.. _commandtree_configmode:

Configuration mode
------------------

.. code-block:: none

  confirm           Confirm prior commit-confirm
  comment           Add comment to this configuration element
  commit            Commit the current set of changes
  commit-confirm    Commit the current set of changes with 'confirm' required
  compare           Compare configuration revisions
  copy              Copy a configuration element
  delete            Delete a configuration element
  discard           Discard uncommitted changes
  edit              Edit a sub-element
  exit              Exit from this configuration level
  load              Load configuration from a file and replace running configuration
  loadkey           Load user SSH key from a file
  merge             Load configuration from a file and merge running configuration
  rename            Rename a configuration element
  rollback          Rollback to a prior config revision (requires reboot)
  run               Run an operational-mode command
  save              Save configuration to a file
  set               Set the value of a parameter or create a new element
  show              Show the configuration (default values may be suppressed)

Confirm
^^^^^^^

The ``confirm`` command confirms the prior ``commit-confirm``.

Comment
^^^^^^^

The ``comment`` command allows you to insert a comment above the current configuration section.
The command cannot be used at the top of the configuration hierarchy, only on subsections. Comments need to be committed, just like other config changes.

To add a comment to a section while already at the proper section level:

.. code-block:: none

  [edit <section>]
  vyos@vyos# comment "Type Comment Here"

To add a comment directly to a section from the top or from a higher section:

.. code-block:: none

  [edit]
  vyos@vyos# comment <section> "Type Comment Here"

To remove a comment, add a blank comment to overwrite it:

.. code-block:: none

  [edit <section>]
  vyos@vyos# comment ""

Examples
********

To add a comment to the "interfaces" section:

.. code-block:: none

  [edit]
  vyos@vyos# edit interfaces
  [edit interfaces]
  vyos@vyos# comment "Here is a comment"
  [edit interfaces]
  vyos@vyos# commit

The comment would then appear like this:

.. code-block:: none

  [edit]
  vyos@vyos# show
   /* Here is a comment */
   interfaces {
       ethernet eth0 {
  [...]

Note that because the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return output starting after the "interfaces {" line, hiding the comment:

.. code-block:: none

  [edit]
  vyos@vyos# show interfaces
   ethernet eth0 {
  [...]

To add a comment to the interfaces section from the top:

.. code-block:: none

  [edit]
  vyos@vyos# comment interfaces "test"

The comment can be added to any node that already exists, even if it is multiple levels lower:

.. code-block:: none

  [edit]
  vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment"

Commit
^^^^^^

The ``commit`` command commits the proposed changes to the configuration file.
Changes made in a configuration session are applied only when the configuration is committed. To view the changes that will be applied, use the ``show`` command.

To discard the changes without committing, use the ``discard`` command. The ``commit`` command doesn't save the configuration; you need to use the ``save`` command manually.

The ``confirm`` keyword can be added; see ``commit-confirm``. A comment can also be entered; it will appear in the commit log.

.. code-block:: none

  [edit]
  vyos@vyos# commit
  Possible completions:
    <Enter>       Commit working configuration
    comment       Comment for commit log

Commit-confirm
^^^^^^^^^^^^^^

The ``commit-confirm`` command commits the proposed changes to the configuration file and starts a timer.
If the ``confirm`` command is not entered before the timer expires, the configuration will be rolled back and VyOS will reboot.
The default timer value is 10 minutes, but a custom value can be entered.

.. code-block:: none

  [edit]
  vyos@vyos# commit-confirm
  Possible completions:
    <Enter>       Commit, rollback/reboot in 10 minutes if no confirm
    <N>           Commit, rollback/reboot in N minutes if no confirm
    comment       Comment for commit log

Compare
^^^^^^^

VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the ``compare`` command:

.. code-block:: none

  [edit]
  vyos@vyos# compare
  Possible completions:
    <Enter>       Compare working & active configurations
    saved         Compare working & saved configurations
    <N>           Compare working with revision N
    <N> <M>       Compare revision N with M

    Revisions:
      0   2019-03-20 20:57:22 root by boot-config-loader
      1   2019-03-15 20:00:04 root by boot-config-loader
      2   2019-03-05 01:58:39 vyos by cli
      3   2019-03-05 01:54:59 vyos by cli
      4   2019-03-05 01:53:08 vyos by cli
      5   2019-03-05 01:52:21 vyos by cli
      6   2019-02-24 21:01:24 root by boot-config-loader
      7   2019-02-21 22:00:12 vyos by cli
      8   2019-02-21 21:56:49 vyos by cli

Copy
^^^^

The ``copy`` command allows you to copy a configuration object.

The example below copies the configuration entries of firewall name WAN rule 1 to rule 2.

.. code-block:: none

  [edit firewall name WAN]
  vyos@vyos# show
   rule 1 {
       action accept
       source {
           address 10.1.0.0/24
       }
   }
  [edit firewall name WAN]
  vyos@vyos# copy rule 1 to rule 2
  [edit firewall name WAN]
  vyos@vyos# show
   rule 1 {
       action accept
       source {
           address 10.1.0.0/24
       }
   }
  +rule 2 {
  +    action accept
  +    source {
  +        address 10.1.0.0/24
  +    }
  +}

Delete
^^^^^^

The ``delete`` command deletes a configuration entry.

This example deletes the whole ``service tftp-server`` section.

.. code-block:: none

  delete service tftp-server

Discard
^^^^^^^

The ``discard`` command removes all pending configuration changes.

.. code-block:: none

  [edit]
  vyos@vyos# discard
  Changes have been discarded

Edit
^^^^

The ``edit`` command allows you to navigate down into the configuration tree.
To avoid writing or pasting long paths,
you can set the edit level to any node with the ``edit`` command,
such as ``edit firewall name Foo``.
Once you are at some level, you can use relative node paths,
such as ``set rule 10 action accept`` in this case.

To get back to an upper level, use the ``up`` command, or use the ``top`` command to get back to the uppermost level.

The ``[edit]`` text displays where the user is located in the configuration tree.

.. code-block:: none

  vyos@vyos# edit firewall name Foo
  [edit firewall name Foo]
  vyos@vyos# set rule 10 protocol tcp
  [edit firewall name Foo]
  vyos@vyos# edit rule 10
  [edit firewall name Foo rule 10]
  vyos@vyos# set destination port 22
  [edit firewall name Foo rule 10]
  vyos@vyos# up
  [edit firewall name Foo]
  vyos@vyos# set rule 10 description "Allow SSH"
  [edit firewall name Foo]
  vyos@vyos# top
  [edit]

Exit
^^^^

The ``exit`` command exits the current configuration level. If the current configuration level isn't the top-most, then the configuration level is put back to the top-most level.
If the configuration level is at the top-most level, then it exits the configuration mode and returns to operational mode.

The ``exit`` command cannot be used if uncommitted changes exist in the configuration file. To exit with uncommitted changes, you either need to use the ``exit discard`` command or you need to commit the changes before exiting.

The ``exit`` command doesn't save the configuration; only the ``save`` command does. A warning will be given when exiting with unsaved changes. Using the ``exit`` command in operational mode logs out of the session.

Exiting from a configuration level:

.. code-block:: none

  [edit interfaces ethernet eth0]
  vyos@vyos# exit

Exiting from configuration mode:

.. code-block:: none

  [edit]
  vyos@vyos# exit
  exit
  vyos@vyos:~$

Exiting from operational mode:

.. code-block:: none

  vyos@vyos:~$ exit
  logout

Error message when trying to exit with uncommitted changes:

.. code-block:: none

  vyos@vyos# exit
  Cannot exit: configuration modified.
  Use 'exit discard' to discard the changes and exit.

Warning message when exiting with unsaved changes:

.. code-block:: none

  [edit]
  vyos@vyos# exit
  Warning: configuration changes have not been saved.

Load
^^^^

The ``load`` command loads a configuration from a local or remote file. You have to use ``commit`` to make the change active.

.. code-block:: none

  <Enter>                                Load from system config file
  <file>                                 Load from file on local machine
  scp://<user>:<passwd>@<host>/<file>    Load from file on remote machine
  sftp://<user>:<passwd>@<host>/<file>   Load from file on remote machine
  ftp://<user>:<passwd>@<host>/<file>    Load from file on remote machine
  http://<host>/<file>                   Load from file on remote machine
  https://<host>/<file>                  Load from file on remote machine
  tftp://<host>/<file>                   Load from file on remote machine

.. code-block:: none

  [edit]
  vyos@vyos# load
  Loading configuration from '/config/config.boot'...
  Load complete. Use 'commit' to make changes active.

Loadkey
^^^^^^^

Copies the content of a public key to the ``~/.ssh/authorized_keys`` file.

.. code-block:: none

  loadkey <username> [tab]
    <file>                        Load from file on local machine
    scp://<user>@<host>/<file>    Load from file on remote machine
    sftp://<user>@<host>/<file>   Load from file on remote machine
    ftp://<user>@<host>/<file>    Load from file on remote machine
    http://<host>/<file>          Load from file on remote machine
    tftp://<host>/<file>          Load from file on remote machine

Merge
^^^^^

The ``merge`` command merges the config from a local or remote file with the running config.

The example below uses a ``default-firewall.config`` file containing some common firewall rules that you saved earlier.

.. code-block:: none

  [edit]
  vyos@vyos# show firewall
  Configuration under specified path is empty
  [edit]
  vyos@vyos# merge default-firewall.config
  Loading configuration from '/config/default-firewall.config'...
  Merge complete. Use 'commit' to make changes active.
  vyos@vyos# show firewall
  +all-ping enable
  +broadcast-ping disable
  +config-trap disable
  +ipv6-receive-redirects disable
  +ipv6-src-route disable
  +ip-src-route disable
  +log-martians enable
  +name WAN {
  +    default-action drop
  +    rule 1 {
  +        action accept
  +        source {
  +            address 10.1.0.0/24
  +        }
  +    }
  +    rule 2 {
  +        action accept
  +        source {
  +            address 10.1.0.0/24
  +        }
  ......

Rename
^^^^^^

The ``rename`` command allows you to rename or move a configuration object.

The example below moves the configuration entries from VLAN ID 3 to 2.

.. code-block:: none

  [edit interfaces ethernet eth1]
  vyos@vyos# show
   duplex auto
   hw-id 00:53:22:81:c6:59
   smp-affinity auto
   speed auto
   vif 3 {
       address 10.4.4.4/32
   }
  [edit interfaces ethernet eth1]
  vyos@vyos# rename vif 3 to vif 2
  [edit interfaces ethernet eth1]
  vyos@vyos# show
   duplex auto
   hw-id 00:53:22:81:c6:59
   smp-affinity auto
   speed auto
  +vif 2 {
  +    address 10.4.4.4/32
  +}
  -vif 3 {
  -    address 10.4.4.4/32
  -}
  [edit interfaces ethernet eth1]

Rollback
^^^^^^^^

You can roll back the configuration using the ``rollback`` command; however, this command will currently trigger a system reboot.
Use the ``compare`` command to verify the configuration you want to roll back to.

.. code-block:: none

  vyos@vyos# compare 1
  [edit system]
  >host-name vyos-1
  [edit]
  vyos@vyos# rollback 1
  Proceed with reboot? [confirm][y]
  Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2018):
  The system is going down for reboot NOW!

Run
^^^

The ``run`` command allows you to execute any operational mode commands without exiting the configuration session.

.. code-block:: none

  [edit]
  vyos@vyos# run show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
  Interface        IP Address                        S/L  Description
  ---------        ----------                        ---  -----------
  eth0             10.1.1.1/24                       u/u

Save
^^^^

The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP.

.. code-block:: none

  <Enter>                                Save to system config file
  <file>                                 Save to file on local machine
  scp://<user>:<passwd>@<host>/<file>    Save to file on remote machine
  sftp://<user>:<passwd>@<host>/<file>   Save to file on remote machine
  ftp://<user>:<passwd>@<host>/<file>    Save to file on remote machine
  tftp://<host>/<file>                   Save to file on remote machine

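
The remote forms accepted by ``load``, ``loadkey``, ``merge`` and ``save`` differ in what they protect: ``ftp``, ``http`` and ``tftp`` carry the file in cleartext, and the ``<user>:<passwd>@`` form puts the password on the command line. The following Python check is an added example, not part of the VyOS documentation or code; the function names, finding labels and sample lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit

CLEARTEXT = {"ftp", "http", "tftp"}    # schemes from the page with no transport encryption
ENCRYPTED = {"scp", "sftp", "https"}   # schemes from the page that run over SSH or TLS
TRANSFER_COMMANDS = {"load", "merge", "save", "loadkey"}

def audit_transfer(line):
    """Return (redacted_command, findings) for a remote transfer, else None."""
    words = line.split("# ", 1)[-1].split()      # drop a leading 'vyos@vyos# ' prompt
    if not words or words[0] not in TRANSFER_COMMANDS:
        return None
    findings, redacted, remote = [], [], False
    for word in words:
        url = urlsplit(word)
        if url.scheme in CLEARTEXT | ENCRYPTED and url.hostname:
            remote = True
            if url.scheme in CLEARTEXT:
                findings.append("cleartext-transport")
                if words[0] != "save":           # data flows into the router unverified
                    findings.append("unauthenticated-input")
            if url.password:
                findings.append("password-in-url")
                word = word.replace(f":{url.password}@", ":***@", 1)
        redacted.append(word)
    return (" ".join(redacted), findings) if remote else None

# Constructed sample lines (documentation addresses, made-up credentials).
SAMPLE_SESSION = [
    "vyos@vyos# load https://203.0.113.5/config.boot",
    "vyos@vyos# save scp://backup:s3cret@192.0.2.10/config.boot",
    "vyos@vyos# save ftp://backup:s3cret@192.0.2.10/config.boot",
    "vyos@vyos# loadkey admin tftp://192.0.2.10/id_rsa.pub",
    "vyos@vyos# merge default-firewall.config",
]

def audit_session(lines):
    """Audit every line and keep only the remote transfers that have findings."""
    results = (audit_transfer(line) for line in lines)
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for command, findings in audit_session(SAMPLE_SESSION):
        print(f"{command}  ->  {', '.join(findings)}")
```
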
Set
^^^

The ``set`` command is used to create all configuration entries.

.. code-block:: none

  [edit]
  vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1

Show
^^^^

The ``show`` command in configuration mode displays the configuration and shows uncommitted changes.

The example below shows the whole config; the address and description of eth1 will move to VLAN 2 if you commit the changes.

.. code-block:: none

  [edit]
  vyos@vyos# show
   interfaces {
       dummy dum0 {
           address 10.3.3.3/24
       }
       ethernet eth0 {
           address dhcp
           duplex auto
           hw-id 00:53:22:2b:c0:0b
           smp-affinity auto
           speed auto
       }
       ethernet eth1 {
  -        address 10.1.1.1/32
  -        description "MGMT Interface"
           duplex auto
           hw-id 00:53:22:81:c6:59
           smp-affinity auto
           speed auto
  +        vif 2 {
  +            address 10.1.1.1/32
  +            description "MGMT Interface"
  +        }
       }
       loopback lo {
       }
   }
   service {
       ssh {
           port 22
   ......

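
The ``+``, ``-`` and ``>`` markers in ``show`` and ``compare`` output can be turned into a flat list of changed configuration paths for review before ``commit``. The following Python parser is an added example, not part of the VyOS documentation or code; it assumes the marker sits in column 0 of each output line, and the function names, the watched subtrees and the sample text are illustrative.

```python
MARKERS = ("+", "-", ">")   # added, removed, changed (column 0 of each output line)

def pending_changes(show_output):
    """Return [(marker, full config path)] for every marked leaf or empty node."""
    changes, stack = [], []      # stack entries: (node name, marker, len(changes) at open)
    for raw in show_output.splitlines():
        marker = raw[0] if raw.startswith(MARKERS) else None
        text = (raw[1:] if marker else raw).strip()
        if not text or text == "[...]" or set(text) == {"."}:
            continue             # blank line or elided output
        if text.endswith("{"):
            stack.append((text[:-1].strip(), marker, len(changes)))
        elif text == "}":
            if not stack:
                raise ValueError("unbalanced '}' in show output")
            name, opened_with, seen = stack.pop()
            if opened_with and len(changes) == seen:     # marked node with no leaves
                changes.append((opened_with, " ".join([n for n, _, _ in stack] + [name])))
        elif marker:
            changes.append((marker, " ".join([n for n, _, _ in stack] + [text])))
    return changes

def touching(changes, watched=("firewall", "service ssh")):
    """Keep the changes whose path lies under one of the watched subtrees."""
    return [(m, p) for m, p in changes
            if any(p == w or p.startswith(w + " ") for w in watched)]

# Constructed sample in the layout of the page's `show` output.
SAMPLE_SHOW = """\
 firewall {
     name WAN {
+        rule 2 {
+            action accept
+        }
     }
 }
 interfaces {
     ethernet eth1 {
-        address 10.1.1.1/32
+        vif 2 {
+            address 10.1.1.1/32
+        }
     }
 }
"""

if __name__ == "__main__":
    for marker, path in pending_changes(SAMPLE_SHOW):
        print(marker, path)
```

Output that is cut off before its closing braces is accepted, so a truncated listing still yields the changes seen so far.
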