VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project November 2023 update

VyOS Developer Erkin Batu Altunbas
Posted 8 Nov, 2023

Hello, Community!

Curious what we've been up to lately?

Here's the update for November: it includes the removal of the long de-facto deprecated cluster feature (all cluster configs will be migrated to VRRP) and multiple additions, such as interface group support in NAT rules, operational mode commands to display SSH key fingerprints,  MRU settings for PPPoE, loop-free alternative support for IS-IS, EVPN ESI multihoming, and more. 

New configuration options

  • MRU (Maximum Receive Unit) value of PPPd can be manually set (1492 by default) (T5630):

      set interfaces pppoe <interface> mru <n>
    Note: 296 works well on very slow links. For IPv6, the MRU must be at least 1280.
  • Local route policy rules can be set to use a specific protocol and source and destination ports (T5165):

      set policy local-route rule <n> protocol <protocol>
      set policy local-route rule <n> source port <port>
      set policy local-route rule <n> destination port <port>
  • NAT rules can be set to use interface groups (T5643):

      set firewall group interface-group <name> interface <interface>
  • Support for LFA (Loop Free Alternate) for IS-IS (T5530):

      set protocols isis fast-reroute lfa local load-sharing
      set protocols isis fast-reroute lfa local priority-limit [critical|high|medium] [level-1|level-2]
      set protocols isis fast-reroute lfa local tiebreaker [downstream|lowest-backup-metric|node-protecting] index <n> [level-1|level-2]
      set protocols isis fast-reroute lfa remote prefix-list <address> [level-1|level-2]
      show isis fast-reroute summary [level-1|level-2]
  • ECMP load balancing for BGP labeled unicast (T5667):

      set protocols bgp <asn> address-family ipv4-labeled-unicast maximum-paths [ibgp|ebgp] <n>
  • EVPN ESI multihoming support (T5698):

      set interfaces bonding <name> evpn es-df-pref <n>
      set interfaces bonding <name> evpn es-id <id>
      set interfaces bonding <name> evpn es-sys-mac <address>
      set interfaces bonding <name> member interface <interface>
      set interfaces bonding <name> mode <mode>
      set interfaces bonding <name> uplink
  • Option to suppress ARP/ND traffic in VXLAN tunnels (T5668):

      set interfaces vxlan <interface> parameters neighbor-suppress

New commands

  • Commands to display SSH server public key fingerprints (T5653):

      show ssh fingerprints
      show ssh fingerprints ascii
  • Commands to display and log IPs blocked after repeated attempts at SSH login in a short time (T5661):

      show ssh dynamic-protection
      show log ssh dynamic-protection
      monitor log ssh dynamic-protection

Removed features

The old cluster feature (based on the deprecated Heartbeat project) has been removed from the current branch, and that change will be backported to the 1.4/Sagitta branch. All cluster configs are automatically migrated to VRRP — thanks to the fact that the old cluster implementation never actually supported any services except for IPv4 addresses, so all functionality that it used to support can easily be done with keepalived.

Other changes

  • The zone-based firewall CLI is back. It still uses the refactored firewall implementation under the hood. No migration is necessary (T5541).

  • A copy of the current config is saved in JSON format at /run/vyatta/config/config.json after each commit (T5630).

  • The queuing discipline for network devices was changed to FQ-CoDel (fair queue + controlled delay) from the previous FQ (T5489).

  • The deprecated DES and Blowfish cipher options are no longer permitted in the OpenVPN configuration due to security issues (T5634).

  • The default VXLAN port was changed from 8472 (Linux default) to 4789 (IANA assigned) (T5671).


P.S. Spend a few moments and share your experience with VyOS

The post categories: