summaryrefslogtreecommitdiff
path: root/docs/configuration/system
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/system')
-rw-r--r--docs/configuration/system/acceleration.md158
-rw-r--r--docs/configuration/system/conntrack.md218
-rw-r--r--docs/configuration/system/console.md59
-rw-r--r--docs/configuration/system/default-route.md40
-rw-r--r--docs/configuration/system/flow-accounting.md209
-rw-r--r--docs/configuration/system/frr.md45
-rw-r--r--docs/configuration/system/host-name.md70
-rw-r--r--docs/configuration/system/index.md34
-rw-r--r--docs/configuration/system/ip.md126
-rw-r--r--docs/configuration/system/ipv6.md193
-rw-r--r--docs/configuration/system/lcd.md41
-rw-r--r--docs/configuration/system/login.md604
-rw-r--r--docs/configuration/system/name-server.md65
-rw-r--r--docs/configuration/system/option.md190
-rw-r--r--docs/configuration/system/proxy.md27
-rw-r--r--docs/configuration/system/sflow.md66
-rw-r--r--docs/configuration/system/sysctl.md16
-rw-r--r--docs/configuration/system/syslog.md450
-rw-r--r--docs/configuration/system/task-scheduler.md45
-rw-r--r--docs/configuration/system/time-zone.md17
-rw-r--r--docs/configuration/system/updates.md36
-rw-r--r--docs/configuration/system/watchdog.md212
22 files changed, 2921 insertions, 0 deletions
diff --git a/docs/configuration/system/acceleration.md b/docs/configuration/system/acceleration.md
new file mode 100644
index 00000000..871129e6
--- /dev/null
+++ b/docs/configuration/system/acceleration.md
@@ -0,0 +1,158 @@
+(acceleration)=
+
+# Acceleration
+
+In this command tree, all hardware acceleration options will be handled.
+At the moment only [Intel® QAT] is supported
+
+## Intel® QAT
+
+```{opcmd} show system acceleration qat
+
+use this command to check if there is an Intel® QAT supported Processor in your system.
+
+:::{code-block} none
+vyos@vyos:~$ show system acceleration qat
+01:00.0 Co-processor [0b40]: Intel Corporation Atom Processor C3000 Series QuickAssist Technology [8086:19e2] (rev 11)
+:::
+
+if there is non device the command will show `` `No QAT device found` ``
+```
+
+```{cfgcmd} set system acceleration qat
+
+if there is a supported device, enable Intel® QAT
+```
+
+
+```{opcmd} show system acceleration qat status
+
+Check if the Intel® QAT device is up and ready to do the job.
+
+:::{code-block} none
+vyos@vyos:~$ show system acceleration qat status
+Checking status of all devices.
+There is 1 QAT acceleration device(s) in the system:
+qat_dev0 - type: c3xxx, inst_id: 0, node_id: 0, bsf: 0000:01:00.0, #accel: 3 #engines: 6 state: up
+:::
+```
+
+
+### Operation Mode
+
+```{opcmd} show system acceleration qat device \<device\> config
+
+Show the full config uploaded to the QAT device.
+```
+
+
+```{opcmd} show system acceleration qat device \<device\> flows
+
+Get an overview over the encryption counters.
+```
+
+
+```{opcmd} show system acceleration qat interrupts
+
+Show binded qat device interrupts to certain core.
+```
+
+
+### Example
+
+Let's build a simple VPN between 2 Intel® QAT ready devices.
+
+Side A:
+
+```
+set interfaces vti vti1 address '192.168.1.2/24'
+set vpn ipsec authentication psk right id '10.10.10.2'
+set vpn ipsec authentication psk right id '10.10.10.1'
+set vpn ipsec authentication psk right secret 'Qwerty123'
+set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+set vpn ipsec interface 'eth0'
+set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2'
+set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1'
+set vpn ipsec site-to-site peer right connection-type 'initiate'
+set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
+set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
+set vpn ipsec site-to-site peer right local-address '10.10.10.2'
+set vpn ipsec site-to-site peer right remote-address '10.10.10.1'
+set vpn ipsec site-to-site peer right vti bind 'vti1'
+```
+
+Side B:
+
+```
+set interfaces vti vti1 address '192.168.1.1/24'
+set vpn ipsec authentication psk left id '10.10.10.2'
+set vpn ipsec authentication psk left id '10.10.10.1'
+set vpn ipsec authentication psk left secret 'Qwerty123'
+set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
+set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
+set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
+set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
+set vpn ipsec interface 'eth0'
+set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1'
+set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
+set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2'
+set vpn ipsec site-to-site peer left connection-type 'initiate'
+set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
+set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
+set vpn ipsec site-to-site peer left local-address '10.10.10.1'
+set vpn ipsec site-to-site peer left remote-address '10.10.10.2'
+set vpn ipsec site-to-site peer left vti bind 'vti1'
+```
+
+a bandwidth test over the VPN got these results:
+
+```
+Connecting to host 192.168.1.2, port 5201
+[ 9] local 192.168.1.1 port 51344 connected to 192.168.1.2 port 5201
+[ ID] Interval Transfer Bitrate Retr Cwnd
+[ 9] 0.00-1.01 sec 32.3 MBytes 268 Mbits/sec 0 196 KBytes
+[ 9] 1.01-2.03 sec 32.5 MBytes 268 Mbits/sec 0 208 KBytes
+[ 9] 2.03-3.03 sec 32.5 MBytes 271 Mbits/sec 0 208 KBytes
+[ 9] 3.03-4.04 sec 32.5 MBytes 272 Mbits/sec 0 208 KBytes
+[ 9] 4.04-5.00 sec 31.2 MBytes 272 Mbits/sec 0 208 KBytes
+[ 9] 5.00-6.01 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+[ 9] 6.01-7.04 sec 32.5 MBytes 265 Mbits/sec 0 234 KBytes
+[ 9] 7.04-8.04 sec 32.5 MBytes 272 Mbits/sec 0 234 KBytes
+[ 9] 8.04-9.04 sec 32.5 MBytes 273 Mbits/sec 0 336 KBytes
+[ 9] 9.04-10.00 sec 31.2 MBytes 272 Mbits/sec 0 336 KBytes
+- - - - - - - - - - - - - - - - - - - - - - - - -
+[ ID] Interval Transfer Bitrate Retr
+[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec 0 sender
+[ 9] 0.00-10.00 sec 322 MBytes 270 Mbits/sec receiver
+```
+
+with {cfgcmd}`set system acceleration qat` on both systems the bandwidth
+increases.
+
+```
+Connecting to host 192.168.1.2, port 5201
+[ 9] local 192.168.1.1 port 51340 connected to 192.168.1.2 port 5201
+[ ID] Interval Transfer Bitrate Retr Cwnd
+[ 9] 0.00-1.00 sec 97.3 MBytes 817 Mbits/sec 0 1000 KBytes
+[ 9] 1.00-2.00 sec 92.5 MBytes 776 Mbits/sec 0 1.07 MBytes
+[ 9] 2.00-3.00 sec 92.5 MBytes 776 Mbits/sec 0 820 KBytes
+[ 9] 3.00-4.00 sec 92.5 MBytes 776 Mbits/sec 0 899 KBytes
+[ 9] 4.00-5.00 sec 91.2 MBytes 765 Mbits/sec 0 972 KBytes
+[ 9] 5.00-6.00 sec 92.5 MBytes 776 Mbits/sec 0 1.02 MBytes
+[ 9] 6.00-7.00 sec 92.5 MBytes 776 Mbits/sec 0 1.08 MBytes
+[ 9] 7.00-8.00 sec 92.5 MBytes 776 Mbits/sec 0 1.14 MBytes
+[ 9] 8.00-9.00 sec 91.2 MBytes 765 Mbits/sec 0 915 KBytes
+[ 9] 9.00-10.00 sec 92.5 MBytes 776 Mbits/sec 0 1000 KBytes
+- - - - - - - - - - - - - - - - - - - - - - - - -
+[ ID] Interval Transfer Bitrate Retr
+[ 9] 0.00-10.00 sec 927 MBytes 778 Mbits/sec 0 sender
+[ 9] 0.00-10.01 sec 925 MBytes 775 Mbits/sec receiver
+```
+
+[intel® qat]: https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html
diff --git a/docs/configuration/system/conntrack.md b/docs/configuration/system/conntrack.md
new file mode 100644
index 00000000..f83f0684
--- /dev/null
+++ b/docs/configuration/system/conntrack.md
@@ -0,0 +1,218 @@
+# Conntrack
+
+VyOS can be configured to track connections using the connection
+tracking subsystem. Connection tracking becomes operational once either
+stateful firewall or NAT is configured.
+
+## Configure
+
+```{cfgcmd} set system conntrack table-size \<1-50000000\>
+:defaultvalue:
+
+The connection tracking table contains one entry for each connection being
+tracked by the system.
+```
+
+```{cfgcmd} set system conntrack expect-table-size \<1-50000000\>
+:defaultvalue:
+
+The connection tracking expect table contains one entry for each expected
+connection related to an existing connection. These are generally used by
+“connection tracking helper” modules such as FTP.
+The default size of the expect table is 2048 entries.
+```
+
+```{cfgcmd} set system conntrack hash-size \<1-50000000\>
+:defaultvalue:
+
+Set the size of the hash table. The connection tracking hash table makes
+searching the connection tracking table faster. The hash table uses
+“buckets” to record entries in the connection tracking table.
+```
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack modules ftp
+.. cfgcmd:: set system conntrack modules h323
+.. cfgcmd:: set system conntrack modules nfs
+.. cfgcmd:: set system conntrack modules pptp
+.. cfgcmd:: set system conntrack modules sip
+.. cfgcmd:: set system conntrack modules sqlnet
+.. cfgcmd:: set system conntrack modules tftp
+
+ Configure the connection tracking protocol helper modules.
+ All modules are enable by default.
+
+ | Use `delete system conntrack modules` to deactive all modules.
+ | Or, for example ftp, `delete system conntrack modules ftp`.
+```
+
+```{cfgcmd} set system conntrack tcp half-open-connections \<1-21474836\>
+:defaultvalue:
+
+Set the maximum number of TCP half-open connections.
+```
+
+```{cfgcmd} set system conntrack tcp loose \<enable | disable\>
+:defaultvalue:
+
+Policy to track previously established connections.
+```
+
+```{cfgcmd} set system conntrack tcp max-retrans \<1-2147483647\>
+:defaultvalue:
+
+Set the number of TCP maximum retransmit attempts.
+```
+
+### Contrack Timeouts
+
+You can define custom timeout values to apply to a specific subset of
+connections, based on a packet and flow selector. To do this, you need to
+create a rule defining the packet and flow selector.
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ description <test>
+
+ Set a rule description.
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
+
+ Set a destination and/or source address. Accepted input for ipv4:
+
+ .. code-block:: none
+
+ set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
+ Possible completions:
+ <x.x.x.x> IPv4 address to match
+ <x.x.x.x/x> IPv4 prefix to match
+ <x.x.x.x>-<x.x.x.x> IPv4 address range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified prefix
+ !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
+
+ set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
+ Possible completions:
+ <h:h:h:h:h:h:h:h> IP address to match
+ <h:h:h:h:h:h:h:h/x> Subnet to match
+ <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ IP range to match
+ !<h:h:h:h:h:h:h:h> Match everything except the specified address
+ !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
+ !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ Match everything except the specified range
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination port <value>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source port <value>
+
+ Set a destination and/or source port. Accepted input:
+
+ .. code-block:: none
+
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+
+ Multiple destination ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using '!'. For example:
+ `!22,telnet,http,123,1001-1005``
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp established <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp last-ack <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp time-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp replied <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp unreplied <1-21474836>
+
+ Set the timeout in seconds for a protocol or state in a custom rule.
+```
+
+### Conntrack ignore rules
+
+:::{note}
+**Important note about conntrack ignore rules:**
+Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in
+``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in
+the future the conntrack ignore rules will be removed.
+
+> Customized ignore rules, based on a packet and flow selector.
+:::
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ description <text>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ protocol <protocol>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+```
+
+### Conntrack log
+
+```{eval-rst}
+.. cfgcmd:: set system conntrack log event destroy
+.. cfgcmd:: set system conntrack log event new
+.. cfgcmd:: set system conntrack log event update
+
+ Log the connection tracking events per type.
+
+.. cfgcmd:: set system conntrack log event destroy icmp
+.. cfgcmd:: set system conntrack log event destroy other
+.. cfgcmd:: set system conntrack log event destroy tcp
+.. cfgcmd:: set system conntrack log event destroy udp
+.. cfgcmd:: set system conntrack log event new icmp
+.. cfgcmd:: set system conntrack log event new other
+.. cfgcmd:: set system conntrack log event new tcp
+.. cfgcmd:: set system conntrack log event new udp
+.. cfgcmd:: set system conntrack log event update icmp
+.. cfgcmd:: set system conntrack log event update other
+.. cfgcmd:: set system conntrack log event update tcp
+.. cfgcmd:: set system conntrack log event update udp
+
+ Log the connection tracking events per protocol.
+
+.. cfgcmd:: set system conntrack log timestamp
+
+ Turn on flow-based timestamp extension.
+
+.. cfgcmd:: set system conntrack log queue-size <100-999999>
+
+ Manage internal queue size, default size is 4096 events.
+
+.. cfgcmd:: set system conntrack log log-level <info | debug>
+
+ Manage log level
+``` \ No newline at end of file
diff --git a/docs/configuration/system/console.md b/docs/configuration/system/console.md
new file mode 100644
index 00000000..9017fa30
--- /dev/null
+++ b/docs/configuration/system/console.md
@@ -0,0 +1,59 @@
+(serial-console)=
+
+# Serial Console
+
+For the average user a serial console has no advantage over a console offered
+by a directly attached keyboard and screen. Serial consoles are much slower,
+taking up to a second to fill a 80 column by 24 line screen. Serial consoles
+generally only support non-proportional ASCII text, with limited support for
+languages other than English.
+
+There are some scenarios where serial consoles are useful. System administration
+of remote computers is usually done using {ref}`ssh`, but there are times when
+access to the console is the only way to diagnose and correct software failures.
+Major upgrades to the installed distribution may also require console access.
+
+```{cfgcmd} set system console device \<device\>
+
+Defines the specified device as a system console. Available console devices
+can be (see completion helper):
+* ``ttySN`` - Serial device name
+* ``ttyAMAN``- Serial device name for some arm64 systems
+* ``ttyUSBX`` - USB Serial device name
+* ``hvc0`` - Xen console
+```
+
+```{cfgcmd} set system console device \<device\> kernel
+
+When set, the selected serial console is used as the kernel boot console.
+When removed, the kernel boot console falls back to tty0.
+
+:::{note}
+Only one serial console can carry the ``kernel`` option.
+When VyOS is installed via serial console, this option is set automatically
+for the serial interface used during installation; usually ``ttyS0`` or
+``ttyAMA0``.
+:::
+```
+
+```{cfgcmd} set system console device \<device\> speed \<speed\>
+
+The speed (baudrate) of the console device. Supported values are:
+* ``1200`` - 1200 bps
+* ``2400`` - 2400 bps
+* ``4800`` - 4800 bps
+* ``9600`` - 9600 bps
+* ``19200`` - 19,200 bps
+* ``38400`` - 38,400 bps (default for Xen console)
+* ``57600`` - 57,600 bps
+* ``115200`` - 115,200 bps (default for serial console)
+
+:::{note}
+If you use USB to serial converters for connecting to your VyOS
+appliance please note that most of them use software emulation without flow
+control. This means you should start with a common baud rate (most likely
+9600 baud) as otherwise you probably can not connect to the device using
+high speed baud rates as your serial converter simply can not process this
+data rate.
+:::
+``` \ No newline at end of file
diff --git a/docs/configuration/system/default-route.md b/docs/configuration/system/default-route.md
new file mode 100644
index 00000000..9f2793d1
--- /dev/null
+++ b/docs/configuration/system/default-route.md
@@ -0,0 +1,40 @@
+(default-gateway)=
+
+# Default Gateway/Route
+
+In the past (VyOS 1.1) used a gateway-address configured under the system tree
+({cfgcmd}`set system gateway-address <address>`), this is no longer supported
+and existing configurations are migrated to the new CLI command.
+
+## Configuration
+
+```{cfgcmd} set protocols static route 0.0.0.0/0 next-hop \<address\>
+
+Specify static route into the routing table sending all non local traffic
+to the nexthop address \<address\>.
+```
+
+```{cfgcmd} delete protocols static route 0.0.0.0/0
+
+Delete default route from the system.
+```
+
+
+## Operation
+
+```{opcmd} show ip route 0.0.0.0
+
+Show routing table entry for the default route.
+
+:::{code-block} none
+vyos@vyos:~$ show ip route 0.0.0.0
+Routing entry for 0.0.0.0/0
+Known via "static", distance 10, metric 0, best
+Last update 09:46:30 ago
+* 172.18.201.254, via eth0.201
+:::
+```
+
+:::{seealso}
+Configuration of {ref}`routing-static`
+:::
diff --git a/docs/configuration/system/flow-accounting.md b/docs/configuration/system/flow-accounting.md
new file mode 100644
index 00000000..c97d5473
--- /dev/null
+++ b/docs/configuration/system/flow-accounting.md
@@ -0,0 +1,209 @@
+(flow-accounting)=
+
+# Flow Accounting
+
+VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts
+as a flow exporter, and you are free to use it with any compatible collector.
+
+Flows can be exported via protocol NetFlow (versions 5, 9 and
+10/IPFIX). Additionally, you may save flows to an in-memory table
+internally in a router.
+
+:::{warning}
+You need to disable the in-memory table in production environments!
+Using {abbr}`IMT (In-Memory Table)` may lead to heavy CPU overloading and
+unstable flow-accounting behavior.
+:::
+
+## NetFlow / IPFIX
+
+NetFlow is a feature that was introduced on Cisco routers around 1996 that
+provides the ability to collect IP network traffic as it enters or exits an
+interface. By analyzing the data provided by NetFlow, a network administrator
+can determine things such as the source and destination of traffic, class of
+service, and the causes of congestion. A typical flow monitoring setup (using
+NetFlow) consists of three main components:
+
+- **exporter**: aggregates packets into flows and exports flow records towards
+ one or more flow collectors
+- **collector**: responsible for reception, storage and pre-processing of flow
+ data received from a flow exporter
+- **application**: analyzes received flow data in the context of intrusion
+ detection or traffic profiling, for example
+
+For connectionless protocols as like ICMP and UDP, a flow is considered
+complete once no more packets for this flow appear after configurable timeout.
+
+NetFlow is usually enabled on a per-interface basis to limit load on the router
+components involved in NetFlow, or to limit the amount of NetFlow records
+exported.
+
+## Configuration
+
+:::{warning}
+Using NetFlow on routers with high traffic levels may lead to
+high CPU usage and may affect the router's performance. In such cases,
+consider using sFlow instead.
+:::
+
+In order for flow accounting information to be collected and displayed for an
+interface, the interface must be configured for flow accounting.
+
+```{cfgcmd} set system flow-accounting interface \<interface\>
+
+Configure and enable collection of flow information for the interface
+identified by \<interface\>.
+
+You can configure multiple interfaces which would participate in flow
+accounting.
+```
+
+:::{note}
+Will be recorded only packets/flows on **incoming** direction in
+configured interfaces by default.
+:::
+
+By default, recorded flows will be saved internally and can be listed with the
+CLI command. You may disable using the local in-memory table with the command:
+
+```{cfgcmd} set system flow-accounting disable-imt
+
+If you need to sample also egress traffic, you may want to
+configure egress flow-accounting:
+```
+
+```{cfgcmd} set system flow-accounting enable-egress
+
+Internally, in flow-accounting processes exist a buffer for data exchanging
+between core process and plugins (each export target is a separated plugin).
+If you have high traffic levels or noted some problems with missed records
+or stopping exporting, you may try to increase a default buffer size (10
+MiB) with the next command:
+```
+
+```{cfgcmd} set system flow-accounting buffer-size \<buffer size\>
+
+In case, if you need to catch some logs from flow-accounting daemon, you may
+configure logging facility:
+```
+
+```{cfgcmd} set system flow-accounting syslog-facility \<facility\>
+
+Set the syslog facility for flow-accounting log messages. Supported values
+include ``daemon``, ``local0`` through ``local7``, and other standard syslog
+facilities.
+```
+
+
+### Flow Export
+
+In addition to displaying flow accounting information locally, one can also
+exported them to a collection server.
+
+#### NetFlow
+
+```{cfgcmd} set system flow-accounting netflow version \<version\>
+
+There are multiple versions available for the NetFlow data. The \<version\>
+used in the exported flow data can be configured here. The following
+versions are supported:
+* **5** - Most common version, but restricted to IPv4 flows only
+* **9** - NetFlow version 9 (default)
+* **10** - {abbr}`IPFIX (IP Flow Information Export)` as per {rfc}`3917`
+```
+
+```{cfgcmd} set system flow-accounting netflow server \<address\>
+
+Configure address of NetFlow collector. NetFlow server at \<address\> can
+be both listening on an IPv4 or IPv6 address.
+```
+
+```{cfgcmd} set system flow-accounting netflow source-ip \<address\>
+
+IPv4 or IPv6 source address of NetFlow packets
+```
+
+```{cfgcmd} set system flow-accounting netflow engine-id \<id\>
+
+NetFlow engine-id which will appear in NetFlow data. The range is 0 to 255.
+```
+
+```{cfgcmd} set system flow-accounting netflow sampling-rate \<rate\>
+
+Use this command to configure the sampling rate for flow accounting. The
+system samples one in every \<rate\> packets, where \<rate\> is the value
+configured for the sampling-rate option. The advantage of sampling every n
+packets, where n > 1, allows you to decrease the amount of processing
+resources required for flow accounting. The disadvantage of not sampling
+every packet is that the statistics produced are estimates of actual data
+flows.
+
+Per default every packet is sampled (that is, the sampling rate is 1).
+```
+
+```{cfgcmd} set system flow-accounting netflow timeout expiry-interval \<interval\>
+
+Specifies the interval at which Netflow data will be sent to a collector. As
+per default, Netflow data will be sent every 60 seconds.
+
+You may also additionally configure timeouts for different types of
+connections.
+```
+
+```{cfgcmd} set system flow-accounting netflow max-flows \<n\>
+
+If you want to change the maximum number of flows, which are tracking
+simultaneously, you may do this with this command (default 8192).
+```
+
+
+### Example:
+
+NetFlow v5 example:
+
+```none
+set system flow-accounting netflow engine-id 100
+set system flow-accounting netflow version 5
+set system flow-accounting netflow server 192.168.2.10 port 2055
+```
+
+
+## Operation
+
+Once flow accounting is configured on an interfaces it provides the ability to
+display captured network traffic information for all configured interfaces.
+
+```{opcmd} show flow-accounting interface \<interface\>
+
+Show flow accounting information for given \<interface\>.
+
+
+:::{code-block} none
+vyos@vyos:~$ show flow-accounting interface eth0
+IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
+---------- ----------------- ----------------- ------------------------ --------------- ---------- ---------- ---------- ----- --------- ------- -------
+eth0 00:53:01:a8:28:ac ff:ff:ff:ff:ff:ff 192.0.2.2 255.255.255.255 5678 5678 udp 0 1 1 178
+eth0 00:53:01:b2:2f:34 33:33:ff:00:00:00 fe80::253:01ff:feb2:2f34 ff02::1:ff00:0 0 0 ipv6-icmp 0 2 1 144
+eth0 00:53:01:1a:b4:53 33:33:ff:00:00:00 fe80::253:01ff:fe1a:b453 ff02::1:ff00:0 0 0 ipv6-icmp 0 1 1 72
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 39 1 2064
+eth0 00:53:01:c8:33:af ff:ff:ff:ff:ff:ff 192.0.2.3 255.255.255.255 5678 5678 udp 0 1 1 154
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 146 1 9444
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 27 1 4455
+:::
+```
+
+```{opcmd} show flow-accounting interface \<interface\> host \<address\>
+
+Show flow accounting information for given \<interface\> for a specific host
+only.
+
+
+:::{code-block} none
+vyos@vyos:~$ show flow-accounting interface eth0 host 192.0.2.14
+IN_IFACE SRC_MAC DST_MAC SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL TOS PACKETS FLOWS BYTES
+---------- ----------------- ----------------- ----------- ---------- ---------- ---------- ---------- ----- --------- ------- -------
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40006 22 tcp 16 197 2 12940
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 40152 22 tcp 16 94 1 4924
+eth0 00:53:01:b2:22:48 00:53:02:58:a2:92 192.0.2.100 192.0.2.14 0 0 icmp 192 36 1 5877
+:::
+``` \ No newline at end of file
diff --git a/docs/configuration/system/frr.md b/docs/configuration/system/frr.md
new file mode 100644
index 00000000..1741e286
--- /dev/null
+++ b/docs/configuration/system/frr.md
@@ -0,0 +1,45 @@
+(system-frr)=
+
+# FRR
+
+VyOS uses [FRRouting](https://frrouting.org/) as the control plane for dynamic
+and static routing. The routing daemon behavior can be adjusted during runtime,
+but requires either a restart of the routing daemon, or a reboot of the system.
+
+```{cfgcmd} set system frr bmp
+
+Enable {abbr}`BMP (BGP Monitoring Protocol)` support.
+```
+
+```{cfgcmd} set system frr descriptors \<numer\>
+
+This allows the operator to control the number of open file descriptors
+each daemon is allowed to start with. If the operator plans to run bgp with
+several thousands of peers then this is where we would modify FRR to allow
+this to happen.
+```
+
+```{cfgcmd} set system frr irdp
+
+Enable ICMP Router Discovery Protocol support.
+```
+
+```{cfgcmd} set system frr profile \<traditional | datacenter\>
+
+Select an FRR profile to adapt its default settings. If unset, the
+traditional profile is applied.
+```
+
+```{cfgcmd} set system frr snmp \<daemon\>
+
+Enable SNMP support for an individual routing daemon.
+
+Supported daemons:
+- bgpd
+- isisd
+- ldpd
+- ospf6d
+- ospfd
+- ripd
+- zebra
+``` \ No newline at end of file
diff --git a/docs/configuration/system/host-name.md b/docs/configuration/system/host-name.md
new file mode 100644
index 00000000..81840d1f
--- /dev/null
+++ b/docs/configuration/system/host-name.md
@@ -0,0 +1,70 @@
+(host-information)=
+
+# Host Information
+
+This section describes the system's host information and how to configure them,
+it covers the following topics:
+
+- Host name
+- Domain
+- IP address
+- Aliases
+
+## Hostname
+
+A hostname is the label (name) assigned to a network device (a host) on a
+network and is used to distinguish one device from another on specific networks
+or over the internet. On the other hand this will be the name which appears on
+the command line prompt.
+
+```{cfgcmd} set system host-name \<hostname\>
+
+ The hostname can be up to 63 characters. A hostname
+ must start and end with a letter or digit, and have as interior characters
+ only letters, digits, or a hyphen.
+
+ The default hostname used is `vyos`.
+```
+
+## Domain Name
+
+
+A domain name is the label (name) assigned to a computer network and is thus
+unique. VyOS appends the domain name as a suffix to any unqualified name. For
+example, if you set the domain name `example.com`, and you would ping the
+unqualified name of `crux`, then VyOS qualifies the name to `crux.example.com`.
+
+```{cfgcmd} set system domain-name \<domain\>
+
+Configure system domain name. A domain name must start and end with a letter
+or digit, and have as interior characters only letters, digits, or a hyphen.
+```
+
+## Static Hostname Mapping
+
+
+How an IP address is assigned to an interface in {ref}`ethernet-interface`.
+This section shows how to statically map an IP address to a hostname for local
+(meaning on this VyOS instance) name resolution. This is the VyOS equivalent to
+`/etc/hosts` file entries.
+
+
+:::{note}
+Do *not* manually edit `/etc/hosts`. This file will automatically be
+regenerated on boot based on the settings in this section, which means you'll
+lose all your manual edits. Instead, configure static host mappings as follows.
+:::
+
+```{cfgcmd} set system static-host-mapping host-name \<hostname\> inet \<address\>
+
+Create a static hostname mapping which will always resolve the name
+`<hostname>` to IP address `<address>`.
+```
+```{cfgcmd} set system static-host-mapping host-name \<hostname\> alias \<alias\>
+
+Create named `<alias>` for the configured static mapping for `<hostname>`.
+Thus the address configured as {cfgcmd}`set system static-host-mapping
+host-name <hostname> inet <address>` can be reached via multiple names.
+
+Multiple aliases can be specified per host-name.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/index.md b/docs/configuration/system/index.md
new file mode 100644
index 00000000..e0b8a5a1
--- /dev/null
+++ b/docs/configuration/system/index.md
@@ -0,0 +1,34 @@
+# System
+
+```{toctree}
+:includehidden: true
+:maxdepth: 1
+
+acceleration
+conntrack
+console
+flow-accounting
+frr
+host-name
+ip
+ipv6
+lcd
+login
+name-server
+option
+proxy
+sflow
+syslog
+sysctl
+task-scheduler
+time-zone
+updates
+watchdog
+```
+
+```{toctree}
+:includehidden: true
+:maxdepth: 1
+
+default-route
+```
diff --git a/docs/configuration/system/ip.md b/docs/configuration/system/ip.md
new file mode 100644
index 00000000..717ee57d
--- /dev/null
+++ b/docs/configuration/system/ip.md
@@ -0,0 +1,126 @@
+# IP
+
+## System configuration commands
+
+```{cfgcmd} set system ip disable-forwarding
+
+Use this command to disable IPv4 forwarding on all interfaces.
+```
+
+```{cfgcmd} set system ip disable-directed-broadcast
+
+Use this command to disable IPv4 directed broadcast forwarding on all
+interfaces.
+
+If set, IPv4 directed broadcast forwarding will be completely disabled
+regardless of whether per-interface directed broadcast forwarding is
+enabled or not.
+```
+
+```{cfgcmd} set system ip arp table-size \<number\>
+
+Use this command to define the maximum number of entries to keep in
+the ARP cache (1024, 2048, 4096, 8192, 16384, 32768).
+```
+
+```{cfgcmd} set system ip multipath layer4-hashing
+
+Use this command to use Layer 4 information for IPv4 ECMP hashing.
+```
+
+```{cfgcmd} set system ip import-table \<table-id\>
+
+Use this command to immport the table, by given table id, into the main RIB.
+```
+
+```{cfgcmd} set system ip import-table \<table-id\> distance \<distance\>
+
+Use this command to override the default distance when importing routers
+from the alternate table.
+```
+
+```{cfgcmd} set system ip import-table \<table-id\> route-map \<route-map\>
+
+Use this command to filter routes that are imported into the main table
+from alternate table using route-map.
+```
+
+
+### Zebra/Kernel route filtering
+
+Zebra supports prefix-lists and Route Maps to match routes received from
+other FRR components. The permit/deny facilities provided by these commands
+can be used to filter which routes zebra will install in the kernel.
+
+```{cfgcmd} set system ip protocol \<protocol\> route-map \<route-map\>
+
+Apply a route-map filter to routes for the specified protocol. The following
+protocols can be used: any, babel, bgp, eigrp, isis, ospf, rip, static
+
+:::{note}
+If you choose any as the option that will cause all protocols that
+are sending routes to zebra.
+:::
+```
+
+
+### Nexthop Tracking
+
+Nexthop tracking resolve nexthops via the default route by default. This is enabled
+by default for a traditional profile of FRR which we use. It and can be disabled if
+you do not want to e.g. allow BGP to peer across the default route.
+
+```{cfgcmd} set system ip nht no-resolve-via-default
+
+Do not allow IPv4 nexthop tracking to resolve via the default route. This
+parameter is configured per-VRF, so the command is also available in the VRF
+subnode.
+```
+
+
+## Operational commands
+
+### show commands
+
+See below the different parameters available for the IPv4 **show** command:
+
+```none
+vyos@vyos:~$ show ip
+Possible completions:
+ access-list Show all IP access-lists
+ as-path-access-list
+ Show all as-path-access-lists
+ bgp Show Border Gateway Protocol (BGP) information
+ community-list
+ Show IP community-lists
+ extcommunity-list
+ Show extended IP community-lists
+ forwarding Show IP forwarding status
+ groups Show IP multicast group membership
+ igmp Show IGMP (Internet Group Management Protocol) information
+ large-community-list
+ Show IP large-community-lists
+ multicast Show IP multicast
+ ospf Show IPv4 Open Shortest Path First (OSPF) routing information
+ pim Show PIM (Protocol Independent Multicast) information
+ ports Show IP ports in use by various system services
+ prefix-list Show all IP prefix-lists
+ protocol Show IP route-maps per protocol
+ rip Show Routing Information Protocol (RIP) information
+ route Show IP routes
+```
+
+
+### reset commands
+
+And the different IPv4 **reset** commands available:
+
+```none
+vyos@vyos:~$ reset ip
+Possible completions:
+ arp Reset Address Resolution Protocol (ARP) cache
+ bgp Clear Border Gateway Protocol (BGP) statistics or status
+ igmp IGMP clear commands
+ multicast IP multicast routing table
+ route Reset IP route
+```
diff --git a/docs/configuration/system/ipv6.md b/docs/configuration/system/ipv6.md
new file mode 100644
index 00000000..ee0a6ade
--- /dev/null
+++ b/docs/configuration/system/ipv6.md
@@ -0,0 +1,193 @@
+# IPv6
+
+## System configuration commands
+
+```{cfgcmd} set system ipv6 disable-forwarding
+
+ Use this command to disable IPv6 forwarding on all interfaces.
+```
+
+
+```{cfgcmd} set system ipv6 neighbor table-size \<number\>
+
+Use this command to define the maximum number of entries to keep in
+the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768).
+```
+
+
+```{cfgcmd} set system ipv6 strict-dad
+
+Use this command to disable IPv6 operation on interface when
+Duplicate Address Detection fails on Link-Local address.
+```
+
+
+```{cfgcmd} set system ipv6 multipath layer4-hashing
+
+Use this command to user Layer 4 information for ECMP hashing.
+```
+
+### Zebra/Kernel route filtering
+
+
+Zebra supports prefix-lists and Route Maps to match routes received from
+other FRR components. The permit/deny facilities provided by these commands
+can be used to filter which routes zebra will install in the kernel.
+
+```{cfgcmd} set system ipv6 protocol \<protocol\> route-map \<route-map\>
+
+Apply a route-map filter to routes for the specified protocol. The following
+protocols can be used: any, babel, bgp, isis, ospfv3, ripng, static
+
+:::{note}
+If you choose any as the option that will cause all protocols that
+are sending routes to zebra.
+:::
+```
+
+### Nexthop Tracking
+
+
+Nexthop tracking resolve nexthops via the default route by default. This is enabled
+by default for a traditional profile of FRR which we use. It and can be disabled if
+you do not want to e.g. allow BGP to peer across the default route.
+
+```{cfgcmd} set system ipv6 nht no-resolve-via-default
+
+Do not allow IPv6 nexthop tracking to resolve via the default route. This
+parameter is configured per-VRF, so the command is also available in the VRF
+subnode.
+```
+
+## Operational commands
+
+
+### Show commands
+
+```{opcmd} show ipv6 neighbors
+
+Use this command to show IPv6 Neighbor Discovery Protocol information.
+```
+
+
+```{opcmd} show ipv6 groups
+
+Use this command to show IPv6 multicast group membership.
+```
+
+
+```{opcmd} show ipv6 forwarding
+
+Use this command to show IPv6 forwarding status.
+```
+
+
+```{opcmd} show ipv6 route
+
+Use this command to show IPv6 routes.
+
+Check the many parameters available for the show ipv6 route command:
+
+:::{code-block} none
+vyos@vyos:~$ show ipv6 route
+Possible completions:
+ <Enter> Execute the current command
+ <X:X::X:X> Show IPv6 routes of given address or prefix
+ <X:X::X:X/M>
+ bgp Show IPv6 BGP routes
+ cache Show kernel IPv6 route cache
+ connected Show IPv6 connected routes
+ forward Show kernel IPv6 route table
+ isis Show IPv6 ISIS routes
+ kernel Show IPv6 kernel routes
+ ospfv3 Show IPv6 OSPF6 routes
+ ripng Show IPv6 RIPNG routes
+ static Show IPv6 static routes
+ summary Show IPv6 routes summary
+ table Show IP routes in policy table
+ tag Show only routes with tag
+ vrf Show IPv6 routes in VRF
+:::
+```
+```{opcmd} show ipv6 prefix-list
+
+ Use this command to show all IPv6 prefix lists
+
+ There are different parameters for getting prefix-list information:
+
+ :::{code-block} none
+ vyos@vyos:~$ show ipv6 prefix-list
+ Possible completions:
+ <Enter> Execute the current command
+ <WORD> Show specified IPv6 prefix-list
+ detail Show detail of IPv6 prefix-lists
+ summary Show summary of IPv6 prefix-lists
+ :::
+```
+
+
+```{opcmd} show ipv6 access-list
+
+Use this command to show all IPv6 access lists
+
+You can also specify which IPv6 access-list should be shown:
+
+:::{code-block} none
+vyos@vyos:~$ show ipv6 access-list
+Possible completions:
+ <Enter> Execute the current command
+ <text> Show specified IPv6 access-list
+:::
+```
+```{opcmd} show ipv6 ospfv3
+
+ Use this command to get information about OSPFv3.
+
+ You can get more specific OSPFv3 information by using the parameters
+ shown below:
+
+ :::{code-block} none
+ vyos@vyos:~$ show ipv6 ospfv3
+ Possible completions:
+ <Enter> Execute the current command
+ area Show OSPFv3 spf-tree information
+ border-routers
+ Show OSPFv3 border-router (ABR and ASBR) information
+ database Show OSPFv3 Link state database information
+ interface Show OSPFv3 interface information
+ linkstate Show OSPFv3 linkstate routing information
+ neighbor Show OSPFv3 neighbor information
+ redistribute Show OSPFv3 redistribute External information
+ route Show OSPFv3 routing table information
+ :::
+```
+
+
+```{opcmd} show ipv6 ripng
+
+Use this command to get information about the RIPNG protocol
+```
+
+
+```{opcmd} show ipv6 ripng status
+
+Use this command to show the status of the RIPNG protocol
+```
+
+### Reset commands
+
+```{opcmd} reset bgp ipv6 \<address\>
+
+Use this command to clear Border Gateway Protocol statistics or
+status.
+```
+```{opcmd} reset ipv6 neighbors \<address | interface\>
+
+Use this command to reset IPv6 Neighbor Discovery Protocol cache for
+an address or interface.
+```
+```{opcmd} reset ipv6 route cache
+
+Use this command to flush the kernel IPv6 route cache.
+An address can be added to flush it only for that route.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/lcd.md b/docs/configuration/system/lcd.md
new file mode 100644
index 00000000..ef9031ea
--- /dev/null
+++ b/docs/configuration/system/lcd.md
@@ -0,0 +1,41 @@
+(system-display)=
+
+# System Display (LCD)
+
+The system LCD {abbr}`LCD (Liquid-crystal display)` option is for users running
+VyOS on hardware that features an LCD display. This is typically a small display
+built in an 19 inch rack-mountable appliance. Those displays are used to show
+runtime data.
+
+To configure your LCD display you must first identify the used hardware, and
+connectivity of the display to your system. This can be any serial port
+(`ttySxx`) or serial via USB or even old parallel port interfaces.
+
+## Configuration
+
+```{cfgcmd} set system lcd device \<device\>
+
+This is the name of the physical interface used to connect to your LCD
+display. Tab completion is supported and it will list you all available
+serial interface.
+
+For serial via USB port information please refer to the USB hardware section.
+```
+
+```{cfgcmd} set system lcd model \<model\>
+
+This is the LCD model used in your system.
+
+At the time of this writing the following displays are supported:
+* Crystalfontz CFA-533
+* Crystalfontz CFA-631
+* Crystalfontz CFA-633
+* Crystalfontz CFA-635
+
+:::{note}
+We can't support all displays from the beginning. If your display
+type is missing, please create a feature request via
+Phabricator.
+:::
+```
+
diff --git a/docs/configuration/system/login.md b/docs/configuration/system/login.md
new file mode 100644
index 00000000..288d30a8
--- /dev/null
+++ b/docs/configuration/system/login.md
@@ -0,0 +1,604 @@
+---
+lastproofread: '2026-01-12'
+---
+
+(user-management)=
+
+# Login/user management
+
+The default VyOS user account (`vyos`), as well as newly created user accounts,
+possess full system configuration privileges. These accounts are granted sudo
+privileges, allowing them to execute commands as the root user.
+
+VyOS supports both local authentication and remote authentication via
+{abbr}`RADIUS (Remote Authentication Dial-In User Service)`/ {abbr}`TACACS+
+(Terminal Access Controller Access-Control System)`.
+
+## Local authentication
+
+```{cfgcmd} set system login user \<name\> full-name "\<string\>"
+
+**Configure the real name or description for a system user.**
+
+If the description includes spaces, enclose ``<string>`` in double quotes.
+
+If the user ``<name>`` already exists, the command updates the current
+description. If not, it creates a new user with the specified description.
+```
+
+```{cfgcmd} set system login user \<name\> authentication plaintext-password \<password\>
+
+**Configure a password for a system user.**
+
+Enter the password in plaintext. Upon ``commit``, VyOS hashes the password for
+secure storage and removes the plaintext value.
+
+If the user ``<name>`` already exists, the command updates the current password.
+If not, it creates a new user with the specified plaintext password.
+```
+
+```{cfgcmd} set system login user \<name\> authentication encrypted-password \<password\>
+
+**Configure a pre-encrypted password for a system user.**
+
+Enter the password in its hashed format. Upon ``commit``, VyOS stores this value
+directly without modification.
+
+If the user ``<name>`` already exists, the command updates the current password.
+If not, it creates a new user with the specified pre-encrypted password.
+```
+
+```{cfgcmd} set system login user \<name\> authentication principal \<principal\>
+
+**Configure an SSH certificate principal for a system user.**
+
+Enter the principal (a string included in the user's signed SSH certificate).
+Upon ``commit``, VyOS stores this mapping, allowing the user to log in if the
+certificate they present contains this principal.
+
+If the user ``<name>`` already exists, the command updates the principal. If not,
+it creates a new user linked to the specified principal.
+
+**If not configured**, the principal defaults to ``<name>``.
+```
+
+```{cfgcmd} set system login user \<name\> disable
+
+**Disable a system user account.**
+
+VyOS locks the account, preventing the user from logging in.
+```
+
+(ssh_key_based_authentication)=
+
+## Key-based authentication
+
+Key-based authentication is the recommended method for securing SSH access in
+VyOS. It uses a **public/private key pair** to verify user identity without
+requiring a password. To authorize access, you assign **SSH public keys** to
+user accounts on the router, while SSH private keys remain on local devices.
+VyOS allows assigning multiple SSH public keys to a single user account, which
+is useful for accessing a router from different devices.
+
+### Generate the key pair
+
+Generate an SSH key pair on your **local machine** using the `ssh-keygen`
+command. This creates two files:
+- **Private key** (e.g., `id_rsa`): Remains on your local machine and must
+ never be shared.
+- **Public key** (e.g., `id_rsa.pub`): Is used to configure the VyOS user
+ account. By default, it is saved to `~/.ssh/id_rsa.pub`.
+
+Each SSH public key consists of three parts, separated by spaces:
+- **Encryption algorithm type:** `ssh-rsa`, `ssh-ed25519`, etc.
+- **Key:** The actual data (a long string beginning with `AAAA...`).
+- **Comment:** An identifier for your reference (e.g., `user@host`).
+
+Only the encryption algorithm type and key parts are required to
+configure the authorization entry in VyOS. The comment part is optional.
+
+:::{seealso}
+{ref}`SSH operation <ssh_operation>`
+:::
+
+:::{warning}
+SSH key strings are long. When copying and pasting, ensure your
+terminal does not insert line breaks. The key must be entered as a **single
+line** to function correctly.
+:::
+
+### Configure the router
+
+To configure SSH public key authentication for a user account, run the
+following two commands using the same `<identifier>`:
+
+```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> key \<key\>
+
+**Configure the SSH public key for the user account.**
+* ``<identifier>``: A unique label that identifies this specific key entry.
+* ``<key>``: The actual string of characters from your public key.
+```
+
+```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> type \<type\>
+
+**Configure the SSH key's encryption type.**
+
+The following encryption algorithm types are available:
+
+* ``ecdsa-sha2-nistp256``
+* ``ecdsa-sha2-nistp384``
+* ``ecdsa-sha2-nistp521``
+* ``ssh-dss``
+* ``ssh-ed25519``
+* ``ssh-rsa``
+
+:::{note}
+To assign multiple SSH public keys to a user account, repeat the
+commands above with a unique identifier for each key.
+:::
+```
+
+```{cfgcmd} set system login user \<username\> authentication public-keys \<identifier\> options \<options\>
+
+**Configure specific restrictions or behaviors for an SSH public key.**
+
+``<options>``: A string of comma-separated values that define permissions
+or restrictions for this key.
+
+The command accepts standard OpenSSH options listed in the router's
+``~/.ssh/authorized_keys`` file.
+
+To include a ``"`` character in the options string, use ``&quot;``.
+
+For example, to restrict allowed source IP addresses for an SSH public key,
+use: ``from=&quot;10.0.0.0/24&quot;``.
+```
+
+
+## OTP-based MFA
+
+VyOS lets you enhance user access security by enabling {abbr}`OTP (One-time
+password)`-based {abbr}`MFA (Multi-factor Authentication)` for individual
+users. Users with {abbr}`OTP (One-time password)`-based {abbr}`MFA
+(Multi-factor Authentication)` must enter a valid {abbr}`OTP (One-time
+password)` along with their password at login. Users without {abbr}`OTP
+(One-time password)`-based {abbr}`MFA (Multi-factor Authentication)` use
+standard authentication.
+
+```{cfgcmd} set system login user \<username\> authentication otp key \<key\>
+
+**Configure** {abbr}`OTP (One-time password)`**-based** {abbr}`MFA
+(Multi-factor Authentication)` **for a user.**
+
+``<key>``: A Base32-encoded secret key. This key must be added to the user's
+authenticator app to generate valid {abbr}`OTPs (One-time passwords)`.
+
+**When configured**, the user is required to enter their password followed by
+a valid OTP for all subsequent logins.
+```
+
+
+### OTP settings
+
+```{cfgcmd} set system login user \<username\> authentication otp rate-limit \<limit\>
+
+**Configure the number of** {abbr}`OTP (One-time password)` **authentication
+attempts allowed within a specified time period.**
+
+If this limit is exceeded, the user is temporarily blocked.
+
+The default value is 3 attempts. The valid range is 1 to 10 attempts.
+```
+
+```{cfgcmd} set system login user \<username\> authentication otp rate-time \<seconds\>
+
+**Configure the time period, in seconds, for tracking** {abbr}`OTP (One-time
+password)` **authentication attempts.**
+
+The default value is 30 seconds. The valid range is 1 to 600 seconds.
+```
+
+```{cfgcmd} set system login user \<username\> authentication otp window-size \<size\>
+
+**Configure the** {abbr}`OTP (One-time password)` **window size for a user.**
+
+The {abbr}`OTP (One-time password)` window size defines the number of
+concurrently valid {abbr}`OTPs (One-time passwords)` that the authentication
+server accepts. This setting assumes a new token is generated every 30 seconds.
+
+The default value is 3. This permits 3 concurrent codes: the code for the
+current 30-second interval, the preceding code, and the following code. This
+allows up to 30 seconds of time skew between the authentication server and
+client.
+
+If the window size is increased to 17, the system permits 17 concurrent codes
+(the current code, the 8 preceding codes, and the 8 following codes). This
+allows for a time skew of up to 4 minutes.
+
+The valid range is 1 to 21.
+```
+
+
+### Generate an OTP-key
+
+Use the following command to generate an OTP key:
+
+```{cfgcmd} generate system login username \<username\> otp-key hotp-time rate-limit \<1-10\> rate-time \<15-600\> window-size \<1-21\>
+```
+
+Key generation example:
+
+```none
+vyos@vyos:~$ generate system login username otptester otp-key hotp-time rate-limit 2 rate-time 20 window-size 5
+# You can share it with the user, he just needs to scan the QR in his OTP app
+# username: otptester
+# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
+# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
+████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
+████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
+████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
+████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
+████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
+█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
+████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
+████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
+████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
+████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
+████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
+████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
+████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
+████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
+████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
+████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
+████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
+████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+# To add this OTP key to configuration, run the following commands:
+set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
+set system login user otptester authentication otp rate-limit '2'
+set system login user otptester authentication otp rate-time '20'
+set system login user otptester authentication otp window-size '5'
+```
+
+### Display the OTP key for a user
+
+Use the following command to display the {abbr}`OTP (One-time password)`
+key for a user:
+
+```{cfgcmd} sh system login authentication user \<username\> otp \<full | key-b32 | qrcode | uri\>
+```
+
+Example:
+
+```none
+vyos@vyos:~$ sh system login authentication user otptester otp full
+# You can share the OTP key with the user. They just need to scan the QR in their OTP app.
+# username: otptester
+# OTP KEY: J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY
+# OTP URL: otpauth://totp/otptester@vyos?secret=J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY&digits=6&period=30
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+████ ▄▄▄▄▄ █▀█ █▄ ▀▄▀▄█▀▄ ▀█▀ █ ▄▄▄▄▄ ████
+████ █ █ █▀▀▀█ ▄▀ █▄▀ ▀▄ ▄ ▀ ▄█ █ █ ████
+████ █▄▄▄█ █▀ █▀▀██▄▄ █ █ ██ ▀▄▀ █ █▄▄▄█ ████
+████▄▄▄▄▄▄▄█▄▀ ▀▄█ █ ▀ █ █ █ █▄█▄█▄▄▄▄▄▄▄████
+████ ▄ █▄ ▄ ▀▄▀▀▀▀▄▀▄▀▄▄▄▀▀▄▄▄ █ █▄█ █████
+████▄▄ ██▀▄▄▄▀▀█▀ ▄ ▄▄▄ ▄▀ ▀ █ ▄ ▄ ██▄█ ████
+█████▄ ██▄▄▀█▄█▄█▄ ▀█▄▀▄ ▀█▀▄ █▄▄▄ ▄ ▄████
+████▀▀▄ ▄█▀▄▀ ▄█▀█▀▄▄▄▀█▄ ██▄▄▄ ▀█ █ ████
+████ ▄▀▄█▀▄▄█▀▀▄▀▀▀▀█ ▄▀▄▀ ▄█ ▀▄ ▄ ▄▀ █▄████
+████▄ ██ ▀▄▀▀ ▄█▀ ▄ ██ ▀█▄█ ▄█ ▄ ▀▄ ▄▄ ████
+████▄█▀▀▄ ▄▄ █▄█▄█▄ █▄▄▀▄▄▀▀▄▄██▀ ▄▀▄▄ ▀▄████
+████▀▄▀ ▄ ▄▀█ ▄ ▄█▀ █ ▀▄▄ ▄█▀ ▄▄ ▀▄▄ ████
+████ ▀███▄ █▄█▄▀▀▀▀▄ ▄█▄▄▀ ▀███ ▄▄█▄▄ ▄████
+████ ███▀ ▄▄▀▀██▀ ▄▀▄█▄▄▄ ██▄▄▀▄▀ ███▄ ▄████
+████▄████▄▄▄▀▄ █▄█▄▀▄▄▄▄██▀ ▄▀ ▄ ▄▄▄ █▄▄█████
+████ ▄▄▄▄▄ █▄▄▄ ▄█▀█▀▀▀▀█▀█▀ █▄█ █▄█ ▄█ ████
+████ █ █ █ ██▄▀▀▀▀▄▄▄▀ ▄▄▄ ▀ ▄ ▄ ▄▄████
+████ █▄▄▄█ █ ▀▀█▀ ▄▄█ █▄▄██▀▀█▀ █▄▀▄██▄█ ████
+████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄█▄▄▄█▄██████▄██▄▄▄████
+█████████████████████████████████████████████
+█████████████████████████████████████████████
+# To add this OTP key to configuration, run the following commands:
+set system login user otptester authentication otp key 'J5A64ERPMGJOZXY6FMHHLKXKANNI6TCY'
+set system login user otptester authentication otp rate-limit '2'
+set system login user otptester authentication otp rate-time '20'
+set system login user otptester authentication otp window-size '5'
+```
+
+Once {abbr}`OTP (One-time password)`-based {abbr}`MFA (Multi-factor
+Authentication)` is configured for a user account, this user must enter their
+standard password followed by the current 6-digit OTP code at login. For
+example, if the user's password is `vyosrocks` and the OTP is `817454`, they
+should enter `vyosrocks817454`.
+
+## RADIUS authentication
+
+For large-scale deployments, managing individual user accounts across multiple
+VyOS instances is inefficient. VyOS supports centralized authentication via
+{abbr}`RADIUS (Remote Authentication Dial-In User Service)`, consolidating user
+account management on a single backend server.
+
+### Configuration
+
+```{cfgcmd} set system login radius server \<address\> key \<secret\>
+
+**Configure the** {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+**server's IP address and shared secret.**
+
+The shared secret is used to verify the router's identity and to encrypt user
+passwords during authentication.
+
+You can configure multiple {abbr}`RADIUS (Remote Authentication Dial-In User
+Service)` servers.
+```
+
+```{cfgcmd} set system login radius server \<address\> port \<port\>
+
+**Configure the UDP port for communication with the** {abbr}`RADIUS (Remote
+Authentication Dial-In User Service)` **server.**
+
+The default port is 1812.
+```
+
+```{cfgcmd} set system login radius server \<address\> disable
+
+**Disable a** {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+**server from the authentication process.**
+
+Disabling a specific {abbr}`RADIUS (Remote Authentication Dial-In User
+Service)` server doesn’t remove its configuration settings (the server’s IP
+address and shared secret).
+```
+
+```{cfgcmd} set system login radius server \<address\> timeout \<timeout\>
+
+Configure the duration, in seconds, that the VyOS router waits for a
+response from the {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+server after sending an authentication request.
+
+If the server does not respond within this timeframe, the VyOS router tries to
+connect to another configured server or falls back to local authentication.
+```
+
+```{cfgcmd} set system login radius source-address \<address\>
+
+**Configure the source IP address the router uses for** {abbr}`RADIUS (Remote
+Authentication Dial-In User Service)` **authentication requests.**
+
+A consistent source IP address is recommended as RADIUS servers typically
+accept requests only from known, trusted IP addresses.
+
+If not explicitly defined, the router uses the current egress interface
+address, which may change (e.g., due to a link outage), causing authentication
+failures.
+```
+
+```{cfgcmd} set system login radius vrf \<name\>
+
+**Configure the router to send all** {abbr}`RADIUS (Remote Authentication
+Dial-In User Service)` **authentication requests via a specific VRF.**
+
+By default, {abbr}`RADIUS (Remote Authentication Dial-In User Service)`
+authentication requests are sent via the global routing table.
+```
+
+### Configuration example
+
+```none
+set system login radius server 192.168.0.2 key 'test-vyos'
+set system login radius server 192.168.0.2 port '1812'
+set system login radius server 192.168.0.2 timeout '5'
+set system login radius source-address '192.168.0.1'
+```
+
+If communication with the {abbr}`RADIUS (Remote Authentication Dial-In User
+Service)` server fails, the router falls back to local user authentication.
+During this process, users may experience a login delay while the system waits
+for the {abbr}`RADIUS (Remote Authentication Dial-In User Service)` request to
+time out. This delay depends on the configured timeout value.
+
+:::{hint}
+To grant administrative privileges to {abbr}`RADIUS (Remote
+Authentication Dial-In User Service)`-authenticated users, the server must
+return the Cisco-AV-Pair attribute set to `shell:priv-lvl=15`. Otherwise, users
+receive standard privileges and cannot perform configuration tasks.
+:::
+
+## TACACS+ authentication
+
+In addition to {abbr}`RADIUS (Remote Authentication Dial-In User Service)`,
+VyOS supports {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)`, which is commonly used in large enterprise environments.
+
+Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`,
+{abbr}`TACACS+ (Terminal Access Controller Access Control System)` separates
+Authentication, Authorization, and Accounting (AAA) into independent processes
+and encrypts the entire packet body for enhanced security.
+
+{abbr}`TACACS+ (Terminal Access Controller Access Control System)` is defined
+in {rfc}`8907`.
+(tacacs-configuration)=
+
+### Configuration
+
+```{cfgcmd} set system login tacacs server \<address\> key \<secret\>
+
+**Configure the** {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)` **server IP address and shared secret.**
+
+Unlike {abbr}`RADIUS (Remote Authentication Dial-In User Service)`, which
+encrypts only passwords, {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` encrypts the entire packet body for enhanced security.
+
+You can configure multiple {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` servers.
+```
+
+```{cfgcmd} set system login tacacs server \<address\> port \<port\>
+
+**Configure the TCP port for communication with the** {abbr}`TACACS+ (Terminal
+Access Controller Access Control System)` **server.**
+
+The default port is 49.
+```
+
+```{cfgcmd} set system login tacacs server \<address\> disable
+
+**Disable a** {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)` **server from the authentication process.**
+
+Disabling a specific {abbr}`TACACS+ (Terminal Access Controller Access Control
+System)` server doesn’t remove its configuration settings (the server’s IP
+address and shared secret).
+```
+
+```{cfgcmd} set system login tacacs server \<address\> timeout \<timeout\>
+
+Configure the duration, in seconds, that the VyOS router waits for a
+response from the {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` server after sending an authentication request.
+
+If the server does not respond within this timeframe, the VyOS router tries
+to connect to another configured server or falls back to local authentication.
+```
+
+```{cfgcmd} set system login tacacs source-address \<address\>
+
+**Configure the source IP address the router uses for**
+{abbr}`TACACS+ (Terminal Access Controller Access Control System)`
+**authentication requests.**
+
+A consistent source IP address is recommended as {abbr}`TACACS+ (Terminal
+Access Controller Access Control System)` servers typically accept requests
+only from known, trusted IP addresses.
+
+If not explicitly defined, the router uses the current egress interface address,
+which may change (e.g., due to a link outage), causing authentication failures.
+```
+
+```{cfgcmd} set system login tacacs vrf \<name\>
+
+Configure the router to send all {abbr}`TACACS+ (Terminal Access Controller
+Access Control System)` authentication requests via a specific VRF.
+
+By default, {abbr}`TACACS+ (Terminal Access Controller Access Control System)`
+authentication requests are sent via the global routing table.
+```
+
+(login-tacacs-example)=
+
+### Configuration example
+
+```none
+set system login tacacs server 192.168.0.2 key 'test-vyos'
+set system login tacacs server 192.168.0.2 port '49'
+set system login tacacs source-address '192.168.0.1'
+```
+
+If communication with the {abbr}`TACACS+ (Terminal Access Controller Access
+Control System)` server fails, the router falls back to local user
+authentication.
+
+## Login banners
+
+VyOS allows you to configure **pre-login** and **post-login** banners.
+Pre-login banners are typically used for system identification, legal disclaimers, or security warnings
+displayed before authentication, while post-login banners provide system
+information or operational notices to users after login.
+
+```{cfgcmd} set system login banner pre-login \<message\>
+
+Configure a message to be shown to users before the ``username`` and ``password``
+prompts appear.
+```
+
+```{cfgcmd} set system login banner post-login \<message\>
+
+Configure a message to be shown to users after successful authentication.
+```
+:::{note}
+Use `\\n` to insert line breaks in multi-line banner messages.
+:::
+
+## Login session limits
+
+```{cfgcmd} set system login max-login-session \<number\>
+
+**Configure the maximum number of concurrent login sessions.**
+```
+:::{note}
+If you limit concurrent login sessions, you must also configure a
+session `<timeout>`. This clears inactive sessions and prevents blocking new
+login attempts.
+:::
+```{cfgcmd} set system login timeout \<timeout\>
+
+**Configure the login session timeout, in seconds.**
+
+Idle login sessions are terminated after this period.
+```
+
+## Configuration examples
+
+Example 1: Multi-key SSH with MFA and source restrictions
+
+In this configuration, `User1` and `User2` both use the vyos user account,
+each with a unique SSH key. `User1` is restricted to authentication from a
+single IP address.
+
+For both users, password-based logins require {abbr}`OTP (One-time password)`
+-based {abbr}`MFA (Multi-factor Authentication)`.
+
+```none
+set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+set system login user vyos authentication public-keys 'User1' type ssh-rsa
+set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
+
+set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+set system login user vyos authentication public-keys 'User2' type ssh-rsa
+
+set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
+set system login user vyos authentication plaintext-password vyos
+```
+
+Example 2: Containerized {abbr}`TACACS+ (Terminal Access Controller Access Control System)`
+deployment with redundancy.
+
+In this configuration, the VyOS router hosts its own authentication
+infrastructure using two containerized {abbr}`TACACS+ (Terminal Access
+Controller Access Control System)` servers (`tacacs1` and `tacacs2`) on a
+private network for redundancy.
+
+System logins are authenticated against credentials stored within these internal
+containers rather than the router's local user database.
+
+First, download the image in operational mode:
+
+```none
+add container image lfkeitel/tacacs_plus:latest
+```
+
+Next, configure the containers in configuration mode:
+
+```none
+set container network tac-test prefix '100.64.0.0/24'
+
+set container name tacacs1 image 'lfkeitel/tacacs_plus:latest'
+set container name tacacs1 network tac-test address '100.64.0.11'
+
+set container name tacacs2 image 'lfkeitel/tacacs_plus:latest'
+set container name tacacs2 network tac-test address '100.64.0.12'
+
+set system login tacacs server 100.64.0.11 key 'tac_plus_key'
+set system login tacacs server 100.64.0.12 key 'tac_plus_key'
+
+commit
+```
+
+You can now log in via SSH or console using `admin/admin` credentials supplied
+by the container image.
diff --git a/docs/configuration/system/name-server.md b/docs/configuration/system/name-server.md
new file mode 100644
index 00000000..9090ba5f
--- /dev/null
+++ b/docs/configuration/system/name-server.md
@@ -0,0 +1,65 @@
+(system-dns)=
+
+# System DNS
+
+:::{warning}
+If you are configuring a VRF for management purposes, there is
+currently no way to force system DNS traffic via a specific VRF.
+:::
+
+This section describes configuring DNS on the system, namely:
+
+> - DNS name servers
+> - Domain search order
+
+## DNS name servers
+
+```{cfgcmd} set system name-server \<address\>
+
+Use this command to specify a DNS server for the system to be used
+for DNS lookups. More than one DNS server can be added, configuring
+one at a time. Both IPv4 and IPv6 addresses are supported.
+```
+
+
+### Example
+
+In this example, some *OpenNIC* servers are used, two IPv4 addresses
+and two IPv6 addresses:
+
+```none
+set system name-server 176.9.37.132
+set system name-server 195.10.195.195
+set system name-server 2a01:4f8:161:3441::1
+set system name-server 2a00:f826:8:2::195
+```
+
+
+## Domain search order
+
+In order for the system to use and complete unqualified host names, a
+list can be defined which will be used for domain searches.
+
+```{cfgcmd} set system domain-search \<domain\>
+
+Use this command to define domains, one at a time, so that the system
+uses them to complete unqualified host names. Maximum: 6 entries.
+```
+
+:::{note}
+Domain names can include letters, numbers, hyphens and periods
+with a maximum length of 253 characters.
+:::
+
+(name-server-domain-search-order-example)=
+
+### Example
+
+The system is configured to attempt domain completion in the following
+order: vyos.io (first), vyos.net (second) and vyos.network (last):
+
+```none
+set system domain-search vyos.io
+set system domain-search vyos.net
+set system domain-search vyos.network
+```
diff --git a/docs/configuration/system/option.md b/docs/configuration/system/option.md
new file mode 100644
index 00000000..c7a6ccf2
--- /dev/null
+++ b/docs/configuration/system/option.md
@@ -0,0 +1,190 @@
+(system-option)=
+
+# Option
+
+This chapter describe the possibilities of advanced system behavior.
+
+## General
+
+```{cfgcmd} set system option ctrl-alt-delete \<ignore | reboot | poweroff\>
+
+Action which will be run once the ctrl-alt-del keystroke is received.
+```
+
+```{cfgcmd} set system option reboot-on-panic
+
+Automatically reboot system on kernel panic after 60 seconds.
+```
+
+```{cfgcmd} set system option reboot-on-upgrade-failure \<timeout\>
+
+Automatically reboot after `timeout` minutes into the previous running
+image, that was used to perform the image upgrade.
+
+Reboot `timeout` is configurable in minutes. This gives the user the change
+to log into the system and perform some analysis before automatic rebooting.
+
+Automatic reboot can be cancelled after login using: {opcmd}`reboot cancel`
+```
+
+```{cfgcmd} set system option startup-beep
+
+Play an audible beep to the system speaker when system is ready.
+```
+
+```{cfgcmd} set system option root-partition-auto-resize
+
+Enables the root partition auto-extension and resizes to the maximum
+available space on system boot.
+```
+
+
+### Kernel
+
+```{cfgcmd} set system option kernel disable-mitigations
+
+Disable all optional CPU mitigations. This improves system performance,
+but it may also expose users to several CPU vulnerabilities.
+
+This will add the following option to the Kernel commandline:
+* ``mitigations=off``
+
+:::{note}
+Setting will only become active with the next reboot!
+:::
+```
+
+```{cfgcmd} set system option kernel disable-power-saving
+
+This will add the following two options to the Kernel commandline:
+* ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle
+* ``processor.max_cstate=1`` Limit processor to maximum C-state 1
+
+:::{note}
+Setting will only become active with the next reboot!
+:::
+```
+
+```{cfgcmd} set system option kernel amd-pstate-driver \<mode\>
+
+Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs.
+
+The available modes are:
+* ``active`` This is the low-level firmware control mode based on the profile
+set and the system governor has no effect.
+* ``passive`` The driver allows the system governor to manage CPU frequency
+while providing available performance states.
+* ``guided`` The driver allows to set desired performance levels and the firmware
+selects a performance level in this range and fitting to the current workload.
+
+This will add the following two options to the Kernel commandline:
+* ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale
+* ``amd_pstate={mode}`` Sets the p-state mode
+
+:::{note}
+Setting will only become active with the next reboot!
+:::
+
+:::{seealso}
+<https://docs.kernel.org/admin-guide/pm/amd-pstate.html>
+:::
+```
+
+```{cfgcmd} set system option kernel quiet
+
+Suppress most kernel messages during boot. This is useful for systems with
+embedded serial console interfaces to speed up the boot process.
+```
+
+
+## HTTP client
+
+```{cfgcmd} set system option http-client source-address \<address\>
+
+Several commands utilize cURL to initiate transfers. Configure the local
+source IPv4/IPv6 address used for all cURL operations.
+```
+
+```{cfgcmd} set system option http-client source-interface \<interface\>
+
+Several commands utilize curl to initiate transfers. Configure the local
+source interface used for all CURL operations.
+```
+
+:::{note}
+`source-address` and `source-interface` can not be used at the same
+time.
+:::
+
+## SSH client
+
+```{cfgcmd} set system option ssh-client source-address \<address\>
+
+Use the specified address on the local machine as the source address of the
+connection. Only useful on systems with more than one address.
+```
+
+```{cfgcmd} set system option ssh-client source-interface \<interface\>
+
+Use the address of the specified interface on the local machine as the
+source address of the connection.
+```
+
+
+## Keyboard Layout
+
+When starting a VyOS live system (the installation CD) the configured keyboard
+layout defaults to US. As this might not suite everyone's use case you can adjust
+the used keyboard layout on the system console.
+
+```{cfgcmd} set system option keyboard-layout \<us | fr | de | fi | no | dk\>
+
+Change system keyboard layout to given language.
+
+Defaults to ``us``.
+
+:::{note}
+Changing the keymap only has an effect on the system console, using
+SSH or Serial remote access to the device is not affected as the keyboard
+layout here corresponds to your access system.
+:::
+```
+
+(system-options-performance)=
+
+## Performance
+
+As more and more routers run on Hypervisors, expecially with a {abbr}`NOS
+(Network Operating System)` as VyOS, it makes fewer and fewer sense to use
+static resource bindings like `smp-affinity` as present in VyOS 1.2 and
+earlier to pin certain interrupt handlers to specific CPUs.
+
+We now utilize `tuned` for dynamic resource balancing based on profiles.
+
+:::{seealso}
+<https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf>
+:::
+
+```{cfgcmd} set system option performance \< throughput | latency \>
+
+Configure one of the predefined system performance profiles.
+
+* ``throughput``: A server profile focused on improving network throughput.
+ This profile favors performance over power savings by setting
+ ``intel_pstate`` and ``max_perf_pct=100`` and increasing kernel network
+ buffer sizes.
+
+ It enables transparent huge pages, and uses cpupower to set the performance
+ cpufreq governor. It also sets ``kernel.sched_min_granularity_ns`` to 10 us,
+ ``kernel.sched_wakeup_granularity_ns`` to 15 uss, and ``vm.dirty_ratio`` to
+ 40%.
+
+* ``latency``: A server profile focused on lowering network latency.
+ This profile favors performance over power savings by setting
+ ``intel_pstate`` and ``min_perf_pct=100``.
+
+ It disables transparent huge pages, and automatic NUMA balancing. It also
+ uses cpupower to set the performance cpufreq governor, and requests a
+ cpu_dma_latency value of 1. It also sets busy_read and busy_poll times to
+ 50 us, and tcp_fastopen to 3.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/proxy.md b/docs/configuration/system/proxy.md
new file mode 100644
index 00000000..286e835f
--- /dev/null
+++ b/docs/configuration/system/proxy.md
@@ -0,0 +1,27 @@
+(system-proxy)=
+
+# System Proxy
+
+Some IT environments require the use of a proxy to connect to the Internet.
+Without this configuration VyOS updates could not be installed directly by
+using the {opcmd}`add system image` command ({ref}`update_vyos`).
+
+```{cfgcmd} set system proxy url \<url\>
+
+Set proxy for all connections initiated by VyOS, including HTTP, HTTPS, and
+FTP (anonymous ftp).
+```
+```{cfgcmd} set system proxy port \<port\>
+
+Configure proxy port if it does not listen to the default port 80.
+```
+```{cfgcmd} set system proxy username \<username\>
+
+Some proxys require/support the "basic" HTTP authentication scheme as per
+{rfc}`7617`, thus a username can be configured.
+```
+```{cfgcmd} set system proxy password \<password\>
+
+Some proxys require/support the "basic" HTTP authentication scheme as per
+{rfc}`7617`, thus a password can be configured.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/sflow.md b/docs/configuration/system/sflow.md
new file mode 100644
index 00000000..350bbdd8
--- /dev/null
+++ b/docs/configuration/system/sflow.md
@@ -0,0 +1,66 @@
+# sFlow
+
+VyOS supports sFlow accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector.
+
+sFlow is a technology that enables monitoring of network traffic by sending sampled packets to a collector device.
+
+The sFlow accounting based on hsflowd <https://sflow.net/>
+
+## Configuration
+
+```{cfgcmd} set system sflow agent-address \<address\>
+
+Configure sFlow agent IPv4 or IPv6 address
+```
+```{cfgcmd} set system sflow agent-interface \<interface\>
+
+Configure agent IP address associated with this interface.
+```
+```{cfgcmd} set system sflow drop-monitor-limit \<limit\>
+
+ Dropped packets reported on DROPMON Netlink channel by Linux kernel are exported via the standard sFlow v5 extension for reporting dropped packets
+```
+
+
+```{cfgcmd} set system sflow interface \<interface\>
+
+Configure and enable collection of flow information for the interface identified by \<interface\>.
+
+You can configure multiple interfaces which would participate in sflow accounting.
+```
+```{cfgcmd} set system sflow polling \<sec\>
+
+ Configure schedule counter-polling in seconds (default: 30)
+```
+
+
+```{cfgcmd} set system sflow sampling-rate \<rate\>
+
+Use this command to configure the sampling rate for sFlow accounting (default: 1000)
+```
+
+
+```{cfgcmd} set system sflow server \<address\> port \<port\>
+
+Configure address of sFlow collector. sFlow server at \<address\> can be both listening on an IPv4 or IPv6 address.
+```
+
+
+```{cfgcmd} set system sflow enable-egress
+
+Use this command to if you need to sample also egress traffic
+```
+
+## Example
+
+```none
+set system sflow agent-address '192.0.2.14'
+set system sflow agent-interface 'eth0'
+set system sflow drop-monitor-limit '50'
+set system sflow interface 'eth0'
+set system sflow interface 'eth1'
+set system sflow polling '30'
+set system sflow sampling-rate '1000'
+set system sflow server 192.0.2.1 port '6343'
+set system sflow server 203.0.113.23 port '6343'
+```
diff --git a/docs/configuration/system/sysctl.md b/docs/configuration/system/sysctl.md
new file mode 100644
index 00000000..90434fb2
--- /dev/null
+++ b/docs/configuration/system/sysctl.md
@@ -0,0 +1,16 @@
+(sysctl)=
+
+# Sysctl
+
+:::{note}
+This page is a stub and needs expansion. Contributions
+welcome via the [VyOS documentation repository](https://github.com/vyos/vyos-documentation).
+:::
+
+This chapter describes how to configure kernel parameters at runtime.
+
+`sysctl` is used to modify kernel parameters at runtime. The parameters
+available are those listed under /proc/sys/.
+
+```{cfgcmd} set system sysctl parameter \<parameter\> value \<value\>
+``` \ No newline at end of file
diff --git a/docs/configuration/system/syslog.md b/docs/configuration/system/syslog.md
new file mode 100644
index 00000000..ae30d272
--- /dev/null
+++ b/docs/configuration/system/syslog.md
@@ -0,0 +1,450 @@
+(syslog)=
+
+# Syslog
+
+## Overview
+
+By default, VyOS provides a minimal logging configuration with local storage
+and log rotation. All errors, including local7 messages, are saved to a local
+file. Emergency alerts are sent to the console.
+
+To change these settings, enter configuration mode.
+
+## Syslog configuration
+
+Syslog supports logging to multiple destinations: a local file, a console, or
+a remote syslog server over UDP or TCP.
+
+The syslog configuration is organized into the following categories:
+
+- Global settings
+- Local logging
+- Console logging
+- Remote logging
+- TLS-encrypted remote logging
+
+### Global settings
+
+Configure the general behavior of the syslog service.
+
+```{cfgcmd} set system syslog marker interval \<number\>
+
+**Configure the interval, in seconds, for sending syslog mark messages.**
+
+Syslog mark messages confirm the logging service is operational.
+
+Default: 1200 seconds.
+```
+
+```{cfgcmd} set system syslog marker disable
+
+Disable sending syslog mark messages.
+```
+
+```{cfgcmd} set system syslog preserve-fqdn
+
+**Configure how the logging device's hostname appears in log messages sent
+to a remote syslog server.**
+
+If configured, the device includes its {abbr}`FQDN (Fully Qualified Domain
+Name)` in log messages, even if the syslog server is in the same domain.
+```
+
+
+### Local logging
+
+Configure which log messages to save to a local log file.
+
+```{cfgcmd} set system syslog local \<filename\> facility \<keyword\> level \<keyword\>
+
+**Configure syslog to save log messages for a specific facility and
+severity level to \`\`/var/log/messages\`\`.**
+
+Refer to the tables below for valid facility and severity options.
+```
+
+(syslog-console)=
+
+### Console logging
+
+Configure which log messages to send to `/dev/console`.
+
+```{cfgcmd} set system syslog console facility \<keyword\> level \<keyword\>
+
+**Configure syslog to send log messages for a specific facility and severity
+level to the device's console.**
+
+Refer to the tables below for valid facility and severity options.
+```
+
+(syslog-remote)=
+
+### Remote logging
+
+Configure **remote logging** to send log messages to a remote syslog server.
+
+Remote logging does not affect either **local** or **console logging** and
+runs in parallel with them. Remote logging supports sending log messages
+to multiple hosts.
+
+```{cfgcmd} set system syslog remote \<address\> facility \<keyword\> level \<keyword\>
+
+**Configure log transmission to the remote syslog server for a specific
+facility and severity level.**
+
+The server’s address can be specified using either a {abbr}`FQDN (Fully
+Qualified Domain Name)` or an IP address.
+
+Refer to the tables below for valid facility and severity options.
+```
+
+```{cfgcmd} set system syslog remote \<address\> protocol \<udp | tcp\>
+
+**Configure the protocol for log transmission.**
+
+The protocol can be either UDP or TCP. By default, log messages are sent
+over UDP.
+```
+
+```{cfgcmd} set system syslog remote \<address\> port \<port\>
+
+**Configure the port for log transmission.**
+
+By default, the standard port 514 is used.
+```
+
+```{cfgcmd} set system syslog remote \<address\> format include-timezone
+
+**Configure log transmission in the RFC 5424 format.**
+
+The RFC 5424 format includes the timezone in the timestamp. For example:
+
+:::{code-block} none
+<34>1 2003-10-11T22:14:15.003-07:00 mymachine.example.com su - ID47 - BOM’su root’ failed for lonvick on /dev/pts/8.
+:::
+
+By default, log messages are sent in the RFC 3164 format. For example:
+
+:::{code-block} none
+<34>Oct 11 22:14:15 mymachine su: ‘su root’ failed for lonvick on /dev/pts/8
+:::
+```
+
+```{cfgcmd} set system syslog remote \<address\> format octet-counted
+
+**Enable octet-counted framing for log transmission.**
+
+When enabled, multi-line log messages are sent without splitting. Ensure
+the remote server supports octet-counted framing to avoid parsing errors.
+
+Octet-counted framing is not available for the UDP protocol.
+```
+
+```{cfgcmd} set system syslog remote \<address\> vrf \<name\>
+
+Configure the {abbr}`VRF (Virtual Routing and Forwarding)` instance
+for log transmission.
+```
+
+```{cfgcmd} set system syslog remote \<address\> source-address \<address\>
+
+Configure the source IP address (IPv4 or IPv6) for log transmission.
+```
+
+
+#### {abbr}`TLS (Transport Layer Security)`-encrypted remote logging
+
+VyOS supports {abbr}`TLS (Transport Layer Security)`-encrypted remote logging
+over TCP to ensure secure transmission of syslog data to remote syslog servers.
+
+**Prerequisites**: Before configuring {abbr}`TLS (Transport Layer
+Security)`-encrypted remote logging, ensure you have:
+- A valid remote syslog server address.
+- Valid {abbr}`CA (Certificate Authority)` and client certificates uploaded
+ to the local {abbr}`PKI (Public Key Infrastructure)` storage.
+- The **remote syslog transport protocol** is set to **TCP**:
+
+ ```none
+ set system syslog remote <address> protocol tcp
+ ```
+
+:::{note}
+{abbr}`TLS (Transport Layer Security)`-encrypted remote logging is
+**not supported** over **UDP**.
+:::
+```{cfgcmd} set system syslog remote \<address\> tls
+
+Enable TLS-encrypted remote logging.
+
+```
+
+```{cfgcmd} set system syslog remote \<address\> tls ca-certificate \<ca_name\>
+
+**Configure the** {abbr}`CA (Certificate Authority)` **certificate.**
+
+The syslog client uses the {abbr}`CA (Certificate Authority)` certificate to
+verify the identity of the remote syslog server.
+
+The {abbr}`CA (Certificate Authority)` certificate is required for **all**
+authentication modes except ``anon``.
+
+```
+
+```{cfgcmd} set system syslog remote \<address\> tls certificate \<cert_name\>
+
+**Configure the client certificate.**
+
+The remote syslog server uses the client certificate to verify the identity
+of the syslog client.
+
+The client certificate is required if the remote syslog server enforces
+client certificate verification.
+
+```
+
+````{cfgcmd} set system syslog remote \<address\> tls auth-mode \<anon | fingerprint | certvalid | name\>
+
+**Configure the authentication mode.**
+
+The authentication mode defines how the syslog client verifies the syslog
+server's identity.
+
+The following authentication modes are available:
+
+```{eval-rst}
+* ``anon`` **(default)**: Allows encrypted connections without verifying the syslog
+ server's identity. This mode is **not recommended**, as it is vulnerable to
+ :abbr:`MITM (Man-in-the-Middle)` attacks.
+* ``fingerprint``: Verifies the server’s certificate fingerprint against the
+ value preconfigured with:
+
+ .. code-block:: none
+
+ set system syslog remote <address> tls permitted-peer <peer>
+
+* ``certvalid``: Verifies the server certificate is signed by a trusted
+ :abbr:`CA (Certificate Authority)`, skipping :abbr:`CN (Common Name)` check.
+* ``name``: Verifies that:
+
+ * The server’s certificate is signed by a trusted :abbr:`CA (Certificate
+ Authority)`.
+ * The :abbr:`CN (Common Name)` in the certificate matches the value
+ preconfigured with:
+
+ .. code-block:: none
+
+ set system syslog remote <address> tls permitted-peer <peer>
+
+ This is a **recommended** secure mode for production environments.
+```
+
+````
+
+```{cfgcmd} set system syslog remote \<address\> tls permitted-peer \<peer\>
+
+**Configure the peer certificate identifiers.**
+
+The certificate identifier format depends on the authentication mode:
+* ``fingerprint``: Enter the expected certificate fingerprints (SHA-1 or
+SHA-256).
+* ``name``: Enter the expected certificate {abbr}`CNs (Common Names)`.
+
+For ``anon`` and ``certvalid`` authentication modes, certificate identifiers
+are not required.
+
+```
+
+#### Examples:
+
+```none
+# Example of 'anon' authentication mode
+set system syslog remote 10.10.2.3 facility all level debug
+set system syslog remote 10.10.2.3 port 6514
+set system syslog remote 10.10.2.3 protocol tcp
+set system syslog remote 10.10.2.3 tls auth-mode anon
+# or just use 'set system syslog remote 10.10.2.3 tls'
+
+# Example of 'certvalid' authentication mode
+set system syslog remote elk.example.com facility all level debug
+set system syslog remote elk.example.com port 6514
+set system syslog remote elk.example.com protocol tcp
+set system syslog remote elk.example.com tls ca-certificate my-ca
+set system syslog remote elk.example.com tls auth-mode certvalid
+
+# Example of 'fingerprint' authentication mode
+set system syslog remote syslog.example.com facility all level debug
+set system syslog remote syslog.example.com port 6514
+set system syslog remote syslog.example.com protocol tcp
+set system syslog remote syslog.example.com tls ca-certificate my-ca
+set system syslog remote syslog.example.com tls auth-mode fingerprint
+set system syslog remote syslog.example.com tls permitted-peers 'SHA1:10:C4:26:...,SHA256:7B:4B:10:...'
+
+# Example of 'name' authentication mode
+set system syslog remote graylog.example.com facility all level debug
+set system syslog remote graylog.example.com port 6514
+set system syslog remote graylog.example.com protocol tcp
+set system syslog remote graylog.example.com tls ca-certificate my-ca
+set system syslog remote graylog.example.com tls certificate syslog-client
+set system syslog remote graylog.example.com tls auth-mode name
+set system syslog remote graylog.example.com tls permitted-peers 'graylog.example.com'
+```
+
+#### Security recommendations
+
+- For secure deployments, always use the `name` authentication mode. It
+ ensures that the server is validated by a trusted {abbr}`CA (Certificate
+ Authority)` and that the hostname matches the certificate.
+- Use the `anon` authentication mode only in testing environments, as it
+ doesn't provide server authentication.
+- Ensure private keys are generated, stored, and maintained exclusively within
+ the {doc}`PKI system </configuration/pki/index>`.
+(syslog_facilities)=
+
+## Syslog facilities
+
+This section lists facilities used by syslog. Most facility names are self-
+explanatory. The local0–local7 facilities are used for custom purposes, such as
+logging from network nodes and equipment. Facility assignment is flexible and
+should be tailored to your company's needs. Consider facilities as categorization
+tools, rather than strict directives.
+
+```{eval-rst}
++----------+----------+----------------------------------------------------+
+| Facility | Keyword | Description |
+| code | | |
++==========+==========+====================================================+
+| | all | All facilities |
++----------+----------+----------------------------------------------------+
+| 0 | kern | Kernel messages |
++----------+----------+----------------------------------------------------+
+| 1 | user | User-level messages |
++----------+----------+----------------------------------------------------+
+| 2 | mail | Mail system |
++----------+----------+----------------------------------------------------+
+| 3 | daemon | System daemons |
++----------+----------+----------------------------------------------------+
+| 4 | auth | Security/authentication messages |
++----------+----------+----------------------------------------------------+
+| 5 | syslog | Messages generated internally by syslog |
++----------+----------+----------------------------------------------------+
+| 6 | lpr | Line printer subsystem |
++----------+----------+----------------------------------------------------+
+| 7 | news | Network news subsystem |
++----------+----------+----------------------------------------------------+
+| 8 | uucp | UUCP subsystem |
++----------+----------+----------------------------------------------------+
+| 9 | cron | Clock daemon |
++----------+----------+----------------------------------------------------+
+| 10 | security | Security/authentication messages |
++----------+----------+----------------------------------------------------+
+| 11 | ftp | FTP daemon |
++----------+----------+----------------------------------------------------+
+| 12 | ntp | NTP subsystem |
++----------+----------+----------------------------------------------------+
+| 13 | logaudit | Log audit |
++----------+----------+----------------------------------------------------+
+| 14 | logalert | Log alert |
++----------+----------+----------------------------------------------------+
+| 15 | clock | clock daemon (note 2) |
++----------+----------+----------------------------------------------------+
+| 16 | local0 | local use 0 (local0) |
++----------+----------+----------------------------------------------------+
+| 17 | local1 | local use 1 (local1) |
++----------+----------+----------------------------------------------------+
+| 18 | local2 | local use 2 (local2) |
++----------+----------+----------------------------------------------------+
+| 19 | local3 | local use 3 (local3) |
++----------+----------+----------------------------------------------------+
+| 20 | local4 | local use 4 (local4) |
++----------+----------+----------------------------------------------------+
+| 21 | local5 | local use 5 (local5) |
++----------+----------+----------------------------------------------------+
+| 22 | local6 | local use 6 (local6) |
++----------+----------+----------------------------------------------------+
+| 23 | local7 | local use 7 (local7) |
++----------+----------+----------------------------------------------------+
+```
+
+(syslog_severity_level)=
+
+## Severity levels
+
+```{eval-rst}
++-------+---------------+---------+-------------------------------------------+
+| Value | Severity | Keyword | Description |
++=======+===============+=========+===========================================+
+| | | all | Log everything. |
++-------+---------------+---------+-------------------------------------------+
+| 0 | Emergency | emerg | System is unusable - a panic condition. |
++-------+---------------+---------+-------------------------------------------+
+| 1 | Alert | alert | Action must be taken immediately - A |
+| | | | condition that should be corrected |
+| | | | immediately, such as a corrupted system |
+| | | | database. |
++-------+---------------+---------+-------------------------------------------+
+| 2 | Critical | crit | Critical conditions - e.g., hard drive |
+| | | | errors. |
++-------+---------------+---------+-------------------------------------------+
+| 3 | Error | err | Error conditions. |
++-------+---------------+---------+-------------------------------------------+
+| 4 | Warning | warning | Warning conditions. |
++-------+---------------+---------+-------------------------------------------+
+| 5 | Notice | notice | Normal but significant conditions - |
+| | | | conditions that are not error conditions, |
+| | | | but that may require special handling. |
++-------+---------------+---------+-------------------------------------------+
+| 6 | Informational | info | Informational messages. |
++-------+---------------+---------+-------------------------------------------+
+| 7 | Debug | debug | Debug-level messages - Messages that |
+| | | | contain information normally of use only |
+| | | | when debugging a program. |
++-------+---------------+---------+-------------------------------------------+
+```
+
+## Display logs
+
+```{opcmd} show log [all | authorization | cluster | conntrack-sync | ...]
+
+**Display logs for a specific category on the console.**
+
+Use tab completion to view a list of available categories.
+
+If no category is specified, all logs are shown.
+
+```
+
+````{opcmd} show log image \<name\> [all | authorization | directory | file \<file name\> | tail \<lines\>]
+
+**Display logs for a specific image on the console.**
+
+Available log categories:
+
+```{eval-rst}
+.. list-table::
+ :widths: 25 75
+ :header-rows: 0
+
+ * - all
+ - Displays the contents of system log files of the specified image.
+ * - authorization
+ - Displays authorization attempts of the specified image.
+ * - directory
+ - Displays user-defined log files of the specified image.
+ * - file <file name>
+ - Displays the contents of a specified user-defined log file of the specified
+ image.
+ * - tail
+ - Displays last lines of the system log of the specified image.
+ * - <lines>
+ - Number of lines to be displayed, default 10.
+```
+
+````
+
+If no category is specified, the contents of the main syslog file are
+displayed.
+
+:::{hint}
+Use `show log | strip-private` to hide private data
+when displaying your logs.
+:::
diff --git a/docs/configuration/system/task-scheduler.md b/docs/configuration/system/task-scheduler.md
new file mode 100644
index 00000000..94ca9f4d
--- /dev/null
+++ b/docs/configuration/system/task-scheduler.md
@@ -0,0 +1,45 @@
+(task-scheduler)=
+
+# Task Scheduler
+
+The task scheduler allows you to execute tasks on a given schedule. It makes
+use of UNIX [cron].
+
+:::{note}
+All scripts executed this way are executed as root user - this may
+be dangerous. Together with {ref}`command-scripting` this can be used for
+automating (re-)configuration.
+:::
+
+```{cfgcmd} set system task-scheduler task \<task\> interval \<interval\>
+
+Specify the time interval when `<task>` should be executed. The interval
+is specified as number with one of the following suffixes:
+* ``none`` - Execution interval in minutes
+* ``m`` - Execution interval in minutes
+* ``h`` - Execution interval in hours
+* ``d`` - Execution interval in days
+
+:::{note}
+If suffix is omitted, minutes are implied.
+:::
+```
+
+```{cfgcmd} set system task-scheduler task \<task\> crontab-spec \<spec\>
+
+Set execution time in common cron time format. A cron `<spec>` of
+``30 */6 * * *`` would execute the `<task>` at minute 30 past every 6th hour.
+```
+
+```{cfgcmd} set system task-scheduler task \<task\> executable path \<path\>
+
+Specify absolute `<path>` to script which will be run when `<task>` is
+executed.
+```
+
+```{cfgcmd} set system task-scheduler task \<task\> executable arguments \<args\>
+
+Arguments which will be passed to the executable.
+```
+
+[cron]: https://en.wikipedia.org/wiki/Cron
diff --git a/docs/configuration/system/time-zone.md b/docs/configuration/system/time-zone.md
new file mode 100644
index 00000000..2279a773
--- /dev/null
+++ b/docs/configuration/system/time-zone.md
@@ -0,0 +1,17 @@
+(timezone)=
+
+# Time Zone
+
+Time Zone setting is very important as e.g all your logfile entries will be
+based on the configured zone. Without proper time zone configuration it will
+be very difficult to compare logfiles from different systems.
+
+```{cfgcmd} set system time-zone \<timezone\>
+
+Specify the systems \<timezone\> as the Region/Location that best defines
+your location. For example, specifying US/Pacific sets the time zone to US
+Pacific time.
+
+Command completion can be used to list available time zones. The adjustment
+for daylight time will take place automatically based on the time of year.
+``` \ No newline at end of file
diff --git a/docs/configuration/system/updates.md b/docs/configuration/system/updates.md
new file mode 100644
index 00000000..c82d37be
--- /dev/null
+++ b/docs/configuration/system/updates.md
@@ -0,0 +1,36 @@
+# Updates
+
+VyOS supports online checking for updates
+
+## Configuration
+
+```{cfgcmd} set system update-check auto-check
+
+Configure auto-checking for new images
+```
+
+```{cfgcmd} set system update-check url \<url\>
+
+Configure a URL that contains information about images.
+```
+
+
+## Example
+
+```none
+set system update-check auto-check
+set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'
+```
+
+Check:
+
+```none
+vyos@r4:~$ show system updates
+Current version: 1.5-rolling-202312220023
+
+Update available: 1.5-rolling-202312250024
+Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso
+vyos@r4:~$
+
+vyos@r4:~$ add system image latest
+```
diff --git a/docs/configuration/system/watchdog.md b/docs/configuration/system/watchdog.md
new file mode 100644
index 00000000..700051a6
--- /dev/null
+++ b/docs/configuration/system/watchdog.md
@@ -0,0 +1,212 @@
+(system-watchdog)=
+
+# Watchdog
+
+VyOS supports hardware watchdog timers to automatically reboot the system if
+it becomes unresponsive. This is particularly useful for remote or embedded
+systems where physical access is limited.
+
+A watchdog timer is a hardware or software mechanism that automatically resets
+the system if the operating system stops responding within a configured timeout
+period. The system will periodically notify the watchdog that it is still
+running. If the watchdog is not notified within the timeout period, the watchdog
+will reset the system.
+
+## Configuration
+
+The watchdog feature is configured under the `system watchdog` configuration
+tree. The presence of the `system watchdog` node enables the watchdog feature.
+
+```{cfgcmd} set system watchdog
+
+Enable watchdog support.
+
+The watchdog is enabled only when a watchdog device is available as
+``/dev/watchdog0``.
+
+:::{note}
+If multiple watchdog devices are present, only the first watchdog
+device is supported (VyOS uses ``/dev/watchdog0`` only).
+:::
+If ``/dev/watchdog0`` does not exist and no module is configured, commit will
+fail. If a module is configured but ``/dev/watchdog0`` still cannot be
+created, VyOS will emit a warning and will not enable the systemd watchdog.
+```
+
+```{cfgcmd} set system watchdog module \<module-name\>
+
+Specify the kernel watchdog driver module to load for ``/dev/watchdog0``.
+
+The configured module must be a watchdog driver module, not an arbitrary
+kernel module.
+
+**In most cases, this option is not required** as the kernel will
+automatically load the appropriate watchdog driver for your system. Use this
+option if the kernel fails to load the required driver, or when you want to
+use the software watchdog (``softdog``).
+
+Common modules include:
+* ``softdog`` - Software watchdog timer (available on all systems)
+* ``iTCO_wdt`` - Intel TCO watchdog timer
+* ``sp5100_tco`` - AMD SP5100 TCO watchdog timer
+* ``i6300esb`` - Intel 6300ESB watchdog timer
+* ``ipmi_watchdog`` - IPMI watchdog timer
+
+:::{warning}
+``softdog`` is not a hardware watchdog. It is implemented using
+kernel timers and therefore depends on the Linux kernel continuing to run.
+In some fault conditions (for example, a kernel hang), ``softdog`` may not
+be able to trigger a reset.
+
+Prefer a hardware watchdog driver whenever possible, as hardware watchdogs
+can operate independently of the operating system.
+:::
+
+If no module is specified, VyOS will use an existing ``/dev/watchdog0``
+device if available.
+
+:::{note}
+If a module is specified but a different driver is actually bound
+to ``watchdog0``, VyOS will emit a warning during commit.
+:::
+Example:
+
+:::{code-block} none
+set system watchdog module softdog
+:::
+```
+
+```{cfgcmd} set system watchdog timeout \<seconds\>
+:defaultvalue:
+
+Set the watchdog timeout for normal runtime operation in seconds.
+
+Valid range: 1-65535 seconds
+
+:::{note}
+Some watchdog drivers expose minimum and maximum supported runtime
+timeouts via sysfs. When available, VyOS validates ``timeout`` against
+those driver limits during commit.
+:::
+
+This is the interval during which the system must respond to the watchdog.
+If the system does not respond within this time, the watchdog will trigger
+a reboot.
+
+Example:
+
+:::{code-block} none
+set system watchdog timeout 30
+:::
+```
+
+```{cfgcmd} set system watchdog shutdown-timeout \<seconds\>
+:defaultvalue:
+
+Set the watchdog timeout during system shutdown in seconds.
+
+Valid range: 60-65535 seconds
+
+This extended timeout allows the system to complete a graceful shutdown
+without triggering the watchdog.
+
+:::{warning}
+Setting this value too low (below 120 seconds) may cause
+unclean shutdowns, as the system may not have enough time to properly
+stop all services and flush disk buffers. The recommended minimum value
+is 120 seconds.
+:::
+Example:
+
+:::{code-block} none
+set system watchdog shutdown-timeout 180
+:::
+```
+
+```{cfgcmd} set system watchdog reboot-timeout \<seconds\>
+:defaultvalue:
+
+Set the watchdog timeout during system reboot in seconds.
+
+Valid range: 60-65535 seconds
+
+This extended timeout allows the system to complete the reboot process
+without triggering the watchdog during the transition.
+
+:::{warning}
+Setting this value too low (below 120 seconds) may cause
+unclean reboots, as the system may not have enough time to properly
+stop all services before restarting. The recommended minimum value
+is 120 seconds.
+:::
+Example:
+
+:::{code-block} none
+set system watchdog reboot-timeout 180
+:::
+```
+
+
+## Examples
+
+### Basic Configuration with Software Watchdog
+
+This example configures a basic software watchdog with default timeouts:
+
+```none
+set system watchdog module softdog
+```
+
+This will:
+- Enable the watchdog feature
+- Load the `softdog` kernel module
+- Use a 10-second runtime timeout (default)
+- Use 120-second shutdown and reboot timeouts (default)
+
+### Advanced Configuration
+
+This example shows a more customized configuration suitable for a production
+system:
+
+```none
+set system watchdog module iTCO_wdt
+set system watchdog timeout 30
+set system watchdog shutdown-timeout 300
+set system watchdog reboot-timeout 300
+```
+
+This configuration:
+
+- Enables the watchdog feature
+- Loads the Intel TCO hardware watchdog module
+- Sets a 30-second runtime timeout
+- Allows 5 minutes for shutdown and reboot operations
+
+## Best Practices
+
+- **Start with conservative timeouts**: Use longer timeouts initially and
+ reduce them as you gain confidence in system stability.
+- **Test before deployment**: Verify the watchdog works as expected in a
+ non-production environment before deploying to production systems.
+- **Choose appropriate modules**: Use hardware watchdog modules (like
+ `iTCO_wdt`) when available, as they are more reliable than software
+ watchdogs.
+- **Consider shutdown time**: Set `shutdown-timeout` and `reboot-timeout`
+ values high enough to allow for normal shutdown procedures, especially on
+ systems with many services or slow storage.
+- **Monitor watchdog events**: Check system logs after any unexpected reboots
+ to determine if the watchdog triggered the reboot.
+- **Remote systems**: For systems without physical console access, use
+ conservative timeout values to avoid false-positive reboots during high
+ load conditions.
+
+:::{note}
+The watchdog configuration takes effect immediately after commit,
+but systemd must be reloaded. This happens automatically during commit.
+:::
+
+:::{warning}
+Incorrect watchdog configuration on remote systems can result
+in unexpected reboots. Always test watchdog settings in a controlled
+environment before deploying to production systems.
+:::