Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Show Page Sections

Limitations and restrictions

Security improvements have been made in this release, however some limitations still exist.

Disable spanning tree processing on individual ports

Since this feature turns off spanning tree on a particular link, it is possible for bridge loops to form, resulting in broadcast storms,  a good understanding of the remote network is required before enabling this feature.

Multiple backplane support

The ability to configure the backplane that traffic uses is only available on Flexware uCPE platforms and the ability to configure the CPUs that the dataplane will use is only available on backplane interfaces.

Port monitor hardware support

This section details how additional load can effect port monitor sessions.

Backplane bandwidth and expected traffic patterns on the Flexware uCPE platform should be taken into account when port monitor sessions are configured.  For XS uCPE, the backplane bandwidth is 2.5 G, and all eight front panel ports are 1 G.  For S, M, and L uCPEs, the backplane interconnect is 10 G and the number of front panel ports ranges from 14 in S and M, to 40 in L, some of which support 10 G SFPs. 

If the destination port is a vhost interface, mirrored packets for hardware-switched traffic will be punted to the CPU, causing additional load on the backplane interface, and should be taken into account when configuring port monitor sessions on the uCPE.

64-bit wide QoS counters

This feature can only be used after at least one QoS policy has been associated with an interface, the existing show queuing commands will be deprecated in a future release and superseded by show policy qos.

Support marking Ethernet COS bits (0-7) on outgoing packets

This feature should improve future flexibility and possible support multiple mark-ups.

This feature only supports a single mark-map on the UfiSpace S9500-30XS hardware, however the QoS configuration commands will allow multiple mark-maps to be defined. This is to allow for future flexibility and the possibility of supporting multiple mark-maps.

This feature is a replacement for QoS's use of the NPF match <match-name> dscp <dscp-value> and and match <match-name> mark pcp <pcp-value> commands that can be used as packet classification rules by QoS.  The QoS class command and the NPF match commands will not be available on the SIAD platform, and the new commands introduced by this feature will only be available on the SIAD platform, so there is no possibility of these two sets of commands interfering with one another.

Shared storage and file access

This feature provides users with access to shared storage and files.

This feature works best with the user isolation feature, however shared storage may be configured on systems with user isolation disabled. Both of these configurations can open up sensitive information about the system and should be used sparingly. The writable shared directories should be cleaned up regularly.

Deprecation of TACACS+ local-user-name authorization argument

This feature allows TACACS+ to login as an already configured local user, however this capability will be removed in a future release.

The local-user-name authorization argument allows TACACS+ to login as an already configured local user. Alternatively, Vyatta also supports on-the-fly creation of a local user during the login process for TACACS+ users. This is done when local-user-name is not present in the session authorization reply. Support for this feature will be removed in a future release at which time presence of the local-user-name argument in authorization replies will cause an authorization failure

REST API spawn commands

This section details the REST API spawn commands.

When executed via the REST API, the spawn operational mode command is not run in the calling user's isolated environment. Therefore, the default ACM operational mode ruleset in 1903 is updated to prevent operator and admin level users from executing spawn.

If you are migrating an ACM ruleset from an earlier release for use on 1903, we highly recommend configuring a similar rule. To aid this, the configuration commands representing the 1903 default rule are shown below for reference purposes:
  # set system acm operational-ruleset rule 9971 action deny
  # set system acm operational-ruleset rule 9971 command '/spawn/*'
  # set system acm operational-ruleset rule 9971 group vyattaop
  # set system acm operational-ruleset rule 9971 group vyattaadm
When TACACS+ command authorization is enabled, this ACM policy restriction is not applied to TACACS+ users. Therefore, we highly recommend updating TACACS+ servers to fail authorization for operator and admin level users in response to authorization requests with the following arguments:
  cmd=spawn
 protocol=op-mode
 service=vyatta-exec
Note: TACACS+ users will still be able to execute spawn via a shell. However, when executed in this manner, spawn is correctly constrained to the user's isolated environment.
Note: The long-term fix for this issue is being tracked by VRVDR-45807.