VyOS Project November 2023 update
Curious what we've been up to lately?
Here's the update for November: it includes the removal of the long de-facto deprecated cluster feature (all cluster configs will be migrated to VRRP) and multiple additions, such as interface group support in NAT rules, operational mode commands to display SSH key fingerprints, MRU settings for PPPoE, loop-free alternative support for IS-IS, EVPN ESI multihoming, and more.
New configuration options
MRU (Maximum Receive Unit) value of PPPd can be manually set (
1492by default) (T5630):
set interfaces pppoe <interface> mru <n>Note:
296works well on very slow links. For IPv6, the MRU must be at least
Local route policy rules can be set to use a specific protocol and source and destination ports (T5165):
set policy local-route rule <n> protocol <protocol> set policy local-route rule <n> source port <port> set policy local-route rule <n> destination port <port>
NAT rules can be set to use interface groups (T5643):
set firewall group interface-group <name> interface <interface>
Support for LFA (Loop Free Alternate) for IS-IS (T5530):
set protocols isis fast-reroute lfa local load-sharing set protocols isis fast-reroute lfa local priority-limit [critical|high|medium] [level-1|level-2] set protocols isis fast-reroute lfa local tiebreaker [downstream|lowest-backup-metric|node-protecting] index <n> [level-1|level-2] set protocols isis fast-reroute lfa remote prefix-list <address> [level-1|level-2] show isis fast-reroute summary [level-1|level-2]
ECMP load balancing for BGP labeled unicast (T5667):
set protocols bgp <asn> address-family ipv4-labeled-unicast maximum-paths [ibgp|ebgp] <n>
EVPN ESI multihoming support (T5698):
set interfaces bonding <name> evpn es-df-pref <n> set interfaces bonding <name> evpn es-id <id> set interfaces bonding <name> evpn es-sys-mac <address> set interfaces bonding <name> member interface <interface> set interfaces bonding <name> mode <mode> set interfaces bonding <name> uplink
Option to suppress ARP/ND traffic in VXLAN tunnels (T5668):
set interfaces vxlan <interface> parameters neighbor-suppress
Commands to display SSH server public key fingerprints (T5653):
show ssh fingerprints show ssh fingerprints ascii
Commands to display and log IPs blocked after repeated attempts at SSH login in a short time (T5661):
show ssh dynamic-protection show log ssh dynamic-protection monitor log ssh dynamic-protection
The old cluster feature (based on the deprecated Heartbeat project) has been removed from the current branch, and that change will be backported to the 1.4/Sagitta branch. All cluster configs are automatically migrated to VRRP — thanks to the fact that the old cluster implementation never actually supported any services except for IPv4 addresses, so all functionality that it used to support can easily be done with keepalived.
The zone-based firewall CLI is back. It still uses the refactored firewall implementation under the hood. No migration is necessary (T5541).
A copy of the current config is saved in JSON format at
/run/vyatta/config/config.jsonafter each commit (T5630).
The queuing discipline for network devices was changed to FQ-CoDel (fair queue + controlled delay) from the previous FQ (T5489).
The deprecated DES and Blowfish cipher options are no longer permitted in the OpenVPN configuration due to security issues (T5634).
The default VXLAN port was changed from
8472(Linux default) to
4789(IANA assigned) (T5671).