Diffstat (limited to 'docs/configuration')

 -rw-r--r--  docs/configuration/interfaces/macsec.rst       | 48
 -rw-r--r--  docs/configuration/interfaces/vxlan.rst        | 19
 -rw-r--r--  docs/configuration/pki/index.rst               |  2
 -rw-r--r--  docs/configuration/policy/route-map.rst        |  4
 -rw-r--r--  docs/configuration/service/dhcp-server.rst     | 42
 -rw-r--r--  docs/configuration/system/flow-accounting.rst  |  4
 -rw-r--r--  docs/configuration/system/option.rst           | 29
 -rw-r--r--  docs/configuration/vrf/index.rst               |  6

 8 files changed, 124 insertions, 30 deletions
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 0c0c052b..1ab7f361 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -236,4 +236,50 @@ the unencrypted but authenticated content. set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file + set interfaces macsec macsec1 source-interface 'eth1' + +*************** +MACsec over wan +*************** + +MACsec is an interesting alternative to existing tunneling solutions that +protects layer 2 by performing integrity, origin authentication, and optionally +encryption. The typical use case is to use MACsec between hosts and access +switches, between two hosts, or between two switches. in this example below, +we use VXLAN and MACsec to secure the tunnel. + +**R1 MACsec01** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.1/24' + set interfaces macsec macsec1 address '2001:db8::1/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:01' + set interfaces vxlan vxlan1 remote '10.1.3.3' + set interfaces vxlan vxlan1 source-address '172.16.100.1' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.3.3/32 next-hop 172.16.100.2 + +**R2 MACsec02** + +.. 
code-block:: none + + set interfaces macsec macsec1 address '192.0.2.2/24' + set interfaces macsec macsec1 address '2001:db8::2/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:02' + set interfaces vxlan vxlan1 remote '10.1.2.2' + set interfaces vxlan vxlan1 source-address '172.16.100.2' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.2.2/32 next-hop 172.16.100.1 diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index af00fdec..831870c5 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -31,10 +31,6 @@ If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are permitted, otherwise forwarded frames may be blocked by the hypervisor. -.. note:: As VyOS is based on Linux and there was no official IANA port assigned - for VXLAN, VyOS uses a default port of 8472. You can change the port on a - per VXLAN interface basis to get it working across multiple vendors. - Configuration ============= 
@@ -58,11 +54,7 @@ VXLAN specific options Configure port number of remote VXLAN endpoint. - .. note:: As VyOS is Linux based the default port used is not using 4789 - as the default IANA-assigned destination UDP port number. Instead VyOS - uses the Linux default port of 8472. - -.. cfgcmd:: set interfaces vxlan <interface> source-address <interface> +.. cfgcmd:: set interfaces vxlan <interface> source-address <IP address> Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. @@ -331,10 +323,9 @@ multicast-address. set interfaces vxlan vxlan241 port 12345 -The destination port used for creating a VXLAN interface in Linux defaults to -its pre-standard value of 8472 to preserve backward compatibility. A -configuration directive to support a user-specified destination port to override -that behavior is available using the above command. +The destination port used for creating a VXLAN interface defaults to +4789. Aconfiguration directive to support a user-specified destination port +to override that behavior is available using the above command. Unicast VXLAN ============= @@ -354,5 +345,5 @@ set directly. Let's change the Multicast example from above: # leaf3 set interface vxlan vxlan241 remote 10.1.2.2 -The default port udp is set to 8472. +The default port udp is set to 4789. It can be changed with ``set interface vxlan <vxlanN> port <port>`` diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 99bd2815..70b89d9f 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -255,6 +255,8 @@ ACME The VyOS PKI subsystem can also be used to automatically retrieve Certificates using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. +VyOS 1.4.1 does not store the intermediate certificates from ACME. Which makes +this functionality limited. See :vytask:`T7299`. .. cfgcmd:: set pki certificate <name> acme domain-name <name> 
diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index ccc4cef0..909f7e25 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -179,6 +179,10 @@ Route Map Match RPKI validation result. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match source-vrf <text> + + Source VRF to match. + .. cfgcmd:: set policy route-map <text> rule <1-65535> match tag <1-65535> Route tag to match. diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 45555336..a02f60d1 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst 
@@ -170,28 +170,44 @@ Individual Client Subnet Enable DHCP failover configuration for this address pool. -Failover --------- +High Availability +----------------- + +VyOS provides High Availability support for DHCP server. DHCP High +Availability can act in two different modes: + +* **Active-active**: both DHCP servers will respond to DHCP requests. If + ``mode`` is not defined, this is the default behavior. + +* **Active-passive**: only ``primary`` server will respond to DHCP requests. + If this server goes offline, then ``secondary`` server will take place. + +DHCP High Availability must be configured explicitly by the following +statements on both servers: + +.. cfgcmd:: set service dhcp-server high-availability mode [active-active + | active-passive] -VyOS provides support for DHCP failover. DHCP failover must be configured -explicitly by the following statements. + Define operation mode of High Availability feature. Default value if command + is not specified is `active-active` -.. cfgcmd:: set service dhcp-server failover source-address <address> +.. cfgcmd:: set service dhcp-server high-availability source-address <address> - Local IP `<address>` used when communicating to the failover peer. + Local IP `<address>` used when communicating to the HA peer. -.. cfgcmd:: set service dhcp-server failover remote <address> +.. cfgcmd:: set service dhcp-server high-availability remote <address> - Remote peer IP `<address>` of the second DHCP server in this failover + Remote peer IP `<address>` of the second DHCP server in this HA cluster. -.. cfgcmd:: set service dhcp-server failover name <name> +.. cfgcmd:: set service dhcp-server high-availability name <name> A generic `<name>` referencing this sync service. .. note:: `<name>` must be identical on both sides! -.. cfgcmd:: set service dhcp-server failover status <primary | secondary> +.. 
cfgcmd:: set service dhcp-server high-availability status <primary + | secondary> The primary and secondary statements determines whether the server is primary or secondary. @@ -200,12 +216,12 @@ explicitly by the following statements. their lease tables in sync, they must be able to reach each other on TCP port 647. If you have firewall rules in effect, adjust them accordingly. - .. hint:: The dialogue between failover partners is neither encrypted nor + .. hint:: The dialogue between HA partners is neither encrypted nor authenticated. Since most DHCP servers exist within an organisation's own secure Intranet, this would be an unnecessary overhead. However, if you - have DHCP failover peers whose communications traverse insecure networks, + have DHCP HA peers whose communications traverse insecure networks, then we recommend that you consider the use of VPN tunneling between them - to ensure that the failover partnership is immune to disruption + to ensure that the HA partnership is immune to disruption (accidental or otherwise) via third parties. Static mappings diff --git a/docs/configuration/system/flow-accounting.rst b/docs/configuration/system/flow-accounting.rst index 8d46b178..b36ddc27 100644 --- a/docs/configuration/system/flow-accounting.rst +++ b/docs/configuration/system/flow-accounting.rst @@ -42,6 +42,10 @@ exported. Configuration ============= +.. warning:: Using NetFlow on routers with high traffic levels may lead to + high CPU usage and may affect the router's performance. In such cases, + consider using sFlow instead. + In order for flow accounting information to be collected and displayed for an interface, the interface must be configured for flow accounting. diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index 02c889dd..d039315c 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst 
@@ -43,8 +43,6 @@ Kernel .. cfgcmd:: set system option kernel disable-power-saving - Disable CPU power saving mechanisms also known as C states. - This will add the following two options to the Kernel commandline: * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle @@ -52,6 +50,33 @@ Kernel .. note:: Setting will only become active with the next reboot! +.. cfgcmd:: set system option kernel amd-pstate-driver <mode> + + Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs. + + The available modes are: + + * ``active`` This is the low-level firmware control mode based on the profile + set and the system governor has no effect. + * ``passive`` The driver allows the system governor to manage CPU frequency + while providing available performance states. + * ``guided`` The driver allows to set desired performance levels and the firmware + selects a performance level in this range and fitting to the current workload. + + This will add the following two options to the Kernel commandline: + + * ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale + * ``amd_pstate={mode}`` Sets the p-state mode + + .. note:: Setting will only become active with the next reboot! + + .. seealso:: https://docs.kernel.org/admin-guide/pm/amd-pstate.html + +.. cfgcmd:: set system option kernel quiet + + Suppress most kernel messages during boot. This is useful for systems with + embedded serial console interfaces to speed up the boot process. + *********** HTTP client *********** diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index 08f489bb..0d44e326 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst 
@@ -505,6 +505,12 @@ address-family. derived and should not be specified explicitly for either the source or destination VRF’s. +.. cfgcmd:: set vrf name <name> protocols bgp address-family + <ipv4-unicast|ipv6-unicast> route-map vrf import + [route-map <name>] + + Specifies an optional route-map to be applied to routes imported from VRFs. + .. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls forwarding |
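Review bot: in the macsec.rst hunk, the new section title "MACsec over wan" should be "MACsec over WAN", and "in this example below, we use VXLAN and MACsec to secure the tunnel." needs a capital "In". The intro should also state plainly that the VXLAN underlay (172.16.100.x and the 10.1.x.x remotes) stays in cleartext and that MACsec protects only the frames carried inside vxlan1; readers may otherwise assume the tunnel itself is encrypted. For consistency, the headings "R1 MACsec01" / "R2 MACsec02" use a different naming scheme than the peer names SEC01 / SEC02 in the commands.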
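Review bot: in the vxlan.rst hunk, "Aconfiguration" in the rewritten paragraph after the ``port 12345`` example is missing a space ("A configuration"), and "The default port udp is set to 4789." reads better as "The default UDP port is 4789.". Since this change removes both notes about the Linux pre-standard default of 8472 and documents 4789 as the default, consider keeping one sentence for operators upgrading existing deployments: a peer still using 8472 will silently stop exchanging frames until its ``port`` setting is aligned.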
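Review bot: in the pki/index.rst hunk, "...from ACME. Which makes this functionality limited." is a sentence fragment; suggest "VyOS 1.4.1 does not store the intermediate certificates retrieved via ACME, which limits this functionality; see :vytask:`T7299`." It would help readers to say what the practical effect is (what a service using such a certificate will present to clients) so they can judge whether the limitation affects them.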
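Review bot: in the dhcp-server.rst hunk, "then ``secondary`` server will take place" in the Active-passive bullet should be "will take over". Two leftovers from the rename: the unchanged context line at the top of the hunk, "Enable DHCP failover configuration for this address pool.", still says "failover" although the section is now "High Availability", and "The primary and secondary statements determines" (context after the ``status`` command) should be "determine". The hint about the peer dialogue being neither encrypted nor authenticated is unchanged in substance, so the TCP port 647 reachability note and the VPN recommendation still apply to the renamed feature.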
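Review bot: in the option.rst hunk, the first hunk deletes "Disable CPU power saving mechanisms also known as C states.", so ``set system option kernel disable-power-saving`` is left with no description before "This will add the following two options"; if that removal is unintended, restore the line. In the ``amd-pstate-driver`` block, "Enables and configures p-state driver" should read "the p-state driver", "The driver allows to set desired performance levels" should be "allows setting desired performance levels", and "fitting to the current workload" reads better as "suited to the current workload".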
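Review bot: in the vrf/index.rst hunk, the new cfgcmd path "address-family <ipv4-unicast|ipv6-unicast> route-map vrf import [route-map <name>]" repeats ``route-map`` and brackets the name as optional, while the description says the route-map name is the thing being specified; please verify the exact CLI path and, if the name is mandatory, drop the brackets. The context line "either the source or destination VRF’s" should be "VRFs" (plural, no apostrophe).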