prefix <prefix> ab-
solute explicit-null
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing prefix <prefix> ab-
solute no-php-flag
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing prefix <prefix> ab-
solute value
下页继续

16.1. Configuration Commands 1050

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing prefix <prefix> in-
dex explicit-null
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing prefix <prefix> in-
dex no-php-flag
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
segment-routing prefix <prefix> in-
dex value
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis spf-
delay-ietf holddown
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis spf-
delay-ietf init-delay
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis spf-
delay-ietf long-delay
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis spf-
delay-ietf short-delay
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis spf-
delay-ietf time-to-learn
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis spf-
interval
下页继续

16.1. Configuration Commands 1051

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
traffic-engineering address
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols isis
traffic-engineering enable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
access-list <access-list> export
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> area-type normal
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> area-type nssa default-cost
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> area-type nssa no-summary
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> area-type nssa translate
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> area-type stub default-cost
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> area-type stub no-summary
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> authentication
下页继续

16.1. Configuration Commands 1052

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> network
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> range <range> cost
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> range <range> not-advertise
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> range <range> substitute
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> shortcut
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
area <area> virtual-link <virtual-
link> authentication md5 key-id
<key-id> md5-key
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf area
<area> virtual-link <virtual-link>
authentication plaintext-password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
area <area> virtual-link <virtual-
link> dead-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
area <area> virtual-link <virtual-
link> hello-interval
下页继续

16.1. Configuration Commands 1053

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
area <area> virtual-link <virtual-
link> retransmit-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
area <area> virtual-link <virtual-
link> transmit-delay
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
auto-cost reference-bandwidth
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
default-information originate always
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
default-information originate metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
default-information originate metric-
type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
default-information originate route-
map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
default-metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf dis-
tance global
下页继续

16.1. Configuration Commands 1054

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf dis-
tance ospf external
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf dis-
tance ospf inter-area
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf dis-
tance ospf intra-area
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
interface <interface> authentication
md5 key-id <key-id> md5-key
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
interface <interface> authentication
plaintext-password
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> bandwidth
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> bfd
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> cost
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> dead-interval
下页继续

16.1. Configuration Commands 1055

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> hello-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> hello-multiplier
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> mtu-ignore
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> network
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> priority
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
interface <interface> retransmit-
interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf in-
terface <interface> transmit-delay
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf log-
adjacency-changes detail
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
max-metric router-lsa administrative
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
max-metric router-lsa on-shutdown
下页继续

16.1. Configuration Commands 1056

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
max-metric router-lsa on-startup
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
mpls-te enable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
mpls-te router-address
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
neighbor <neighbor> poll-interval
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
neighbor <neighbor> priority
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf pa-
rameters abr-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf pa-
rameters opaque-lsa
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf pa-
rameters rfc1583-compatibility
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf pa-
rameters router-id
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
passive-interface
下页继续

16.1. Configuration Commands 1057

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
passive-interface-exclude
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute bgp metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute bgp metric-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute bgp route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute connected metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute connected metric-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute connected route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute isis metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute isis metric-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute isis route-map
下页继续

16.1. Configuration Commands 1058

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute kernel metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute kernel metric-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute kernel route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute rip metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute rip metric-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute rip route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute static metric
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute static metric-type
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
distribute static route-map
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf re-
fresh timers
下页继续

16.1. Configuration Commands 1059

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
timers throttle spf delay
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
timers throttle spf initial-holdtime
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols ospf
timers throttle spf max-holdtime
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> blackhole distance
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> blackhole tag
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> interface <inter-
face> disable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> interface <inter-
face> distance
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> interface <inter-
face> vrf
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> next-hop <next-
hop> disable
下页继续

16.1. Configuration Commands 1060

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> next-hop <next-
hop> distance
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> next-hop <next-
hop> interface
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route6 <route6> next-hop <next-
hop> vrf
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> blackhole distance
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> blackhole tag
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> dhcp-interface
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> interface <interface>
disable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> interface <interface>
distance
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> interface <interface>
vrf
下页继续

16.1. Configuration Commands 1061

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> next-hop <next-hop>
disable
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> next-hop <next-hop>
distance
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> next-hop <next-hop>
interface
Not documented yet
------------------
vrf.xml.in:
vrf name <name> protocols static
route <route> next-hop <next-hop>
vrf
set vrf name <name>
table <id>
------------------
vrf.xml.in:
vrf name <name> table
Not documented yet
------------------
vrf.xml.in:
vrf name <name> vni
set zone-policy zone
<name> default-action
[drop | reject]
Nothing found in XML Definitions
set zone-policy zone
<name> description
Nothing found in XML Definitions
set zone-policy zone
<name> from <name>
firewall ipv6-name
<rule-set>
Nothing found in XML Definitions
set zone-policy
zone <name> from
<name> firewall name
<rule-set>
Nothing found in XML Definitions
下页继续

16.1. Configuration Commands 1062

 VyOS Documentation, 发布 1.4.x (sagitta)

表 1 – 续上页
1360/3352 in Docs 2928/3352 in XML Command
set zone-policy zone
<name> interface
<interfacenames>
Nothing found in XML Definitions
set zone-policy zone
<name> local-zone
Nothing found in XML Definitions

16.2 Operational Commands

172/1666 in Docs 1802/1666 in XML Command

Not documented yet
------------------
add-system-image.xml.in:
add system image <image>
add system image <url
| path> [vrf name]
[username user [password
pass]]
Nothing found in XML Definitions
Not documented yet
------------------
add-system-image.xml.in:
add system image <image> username
<username> password <password>
Not documented yet
------------------
add-system-image.xml.in:
add system image <image> vrf <vrf>
Not documented yet
------------------
add-system-image.xml.in:
add system image <image> vrf <vrf>
username <username> password
<password>
Not documented yet
------------------
terminal.xml.in:
set builtin <builtin>
Not documented yet
------------------
flow-accounting-op.xml.in:
clear flow-accounting counters
Not documented yet
------------------
clear-ip.xml.in:
clear ip prefix-list <prefix-list>
下页继续

16.2. Operational Commands 1063

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
clear-ip.xml.in:
clear ip prefix-list <prefix-list>
node.tag
Not documented yet
------------------
clear-ipv6.xml.in:
clear ipv6 prefix-list <prefix-list>
Not documented yet
------------------
clear-ipv6.xml.in:
clear ipv6 prefix-list <prefix-list>
node.tag
Not documented yet
------------------
configure.xml.in:
configure
Not documented yet
------------------
connect.xml.in:
connect console <console>
connect console-server
<device>
Nothing found in XML Definitions
connect interface
<interface>
------------------
connect.xml.in:
connect interface <interface>
Not documented yet
------------------
terminal.xml.in:
set console keymap
Not documented yet
------------------
date.xml.in:
set date <date>
Not documented yet
------------------
date.xml.in:
set date ntp <ntp>
delete system image
[image-name]
Nothing found in XML Definitions
Not documented yet
------------------
wireguard.xml.in:
delete wireguard keypair <keypair>
下页继续

16.2. Operational Commands 1064

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
disconnect interface
<interface>
------------------
disconnect.xml.in:
disconnect interface <interface>
Not documented yet
------------------
force-arp.xml.in:
force arp duplicate interface <inter-
face> address <address>
Not documented yet
------------------
force-arp.xml.in:
force arp reply interface <interface>
address <address>
Not documented yet
------------------
force-arp.xml.in:
force arp reply interface <interface>
address <address> count <count>
Not documented yet
------------------
force-arp.xml.in:
force arp request interface <inter-
face> address <address>
Not documented yet
------------------
force-arp.xml.in:
force arp request interface <in-
terface> address <address> count
<count>
force ipv6-nd interface
<interface> address
<ipv6-address>
------------------
force-ipv6-nd.xml.in:
force ipv6-nd interface <interface>
address <address>
Not documented yet
------------------
force-ipv6-rd.xml.in:
force ipv6-rd interface <interface>
force ipv6-rd interface
<interface> [address
<ipv6-address>]
Nothing found in XML Definitions
Not documented yet
------------------
force-ipv6-rd.xml.in:
force ipv6-rd interface <interface>
address <address>
下页继续

16.2. Operational Commands 1065

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
force-mtu-host.xml.in:
force mtu host <host>
Not documented yet
------------------
force-mtu-host.xml.in:
force mtu host <host> interface <in-
terface>
Not documented yet
------------------
generate-macsec-key.xml.in:
generate macsec mka-cak
Not documented yet
------------------
generate-macsec-key.xml.in:
generate macsec mka-ckn
Not documented yet
------------------
generate-ssh-server-key.xml.in:
generate ssh client-key <client-key>
generate ssh client-key
/path/to/private_key
Nothing found in XML Definitions
generate ssh server-key
------------------
generate-ssh-server-key.xml.in:
generate ssh server-key
generate wireguard
default-keypair
Nothing found in XML Definitions
Not documented yet
------------------
monitor-bandwidth-test.xml.in:
monitor bandwidth-test accept
Not documented yet
------------------
monitor-bandwidth-test.xml.in:
monitor bandwidth-test initiate <ini-
tiate>
Not documented yet
------------------
monitor-bandwidth.xml.in:
monitor bandwidth interface <inter-
face>
Not documented yet
------------------
monitor-log.xml.in:
monitor log
下页继续

16.2. Operational Commands 1066

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-log.xml.in:
monitor log colored
Not documented yet
------------------
monitor-ndp.xml.in:
monitor ndp
Not documented yet
------------------
monitor-ndp.xml.in:
monitor ndp interface <interface>
Not documented yet
------------------
monitor-ndp.xml.in:
monitor ndp interface <interface>
type <type>
Not documented yet
------------------
monitor-ndp.xml.in:
monitor ndp type <type>
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp background
start
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp background
stop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable all
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable allow-
martians
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable as4
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable best-
path <bestpath>
下页继续

16.2. Operational Commands 1067

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable
flowspec
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable
keepalives
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable la-
belpool
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable
neighbor-events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable nht
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable pbr
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable update-
groups
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable updates
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable vnc
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable vnc
import-bi-attach
下页继续

16.2. Operational Commands 1068

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable vnc
import-del-remote
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable vnc
rfapi-query
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp disable vnc ver-
bose
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable allow-
martians
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable as4
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable bestpath
<bestpath>
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable flowspec
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable
keepalives
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable la-
belpool
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable
neighbor-events
下页继续

16.2. Operational Commands 1069

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable nht
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable pbr
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable update-
groups
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable updates
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable vnc
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable vnc
import-bi-attach
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable vnc
import-del-remote
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable vnc
rfapi-query
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol bgp enable vnc ver-
bose
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf background
start
下页继续

16.2. Operational Commands 1070

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf background
stop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable event
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable ism
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable ism
events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable ism
status
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable ism
timers
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable lsa
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable lsa
flooding
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable lsa
generate
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable lsa in-
stall
下页继续

16.2. Operational Commands 1071

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable lsa re-
fresh
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable nsm
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable nsm
events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable nsm
status
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable nsm
timers
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable nssa
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
all
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
all detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
all recv
下页继续

16.2. Operational Commands 1072

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
all recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
all send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
all send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
dd
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
dd detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
dd recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
dd recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
dd send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
dd send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
hello
下页继续

16.2. Operational Commands 1073

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
hello detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
hello recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
hello recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
hello send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
hello send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-ack
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-ack detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-ack recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-ack recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-ack send
下页继续

16.2. Operational Commands 1074

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-ack send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-request
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-request detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-request recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-request recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-request send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-request send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-update
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-update detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-update recv
下页继续

16.2. Operational Commands 1075

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-update recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-update send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable packet
ls-update send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable rib in-
terface
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf disable rib re-
distribute
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable event
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable ism
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable ism
events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable ism sta-
tus
下页继续

16.2. Operational Commands 1076

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable ism
timers
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable lsa
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable lsa
flooding
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable lsa gen-
erate
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable lsa in-
stall
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable lsa re-
fresh
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable nsm
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable nsm
events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable nsm
status
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable nsm
timers
下页继续

16.2. Operational Commands 1077

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable nssa
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
all
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
all detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
all recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
all recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
all send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
all send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
dd
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
dd detail
下页继续

16.2. Operational Commands 1078

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
dd recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
dd recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
dd send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
dd send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
hello
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
hello detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
hello recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
hello recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
hello send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
hello send detail
下页继续

16.2. Operational Commands 1079

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-ack
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-ack detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-ack recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-ack recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-ack send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-ack send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-request
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-request detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-request recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-request recv detail
下页继续

16.2. Operational Commands 1080

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-request send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-request send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-update
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-update detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-update recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-update recv detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-update send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable packet
ls-update send detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable rib in-
terface
下页继续

16.2. Operational Commands 1081

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospf enable rib re-
distribute
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 background
start
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 background
stop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable abr
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable asbr
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
border-routers
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
border-routers area-id
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
border-routers router-id
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
flooding
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable in-
terface
下页继续

16.2. Operational Commands 1082

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
as-external
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
inter-prefix
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
inter-router
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
intra-prefix
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
link
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
network
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
router
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable lsa
unknown
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage
下页继续

16.2. Operational Commands 1083

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage all
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage dbdesc
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage hello
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage lsack
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage lsreq
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage lsupdate
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable mes-
sage unknown
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
neighbor
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
neighbor event
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
neighbor state
下页继续

16.2. Operational Commands 1084

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable rib
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable rib
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
route
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
route inter-area
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
route intra-area
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
route memory
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable
route table
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable spf
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable spf
database
下页继续

16.2. Operational Commands 1085

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable spf
process
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 disable spf
time
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable abr
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable asbr
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
border-routers
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
border-routers area-id
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
border-routers router-id
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
flooding
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable inter-
face
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
下页继续

16.2. Operational Commands 1086

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
as-external
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
inter-prefix
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
inter-router
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
intra-prefix
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
link
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
network
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
router
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable lsa
unknown
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage all
下页继续

16.2. Operational Commands 1087

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage dbdesc
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage hello
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage lsack
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage lsreq
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage lsupdate
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable mes-
sage unknown
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
neighbor
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
neighbor event
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable
neighbor state
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable rib
下页继续

16.2. Operational Commands 1088

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable rib
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable rib
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable route
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable route
inter-area
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable route
intra-area
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable route
memory
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable route
table
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable spf
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable spf
database
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable spf
process
下页继续

16.2. Operational Commands 1089

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ospfv3 enable spf
time
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib background
start
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib background stop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable kernel
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable mpls
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable nexthop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable packet
detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable packet
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable packet
send
下页继续

16.2. Operational Commands 1090

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib disable rib de-
tailed
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable kernel
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable mpls
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable nexthop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable packet
detail
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable packet
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable packet
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable rib
下页继续

16.2. Operational Commands 1091

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rib enable rib de-
tailed
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip background
start
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip background stop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip disable all
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip disable events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip disable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip disable packet
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip disable packet
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip disable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip enable events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip enable packet
下页继续

16.2. Operational Commands 1092

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip enable packet
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip enable packet
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol rip enable rib
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng background
start
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng background
stop
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng disable all
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng disable events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng disable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng disable packet
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng disable packet
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng disable rib
下页继续

16.2. Operational Commands 1093

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng enable events
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng enable packet
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng enable packet
recv
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng enable packet
send
Not documented yet
------------------
monitor-protocol.xml.in:
monitor protocol ripng enable rib
monitor traceroute
<destination>
------------------
traceroute.xml.in:
monitor traceroute <traceroute>
Not documented yet
------------------
traceroute.xml.in:
monitor traceroute ipv4 <ipv4>
Not documented yet
------------------
traceroute.xml.in:
monitor traceroute ipv6 <ipv6>
Not documented yet
------------------
traceroute.xml.in:
monitor traceroute vrf <vrf> <>
Not documented yet
------------------
traceroute.xml.in:
monitor traceroute vrf <vrf> ipv4
<ipv4>
Not documented yet
------------------
traceroute.xml.in:
monitor traceroute vrf <vrf> ipv6
<ipv6>
下页继续

16.2. Operational Commands 1094

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
filter <filter>
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
save <save>
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
save <save> filter <filter>
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
verbose
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
verbose filter <filter>
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
verbose save <save>
Not documented yet
------------------
traffic-dump.xml.in:
monitor traffic interface <interface>
verbose save <save> filter <filter>
ping <destination>
------------------
ping.xml.in:
ping <ping>
Not documented yet
------------------
ping.xml.in:
ping <ping> node.tag
ping <host> vrf <name>
Nothing found in XML Definitions
下页继续

16.2. Operational Commands 1095

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
poweroff.xml.in:
poweroff
Not documented yet
------------------
poweroff.xml.in:
poweroff at <at>
Not documented yet
------------------
poweroff.xml.in:
poweroff at <at> date <date>
Not documented yet
------------------
poweroff.xml.in:
poweroff cancel
Not documented yet
------------------
poweroff.xml.in:
poweroff in <in>
Not documented yet
------------------
poweroff.xml.in:
poweroff now
set pppoe-server
maintenance-mode <enable
| disable>
Nothing found in XML Definitions
Not documented yet
------------------
pppoe-server.xml.in:
set pppoe-server maintenance-mode
cancel
Not documented yet
------------------
pppoe-server.xml.in:
set pppoe-server maintenance-mode
enable
reset <ip|ipv6> bgp
<address> [soft
[in|out]]
Nothing found in XML Definitions
Not documented yet
------------------
reboot.xml.in:
reboot
Not documented yet
------------------
reboot.xml.in:
reboot at <at>
下页继续

16.2. Operational Commands 1096

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
reboot.xml.in:
reboot at <at> date <date>
Not documented yet
------------------
reboot.xml.in:
reboot cancel
Not documented yet
------------------
reboot.xml.in:
reboot in <in>
Not documented yet
------------------
reboot.xml.in:
reboot now
Not documented yet
------------------
reset-conntrack.xml.in:
reset conntrack
reset dns forwarding
<all | domain>
Nothing found in XML Definitions
Not documented yet
------------------
dns-forwarding.xml.in:
reset dns forwarding all
Not documented yet
------------------
dns-forwarding.xml.in:
reset dns forwarding domain <do-
main>
Not documented yet
------------------
ipv4-route.xml.in:
reset ip arp address <address>
Not documented yet
------------------
ipv4-route.xml.in:
reset ip arp interface <interface>
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp>
reset ip bgp all
------------------
reset-ip-bgp.xml.in:
reset ip bgp all
下页继续

16.2. Operational Commands 1097

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
reset ip bgp dampening
------------------
reset-ip-bgp.xml.in:
reset ip bgp dampening <dampen-
ing>
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp dampening <dampen-
ing> node.tag
reset ip bgp external
------------------
reset-ip-bgp.xml.in:
reset ip bgp external
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp external in
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp external in prefix-filter
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp external out
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp external soft
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp external soft in
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp external soft out
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp> in
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp> in prefix-filter
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp> out
下页继续

16.2. Operational Commands 1098

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group>
reset ip bgp peer-group
<name> [soft [in|out]]
Nothing found in XML Definitions
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group> in
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group> in prefix-filter
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group> out
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group> soft
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group> soft in
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp peer-group <peer-
group> soft out
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp> soft
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp> soft in
Not documented yet
------------------
reset-ip-bgp.xml.in:
reset ip bgp <bgp> soft out
下页继续

16.2. Operational Commands 1099

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
reset-ip-igmp.xml.in:
reset ip igmp interfaces
Not documented yet
------------------
reset-ip-multicast.xml.in:
reset ip multicast route
Not documented yet
------------------
ipv4-route.xml.in:
reset ip route cache <cache>
reset ipv6 bgp
<address>
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp>
Not documented yet
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp> in
Not documented yet
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp> in prefix-filter
Not documented yet
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp> out
Not documented yet
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp> soft
Not documented yet
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp> soft in
Not documented yet
------------------
reset-ipv6-bgp.xml.in:
reset ipv6 bgp <bgp> soft out
reset ipv6 neighbors
<address | interface>
Nothing found in XML Definitions
Not documented yet
------------------
ipv6-route.xml.in:
reset ipv6 neighbors address <ad-
dress>
下页继续

16.2. Operational Commands 1100

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
ipv6-route.xml.in:
reset ipv6 neighbors interface <inter-
face>
reset ipv6 route cache
------------------
ipv6-route.xml.in:
reset ipv6 route cache <cache>
Not documented yet
------------------
reset-mpls.xml.in:
reset mpls ldp neighbor <neighbor>
reset mpls ldp neighbor
<IPv4 or IPv6 address>
Nothing found in XML Definitions
Not documented yet
------------------
dhcp.xml.in:
renew dhcp interface <interface>
Not documented yet
------------------
dhcp.xml.in:
renew dhcpv6 interface <interface>
reset openvpn client
<text>
Nothing found in XML Definitions
reset openvpn interface
<interface>
Nothing found in XML Definitions
restart dhcp relay-agent
Nothing found in XML Definitions
restart dhcp server
Nothing found in XML Definitions
restart dhcpv6
relay-agent
Nothing found in XML Definitions
restart dhcpv6 server
Nothing found in XML Definitions
restart dns forwarding
Nothing found in XML Definitions
Not documented yet
------------------
restart-frr.xml.in:
restart frr
Not documented yet
------------------
restart-frr.xml.in:
restart frr bfdd
下页继续

16.2. Operational Commands 1101

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
restart-frr.xml.in:
restart frr bgpd
Not documented yet
------------------
restart-frr.xml.in:
restart frr ospf6d
Not documented yet
------------------
restart-frr.xml.in:
restart frr ospfd
Not documented yet
------------------
restart-frr.xml.in:
restart frr ripd
Not documented yet
------------------
restart-frr.xml.in:
restart frr ripngd
Not documented yet
------------------
restart-frr.xml.in:
restart frr staticd
Not documented yet
------------------
restart-frr.xml.in:
restart frr zebra
restart igmp-proxy
------------------
igmp-proxy.xml.in:
restart igmp-proxy
Not documented yet
------------------
ipoe-server.xml.in:
restart ipoe-server
Not documented yet
------------------
restart-snmp.xml.in:
restart snmp
restart ssh
------------------
restart-ssh.xml.in:
restart ssh
Not documented yet
------------------
vrrp.xml.in:
restart vrrp
下页继续

16.2. Operational Commands 1102

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access all
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access all protocol
l2tp
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access all protocol
pptp
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access all protocol
sstp
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access interface
<interface>
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access user <user>
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access user <user>
protocol l2tp
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access user <user>
protocol pptp
Not documented yet
------------------
reset-vpn.xml.in:
reset vpn remote-access user <user>
protocol sstp
run generate macsec
mka-cak
Nothing found in XML Definitions
run generate macsec
mka-ckn
Nothing found in XML Definitions
下页继续

16.2. Operational Commands 1103

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-protocols-static.xml.in:
show arp
Not documented yet
------------------
show-protocols-static.xml.in:
show arp interface <interface>
show <ip|ipv6> bgp
<address|prefix>
------------------
show-bgp.xml.in:
show bgp
show <ip|ipv6> bgp
community <value>
------------------
show-bgp.xml.in:
show bgp community
show <ip|ipv6> bgp
community-list <name>
------------------
show-bgp.xml.in:
show bgp community-list
<community-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp community-list
<community-list> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp community accept-own
Not documented yet
------------------
show-bgp.xml.in:
show bgp community accept-own-
nexthop
Not documented yet
------------------
show-bgp.xml.in:
show bgp community blackhole
Not documented yet
------------------
show-bgp.xml.in:
show bgp community exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp community graceful-
shutdown
下页继续

16.2. Operational Commands 1104

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp community llgr-stale
Not documented yet
------------------
show-bgp.xml.in:
show bgp community local-AS
Not documented yet
------------------
show-bgp.xml.in:
show bgp community no-advertise
Not documented yet
------------------
show-bgp.xml.in:
show bgp community no-export
Not documented yet
------------------
show-bgp.xml.in:
show bgp community no-llgr
Not documented yet
------------------
show-bgp.xml.in:
show bgp community no-peer
Not documented yet
------------------
show-bgp.xml.in:
show bgp community route-filter-
translated-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp community route-filter-
translated-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp community route-filter-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp community route-filter-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp dampening dampened-
paths
Not documented yet
------------------
show-bgp.xml.in:
show bgp dampening flap-statistics
下页继续

16.2. Operational Commands 1105

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp dampening parameters
Not documented yet
------------------
show-bgp.xml.in:
show bgp filter-list <filter-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 <ipv4>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 <ipv4> bestpath
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community-list
<community-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community-list
<community-list> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community accept-
own
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community accept-
own-nexthop
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community blackhole
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community exact-
match
下页继续

16.2. Operational Commands 1106

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community graceful-
shutdown
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community llgr-stale
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community local-AS
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community no-
advertise
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community no-export
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community no-llgr
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community no-peer
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community route-
filter-translated-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community route-
filter-translated-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community route-
filter-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 community route-
filter-v6
下页继续

16.2. Operational Commands 1107

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 dampening
dampened-paths
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 dampening flap-
statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 dampening parame-
ters
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 filter-list <filter-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 large-community
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 <ipv4> longer-
prefixes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 <ipv4> multipath
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> advertised-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> dampened-routes
下页继续

16.2. Operational Commands 1108

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> prefix-counts
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> received-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> received prefix-filter
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 neighbors <neigh-
bors> routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 prefix-list <prefix-
list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 regexp <regexp>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 route-map <route-
map>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv4 summary
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 <ipv6>
下页继续

16.2. Operational Commands 1109

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 <ipv6> bestpath
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community-list
<community-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community-list
<community-list> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community accept-
own
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community accept-
own-nexthop
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community blackhole
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community exact-
match
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community graceful-
shutdown
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community llgr-stale
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community local-AS
下页继续

16.2. Operational Commands 1110

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community no-
advertise
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community no-export
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community no-llgr
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community no-peer
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community route-
filter-translated-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community route-
filter-translated-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community route-
filter-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 community route-
filter-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 dampening
dampened-paths
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 dampening flap-
statistics
下页继续

16.2. Operational Commands 1111

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 dampening parame-
ters
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 filter-list <filter-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 large-community
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 <ipv6> longer-
prefixes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 <ipv6> multipath
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> advertised-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> dampened-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> prefix-counts
下页继续

16.2. Operational Commands 1112

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> received-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> received prefix-filter
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 neighbors <neigh-
bors> routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 prefix-list <prefix-
list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 regexp <regexp>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 route-map <route-
map>
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp ipv6 summary
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn all overlay
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn all tags
下页继续

16.2. Operational Commands 1113

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn community
<community>
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn community
<community> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn es
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn es-evi
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn es-evi detail
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn es-evi vni <vni>
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn es detail
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn import-rt
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn large-
community <large-community>
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn neighbors
<neighbors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn neighbors
<neighbors> advertised-routes
下页继续

16.2. Operational Commands 1114

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn neighbors
<neighbors> routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn rd <rd>
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn rd <rd> overlay
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn rd <rd> tags
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route detail
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type 1
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type 2
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type 3
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type 4
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type 5
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type ead
下页继续

16.2. Operational Commands 1115

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type es
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type
macip
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type mul-
ticast
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route type pre-
fix
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn route vni <vni>
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn summary
Not documented yet
------------------
show-bgp.xml.in:
show bgp l2vpn evpn vni
Not documented yet
------------------
show-bgp.xml.in:
show bgp large-community
Not documented yet
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
show <ip|ipv6> bgp
neighbors <address>
advertised-routes
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
advertised-routes
下页继续

16.2. Operational Commands 1116

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show <ip|ipv6> bgp
neighbors <address>
dampened-routes
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
dampened-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
prefix-counts
show <ip|ipv6> bgp
neighbors <address>
received-routes
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
received-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors> re-
ceived prefix-filter
show <ip|ipv6> bgp
neighbors <address>
routes
------------------
show-bgp.xml.in:
show bgp neighbors <neighbors>
routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp prefix-list <prefix-list>
show <ip|ipv6> bgp
regexp <text>
------------------
show-bgp.xml.in:
show bgp regexp <regexp>
Not documented yet
------------------
show-bgp.xml.in:
show bgp route-map <route-map>
下页继续

16.2. Operational Commands 1117

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp statistics
show <ip|ipv6> bgp
summary
------------------
show-bgp.xml.in:
show bgp summary
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community-list
<community-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community-list
<community-list> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
accept-own
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
accept-own-nexthop
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
blackhole
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
exact-match
下页继续

16.2. Operational Commands 1118

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
graceful-shutdown
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community llgr-
stale
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
local-AS
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community no-
advertise
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community no-
export
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community no-
llgr
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community no-
peer
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
route-filter-translated-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
route-filter-translated-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
route-filter-v4
下页继续

16.2. Operational Commands 1119

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> community
route-filter-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> dampening
dampened-paths
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> dampening flap-
statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> dampening pa-
rameters
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> filter-list <filter-
list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 <ipv4>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 <ipv4> best-
path
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community-
list <community-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community-
list <community-list> exact-match
下页继续

16.2. Operational Commands 1120

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
accept-own
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
accept-own-nexthop
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
blackhole
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
graceful-shutdown
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
llgr-stale
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
local-AS
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
no-advertise
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
no-export
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
no-llgr
下页继续

16.2. Operational Commands 1121

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
no-peer
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
route-filter-translated-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
route-filter-translated-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
route-filter-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 community
route-filter-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 dampening
dampened-paths
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 dampening
flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 dampening
parameters
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 filter-list
<filter-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 large-
community
下页继续

16.2. Operational Commands 1122

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 <ipv4>
longer-prefixes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 <ipv4> mul-
tipath
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> advertised-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> dampened-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> prefix-counts
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> received-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> received prefix-filter
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 neighbors
<neighbors> routes
下页继续

16.2. Operational Commands 1123

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 prefix-list
<prefix-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 regexp
<regexp>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 route-map
<route-map>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv4 summary
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 <ipv6>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 <ipv6> best-
path
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community-
list <community-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community-
list <community-list> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
accept-own
下页继续

16.2. Operational Commands 1124

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
accept-own-nexthop
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
blackhole
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
graceful-shutdown
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
llgr-stale
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
local-AS
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
no-advertise
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
no-export
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
no-llgr
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
no-peer
下页继续

16.2. Operational Commands 1125

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
route-filter-translated-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
route-filter-translated-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
route-filter-v4
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 community
route-filter-v6
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 dampening
dampened-paths
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 dampening
flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 dampening
parameters
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 filter-list
<filter-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 large-
community
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 <ipv6>
longer-prefixes
下页继续

16.2. Operational Commands 1126

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 <ipv6> mul-
tipath
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> advertised-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> dampened-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> prefix-counts
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> received-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> received prefix-filter
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 neighbors
<neighbors> routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 prefix-list
<prefix-list>
下页继续

16.2. Operational Commands 1127

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 regexp
<regexp>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 route-map
<route-map>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> ipv6 summary
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn all
overlay
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn all
tags
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn com-
munity <community>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn com-
munity <community> exact-match
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn es
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn es-evi
下页继续

16.2. Operational Commands 1128

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn es-evi
detail
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn es-evi
vni <vni>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn es de-
tail
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn
import-rt
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn large-
community <large-community>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn
neighbors <neighbors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn
neighbors <neighbors> advertised-
routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn
neighbors <neighbors> routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn rd
<rd>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn rd
<rd> overlay
下页继续

16.2. Operational Commands 1129

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn rd
<rd> tags
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
detail
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type 1
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type 2
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type 3
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type 4
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type 5
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type ead
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type es
下页继续

16.2. Operational Commands 1130

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type macip
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type multicast
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
type prefix
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn route
vni <vni>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn statis-
tics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn sum-
mary
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> l2vpn evpn vni
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> large-community
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> advertised-routes
下页继续

16.2. Operational Commands 1131

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> dampened-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> flap-statistics
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> prefix-counts
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> received-routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> received prefix-filter
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> neighbors
<neighbors> routes
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> prefix-list
<prefix-list>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> regexp <regexp>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> route-map
<route-map>
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> statistics
下页继续

16.2. Operational Commands 1132

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-bgp.xml.in:
show bgp vrf <vrf> summary
show bridge
------------------
show-bridge.xml.in:
show bridge <bridge>
Not documented yet
------------------
show-bridge.xml.in:
show bridge <bridge> fdb
Not documented yet
------------------
show-bridge.xml.in:
show bridge <bridge> macs
show bridge <name>
spanning-tree
------------------
show-bridge.xml.in:
show bridge <bridge> spanning-tree
show configuration
------------------
show-configuration.xml.in:
show configuration
Not documented yet
------------------
show-configuration.xml.in:
show configuration all
show configuration
commands
------------------
show-configuration.xml.in:
show configuration commands
Not documented yet
------------------
show-configuration.xml.in:
show configuration files
show console-server
ports
------------------
show-console-server.xml.in:
show console-server ports
show console-server
user
------------------
show-console-server.xml.in:
show console-server user
show dhcp server leases
Nothing found in XML Definitions
下页继续

16.2. Operational Commands 1133

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show dhcp server leases
pool <pool>
Nothing found in XML Definitions
show dhcp server leases
sort <key>
Nothing found in XML Definitions
show dhcp server leases
state <state>
Nothing found in XML Definitions
show dhcp server
statistics
Nothing found in XML Definitions
show dhcp server
statistics pool <pool>
Nothing found in XML Definitions
show dhcpv6 server
leases
Nothing found in XML Definitions
show dhcpv6 server
leases pool <pool>
Nothing found in XML Definitions
show dhcpv6 server
leases sort <key>
Nothing found in XML Definitions
show dhcpv6 server
leases state <state>
Nothing found in XML Definitions
show dhcpv6 server
status
Nothing found in XML Definitions
Not documented yet
------------------
disks.xml.in:
show disk <disk> format
Not documented yet
------------------
show-environment.xml.in:
show environment sensors
Not documented yet
------------------
show-evpn.xml.in:
show evpn arp-cache vni <vni>
Not documented yet
------------------
show-evpn.xml.in:
show evpn mac vni <vni>
Not documented yet
------------------
show-evpn.xml.in:
show evpn next-hops vni <vni>
下页继续

16.2. Operational Commands 1134

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-evpn.xml.in:
show evpn rmac vni <vni>
show firewall
Nothing found in XML Definitions
show firewall [name
| ipv6name] <name>
Nothing found in XML Definitions
show firewall [name
| ipv6name] <name> rule
<1-9999>
Nothing found in XML Definitions
show firewall [name
| ipv6name] <name>
statistics
Nothing found in XML Definitions
show firewall group
<name>
Nothing found in XML Definitions
show firewall statistics
Nothing found in XML Definitions
show firewall summary
Nothing found in XML Definitions
show flow-accounting
interface <interface>
Nothing found in XML Definitions
show flow-accounting
interface <interface>
host <address>
Nothing found in XML Definitions
Not documented yet
------------------
show-hardware.xml.in:
show hardware cpu
Not documented yet
------------------
show-hardware.xml.in:
show hardware cpu detail
Not documented yet
------------------
show-hardware.xml.in:
show hardware cpu summary
Not documented yet
------------------
show-hardware.xml.in:
show hardware dmi
下页继续

16.2. Operational Commands 1135

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-hardware.xml.in:
show hardware mem
Not documented yet
------------------
show-hardware.xml.in:
show hardware pci
Not documented yet
------------------
show-hardware.xml.in:
show hardware pci detail
Not documented yet
------------------
show-hardware.xml.in:
show hardware scsi
Not documented yet
------------------
show-hardware.xml.in:
show hardware scsi detail
show hardware usb
------------------
show-hardware.xml.in:
show hardware usb
Not documented yet
------------------
show-hardware.xml.in:
show hardware usb detail
show hardware usb serial
------------------
show-hardware.xml.in:
show hardware usb serial
Not documented yet
------------------
show-history.xml.in:
show history <history>
Not documented yet
------------------
show-history.xml.in:
show history brief
Not documented yet
------------------
show-host.xml.in:
show host date
Not documented yet
------------------
show-host.xml.in:
show host domain
下页继续

16.2. Operational Commands 1136

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-host.xml.in:
show host lookup <lookup>
Not documented yet
------------------
show-host.xml.in:
show host name
Not documented yet
------------------
show-host.xml.in:
show host os
Not documented yet
------------------
show-interfaces.xml.in:
show interfaces
show interfaces bonding
<interface>
------------------
show-interfaces-bonding.xml.in:
show interfaces bonding
Not documented yet
------------------
show-interfaces-bonding.xml.in:
show interfaces bonding <bonding>
brief
show interfaces bonding
<interface> detail
------------------
show-interfaces-bonding.xml.in:
show interfaces bonding detail
Not documented yet
------------------
show-interfaces-bonding.xml.in:
show interfaces bonding <bonding>
vif <vif>
Not documented yet
------------------
show-interfaces-bonding.xml.in:
show interfaces bonding <bonding>
vif <vif> brief
Not documented yet
------------------
show-interfaces-bonding.xml.in:
show interfaces bonding <bonding>
xdp
Not documented yet
------------------
show-interfaces-bridge.xml.in:
show interfaces bridge
下页继续

16.2. Operational Commands 1137

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-interfaces-bridge.xml.in:
show interfaces bridge <bridge>
brief
Not documented yet
------------------
show-interfaces-bridge.xml.in:
show interfaces bridge detail
Not documented yet
------------------
show-interfaces-bridge.xml.in:
show interfaces bridge vlan
Not documented yet
------------------
show-interfaces.xml.in:
show interfaces counters
Not documented yet
------------------
show-interfaces.xml.in:
show interfaces detail
show interfaces dummy
<interface>
------------------
show-interfaces-dummy.xml.in:
show interfaces dummy
Not documented yet
------------------
show-interfaces-dummy.xml.in:
show interfaces dummy <dummy>
brief
Not documented yet
------------------
show-interfaces-dummy.xml.in:
show interfaces dummy detail
show interfaces ethernet
<interface>
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet
Not documented yet
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
brief
Not documented yet
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet detail
下页继续

16.2. Operational Commands 1138

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
identify
show interfaces ethernet
<interface> physical
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
physical
show interfaces ethernet
<interface> physical
offload
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
physical offload
Not documented yet
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
statistics
show interfaces ethernet
<interface> transceiver
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
transceiver
Not documented yet
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
vif <vif>
Not documented yet
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
vif <vif> brief
show interfaces ethernet
<interface> xdp
------------------
show-interfaces-ethernet.xml.in:
show interfaces ethernet <ethernet>
xdp
Not documented yet
------------------
show-interfaces-input.xml.in:
show interfaces input
下页继续

16.2. Operational Commands 1139

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-interfaces-input.xml.in:
show interfaces input <input> brief
Not documented yet
------------------
show-interfaces-input.xml.in:
show interfaces input detail
Not documented yet
------------------
show-interfaces-l2tpv3.xml.in:
show interfaces l2tpv3
Not documented yet
------------------
show-interfaces-l2tpv3.xml.in:
show interfaces l2tpv3 <l2tpv3>
brief
Not documented yet
------------------
show-interfaces-l2tpv3.xml.in:
show interfaces l2tpv3 detail
show interfaces
loopback
------------------
show-interfaces-loopback.xml.in:
show interfaces loopback
Not documented yet
------------------
show-interfaces-loopback.xml.in:
show interfaces loopback <loop-
back> brief
Not documented yet
------------------
show-interfaces-loopback.xml.in:
show interfaces loopback detail
show interfaces loopback
lo
Nothing found in XML Definitions
show interfaces macsec
<interface>
------------------
show-interfaces-macsec.xml.in:
show interfaces macsec <macsec>
Not documented yet
------------------
openvpn.xml.in:
show interfaces openvpn <openvpn>
下页继续

16.2. Operational Commands 1140

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
openvpn.xml.in:
show interfaces openvpn <openvpn>
brief
Not documented yet
------------------
openvpn.xml.in:
show interfaces openvpn detail
show interfaces pppoe
<interface>
------------------
show-interfaces-pppoe.xml.in:
show interfaces pppoe
Not documented yet
------------------
show-interfaces-pppoe.xml.in:
show interfaces pppoe detail
Not documented yet
------------------
show-interfaces-pppoe.xml.in:
show interfaces pppoe <pppoe> log
show interfaces pppoe
<interface> queue
Nothing found in XML Definitions
Not documented yet
------------------
show-interfaces-pppoe.xml.in:
show interfaces pppoe <pppoe>
statistics
Not documented yet
------------------
show-interfaces-pseudo-
ethernet.xml.in:
show interfaces pseudo-ethernet
Not documented yet
------------------
show-interfaces-pseudo-
ethernet.xml.in:
show interfaces pseudo-ethernet
<pseudo-ethernet> brief
Not documented yet
------------------
show-interfaces-pseudo-
ethernet.xml.in:
show interfaces pseudo-ethernet de-
tail
Not documented yet
------------------
show-interfaces-tunnel.xml.in:
show interfaces tunnel
下页继续

16.2. Operational Commands 1141

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-interfaces-tunnel.xml.in:
show interfaces tunnel <tunnel> brief
Not documented yet
------------------
show-interfaces-tunnel.xml.in:
show interfaces tunnel detail
Not documented yet
------------------
show-interfaces-vti.xml.in:
show interfaces vti
Not documented yet
------------------
show-interfaces-vti.xml.in:
show interfaces vti <vti> brief
Not documented yet
------------------
show-interfaces-vti.xml.in:
show interfaces vti detail
Not documented yet
------------------
show-interfaces-vxlan.xml.in:
show interfaces vxlan
Not documented yet
------------------
show-interfaces-vxlan.xml.in:
show interfaces vxlan <vxlan> brief
Not documented yet
------------------
show-interfaces-vxlan.xml.in:
show interfaces vxlan detail
show interfaces wireless
<wlanX>
------------------
wireless.xml.in:
show interfaces wireless <wireless>
show interfaces wireless
<wlanX> brief
------------------
wireless.xml.in:
show interfaces wireless <wireless>
brief
show interfaces wireless
detail
------------------
wireless.xml.in:
show interfaces wireless detail
下页继续

16.2. Operational Commands 1142

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show interfaces wireless
info
------------------
wireless.xml.in:
show interfaces wireless info
show interfaces
wirelessmodem
<interface>
------------------
show-interfaces-
wirelessmodem.xml.in:
show interfaces wirelessmodem
Not documented yet
------------------
show-interfaces-
wirelessmodem.xml.in:
show interfaces wirelessmodem de-
tail
show interfaces
wirelessmodem
<interface> log
------------------
show-interfaces-
wirelessmodem.xml.in:
show interfaces wirelessmodem
<wirelessmodem> log
show interfaces
wirelessmodem
<interface> statistics
------------------
show-interfaces-
wirelessmodem.xml.in:
show interfaces wirelessmodem
<wirelessmodem> statistics
show interfaces wireless
<wlanX> queue
Nothing found in XML Definitions
show interfaces wireless
<wlanX> scan
------------------
wireless.xml.in:
show interfaces wireless <wireless>
scan
Not documented yet
------------------
wireless.xml.in:
show interfaces wireless <wireless>
scan detail
下页继续

16.2. Operational Commands 1143

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
wireless.xml.in:
show interfaces wireless <wireless>
stations
Not documented yet
------------------
wireless.xml.in:
show interfaces wireless <wireless>
vif <vif>
Not documented yet
------------------
wireless.xml.in:
show interfaces wireless <wireless>
vif <vif> brief
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip access-list <access-list>
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip as-path-access-list <as-path-
access-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp attribute-info
show ip bgp cidr-only
------------------
show-ip-bgp.xml.in:
show ip bgp cidr-only
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community-info
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community-list
<community-list>
下页继续

16.2. Operational Commands 1144

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community-list
<community-list> exact-match
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community accept-own
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community accept-own-
nexthop
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community blackhole
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community exact-match
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community graceful-
shutdown
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community llgr-stale
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community local-AS
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community no-advertise
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community no-export
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community no-llgr
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community no-peer
下页继续

16.2. Operational Commands 1145

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community route-filter-
translated-v4
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community route-filter-
translated-v6
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community route-filter-
v4
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp community route-filter-
v6
show ip bgp
dampened-paths
Nothing found in XML Definitions
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp dampening dampened-
paths
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp dampening flap-statistics
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp dampening parameters
show ip bgp filter-list
<name>
------------------
show-ip-bgp.xml.in:
show ip bgp filter-list <filter-list>
show ip bgp
flap-statistics
Nothing found in XML Definitions
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast <unicast>
下页继续

16.2. Operational Commands 1146

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast cidr-only
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast community
<community>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast community-
list <community-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast community-
list <community-list> exact-match
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast neighbors
<neighbors>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast neighbors
<neighbors> advertised-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast neighbors
<neighbors> prefix-counts
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast neighbors
<neighbors> received-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast neighbors
<neighbors> routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast paths
下页继续

16.2. Operational Commands 1147

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast prefix-list
<prefix-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast regexp
<regexp>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast route-map
<route-map>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp ipv4 unicast summary
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp large-community
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp large-community-info
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp memory
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
advertised-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
dampened-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
flap-statistics
下页继续

16.2. Operational Commands 1148

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
prefix-counts
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
received-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
received prefix-filter
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp neighbors <neighbors>
routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp paths
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp prefix-list <prefix-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp regexp <regexp>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp route-map <route-map>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp statistics
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp summary
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf>
下页继续

16.2. Operational Commands 1149

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> attribute-info
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> cidr-only
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community-
info
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community-
list <community-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community-
list <community-list> exact-match
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
accept-own
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
accept-own-nexthop
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
blackhole
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
exact-match
下页继续

16.2. Operational Commands 1150

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
graceful-shutdown
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
llgr-stale
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
local-AS
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
no-advertise
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
no-export
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
no-llgr
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
no-peer
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
route-filter-translated-v4
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
route-filter-translated-v6
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
route-filter-v4
下页继续

16.2. Operational Commands 1151

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> community
route-filter-v6
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> dampening
dampened-paths
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> dampening
flap-statistics
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> dampening pa-
rameters
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> filter-list
<filter-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
<unicast>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
cidr-only
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
community <community>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
community-list <community-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
community-list <community-list>
exact-match
下页继续

16.2. Operational Commands 1152

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
neighbors <neighbors>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
neighbors <neighbors> advertised-
routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
neighbors <neighbors> prefix-counts
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 uni-
cast neighbors <neighbors> received-
routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
neighbors <neighbors> routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
paths
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
prefix-list <prefix-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
regexp <regexp>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
route-map <route-map>
下页继续

16.2. Operational Commands 1153

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> ipv4 unicast
summary
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> large-
community
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> large-
community-info
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> memory
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> advertised-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> dampened-routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> flap-statistics
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> prefix-counts
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> received-routes
下页继续

16.2. Operational Commands 1154

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> received prefix-filter
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> neighbors
<neighbors> routes
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> paths
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> prefix-list
<prefix-list>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> regexp <reg-
exp>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> route-map
<route-map>
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> statistics
Not documented yet
------------------
show-ip-bgp.xml.in:
show ip bgp vrf <vrf> summary
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip community-list
<community-list>
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip extcommunity-list
<extcommunity-list>
下页继续

16.2. Operational Commands 1155

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip forwarding
Not documented yet
------------------
show-ip-igmp.xml.in:
show ip igmp groups
Not documented yet
------------------
show-ip-igmp.xml.in:
show ip igmp interfaces
Not documented yet
------------------
show-ip-igmp.xml.in:
show ip igmp join
Not documented yet
------------------
show-ip-igmp.xml.in:
show ip igmp sources
Not documented yet
------------------
show-ip-igmp.xml.in:
show ip igmp statistics
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip large-community-list <large-
community-list>
Not documented yet
------------------
show-ip-multicast.xml.in:
show ip multicast interface
Not documented yet
------------------
show-ip-multicast.xml.in:
show ip multicast mfc
Not documented yet
------------------
show-ip-multicast.xml.in:
show ip multicast route
Not documented yet
------------------
show-ip-multicast.xml.in:
show ip multicast summary
Not documented yet
------------------
show-ip.xml.in:
show ip neighbors
下页继续

16.2. Operational Commands 1156

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf
show ip ospf
border-routers
------------------
show-ip-ospf.xml.in:
show ip ospf border-routers
show ip ospf database
------------------
show-ip-ospf.xml.in:
show ip ospf database
show ip ospf database
<type> [A.B.C.D]
[adv-router <A.B.C.
D>|self-originate]
Nothing found in XML Definitions
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database asbr-summary
<asbr-summary>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database asbr-summary
<asbr-summary> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database asbr-summary
<asbr-summary> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database external <ex-
ternal>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database external <ex-
ternal> adv-router <adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database external <ex-
ternal> self-originate
下页继续

16.2. Operational Commands 1157

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show ip ospf database
max-age
------------------
show-ip-ospf.xml.in:
show ip ospf database max-age
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database network <net-
work>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database network <net-
work> adv-router <adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database network <net-
work> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database nssa-external
<nssa-external>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database nssa-external
<nssa-external> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database nssa-external
<nssa-external> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-area
<opaque-area>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-
area <opaque-area> adv-router
<adv-router>
下页继续

16.2. Operational Commands 1158

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-area
<opaque-area> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-as
<opaque-as>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-as
<opaque-as> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-as
<opaque-as> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-link
<opaque-link>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-
link <opaque-link> adv-router
<adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database opaque-link
<opaque-link> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database router
<router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database router
<router> adv-router <adv-router>
下页继续

16.2. Operational Commands 1159

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database router
<router> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database summary
<summary>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database summary
<summary> adv-router <adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf database summary
<summary> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf interface <interface>
show ip ospf interface
[<intname>]
Nothing found in XML Definitions
show ip ospf neighbor
<intname>
------------------
show-ip-ospf.xml.in:
show ip ospf neighbor <neighbor>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf neighbor address <ad-
dress>
show ip ospf neighbor
detail
------------------
show-ip-ospf.xml.in:
show ip ospf neighbor detail
show ip ospf route
------------------
show-ip-ospf.xml.in:
show ip ospf route
下页继续

16.2. Operational Commands 1160

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> border-
routers
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database asbr-
summary <asbr-summary>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
asbr-summary <asbr-summary> adv-
router <adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
asbr-summary <asbr-summary> self-
originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database ex-
ternal <external>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database ex-
ternal <external> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database ex-
ternal <external> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database max-
age
下页继续

16.2. Operational Commands 1161

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database net-
work <network>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database net-
work <network> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database net-
work <network> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database nssa-
external <nssa-external>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database nssa-
external <nssa-external> adv-router
<adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
nssa-external <nssa-external> self-
originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-area <opaque-area>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-area <opaque-area> adv-
router <adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-area <opaque-area> self-
originate
下页继续

16.2. Operational Commands 1162

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-as <opaque-as>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-as <opaque-as> adv-router
<adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-as <opaque-as> self-
originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-link <opaque-link>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-link <opaque-link> adv-
router <adv-router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
opaque-link <opaque-link> self-
originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
router <router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
router <router> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database
router <router> self-originate
下页继续

16.2. Operational Commands 1163

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database self-
originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database sum-
mary <summary>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database sum-
mary <summary> adv-router <adv-
router>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> database sum-
mary <summary> self-originate
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> interface <in-
terface>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> neighbor
<neighbor>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> neighbor ad-
dress <address>
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> neighbor de-
tail
Not documented yet
------------------
show-ip-ospf.xml.in:
show ip ospf vrf <vrf> route
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim interfaces
下页继续

16.2. Operational Commands 1164

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim join
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim neighbor
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim nexthop
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim rp
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim rpf
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim state
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim statistics
Not documented yet
------------------
show-ip-pim.xml.in:
show ip pim upstream
Not documented yet
------------------
show-ip-ports.xml.in:
show ip ports
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip prefix-list <prefix-list>
Not documented yet
------------------
show-ip-access-paths-prefix-
community-lists.xml.in:
show ip protocol
show ip rip
------------------
show-ip-rip.xml.in:
show ip rip
下页继续

16.2. Operational Commands 1165

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show ip rip status
------------------
show-ip-rip.xml.in:
show ip rip status
Not documented yet
------------------
show-ip-route.xml.in:
show ip route <route>
show ip route 0.0.0.0
Nothing found in XML Definitions
Not documented yet
------------------
show-ip-route.xml.in:
show ip route bgp
Not documented yet
------------------
show-ip-route.xml.in:
show ip route cache <cache>
Not documented yet
------------------
show-ip-route.xml.in:
show ip route connected
Not documented yet
------------------
show-ip-route.xml.in:
show ip route forward <forward>
Not documented yet
------------------
show-ip-route.xml.in:
show ip route isis
Not documented yet
------------------
show-ip-route.xml.in:
show ip route kernel
Not documented yet
------------------
show-ip-route.xml.in:
show ip route <route> longer-
prefixes
Not documented yet
------------------
show-ip-route.xml.in:
show ip route ospf
Not documented yet
------------------
show-ip-route.xml.in:
show ip route rip
下页继续

16.2. Operational Commands 1166

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ip-route.xml.in:
show ip route static
Not documented yet
------------------
show-ip-route.xml.in:
show ip route summary
Not documented yet
------------------
show-ip-route.xml.in:
show ip route supernets-only
Not documented yet
------------------
show-ip-route.xml.in:
show ip route table <table>
Not documented yet
------------------
show-ip-route.xml.in:
show ip route tag <tag>
show ip route vrf
<name>
------------------
show-ip-route.xml.in:
show ip route vrf <vrf>
show ipv6 access-list
------------------
show-ipv6.xml.in:
show ipv6 access-list <access-list>
show ipv6 bgp
Nothing found in XML Definitions
show ipv6 forwarding
------------------
show-ipv6.xml.in:
show ipv6 forwarding
show ipv6 groups
Nothing found in XML Definitions
show ipv6 neighbors
Nothing found in XML Definitions
show ipv6 ospfv3
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 area <area>
下页继续

16.2. Operational Commands 1167

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 area <area> router
<router>
show ipv6 ospfv3
border-routers
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 border-routers
<border-routers>
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 border-routers de-
tail
show ipv6 ospfv3
database
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database
show ipv6 ospfv3
database <type> [A.B.
C.D] [adv-router <A.B.C.
D>|self-originate]
Nothing found in XML Definitions
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database adv-
router <adv-router> linkstate-id
<linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database adv-
router <adv-router> linkstate-id
<linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database adv-
router <adv-router> linkstate-id
<linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
下页继续

16.2. Operational Commands 1168

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any any
<any> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any any
<any> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any any
<any> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database any <any>
node.tag internal
下页继续

16.2. Operational Commands 1169

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external adv-router <adv-router>
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external adv-router <adv-router>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external adv-router <adv-router>
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external adv-router <adv-router>
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external adv-router <adv-router>
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external adv-router <adv-router>
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external any <any>
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external any <any> detail
下页继续

16.2. Operational Commands 1170

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external any <any> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external any <any> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external linkstate-id <linkstate-id>
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external linkstate-id <linkstate-id>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external linkstate-id <linkstate-id>
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> node.tag
下页继续

16.2. Operational Commands 1171

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> node.tag
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> node.tag
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database as-
external <as-external> node.tag
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database
as-external <as-external> self-
originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database
as-external <as-external> self-
originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database
as-external <as-external> self-
originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database
as-external <as-external> self-
originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership
下页继续

16.2. Operational Commands 1172

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership adv-router <adv-
router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership adv-router <adv-
router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership adv-router <adv-
router> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership adv-router <adv-
router> linkstate-id <linkstate-id>
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership adv-router <adv-
router> linkstate-id <linkstate-id>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership adv-router <adv-
router> linkstate-id <linkstate-id>
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership dump
下页继续

16.2. Operational Commands 1173

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership linkstate-id <linkstate-
id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership linkstate-id <linkstate-
id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership linkstate-id <linkstate-
id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag self-originated
下页继续

16.2. Operational Commands 1174

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag self-originated
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag self-originated
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership node.tag self-originated
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database group-
membership self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix adv-router <adv-router> detail
下页继续

16.2. Operational Commands 1175

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix adv-router <adv-router> inter-
nal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix adv-router <adv-router>
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix adv-router <adv-router>
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix adv-router <adv-router>
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix linkstate-id <linkstate-id> de-
tail
下页继续

16.2. Operational Commands 1176

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix linkstate-id <linkstate-id>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix linkstate-id <linkstate-id> in-
ternal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag self-originated dump
下页继续

16.2. Operational Commands 1177

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix node.tag self-originated inter-
nal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
prefix self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router adv-router <adv-router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router adv-router <adv-router> inter-
nal
下页继续

16.2. Operational Commands 1178

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router adv-router <adv-router>
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router adv-router <adv-router>
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router adv-router <adv-router>
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router linkstate-id <linkstate-id> de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router linkstate-id <linkstate-id>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router linkstate-id <linkstate-id> in-
ternal
下页继续

16.2. Operational Commands 1179

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router node.tag self-originated inter-
nal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router self-originated detail
下页继续

16.2. Operational Commands 1180

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database inter-
router self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix adv-router <adv-router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix adv-router <adv-router> inter-
nal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix adv-router <adv-router>
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix adv-router <adv-router>
linkstate-id <linkstate-id> dump
下页继续

16.2. Operational Commands 1181

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix adv-router <adv-router>
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix linkstate-id <linkstate-id> de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix linkstate-id <linkstate-id>
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix linkstate-id <linkstate-id> in-
ternal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag detail
下页继续

16.2. Operational Commands 1182

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix node.tag self-originated inter-
nal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database intra-
prefix self-originated internal
下页继续

16.2. Operational Commands 1183

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link adv-
router <adv-router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link adv-
router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link adv-
router <adv-router> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
adv-router <adv-router> linkstate-id
<linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
adv-router <adv-router> linkstate-id
<linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
adv-router <adv-router> linkstate-id
<linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link inter-
nal
下页继续

16.2. Operational Commands 1184

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag self-originated dump
下页继续

16.2. Operational Commands 1185

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link
node.tag self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link self-
originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link self-
originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link self-
originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database link self-
originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database linkstate-
id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database linkstate-
id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database linkstate-
id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
adv-router <adv-router> detail
下页继续

16.2. Operational Commands 1186

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
adv-router <adv-router> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
adv-router <adv-router> linkstate-id
<linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
adv-router <adv-router> linkstate-id
<linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
adv-router <adv-router> linkstate-id
<linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
linkstate-id <linkstate-id> detail
下页继续

16.2. Operational Commands 1187

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
node.tag self-originated internal
下页继续

16.2. Operational Commands 1188

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database network
self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
adv-router <adv-router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
adv-router <adv-router> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
adv-router <adv-router> linkstate-id
<linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
adv-router <adv-router> linkstate-id
<linkstate-id> dump
下页继续

16.2. Operational Commands 1189

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
adv-router <adv-router> linkstate-id
<linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag dump
下页继续

16.2. Operational Commands 1190

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
node.tag self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database node.tag
self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
下页继续

16.2. Operational Commands 1191

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
adv-router <adv-router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
adv-router <adv-router> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
adv-router <adv-router> linkstate-id
<linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
adv-router <adv-router> linkstate-id
<linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
adv-router <adv-router> linkstate-id
<linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router in-
ternal
下页继续

16.2. Operational Commands 1192

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag self-originated dump
下页继续

16.2. Operational Commands 1193

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
node.tag self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database router
self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database self-
originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database self-
originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database self-
originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database self-
originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
下页继续

16.2. Operational Commands 1194

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
adv-router <adv-router> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
adv-router <adv-router> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
adv-router <adv-router> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
adv-router <adv-router> linkstate-id
<linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
adv-router <adv-router> linkstate-id
<linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
adv-router <adv-router> linkstate-id
<linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7 de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7 in-
ternal
下页继续

16.2. Operational Commands 1195

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
linkstate-id <linkstate-id> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
linkstate-id <linkstate-id> dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
linkstate-id <linkstate-id> internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag self-originated dump
下页继续

16.2. Operational Commands 1196

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
node.tag self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
self-originated
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
self-originated detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
self-originated dump
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 database type-7
self-originated internal
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 interface <inter-
face>
show ipv6 ospfv3
interface
[prefix]|[<intname>
[prefix]]
Nothing found in XML Definitions
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 interface <inter-
face> prefix <prefix>
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 interface <inter-
face> prefix <prefix> detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 interface <inter-
face> prefix <prefix> match
下页继续

16.2. Operational Commands 1197

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 linkstate detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 linkstate network
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 linkstate router
show ipv6 ospfv3
neighbor <intname>
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 neighbor
show ipv6 ospfv3
neighbor detail
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 neighbor detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 neighbor drchoice
show ipv6 ospfv3
redistribute
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 redistribute
show ipv6 ospfv3 route
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route <route>
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route external-1
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route external-1 de-
tail
下页继续

16.2. Operational Commands 1198

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route external-2
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route external-2 de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route inter-area
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route inter-area de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route intra-area
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route intra-area de-
tail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route <route>
longer
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route <route>
match
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route <route>
match detail
Not documented yet
------------------
show-ipv6-ospfv3.xml.in:
show ipv6 ospfv3 route summary
show ipv6 prefix-list
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list <prefix-list>
下页继续

16.2. Operational Commands 1199

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list detail <detail>
Not documented yet
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list <prefix-list>
node.tag
Not documented yet
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list <prefix-list>
node.tag first-match
Not documented yet
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list <prefix-list>
node.tag longer
Not documented yet
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list <prefix-list> seq
<seq>
Not documented yet
------------------
show-ipv6-prefix-list.xml.in:
show ipv6 prefix-list summary <sum-
mary>
show ipv6 ripng
------------------
show-ipv6.xml.in:
show ipv6 ripng
show ipv6 ripng status
------------------
show-ipv6.xml.in:
show ipv6 ripng status
show ipv6 route
------------------
show-ipv6-route.xml.in:
show ipv6 route <route>
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route bgp
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route cache <cache>
下页继续

16.2. Operational Commands 1200

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route connected
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route forward <forward>
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route isis
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route kernel
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route <route> longer-
prefixes
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route ospfv3
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route ripng
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route static
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route summary
Not documented yet
------------------
show-ipv6-route.xml.in:
show ipv6 route table <table>
show ipv6 route vrf
<name>
------------------
show-ipv6-route.xml.in:
show ipv6 route vrf <vrf>
Not documented yet
------------------
show-isis.xml.in:
show isis database <database>
下页继续

16.2. Operational Commands 1201

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-isis.xml.in:
show isis database detail
Not documented yet
------------------
show-isis.xml.in:
show isis hostname
Not documented yet
------------------
show-isis.xml.in:
show isis interface <interface>
Not documented yet
------------------
show-isis.xml.in:
show isis interface detail
Not documented yet
------------------
show-isis.xml.in:
show isis mpls-te interface <inter-
face>
Not documented yet
------------------
show-isis.xml.in:
show isis mpls-te router
Not documented yet
------------------
show-isis.xml.in:
show isis neighbor <neighbor>
Not documented yet
------------------
show-isis.xml.in:
show isis neighbor detail
Not documented yet
------------------
show-isis.xml.in:
show isis route
Not documented yet
------------------
show-isis.xml.in:
show isis route level-1
Not documented yet
------------------
show-isis.xml.in:
show isis route level-2
Not documented yet
------------------
show-isis.xml.in:
show isis segment-routing node
下页继续

16.2. Operational Commands 1202

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-isis.xml.in:
show isis segment-routing prefix-sids
Not documented yet
------------------
show-isis.xml.in:
show isis spf-delay-ietf
Not documented yet
------------------
show-isis.xml.in:
show isis summary
Not documented yet
------------------
show-isis.xml.in:
show isis topology
Not documented yet
------------------
show-isis.xml.in:
show isis topology level-1
Not documented yet
------------------
show-isis.xml.in:
show isis topology level-2
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> database
<database>
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> database detail
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> hostname
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> interface <inter-
face>
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> interface detail
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> mpls-te interface
<interface>
下页继续

16.2. Operational Commands 1203

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> mpls-te router
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> neighbor <neigh-
bor>
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> neighbor detail
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> route
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> route level-1
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> route level-2
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> segment-routing
node
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> segment-routing
prefix-sids
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> spf-delay-ietf
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> summary
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> topology
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> topology level-1
下页继续

16.2. Operational Commands 1204

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-isis.xml.in:
show isis vrf <vrf> topology level-2
Not documented yet
------------------
l2tp-server.xml.in:
show l2tp-server sessions
Not documented yet
------------------
l2tp-server.xml.in:
show l2tp-server statistics
Not documented yet
------------------
show-license.xml.in:
show license
show lldp neighbors
------------------
lldp.xml.in:
show lldp neighbors
show lldp neighbors
detail
------------------
lldp.xml.in:
show lldp neighbors detail
show lldp neighbors
interface <interface>
------------------
lldp.xml.in:
show lldp neighbors interface <inter-
face>
Not documented yet
------------------
show-log.xml.in:
show log
show log [all |
authorization | cluster
| conntrack-sync | ...]
Nothing found in XML Definitions
Not documented yet
------------------
show-log.xml.in:
show log all
Not documented yet
------------------
show-log.xml.in:
show log authorization
Not documented yet
------------------
show-log.xml.in:
show log cluster
下页继续

16.2. Operational Commands 1205

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-log.xml.in:
show log conntrack-sync
Not documented yet
------------------
show-console-server.xml.in:
show log console-server
Not documented yet
------------------
show-log.xml.in:
show log dhcp
show log firewall [name
| ipv6name] <name>
Nothing found in XML Definitions
Not documented yet
------------------
show-log.xml.in:
show log firewall ipv6-name <ipv6-
name>
Not documented yet
------------------
show-log.xml.in:
show log firewall ipv6-name <ipv6-
name> rule <rule>
Not documented yet
------------------
show-log.xml.in:
show log firewall name <name>
Not documented yet
------------------
show-log.xml.in:
show log firewall name <name> rule
<rule>
Not documented yet
------------------
show-log.xml.in:
show log https
Not documented yet
------------------
show-log.xml.in:
show log image <image>
show log image <name>
[all | authorization |
directory | file <file
name> | tail <lines>]
Nothing found in XML Definitions
Not documented yet
------------------
show-log.xml.in:
show log image <image> all
下页继续

16.2. Operational Commands 1206

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-log.xml.in:
show log image <image> authoriza-
tion
Not documented yet
------------------
show-log.xml.in:
show log image <image> tail <tail>
Not documented yet
------------------
show-login.xml.in:
show login
Not documented yet
------------------
show-login.xml.in:
show login groups
Not documented yet
------------------
show-login.xml.in:
show login level
Not documented yet
------------------
show-login.xml.in:
show login user
show log lldp
------------------
show-log.xml.in:
show log lldp
Not documented yet
------------------
show-log.xml.in:
show log nat
Not documented yet
------------------
show-log.xml.in:
show log openvpn
Not documented yet
------------------
show-log.xml.in:
show log snmp
Not documented yet
------------------
show-log.xml.in:
show log tail
Not documented yet
------------------
show-log.xml.in:
show log vpn all
下页继续

16.2. Operational Commands 1207

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-log.xml.in:
show log vpn ipsec
Not documented yet
------------------
show-log.xml.in:
show log vpn l2tp
Not documented yet
------------------
show-log.xml.in:
show log vpn pptp
Not documented yet
------------------
show-log.xml.in:
show log vpn sstp
Not documented yet
------------------
show-log.xml.in:
show log vrrp
Not documented yet
------------------
show-log.xml.in:
show log webproxy
Not documented yet
------------------
show-monitoring.xml.in:
show monitoring
show mpls ldp binding
------------------
show-mpls.xml.in:
show mpls ldp binding <binding>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding <binding> de-
tail
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding local-label
<local-label>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding local-label
<local-label> detail
下页继续

16.2. Operational Commands 1208

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding local-label
<local-label> neighbor <neighbor>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding local-label
<local-label> remote-label <remote-
label>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding neighbor
<neighbor>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding neighbor
<neighbor> detail
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding neighbor
<neighbor> local-label <local-label>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding neighbor
<neighbor> remote-label <remote-
label>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding remote-label
<remote-label>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding remote-label
<remote-label> detail
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding remote-label
<remote-label> local-label <local-
label>
下页继续

16.2. Operational Commands 1209

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp binding remote-label
<remote-label> neighbor <neighbor>
show mpls ldp discovery
------------------
show-mpls.xml.in:
show mpls ldp discovery
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp discovery detail
show mpls ldp interface
------------------
show-mpls.xml.in:
show mpls ldp interface
show mpls ldp neighbor
------------------
show-mpls.xml.in:
show mpls ldp neighbor <neighbor>
Not documented yet
------------------
show-mpls.xml.in:
show mpls ldp neighbor <neighbor>
capabilities
show mpls ldp neighbor
detail
------------------
show-mpls.xml.in:
show mpls ldp neighbor <neighbor>
detail
Not documented yet
------------------
show-mpls.xml.in:
show mpls pseudowire
Not documented yet
------------------
show-mpls.xml.in:
show mpls table
Not documented yet
------------------
nat66.xml.in:
show nat66 destination rules
Not documented yet
------------------
nat66.xml.in:
show nat66 destination statistics
下页继续

16.2. Operational Commands 1210

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
nat66.xml.in:
show nat66 destination translations
Not documented yet
------------------
nat66.xml.in:
show nat66 destination translations
address <address>
Not documented yet
------------------
nat66.xml.in:
show nat66 destination translations
detail
Not documented yet
------------------
nat66.xml.in:
show nat66 source rules
Not documented yet
------------------
nat66.xml.in:
show nat66 source statistics
Not documented yet
------------------
nat66.xml.in:
show nat66 source translations
Not documented yet
------------------
nat66.xml.in:
show nat66 source translations ad-
dress <address>
Not documented yet
------------------
nat66.xml.in:
show nat66 source translations detail
Not documented yet
------------------
nat.xml.in:
show nat destination rules
Not documented yet
------------------
nat.xml.in:
show nat destination statistics
Not documented yet
------------------
nat.xml.in:
show nat destination translations
下页继续

16.2. Operational Commands 1211

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
nat.xml.in:
show nat destination translations ad-
dress <address>
Not documented yet
------------------
nat.xml.in:
show nat destination translations de-
tail
Not documented yet
------------------
nat.xml.in:
show nat source rules
Not documented yet
------------------
nat.xml.in:
show nat source statistics
Not documented yet
------------------
nat.xml.in:
show nat source translations
Not documented yet
------------------
nat.xml.in:
show nat source translations address
<address>
Not documented yet
------------------
nat.xml.in:
show nat source translations detail
Not documented yet
------------------
show-ntp.xml.in:
show ntp
Not documented yet
------------------
show-ntp.xml.in:
show ntp info
Not documented yet
------------------
show-ntp.xml.in:
show ntp server <server>
Not documented yet
------------------
openconnect.xml.in:
show openconnect-server sessions
show openvpn client
------------------
openvpn.xml.in:
show openvpn client
下页继续

16.2. Operational Commands 1212

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show openvpn server
------------------
openvpn.xml.in:
show openvpn server
show openvpn
site-to-site
------------------
openvpn.xml.in:
show openvpn site-to-site
Not documented yet
------------------
show-poweroff.xml.in:
show poweroff
show pppoe-server
sessions
Nothing found in XML Definitions
Not documented yet
------------------
pptp-server.xml.in:
show pptp-server sessions
Not documented yet
------------------
pptp-server.xml.in:
show pptp-server statistics
show protocols bfd peer
------------------
show-protocols-bfd.xml.in:
show protocols bfd peer <peer>
Not documented yet
------------------
show-protocols-bfd.xml.in:
show protocols bfd peer <peer>
counters
Not documented yet
------------------
show-protocols-bfd.xml.in:
show protocols bfd peers
show protocols static
arp
------------------
show-protocols-static.xml.in:
show protocols static arp
Not documented yet
------------------
show-protocols-static.xml.in:
show protocols static arp interface
<interface>
show protocols static
arp interface eth1
Nothing found in XML Definitions
下页继续

16.2. Operational Commands 1213

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
show queueing
<interface-type>
<interface-name>
Nothing found in XML Definitions
Not documented yet
------------------
show-raid.xml.in:
show raid <raid>
Not documented yet
------------------
show-reboot.xml.in:
show reboot
Not documented yet
------------------
show-route-map.xml.in:
show route-map <route-map>
Not documented yet
------------------
show-rpki.xml.in:
show rpki cache-connection
Not documented yet
------------------
show-rpki.xml.in:
show rpki cache-server
Not documented yet
------------------
show-rpki.xml.in:
show rpki prefix-table
Not documented yet
------------------
snmp.xml.in:
show snmp community <commu-
nity>
Not documented yet
------------------
snmp.xml.in:
show snmp community <commu-
nity> host <host>
Not documented yet
------------------
snmp.xml.in:
show snmp mib ifmib
Not documented yet
------------------
snmp.xml.in:
show snmp mib ifmib ifAlias
<ifAlias>
下页继续

16.2. Operational Commands 1214

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
snmp.xml.in:
show snmp mib ifmib ifDescr <ifDe-
scr>
Not documented yet
------------------
snmp.xml.in:
show snmp mib ifmib ifIndex
<ifIndex>
Not documented yet
------------------
snmp.xml.in:
show snmp v3
Not documented yet
------------------
snmp.xml.in:
show snmp v3 certificates
Not documented yet
------------------
snmp.xml.in:
show snmp v3 group
Not documented yet
------------------
snmp.xml.in:
show snmp v3 trap-target
Not documented yet
------------------
snmp.xml.in:
show snmp v3 user
Not documented yet
------------------
snmp.xml.in:
show snmp v3 view
Not documented yet
------------------
sstp-server.xml.in:
show sstp-server sessions
Not documented yet
------------------
sstp-server.xml.in:
show sstp-server statistics
Not documented yet
------------------
show-acceleration.xml.in:
show system acceleration qat
Not documented yet
------------------
show-acceleration.xml.in:
show system acceleration qat device
<device> config
下页继续

16.2. Operational Commands 1215

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-acceleration.xml.in:
show system acceleration qat device
<device> flows
Not documented yet
------------------
show-acceleration.xml.in:
show system acceleration qat inter-
rupts
Not documented yet
------------------
show-acceleration.xml.in:
show system acceleration qat status
show system commit
Nothing found in XML Definitions
show system commit diff
<number>
Nothing found in XML Definitions
Not documented yet
------------------
show-system.xml.in:
show system connections
Not documented yet
------------------
show-system.xml.in:
show system connections tcp
Not documented yet
------------------
show-system.xml.in:
show system connections tcp all
Not documented yet
------------------
show-system.xml.in:
show system connections tcp numeric
Not documented yet
------------------
show-system.xml.in:
show system connections udp
Not documented yet
------------------
show-system.xml.in:
show system connections udp nu-
meric
Not documented yet
------------------
show-system.xml.in:
show system cpu
show system image
Nothing found in XML Definitions
下页继续

16.2. Operational Commands 1216

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-system.xml.in:
show system integrity
Not documented yet
------------------
show-system.xml.in:
show system kernel-messages
Not documented yet
------------------
show-system.xml.in:
show system login users
Not documented yet
------------------
show-system.xml.in:
show system login users all
Not documented yet
------------------
show-system.xml.in:
show system login users locked
Not documented yet
------------------
show-system.xml.in:
show system login users other
Not documented yet
------------------
show-system.xml.in:
show system login users vyos
Not documented yet
------------------
show-system.xml.in:
show system memory
Not documented yet
------------------
show-system.xml.in:
show system memory cache
Not documented yet
------------------
show-system.xml.in:
show system memory detail
Not documented yet
------------------
show-system.xml.in:
show system memory routing-
daemons
Not documented yet
------------------
show-system.xml.in:
show system processes
下页继续

16.2. Operational Commands 1217

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-system.xml.in:
show system processes extensive
Not documented yet
------------------
show-system.xml.in:
show system processes summary
Not documented yet
------------------
show-system.xml.in:
show system processes tree
Not documented yet
------------------
show-system.xml.in:
show system routing-daemons
Not documented yet
------------------
show-system.xml.in:
show system storage
Not documented yet
------------------
show-system.xml.in:
show system uptime
Not documented yet
------------------
show-table.xml.in:
show table
Not documented yet
------------------
show-users.xml.in:
show users
Not documented yet
------------------
show-users.xml.in:
show users recent <recent>
show version
------------------
show-version.xml.in:
show version
Not documented yet
------------------
show-version.xml.in:
show version all
Not documented yet
------------------
show-version.xml.in:
show version frr
下页继续

16.2. Operational Commands 1218

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
show-version.xml.in:
show version funny
Not documented yet
------------------
show-vpn.xml.in:
show vpn remote-access
show vrf <name>
------------------
show-vrf.xml.in:
show vrf <vrf>
Not documented yet
------------------
show-vrf.xml.in:
show vrf <vrf> processes
show wireguard keypairs
pubkey default
Nothing found in XML Definitions
Not documented yet
------------------
show-zebra.xml.in:
show zebra
Not documented yet
------------------
show-zebra.xml.in:
show zebra client summary
Not documented yet
------------------
show-zebra.xml.in:
show zebra dplane
Not documented yet
------------------
show-zebra.xml.in:
show zebra router table summary
show zone-policy zone
<name>
Nothing found in XML Definitions
set system image
default-boot
[image-name]
Nothing found in XML Definitions
Not documented yet
------------------
telnet.xml.in:
telnet to <to>
Not documented yet
------------------
telnet.xml.in:
telnet to <to> port <port>
下页继续

16.2. Operational Commands 1219

 VyOS Documentation, 发布 1.4.x (sagitta)

表 2 – 续上页
172/1666 in Docs 1802/1666 in XML Command
Not documented yet
------------------
terminal.xml.in:
set terminal key query-help <query-
help>
Not documented yet
------------------
terminal.xml.in:
set terminal length <length>
Not documented yet
------------------
terminal.xml.in:
set terminal pager <pager>
Not documented yet
------------------
terminal.xml.in:
set terminal width <width>
traceroute
<destination>
Nothing found in XML Definitions
traceroute vrf <name>
[ipv4 | ipv6] <host>
Nothing found in XML Definitions
Not documented yet
------------------
dns-dynamic.xml.in:
update dns dynamic
update webproxy
blacklists
------------------
webproxy.xml.in:
update webproxy blacklists
update webproxy
blacklists category
<category>
Nothing found in XML Definitions
Not documented yet
------------------
wake-on-lan.xml.in:
wake-on-lan interface <interface>
host <host>

16.2. Operational Commands 1220

 CHAPTER 17

Copyright Notice

Copyright (C) 2018-2021 VyOS maintainers and contributors

Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this per-
mission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying,
provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this manual into another language, under the above conditions
for modified versions, except that this permission notice may be stated in a translation approved by the VyOS maintainers.

1221
 索引

N RFC 3633, 207, 217, 229, 237, 247, 256, 262, 285,
no-vyos-firewall, 566 300, 308, 315, 341, 353, 360
no-vyos-migrate, 566 RFC 3704, 205, 215, 227, 234, 245, 253, 260, 270,
275, 283, 306, 312, 319, 327, 339, 351, 357
R RFC 3719, 411
RFC 3787, 411
RFC
RFC 3849, 655
RFC 1058, 432
RFC 3917, 494
RFC 1195, 410
RFC 3921, 271
RFC 1305, 505
RFC 4213, 321
RFC 1337, 188
RFC 4271, 390
RFC 1583, 419
RFC 4291, 205, 215, 227, 235, 245, 254, 260, 270,
RFC 1702, 545
275, 283, 306, 313, 319, 328, 339, 351, 358
RFC 1771, 390
RFC 4301, 545
RFC 1918, 297, 371
RFC 4456, 401
RFC 1930, 390
RFC 4595, 517
RFC 2003, 320
RFC 4861#section-4.6.2, 476
RFC 2037, 489
RFC 4862, 205, 215, 227, 235, 245, 254, 260, 270,
RFC 2131, 206, 216, 228, 236, 246, 255, 261, 284,
275, 283, 306, 312, 319, 327, 339, 351, 358
307, 313, 340, 352, 358
RFC 5036, 414, 416
RFC 2136, 462
RFC 5065, 401
RFC 2254, 489
RFC 5082, 395
RFC 2283, 391
RFC 5291, 401
RFC 2328, 417, 419
RFC 5303, 412
RFC 2332, 545
RFC 5308, 410
RFC 2439, 398
RFC 5340, 417
RFC 2453, 432
RFC 5389, 655
RFC 2474, 517
RFC 5737, 655
RFC 2763, 410
RFC 5880, 388
RFC 2842, 391
RFC 5881, 388
RFC 2858, 390
RFC 5883, 388
RFC 2860, 371
RFC 5905, 505
RFC 2922, 468
RFC 6232, 411
RFC 3021, 555
RFC 6480, 436
RFC 3069, 204, 205, 214, 215, 226, 227, 234, 245,
RFC 6598, 371
253, 260, 270, 274, 282, 306, 312, 318, 327,
RFC 6793, 390
339, 350, 351, 357
RFC 7042, 655
RFC 3137, 419
RFC 7348, 324
RFC 3509, 419
RFC 7552, 416
RFC 7606, 401

1222
 VyOS Documentation, 发布 1.4.x (sagitta)

RFC 7617, 508

RFC 791, 524
RFC 8210, 436
RFC 8212, 397
RFC 826, 440
RFC 8405, 413
RFC 894, 465

索引 1223