Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Show Page Sections

New features

New CLI commands associated with the new features can be found in the configuration section.

Extra small (XS) uCPE hardware switch integration

The Vyatta NOS has been extended to work on the new range of Flexware uCPE hardware being developed and provided by Silicom Ltd.

Support for the Extra Small (XS) uCPE is supported in this release, with support for the larger uCPE range coming in a later release when the hardware platforms are made available.

PlatformSummary Hardware Spec (CPU)MemorySwitch PortsSwitch device
Extra Small uCPE hardware platform CPU: Denverton 4 Core 8GB2x 2.5GE (int)/ 8x 1GE (ext-sw) / 2x10GE(ext) Marvell 88E6190X

This uCPE will provide support for existing vRouter/VNF platform functionality as well as hardware based L2 switching/forwarding. Specific features include:

Layer 2 Switching

  • Port configuration to support access mode /trunk mode
  • MAC Learning on ports
  • Support for primary /default /native VLANs
  • Add / Delete per VLAN, per interface MAC FDB entries
  • Ability to untag packets on egress (default is to maintain the tag, even for the Primary VLAN)
  • Ability to set Port speed and MTU

Port Isolation support

  • Disable/ Enable hardware switching
  • Punt all traffic to CPU for a port when hardware switching disabled (Punt path to CPU)

STP support

  • Punt Path to CPU when port state is blocked
  • Port state setting of the ports

Zero touch provisioning client support for Ciena phone home server

This release adds zero touch provisioning client support to the Ciena phone home server.

The Zero Touch Provisioning Client (ZTP) and Phone Home Client (PHC) were both extended to be compatible with the existing Ciena phone home server, and to work over a standard broadband or ISP link. The ZTP client was also extended to support cloud based bootstrap discovery. Support for remotely upgrading vRouter images was also added, either as part of the ZTP process or thereafter.

IPsec Remote access VPN client support for AT&T vVIG

This feature adds support for an IPsec remote access VPN client.

In order to interoperate with the AT&T vVIG platform, which forms part of the Flexware service, support for an IPsec remote access VPN client was added. This provides a generic IPsec remote access VPN client and supports:
  • IKEv2
  • IPsec ESP
  • Authentication: PSK + EAP-GTC
  • Tunnel failover per profile

The resulting IPsec tunnel can be terminated in a VRF. IPsec VRF support is limited to the tunnel (overlay), whereas the transport (underlay) needs to reside in the default VRF. Additionally IPsec support for all IP address family combinations have been added: IPv4-IPv4, IPv6-IPv6, IPv4overIPv6 and IPv6overIPv4.

All root CA certificates used for the EAP authentication in this scenario on the vRouter/uCPE platform must be provided by the end user. Intermediate CA certificates should be provided by the remote access server or the end user, and will be subject to validation by the IPsec remote access client, using either OCSP or certificate revocation lists. If the certificate revocation check cannot be performed, due to connectivity issues, the client authentication will continue (soft-failure). Only if the IPsec RA server certificate has actually been revoked, will the IPsec RA client authentication fail.

QoS: Eight Weighted Round Robin (WRR) queues per traffic-class

This feature adds the ability to have 8 WRR queues per traffic class, an increase from four in previous releases.

This enables the vRouter to emulate the Cisco model of guaranteed minimum rate bandwidth, whereby each class of service can be allocated its own WRR queue within a traffic-class and use different weightings on each WRR queue to divide the traffic-class's bandwidth between the different WRR queues. This provides the ability for the AT&T Flexware service to continue offering either four or six different levels of class of service (COS) to their customers.

QoS: Allow setting of IEEE 802.1Q PCP value in inner header when the outer header is marked

This feature gives the ability for an inner header to be marked the same as the outer header.

This provides the ability in a scenario where QoS marking is enabled on a VLAN, for an inner header to be marked the same as the outer header, such that when the outer header is stripped at the adjacent networking device, classification can still be performed on the packet, for example the Priority Code Point (PCP) value will still persist on the inner header.

QoS: Clear all counters

This feature provides the ability to clear all QoS counters, usually used as part of troubleshooting network issues.

QoS: Layer 2 negative overhead accounting

This feature enables the shaper and policer to rate limit traffic to a rate which does not include the Ethernet header, which is required in scenarios involving a TDM device on the AT&T Flexware service.

Packets sent from the vRouter/uCPE to a TDM device have their Ethernet header removed and are then sent on without one and with no shaping or policing being done by the TDM device. The vRouter/uCPE needs to shape the traffic to the TDM rates.

QoS: Added policer token bucket tuning

This feature allows the policer time interval (Tc) period for the token bucket algorithm to be configurable.

QoS: Increased WRED max-threshold capability

This feature enables the platform to accommodate higher bandwidths by increasing the WRED max-threshold from 1024 to 8191.

Software RAID support

This feature adds software RAID support.

This feature enables the ability to support multiple disks being configured in a Software RAID, providing support to stripe, mirror or parity the libvirt partition.
Note: RAID support requires a clean install of the system as the RAID and system partitions need to be newly created.

VRRP Path monitor tracking

This feature extends the existing VRRP tracking capabilities.

The user now has the ability to modify VRRP priorities or state based on the state of a path monitor monitor/policy pairs. The feature will behave in a similar manner to the existing VRRP interface tracking feature. The compliance state of the monitor/policy pair will determine if there is a change to the VRRP group.

Static route path monitor tracking

This feature adds the ability to associate static routes with one or more path monitor monitor/policy pairs.

The compliance state of each monitor with its paired policy determines whether the associated route is active in the FIB. This enables route manipulation of traffic without requiring the use of PBR policies.

OSPF Throttling enhancements

These include the ability to enable LSA throttling, LSA arrival throttling and SPF throttling.

MPLS Operations, Administration, and Maintenance (OAM) support

This feature adds support for MPLS OAM tools, including ping and traceroute functionality used to verify an MPLS LSP.

MPLS ping provides end-to-end connectivity verification and MPLS traceroute provides hop-by-hop fault isolation. MPLS OAM also provides fault detection in the dataplane, control plane validation, MTU fault detection and ECMP path verification. Both LDP and RSVP-TE LSPs can be verified by providing a suitable label stack.

System service enhancements

This feature adds a range of new system service support.

  • The ability to specify the interface used to obtain a source IP address for packets sent to the TACACS+ server
  • The ability to specify the interface used to obtain a source IP address for packets sent from the SSH client
    Note: The SSH source interface command should be run in Op Mode or, if run within the Config Mode, it needs to use the run <command> option, for example run ssh user@host.
  • The ability to specify the interface used to obtain a source IP address for NTP packets
  • Extension of ciphers used by the SSH server to include: 3des-cbc, blowfish-cbc, cast128-cbc, aes128-cbc, aes192-cbc, aes256-cbc
  • Limiting the total number of concurrent login sessions on the system.

MMC Flash support

This feature adds support for MultiMediaCard (MMC) flash drives into the system.


This feature provides the ability for NETCONF to be VRF aware.

Point-to-Point Protocol over Ethernet (PPPoE) support

This feature provides the ability for the forwarding dataplane to initiate PPP connections over an Ethernet network, thereby creating a tunnel endpoint on a particular dataplane instance.

Show tech-support enhancements

Changes have been made to the show tech support diagnostic tool.

  • show configuration commands output has been added
  • journalctl -a output has been added
  • The lsof -b +M -n -l output has been removed and instead added to generate tech-support archive.

IPsec Remote-access VPN client WAN failover

This feature provide the ability for IPsec remote-access clients to failover to an alternative WAN interface(s) if the currently used WAN interface is no longer usable to maintain a connection to the IPsec remote-access server.

QoS: Display WRED stats on a per config per queue basis

This allows troubleshooting on the WRED feature.

Query hardware status through SNMP

This feature provides the ability for a HW platform that has a set of sensors and controllers for fan speed and temperature to be reported over SNMP.

Add support for PoE management

This feature provides the necessary CLI to configure and manage PoE controllers on a system, PoE may also be known as 802.3af, 802.3at and 802.3bt.

Path monitor enhancements to support management tunnel failover

This feature adds path monitor enhancements.

This feature provides the ability for an IPSEC management tunnel to failover between different RA VPN servers which are located within distinct clouds, each of which is reachable through a different WAN. This is an augmentation to, not a replacement of, the existing server failover capability of the RA VPN client.

Allow the configuration of a boot-loader password

This feature allows boot-loader passwords to be configured.

This feature provides the ability to configure a boot-loader password and password to protect all entries except the default. In order to alter the default boot sequence you should be required to enter the boot-loader password if it is configured.

Make password and configuration recovery boot loader options optional

This features provide the ability to configure the boot loader to disallow access to the special password and configuration recovery mechanisms.

Generate an SNMP trap when syslog process dies

This is needed since audit logs are sent through syslog, there must be a redundant mechanism to know if a superuser kills syslog.

Local source control traffic classification

This feature provides the ability to configure a separate queue for high priority (CS6 and CS7) traffic that is locally generated, for example BFD and OSPF control packets.

Add MSTP to spanning tree protocol

The Multiple Spanning Tree Protocol (MSTP), as defined by IEEE 802.1s, provides for multiple spanning-tree instances.

Each instance runs the rapid spanning tree algorithm. The protocol allows for each spanning-tree instance to operate over a group of VLANs; essentially dividing the topology into a series of logical spanning-tree instances. Thus a spanning-tree port may be blocked in one logical instance (group of VLANs), but forwarding in another instance. This allows groups of VLANs to operate over separate redundant links; frames associated with different VLANs are forwarded through the associated logical spanning-tree instance.

Simplified cloud-init passing through ISO/CDROM

This feature provides the necessary framework and CLI for simplified cloud-init passing through ISO for the VNF platform.

OSPF enable link-state advertisement arrival throttling

The feature provides a way to configure the OSPF link-state advertisement arrival timer.

Add Local path option for zone-based firewall

This feature adds the functionality of the 5400 local zone to the 5600 zone-based firewall to allow filtering of traffic to and from the host.

Specify interface IP address for syslog messages

This feature allows the source interface IP address for syslog messages to be configured through the specification of an interface.

Create custom flow classification applications

This feature provides a way to define a set of L3/L4 packet criteria to classify flows into application types, these application types are evaluated first before making use of the general Deep Packet Inspection engine.

Whitebox status LEDs

This feature provides a way for the Vyatta software to control the status LEDs.

Access control over YANG RPCs, notifications and operational data

This feature extends the current Roll Based Access Control (RBAC) that supports filtering configuration and operational model commands to YANG RPCs, notifications and operational data.


This feature provides a way to support applying WRED to distinct DSCP groups with a queue, before this there was only one set of WRED parameters associated with a queue.

QoS: Add ability to configure queue-limit and random-detect thresholds configurable per VLAN

This feature allows each individual VLAN interface to have its own unique set of queue-limits and WRED configuration parameters.

Install image should execute installer from to be installed image

The feature provides a way to run the installer from the new image, rather than from the currently installed image.

This feature allows significant changes to be made in the implementation of the installer in future, where previously a fresh install is needed.