summaryrefslogtreecommitdiff
path: root/docs/configuration/system
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-06 14:40:28 +0300
committerGitHub <noreply@github.com>2026-05-06 12:40:28 +0100
commit4b36114e053ee11d0cb264a1e4cfe4692d78f194 (patch)
treebe4ecc665eb3f1d556a37e768eed14989fec57b6 /docs/configuration/system
parent21a554bd4f9156e41f1c73ba6b7223bb63b3a4ef (diff)
downloadvyos-documentation-4b36114e053ee11d0cb264a1e4cfe4692d78f194.tar.gz
vyos-documentation-4b36114e053ee11d0cb264a1e4cfe4692d78f194.zip
Add incremental RST-to-MyST swap mechanism (#1857)
* feat: add swap_sources.py for incremental RST-to-MyST migration Pre-build swap/restore script that renames md-{name}.md → {name}.md before Sphinx builds and restores after. Includes state tracking, exclude file generation, collision detection, and partial-failure rollback. 10 tests cover all specified behaviors plus rollback path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add import_myst.py for importing MyST files from myst/* branches Adds scripts/import_myst.py with import_page, git_show, list_myst_files, list_rst_files, and do_import. Imported files are written as md-{name}.md alongside existing RST files; importing is decoupled from swap activation. Adds tests/test_import_myst.py covering single-page write, identical-skip, warn-on-different-without-force, force-overwrite, and nested-path creation. All 5 tests pass on Python 3.9. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add MyST swap exclude patterns and directive config to conf.py 🤖 Generated by [robots](https://vyos.io) * feat: add swap-wrapped rendering targets to Makefile 🤖 Generated by [robots](https://vyos.io) * feat: add swap pre/post build hooks for ReadTheDocs 🤖 Generated by [robots](https://vyos.io) * feat: add empty _swap.txt, remove atexit from swap script The atexit handler in --swap mode caused immediate restore on process exit, breaking standalone usage. Makefile trap and RTD post_build handle restore reliably. 🤖 Generated by [robots](https://vyos.io) * feat: activate quick-start as MyST canary via swap mechanism Imports docs/md-quick-start.md from origin/myst/current and adds quick-start to docs/_swap.txt. Validates the swap pipeline end-to-end on one page: import_myst pulls the MD via git show, swap_sources renames md-quick-start.md to quick-start.md, sphinx-build renders quick-start.html with zero MD-specific warnings, and restore reverses the rename cleanly. 🤖 Generated by [robots](https://vyos.io) * feat: activate 106 visual-validated canaries via swap Imports 105 MD files (plus quick-start already present) from origin/myst/current and adds them to docs/_swap.txt. The selection is the BackstopJS visual-passers cohort: pages with <5% rendered diff vs the live RST docs at docs.vyos.io/en/latest/, filtered to those with an RST counterpart on current and no cmdincludemd usage (template-format reconciliation pending). Local sphinx-build with all 106 swapped: succeeded with 100 warnings (vs 95 baseline). The 5 new warnings are all undefined cross-reference labels, not build failures: - contributing/development.md (missing 'coding-guidelines') - operation/upgrade-recovery.md (3 missing 'how_it_works' / 'cancelling_recovery') - vpp/configuration/dataplane/{buffers,memory,unix}.md (missing 'vpp_config_dataplane_*' labels) Source list: ~/.claude/projects/-Users-vybot-GitHub-vyos-documentation/docs/2026-04-29-myst-conversion-audit/visual-passers-under-5pct.txt BackstopJS report: claude/gifted-hertz-74b9f9 worktree (visual-compare/), 2026-04-23 vs vyos--1838.org.readthedocs.build. 🤖 Generated by [robots](https://vyos.io) * fix: re-import 4 canary md-*.md files with xref label fixes Re-imports the dash-form-corrected versions of: - contributing/md-development.md (added (coding-guidelines)= anchor) - operation/md-upgrade-recovery.md (3 ref renames: how_it_works / cancelling_recovery -> dash form) - vpp/configuration/dataplane/md-buffers.md (vpp_config_dataplane_physmem -> vpp-config-dataplane-physmem) - vpp/configuration/dataplane/md-unix.md (vpp_config_dataplane_interface_rx_mode -> vpp-config-dataplane-interface-rx-mode) Source: origin/myst/current commit 59fbe3ea. Verified locally: clean swap-build no longer reports any of the 5 target labels (1 of 6 — vpp-config-hugepages — remains because system.md isn't in the canary swap list; that anchor lives there). 🤖 Generated by [robots](https://vyos.io) * fix: re-add 4 canary md-*.md files deleted by 242b334a Commit 242b334a accidentally staged deletions instead of modifications because the working tree had unprefixed *.md files left over from an incomplete swap-restore cycle. Re-imports the same 4 files from origin/myst/current with the xref label fixes applied: - contributing/md-development.md — (coding-guidelines)= anchor - operation/md-upgrade-recovery.md — how_it_works → how-it-works, cancelling_recovery → cancelling-recovery - vpp/configuration/dataplane/md-buffers.md — vpp_config_dataplane_physmem → vpp-config-dataplane-physmem - vpp/configuration/dataplane/md-unix.md — vpp_config_dataplane_interface_rx_mode → vpp-config-dataplane-interface-rx-mode Source: origin/myst/current commit 59fbe3ea. 🤖 Generated by [robots](https://vyos.io) * fix: resolve remaining xref label gaps in swap-active build Three small additions clear the cross-reference warnings tied to underscore-vs-dash label form mismatches and the vpp-config-hugepages reference that previously needed system.md in the canary set. - system.rst: add .. _vpp-config-hugepages: alongside the existing underscore label so memory.md references resolve regardless of whether system.md is swap-active. - md-lcp.md: add (vpp_config_dataplane_lcp_ignore-kernel-routes)= alongside dash form (carries upstream from myst/current 079fa786). - md-memory.md: add (vpp_config_dataplane_memory)= alongside dash form (also from myst/current 079fa786). Local clean swap-build with 106 canaries: before: 305 warnings, 8 undefined-label entries in our scope after: 300 warnings, 0 undefined-label entries in our scope Remaining undefined-label warnings (release-notes, prepare_commit) are in documentation.rst and unrelated to the canary swap mechanism. 🤖 Generated by [robots](https://vyos.io) * fix: re-add md-lcp.md and md-memory.md (deleted by 870c9e7e) Same disaster pattern as 242b334a: a swap-restore cycle left unprefixed *.md files in the working tree, and the subsequent git add staged deletions instead of modifications. Restoring the two affected md-*.md files from origin/myst/current 079fa786 (which has the dual underscore+dash anchors needed for the swap-active build). 🤖 Generated by [robots](https://vyos.io) * feat: expand canaries to 114; refresh 3 with cfgcmd body fix Adds 8 new visual-validated canaries from the post-cfgcmd-fix BackstopJS run (2026-04-29): - configuration/policy/as-path-list - configuration/policy/community-list - configuration/policy/extcommunity-list - configuration/policy/large-community-list - configuration/policy/local-route - configuration/policy/prefix-list - configuration/service/salt-minion - configuration/system/updates Refreshes 3 existing canaries whose MD content changed via the cfgcmd/opcmd single-line body fix on myst/current fc19ab5c: - configuration/firewall/global-options - configuration/firewall/groups - configuration/policy/route All 11 sourced from origin/myst/current. Net: 106 -> 114 canaries. 🤖 Generated by [robots](https://vyos.io) * fix: re-import md-cloud-init.md (block 3 fix from myst/current) 🤖 Generated by [robots](https://vyos.io) * feat(swap): import .md files and webp transition from myst/current Selective import from origin/myst/current (cf9c9b34): - Add/update 255 .md files (full MyST conversion plus webp ref updates) - Delete 175 PNG/JPG from docs/_static/images (webp twins already present) - Delete 5 autotest topology.png (webp twins already present) Preserved on swap (untouched): - All .rst files (incremental swap pattern) - conf.py, _ext/, _include/*.txt, .gitignore - 115 canary md-*.md files - 7 superpowers/specs/*.md design docs - Logos vyos-logo.png / vyos-logo-icon.png (referenced by conf.py) 🤖 Generated by [robots](https://vyos.io) * chore(swap): remove canary md-*.md files and docs/superpowers - Remove 115 canary md-*.md files (incremental swap helpers no longer needed) - Remove 8 files under docs/superpowers (project planning/design docs that shouldn't ship in the documentation tree) 🤖 Generated by [robots](https://vyos.io) * docs: address Copilot review feedback on imported MyST pages Fix issues flagged by Copilot review on PR #1857 (the same content lives in myst/current as the canonical source): Real bugs: - site-2-site-cisco.md: replace curly quote (U+2019) with ASCII apostrophe - rsa-keys.md: fix typo "key-pair nam>>" → "key-pair name>" - vmware.md: lowercase admonition directive (:::{NOTE} → :::{note}) - vpp/configuration/nat/index.md: remove blank line inside {include} fence Grammar: - vpp/configuration/interfaces/loopback.md: "bounded" → "bound" - vpp/configuration/sflow.md: "VyOS support" → "VyOS supports" - vpp/requirements.md: "bypass" → "bypasses" - vpp/configuration/dataplane/interface.md: "configures" → "configure" CI linter (IP addresses): - nmp.md: wrap 8.8.8.8 example with stop/start_vyoslinter - lac-lns.md: wrap LNS config block (contains 8.8.8.8) - wan-load-balancing.md: wrap whole file (illustrative non-RFC IPs) - policy/examples.md: replace 192.0.1.1 with RFC 5737 192.0.2.1 🤖 Generated by [robots](https://vyos.io) * fix(swap): address Copilot review feedback on swap infrastructure Category D — drop obsolete canary mechanism settings: - conf.py: remove '**/md-*.md' from exclude_patterns (no canaries left) - Makefile: replace malformed '*/_build/*' with '$(BUILDDIR)/**' and drop the '*/md-*' ignore (canary files no longer exist) Category C — script robustness: - import_myst.py: * list_myst_files() now raises SystemExit on git ls-tree failure instead of silently returning [] (would have masked typo'd --source refs) * list_rst_files() skips _build/ when scanning for .rst stems * import_page() rejects stems containing '..' or absolute paths and re-checks that the resolved destination stays under docs_dir * --dry-run uses a separate "would_import" counter; summary line now distinguishes dry-run from actual imports - swap_sources.py: * parse_swap_list() reads with explicit encoding='utf-8' * do_restore() validates state file version + entry shape before renaming files; raises with actionable message on corruption * State file reads/writes use explicit encoding='utf-8' throughout _swap.txt: - Wrap long comment line to satisfy 80-character doc-linter limit 🤖 Generated by [robots](https://vyos.io) * refactor(swap): rename imported .md files to md- prefix for swap mechanism Restore the canary file naming convention that swap_sources.py expects: the imported MyST pages now live as docs/<dir>/md-<name>.md alongside the existing docs/<dir>/<name>.rst, so swap_sources.py --swap can rename them into place at build time. - 254 .md files renamed (every page with a matching .rst counterpart) - 2 MyST-only pages left at their final names (no .rst exists, no swap needed): docs/copyright.md, docs/automation/terraform/terraformvyos.md All 114 stems listed in docs/_swap.txt now have a corresponding md-<name>.md source file ready to swap in. 🤖 Generated by [robots](https://vyos.io) * docs: address CodeRabbit review feedback on imported MyST pages Fix issues flagged by CodeRabbit on PR #1857. All issues are pre-existing in the upstream RST docs and inherited by the MyST conversion. Real bugs: - inter-vrf-routing-vrf-lite.md: invalid IPv6 next-hop "2001:db8::*" → "2001:db8::1" - ipsec-pa-route-based.md: vendor mislabel "Cisco" → "Palo Alto" (header on line 39 and "Monitoring on Cisco side" section heading) - bgp-ipv6-unnumbered.md: AS number mismatch between configuration and verification output for both routers (Router A: 65020 → 64496; Router B: 65021 → 64499) - qos.md: class 30 used "match ADDRESS20" instead of ADDRESS30 — broke the documented pattern (classes 10/20/30 → ADDRESS10/20/30) Security: - OpenVPN_with_LDAP.md: redact full PEM private key material from the three "set pki ... private key '...'" lines and from the embedded OpenVPN client <key> block; replace with <REDACTED> / ...REDACTED... placeholders. Public certificates retained. 🤖 Generated by [robots](https://vyos.io) * feat(swap): default to serving MyST for all swapped pages Replace the previously-curated 114-stem _swap.txt with the full set of 254 imported md-prefixed pages, so MD is served by default at build time. To revert any specific page back to RST, remove its stem from _swap.txt (or comment it out). 🤖 Generated by [robots](https://vyos.io) * fix(ext): handle RST fallback in CmdInclude when _renderer absent `cmdincludemd` is in `myst_fence_as_directive`, so MyST routes fence blocks through `render_fence → render_restructuredtext → MockRSTParser`. In that path `self.state` is a plain docutils Body with no `_renderer`, crashing the build. Fall back to `nested_parse` when `_renderer` is unavailable so the directive works in both MyST and RST/MockRSTParser contexts. 🤖 Generated by [robots](https://vyos.io) * feat(conf): copy .md sources into HTML output for plain-text serving Adds a build-finished hook that mirrors every .md file from the Sphinx source tree into the HTML output directory verbatim, making unrendered MyST sources accessible alongside HTML renders at the same URL path. 🤖 Generated by [robots](https://vyos.io) * docs: address review feedback from PR #1857 Fix conversion artifacts, typos, grammar errors, and technical inaccuracies flagged by automated code review (Copilot + CodeRabbit). Infrastructure: add root-level md-*.md exclusion to conf.py, fix sphinx-autobuild ignore globs in Makefile. Content: fix curly quotes, invalid Go panic() calls, shell quoting in cURL examples, incorrect firewall command paths, typos across 22 documentation files, remove duplicate sections. 🤖 Generated by [robots](https://vyos.io) --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'docs/configuration/system')
-rw-r--r--docs/configuration/system/md-acceleration.md158
-rw-r--r--docs/configuration/system/md-conntrack.md218
-rw-r--r--docs/configuration/system/md-console.md59
-rw-r--r--docs/configuration/system/md-default-route.md40
-rw-r--r--docs/configuration/system/md-flow-accounting.md209
-rw-r--r--docs/configuration/system/md-frr.md45
-rw-r--r--docs/configuration/system/md-host-name.md70
-rw-r--r--docs/configuration/system/md-index.md34
-rw-r--r--docs/configuration/system/md-ip.md126
-rw-r--r--docs/configuration/system/md-ipv6.md193
-rw-r--r--docs/configuration/system/md-lcd.md41
-rw-r--r--docs/configuration/system/md-login.md604
-rw-r--r--docs/configuration/system/md-name-server.md65
-rw-r--r--docs/configuration/system/md-option.md190
-rw-r--r--docs/configuration/system/md-proxy.md27
-rw-r--r--docs/configuration/system/md-sflow.md66
-rw-r--r--docs/configuration/system/md-sysctl.md16
-rw-r--r--docs/configuration/system/md-syslog.md450
-rw-r--r--docs/configuration/system/md-task-scheduler.md45
-rw-r--r--docs/configuration/system/md-time-zone.md17
-rw-r--r--docs/configuration/system/md-updates.md36
-rw-r--r--docs/configuration/system/md-watchdog.md212
22 files changed, 2921 insertions, 0 deletions
diff --git a/docs/configuration/system/md-acceleration.md b/docs/configuration/system/md-acceleration.md
new file mode 100644
index 00000000..871129e6
--- /dev/null
+++ b/docs/configuration/system/md-acceleration.md
@@ -0,0 +1,158 @@
+(acceleration)=
+
+# Acceleration
+
+In this command tree, all hardware acceleration options will be handled.
+At the moment only [Intel® QAT] is supported
+
+## Intel® QAT
+
+```{opcmd} show system acceleration qat
+
+use this command to check if there is an Intel® QAT supported Processor in your system.
+
+:::{code-block} none
+vyos@vyos:~$ show system acceleration qat
+01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
+:::
+
+if there is non device the command will show `` `No QAT device found` ``
+```
+
+```{cfgcmd} set system acceleration qat
+
+if there is a supported device, enable Intel® QAT
+```
+
+
+```{opcmd} show system acceleration qat status
+
+Check if the Intel® QAT device is up and ready to do the job.
+
+:::{code-block} none
+vyos@vyos:~$ show system acceleration qat status
+Checking status of all devices.
+There is 1 QAT acceleration device(s) in the system:
+qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
+:::
+```
+
+
+### Operation Mode
+
+```{opcmd} show system acceleration qat device \<device\> config
+
+Show the full config uploaded to the QAT device.
+```
+
+
+```{opcmd} show system acceleration qat device \<device\> flows
+
+Get an overview over the encryption counters.
+```
+
+
+```{opcmd} show system acceleration qat interrupts
+
+Show binded qat device interrupts to certain core.
+```
+
+
+### Example
+
+Let's build a simple VPN between 2 Intel® QAT ready devices.
+
+Side A:
+
+```
+set interfaces vti vti1 address '192.168.1.2/24'
+set vpn ipsec authentication psk right id '10.10.10.2'
+set vpn ipsec authentication psk right id '10.10.10.1'
+set vpn ipsec authentication psk right secret 'Qwerty123'
+set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+set vpn ipsec interface 'eth0'
+set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2'
+set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1'
+set vpn ipsec site-to-site peer right connection-type 'initiate'
+set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
+set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
+set vpn ipsec site-to-site peer right local-address '10.10.10.2'
+set vpn ipsec site-to-site peer right remote-address '10.10.10.1'
+set vpn ipsec site-to-site peer right vti bind 'vti1'
+```
+
+Side B:
+
+```
+set interfaces vti vti1 address '192.168.1.1/24'
+set vpn ipsec authentication psk left id '10.10.10.2'
+set vpn ipsec authentication psk left id '10.10.10.1'
+set vpn ipsec authentication psk left secret 'Qwerty123'
+set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+set vpn ipsec interface 'eth0'
+set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1'
+set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2'
+set vpn ipsec site-to-site peer left connection-type 'initiate'
+set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
+set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
+set vpn ipsec site-to-site peer left local-address '10.10.10.1'
+set vpn ipsec site-to-site peer left remote-address '10.10.10.2'
+set vpn ipsec site-to-site peer left vti bind 'vti1'
+```
+
+a bandwidth test over the VPN got these results:
+
+```
+Connecting to host 192.168.1.2, port 5201
+[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
+[ ID] Interval Transfer Bitrate Retr Cwnd
+[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
+[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
+[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
+[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
+[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
+[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
+[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
+[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
+- - - - - - - - - - - - - - - - - - - - - - - - -
+[ ID] Interval Transfer Bitrate Retr
+[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
+[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
+```
+
+with {cfgcmd}`set system acceleration qat` on both systems the bandwidth
+increases.
+
+```
+Connecting to host 192.168.1.2, port 5201
+[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
+[ ID] Interval Transfer Bitrate Retr Cwnd
+[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
+[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
+[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
+[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
+[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
+[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
+[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
+[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
+[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
+[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
+- - - - - - - - - - - - - - - - - - - - - - - - -
+[ ID] Interval Transfer Bitrate Retr
+[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
+[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
+```
+
+[intel® qat]: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
diff --git a/docs/configuration/system/md-conntrack.md b/docs/configuration/system/md-conntrack.md
new file mode 100644
index 00000000..f83f0684
--- /dev/null
+++ b/docs/configuration/system/md-conntrack.md
@@ -0,0 +1,218 @@
+# Conntrack
+
+VyOS can be configured to track connections using the connection
+tracking subsystem. Connection tracking becomes operational once either
+stateful firewall or NAT is configured.
+
+## Configure
+
+```{cfgcmd} set system conntrack table-size \<1-50000000\>
+:defaultvalue:
+
+The connection tracking table contains one entry for each connection being
+tracked by the system.
+```
+
+```{cfgcmd} set system conntrack expect-table-size \<1-50000000\>
+:defaultvalue:
+
+The connection tracking expect table contains one entry for each expected
+connection related to an existing connection. These are generally used by
+“connection tracking helper” modules such as FTP.
+The default size of the expect table is 2048 entries.
+```
+
+```{cfgcmd} set system conntrack hash-size \<1-50000000\>
+:defaultvalue:
+
+Set the size of the hash table. The connection tracking hash table makes
+searching the connection tracking table faster. The hash table uses
+“buckets” to record entries in the connection tracking table.
+```
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack modules ftp
+.. cfgcmd:: set system conntrack modules h323
+.. cfgcmd:: set system conntrack modules nfs
+.. cfgcmd:: set system conntrack modules pptp
+.. cfgcmd:: set system conntrack modules sip
+.. cfgcmd:: set system conntrack modules sqlnet
+.. cfgcmd:: set system conntrack modules tftp
+
+ Configure the connection tracking protocol helper modules.
+ All modules are enable by default.
+
+ | Use `delete system conntrack modules` to deactive all modules.
+ | Or, for example ftp, `delete system conntrack modules ftp`.
+```
+
+```{cfgcmd} set system conntrack tcp half-open-connections \<1-21474836\>
+:defaultvalue:
+
+Set the maximum number of TCP half-open connections.
+```
+
+```{cfgcmd} set system conntrack tcp loose \<enable | disable\>
+:defaultvalue:
+
+Policy to track previously established connections.
+```
+
+```{cfgcmd} set system conntrack tcp max-retrans \<1-2147483647\>
+:defaultvalue:
+
+Set the number of TCP maximum retransmit attempts.
+```
+
+### Contrack Timeouts
+
+You can define custom timeout values to apply to a specific subset of
+connections, based on a packet and flow selector. To do this, you need to
+create a rule defining the packet and flow selector.
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ description <test>
+
+ Set a rule description.
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
+
+ Set a destination and/or source address. Accepted input for ipv4:
+
+ .. code-block:: none
+
+ set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
+ Possible completions:
+ <x.x.x.x> IPv4 address to match
+ <x.x.x.x/x> IPv4 prefix to match
+ <x.x.x.x>-<x.x.x.x> IPv4 address range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified prefix
+ !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
+
+ set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
+ Possible completions:
+ <h:h:h:h:h:h:h:h> IP address to match
+ <h:h:h:h:h:h:h:h/x> Subnet to match
+ <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ IP range to match
+ !<h:h:h:h:h:h:h:h> Match everything except the specified address
+ !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
+ !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ Match everything except the specified range
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination port <value>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source port <value>
+
+ Set a destination and/or source port. Accepted input:
+
+ .. code-block:: none
+
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+
+ Multiple destination ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using '!'. For example:
+ `!22,telnet,http,123,1001-1005``
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp established <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp last-ack <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp time-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp replied <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp unreplied <1-21474836>
+
+ Set the timeout in seconds for a protocol or state in a custom rule.
+```
+
+### Conntrack ignore rules
+
+:::{note}
+**Important note about conntrack ignore rules:**
+Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in
+``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in
+the future the conntrack ignore rules will be removed.
+
+> Customized ignore rules, based on a packet and flow selector.
+:::
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ description <text>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ protocol <protocol>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+```
+
+### Conntrack log
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack log event destroy
+.. cfgcmd:: set system conntrack log event new
+.. cfgcmd:: set system conntrack log event update
+
+ Log the connection tracking events per type.
+
+.. cfgcmd:: set system conntrack log event destroy icmp
+.. cfgcmd:: set system conntrack log event destroy other
+.. cfgcmd:: set system conntrack log event destroy tcp
+.. cfgcmd:: set system conntrack log event destroy udp
+.. cfgcmd:: set system conntrack log event new icmp
+.. cfgcmd:: set system conntrack log event new other
+.. cfgcmd:: set system conntrack log event new tcp
+.. cfgcmd:: set system conntrack log event new udp
+.. cfgcmd:: set system conntrack log event update icmp
+.. cfgcmd:: set system conntrack log event update other
+.. cfgcmd:: set system conntrack log event update tcp
+.. cfgcmd:: set system conntrack log event update udp
+
+ Log the connection tracking events per protocol.
+
+.. cfgcmd:: set system conntrack log timestamp
+
+ Turn on flow-based timestamp extension.
+
+.. cfgcmd:: set system conntrack log queue-size <100-999999>
+
+ Manage internal queue size, default size is 4096 events.
+
+.. cfgcmd:: set system conntrack log log-level <info | debug>
+
+ Manage log level
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-console.md b/docs/configuration/system/md-console.md
new file mode 100644
index 00000000..9017fa30
--- /dev/null
+++ b/docs/configuration/system/md-console.md
@@ -0,0 +1,59 @@
+(serial-console)=
+
+# Serial Console
+
+For the average user a serial console has no advantage over a console offered
+by a directly attached keyboard and screen. Serial consoles are much slower,
+taking up to a second to fill a 80 column by 24 line screen. Serial consoles
+generally only support non-proportional ASCII text, with limited support for
+languages other than English.
+
+There are some scenarios where serial consoles are useful. System administration
+of remote computers is usually done using {ref}`ssh`, but there are times when
+access to the console is the only way to diagnose and correct software failures.
+Major upgrades to the installed distribution may also require console access.
+
+```{cfgcmd} set system console device \<device\>
+
+Defines the specified device as a system console. Available console devices
+can be (see completion helper):
+* ``ttySN`` - Serial device name
+* ``ttyAMAN``- Serial device name for some arm64 systems
+* ``ttyUSBX`` - USB Serial device name
+* ``hvc0`` - Xen console
+```
+
+```{cfgcmd} set system console device \<device\> kernel
+
+When set, the selected serial console is used as the kernel boot console.
+When removed, the kernel boot console falls back to tty0.
+
+:::{note}
+Only one serial console can carry the ``kernel`` option.
+When VyOS is installed via serial console, this option is set automatically
+for the serial interface used during installation; usually ``ttyS0`` or
+``ttyAMA0``.
+:::
+```
+
+```{cfgcmd} set system console device \<device\> speed \<speed\>
+
+The speed (baudrate) of the console device. Supported values are:
+* ``1200`` - 1200 bps
+* ``2400`` - 2400 bps
+* ``4800`` - 4800 bps
+* ``9600`` - 9600 bps
+* ``19200`` - 19,200 bps
+* ``38400`` - 38,400 bps (default for Xen console)
+* ``57600`` - 57,600 bps
+* ``115200`` - 115,200 bps (default for serial console)
+
+:::{note}
+If you use USB to serial converters for connecting to your VyOS
+appliance please note that most of them use software emulation without flow
+control. This means you should start with a common baud rate (most likely
+9600 baud) as otherwise you probably can not connect to the device using
+high speed baud rates as your serial converter simply can not process this
+data rate.
+:::
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-default-route.md b/docs/configuration/system/md-default-route.md
new file mode 100644
index 00000000..9f2793d1
--- /dev/null
+++ b/docs/configuration/system/md-default-route.md
@@ -0,0 +1,40 @@
+(default-gateway)=
+
+# Default Gateway/Route
+
+In the past (VyOS 1.1) used a gateway-address configured under the system tree
+({cfgcmd}`set system gateway-address <address>`), this is no longer supported
+and existing configurations are migrated to the new CLI command.
+
+## Configuration
+
+```{cfgcmd} set protocols static route 0.0.0.0/0 next-hop \<address\>
+
+Specify static route into the routing table sending all non local traffic
+to the nexthop address \<address\>.
+```
+
+```{cfgcmd} delete protocols static route 0.0.0.0/0
+
+Delete default route from the system.
+```
+
+
+## Operation
+
+```{opcmd} show ip route 0.0.0.0
+
+Show routing table entry for the default route.
+
+:::{code-block} none
+vyos@vyos:~$ show ip route 0.0.0.0
+Routing entry for 0.0.0.0/0
+Known via "static", distance 10, metric 0, best
+Last update 09:46:30 ago
+* 172.18.201.254, via eth0.201
+:::
+```
+
+:::{seealso}
+Configuration of {ref}`routing-static`
+:::
diff --git a/docs/configuration/system/md-flow-accounting.md b/docs/configuration/system/md-flow-accounting.md
new file mode 100644
index 00000000..c97d5473
--- /dev/null
+++ b/docs/configuration/system/md-flow-accounting.md
@@ -0,0 +1,209 @@
+(flow-accounting)=
+
+# Flow Accounting
+
+VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts
+as a flow exporter, and you are free to use it with any compatible collector.
+
+Flows can be exported via protocol NetFlow (versions 5, 9 and
+10/IPFIX). Additionally, you may save flows to an in-memory table
+internally in a router.
+
+:::{warning}
+You need to disable the in-memory table in production environments!
+Using {abbr}`IMT (In-Memory Table)` may lead to heavy CPU overloading and
+unstable flow-accounting behavior.
+:::
+
+## NetFlow / IPFIX
+
+NetFlow is a feature that was introduced on Cisco routers around 1996 that
+provides the ability to collect IP network traffic as it enters or exits an
+interface. By analyzing the data provided by NetFlow, a network administrator
+can determine things such as the source and destination of traffic, class of
+service, and the causes of congestion. A typical flow monitoring setup (using
+NetFlow) consists of three main components:
+
+- **exporter**: aggregates packets into flows and exports flow records towards
+ one or more flow collectors
+- **collector**: responsible for reception, storage and pre-processing of flow
+ data received from a flow exporter
+- **application**: analyzes received flow data in the context of intrusion
+ detection or traffic profiling, for example
+
+For connectionless protocols as like ICMP and UDP, a flow is considered
+complete once no more packets for this flow appear after configurable timeout.
+
+NetFlow is usually enabled on a per-interface basis to limit load on the router
+components involved in NetFlow, or to limit the amount of NetFlow records
+exported.
+
+## Configuration
+
+:::{warning}
+Using NetFlow on routers with high traffic levels may lead to
+high CPU usage and may affect the router's performance. In such cases,
+consider using sFlow instead.
+:::
+
+In order for flow accounting information to be collected and displayed for an
+interface, the interface must be configured for flow accounting.
+
+```{cfgcmd} set system flow-accounting interface \<interface\>
+
+Configure and enable collection of flow information for the interface
+identified by \<interface\>.
+
+You can configure multiple interfaces which would participate in flow
+accounting.
+```
+
+:::{note}
+Will be recorded only packets/flows on **incoming** direction in
+configured interfaces by default.
+:::
+
+By default, recorded flows will be saved internally and can be listed with the
+CLI command. You may disable using the local in-memory table with the command:
+
+```{cfgcmd} set system flow-accounting disable-imt
+
+If you need to sample also egress traffic, you may want to
+configure egress flow-accounting:
+```
+
+```{cfgcmd} set system flow-accounting enable-egress
+
+Internally, in flow-accounting processes exist a buffer for data exchanging
+between core process and plugins (each export target is a separated plugin).
+If you have high traffic levels or noted some problems with missed records
+or stopping exporting, you may try to increase a default buffer size (10
+MiB) with the next command:
+```
+
+```{cfgcmd} set system flow-accounting buffer-size \<buffer size\>
+
+In case, if you need to catch some logs from flow-accounting daemon, you may
+configure logging facility:
+```
+
+```{cfgcmd} set system flow-accounting syslog-facility \<facility\>
+
+Set the syslog facility for flow-accounting log messages. Supported values
+include ``daemon``, ``local0`` through ``local7``, and other standard syslog
+facilities.
+```
+
+
+### Flow Export
+
+In addition to displaying flow accounting information locally, one can also
+exported them to a collection server.
+
+#### NetFlow
+
+```{cfgcmd} set system flow-accounting netflow version \<version\>
+
+There are multiple versions available for the NetFlow data. The \<version\>
+used in the exported flow data can be configured here. The following
+versions are supported:
+* **5** - Most common version, but restricted to IPv4 flows only
+* **9** - NetFlow version 9 (default)
+* **10** - {abbr}`IPFIX (IP Flow Information Export)` as per {rfc}`3917`
+```
+
+```{cfgcmd} set system flow-accounting netflow server \<address\>
+
+Configure address of NetFlow collector. NetFlow server at \<address\> can
+be both listening on an IPv4 or IPv6 address.
+```
+
+```{cfgcmd} set system flow-accounting netflow source-ip \<address\>
+
+IPv4 or IPv6 source address of NetFlow packets
+```
+
+```{cfgcmd} set system flow-accounting netflow engine-id \<id\>
+
+NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255.
+```
+
+```{cfgcmd} set system flow-accounting netflow sampling-rate \<rate\>
+
+Use this command to configure the sampling rate for flow accounting. The
+system samples one in every \<rate\> packets, where \<rate\> is the value
+configured for the sampling-rate option. The advantage of sampling every n
+packets, where n > 1, allows you to decrease the amount of processing
+resources required for flow accounting. The disadvantage of not sampling
+every packet is that the statistics produced are estimates of actual data
+flows.
+
+Per default every packet is sampled (that is, the sampling rate is 1).
+```
+
+```{cfgcmd} set system flow-accounting netflow timeout expiry-interval \<interval\>
+
+Specifies the interval at which Netflow data will be sent to a collector. As
+per default, Netflow data will be sent every 60 seconds.
+
+You may also additionally configure timeouts for different types of
+connections.
+```
+
+```{cfgcmd} set system flow-accounting netflow max-flows \<n\>
+
+If you want to change the maximum number of flows, which are tracking
+simultaneously, you may do this with this command (default 8192).
+```
+
+
+### Example:
+
+NetFlow v5 example:
+
+```none
+set system flow-accounting netflow engine-id 100
+set system flow-accounting netflow version 5
+set system flow-accounting netflow server 192.168.2.10 port 2055
+```
+
+
+## Operation
+
+Once flow accounting is configured on an interfaces it provides the ability to
+display captured network traffic information for all configured interfaces.
+
+```{opcmd} show flow-accounting interface \<interface\>
+
+Show flow accounting information for given \<interface\>.
+
+
+:::{code-block} none
+vyos@vyos:~$ show flow-accounting interface eth0
+IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
+---------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- -------
+eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178
+eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144
+eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064
+eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455
+:::
+```
+
+```{opcmd} show flow-accounting interface \<interface\> host \<address\>
+
+Show flow accounting information for given \<interface\> for a specific host
+only.
+
+
+:::{code-block} none
+vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14
+IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
+---------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- -------
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877
+:::
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-frr.md b/docs/configuration/system/md-frr.md
new file mode 100644
index 00000000..1741e286
--- /dev/null
+++ b/docs/configuration/system/md-frr.md
@@ -0,0 +1,45 @@
+(system-frr)=
+
+# FRR
+
+VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic
+and static routing. The routing daemon behavior can be adjusted during runtime,
+but requires either a restart of the routing daemon, or a reboot of the system.
+
+```{cfgcmd} set system frr bmp
+
+Enable {abbr}`BMP (BGP Monitoring Protocol)` support.
+```
+
+```{cfgcmd} set system frr descriptors \<numer\>
+
+This allows the operator to control the number of open file descriptors
+each daemon is allowed to start with. If the operator plans to run bgp with
+several thousands of peers then this is where we would modify FRR to allow
+this to happen.
+```
+
+```{cfgcmd} set system frr irdp
+
+Enable ICMP Router Discovery Protocol support.
+```
+
+```{cfgcmd} set system frr profile \<traditional | datacenter\>
+
+Select an FRR profile to adapt its default settings. If unset, the
+traditional profile is applied.
+```
+
+```{cfgcmd} set system frr snmp \<daemon\>
+
+Enable SNMP support for an individual routing daemon.
+
+Supported daemons:
+- bgpd
+- isisd
+- ldpd
+- ospf6d
+- ospfd
+- ripd
+- zebra
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-host-name.md b/docs/configuration/system/md-host-name.md
new file mode 100644
index 00000000..81840d1f
--- /dev/null
+++ b/docs/configuration/system/md-host-name.md
@@ -0,0 +1,70 @@
+(host-information)=
+
+# Host Information
+
+This section describes the system's host information and how to configure them,
+it covers the following topics:
+
+- Host name
+- Domain
+- IP address
+- Aliases
+
+## Hostname
+
+A hostname is the label (name) assigned to a network device (a host) on a
+network and is used to distinguish one device from another on specific networks
+or over the internet. On the other hand this will be the name which appears on
+the command line prompt.
+
+```{cfgcmd} set system host-name \<hostname\>
+
+ The hostname can be up to 63 characters. A hostname
+ must start and end with a letter or digit, and have as interior characters
+ only letters, digits, or a hyphen.
+
+ The default hostname used is `vyos`.
+```
+
+## Domain Name
+
+
+A domain name is the label (name) assigned to a computer network and is thus
+unique. VyOS appends the domain name as a suffix to any unqualified name. For
+example, if you set the domain name `example.com`, and you would ping the
+unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`.
+
+```{cfgcmd} set system domain-name \<domain\>
+
+Configure system domain name. A domain name must start and end with a letter
+or digit, and have as interior characters only letters, digits, or a hyphen.
+```
+
+## Static Hostname Mapping
+
+
+How an IP address is assigned to an interface in {ref}`ethernet-interface`.
+This section shows how to statically map an IP address to a hostname for local
+(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to
+`/etc/hosts` file entries.
+
+
+:::{note}
+Do *not* manually edit `/etc/hosts`. This file will automatically be
+regenerated on boot based on the settings in this section, which means you'll
+lose all your manual edits. Instead, configure static host mappings as follows.
+:::
+
+```{cfgcmd} set system static-host-mapping host-name \<hostname\> inet \<address\>
+
+Create a static hostname mapping which will always resolve the name
+`<hostname>` to IP address `<address>`.
+```
+```{cfgcmd} set system static-host-mapping host-name \<hostname\> alias \<alias\>
+
+Create named `<alias>` for the configured static mapping for `<hostname>`.
+Thus the address configured as {cfgcmd}`set system static-host-mapping
+host-name <hostname> inet <address>` can be reached via multiple names.
+
+Multiple aliases can be specified per host-name.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-index.md b/docs/configuration/system/md-index.md
new file mode 100644
index 00000000..e0b8a5a1
--- /dev/null
+++ b/docs/configuration/system/md-index.md
@@ -0,0 +1,34 @@
+# System
+
+```{toctree}
+:includehidden: true
+:maxdepth: 1
+
+acceleration
+conntrack
+console
+flow-accounting
+frr
+host-name
+ip
+ipv6
+lcd
+login
+name-server
+option
+proxy
+sflow
+syslog
+sysctl
+task-scheduler
+time-zone
+updates
+watchdog
+```
+
+```{toctree}
+:includehidden: true
+:maxdepth: 1
+
+default-route
+```
diff --git a/docs/configuration/system/md-ip.md b/docs/configuration/system/md-ip.md
new file mode 100644
index 00000000..717ee57d
--- /dev/null
+++ b/docs/configuration/system/md-ip.md
@@ -0,0 +1,126 @@
+# IP
+
+## System configuration commands
+
+```{cfgcmd} set system ip disable-forwarding
+
+Use this command to disable IPv4 forwarding on all interfaces.
+```
+
+```{cfgcmd} set system ip disable-directed-broadcast
+
+Use this command to disable IPv4 directed broadcast forwarding on all
+interfaces.
+
+If set, IPv4 directed broadcast forwarding will be completely disabled
+regardless of whether per-interface directed broadcast forwarding is
+enabled or not.
+```
+
+```{cfgcmd} set system ip arp table-size \<number\>
+
+Use this command to define the maximum number of entries to keep in
+the ARP cache (1024, 2048, 4096, 8192, 16384, 32768).
+```
+
+```{cfgcmd} set system ip multipath layer4-hashing
+
+Use this command to use Layer 4 information for IPv4 ECMP hashing.
+```
+
+```{cfgcmd} set system ip import-table \<table-id\>
+
+Use this command to immport the table, by given table id, into the main RIB.
+```
+
+```{cfgcmd} set system ip import-table \<table-id\> distance \<distance\>
+
+Use this command to override the default distance when importing routers
+from the alternate table.
+```
+
+```{cfgcmd} set system ip import-table \<table-id\> route-map \<route-map\>
+
+Use this command to filter routes that are imported into the main table
+from alternate table using route-map.
+```
+
+
+### Zebra/Kernel route filtering
+
+Zebra supports prefix-lists and Route Maps to match routes received from
+other FRR components. The permit/deny facilities provided by these commands
+can be used to filter which routes zebra will install in the kernel.
+
+```{cfgcmd} set system ip protocol \<protocol\> route-map \<route-map\>
+
+Apply a route-map filter to routes for the specified protocol. The following
+protocols can be used: any, babel, bgp, eigrp, isis, ospf, rip, static
+
+:::{note}
+If you choose any as the option that will cause all protocols that
+are sending routes to zebra.
+:::
+```
+
+
+### Nexthop Tracking
+
+Nexthop tracking resolve nexthops via the default route by default. This is enabled
+by default for a traditional profile of FRR which we use. It and can be disabled if
+you do not want to e.g. allow BGP to peer across the default route.
+
+```{cfgcmd} set system ip nht no-resolve-via-default
+
+Do not allow IPv4 nexthop tracking to resolve via the default route. This
+parameter is configured per-VRF, so the command is also available in the VRF
+subnode.
+```
+
+
+## Operational commands
+
+### show commands
+
+See below the different parameters available for the IPv4 **show** command:
+
+```none
+vyos@vyos:~$ show ip
+Possible completions:
+ access-list Show all IP access-lists
+ as-path-access-list
+ Show all as-path-access-lists
+ bgp Show Border Gateway Protocol (BGP) information
+ community-list
+ Show IP community-lists
+ extcommunity-list
+ Show extended IP community-lists
+ forwarding Show IP forwarding status
+ groups Show IP multicast group membership
+ igmp Show IGMP (Internet Group Management Protocol) information
+ large-community-list
+ Show IP large-community-lists
+ multicast Show IP multicast
+ ospf Show IPv4 Open Shortest Path First (OSPF) routing information
+ pim Show PIM (Protocol Independent Multicast) information
+ ports Show IP ports in use by various system services
+ prefix-list Show all IP prefix-lists
+ protocol Show IP route-maps per protocol
+ rip Show Routing Information Protocol (RIP) information
+ route Show IP routes
+```
+
+
+### reset commands
+
+And the different IPv4 **reset** commands available:
+
+```none
+vyos@vyos:~$ reset ip
+Possible completions:
+ arp Reset Address Resolution Protocol (ARP) cache
+ bgp Clear Border Gateway Protocol (BGP) statistics or status
+ igmp IGMP clear commands
+ multicast IP multicast routing table
+ route Reset IP route
+```
diff --git a/docs/configuration/system/md-ipv6.md b/docs/configuration/system/md-ipv6.md
new file mode 100644
index 00000000..ee0a6ade
--- /dev/null
+++ b/docs/configuration/system/md-ipv6.md
@@ -0,0 +1,193 @@
+# IPv6
+
+## System configuration commands
+
+```{cfgcmd} set system ipv6 disable-forwarding
+
+ Use this command to disable IPv6 forwarding on all interfaces.
+```
+
+
+```{cfgcmd} set system ipv6 neighbor table-size \<number\>
+
+Use this command to define the maximum number of entries to keep in
+the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768).
+```
+
+
+```{cfgcmd} set system ipv6 strict-dad
+
+Use this command to disable IPv6 operation on interface when
+Duplicate Address Detection fails on Link-Local address.
+```
+
+
+```{cfgcmd} set system ipv6 multipath layer4-hashing
+
+Use this command to user Layer 4 information for ECMP hashing.
+```
+
+### Zebra/Kernel route filtering
+
+
+Zebra supports prefix-lists and Route Maps to match routes received from
+other FRR components. The permit/deny facilities provided by these commands
+can be used to filter which routes zebra will install in the kernel.
+
+```{cfgcmd} set system ipv6 protocol \<protocol\> route-map \<route-map\>
+
+Apply a route-map filter to routes for the specified protocol. The following
+protocols can be used: any, babel, bgp, isis, ospfv3, ripng, static
+
+:::{note}
+If you choose any as the option that will cause all protocols that
+are sending routes to zebra.
+:::
+```
+
+### Nexthop Tracking
+
+
+Nexthop tracking resolve nexthops via the default route by default. This is enabled
+by default for a traditional profile of FRR which we use. It and can be disabled if
+you do not want to e.g. allow BGP to peer across the default route.
+
+```{cfgcmd} set system ipv6 nht no-resolve-via-default
+
+Do not allow IPv6 nexthop tracking to resolve via the default route. This
+parameter is configured per-VRF, so the command is also available in the VRF
+subnode.
+```
+
+## Operational commands
+
+
+### Show commands
+
+```{opcmd} show ipv6 neighbors
+
+Use this command to show IPv6 Neighbor Discovery Protocol information.
+```
+
+
+```{opcmd} show ipv6 groups
+
+Use this command to show IPv6 multicast group membership.
+```
+
+
+```{opcmd} show ipv6 forwarding
+
+Use this command to show IPv6 forwarding status.
+```
+
+
+```{opcmd} show ipv6 route
+
+Use this command to show IPv6 routes.
+
+Check the many parameters available for the show ipv6 route command:
+
+:::{code-block} none
+vyos@vyos:~$ show ipv6 route
+Possible completions:
+ <Enter> Execute the current command
+ <X:X::X:X> Show IPv6 routes of given address or prefix
+ <X:X::X:X/M>
+ bgp Show IPv6 BGP routes
+ cache Show kernel IPv6 route cache
+ connected Show IPv6 connected routes
+ forward Show kernel IPv6 route table
+ isis Show IPv6 ISIS routes
+ kernel Show IPv6 kernel routes
+ ospfv3 Show IPv6 OSPF6 routes
+ ripng Show IPv6 RIPNG routes
+ static Show IPv6 static routes
+ summary Show IPv6 routes summary
+ table Show IP routes in policy table
+ tag Show only routes with tag
+ vrf Show IPv6 routes in VRF
+:::
+```
+```{opcmd} show ipv6 prefix-list
+
+ Use this command to show all IPv6 prefix lists
+
+ There are different parameters for getting prefix-list information:
+
+ :::{code-block} none
+ vyos@vyos:~$ show ipv6 prefix-list
+ Possible completions:
+ <Enter> Execute the current command
+ <WORD> Show specified IPv6 prefix-list
+ detail Show detail of IPv6 prefix-lists
+ summary Show summary of IPv6 prefix-lists
+ :::
+```
+
+
+```{opcmd} show ipv6 access-list
+
+Use this command to show all IPv6 access lists
+
+You can also specify which IPv6 access-list should be shown:
+
+:::{code-block} none
+vyos@vyos:~$ show ipv6 access-list
+Possible completions:
+ <Enter> Execute the current command
+ <text> Show specified IPv6 access-list
+:::
+```
+```{opcmd} show ipv6 ospfv3
+
+ Use this command to get information about OSPFv3.
+
+ You can get more specific OSPFv3 information by using the parameters
+ shown below:
+
+ :::{code-block} none
+ vyos@vyos:~$ show ipv6 ospfv3
+ Possible completions:
+ <Enter> Execute the current command
+ area Show OSPFv3 spf-tree information
+ border-routers
+ Show OSPFv3 border-router (ABR and ASBR) information
+ database Show OSPFv3 Link state database information
+ interface Show OSPFv3 interface information
+ linkstate Show OSPFv3 linkstate routing information
+ neighbor Show OSPFv3 neighbor information
+ redistribute Show OSPFv3 redistribute External information
+ route Show OSPFv3 routing table information
+ :::
+```
+
+
+```{opcmd} show ipv6 ripng
+
+Use this command to get information about the RIPNG protocol
+```
+
+
+```{opcmd} show ipv6 ripng status
+
+Use this command to show the status of the RIPNG protocol
+```
+
+### Reset commands
+
+```{opcmd} reset bgp ipv6 \<address\>
+
+Use this command to clear Border Gateway Protocol statistics or
+status.
+```
+```{opcmd} reset ipv6 neighbors \<address | interface\>
+
+Use this command to reset IPv6 Neighbor Discovery Protocol cache for
+an address or interface.
+```
+```{opcmd} reset ipv6 route cache
+
+Use this command to flush the kernel IPv6 route cache.
+An address can be added to flush it only for that route.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-lcd.md b/docs/configuration/system/md-lcd.md
new file mode 100644
index 00000000..ef9031ea
--- /dev/null
+++ b/docs/configuration/system/md-lcd.md
@@ -0,0 +1,41 @@
+(system-display)=
+
+# System Display (LCD)
+
+The system LCD {abbr}`LCD (Liquid-crystal display)` option is for users running
+VyOS on hardware that features an LCD display. This is typically a small display
+built in an 19 inch rack-mountable appliance. Those displays are used to show
+runtime data.
+
+To configure your LCD display you must first identify the used hardware, and
+connectivity of the display to your system. This can be any serial port
+(`ttySxx`) or serial via USB or even old parallel port interfaces.
+
+## Configuration
+
+```{cfgcmd} set system lcd device \<device\>
+
+This is the name of the physical interface used to connect to your LCD
+display. Tab completion is supported and it will list you all available
+serial interface.
+
+For serial via USB port information please refer to the USB hardware section.
+```
+
+```{cfgcmd} set system lcd model \<model\>
+
+This is the LCD model used in your system.
+
+At the time of this writing the following displays are supported:
+* Crystalfontz CFA-533
+* Crystalfontz CFA-631
+* Crystalfontz CFA-633
+* Crystalfontz CFA-635
+
+:::{note}
+We can't support all displays from the beginning. If your display
+type is missing, please create a feature request via
+Phabricator.
+:::
+```
+
diff --git a/docs/configuration/system/md-login.md b/docs/configuration/system/md-login.md
new file mode 100644
index 00000000..288d30a8
--- /dev/null
+++ b/docs/configuration/system/md-login.md
@@ -0,0 +1,604 @@
+---
+lastproofread: '2026-01-12'
+---
+
+(user-management)=
+
+# Login/user management
+
+The default VyOS user account (`vyos`), as well as newly created user accounts,
+possess full system configuration privileges. These accounts are granted sudo
+privileges, allowing them to execute commands as the root user.
+
+VyOS supports both local authentication and remote authentication via
+{abbr}`RADIUS (Remote Authentication Dial-In User Service)`/ {abbr}`TACACS+
+(Terminal Access Controller Access-Control System)`.
+
+## Local authentication
+
+```{cfgcmd} set system login user \<name\> full-name "\<string\>"
+
+**Configure the real name or description for a system user.**
+
+If the description includes spaces, enclose ``<string>`` in double quotes.
+
+If the user ``<name>`` already exists, the command updates the current
+description. If not, it creates a new user with the specified description.
+```
+
+```{cfgcmd} set system login user \<name\> authentication plaintext-password \<password\>
+
+**Configure a password for a system user.**
+
+Enter the password in plaintext. Upon ``commit``, VyOS hashes the password for
+secure storage and removes the plaintext value.
+
+If the user ``<name>`` already exists, the command updates the current password.
+If not, it creates a new user with the specified plaintext password.
+```
+
+```{cfgcmd} set system login user \<name\> authentication encrypted-password \<password\>
+
+**Configure a pre-encrypted password for a system user.**
+
+Enter the password in its hashed format. Upon ``commit``, VyOS stores this value
+directly without modification.
+
+If the user ``<name>`` already exists, the command updates the current password.
+If not, it creates a new user with the specified pre-encrypted password.
+```
+
+```{cfgcmd} set system login user \<name\> authentication principal \<principal\>
+
+**Configure an SSH certificate principal for a system user.**
+
+Enter the principal (a string included in the user's signed SSH certificate).
+Upon ``commit``, VyOS stores this mapping, allowing the user to log in if the
+certificate they present contains this principal.
+
+If the user ``<name>`` already exists, the command updates the principal. If not,
+it creates a new user linked to the specified principal.
+
+**If not configured**, the principal defaults to ``<name>``.
+```
+
+```{cfgcmd} set system login user \<name\> disable
+
+**Disable a system user account.**
+
+VyOS locks the account, preventing the user from logging in.
+```
+
+(ssh_key_based_authentication)=
+
+## Key-based authentication
+
+Key-based authentication is the recommended method for securing SSH access in
+VyOS. It uses a **public/private key pair** to verify user identity without
+requiring a password. To authorize access, you assign **SSH public keys** to
+user accounts on the router, while SSH private keys remain on local devices.
+VyOS allows assigning multiple SSH public keys to a single user account, which
+is useful for accessing a router from different devices.
+
+### Generate the key pair
+
+Generate an SSH key pair on your **local machine** using the `ssh-keygen`
+command. This creates two files:
+- **Private key** (e.g., `id_rsa`): Remains on your local machine and must
+ never be shared.
+- **Public key** (e.g., `id_rsa.pub`): Is used to configure the VyOS user
+ account. By default, it is saved to `~/.ssh/id_rsa.pub`.
+
+Each SSH public key consists of three parts, separated by spaces:
+- **Encryption algorithm type:** `ssh-rsa`, `ssh-ed25519`, etc.
+- **Key:** The actual data (a long string beginning with `AAAA...`).
+- **Comment:** An identifier for your reference (e.g., `user@host`).
+
+Only the encryption algorithm type and key parts are required to
+configure the authorization entry in VyOS. The comment part is optional.
+
+:::{seealso}
+{ref}`SSH operation <ssh_operation>`
+:::
+
+:::{warning}
+SSH key strings are long. When copying and pasting, ensure your
+terminal does not insert line breaks. The key must be entered as a **single
+line** to function correctly.
+:::
+
+### Configure the router
+
+To configure SSH public key authentication for a user account, run the
+following two commands using the same `<identifier>`:
+
+```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> key \<key\>
+
+**Configure the SSH public key for the user account.**
+* ``<identifier>``: A unique label that identifies this specific key entry.
+* ``<key>``: The actual string of characters from your public key.
+```
+
+```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> type \<type\>
+
+**Configure the SSH key's encryption type.**
+
+The following encryption algorithm types are available:
+
+* ``ecdsa-sha2-nistp256``
+* ``ecdsa-sha2-nistp384``
+* ``ecdsa-sha2-nistp521``
+* ``ssh-dss``
+* ``ssh-ed25519``
+* ``ssh-rsa``
+
+:::{note}
+To assign multiple SSH public keys to a user account, repeat the
+commands above with a unique identifier for each key.
+:::
+```
+
+```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> options \<options\>
+
+**Configure specific restrictions or behaviors for an SSH public key.**
+
+``<options>``: A string of comma-separated values that define permissions
+or restrictions for this key.
+
+The command accepts standard OpenSSH options listed in the router's
+``~/.ssh/authorized_keys`` file.
+
+To include a ``"`` character in the options string, use ``&quot;``.
+
+For example, to restrict allowed source IP addresses for an SSH public key,
+use: ``from=&quot;10.0.0.0/24&quot;``.
+```
+
+
+## OTP-based MFA
+
+VyOS lets you enhance user access security by enabling {abbr}`OTP (One-time
+password)`-based {abbr}`MFA (Multi-factor Authentication)` for individual
+users. Users with {abbr}`OTP (One-time password)`-based {abbr}`MFA
+(Multi-factor Authentication)` must enter a valid {abbr}`OTP (One-time
+password)` along with their password at login. Users without {abbr}`OTP
+(One-time password)`-based {abbr}`MFA (Multi-factor Authentication)` use
+standard authentication.
+
+```{cfgcmd} set system login user \<username\> authentication otp key \<key\>
+
+**Configure** {abbr}`OTP (One-time password)`**-based** {abbr}`MFA
+(Multi-factor Authentication)` **for a user.**
+
+``<key>``: A Base32-encoded secret key. This key must be added to the user's
+authenticator app to generate valid {abbr}`OTPs (One-time passwords)`.
+
+**When configured**, the user is required to enter their password followed by
+a valid OTP for all subsequent logins.
+```
+
+
+### OTP settings
+
+```{cfgcmd} set system login user \<username\> authentication otp rate-limit \<limit\>
+
+**Configure the number of** {abbr}`OTP (One-time password)` **authentication
+attempts allowed within a specified time period.**
+
+If this limit is exceeded, the user is temporarily blocked.
+
+The default value is 3 attempts. The valid range is 1 to 10 attempts.
+```
+
+```{cfgcmd} set system login user \<username\> authentication otp rate-time \<seconds\>
+
+**Configure the time period, in seconds, for tracking** {abbr}`OTP (One-time
+password)` **authentication attempts.**
+
+The default value is 30 seconds. The valid range is 1 to 600 seconds.
+```
+
+```{cfgcmd} set system login user \<username\> authentication otp window-size \<size\>
+
+**Configure the** {abbr}`OTP (One-time password)` **window size for a user.**
+
+The {abbr}`OTP (One-time password)` window size defines the number of
+concurrently valid {abbr}`OTPs (One-time passwords)` that the authentication
+server accepts. This setting assumes a new token is generated every 30 seconds.
+
+The default value is 3. This permits 3 concurrent codes: the code for the
+current 30-second interval, the preceding code, and the following code. This
+allows up to 30 seconds of time skew between the authentication server and
+client.
+
+If the window size is increased to 17, the system permits 17 concurrent codes
+(the current code, the 8 preceding codes, and the 8 following codes). This
+allows for a time skew of up to 4 minutes.
+
+The valid range is 1 to 21.
+```
+
+
+### Generate an OTP-key
+
+Use the following command to generate an OTP key:
+
+```{cfgcmd} generate system login username \<username\> otp-key hotp-time rate-limit \<1-10\> rate-time \<15-600\> window-size \<1-21\>
+```
+
+Key generation example:
+
+```none
+vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5
+# You can share it with the user, he just needs to scan the QR in his OTP app
+# username: otptester
+# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
+# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
+████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
+████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
+████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
+████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
+████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
+█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
+████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
+████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
+████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
+████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
+████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
+████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
+████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
+████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
+████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
+████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
+████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
+████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+# To add this OTP key to configuration, run the following commands:
+set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
+set system login user otptester authentication otp rate-limit '2'
+set system login user otptester authentication otp rate-time '20'
+set system login user otptester authentication otp window-size '5'
+```
+
+### Display the OTP key for a user
+
+Use the following command to display the {abbr}`OTP (One-time password)`
+key for a user:
+
+```{cfgcmd} sh system login authentication user \<username\> otp \<full | key-b32 | qrcode | uri\>
+```
+
+Example:
+
+```none
+vyos@vyos:~$ sh system login authentication user otptester otp full
+# You can share the OTP key with the user. They just need to scan the QR in their OTP app.
+# username: otptester
+# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
+# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
+████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
+████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
+████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
+████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
+████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
+█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
+████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
+████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
+████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
+████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
+████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
+████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
+████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
+████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
+████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
+████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
+████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
+████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+# To add this OTP key to configuration, run the following commands:
+set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
+set system login user otptester authentication otp rate-limit '2'
+set system login user otptester authentication otp rate-time '20'
+set system login user otptester authentication otp window-size '5'
+```
+
+Once {abbr}`OTP (One-time password)`-based {abbr}`MFA (Multi-factor
+Authentication)` is configured for a user account, this user must enter their
+standard password followed by the current 6-digit OTP code at login. For
+example, if the user's password is `vyosrocks` and the OTP is `817454`, they
+should enter `vyosrocks817454`.
+
+## RADIUS authentication
+
+For large-scale deployments, managing individual user accounts across multiple
+VyOS instances is inefficient. VyOS supports centralized authentication via
+{abbr}`RADIUS (Remote Authentication Dial-In User Service)`, consolidating user
+account management on a single backend server.
+
+### Configuration
+
+```{cfgcmd} set system login radius server \<address\> key \<secret\>
+
+**Configure the** {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+**server's IP address and shared secret.**
+
+The shared secret is used to verify the router's identity and to encrypt user
+passwords during authentication.
+
+You can configure multiple {abbr}`RADIUS (Remote Authentication Dial-In User
+Service)` servers.
+```
+
+```{cfgcmd} set system login radius server \<address\> port \<port\>
+
+**Configure the UDP port for communication with the** {abbr}`RADIUS (Remote
+Authentication Dial-In User Service)` **server.**
+
+The default port is 1812.
+```
+
+```{cfgcmd} set system login radius server \<address\> disable
+
+**Disable a** {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+**server from the authentication process.**
+
+Disabling a specific {abbr}`RADIUS (Remote Authentication Dial-In User
+Service)` server doesn’t remove its configuration settings (the server’s IP
+address and shared secret).
+```
+
+```{cfgcmd} set system login radius server \<address\> timeout \<timeout\>
+
+Configure the duration, in seconds, that the VyOS router waits for a
+response from the {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+server after sending an authentication request.
+
+If the server does not respond within this timeframe, the VyOS router tries to
+connect to another configured server or falls back to local authentication.
+```
+
+```{cfgcmd} set system login radius source-address \<address\>
+
+**Configure the source IP address the router uses for** {abbr}`RADIUS (Remote
+Authentication Dial-In User Service)` **authentication requests.**
+
+A consistent source IP address is recommended as RADIUS servers typically
+accept requests only from known, trusted IP addresses.
+
+If not explicitly defined, the router uses the current egress interface
+address, which may change (e.g., due to a link outage), causing authentication
+failures.
+```
+
+```{cfgcmd} set system login radius vrf \<name\>
+
+**Configure the router to send all** {abbr}`RADIUS (Remote Authentication
+Dial-In User Service)` **authentication requests via a specific VRF.**
+
+By default, {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+authentication requests are sent via the global routing table.
+```
+
+### Configuration example
+
+```none
+set system login radius server 192.168.0.2 key 'test-vyos'
+set system login radius server 192.168.0.2 port '1812'
+set system login radius server 192.168.0.2 timeout '5'
+set system login radius source-address '192.168.0.1'
+```
+
+If communication with the {abbr}`RADIUS (Remote Authentication Dial-In User
+Service)` server fails, the router falls back to local user authentication.
+During this process, users may experience a login delay while the system waits
+for the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` request to
+time out. This delay depends on the configured timeout value.
+
+:::{hint}
+To grant administrative privileges to {abbr}`RADIUS (Remote
+Authentication Dial-In User Service)`-authenticated users, the server must
+return the Cisco-AV-Pair attribute set to `shell:priv-lvl=15`. Otherwise, users
+receive standard privileges and cannot perform configuration tasks.
+:::
+
+## TACACS+ authentication
+
+In addition to {abbr}`RADIUS (Remote Authentication Dial-In User Service)`,
+VyOS supports {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)`, which is commonly used in large enterprise environments.
+
+Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`,
+{abbr}`TACACS+ (Terminal Access Controller Access Control System)` separates
+Authentication, Authorization, and Accounting (AAA) into independent processes
+and encrypts the entire packet body for enhanced security.
+
+{abbr}`TACACS+ (Terminal Access Controller Access Control System)` is defined
+in {rfc}`8907`.
+(tacacs-configuration)=
+
+### Configuration
+
+```{cfgcmd} set system login tacacs server \<address\> key \<secret\>
+
+**Configure the** {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)` **server IP address and shared secret.**
+
+Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, which
+encrypts only passwords, {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` encrypts the entire packet body for enhanced security.
+
+You can configure multiple {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` servers.
+```
+
+```{cfgcmd} set system login tacacs server \<address\> port \<port\>
+
+**Configure the TCP port for communication with the** {abbr}`TACACS+ (Terminal
+Access Controller Access Control System)` **server.**
+
+The default port is 49.
+```
+
+```{cfgcmd} set system login tacacs server \<address\> disable
+
+**Disable a** {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)` **server from the authentication process.**
+
+Disabling a specific {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)` server doesn’t remove its configuration settings (the server’s IP
+address and shared secret).
+```
+
+```{cfgcmd} set system login tacacs server \<address\> timeout \<timeout\>
+
+Configure the duration, in seconds, that the VyOS router waits for a
+response from the {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` server after sending an authentication request.
+
+If the server does not respond within this timeframe, the VyOS router tries
+to connect to another configured server or falls back to local authentication.
+```
+
+```{cfgcmd} set system login tacacs source-address \<address\>
+
+**Configure the source IP address the router uses for**
+{abbr}`TACACS+ (Terminal Access Controller Access Control System)`
+**authentication requests.**
+
+A consistent source IP address is recommended as {abbr}`TACACS+ (Terminal
+Access Controller Access Control System)` servers typically accept requests
+only from known, trusted IP addresses.
+
+If not explicitly defined, the router uses the current egress interface address,
+which may change (e.g., due to a link outage), causing authentication failures.
+```
+
+```{cfgcmd} set system login tacacs vrf \<name\>
+
+Configure the router to send all {abbr}`TACACS+ (Terminal Access Controller
+Access Control System)` authentication requests via a specific VRF.
+
+By default, {abbr}`TACACS+ (Terminal Access Controller Access Control System)`
+authentication requests are sent via the global routing table.
+```
+
+(login-tacacs-example)=
+
+### Configuration example
+
+```none
+set system login tacacs server 192.168.0.2 key 'test-vyos'
+set system login tacacs server 192.168.0.2 port '49'
+set system login tacacs source-address '192.168.0.1'
+```
+
+If communication with the {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` server fails, the router falls back to local user
+authentication.
+
+## Login banners
+
+VyOS allows you to configure **pre-login** and **post-login** banners.
+Pre-login banners are typically used for system identification, legal disclaimers, or security warnings
+displayed before authentication, while post-login banners provide system
+information or operational notices to users after login.
+
+```{cfgcmd} set system login banner pre-login \<message\>
+
+Configure a message to be shown to users before the ``username`` and ``password``
+prompts appear.
+```
+
+```{cfgcmd} set system login banner post-login \<message\>
+
+Configure a message to be shown to users after successful authentication.
+```
+:::{note}
+Use `\\n` to insert line breaks in multi-line banner messages.
+:::
+
+## Login session limits
+
+```{cfgcmd} set system login max-login-session \<number\>
+
+**Configure the maximum number of concurrent login sessions.**
+```
+:::{note}
+If you limit concurrent login sessions, you must also configure a
+session `<timeout>`. This clears inactive sessions and prevents blocking new
+login attempts.
+:::
+```{cfgcmd} set system login timeout \<timeout\>
+
+**Configure the login session timeout, in seconds.**
+
+Idle login sessions are terminated after this period.
+```
+
+## Configuration examples
+
+Example 1: Multi-key SSH with MFA and source restrictions
+
+In this configuration, `User1` and `User2` both use the vyos user account,
+each with a unique SSH key. `User1` is restricted to authentication from a
+single IP address.
+
+For both users, password-based logins require {abbr}`OTP (One-time password)`
+-based {abbr}`MFA (Multi-factor Authentication)`.
+
+```none
+set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+set system login user vyos authentication public-keys 'User1' type ssh-rsa
+set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
+
+set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+set system login user vyos authentication public-keys 'User2' type ssh-rsa
+
+set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
+set system login user vyos authentication plaintext-password vyos
+```
+
+Example 2: Containerized {abbr}`TACACS+ (Terminal Access Controller Access Control System)`
+deployment with redundancy.
+
+In this configuration, the VyOS router hosts its own authentication
+infrastructure using two containerized {abbr}`TACACS+ (Terminal Access
+Controller Access Control System)` servers (`tacacs1` and `tacacs2`) on a
+private network for redundancy.
+
+System logins are authenticated against credentials stored within these internal
+containers rather than the router's local user database.
+
+First, download the image in operational mode:
+
+```none
+add container image lfkeitel/tacacs_plus:latest
+```
+
+Next, configure the containers in configuration mode:
+
+```none
+set container network tac-test prefix '100.64.0.0/24'
+
+set container name tacacs1 image 'lfkeitel/tacacs_plus:latest'
+set container name tacacs1 network tac-test address '100.64.0.11'
+
+set container name tacacs2 image 'lfkeitel/tacacs_plus:latest'
+set container name tacacs2 network tac-test address '100.64.0.12'
+
+set system login tacacs server 100.64.0.11 key 'tac_plus_key'
+set system login tacacs server 100.64.0.12 key 'tac_plus_key'
+
+commit
+```
+
+You can now log in via SSH or console using `admin/admin` credentials supplied
+by the container image.
diff --git a/docs/configuration/system/md-name-server.md b/docs/configuration/system/md-name-server.md
new file mode 100644
index 00000000..9090ba5f
--- /dev/null
+++ b/docs/configuration/system/md-name-server.md
@@ -0,0 +1,65 @@
+(system-dns)=
+
+# System DNS
+
+:::{warning}
+If you are configuring a VRF for management purposes, there is
+currently no way to force system DNS traffic via a specific VRF.
+:::
+
+This section describes configuring DNS on the system, namely:
+
+> - DNS name servers
+> - Domain search order
+
+## DNS name servers
+
+```{cfgcmd} set system name-server \<address\>
+
+Use this command to specify a DNS server for the system to be used
+for DNS lookups. More than one DNS server can be added, configuring
+one at a time. Both IPv4 and IPv6 addresses are supported.
+```
+
+
+### Example
+
+In this example, some *OpenNIC* servers are used, two IPv4 addresses
+and two IPv6 addresses:
+
+```none
+set system name-server 176.9.37.132
+set system name-server 195.10.195.195
+set system name-server 2a01:4f8:161:3441::1
+set system name-server 2a00:f826:8:2::195
+```
+
+
+## Domain search order
+
+In order for the system to use and complete unqualified host names, a
+list can be defined which will be used for domain searches.
+
+```{cfgcmd} set system domain-search \<domain\>
+
+Use this command to define domains, one at a time, so that the system
+uses them to complete unqualified host names. Maximum: 6 entries.
+```
+
+:::{note}
+Domain names can include letters, numbers, hyphens and periods
+with a maximum length of 253 characters.
+:::
+
+(name-server-domain-search-order-example)=
+
+### Example
+
+The system is configured to attempt domain completion in the following
+order: vyos.io (first), vyos.net (second) and vyos.network (last):
+
+```none
+set system domain-search vyos.io
+set system domain-search vyos.net
+set system domain-search vyos.network
+```
diff --git a/docs/configuration/system/md-option.md b/docs/configuration/system/md-option.md
new file mode 100644
index 00000000..c7a6ccf2
--- /dev/null
+++ b/docs/configuration/system/md-option.md
@@ -0,0 +1,190 @@
+(system-option)=
+
+# Option
+
+This chapter describe the possibilities of advanced system behavior.
+
+## General
+
+```{cfgcmd} set system option ctrl-alt-delete \<ignore | reboot | poweroff\>
+
+Action which will be run once the ctrl-alt-del keystroke is received.
+```
+
+```{cfgcmd} set system option reboot-on-panic
+
+Automatically reboot system on kernel panic after 60 seconds.
+```
+
+```{cfgcmd} set system option reboot-on-upgrade-failure \<timeout\>
+
+Automatically reboot after `timeout` minutes into the previous running
+image, that was used to perform the image upgrade.
+
+Reboot `timeout` is configurable in minutes. This gives the user the change
+to log into the system and perform some analysis before automatic rebooting.
+
+Automatic reboot can be cancelled after login using: {opcmd}`reboot cancel`
+```
+
+```{cfgcmd} set system option startup-beep
+
+Play an audible beep to the system speaker when system is ready.
+```
+
+```{cfgcmd} set system option root-partition-auto-resize
+
+Enables the root partition auto-extension and resizes to the maximum
+available space on system boot.
+```
+
+
+### Kernel
+
+```{cfgcmd} set system option kernel disable-mitigations
+
+Disable all optional CPU mitigations. This improves system performance,
+but it may also expose users to several CPU vulnerabilities.
+
+This will add the following option to the Kernel commandline:
+* ``mitigations=off``
+
+:::{note}
+Setting will only become active with the next reboot!
+:::
+```
+
+```{cfgcmd} set system option kernel disable-power-saving
+
+This will add the following two options to the Kernel commandline:
+* ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle
+* ``processor.max_cstate=1`` Limit processor to maximum C-state 1
+
+:::{note}
+Setting will only become active with the next reboot!
+:::
+```
+
+```{cfgcmd} set system option kernel amd-pstate-driver \<mode\>
+
+Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs.
+
+The available modes are:
+* ``active`` This is the low-level firmware control mode based on the profile
+set and the system governor has no effect.
+* ``passive`` The driver allows the system governor to manage CPU frequency
+while providing available performance states.
+* ``guided`` The driver allows to set desired performance levels and the firmware
+selects a performance level in this range and fitting to the current workload.
+
+This will add the following two options to the Kernel commandline:
+* ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale
+* ``amd_pstate={mode}`` Sets the p-state mode
+
+:::{note}
+Setting will only become active with the next reboot!
+:::
+
+:::{seealso}
+<https://docs.kernel.org/admin-guide/pm/amd-pstate.html>
+:::
+```
+
+```{cfgcmd} set system option kernel quiet
+
+Suppress most kernel messages during boot. This is useful for systems with
+embedded serial console interfaces to speed up the boot process.
+```
+
+
+## HTTP client
+
+```{cfgcmd} set system option http-client source-address \<address\>
+
+Several commands utilize cURL to initiate transfers. Configure the local
+source IPv4/IPv6 address used for all cURL operations.
+```
+
+```{cfgcmd} set system option http-client source-interface \<interface\>
+
+Several commands utilize curl to initiate transfers. Configure the local
+source interface used for all CURL operations.
+```
+
+:::{note}
+`source-address` and `source-interface` can not be used at the same
+time.
+:::
+
+## SSH client
+
+```{cfgcmd} set system option ssh-client source-address \<address\>
+
+Use the specified address on the local machine as the source address of the
+connection. Only useful on systems with more than one address.
+```
+
+```{cfgcmd} set system option ssh-client source-interface \<interface\>
+
+Use the address of the specified interface on the local machine as the
+source address of the connection.
+```
+
+
+## Keyboard Layout
+
+When starting a VyOS live system (the installation CD) the configured keyboard
+layout defaults to US. As this might not suite everyone's use case you can adjust
+the used keyboard layout on the system console.
+
+```{cfgcmd} set system option keyboard-layout \<us | fr | de | fi | no | dk\>
+
+Change system keyboard layout to given language.
+
+Defaults to ``us``.
+
+:::{note}
+Changing the keymap only has an effect on the system console, using
+SSH or Serial remote access to the device is not affected as the keyboard
+layout here corresponds to your access system.
+:::
+```
+
+(system-options-performance)=
+
+## Performance
+
+As more and more routers run on Hypervisors, expecially with a {abbr}`NOS
+(Network Operating System)` as VyOS, it makes fewer and fewer sense to use
+static resource bindings like `smp-affinity` as present in VyOS 1.2 and
+earlier to pin certain interrupt handlers to specific CPUs.
+
+We now utilize `tuned` for dynamic resource balancing based on profiles.
+
+:::{seealso}
+<https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf>
+:::
+
+```{cfgcmd} set system option performance \< throughput | latency \>
+
+Configure one of the predefined system performance profiles.
+
+* ``throughput``: A server profile focused on improving network throughput.
+ This profile favors performance over power savings by setting
+ ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network
+ buffer sizes.
+
+ It enables transparent huge pages, and uses cpupower to set the performance
+ cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us,
+ ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to
+ 40%.
+
+* ``latency``: A server profile focused on lowering network latency.
+ This profile favors performance over power savings by setting
+ ``intel_pstate`` and ``min_perf_pct=100``.
+
+ It disables transparent huge pages, and automatic NUMA balancing. It also
+ uses cpupower to set the performance cpufreq governor, and requests a
+ cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to
+ 50 us, and tcp_fastopen to 3.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-proxy.md b/docs/configuration/system/md-proxy.md
new file mode 100644
index 00000000..286e835f
--- /dev/null
+++ b/docs/configuration/system/md-proxy.md
@@ -0,0 +1,27 @@
+(system-proxy)=
+
+# System Proxy
+
+Some IT environments require the use of a proxy to connect to the Internet.
+Without this configuration VyOS updates could not be installed directly by
+using the {opcmd}`add system image` command ({ref}`update_vyos`).
+
+```{cfgcmd} set system proxy url \<url\>
+
+Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and
+FTP (anonymous ftp).
+```
+```{cfgcmd} set system proxy port \<port\>
+
+Configure proxy port if it does not listen to the default port 80.
+```
+```{cfgcmd} set system proxy username \<username\>
+
+Some proxys require/support the "basic" HTTP authentication scheme as per
+{rfc}`7617`, thus a username can be configured.
+```
+```{cfgcmd} set system proxy password \<password\>
+
+Some proxys require/support the "basic" HTTP authentication scheme as per
+{rfc}`7617`, thus a password can be configured.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-sflow.md b/docs/configuration/system/md-sflow.md
new file mode 100644
index 00000000..350bbdd8
--- /dev/null
+++ b/docs/configuration/system/md-sflow.md
@@ -0,0 +1,66 @@
+# sFlow
+
+VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector.
+
+sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device.
+
+The sFlow accounting based on hsflowd <https://sflow.net/>
+
+## Configuration
+
+```{cfgcmd} set system sflow agent-address \<address\>
+
+Configure sFlow agent IPv4 or IPv6 address
+```
+```{cfgcmd} set system sflow agent-interface \<interface\>
+
+Configure agent IP address associated with this interface.
+```
+```{cfgcmd} set system sflow drop-monitor-limit \<limit\>
+
+ Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets
+```
+
+
+```{cfgcmd} set system sflow interface \<interface\>
+
+Configure and enable collection of flow information for the interface identified by \<interface\>.
+
+You can configure multiple interfaces which would participate in sflow accounting.
+```
+```{cfgcmd} set system sflow polling \<sec\>
+
+ Configure schedule counter-polling in seconds (default: 30)
+```
+
+
+```{cfgcmd} set system sflow sampling-rate \<rate\>
+
+Use this command to configure the sampling rate for sFlow accounting (default: 1000)
+```
+
+
+```{cfgcmd} set system sflow server \<address\> port \<port\>
+
+Configure address of sFlow collector. sFlow server at \<address\> can be both listening on an IPv4 or IPv6 address.
+```
+
+
+```{cfgcmd} set system sflow enable-egress
+
+Use this command to if you need to sample also egress traffic
+```
+
+## Example
+
+```none
+set system sflow agent-address '192.0.2.14'
+set system sflow agent-interface 'eth0'
+set system sflow drop-monitor-limit '50'
+set system sflow interface 'eth0'
+set system sflow interface 'eth1'
+set system sflow polling '30'
+set system sflow sampling-rate '1000'
+set system sflow server 192.0.2.1 port '6343'
+set system sflow server 203.0.113.23 port '6343'
+```
diff --git a/docs/configuration/system/md-sysctl.md b/docs/configuration/system/md-sysctl.md
new file mode 100644
index 00000000..90434fb2
--- /dev/null
+++ b/docs/configuration/system/md-sysctl.md
@@ -0,0 +1,16 @@
+(sysctl)=
+
+# Sysctl
+
+:::{note}
+This page is a stub and needs expansion. Contributions
+welcome via the [VyOS documentation repository](https://github.com/vyos/vyos-documentation).
+:::
+
+This chapter describes how to configure kernel parameters at runtime.
+
+`sysctl` is used to modify kernel parameters at runtime. The parameters
+available are those listed under /proc/sys/.
+
+```{cfgcmd} set system sysctl parameter \<parameter\> value \<value\>
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-syslog.md b/docs/configuration/system/md-syslog.md
new file mode 100644
index 00000000..ae30d272
--- /dev/null
+++ b/docs/configuration/system/md-syslog.md
@@ -0,0 +1,450 @@
+(syslog)=
+
+# Syslog
+
+## Overview
+
+By default, VyOS provides a minimal logging configuration with local storage
+and log rotation. All errors, including local7 messages, are saved to a local
+file. Emergency alerts are sent to the console.
+
+To change these settings, enter configuration mode.
+
+## Syslog configuration
+
+Syslog supports logging to multiple destinations: a local file, a console, or
+a remote syslog server over UDP or TCP.
+
+The syslog configuration is organized into the following categories:
+
+- Global settings
+- Local logging
+- Console logging
+- Remote logging
+- TLS-encrypted remote logging
+
+### Global settings
+
+Configure the general behavior of the syslog service.
+
+```{cfgcmd} set system syslog marker interval \<number\>
+
+**Configure the interval, in seconds, for sending syslog mark messages.**
+
+Syslog mark messages confirm the logging service is operational.
+
+Default: 1200 seconds.
+```
+
+```{cfgcmd} set system syslog marker disable
+
+Disable sending syslog mark messages.
+```
+
+```{cfgcmd} set system syslog preserve-fqdn
+
+**Configure how the logging device's hostname appears in log messages sent
+to a remote syslog server.**
+
+If configured, the device includes its {abbr}`FQDN (Fully Qualified Domain
+Name)` in log messages, even if the syslog server is in the same domain.
+```
+
+
+### Local logging
+
+Configure which log messages to save to a local log file.
+
+```{cfgcmd} set system syslog local \<filename\> facility \<keyword\> level \<keyword\>
+
+**Configure syslog to save log messages for a specific facility and
+severity level to \`\`/var/log/messages\`\`.**
+
+Refer to the tables below for valid facility and severity options.
+```
+
+(syslog-console)=
+
+### Console logging
+
+Configure which log messages to send to `/dev/console`.
+
+```{cfgcmd} set system syslog console facility \<keyword\> level \<keyword\>
+
+**Configure syslog to send log messages for a specific facility and severity
+level to the device's console.**
+
+Refer to the tables below for valid facility and severity options.
+```
+
+(syslog-remote)=
+
+### Remote logging
+
+Configure **remote logging** to send log messages to a remote syslog server.
+
+Remote logging does not affect either **local** or **console logging** and
+runs in parallel with them. Remote logging supports sending log messages
+to multiple hosts.
+
+```{cfgcmd} set system syslog remote \<address\> facility \<keyword\> level \<keyword\>
+
+**Configure log transmission to the remote syslog server for a specific
+facility and severity level.**
+
+The server’s address can be specified using either a {abbr}`FQDN (Fully
+Qualified Domain Name)` or an IP address.
+
+Refer to the tables below for valid facility and severity options.
+```
+
+```{cfgcmd} set system syslog remote \<address\> protocol \<udp | tcp\>
+
+**Configure the protocol for log transmission.**
+
+The protocol can be either UDP or TCP. By default, log messages are sent
+over UDP.
+```
+
+```{cfgcmd} set system syslog remote \<address\> port \<port\>
+
+**Configure the port for log transmission.**
+
+By default, the standard port 514 is used.
+```
+
+```{cfgcmd} set system syslog remote \<address\> format include-timezone
+
+**Configure log transmission in the RFC 5424 format.**
+
+The RFC 5424 format includes the timezone in the timestamp. For example:
+
+:::{code-block} none
+<34>1 2003-10-11T22:14:15.003-07:00 mymachine.example.com su - ID47 - BOM’su root’ failed for lonvick on /dev/pts/8.
+:::
+
+By default, log messages are sent in the RFC 3164 format. For example:
+
+:::{code-block} none
+<34>Oct 11 22:14:15 mymachine su: ‘su root’ failed for lonvick on /dev/pts/8
+:::
+```
+
+```{cfgcmd} set system syslog remote \<address\> format octet-counted
+
+**Enable octet-counted framing for log transmission.**
+
+When enabled, multi-line log messages are sent without splitting. Ensure
+the remote server supports octet-counted framing to avoid parsing errors.
+
+Octet-counted framing is not available for the UDP protocol.
+```
+
+```{cfgcmd} set system syslog remote \<address\> vrf \<name\>
+
+Configure the {abbr}`VRF (Virtual Routing and Forwarding)` instance
+for log transmission.
+```
+
+```{cfgcmd} set system syslog remote \<address\> source-address \<address\>
+
+Configure the source IP address (IPv4 or IPv6) for log transmission.
+```
+
+
+#### {abbr}`TLS (Transport Layer Security)`-encrypted remote logging
+
+VyOS supports {abbr}`TLS (Transport Layer Security)`-encrypted remote logging
+over TCP to ensure secure transmission of syslog data to remote syslog servers.
+
+**Prerequisites**: Before configuring {abbr}`TLS (Transport Layer
+Security)`-encrypted remote logging, ensure you have:
+- A valid remote syslog server address.
+- Valid {abbr}`CA (Certificate Authority)` and client certificates uploaded
+ to the local {abbr}`PKI (Public Key Infrastructure)` storage.
+- The **remote syslog transport protocol** is set to **TCP**:
+
+ ```none
+ set system syslog remote <address> protocol tcp
+ ```
+
+:::{note}
+{abbr}`TLS (Transport Layer Security)`-encrypted remote logging is
+**not supported** over **UDP**.
+:::
+```{cfgcmd} set system syslog remote \<address\> tls
+
+Enable TLS-encrypted remote logging.
+
+```
+
+```{cfgcmd} set system syslog remote \<address\> tls ca-certificate \<ca_name\>
+
+**Configure the** {abbr}`CA (Certificate Authority)` **certificate.**
+
+The syslog client uses the {abbr}`CA (Certificate Authority)` certificate to
+verify the identity of the remote syslog server.
+
+The {abbr}`CA (Certificate Authority)` certificate is required for **all**
+authentication modes except ``anon``.
+
+```
+
+```{cfgcmd} set system syslog remote \<address\> tls certificate \<cert_name\>
+
+**Configure the client certificate.**
+
+The remote syslog server uses the client certificate to verify the identity
+of the syslog client.
+
+The client certificate is required if the remote syslog server enforces
+client certificate verification.
+
+```
+
+````{cfgcmd} set system syslog remote \<address\> tls auth-mode \<anon | fingerprint | certvalid | name\>
+
+**Configure the authentication mode.**
+
+The authentication mode defines how the syslog client verifies the syslog
+server's identity.
+
+The following authentication modes are available:
+
+```{eval-rst}
+* ``anon`` **(default)**: Allows encrypted connections without verifying the syslog
+ server's identity. This mode is **not recommended**, as it is vulnerable to
+ :abbr:`MITM (Man-in-the-Middle)` attacks.
+* ``fingerprint``: Verifies the server’s certificate fingerprint against the
+ value preconfigured with:
+
+ .. code-block:: none
+
+ set system syslog remote <address> tls permitted-peer <peer>
+
+* ``certvalid``: Verifies the server certificate is signed by a trusted
+ :abbr:`CA (Certificate Authority)`, skipping :abbr:`CN (Common Name)` check.
+* ``name``: Verifies that:
+
+ * The server’s certificate is signed by a trusted :abbr:`CA (Certificate
+ Authority)`.
+ * The :abbr:`CN (Common Name)` in the certificate matches the value
+ preconfigured with:
+
+ .. code-block:: none
+
+ set system syslog remote <address> tls permitted-peer <peer>
+
+ This is a **recommended** secure mode for production environments.
+```
+
+````
+
+```{cfgcmd} set system syslog remote \<address\> tls permitted-peer \<peer\>
+
+**Configure the peer certificate identifiers.**
+
+The certificate identifier format depends on the authentication mode:
+* ``fingerprint``: Enter the expected certificate fingerprints (SHA-1 or
+SHA-256).
+* ``name``: Enter the expected certificate {abbr}`CNs (Common Names)`.
+
+For ``anon`` and ``certvalid`` authentication modes, certificate identifiers
+are not required.
+
+```
+
+#### Examples:
+
+```none
+# Example of 'anon' authentication mode
+set system syslog remote 10.10.2.3 facility all level debug
+set system syslog remote 10.10.2.3 port 6514
+set system syslog remote 10.10.2.3 protocol tcp
+set system syslog remote 10.10.2.3 tls auth-mode anon
+# or just use 'set system syslog remote 10.10.2.3 tls'
+
+# Example of 'certvalid' authentication mode
+set system syslog remote elk.example.com facility all level debug
+set system syslog remote elk.example.com port 6514
+set system syslog remote elk.example.com protocol tcp
+set system syslog remote elk.example.com tls ca-certificate my-ca
+set system syslog remote elk.example.com tls auth-mode certvalid
+
+# Example of 'fingerprint' authentication mode
+set system syslog remote syslog.example.com facility all level debug
+set system syslog remote syslog.example.com port 6514
+set system syslog remote syslog.example.com protocol tcp
+set system syslog remote syslog.example.com tls ca-certificate my-ca
+set system syslog remote syslog.example.com tls auth-mode fingerprint
+set system syslog remote syslog.example.com tls permitted-peers 'SHA1:10:C4:26:...,SHA256:7B:4B:10:...'
+
+# Example of 'name' authentication mode
+set system syslog remote graylog.example.com facility all level debug
+set system syslog remote graylog.example.com port 6514
+set system syslog remote graylog.example.com protocol tcp
+set system syslog remote graylog.example.com tls ca-certificate my-ca
+set system syslog remote graylog.example.com tls certificate syslog-client
+set system syslog remote graylog.example.com tls auth-mode name
+set system syslog remote graylog.example.com tls permitted-peers 'graylog.example.com'
+```
+
+#### Security recommendations
+
+- For secure deployments, always use the `name` authentication mode. It
+ ensures that the server is validated by a trusted {abbr}`CA (Certificate
+ Authority)` and that the hostname matches the certificate.
+- Use the `anon` authentication mode only in testing environments, as it
+ doesn't provide server authentication.
+- Ensure private keys are generated, stored, and maintained exclusively within
+ the {doc}`PKI system </configuration/pki/index>`.
+(syslog_facilities)=
+
+## Syslog facilities
+
+This section lists facilities used by syslog. Most facility names are self-
+explanatory. The local0–local7 facilities are used for custom purposes, such as
+logging from network nodes and equipment. Facility assignment is flexible and
+should be tailored to your company's needs. Consider facilities as categorization
+tools, rather than strict directives.
+
+```{eval-rst}
++----------+----------+----------------------------------------------------+
+| Facility | Keyword | Description |
+| code | | |
++==========+==========+====================================================+
+| | all | All facilities |
++----------+----------+----------------------------------------------------+
+| 0 | kern | Kernel messages |
++----------+----------+----------------------------------------------------+
+| 1 | user | User-level messages |
++----------+----------+----------------------------------------------------+
+| 2 | mail | Mail system |
++----------+----------+----------------------------------------------------+
+| 3 | daemon | System daemons |
++----------+----------+----------------------------------------------------+
+| 4 | auth | Security/authentication messages |
++----------+----------+----------------------------------------------------+
+| 5 | syslog | Messages generated internally by syslog |
++----------+----------+----------------------------------------------------+
+| 6 | lpr | Line printer subsystem |
++----------+----------+----------------------------------------------------+
+| 7 | news | Network news subsystem |
++----------+----------+----------------------------------------------------+
+| 8 | uucp | UUCP subsystem |
++----------+----------+----------------------------------------------------+
+| 9 | cron | Clock daemon |
++----------+----------+----------------------------------------------------+
+| 10 | security | Security/authentication messages |
++----------+----------+----------------------------------------------------+
+| 11 | ftp | FTP daemon |
++----------+----------+----------------------------------------------------+
+| 12 | ntp | NTP subsystem |
++----------+----------+----------------------------------------------------+
+| 13 | logaudit | Log audit |
++----------+----------+----------------------------------------------------+
+| 14 | logalert | Log alert |
++----------+----------+----------------------------------------------------+
+| 15 | clock | clock daemon (note 2) |
++----------+----------+----------------------------------------------------+
+| 16 | local0 | local use 0 (local0) |
++----------+----------+----------------------------------------------------+
+| 17 | local1 | local use 1 (local1) |
++----------+----------+----------------------------------------------------+
+| 18 | local2 | local use 2 (local2) |
++----------+----------+----------------------------------------------------+
+| 19 | local3 | local use 3 (local3) |
++----------+----------+----------------------------------------------------+
+| 20 | local4 | local use 4 (local4) |
++----------+----------+----------------------------------------------------+
+| 21 | local5 | local use 5 (local5) |
++----------+----------+----------------------------------------------------+
+| 22 | local6 | local use 6 (local6) |
++----------+----------+----------------------------------------------------+
+| 23 | local7 | local use 7 (local7) |
++----------+----------+----------------------------------------------------+
+```
+
+(syslog_severity_level)=
+
+## Severity levels
+
+```{eval-rst}
++-------+---------------+---------+-------------------------------------------+
+| Value | Severity | Keyword | Description |
++=======+===============+=========+===========================================+
+| | | all | Log everything. |
++-------+---------------+---------+-------------------------------------------+
+| 0 | Emergency | emerg | System is unusable - a panic condition. |
++-------+---------------+---------+-------------------------------------------+
+| 1 | Alert | alert | Action must be taken immediately - A |
+| | | | condition that should be corrected |
+| | | | immediately, such as a corrupted system |
+| | | | database. |
++-------+---------------+---------+-------------------------------------------+
+| 2 | Critical | crit | Critical conditions - e.g., hard drive |
+| | | | errors. |
++-------+---------------+---------+-------------------------------------------+
+| 3 | Error | err | Error conditions. |
++-------+---------------+---------+-------------------------------------------+
+| 4 | Warning | warning | Warning conditions. |
++-------+---------------+---------+-------------------------------------------+
+| 5 | Notice | notice | Normal but significant conditions - |
+| | | | conditions that are not error conditions, |
+| | | | but that may require special handling. |
++-------+---------------+---------+-------------------------------------------+
+| 6 | Informational | info | Informational messages. |
++-------+---------------+---------+-------------------------------------------+
+| 7 | Debug | debug | Debug-level messages - Messages that |
+| | | | contain information normally of use only |
+| | | | when debugging a program. |
++-------+---------------+---------+-------------------------------------------+
+```
+
+## Display logs
+
+```{opcmd} show log [all | authorization | cluster | conntrack-sync | ...]
+
+**Display logs for a specific category on the console.**
+
+Use tab completion to view a list of available categories.
+
+If no category is specified, all logs are shown.
+
+```
+
+````{opcmd} show log image \<name\> [all | authorization | directory | file \<file name\> | tail \<lines\>]
+
+**Display logs for a specific image on the console.**
+
+Available log categories:
+
+```{eval-rst}
+.. list-table::
+ :widths: 25 75
+ :header-rows: 0
+
+ * - all
+ - Displays the contents of system log files of the specified image.
+ * - authorization
+ - Displays authorization attempts of the specified image.
+ * - directory
+ - Displays user-defined log files of the specified image.
+ * - file <file name>
+ - Displays the contents of a specified user-defined log file of the specified
+ image.
+ * - tail
+ - Displays last lines of the system log of the specified image.
+ * - <lines>
+ - Number of lines to be displayed, default 10.
+```
+
+````
+
+If no category is specified, the contents of the main syslog file are
+displayed.
+
+:::{hint}
+Use `show log | strip-private` to hide private data
+when displaying your logs.
+:::
diff --git a/docs/configuration/system/md-task-scheduler.md b/docs/configuration/system/md-task-scheduler.md
new file mode 100644
index 00000000..94ca9f4d
--- /dev/null
+++ b/docs/configuration/system/md-task-scheduler.md
@@ -0,0 +1,45 @@
+(task-scheduler)=
+
+# Task Scheduler
+
+The task scheduler allows you to execute tasks on a given schedule. It makes
+use of UNIX [cron].
+
+:::{note}
+All scripts executed this way are executed as root user - this may
+be dangerous. Together with {ref}`command-scripting` this can be used for
+automating (re-)configuration.
+:::
+
+```{cfgcmd} set system task-scheduler task \<task\> interval \<interval\>
+
+Specify the time interval when `<task>` should be executed. The interval
+is specified as number with one of the following suffixes:
+* ``none`` - Execution interval in minutes
+* ``m`` - Execution interval in minutes
+* ``h`` - Execution interval in hours
+* ``d`` - Execution interval in days
+
+:::{note}
+If suffix is omitted, minutes are implied.
+:::
+```
+
+```{cfgcmd} set system task-scheduler task \<task\> crontab-spec \<spec\>
+
+Set execution time in common cron time format. A cron `<spec>` of
+``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour.
+```
+
+```{cfgcmd} set system task-scheduler task \<task\> executable path \<path\>
+
+Specify absolute `<path>` to script which will be run when `<task>` is
+executed.
+```
+
+```{cfgcmd} set system task-scheduler task \<task\> executable arguments \<args\>
+
+Arguments which will be passed to the executable.
+```
+
+[cron]: https://en.wikipedia.org/wiki/Cron
diff --git a/docs/configuration/system/md-time-zone.md b/docs/configuration/system/md-time-zone.md
new file mode 100644
index 00000000..2279a773
--- /dev/null
+++ b/docs/configuration/system/md-time-zone.md
@@ -0,0 +1,17 @@
+(timezone)=
+
+# Time Zone
+
+Time Zone setting is very important as e.g all your logfile entries will be
+based on the configured zone. Without proper time zone configuration it will
+be very difficult to compare logfiles from different systems.
+
+```{cfgcmd} set system time-zone \<timezone\>
+
+Specify the systems \<timezone\> as the Region/Location that best defines
+your location. For example, specifying US/Pacific sets the time zone to US
+Pacific time.
+
+Command completion can be used to list available time zones. The adjustment
+for daylight time will take place automatically based on the time of year.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/md-updates.md b/docs/configuration/system/md-updates.md
new file mode 100644
index 00000000..c82d37be
--- /dev/null
+++ b/docs/configuration/system/md-updates.md
@@ -0,0 +1,36 @@
+# Updates
+
+VyOS supports online checking for updates
+
+## Configuration
+
+```{cfgcmd} set system update-check auto-check
+
+Configure auto-checking for new images
+```
+
+```{cfgcmd} set system update-check url \<url\>
+
+Configure a URL that contains information about images.
+```
+
+
+## Example
+
+```none
+set system update-check auto-check
+set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'
+```
+
+Check:
+
+```none
+vyos@r4:~$ show system updates
+Current version: 1.5-rolling-202312220023
+
+Update available: 1.5-rolling-202312250024
+Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso
+vyos@r4:~$
+
+vyos@r4:~$ add system image latest
+```
diff --git a/docs/configuration/system/md-watchdog.md b/docs/configuration/system/md-watchdog.md
new file mode 100644
index 00000000..700051a6
--- /dev/null
+++ b/docs/configuration/system/md-watchdog.md
@@ -0,0 +1,212 @@
+(system-watchdog)=
+
+# Watchdog
+
+VyOS supports hardware watchdog timers to automatically reboot the system if
+it becomes unresponsive. This is particularly useful for remote or embedded
+systems where physical access is limited.
+
+A watchdog timer is a hardware or software mechanism that automatically resets
+the system if the operating system stops responding within a configured timeout
+period. The system will periodically notify the watchdog that it is still
+running. If the watchdog is not notified within the timeout period, the watchdog
+will reset the system.
+
+## Configuration
+
+The watchdog feature is configured under the `system watchdog` configuration
+tree. The presence of the `system watchdog` node enables the watchdog feature.
+
+```{cfgcmd} set system watchdog
+
+Enable watchdog support.
+
+The watchdog is enabled only when a watchdog device is available as
+``/dev/watchdog0``.
+
+:::{note}
+If multiple watchdog devices are present, only the first watchdog
+device is supported (VyOS uses ``/dev/watchdog0`` only).
+:::
+If ``/dev/watchdog0`` does not exist and no module is configured, commit will
+fail. If a module is configured but ``/dev/watchdog0`` still cannot be
+created, VyOS will emit a warning and will not enable the systemd watchdog.
+```
+
+```{cfgcmd} set system watchdog module \<module-name\>
+
+Specify the kernel watchdog driver module to load for ``/dev/watchdog0``.
+
+The configured module must be a watchdog driver module, not an arbitrary
+kernel module.
+
+**In most cases, this option is not required** as the kernel will
+automatically load the appropriate watchdog driver for your system. Use this
+option if the kernel fails to load the required driver, or when you want to
+use the software watchdog (``softdog``).
+
+Common modules include:
+* ``softdog`` - Software watchdog timer (available on all systems)
+* ``iTCO_wdt`` - Intel TCO watchdog timer
+* ``sp5100_tco`` - AMD SP5100 TCO watchdog timer
+* ``i6300esb`` - Intel 6300ESB watchdog timer
+* ``ipmi_watchdog`` - IPMI watchdog timer
+
+:::{warning}
+``softdog`` is not a hardware watchdog. It is implemented using
+kernel timers and therefore depends on the Linux kernel continuing to run.
+In some fault conditions (for example, a kernel hang), ``softdog`` may not
+be able to trigger a reset.
+
+Prefer a hardware watchdog driver whenever possible, as hardware watchdogs
+can operate independently of the operating system.
+:::
+
+If no module is specified, VyOS will use an existing ``/dev/watchdog0``
+device if available.
+
+:::{note}
+If a module is specified but a different driver is actually bound
+to ``watchdog0``, VyOS will emit a warning during commit.
+:::
+Example:
+
+:::{code-block} none
+set system watchdog module softdog
+:::
+```
+
+```{cfgcmd} set system watchdog timeout \<seconds\>
+:defaultvalue:
+
+Set the watchdog timeout for normal runtime operation in seconds.
+
+Valid range: 1-65535 seconds
+
+:::{note}
+Some watchdog drivers expose minimum and maximum supported runtime
+timeouts via sysfs. When available, VyOS validates ``timeout`` against
+those driver limits during commit.
+:::
+
+This is the interval during which the system must respond to the watchdog.
+If the system does not respond within this time, the watchdog will trigger
+a reboot.
+
+Example:
+
+:::{code-block} none
+set system watchdog timeout 30
+:::
+```
+
+```{cfgcmd} set system watchdog shutdown-timeout \<seconds\>
+:defaultvalue:
+
+Set the watchdog timeout during system shutdown in seconds.
+
+Valid range: 60-65535 seconds
+
+This extended timeout allows the system to complete a graceful shutdown
+without triggering the watchdog.
+
+:::{warning}
+Setting this value too low (below 120 seconds) may cause
+unclean shutdowns, as the system may not have enough time to properly
+stop all services and flush disk buffers. The recommended minimum value
+is 120 seconds.
+:::
+Example:
+
+:::{code-block} none
+set system watchdog shutdown-timeout 180
+:::
+```
+
+```{cfgcmd} set system watchdog reboot-timeout \<seconds\>
+:defaultvalue:
+
+Set the watchdog timeout during system reboot in seconds.
+
+Valid range: 60-65535 seconds
+
+This extended timeout allows the system to complete the reboot process
+without triggering the watchdog during the transition.
+
+:::{warning}
+Setting this value too low (below 120 seconds) may cause
+unclean reboots, as the system may not have enough time to properly
+stop all services before restarting. The recommended minimum value
+is 120 seconds.
+:::
+Example:
+
+:::{code-block} none
+set system watchdog reboot-timeout 180
+:::
+```
+
+
+## Examples
+
+### Basic Configuration with Software Watchdog
+
+This example configures a basic software watchdog with default timeouts:
+
+```none
+set system watchdog module softdog
+```
+
+This will:
+- Enable the watchdog feature
+- Load the `softdog` kernel module
+- Use a 10-second runtime timeout (default)
+- Use 120-second shutdown and reboot timeouts (default)
+
+### Advanced Configuration
+
+This example shows a more customized configuration suitable for a production
+system:
+
+```none
+set system watchdog module iTCO_wdt
+set system watchdog timeout 30
+set system watchdog shutdown-timeout 300
+set system watchdog reboot-timeout 300
+```
+
+This configuration:
+
+- Enables the watchdog feature
+- Loads the Intel TCO hardware watchdog module
+- Sets a 30-second runtime timeout
+- Allows 5 minutes for shutdown and reboot operations
+
+## Best Practices
+
+- **Start with conservative timeouts**: Use longer timeouts initially and
+ reduce them as you gain confidence in system stability.
+- **Test before deployment**: Verify the watchdog works as expected in a
+ non-production environment before deploying to production systems.
+- **Choose appropriate modules**: Use hardware watchdog modules (like
+ `iTCO_wdt`) when available, as they are more reliable than software
+ watchdogs.
+- **Consider shutdown time**: Set `shutdown-timeout` and `reboot-timeout`
+ values high enough to allow for normal shutdown procedures, especially on
+ systems with many services or slow storage.
+- **Monitor watchdog events**: Check system logs after any unexpected reboots
+ to determine if the watchdog triggered the reboot.
+- **Remote systems**: For systems without physical console access, use
+ conservative timeout values to avoid false-positive reboots during high
+ load conditions.
+
+:::{note}
+The watchdog configuration takes effect immediately after commit,
+but systemd must be reloaded. This happens automatically during commit.
+:::
+
+:::{warning}
+Incorrect watchdog configuration on remote systems can result
+in unexpected reboots. Always test watchdog settings in a controlled
+environment before deploying to production systems.
+:::