Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Limitations, restrictions or behavior changes

Security improvements have been made in this release; however, some limitations still exist.

IPv6 is not supported on the 40G Fortville NIC.

VXLAN tunnels do not currently work with a multicast transport. That is, the command set interfaces vxlan xxx transport multicast-group does not work.

A vxlan-gpe tunnel cannot be added to a bridge-group due to an underlying kernel issue.

While the OS does support IKEv1, we strongly recommend using IKEv2 to avoid security vulnerabilities associated with IKEv1, such as reflector and amplifier DoS attacks.

VRRP in RFC compatibility mode does not work fully on VRFs. Without RFC compatibility mode, VRRP works with VRFs, and this should be used as the solution.

FRAGMENT ANY filter issue - When deploying the Qumran AX whitebox platform, do not use fragment any as part of an ip-packet-filter rule match condition. For example: set security ip-packet-filter group FW1 rule 10 match fragment any. This match condition prevents the rule from ever matching a packet.

To allow commit archive credentials to be kept secret, a new configuration has been added as an alternative to system config-management commit-archive location <url>, which is now being deprecated. Users are encouraged to use the new system config-management commit-archive archive <url> configuration and to transition existing configurations to it. The new configuration keeps archive password credentials secret from unauthorised users. Example of the deprecated configuration:
    system {
        config-management {
            commit-archive {
                location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
            }
        }
    }
Example of the new configuration:
    system {
        config-management {
            commit-archive {
                archive "scp://192.168.1.1/home/username/archive-location" {
                    password freds-password
                    username user-fred
                }
            }
        }
    }
For users that are not members of the secrets group, passwords will be obfuscated when listing the configuration, for example:
    system {
        config-management {
            commit-archive {
                archive "scp://192.168.1.1/home/username/archive-location" {
                    password "********"
                    username user-fred
                }
            }
        }
    }
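
One way to audit a saved configuration for the deprecated location form and produce the replacement archive stanza, as an added example (not code from the Vyatta NOS documentation or product). The function names and the second sample URL are constructed for illustration, and credentials are copied verbatim from the URL with no percent-decoding, which is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the deprecated stanza from this page, plus a URL with no credentials.
SAMPLE = '''system {
    config-management {
        commit-archive {
            location "scp://user-fred:freds-password@192.168.1.1/home/username/archive-location"
            location "scp://192.168.1.2/archive"
        }
    }
}'''


def deprecated_locations(config_text):
    """Collect location URLs that sit directly under a commit-archive block."""
    urls, depth, block_depth = [], 0, None
    for line in config_text.splitlines():
        s = line.strip()
        m = re.fullmatch(r'location\s+"?([^"\s]+)"?', s)
        if m and block_depth is not None and depth == block_depth + 1:
            urls.append(m.group(1))
        if s.endswith("{"):
            block_depth = depth if s.startswith("commit-archive") else block_depth
            depth += 1
        elif s == "}":
            depth -= 1
            block_depth = None if depth == block_depth else block_depth
    return urls


def split_credentials(url):
    """Move user:password@ out of the URL; values are taken verbatim (assumption)."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]  # keeps host, port and IPv6 brackets
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return {"archive": clean, "username": parts.username, "password": parts.password}


def render_archive(entry):
    """Render the replacement stanza in the layout this page uses for the new form."""
    lines = [f'archive "{entry["archive"]}" {{']
    for key in ("password", "username"):
        if entry[key]:
            lines.append(f"    {key} {entry[key]}")
    return "\n".join(lines + ["}"])


if __name__ == "__main__":
    print("\n".join(render_archive(split_credentials(u)) for u in deprecated_locations(SAMPLE)))
```

The rendered stanza contains the cleartext password, so treat the script's output with the same care as the configuration itself.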