Diffstat (limited to 'docs')
-rw-r--r-- | docs/_static/images/dual-hub-DMVPN.png | bin | 0 -> 88497 bytes
-rw-r--r-- | docs/configexamples/dmvpn-dualhub-dualcloud.rst | 548
-rw-r--r-- | docs/configexamples/index.rst | 1
-rw-r--r-- | docs/configuration/loadbalancing/haproxy.rst | 10
-rw-r--r-- | docs/configuration/nat/nat44.rst | 6
-rw-r--r-- | docs/configuration/system/flow-accounting.rst | 24
-rw-r--r-- | docs/configuration/system/sflow.rst | 4
-rw-r--r-- | docs/contributing/build-vyos.rst | 189
-rw-r--r-- | docs/contributing/development.rst | 151
-rw-r--r-- | docs/introducing/history.rst | 13
10 files changed, 591 insertions, 355 deletions
diff --git a/docs/_static/images/dual-hub-DMVPN.png b/docs/_static/images/dual-hub-DMVPN.png Binary files differnew file mode 100644 index 00000000..51ba9c14 --- /dev/null +++ b/docs/_static/images/dual-hub-DMVPN.png diff --git a/docs/configexamples/dmvpn-dualhub-dualcloud.rst b/docs/configexamples/dmvpn-dualhub-dualcloud.rst new file mode 100644 index 00000000..eb34d7e8 --- /dev/null +++ b/docs/configexamples/dmvpn-dualhub-dualcloud.rst 
@@ -0,0 +1,548 @@ +:lastproofread: 2024-02-21 + +.. _examples-dmvpn-dualhub-dualcloud: + +######################### +DMVPN Dual HUB Dual Cloud +######################### + +This document is to describe a basic setup to build DVMPN network with two Hubs and two clouds using DMVPN Phase3. +OSPF is used as routing protocol inside DMVPN. + +In this example we use VyOS 1.5 as HUBs and Spokes (HUB-1, HUB-2, SPOKE-2, SPOKE-3) and Cisco IOSv 15.5(3)M (SPOKE-1) +as a Spoke. + +Network Topology +================ + +.. image:: /_static/images/dual-hub-DMVPN.png + :width: 80% + :align: center + :alt: DMVPN Network Topology + +Configurations +============== + +Underlay configuration +______________________ + +Networks 192.168.X.0/24 are used as LANs for every spoke. + +HUB-1 + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.0.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.0.1 + +HUB-2 + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.1.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + +Spoke-1 + +.. code-block:: none + + interface GigabitEthernet0/0 + ip address 10.0.11.2 255.255.255.252 + duplex auto + speed auto + media-type rj45 + ! + interface GigabitEthernet0/1 + ip address 192.168.11.1 255.255.255.0 + ip ospf 1 area 0 + duplex auto + speed auto + media-type rj45 + ! + ip route 0.0.0.0 0.0.0.0 10.0.11.1 + +Spoke-2 + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.12.2/30' + set interfaces ethernet eth1 address '192.168.12.1/24' + set protocols static route 0.0.0.0/0 next-hop 10.0.12.1 + +Spoke-3 + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.13.2/30' + set interfaces ethernet eth1 address '192.168.13.1/24' + set protocols static route 0.0.0.0/0 next-hop 10.0.13.1 + +NHRP configuration +__________________ + +The next step is to configure the NHRP protocol. 
In a Dual cloud network, every HUB has to be configured with one GRE +multipoint tunnel interface and every spoke has to be configured with two tunnel interfaces, one tunnel to each hub. +In this example tunnel networks are 10.100.100.0/32 for the first cloud and 10.100.100.0/32 for the second cloud. +But VyOS uses FRR for NHRP, that is why the tunnel address mask must be /32. + +HUB-1 + +.. code-block:: none + + set interfaces tunnel tun100 address '10.100.100.1/32' + set interfaces tunnel tun100 enable-multicast + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 ip adjust-mss '1360' + set interfaces tunnel tun100 mtu '1436' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' + set protocols nhrp tunnel tun100 authentication 'vyos' + set protocols nhrp tunnel tun100 holdtime '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 network-id '1' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 registration-no-unique + +HUB-2 + +.. code-block:: none + + set interfaces tunnel tun101 address '10.100.101.1/32' + set interfaces tunnel tun101 enable-multicast + set interfaces tunnel tun101 encapsulation 'gre' + set interfaces tunnel tun101 ip adjust-mss '1360' + set interfaces tunnel tun101 mtu '1436' + set interfaces tunnel tun101 parameters ip key '43' + set interfaces tunnel tun101 source-interface 'eth0' + set protocols nhrp tunnel tun101 authentication 'vyos' + set protocols nhrp tunnel tun101 holdtime '300' + set protocols nhrp tunnel tun101 multicast 'dynamic' + set protocols nhrp tunnel tun101 network-id '2' + set protocols nhrp tunnel tun101 redirect + set protocols nhrp tunnel tun101 registration-no-unique + +Spoke-1 + +.. 
code-block:: none + + interface Tunnel100 + ip address 10.100.100.11 255.255.255.0 + no ip redirects + ip mtu 1436 + ip nhrp authentication vyos + ip nhrp map multicast 10.0.0.2 + ip nhrp network-id 1 + ip nhrp holdtime 300 + ip nhrp nhs 10.100.100.1 nbma 10.0.0.2 + ip nhrp shortcut + ip tcp adjust-mss 1360 + tunnel source GigabitEthernet0/0 + tunnel mode gre multipoint + tunnel key 42 + ! + interface Tunnel101 + ip address 10.100.101.11 255.255.255.0 + no ip redirects + ip mtu 1436 + ip nhrp authentication vyos + ip nhrp map multicast 10.0.1.2 + ip nhrp network-id 2 + ip nhrp holdtime 300 + ip nhrp nhs 10.100.101.1 nbma 10.0.1.2 + ip nhrp shortcut + ip tcp adjust-mss 1360 + tunnel source GigabitEthernet0/0 + tunnel mode gre multipoint + tunnel key 43 + + +Spoke-2 + +.. code-block:: none + + set interfaces tunnel tun100 address '10.100.100.12/32' + set interfaces tunnel tun100 enable-multicast + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 ip adjust-mss '1360' + set interfaces tunnel tun100 mtu '1436' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' + set interfaces tunnel tun101 address '10.100.101.12/32' + set interfaces tunnel tun101 enable-multicast + set interfaces tunnel tun101 encapsulation 'gre' + set interfaces tunnel tun101 ip adjust-mss '1360' + set interfaces tunnel tun101 mtu '1436' + set interfaces tunnel tun101 parameters ip key '43' + set interfaces tunnel tun101 source-interface 'eth0' + set protocols nhrp tunnel tun100 authentication 'vyos' + set protocols nhrp tunnel tun100 holdtime '300' + set protocols nhrp tunnel tun100 multicast '10.0.0.2' + set protocols nhrp tunnel tun100 network-id '1' + set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '10.0.0.2' + set protocols nhrp tunnel tun100 registration-no-unique + set protocols nhrp tunnel tun100 shortcut + set protocols nhrp tunnel tun101 authentication 'vyos' + set protocols nhrp tunnel 
tun101 holdtime '300' + set protocols nhrp tunnel tun101 multicast '10.0.1.2' + set protocols nhrp tunnel tun101 network-id '2' + set protocols nhrp tunnel tun101 nhs tunnel-ip dynamic nbma '10.0.1.2' + set protocols nhrp tunnel tun101 registration-no-unique + set protocols nhrp tunnel tun101 shortcut + +Spoke-3 + +.. code-block:: none + + set protocols nhrp tunnel tun100 authentication 'vyos' + set protocols nhrp tunnel tun100 holdtime '300' + set protocols nhrp tunnel tun100 multicast '10.0.0.2' + set protocols nhrp tunnel tun100 network-id '1' + set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '10.0.0.2' + set protocols nhrp tunnel tun100 registration-no-unique + set protocols nhrp tunnel tun100 shortcut + set protocols nhrp tunnel tun101 authentication 'vyos' + set protocols nhrp tunnel tun101 holdtime '300' + set protocols nhrp tunnel tun101 multicast '10.0.1.2' + set protocols nhrp tunnel tun101 network-id '2' + set protocols nhrp tunnel tun101 nhs tunnel-ip dynamic nbma '10.0.1.2' + set protocols nhrp tunnel tun101 registration-no-unique + set protocols nhrp tunnel tun101 shortcut + +Overlay configuration +_____________________ + +The last step is to configure the routing protocol. In this scenario, OSPF was chosen as the dynamic routing protocol. +But you can use iBGP or eBGP. To form fast convergence it is possible to use BFD protocol. + + +HUB-1 + +.. code-block:: none + + set protocols ospf interface tun100 area '0' + set protocols ospf interface tun100 network 'point-to-multipoint' + set protocols ospf interface tun100 passive disable + set protocols ospf passive-interface 'default' + +HUB-2 + +.. code-block:: none + + set protocols ospf interface tun101 area '0' + set protocols ospf interface tun101 network 'point-to-multipoint' + set protocols ospf interface tun101 passive disable + set protocols ospf passive-interface 'default' + +Spoke-1 + +.. 
code-block:: none + + interface Tunnel100 + ip ospf network point-to-multipoint + ip ospf dead-interval 40 + ip ospf hello-interval 10 + ip ospf 1 area 0 + ! + interface Tunnel101 + ip ospf network point-to-multipoint + ip ospf dead-interval 40 + ip ospf hello-interval 10 + ip ospf 1 area 0 + ! + router ospf 1 + passive-interface default + no passive-interface Tunnel100 + no passive-interface Tunnel101 + +Spoke-2 + +.. code-block:: none + + set protocols ospf interface eth1 area '0' + set protocols ospf interface tun100 area '0' + set protocols ospf interface tun100 network 'point-to-multipoint' + set protocols ospf interface tun100 passive disable + set protocols ospf interface tun101 area '0' + set protocols ospf interface tun101 network 'point-to-multipoint' + set protocols ospf interface tun101 passive disable + set protocols ospf passive-interface 'default' + +Spoke-3 + +.. code-block:: none + + set protocols ospf interface eth1 area '0' + set protocols ospf interface tun100 area '0' + set protocols ospf interface tun100 network 'point-to-multipoint' + set protocols ospf interface tun100 passive disable + set protocols ospf interface tun101 area '0' + set protocols ospf interface tun101 network 'point-to-multipoint' + set protocols ospf interface tun101 passive disable + set protocols ospf passive-interface 'default' + +Security configuration +______________________ + +Tunnels can be encrypted by IPSEC for security. + +HUB-1 + + .. 
code-block:: none + + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'transport' + set vpn ipsec esp-group ESP-HUB pfs 'disable' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +HUB-2 + + .. code-block:: none + + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'transport' + set vpn ipsec esp-group ESP-HUB pfs 'disable' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun101' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +VyOS Spokes have the same configuration + + .. 
code-block:: none + + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'transport' + set vpn ipsec esp-group ESP-HUB pfs 'disable' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN bind tunnel 'tun101' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +SPOKE-1 + + .. code-block:: none + + crypto isakmp policy 1 + encr aes 256 + authentication pre-share + group 2 + lifetime 3600 + crypto isakmp key secret address 0.0.0.0 + ! + ! + crypto ipsec transform-set ESP_TRANSFORMSET esp-aes 256 esp-sha-hmac + mode transport + ! + ! + crypto ipsec profile gre_protection + set security-association lifetime seconds 1800 + set transform-set ESP_TRANSFORMSET + ! + interface Tunnel100 + tunnel protection ipsec profile gre_protection shared + ! + interface Tunnel101 + tunnel protection ipsec profile gre_protection shared + +Monitoring +========== + +All spokes created IPSec tunnels to Hubs, are registered on Hubs using NHRP protocol and formed adjacency in OSPF. + +.. 
code-block:: none + + vyos@HUB-1:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ------------------------ + dmvpn-NHRPVPN-tun100-child up 6m1s 4K/5K 51/56 10.0.13.2 10.0.13.2 AES_CBC_256/HMAC_SHA1_96 + dmvpn-NHRPVPN-tun100-child up 6m36s 4K/6K 56/65 10.0.12.2 10.0.12.2 AES_CBC_256/HMAC_SHA1_96 + dmvpn-NHRPVPN-tun100-child up 8m49s 6K/6K 73/77 10.0.11.2 10.0.11.2 AES_CBC_256/HMAC_SHA1_96 + + vyos@HUB-1:~$ show ip nhrp cache + Iface Type Protocol NBMA Claimed NBMA Flags Identity + tun100 dynamic 10.100.100.12 10.0.12.2 10.0.12.2 T 10.0.12.2 + tun100 dynamic 10.100.100.13 10.0.13.2 10.0.13.2 T 10.0.13.2 + tun100 dynamic 10.100.100.11 10.0.11.2 10.0.11.2 T 10.0.11.2 + tun100 local 10.100.100.1 10.0.0.2 10.0.0.2 - + + vyos@HUB-1:~$ show ip ospf neighbor + + Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL + 192.168.11.1 1 Full/DROther 17m01s 36.201s 10.100.100.11 tun100:10.100.100.1 0 0 0 + 192.168.12.1 1 Full/DROther 9m42s 37.443s 10.100.100.12 tun100:10.100.100.1 0 0 0 + 192.168.13.1 1 Full/DROther 9m15s 35.053s 10.100.100.13 tun100:10.100.100.1 0 0 0 + + +First, we see that LANs are accessible through hubs using OSPF routes. + +.. 
code-block:: none + + SPOKE-1#show ip route + Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP + D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area + N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 + E1 - OSPF external type 1, E2 - OSPF external type 2 + i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 + ia - IS-IS inter area, * - candidate default, U - per-user static route + o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + a - application route + + - replicated route, % - next hop override, p - overrides from PfR + + Gateway of last resort is 10.0.11.1 to network 0.0.0.0 + ..... + 192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks + C 192.168.11.0/24 is directly connected, GigabitEthernet0/1 + L 192.168.11.1/32 is directly connected, GigabitEthernet0/1 + O 192.168.12.0/24 [110/1002] via 10.100.101.1, 00:14:36, Tunnel101 + [110/1002] via 10.100.100.1, 00:16:13, Tunnel100 + O 192.168.13.0/24 [110/1002] via 10.100.101.1, 00:14:36, Tunnel101 + [110/1002] via 10.100.100.1, 00:15:45, Tunnel100 + + + vyos@SPOKE-2:~$ show ip route + Codes: K - kernel route, C - connected, L - local, S - static, + R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, t - Table-Direct, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + ...... 
+ O>* 192.168.11.0/24 [110/3] via 10.100.100.1, tun100 onlink, weight 1, 00:12:36 + * via 10.100.101.1, tun101 onlink, weight 1, 00:12:36 + O 192.168.12.0/24 [110/1] is directly connected, eth1, weight 1, 01:24:40 + C>* 192.168.12.0/24 is directly connected, eth1, weight 1, 01:24:43 + L>* 192.168.12.1/32 is directly connected, eth1, weight 1, 01:24:43 + O>* 192.168.13.0/24 [110/3] via 10.100.100.1, tun100 onlink, weight 1, 00:12:36 + * via 10.100.101.1, tun101 onlink, weight 1, 00:12:36 + +After initiating traffic between SPOKES sites, Phase 3 of DMVPN will work. +For instance, traceroute was generated from PC-SPOKE-2 to PC-SPOKE-1 + +.. code-block:: none + + PC-SPOKE-2 : 192.168.12.2 255.255.255.0 gateway 192.168.12.1 + + PC-SPOKE-2> trace 192.168.11.2 + trace to 192.168.11.2, 8 hops max, press Ctrl+C to stop + 1 192.168.12.1 0.558 ms 0.378 ms 0.561 ms + 2 10.100.101.1 1.768 ms 1.158 ms 1.744 ms + 3 10.100.101.11 7.196 ms 4.971 ms 4.793 ms + 4 *192.168.11.2 7.747 ms (ICMP type:3, code:3, Destination port unreachable) + + PC-SPOKE-2> trace 192.168.11.2 + trace to 192.168.11.2, 8 hops max, press Ctrl+C to stop + 1 192.168.12.1 0.562 ms 0.396 ms 0.364 ms + 2 10.100.100.11 4.401 ms 4.399 ms 4.174 ms + 3 *192.168.11.2 3.241 ms (ICMP type:3, code:3, Destination port unreachable) + +First trace goes via HUB but the second goes directly from SPOKE-1 to SPOKE-2. +Now routing tables are changed. LAN networks 192.168.12.0/24 and 192.168.11.0/24 available directly via SPOKES. + +.. 
code-block:: none + + vyos@SPOKE-2:~$ show ip route + Codes: K - kernel route, C - connected, L - local, S - static, + R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, t - Table-Direct, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + N>* 192.168.11.0/24 [10/0] via 10.100.100.11, tun100 onlink, weight 1, 00:00:14 + O 192.168.11.0/24 [110/3] via 10.100.100.1, tun100 onlink, weight 1, 00:00:54 + via 10.100.101.1, tun101 onlink, weight 1, 00:00:54 + + + SPOKE-1# show ip route next-hop-override + Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP + D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area + N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 + E1 - OSPF external type 1, E2 - OSPF external type 2 + i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 + ia - IS-IS inter area, * - candidate default, U - per-user static route + o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + a - application route + + - replicated route, % - next hop override, p - overrides from PfR + + Gateway of last resort is 10.0.11.1 to network 0.0.0.0 + + O % 192.168.12.0/24 [110/1002] via 10.100.101.1, 00:24:09, Tunnel101 + [110/1002] via 10.100.100.1, 00:25:46, Tunnel100 + [NHO][110/1] via 10.100.100.12, 00:00:03, Tunnel100 + +NHRP shows shortcuts on Spokes + +.. 
code-block:: none + + vyos@SPOKE-2:~$ show ip nhrp shortcut + Type Prefix Via Identity + dynamic 192.168.11.0/24 10.100.100.11 10.0.11.2 + + SPOKE-1# show ip nhrp shortcut + 10.100.100.12/32 via 10.100.100.12 + Tunnel100 created 00:09:59, expire 00:02:21 + Type: dynamic, Flags: router nhop rib nho + NBMA address: 10.0.12.2 + 192.168.12.0/24 via 10.100.100.12 + Tunnel100 created 00:02:38, expire 00:02:21 + Type: dynamic, Flags: router rib nho + NBMA address: 10.0.12.2 + +A new Spoke to Spoke IPSec tunnel is created + +.. code-block:: none + + SPOKE-1#show crypto isakmp sa + IPv4 Crypto ISAKMP SA + dst src state conn-id status + 10.0.0.2 10.0.11.2 QM_IDLE 1002 ACTIVE + 10.0.12.2 10.0.11.2 QM_IDLE 1004 ACTIVE + 10.0.1.2 10.0.11.2 QM_IDLE 1003 ACTIVE + + vyos@SPOKE-2:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ------------------------ + dmvpn-NHRPVPN-tun100-child up 7m26s 4K/4K 57/53 10.0.0.2 10.0.0.2 AES_CBC_256/HMAC_SHA1_96 + dmvpn-NHRPVPN-tun100-child up 11m48s 316B/1K 3/15 10.0.11.2 10.0.11.2 AES_CBC_256/HMAC_SHA1_96 + dmvpn-NHRPVPN-tun101-child up 5m58s 5K/4K 62/51 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96 + +Summary +======= + +If one of the Hubs loses connectivity to the Internet, the other Hub will be available and take the main role. +This is a simple example where only one internet connection is used. But in the real world, there can be two +connections to the Internet. In this case, there is a recommendation to build each tunnel via each Internet connection, +choose the main cloud, and manipulate traffic via a routing protocol. It allows the creation failover on link-level +connections too.
\ No newline at end of file diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 11dee806..36d3869b 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -19,6 +19,7 @@ This chapter contains various configuration examples: l3vpn-hub-and-spoke lac-lns inter-vrf-routing-vrf-lite + dmvpn-dualhub-dualcloud qos segment-routing-isis nmp diff --git a/docs/configuration/loadbalancing/haproxy.rst b/docs/configuration/loadbalancing/haproxy.rst index b29f9620..c7c25783 100644 --- a/docs/configuration/loadbalancing/haproxy.rst +++ b/docs/configuration/loadbalancing/haproxy.rst @@ -57,6 +57,16 @@ Service For an explanation on :ref:`syslog_facilities` and :ref:`syslog_severity_level` see tables in syslog configuration section. +.. cfgcmd:: set load-balancing haproxy service <name> http-compression algorithm + <gzip | deflate | identity | raw-deflate> + + Set the compression algorithm to be used when compressing HTTP responses. + +.. cfgcmd:: set load-balancing haproxy service <name> http-compression mime-type + <mime-type> + + Set the list of HTTP response MIME types which haproxy will attempt to + compress, if received uncompressed from backend server. Rules ^^^^^ diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 68854c16..fb0d5af9 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -585,7 +585,7 @@ rule, using ``connection-status`` matcher: set firewall ipv4 forward filter rule 10 action accept set firewall ipv4 forward filter rule 10 connection-status nat destination - set firewall ipv4 forward filter rule 10 state new enable + set firewall ipv4 forward filter rule 10 state new This would generate the following configuration: @@ -599,9 +599,7 @@ This would generate the following configuration: connection-status { nat destination } - state { - new enable - } + state new } } } 
diff --git a/docs/configuration/system/flow-accounting.rst b/docs/configuration/system/flow-accounting.rst index 801ddae6..a339df75 100644 --- a/docs/configuration/system/flow-accounting.rst +++ b/docs/configuration/system/flow-accounting.rst @@ -7,8 +7,8 @@ Flow Accounting VyOS supports flow-accounting for both IPv4 and IPv6 traffic. The system acts as a flow exporter, and you are free to use it with any compatible collector. -Flows can be exported via two different protocols: NetFlow (versions 5, 9 and -10/IPFIX) and sFlow. Additionally, you may save flows to an in-memory table +Flows can be exported via protocol NetFlow (versions 5, 9 and +10/IPFIX). Additionally, you may save flows to an in-memory table internally in a router. .. warning:: You need to disable the in-memory table in production environments! @@ -144,26 +144,6 @@ NetFlow If you want to change the maximum number of flows, which are tracking simultaneously, you may do this with this command (default 8192). -sFlow -^^^^^ - -.. cfgcmd:: set system flow-accounting sflow server <address> - - Configure address of sFlow collector. sFlow server at `<address>` can - be an IPv4 or IPv6 address. But you cannot export to both IPv4 and - IPv6 collectors at the same time! - -.. cfgcmd:: set system flow-accounting sflow sampling-rate <rate> - - Enable sampling of packets, which will be transmitted to sFlow collectors. - -.. cfgcmd:: set system flow-accounting sflow agent-address <address> - - Configure a sFlow agent address. It can be IPv4 or IPv6 address, but you - must set the same protocol, which is used for sFlow collector addresses. By - default, using router-id from BGP or OSPF protocol, or the primary IP - address from the first interface. - Example: -------- diff --git a/docs/configuration/system/sflow.rst b/docs/configuration/system/sflow.rst index 0c8bf03b..926d667b 100644 --- a/docs/configuration/system/sflow.rst +++ b/docs/configuration/system/sflow.rst 
@@ -44,6 +44,10 @@ Configuration Configure address of sFlow collector. sFlow server at <address> can be both listening on an IPv4 or IPv6 address. +.. cfgcmd:: set system sflow enable-egress + + Use this command to if you need to sample also egress traffic + Example ======= diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index 93b492ae..623cba78 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst 
@@ -14,72 +14,41 @@ Building using a :ref:`build_docker` container, although not the only way, is the easiest way as all dependencies are managed for you. However, you can also set up your own build machine and run a :ref:`build_native`. -.. note:: Starting with VyOS 1.2 the release model of VyOS has changed. VyOS - is now **free as in speech, but not as in beer**. This means that while - VyOS is still an open source project, the release ISOs are no longer free - and can only be obtained via subscription, or by contributing to the - community. +.. note:: Starting with VyOS 1.4, only source code and Debian package repositories + of the rolling release (the **current** branch) are publicly available. - The source code remains public and an ISO can be built using the process - outlined in this chapter. + The source code and pre-built Debian package repositories of LTS releases + are only available to subscription holders (customers and active community members + with contributors subscriptions). - The following includes the build process for VyOS 1.2 to the latest version. + The following includes the build process for VyOS rolling release. This will guide you through the process of building a VyOS ISO using Docker_. -This process has been tested on clean installs of Debian Jessie, Stretch, and -Buster. +This process has been tested on clean installs of Debian Bookworm. .. _build_native: Native Build ============ -To build VyOS natively you require a properly configured build host with the +To build VyOS natively you need a properly configured build host with the following Debian versions installed: -- Debian Jessie for VyOS 1.2 (crux) -- Debian Buster for VyOS 1.3 (equuleus) -- Debian Bookworm for VyOS 1.4 (sagitta) -- Debian Bookworm for the upcoming VyOS 1.5/circinus/current - (subject to change) - aka the rolling release +- Debian Bookworm To start, clone the repository to your local machine: .. 
code-block:: none - # For VyOS 1.2 (crux) - $ git clone -b crux --single-branch https://github.com/vyos/vyos-build - - # For VyOS 1.3 (equuleus) - $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build - - # For VyOS 1.4 (sagitta) - $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build - - # For VyOS 1.5 (circinus,current) - $ git clone -b current --single-branch https://github.com/vyos/vyos-build - - $ cd vyos-build - - # For VyOS 1.2 (crux) and VyOS 1.3 (equuleus) - $ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" - $ sudo make iso - - # For VyOS 1.4 (sagitta) $ sudo make clean - $ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" - - # For VyOS 1.5 (circinus,current) - $ sudo make clean - $ sudo ./build-vyos-image generic --architecture amd64 --build-by "j.randomhacker@vyos.io" + $ sudo ./build-vyos-image --architecture amd64 --build-by "j.randomhacker@vyos.io" generic For the packages required, you can refer to the ``docker/Dockerfile`` file in the repository_. The ``./build-vyos-image`` script will also warn you if any dependencies are missing. This will guide you through the process of building a VyOS ISO using Docker. -This process has been tested on clean installs of Debian Bullseye (11) and -Bookworm (12). +This process has been tested on clean installs of Bookworm (12). .. _build_docker: @@ -142,10 +111,7 @@ To manually download the container from DockerHub, run: .. code-block:: none - $ docker pull vyos/vyos-build:crux # For VyOS 1.2 - $ docker pull vyos/vyos-build:equuleus # For VyOS 1.3 - $ docker pull vyos/vyos-build:sagitta # For VyOS 1.4 - $ docker pull vyos/vyos-build:current # For VyOS 1.5 rolling release + $ docker pull vyos/vyos-build:current # For VyOS rolling release Build from source ^^^^^^^^^^^^^^^^^ 
@@ -154,20 +120,10 @@ The container can also be built directly from source: .. code-block:: none - # For VyOS 1.2 (crux) - $ git clone -b crux --single-branch https://github.com/vyos/vyos-build - # For VyOS 1.3 (equuleus) - $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build - # For VyOS 1.4 (sagitta) - $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build - # For VyOS 1.5 (circinus,current) $ git clone -b current --single-branch https://github.com/vyos/vyos-build $ cd vyos-build - $ docker build -t vyos/vyos-build:crux docker # For VyOS 1.2 - $ docker build -t vyos/vyos-build:equuleus docker # For VyOS 1.3 - $ docker build -t vyos/vyos-build:sagitta docker # For VyOS 1.4 - $ docker build -t vyos/vyos-build:current docker # For VyOS 1.5 rolling release + $ docker build -t vyos/vyos-build:current docker .. note:: VyOS has switched to Debian (12) Bookworm in its ``current`` branch, Due to software version updates, it is recommended to use the official @@ -177,7 +133,7 @@ Tips and Tricks --------------- You can create yourself some handy Bash aliases to always launch the latest - -per release train (`current` or `crux`) - container. Add the following to your +per release train (`current`) - container. Add the following to your ``.bash_aliases`` file: .. code-block:: none 
@@ -191,16 +147,7 @@ per release train (`current` or `crux`) - container. Add the following to your -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) \ vyos/vyos-build:current bash' - alias vybld_crux='docker pull vyos/vyos-build:crux && docker run --rm -it \ - -v "$(pwd)":/vyos \ - -v "$HOME/.gitconfig":/etc/gitconfig \ - -v "$HOME/.bash_aliases":/home/vyos_bld/.bash_aliases \ - -v "$HOME/.bashrc":/home/vyos_bld/.bashrc \ - -w /vyos --privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 \ - -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) \ - vyos/vyos-build:crux bash' - -Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn +Now you are prepared with a new aliase ``vybld`` to spawn your development containers in your current working directory. .. note:: Some VyOS packages (namely vyos-1x) come with build-time tests which @@ -220,20 +167,9 @@ Build ISO Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. -Please note as this will differ for both `current` and `crux`. .. code-block:: none - # For VyOS 1.2 (crux) - $ git clone -b crux --single-branch https://github.com/vyos/vyos-build - - # For VyOS 1.3 (equuleus) - $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build - - # For VyOS 1.4 (sagitta) - $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build - - # For VyOS 1.5 (circinus,current) $ git clone -b current --single-branch https://github.com/vyos/vyos-build 
@@ -243,57 +179,20 @@ Now a fresh build of the VyOS ISO can begin. Change directory to the .. code-block:: none $ cd vyos-build - # For VyOS 1.2 (crux) - $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:crux bash - - # For VyOS 1.3 (equuleus) - $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:equuleus bash - - # For VyOS 1.4 (sagitta) - $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:sagitta bash - - # For VyOS 1.5 (current) $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash .. code-block:: none - # For MacOS (crux, equuleus, sagitta) - $ git clone https://github.com/vyos/vyos-utils-misc - $ cd build-tools/macos-build - - # For VyOS 1.2 (crux) - $ os=jessie64 branch=crux make build - - # For VyOS 1.3 (equuleus) - $ os=buster64 branch=equuleus make build - - # For VyOS 1.4 (sagitta) - $ os=buster64 branch=sagitta make build - Start the build: .. code-block:: none - # For VyOS 1.2 (crux) and VyOS 1.3 (equuleus) - vyos_bld@8153428c7e1f:/vyos$ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" - vyos_bld@8153428c7e1f:/vyos$ sudo make iso - - # For VyOS 1.4 (sagitta) vyos_bld@8153428c7e1f:/vyos$ sudo make clean - vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" - - # For VyOS 1.5 (circinus,current) - vyos_bld@8153428c7e1f:/vyos$ sudo make clean - vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image generic --architecture amd64 --build-by "j.randomhacker@vyos.io" + vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image --architecture amd64 --build-by "j.randomhacker@vyos.io" generic When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``. -Good luck! - -.. hint:: Building VyOS on Windows WSL2 with Docker integrated into WSL2 will - work like a charm. No problems are known so far! - .. 
_build source: @@ -740,39 +639,6 @@ After compiling the packages you will find yourself the newly generated `*.deb` binaries in ``vyos-build/packages/linux-kernel`` from which you can copy them to the ``vyos-build/packages`` folder for inclusion during the ISO build. - -Mellanox OFED -^^^^^^^^^^^^^ - -The Mellanox OFED drivers do not come from a Git repository, instead we fetch the -tarball from Nvidia and compile the sources its contains against our kernel tree. - -Simply use our wrapper script to build all of the driver modules. - -.. code-block:: none - - ./build-mellanox-ofed.sh - ... - Below is the list of OFED packages that you have chosen - (some may have been added by the installer due to package dependencies): - - ofed-scripts - mlnx-tools - mlnx-ofed-kernel-utils - mlnx-ofed-kernel-modules - ... - Building packages - Building DEB for ofed-scripts-24.04.OFED.24.04.0.6.6 (ofed-scripts)... - Running /usr/bin/dpkg-buildpackage -us -uc - Installing ofed-scripts-24.04.OFED.24.04.0.6.6... - Running /usr/bin/dpkg -i --force-confmiss '/vyos/packages/linux-kernel/MLNX_OFED_SRC-debian-24.04-0.6.6.0/DEBS/debian12.1/x86_64/ofed-scripts_24.04.OFED.24.04.0.6.6-1_amd64.deb' - Building DEB for mlnx-tools-24.04.0 (mlnx-tools)... - - -After compiling the packages you will find yourself the newly generated `*.deb` -binaries in ``vyos-build/packages/linux-kernel`` from which you can copy them -to the ``vyos-build/packages`` folder for inclusion during the ISO build. - Packages ======== @@ -816,29 +682,6 @@ during ISO build. .. start_vyoslinter - - -Virtualization Platforms -======================== - -QEMU ----- - -Run the following command after building the ISO image. - -.. code-block:: none - - $ make qemu - -VMware ------- - -Run the following command after building the QEMU image. - -.. code-block:: none - - $ make vmware - .. _build_packages: ******** diff --git a/docs/contributing/development.rst b/docs/contributing/development.rst index c5df8b12..50e22c44 100644 
--- a/docs/contributing/development.rst +++ b/docs/contributing/development.rst @@ -119,20 +119,11 @@ repositories found in the VyOS GitHub organisation at https://github.com/vyos Determinine source package -------------------------- -Suppose you want to make a change in the webproxy script but yet you do not know -which of the many VyOS packages ship this file. You can determine the VyOS +Suppose you want to make a change in a file but yet you do not know +which of the VyOS packages ship this file. You can determine the VyOS package name in question by using Debian's ``dpkg -S`` command of your running VyOS installation. -.. code-block:: none - - vyos@vyos:~ dpkg -S /opt/vyatta/sbin/vyatta-update-webproxy.pl - vyatta-webproxy: /opt/vyatta/sbin/vyatta-update-webproxy.pl - -This means the file in question (``/opt/vyatta/sbin/vyatta-update-webproxy.pl``) -is located in the ``vyatta-webproxy`` package which can be found here: -https://github.com/vyos/vyatta-webproxy - Fork Repository and submit Patch -------------------------------- @@ -171,7 +162,7 @@ record them in your created Git commit: * Submit the patch ``git push`` and create the GitHub pull-request. -Attach patch to Phabricator task +Attach patch to Phorge task -------------------------------- Follow the above steps on how to "Fork repository to submit a Patch". Instead @@ -192,9 +183,6 @@ us all. By having a consistent coding style it becomes very easy for new and also longtime contributors to navigate through the sources and all the implied logic of any one source file.. -Python 3 **shall** be used. How long can we keep Python 2 alive anyway? No -considerations for Python 2 compatibility **should** be taken at any time. - Formatting ---------- 
@@ -219,43 +207,6 @@ used for structured, multi-line formats such as those used by ISC DHCPd. The default template processor for VyOS code is Jinja2_. -Summary -------- - -When modifying the source code, remember these rules of the legacy elimination -campaign: - -* No new features in Perl -* No old style command definitions -* No code incompatible with Python3 - - -Python -====== - -The switch to the Python programming language for new code is not merely a -change of the language, but a chance to rethink and improve the programming -approach. - -Let's face it: VyOS is full of spaghetti code where logic for reading the VyOS -config, generating daemon configs, and restarting processes is all mixed up. - -Python (or any other language, for that matter) does not provide automatic -protection from bad design, so we need to also devise design guidelines and -follow them to keep the system extensible and maintainable. - -But we are here to assist you and want to guide you through how you can become -a good VyOS contributor. The rules we have are not there to punish you - the -rules are in place to help us all. What does it mean? By having a consistent -coding style it becomes very easy for new contributors and also longtime -contributors to navigate through the sources and all the implied logic of -the spaghetti code. - -Please use the following template as good starting point when developing new -modules or even rewrite a whole bunch of code in the new style XML/Python -interface. - - Configuration Script Structure and Behaviour -------------------------------------------- 
@@ -635,69 +586,6 @@ Examples: * Good: "Disable IPv6 forwarding" * Bad: "Disables IPv6 forwarding" -Migrating old CLI ------------------ - -.. list-table:: - :widths: 25 25 50 - :header-rows: 1 - - * - Old concept/syntax - - New syntax - - Notes - * - mynode/node.def - - <node name="mynode"> </node> - - Leaf nodes (nodes with values) use <leafNode> tag instead - * - mynode/node.tag , tag: - - <tagNode name="mynode> </node> - - - * - help: My node - - <properties> <help>My node</help> - - - * - val_help: <format>; some string - - <properties> <valueHelp> <format> format </format> <description> some - string </description> - - Do not add angle brackets around the format, they will be inserted - automatically - * - syntax:expression: pattern - - <properties> <constraint> <regex> ... - - <constraintErrorMessage> will be displayed on failure - * - syntax:expression: $VAR(@) in "foo", "bar", "baz" - - None - - Use regex - * - syntax:expression: exec ... - - <properties> <constraint> <validator> <name ="foo" argument="bar"> - - "${vyos_libexecdir}/validators/foo bar $VAR(@)" will be executed, - <constraintErrorMessage> will be displayed on failure - * - syntax:expression: (arithmetic expression) - - None - - External arithmetic validator may be added if there's demand, complex - validation is better left to commit-time scripts - * - priority: 999 - - <properties> <priority>999</priority> - - Please leave a comment explaining why the priority was chosen - (e.g. "after interfaces are configured") - * - multi: - - <properties> <multi/> - - Only applicable to leaf nodes - * - allowed: echo foo bar - - <properties> <completionHelp> <list> foo bar </list> - - - * - allowed: cli-shell-api listNodes vpn ipsec esp-group - - <properties> <completionHelp> <path> vpn ipsec esp-group </path> ... - - - * - allowed: /path/to/script - - <properties> <completionHelp> <script> /path/to/script </script> ... 
- - - * - default: - - None - - Move default values to scripts - * - commit:expression: - - None - - All commit time checks should be in the verify() function of the script - * - begin:/create:/delete: - - None - - All logic should be in the scripts C++ Backend Code ================ 
@@ -717,39 +605,6 @@ in the C/C++ code. - https://github.com/vyos/vyatta-cfg/blob/0f42786a0b3/src/commit/commit-algorithm.cpp#L1252 - -Continuous Integration -====================== - -VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our -`VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get -a brief overview of all required components shipped in a VyOS ISO. - -To build our modules we utilize a CI/CD Pipeline script. Each and every VyOS -component comes with it's own ``Jenkinsfile`` which is (more or less) a copy. -The Pipeline utilizes the Docker container from the :ref:`build_iso` section - -but instead of building it from source on every run, we rather always fetch a -fresh copy (if needed) from Dockerhub_. - -Each module is build on demand if a new commit on the branch in question is -found. After a successful run the resulting Debian Package(s) will be deployed -to our Debian repository which is used during build time. It is located here: -http://dev.packages.vyos.net/repositories/. - - -.. stop_vyoslinter - -.. _Jenkins: https://jenkins.io/ -.. _Dockerhub: https://hub.docker.com/u/vyos/ -.. _process: https://blog.vyos.io/vyos-development-digest-10 -.. _VyConf: https://github.com/vyos/vyconf/tree/master/data/schemata -.. _vyos-1x: https://github.com/vyos/vyos-1x/tree/current/schema -.. _Jinja2: https://jinja.palletsprojects.com/ -.. _`IPv4, IPv6 and DHCP(v6)`: https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/interface/address-ipv4-ipv6-dhcp.xml.i -.. _`IPv4, IPv6`: https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/interface/address-ipv4-ipv6.xml.i -.. _`VLAN (VIF)`: https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/interface/vif.xml.i -.. _`MAC address`: https://github.com/vyos/vyos-1x/blob/current/interface-definitions/include/interface/mac.xml.i - .. include:: /_include/common-references.txt .. start_vyoslinter 
diff --git a/docs/introducing/history.rst b/docs/introducing/history.rst index 40b99b02..a81674f2 100644 --- a/docs/introducing/history.rst +++ b/docs/introducing/history.rst @@ -12,7 +12,7 @@ called Vyatta. [*]_ 2006 onwards, it was a great free software alternative to Cisco IOS and Jupiter JUNOS. It came in two editions: Vyatta Core (previously Vyatta Community Edition) that was completely free software, and Vyatta Subscription Edition that had proprietary -features and was only available to paying customers. [*]_ +features and was only available to paying customers. Vyatta was acquired by Brocade Communication Systems in 2012. Shortly after, Brocade renamed Vyatta Subscription Edition to Brocade vRouter, @@ -30,7 +30,7 @@ the last Vyatta Core version (6.6R1) and VyOS Project came into being. `Sentrium SL <https://blog.vyos.io/sentrium-what-sentrium>`_ was established by VyOS maintainers in 2014 to fund VyOS development by selling support, consulting services and prebuilt long-term support -images. +images. The company was later reorganized under the VyOS brand. Brocade was acquired by Broadcom in 2016 and sold what remains of erstwhile Vyatta to AT&T in 2017, who in turn sold it to Ciena in 2021. @@ -85,7 +85,7 @@ configuration migration. Introduction of new Perl and shell code was proscribed and the rewriting of legacy Perl code in pure Python began with Crux. -As of 2022, Crux is still supported and maintained. +Crux reached end of support in 2023.. Equuleus (1.3) -------------- @@ -101,13 +101,12 @@ interfaces, support for GENEVE and MACSec interfaces, VRF, IS-IS routing, preliminary support for MPLS and LDP, and many other initialisms. -As of 2022, Equuleus is in the stable. +Equuleus reached end of support in 2025. Sagitta (1.4) ------------- -Sagitta (the Arrow) is the codename of the current development -branch, so there's no VyOS 1.4 yet. +Sagitta (the Arrow) was released in 2024 and is currently a supported LTS release. Circinus (1.5) -------------- 
@@ -131,6 +130,4 @@ any pre-built image for more precise information. .. [*] From the Sanskrit adjective "Vyātta" (व्यात्त), meaning opened. -.. [*] A business model comparable to that of Redis, rather than that - of VyOS today. .. [*] This is not unlike how Linus Torvalds owns the trademark "Linux". |
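Review bot: typo in the added line of hunk @@ -191,16 +147,7 @@: "a new aliase ``vybld``" should read "a new alias ``vybld``". Since only one alias remains, the sentence could also say "your development container" instead of "your development containers".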
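Review bot: hunk @@ -243,57 +179,20 @@ leaves an empty directive behind. Every line of the MacOS block is removed, but the ``.. code-block:: none`` line above it is unchanged context, so the file now has a code-block with no content directly before "Start the build:". Sphinx reports an error for a code-block directive without content. Remove that directive line together with its body.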
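Review bot: in docs/contributing/development.rst, hunk @@ -119,20 +119,11 @@, the paragraph still tells the reader to use Debian's ``dpkg -S`` but the only invocation and its output are deleted, so the section no longer shows how to read the result. If the webproxy path is outdated, replace it with a file from a current package rather than dropping the example. The rewritten sentence "in a file but yet you do not know" would also read better as "in a file but do not yet know".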
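Review bot: hunk @@ -717,39 +605,6 @@ of docs/contributing/development.rst deletes the link targets (``.. _Jinja2:``, ``.. _vyos-1x:``, ``.. _`VLAN (VIF)`:`` and the rest) along with the CI section, but unchanged context in hunk @@ -219,43 +207,6 @@ still references ``Jinja2_``. Confirm that every target still used in the file is defined in ``/_include/common-references.txt``, otherwise the build will report unknown target names. The same hunk drops ``.. stop_vyoslinter`` while the ``.. start_vyoslinter`` after the include stays, so the linter markers are no longer paired. Keep both or remove both.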
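Review bot: in docs/introducing/history.rst, hunk @@ -85,7 +85,7 @@, the added line "Crux reached end of support in 2023.." ends with a double period. Drop one. For consistency with the Equuleus and Sagitta lines added in the next hunk, each of which ends with a single period, the three status sentences should follow the same pattern.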