Diffstat (limited to 'docs/appendix')
-rw-r--r-- | docs/appendix/commandtree/configmode.rst | 62 |
-rw-r--r-- | docs/appendix/commandtree/operationmode.rst | 58 |
-rw-r--r-- | docs/appendix/examples/azure-vpn-bgp.rst | 16 |
-rw-r--r-- | docs/appendix/examples/azure-vpn-dual-bgp.rst | 16 |
-rw-r--r-- | docs/appendix/examples/bgp-ipv6-unnumbered.rst | 20 |
-rw-r--r-- | docs/appendix/examples/dmvpn.rst | 6 |
-rw-r--r-- | docs/appendix/examples/ha.rst | 42 |
-rw-r--r-- | docs/appendix/examples/ospf-unnumbered.rst | 12 |
-rw-r--r-- | docs/appendix/examples/tunnelbroker-ipv6.rst | 12 |
-rw-r--r-- | docs/appendix/examples/zone-policy.rst | 22 |
-rw-r--r-- | docs/appendix/migrate-from-vyatta.rst | 6 |
-rw-r--r-- | docs/appendix/vyos-on-baremetal.rst | 12 |
12 files changed, 142 insertions, 142 deletions
diff --git a/docs/appendix/commandtree/configmode.rst b/docs/appendix/commandtree/configmode.rst index e286e85f..29dc43d0 100644 --- a/docs/appendix/commandtree/configmode.rst +++ b/docs/appendix/commandtree/configmode.rst @@ -3,7 +3,7 @@ Configuration mode ------------------ -.. code-block:: console +.. code-block:: none confirm Confirm prior commit-confirm comment Add comment to this configuration element @@ -39,21 +39,21 @@ The command cannot be used at the top of the configuration hierarchy, only on su To add a comment to a section, while being already at the proper section level: -.. code-block:: console +.. code-block:: none [edit <section>] vyos@vyos# comment "Type Comment Here" To add a comment directly to a section, from the top or a higher section: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# comment <section> "Type Comment Here" To remove a comment, add a blank comment to overwrite: -.. code-block:: console +.. code-block:: none [edit <section>] vyos@vyos# comment "" @@ -63,7 +63,7 @@ Examples To add a comment to the "interfaces" section: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# edit interfaces @@ -74,7 +74,7 @@ To add a comment to the "interfaces" section: The comment would then appear like this: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# show @@ -86,7 +86,7 @@ The comment would then appear like this: An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# show interfaces 
@@ -96,7 +96,7 @@ An important thing to note is that since the comment is added on top of the sect To add a comment to the interfaces section from the top: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# comment interfaces "test" @@ -104,7 +104,7 @@ To add a comment to the interfaces section from the top: The comment can be added to any node that already exists, even if it's multiple levels lower: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment" @@ -119,7 +119,7 @@ To discard the changes without committing, use the ``discard`` command. The ``co The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# commit @@ -134,7 +134,7 @@ The ``commit-confirm`` command commits the proposed changes to the configuration If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot. The default timer value is 10 minutes, but a custom value can be entered. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# commit-confirm @@ -149,7 +149,7 @@ Compare VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# compare @@ -178,7 +178,7 @@ The ``copy`` command allows you to copy a configuration object. Copy the configuration entrys from a firewall name WAN rule 1 to rule 2. -.. code-block:: console +.. code-block:: none [edit firewall name WAN] vyos@vyos# show @@ -212,7 +212,7 @@ The ``delte`` command is to delete a configuration entry. This Example delete the hole ``service tftp-server`` section. -.. code-block:: console +.. code-block:: none delete service tftp-server 
@@ -221,7 +221,7 @@ Discard The ``discard`` command removes all pending configuration changes. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# discard @@ -235,7 +235,7 @@ The ``edit`` command allows you to navigate down into the configuration tree. To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level. The ``[edit]`` text displays where the user is located in the configuration tree. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# edit interfaces @@ -255,14 +255,14 @@ The ``exit`` command doesn't save the configuration, only the ``save`` command d Exiting from a configuration level: -.. code-block:: console +.. code-block:: none [edit interfaces ethernet eth0] vyos@vyos# exit Exiting from configuration mode: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# exit @@ -271,14 +271,14 @@ Exiting from configuration mode: Exiting from operational mode: -.. code-block:: console +.. code-block:: none vyos@vyos:~$ exit logout Error message when trying to exit with uncommitted changes: -.. code-block:: console +.. code-block:: none vyos@vyos# exit Cannot exit: configuration modified. @@ -287,7 +287,7 @@ Error message when trying to exit with uncommitted changes: Warning message when exiting with unsaved changes: -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# exit @@ -298,7 +298,7 @@ Load The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active -.. code-block:: console +.. code-block:: none <Enter> Load from system config file <file> Load from file on local machine @@ -310,7 +310,7 @@ The ``load`` command load a configuration from a local or remote file. You have tftp://<host>/<file> Load from file on remote machine -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# load 
@@ -324,7 +324,7 @@ Loadkey Copies the content of a public key to the ~/.ssh/authorized_keys file. -.. code-block:: console +.. code-block:: none loadkey <username> [tab] @@ -342,7 +342,7 @@ The ``merge`` command merge the config from a local or remote file with the runn In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# show firewall @@ -384,7 +384,7 @@ The ``rename`` command allows you to rename or move a configuration object. See here how to move the configuration entrys from vlanid 3 to 2 -.. code-block:: console +.. code-block:: none [edit interfaces ethernet eth1] vyos@vyos# show @@ -418,7 +418,7 @@ Rollback You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot. Use the compare command to verify the configuration you want to rollback to. -.. code-block:: console +.. code-block:: none vyos@vyos# compare 1 [edit system] @@ -436,7 +436,7 @@ Run The ``run`` command allows you to execute any operational mode commands without exiting the configuration session. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# run show interfaces @@ -451,7 +451,7 @@ Save The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP. -.. code-block:: console +.. code-block:: none <Enter> Save to system config file <file> Save to file on local machine @@ -465,7 +465,7 @@ Set The ``set`` command create all configuration entrys -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 
@@ -477,7 +477,7 @@ The ``show`` command in the configuration mode displays the configuration and sh Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes. -.. code-block:: console +.. code-block:: none [edit] vyos@vyos# show diff --git a/docs/appendix/commandtree/operationmode.rst b/docs/appendix/commandtree/operationmode.rst index 96c7a631..8092f248 100644 --- a/docs/appendix/commandtree/operationmode.rst +++ b/docs/appendix/commandtree/operationmode.rst @@ -8,7 +8,7 @@ After this is the first view after the login. Please see :ref:`cli` for navigation in the CLI -.. code-block:: console +.. code-block:: none vyos@vyos:~$ [tab] @@ -44,7 +44,7 @@ Please see :ref:`cli` for navigation in the CLI Add ^^^ -.. code-block:: console +.. code-block:: none raid Add a RAID set element system Add an item to a system facility @@ -52,7 +52,7 @@ Add Clear ^^^^^ -.. code-block:: console +.. code-block:: none console Clear screen firewall Clear firewall statistics @@ -69,13 +69,13 @@ Clone The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image. To clone the running config to a system image: -.. code-block:: console +.. code-block:: none clone system config <system-image> from running To clone from system image A to system image B: -.. code-block:: console +.. code-block:: none clone system config <system-image-B> from <system-image-A> @@ -85,7 +85,7 @@ Configure The ``configure`` command allows you to enter configuration mode. -.. code-block:: console +.. code-block:: none vyos@vyos:~$ configure [edit] @@ -97,7 +97,7 @@ Connect The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface. -.. code-block:: console +.. code-block:: none connect interface <interface> 
@@ -108,7 +108,7 @@ The ``copy`` command allows you to copy a file to your running config or over im It can look like this example: -.. code-block:: console +.. code-block:: none vyos@vyos:~$ copy file [tab] Possible completions: @@ -127,7 +127,7 @@ It can look like this example: To copy from file A to file B: -.. code-block:: console +.. code-block:: none copy <file A> to <file B> @@ -135,7 +135,7 @@ To copy from file A to file B: Delete ^^^^^^ -.. code-block:: console +.. code-block:: none conntrack Delete Conntrack entries file Delete files in a particular image @@ -149,14 +149,14 @@ Disconnect The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface. -.. code-block:: console +.. code-block:: none disconnect interface <interface> Force ^^^^^ -.. code-block:: console +.. code-block:: none arp Send gratuitous ARP request or reply cluster Force a cluster state transition @@ -167,14 +167,14 @@ Format The ``format`` command allows you to format a disk the same way as another one. -.. code-block:: console +.. code-block:: none format disk <target> like <source> Generate ^^^^^^^^ -.. code-block:: console +.. code-block:: none openvpn OpenVPN key generation tool ssh-server-key @@ -188,7 +188,7 @@ Install The ``install`` command allows you to install the system image on the disk. -.. code-block:: console +.. code-block:: none install image @@ -198,7 +198,7 @@ Monitor ``monitor`` can be used to continually view what is happening on the router. -.. code-block:: console +.. code-block:: none bandwidth Monitor interface bandwidth in real time bandwidth-test @@ -232,7 +232,7 @@ Ping The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received. -.. code-block:: console +.. code-block:: none <hostname> Send Internet Control Message Protocol (ICMP) echo request <x.x.x.x> 
@@ -244,7 +244,7 @@ Poweroff The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately. -.. code-block:: console +.. code-block:: none <Enter> Execute the current command at Poweroff at a specific time @@ -256,7 +256,7 @@ Reboot ^^^^^^ The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately. -.. code-block:: console +.. code-block:: none <Enter> Execute the current command at Poweroff at a specific time @@ -269,7 +269,7 @@ Release The ``release`` command allows you to release a DHCP or DHCPv6 lease. -.. code-block:: console +.. code-block:: none vyos@vyos:~$ release dhcp interface <int> vyos@vyos:~$ release dhcpv6 interface <int> @@ -280,7 +280,7 @@ Rename The ``rename`` command allows you to rename a system image. -.. code-block:: console +.. code-block:: none rename system image <currentname> <newname> @@ -290,7 +290,7 @@ Renew The ``renew`` command allows you to renew a DHCP or DHCPv6 lease. -.. code-block:: console +.. code-block:: none vyos@vyos:~$ renew dhcp interface <int> vyos@vyos:~$ renew dhcpv6 interface <int> @@ -298,7 +298,7 @@ The ``renew`` command allows you to renew a DHCP or DHCPv6 lease. Reset ^^^^^ -.. code-block:: console +.. code-block:: none conntrack Reset all currently tracked connections conntrack-sync @@ -315,7 +315,7 @@ Reset Restart ^^^^^^^ -.. code-block:: console +.. code-block:: none cluster Restart cluster node conntrack-sync @@ -335,7 +335,7 @@ Restart Set ^^^ -.. code-block:: console +.. code-block:: none <OPTION> Bash builtin set command console Control console behaviors @@ -346,7 +346,7 @@ Set Show ^^^^ -.. code-block:: console +.. code-block:: none arp Show Address Resolution Protocol (ARP) information bridge Show bridging information 
@@ -410,7 +410,7 @@ In the past the ``telnet`` command allowed you to connect remotely to another de Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open. -.. code-block:: console +.. code-block:: none vyos@vyos:~$ telnet 192.168.1.3 443 Trying 192.168.1.3... @@ -426,7 +426,7 @@ Traceroute The ``traceroute`` command allows you to trace the path taken to a particular device. -.. code-block:: console +.. code-block:: none <hostname> Track network path to specified node <x.x.x.x> @@ -438,7 +438,7 @@ The ``traceroute`` command allows you to trace the path taken to a particular de Update ^^^^^^ -.. code-block:: console +.. code-block:: none dns Update DNS information webproxy Update webproxy
\ No newline at end of file diff --git a/docs/appendix/examples/azure-vpn-bgp.rst b/docs/appendix/examples/azure-vpn-bgp.rst index 896f43d4..57f82396 100644 --- a/docs/appendix/examples/azure-vpn-bgp.rst +++ b/docs/appendix/examples/azure-vpn-bgp.rst @@ -52,7 +52,7 @@ Vyos configuration - Configure the IKE and ESP settings to match a subset of those supported by Azure: -.. code-block:: console +.. code-block:: none set vpn ipsec esp-group AZURE compression 'disable' set vpn ipsec esp-group AZURE lifetime '3600' @@ -73,26 +73,26 @@ Vyos configuration - Enable IPsec on eth0 -.. code-block:: console +.. code-block:: none set vpn ipsec ipsec-interfaces interface 'eth0' - Configure a VTI with a dummy IP address -.. code-block:: console +.. code-block:: none set interfaces vti vti1 address '10.10.1.5/32' set interfaces vti vti1 description 'Azure Tunnel' - Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. -.. code-block:: console +.. code-block:: none set firewall options interface vti1 adjust-mss 1350 - Configure the VPN tunnel -.. code-block:: console +.. code-block:: none set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' @@ -108,13 +108,13 @@ Vyos configuration - **Important**: Add an interface route to reach Azure's BGP listener -.. code-block:: console +.. code-block:: none set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 - Configure your BGP settings -.. code-block:: console +.. code-block:: none set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' @@ -123,6 +123,6 @@ Vyos configuration - **Important**: Disable connected check \ -.. code-block:: console +.. code-block:: none set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check 
diff --git a/docs/appendix/examples/azure-vpn-dual-bgp.rst b/docs/appendix/examples/azure-vpn-dual-bgp.rst index 27007709..cbe9a4d9 100644 --- a/docs/appendix/examples/azure-vpn-dual-bgp.rst +++ b/docs/appendix/examples/azure-vpn-dual-bgp.rst @@ -55,7 +55,7 @@ Vyos configuration - Configure the IKE and ESP settings to match a subset of those supported by Azure: -.. code-block:: console +.. code-block:: none set vpn ipsec esp-group AZURE compression 'disable' set vpn ipsec esp-group AZURE lifetime '3600' @@ -76,13 +76,13 @@ Vyos configuration - Enable IPsec on eth0 -.. code-block:: console +.. code-block:: none set vpn ipsec ipsec-interfaces interface 'eth0' - Configure two VTIs with a dummy IP address each -.. code-block:: console +.. code-block:: none set interfaces vti vti1 address '10.10.1.5/32' set interfaces vti vti1 description 'Azure Primary Tunnel' @@ -92,14 +92,14 @@ Vyos configuration - Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. -.. code-block:: console +.. code-block:: none set firewall options interface vti1 adjust-mss 1350 set firewall options interface vti2 adjust-mss 1350 - Configure the VPN tunnels -.. code-block:: console +.. code-block:: none set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' @@ -127,14 +127,14 @@ Vyos configuration - **Important**: Add an interface route to reach both Azure's BGP listeners -.. code-block:: console +.. code-block:: none set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2 - Configure your BGP settings -.. code-block:: console +.. code-block:: none set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' 
@@ -149,7 +149,7 @@ Vyos configuration - **Important**: Disable connected check, otherwise the routes learned from Azure will not be imported into the routing table. -.. code-block:: console +.. code-block:: none set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check diff --git a/docs/appendix/examples/bgp-ipv6-unnumbered.rst b/docs/appendix/examples/bgp-ipv6-unnumbered.rst index 0aceee01..0e5f48b4 100644 --- a/docs/appendix/examples/bgp-ipv6-unnumbered.rst +++ b/docs/appendix/examples/bgp-ipv6-unnumbered.rst @@ -10,7 +10,7 @@ Configuration - Router A: -.. code-block:: console +.. code-block:: none set protocols bgp 65020 address-family ipv4-unicast redistribute connected set protocols bgp 65020 address-family ipv6-unicast redistribute connected @@ -29,7 +29,7 @@ Configuration - Router B: -.. code-block:: console +.. code-block:: none set protocols bgp 65021 address-family ipv4-unicast redistribute connected set protocols bgp 65021 address-family ipv6-unicast redistribute connected @@ -51,7 +51,7 @@ Results - Router A: -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -64,7 +64,7 @@ Results 192.168.0.1/32 ::1/128 -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, @@ -79,7 +79,7 @@ Results B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07 * via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07 -.. code-block:: console +.. code-block:: none vyos@vyos:~$ ping 192.168.0.2 PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. @@ -93,7 +93,7 @@ Results 5 packets transmitted, 5 received, 0% packet loss, time 4086ms rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show ip bgp summary 
@@ -112,7 +112,7 @@ Results - Router B: -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -125,7 +125,7 @@ Results 192.168.0.2/32 ::1/128 -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, @@ -140,7 +140,7 @@ Results * via fe80::a00:27ff:fe93:e142, eth2, 00:06:18 C>* 192.168.0.2/32 is directly connected, lo, 00:44:11 -.. code-block:: console +.. code-block:: none vyos@vyos:~$ ping 192.168.0.1 PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. @@ -153,7 +153,7 @@ Results 4 packets transmitted, 4 received, 0% packet loss, time 3051ms rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show ip bgp summary IPv4 Unicast Summary: diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst index 4ccce3d9..30ca8e86 100644 --- a/docs/appendix/examples/dmvpn.rst +++ b/docs/appendix/examples/dmvpn.rst @@ -9,7 +9,7 @@ General infomration can be found in the :ref:`vpn-dmvpn` chapter. Configuration ^^^^^^^^^^^^^ -.. code-block:: console +.. code-block:: none set interfaces tunnel tun100 address '172.16.253.134/29' set interfaces tunnel tun100 encapsulation 'gre' @@ -54,7 +54,7 @@ Cisco IOS Spoke This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). -.. code-block:: console +.. code-block:: none Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport @@ -65,7 +65,7 @@ VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). Use this configuration on your Cisco device: -.. code-block:: console +.. code-block:: none crypto pki token default removal timeout 0 crypto keyring DMVPN 
diff --git a/docs/appendix/examples/ha.rst b/docs/appendix/examples/ha.rst index 1c37463c..6dbc0334 100644 --- a/docs/appendix/examples/ha.rst +++ b/docs/appendix/examples/ha.rst @@ -94,7 +94,7 @@ Bonding on Hardware Router Create a LACP bond on the hardware router. We are assuming that eth0 and eth1 are connected to port 8 on both switches, and that those ports are configured as a Port-Channel. -.. code-block:: console +.. code-block:: none set interfaces bonding bond0 description 'Switch Port-Channel' set interfaces bonding bond0 hash-policy 'layer2' @@ -111,14 +111,14 @@ VLAN 100 and 201 will have floating IP addresses, but VLAN50 does not, as this i For the hardware router, replace ``eth0`` with ``bond0``. As (almost) every command is identical, this will not be specified unless different things need to be performed on different hosts. -.. code-block:: console +.. code-block:: none set interfaces ethernet eth0 vif 50 address '192.0.2.21/24' In this case, the hardware router has a different IP, so it would be -.. code-block:: console +.. code-block:: none set interfaces ethernet bond0 vif 50 address '192.0.2.22/24' @@ -128,7 +128,7 @@ Add (temporary) default route, and enable SSH It is assumed that the routers provided by upstream are capable of acting as a default router. Add that as a static route, and enable SSH so you can now SSH into the routers, rather than using the console. -.. code-block:: console +.. code-block:: none set protocols static route 0.0.0.0/0 next-hop 192.0.2.11 set service ssh @@ -158,7 +158,7 @@ This has a floating IP address of 10.200.201.1, using virtual router ID 201. The router1 ~~~~~~~ -.. code-block:: console +.. code-block:: none set interfaces ethernet eth0 vif 201 address 10.200.201.2/24 set high-availability vrrp group int hello-source-address '10.200.201.2' 
@@ -173,7 +173,7 @@ router1 router2 ~~~~~~~ -.. code-block:: console +.. code-block:: none set interfaces ethernet bond0 vif 201 address 10.200.201.3/24 set high-availability vrrp group int hello-source-address '10.200.201.3' @@ -194,7 +194,7 @@ The virtual router ID is just a random number between 1 and 254, and can be set router1 ~~~~~~~ -.. code-block:: console +.. code-block:: none set interfaces ethernet eth0 vif 100 address 203.0.113.2/24 set high-availability vrrp group public hello-source-address '203.0.113.2' @@ -209,7 +209,7 @@ router1 router2 ~~~~~~~ -.. code-block:: console +.. code-block:: none set interfaces ethernet bond0 vif 100 address 203.0.113.3/24 set high-availability vrrp group public hello-source-address '203.0.113.3' @@ -226,7 +226,7 @@ Create vrrp sync-group The sync group is used to replicate connection tracking. It needs to be assigned to a random VRRP group, and we are creating a sync group called ``sync`` using the vrrp group ``int``. -.. code-block:: console +.. code-block:: none set high-availability vrrp sync-group sync member 'int' @@ -236,7 +236,7 @@ Testing At this point, you should be able to see both IP addresses when you run ``show interfaces``\ , and ``show vrrp`` should show both interfaces in MASTER state (and SLAVE state on router2). -.. code-block:: console +.. code-block:: none vyos@router1:~$ show vrrp Name Interface VRID State Last Transition @@ -254,7 +254,7 @@ NAT and conntrack-sync Masquerade Traffic originating from 10.200.201.0/24 that is heading out the public interface. Note we explicitly exclude the primary upstream network so that BGP or OSPF traffic doesn't accidentally get NAT'ed. -.. code-block:: console +.. code-block:: none set nat source rule 10 destination address '!192.0.2.0/24' set nat source rule 10 outbound-interface 'eth0.50' 
@@ -267,7 +267,7 @@ Configure conntrack-sync and disable helpers Most conntrack modules cause more problems than they're worth, especially in a complex network. Turn them off by default, and if you need to turn them on later, you can do so. -.. code-block:: console +.. code-block:: none set system conntrack modules ftp disable set system conntrack modules gre disable @@ -279,7 +279,7 @@ Most conntrack modules cause more problems than they're worth, especially in a c Now enable replication between nodes. Replace eth0.201 with bond0.201 on the hardware router. -.. code-block:: console +.. code-block:: none set service conntrack-sync accept-protocol 'tcp,udp,icmp' set service conntrack-sync event-listen-queue-size '8' @@ -315,7 +315,7 @@ router1 Replace the 99.99.99.99 with whatever the other router's IP address is. -.. code-block:: console +.. code-block:: none set interfaces wireguard wg01 address '10.254.60.1/30' set interfaces wireguard wg01 description 'router1-to-offsite1' @@ -339,7 +339,7 @@ offsite1 This is connecting back to the STATIC IP of router1, not the floating. -.. code-block:: console +.. code-block:: none set interfaces wireguard wg01 address '10.254.60.2/30' set interfaces wireguard wg01 description 'offsite1-to-router1' @@ -373,7 +373,7 @@ This filter is applied to ``redistribute connected``. If we WERE to advertise i via their default route, establish the connection, and then OSPF would say '192.0.2.0/24 is available via this tunnel', at which point the tunnel would break, OSPF would drop the routes, and then 192.0.2.0/24 would be reachable via default again. This is called 'flapping'. -.. code-block:: console +.. code-block:: none set policy access-list 150 description 'Outbound OSPF Redistribution' set policy access-list 150 rule 10 action 'permit' 
@@ -394,7 +394,7 @@ Create Import Filter We only want to import networks we know about. Our OSPF peer should only be advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE MATCH. You deny in access-list 100 to accept the route. -.. code-block:: console +.. code-block:: none set policy access-list 100 description 'Inbound OSPF Routes from Peers' set policy access-list 100 rule 10 action 'deny' @@ -415,7 +415,7 @@ Enable OSPF Every router **must** have a unique router-id. The 'reference-bandwidth' is used because when OSPF was originally designed, the idea of a link faster than 1gbit was unheard of, and it does not scale correctly. -.. code-block:: console +.. code-block:: none set protocols ospf area 0.0.0.0 authentication 'md5' set protocols ospf area 0.0.0.0 network '10.254.60.0/24' @@ -440,7 +440,7 @@ As a reminder, only advertise routes that you are the default router for. This i 192.0.2.0/24 network, because if that was announced into OSPF, the other routers would try to connect to that network over a tunnel that connects to that network! -.. code-block:: console +.. code-block:: none set protocols ospf access-list 150 export 'connected' set protocols ospf redistribute connected @@ -458,7 +458,7 @@ Priorities Set the cost on the secondary links to be 200. This means that they will not be used unless the primary links are down. -.. code-block:: console +.. code-block:: none set interfaces wireguard wg01 ip ospf cost '10' set interfaces wireguard wg02 ip ospf cost '200' @@ -476,7 +476,7 @@ router1 The ``redistribute ospf`` command is there purely as an example of how this can be expanded. In this walkthrough, it will be filtered by BGPOUT rule 10000, as it is not 203.0.113.0/24. -.. code-block:: console +.. code-block:: none set policy prefix-list BGPOUT description 'BGP Export List' set policy prefix-list BGPOUT rule 10 action 'deny' 
diff --git a/docs/appendix/examples/ospf-unnumbered.rst b/docs/appendix/examples/ospf-unnumbered.rst index 923e0286..47f3011c 100644 --- a/docs/appendix/examples/ospf-unnumbered.rst +++ b/docs/appendix/examples/ospf-unnumbered.rst @@ -10,7 +10,7 @@ Configuration - Router A: -.. code-block:: console +.. code-block:: none set interfaces ethernet eth0 address '10.0.0.1/24' set interfaces ethernet eth1 address '192.168.0.1/32' @@ -27,7 +27,7 @@ Configuration - Router B: -.. code-block:: console +.. code-block:: none set interfaces ethernet eth0 address '10.0.0.2/24' set interfaces ethernet eth1 address '192.168.0.2/32' @@ -48,7 +48,7 @@ Results - Router A: -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -61,7 +61,7 @@ Results 192.168.0.1/32 ::1/128 -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, @@ -83,7 +83,7 @@ Results - Router B: -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down @@ -96,7 +96,7 @@ Results 192.168.0.2/32 ::1/128 -.. code-block:: console +.. code-block:: none vyos@vyos:~$ show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, diff --git a/docs/appendix/examples/tunnelbroker-ipv6.rst b/docs/appendix/examples/tunnelbroker-ipv6.rst index e8fc9a8b..2977604d 100644 --- a/docs/appendix/examples/tunnelbroker-ipv6.rst +++ b/docs/appendix/examples/tunnelbroker-ipv6.rst @@ -17,7 +17,7 @@ Setting up the initial tunnel - Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page. -.. code-block:: console +.. code-block:: none conf set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be your VyOS install's public IPv6 address 
@@ -34,7 +34,7 @@ Setting up the initial tunnel - At this point you should be able to ping an IPv6 address. Try pinging Google: -.. code-block:: console +.. code-block:: none ping6 -c2 2001:4860:4860::8888 @@ -47,7 +47,7 @@ Setting up the initial tunnel - Assuming the pings are successful, you need to add some DNS servers. Some options: -.. code-block:: console +.. code-block:: none set system name-server 2001:4860:4860::8888 # Google set system name-server 2001:4860:4860::8844 # Google @@ -57,7 +57,7 @@ Setting up the initial tunnel - You should now be able to ping something by IPv6 DNS name: -.. code-block:: console +.. code-block:: none # ping6 -c2 one.one.one.one PING one.one.one.one(one.one.one.one) 56 data bytes @@ -87,7 +87,7 @@ Single LAN Setup Single LAN setup where eth1 is your LAN interface. Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel): -.. code-block:: console +.. code-block:: none set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64' set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' @@ -118,7 +118,7 @@ In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65 So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc: -.. code-block:: console +.. code-block:: none set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64' set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888' diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst index 66cc3338..7a25d063 100644 --- a/docs/appendix/examples/zone-policy.rst +++ b/docs/appendix/examples/zone-policy.rst @@ -8,7 +8,7 @@ Native IPv4 and IPv6 We have three networks. -.. code-block:: console +.. code-block:: none WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64 LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64 
@@ -25,7 +25,7 @@ WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30. It will look something like this: -.. code-block:: console +.. code-block:: none interfaces { ethernet eth0 { @@ -80,7 +80,7 @@ ruleset. In rules, it is good to keep them named consistently. As the number of rules you have grows, the more consistency you have, the easier your life will be. -.. code-block:: console +.. code-block:: none Rule 1 - State Established, Related Rule 2 - State Invalid @@ -105,7 +105,7 @@ significant headaches when trying to troubleshoot a connectivity issue. To add logging to the default rule, do: -.. code-block:: console +.. code-block:: none set firewall name <ruleSet> enable-default-log @@ -143,7 +143,7 @@ The following are the rules that were created for this example (may not be complete), both in IPv4 and IPv6. If there is no IP specified, then the source/destination address is not explicit. -.. code-block:: console +.. code-block:: none WAN – DMZ:192.168.200.200 – tcp/80 WAN – DMZ:192.168.200.200 – tcp/443 @@ -195,7 +195,7 @@ then the source/destination address is not explicit. Since we have 4 zones, we need to setup the following rulesets. -.. code-block:: console +.. code-block:: none Lan-wan Lan-local @@ -217,7 +217,7 @@ connection attempts. This is an example of the three base rules. -.. code-block:: console +.. code-block:: none name wan-lan { default-action drop @@ -241,7 +241,7 @@ This is an example of the three base rules. Here is an example of an IPv6 DMZ-WAN ruleset. -.. code-block:: console +.. code-block:: none ipv6-name dmz-wan-6 { default-action drop @@ -317,7 +317,7 @@ zone-policy. Start by setting the interface and default action for each zone. -.. code-block:: console +.. code-block:: none set zone-policy zone dmz default-action drop set zone-policy zone dmz interface eth0.30 @@ -342,7 +342,7 @@ LAN, WAN, DMZ, local and TUN (tunnel) v6 pairs would be: -.. code-block:: console +.. code-block:: none lan-tun lan-local 
@@ -363,7 +363,7 @@ You would have to add a couple of rules on your wan-local ruleset to allow proto Something like: -.. code-block:: console +.. code-block:: none rule 400 { action accept diff --git a/docs/appendix/migrate-from-vyatta.rst b/docs/appendix/migrate-from-vyatta.rst index 7ca64c16..051d7cef 100644 --- a/docs/appendix/migrate-from-vyatta.rst +++ b/docs/appendix/migrate-from-vyatta.rst @@ -30,7 +30,7 @@ You just use ``add system image``, as if it was a new VC release (see is to verify the new images digital signature. You will have to add the public key manually once as it is not shipped the first time. -.. code-block:: console +.. code-block:: none vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key Connecting to vyos.net (x.x.x.x:80) @@ -41,7 +41,7 @@ key manually once as it is not shipped the first time. For completion the key below corresponds to the key listed in the URL above. -.. code-block:: console +.. code-block:: none -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.12 (GNU/Linux) @@ -101,7 +101,7 @@ Next add the VyOS image. This example uses VyOS 1.0.0, however, it's better to install the latest release. -.. code-block:: console +.. code-block:: none vyatta@vyatta:~$ show system image The system currently has the following image(s) installed: diff --git a/docs/appendix/vyos-on-baremetal.rst b/docs/appendix/vyos-on-baremetal.rst index e6b7597e..2b155fd7 100644 --- a/docs/appendix/vyos-on-baremetal.rst +++ b/docs/appendix/vyos-on-baremetal.rst @@ -114,7 +114,7 @@ Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine. Connect serial port to a PC through null modem cable (RXD / TXD crossed over). Set terminal emulator to 115200 8N1. -.. code-block:: console +.. code-block:: none PC Engines apu4 coreboot build 20171130 
@@ -135,7 +135,7 @@ Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing ``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter`` to continue. -.. code-block:: console +.. code-block:: none lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x VyOS - Boot Menu x @@ -147,7 +147,7 @@ to continue. The image will be loaded and the last lines you will get will be: -.. code-block:: console +.. code-block:: none Loading /live/vmlinuz... ok Loading /live/initrd.img... @@ -155,7 +155,7 @@ The image will be loaded and the last lines you will get will be: The Kernel will now spin up using a different console setting. Set terminal emulator to 9600 8N1 and after a while your console will show: -.. code-block:: console +.. code-block:: none Loading /live/vmlinuz... ok Loading /live/initrd.img... @@ -172,14 +172,14 @@ your first successful boot. Use the following command to adjust the :ref:`serial-console` settings: -.. code-block:: console +.. code-block:: none set system console device ttyS0 speed 115200 .. note:: Once you ``commit`` the above changes access to the serial interface is lost until you set your terminal emulator to 115200 8N1 again. -.. code-block:: console +.. code-block:: none vyos@vyos# show system console device ttyS0 { |
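Review bot: in docs/appendix/migrate-from-vyatta.rst, hunk @@ -30,7 +30,7 @@, the retagged block still has the reader fetch the signing key with ``wget http://wiki.vyos.net/so3group_maintainers.key``, over plain HTTP, and the paragraph above it says that key is what verifies the new image's digital signature. A key obtained over an unauthenticated channel can be replaced in transit, which makes the later signature check meaningless. Since the block is being touched, suggest adding a step that compares the imported key's fingerprint with a value published through a separate channel, and switching the URL to HTTPS if the host serves it. Minor wording in the same context: "new images digital signature" should read "new image's digital signature".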
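Review bot: in docs/appendix/examples/tunnelbroker-ipv6.rst, hunk @@ -57,7 +57,7 @@, the leading ``#`` in ``# ping6 -c2 one.one.one.one`` is a shell prompt, while in the block of hunk @@ -47,7 +47,7 @@ the same character introduces trailing comments (``# Google``). With the lexer now set to ``none`` nothing distinguishes the two, so a reader copying the line cannot tell whether it is a command or a comment. Suggest writing the prompt in full, as the other files in this patch do (``vyos@vyos:~$`` or ``vyos@vyos#``), or dropping the prompt from this block.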
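Review bot: in docs/appendix/examples/zone-policy.rst, hunk @@ -195,7 +195,7 @@, the ruleset list is capitalised (``Lan-wan``, ``Lan-local``) while every other ruleset name visible in this file is lowercase (``wan-lan``, ``dmz-wan-6``, ``lan-tun``, ``lan-local``). The text in hunk @@ -80,7 +80,7 @@ itself advises keeping names consistent, and these names are what the reader will type into ``set firewall name <ruleSet>``, so the list should be lowercased while the block is being edited. The sentence above it also wants "set up" rather than "setup".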
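Review bot: in docs/appendix/vyos-on-baremetal.rst, hunk @@ -135,7 +135,7 @@, the boot menu block is a raw serial capture in which the box-drawing frame came through as letters (``lqqqq...qk`` for the top border, ``x VyOS - Boot Menu x`` for the sides). Retagging it as ``none`` keeps that garbling in the rendered page. Suggest replacing the ``l``/``q``/``k``/``x`` frame with plain ASCII (``+``, ``-``, ``|``) or Unicode box characters in the same change so the block shows what the reader will actually see on the console.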