Diffstat (limited to 'docs/configuration/system')
-rw-r--r--docs/configuration/system/frr.rst38
-rw-r--r--docs/configuration/system/index.rst2
-rw-r--r--docs/configuration/system/ip.rst15
-rw-r--r--docs/configuration/system/ipv6.rst43
-rw-r--r--docs/configuration/system/login.rst157
-rw-r--r--docs/configuration/system/sflow.rst2
-rw-r--r--docs/configuration/system/syslog.rst15
-rw-r--r--docs/configuration/system/updates.rst37
8 files changed, 262 insertions, 47 deletions
diff --git a/docs/configuration/system/frr.rst b/docs/configuration/system/frr.rst
new file mode 100644
index 00000000..a7f7ff93
--- /dev/null
+++ b/docs/configuration/system/frr.rst
@@ -0,0 +1,38 @@
+.. _system_frr:
+
+###
+FRR
+###
+
+VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic
+and static routing. The routing daemon behavior can be adjusted during runtime,
+but require either a restart of the routing daemon, or a reboot of the system.
+
+.. cfgcmd:: set system frr bmp
+
+ Enable :abbr:`BMP (BGP Monitoring Protocol)` support
+
+.. cfgcmd:: set system frr descriptors <numer>
+
+ This allows the operator to control the number of open file descriptors
+ each daemon is allowed to start with. If the operator plans to run bgp with
+ several thousands of peers then this is where we would modify FRR to allow
+ this to happen.
+
+.. cfgcmd:: set system frr irdp
+
+ Enable ICMP Router Discovery Protocol support
+
+.. cfgcmd:: set system frr snmp <daemon>
+
+ Enable SNMP support for an individual routing daemon.
+
+ Supported daemons:
+
+ - bgpd
+ - isisd
+ - ldpd
+ - ospf6d
+ - ospfd
+ - ripd
+ - zebra
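Review bot: `[FRRouting](https://frrouting.org/)` in the opening paragraph is Markdown link syntax and will render literally in Sphinx; in this .rst file it should be `` `FRRouting <https://frrouting.org/>`_ ``. Two smaller fixes in the same hunk: `<numer>` in `set system frr descriptors <numer>` should be `<number>`, and "but require either a restart" should read "but requires either a restart". Since the paragraph says changes only take effect after a daemon restart or reboot, each cfgcmd entry (or the intro) should say which of the two applies.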
diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst
index 23edaa3f..dbb63d09 100644
--- a/docs/configuration/system/index.rst
+++ b/docs/configuration/system/index.rst
@@ -11,6 +11,7 @@ System
conntrack
console
flow-accounting
+ frr
host-name
ip
ipv6
@@ -24,6 +25,7 @@ System
sysctl
task-scheduler
time-zone
+ updates
.. toctree::
diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst
index 29f46ae9..0f45b7ca 100644
--- a/docs/configuration/system/ip.rst
+++ b/docs/configuration/system/ip.rst
@@ -27,6 +27,21 @@ System configuration commands
Use this command to use Layer 4 information for IPv4 ECMP hashing.
+Zebra/Kernel route filtering
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Zebra supports prefix-lists and Route Mapss to match routes received from
+other FRR components. The permit/deny facilities provided by these commands
+can be used to filter which routes zebra will install in the kernel.
+
+.. cfgcmd:: set system ip protocol <protocol> route-map <route-map>
+
+ Apply a route-map filter to routes for the specified protocol. The following
+ protocols can be used: any, babel, bgp, connected, eigrp, isis, kernel,
+ ospf, rip, static, table
+
+ .. note:: If you choose any as the option that will cause all protocols that
+ are sending routes to zebra.
Operational commands
--------------------
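Review bot: "Route Mapss" in the new paragraph is a typo for "route-maps", and the note sentence "If you choose any as the option that will cause all protocols that are sending routes to zebra." is incomplete; suggest "If ``any`` is chosen, the route-map is applied to all protocols that send routes to zebra." Wrapping `any` in double backticks would also match how the cfgcmd argument is written.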
diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst
index 0b9f9cc8..c7308f9d 100644
--- a/docs/configuration/system/ipv6.rst
+++ b/docs/configuration/system/ipv6.rst
@@ -23,6 +23,21 @@ System configuration commands
Use this command to user Layer 4 information for ECMP hashing.
+Zebra/Kernel route filtering
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Zebra supports prefix-lists and Route Mapss to match routes received from
+other FRR components. The permit/deny facilities provided by these commands
+can be used to filter which routes zebra will install in the kernel.
+
+.. cfgcmd:: set system ipv6 protocol <protocol> route-map <route-map>
+
+ Apply a route-map filter to routes for the specified protocol. The following
+ protocols can be used: any, babel, bgp, connected, isis, kernel, ospfv3,
+ ripng, static, table
+
+ .. note:: If you choose any as the option that will cause all protocols that
+ are sending routes to zebra.
Operational commands
--------------------
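Review bot: this is a copy of the ip.rst hunk and carries the same two defects: "Route Mapss" should be "route-maps", and the note sentence "If you choose any as the option that will cause all protocols that are sending routes to zebra." is incomplete (suggest "If ``any`` is chosen, the route-map is applied to all protocols that send routes to zebra."). The context line just above, "Use this command to user Layer 4 information", has "user" for "use" and could be fixed while this file is being touched.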
@@ -66,6 +81,7 @@ Show commands
static Show IPv6 static routes
summary Show IPv6 routes summary
table Show IP routes in policy table
+ tag Show only routes with tag
vrf Show IPv6 routes in VRF
@@ -97,33 +113,6 @@ Show commands
<Enter> Execute the current command
<text> Show specified IPv6 access-list
-.. opcmd:: show ipv6 bgp
-
- Use this command to show IPv6 Border Gateway Protocol information.
-
-
- In addition, you can specify many other parameters to get BGP
- information:
-
- .. code-block:: none
-
- vyos@vyos:~$ show ipv6 bgp
- Possible completions:
- <Enter> Execute the current command
- <X:X::X:X> Show BGP information for given address or prefix
- <X:X::X:X/M>
- community Show routes matching the communities
- community-list
- Show routes matching the community-list
- filter-list Show routes conforming to the filter-list
- large-community
- Show routes matching the large-community-list
- large-community-list
- neighbors Show detailed information on TCP and BGP neighbor connections
- prefix-list Show routes matching the prefix-list
- regexp Show routes matching the AS path regular expression
- route-map Show BGP routes matching the specified route map
- summary Show summary of BGP neighbor status
.. opcmd:: show ipv6 ospfv3
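Review bot: the whole `show ipv6 bgp` opcmd section is removed here without a replacement pointer; if the command is now documented on the BGP protocol page, add a one-line `:ref:` to it at this spot so readers of the IPv6 page are not left with `show ipv6 ospfv3` as the only routing show command.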
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index a5c1b558..98e05cdd 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -82,8 +82,8 @@ The third part is simply an identifier, and is for your own reference.
<identifier> options <options>
Set the options for this public key. See the ssh ``authorized_keys`` man
- page for details of what you can specify here. To place a ``"``
- character in the options field, use ``&quot;``, for example
+ page for details of what you can specify here. To place a ``"``
+ character in the options field, use ``&quot;``, for example
``from=&quot;10.0.0.0/24&quot;`` to restrict where the user
may connect from when using this key.
@@ -189,7 +189,7 @@ Display OTP key for user
To display the configured OTP user key, use the command:
-.. cfgcmd:: sh system login authentication user <username> otp
+.. cfgcmd:: sh system login authentication user <username> otp
<full|key-b32|qrcode|uri>
An example:
@@ -242,35 +242,122 @@ Configuration
.. cfgcmd:: set system login radius server <address> key <secret>
- Specify the `<address>` of the RADIUS server user with the pre-shared-secret
- given in `<secret>`. Multiple servers can be specified.
+ Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret
+ given in `<secret>`.
+
+ Multiple servers can be specified.
.. cfgcmd:: set system login radius server <address> port <port>
Configure the discrete port under which the RADIUS server can be reached.
- This defaults to 1812.
-.. cfgcmd:: set system login radius server <address> timeout <timeout>
-
- Setup the `<timeout>` in seconds when querying the RADIUS server.
+ This defaults to 1812.
.. cfgcmd:: set system login radius server <address> disable
Temporary disable this RADIUS server. It won't be queried.
+.. cfgcmd:: set system login radius server <address> timeout <timeout>
+
+ Setup the `<timeout>` in seconds when querying the RADIUS server.
+
.. cfgcmd:: set system login radius source-address <address>
RADIUS servers could be hardened by only allowing certain IP addresses to
connect. As of this the source address of each RADIUS query can be
- configured. If this is not set, incoming connections to the RADIUS server
- will use the nearest interface address pointing towards the server - making
- it error prone on e.g. OSPF networks when a link fails and a backup route is
- taken.
+ configured.
+
+ If unset, incoming connections to the RADIUS server will use the nearest
+ interface address pointing towards the server - making it error prone on
+ e.g. OSPF networks when a link fails and a backup route is taken.
+
+.. cfgcmd:: set system login radius vrf <name>
+
+ Source all connections to the RADIUS servers from given VRF `<name>`.
+
+Configuration Example
+---------------------
+
+.. code-block:: none
+
+ set system login radius server 192.168.0.2 key 'test-vyos'
+ set system login radius server 192.168.0.2 port '1812'
+ set system login radius server 192.168.0.2 timeout '5'
+ set system login radius source-address '192.168.0.1'
+
+
+ If there is no communication between VyOS and RADIUS server users can
+ authenticate from local user accounts. During authentication from the local
+ accounts users can observe some timeouts. Timeout in seconds depends on
+ the configured timeout option.
.. hint:: If you want to have admin users to authenticate via RADIUS it is
essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without
the attribute you will only get regular, non privilegued, system users.
+TACACS+
+=======
+
+In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`,
+:abbr:`TACACS (Terminal Access Controller Access Control System)` can also be
+found in large deployments.
+
+TACACS is defined in :rfc:`8907`.
+
+.. _TACACS Configuration:
+
+Configuration
+-------------
+
+.. cfgcmd:: set system login tacas server <address> key <secret>
+
+ Specify the IP `<address>` of the TACACS server user with the pre-shared-secret
+ given in `<secret>`.
+
+ Multiple servers can be specified.
+
+.. cfgcmd:: set system login tacas server <address> port <port>
+
+ Configure the discrete port under which the TACACS server can be reached.
+
+ This defaults to 49.
+
+.. cfgcmd:: set system login tacas server <address> disable
+
+ Temporary disable this TACACS server. It won't be queried.
+
+.. cfgcmd:: set system login tacas server <address> timeout <timeout>
+
+ Setup the `<timeout>` in seconds when querying the TACACS server.
+
+.. cfgcmd:: set system login tacas source-address <address>
+
+ TACACS servers could be hardened by only allowing certain IP addresses to
+ connect. As of this the source address of each TACACS query can be
+ configured.
+
+ If unset, incoming connections to the TACACS server will use the nearest
+ interface address pointing towards the server - making it error prone on
+ e.g. OSPF networks when a link fails and a backup route is taken.
+
+.. cfgcmd:: set system login tacas vrf <name>
+
+ Source all connections to the TACACS servers from given VRF `<name>`.
+
+.. _login:tacacs_example:
+
+Configuration Example
+---------------------
+
+.. code-block:: none
+
+ set system login tacacs server 192.168.0.2 key 'test-vyos'
+ set system login tacacs server 192.168.0.2 port '49'
+ set system login tacacs source-address '192.168.0.1'
+
+
+ If there is no communication between VyOS and TACACS server users can
+ authenticate from local user accounts.
Login Banner
============
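Review bot: the six new TACACS cfgcmd entries use `set system login tacas ...` while both configuration examples (and the existing RADIUS entries) spell it `tacacs`; the cfgcmd paths should be `set system login tacacs server <address> key <secret>` etc., otherwise the documented command is wrong. Second, the paragraphs starting "If there is no communication between VyOS and RADIUS server ..." and "... TACACS server ..." are indented under `.. code-block:: none` and will be rendered as part of the literal block; dedent them to column 0 so they become normal paragraphs. Third, "Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret" (repeated for TACACS) should read "of the RADIUS server, used with the pre-shared secret". Minor: the heading says "TACACS+" but the abbr and the text say "TACACS"; pick one name.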
@@ -290,6 +377,21 @@ information for this system.
.. note:: To create a new line in your login message you need to escape the new
line character by using ``\\n``.
+Limits
+======
+
+Login limits
+
+.. cfgcmd:: set system login max-login-session <number>
+
+ Set a limit on the maximum number of concurrent logged-in users on
+ the system.
+
+ This option must be used with ``timeout`` option.
+
+.. cfgcmd:: set system login timeout <timeout>
+
+ Configure session timeout after which the user will be logged out.
Example
=======
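Review bot: "Login limits" sits as an orphan line between the `Limits` heading and the first cfgcmd; either expand it to a sentence ("These options restrict concurrent sessions and idle time.") or drop it. In the `max-login-session` entry, "must be used with ``timeout`` option" should be "must be used together with the ``timeout`` option", and the `timeout` entry does not state the unit of `<timeout>`; add it so operators do not guess between seconds and minutes.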
@@ -311,3 +413,32 @@ the password.
set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
set system login user vyos authentication plaintext-password vyos
+
+TACACS Example
+--------------
+
+We use a vontainer providing the TACACS serve rin this example.
+
+Load the container image in op-mode.
+
+.. code-block:: none
+
+ add container image lfkeitel/tacacs_plus:latest
+
+.. code-block:: none
+
+ set container network tac-test prefix '100.64.0.0/24'
+
+ set container name tacacs1 image 'lfkeitel/tacacs_plus:latest'
+ set container name tacacs1 network tac-test address '100.64.0.11'
+
+ set container name tacacs2 image 'lfkeitel/tacacs_plus:latest'
+ set container name tacacs2 network tac-test address '100.64.0.12'
+
+ set system login tacacs server 100.64.0.11 key 'tac_plus_key'
+ set system login tacacs server 100.64.0.12 key 'tac_plus_key'
+
+ commit
+
+You can now SSH into your system using admin/admin as a default user supplied
+from the ``lfkeitel/tacacs_plus:latest`` container.
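Review bot: "We use a vontainer providing the TACACS serve rin this example." should read "We use a container providing the TACACS server in this example." The first block is op-mode (`add container image`) but the second block is configuration mode (`set ... commit`) with no lead-in; add a sentence such as "Then, in configuration mode:" before it. The text explains that `admin/admin` is the default user supplied by the image, but says nothing about where `tac_plus_key` comes from; state that it must match the shared secret the container image is configured with.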
diff --git a/docs/configuration/system/sflow.rst b/docs/configuration/system/sflow.rst
index b131d8a9..c2cf5a80 100644
--- a/docs/configuration/system/sflow.rst
+++ b/docs/configuration/system/sflow.rst
@@ -1,5 +1,3 @@
-.. _ntp:
-
#####
sFlow
#####
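Review bot: removing the stray `.. _ntp:` label from sflow.rst is correct, but the file is left without any label; if any page references this document via `:ref:`, add `.. _sflow:` above the title in the same change.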
diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst
index ab427d99..8755d905 100644
--- a/docs/configuration/system/syslog.rst
+++ b/docs/configuration/system/syslog.rst
@@ -74,6 +74,11 @@ sending the messages via port 514/UDP.
either UDP or TCP.
+.. cfgcmd:: set system syslog vrf <name>
+
+ Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+
+
Local User Account
------------------
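Review bot: the description "Specify name of the VRF instance." for `set system syslog vrf <name>` does not say what the VRF is used for; given the surrounding context about sending messages to remote hosts via port 514/UDP, state it explicitly, e.g. "Send syslog messages to the remote hosts via the VRF instance `<name>`." Also drop one of the two blank lines before `Local User Account`.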
@@ -238,8 +243,8 @@ Delete Logs
Deletes the specified user-defined file <text> in the /var/log/user directory
-Note that deleting the log file does not stop the system from logging events.
-If you use this command while the system is logging events, old log events
-will be deleted, but events after the delete operation will be recorded in
-the new file. To delete the file altogether, first delete logging to the
-file using system syslog :ref:`custom-file` command, and then delete the file.
+Note that deleting the log file does not stop the system from logging events.
+If you use this command while the system is logging events, old log events
+will be deleted, but events after the delete operation will be recorded in
+the new file. To delete the file altogether, first delete logging to the
+file using system syslog :ref:`custom-file` command, and then delete the file.
diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst
new file mode 100644
index 00000000..a55bfa9a
--- /dev/null
+++ b/docs/configuration/system/updates.rst
@@ -0,0 +1,37 @@
+#######
+Updates
+#######
+
+VyOS supports online checking for updates
+
+Configuration
+=============
+
+.. cfgcmd:: set system update-check auto-check
+
+ Configure auto-checking for new images
+
+
+.. cfgcmd:: set system update-check url <url>
+
+ Configure a URL that contains information about images.
+
+
+Example
+=======
+
+.. code-block:: none
+
+ set system update-check auto-check
+ set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'
+
+Check:
+
+.. code-block:: none
+
+ vyos@r4:~$ show system updates
+ Current version: 1.5-rolling-202312220023
+
+ Update available: 1.5-rolling-202312250024
+ Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso
+ vyos@r4:~$
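Review bot: the `auto-check` entry does not say how often the check runs or what it does with the result; the example output only reports a version and a download URL, so say explicitly that the feature reports an available image and does not download or install it. "VyOS supports online checking for updates" needs a full stop, and the `url` entry should describe what the URL must point to (the example uses a `version.json`), so that operators hosting their own mirror know what format to serve. As in frr.rst, an anchor such as `.. _system_updates:` above the title would make the page referenceable.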