New features – Base Vyatta NOS
New CLI commands associated with the new features can be found in the configuration section.
This feature allows for more flexibility by configuring syslog using a rule-based approach.
The enhanced syslog feature allows syslog to be configured using a rule-based approach, similar to firewall rules. This provides more flexibility such that more complex expressions can be used to select which messages to discard and select, to which files/hosts those messages are forwarded, as well as rate-limiting based support.
IPsec throughput performance improvement
IPsec throughput performance has been extended such that it can now achieve a throughput of approximately 12 Gbps per core for 1420 Byte packets with the AES-128-GCM cipher.
ARP configuration support
This feature adds support to allow the ARP cache timeout (ARP timeout or ARP aging timeout) and the ARP cache size to be configured.
OSPF cost fallback support
This feature allows selection of an alternative path whilst maintaining OSPF adjacencies.
This feature adds the ability to set a (usually) higher cost to an OSPF bonding interface, in the event that the combined bandwidth falls below a set threshold. This allows selecting an alternative path whilst maintaining OSPF adjacencies. The original cost is retained once the bonding interface bandwidth breaches the threshold.
Ability to block outbound OSPFv2/v3 LSAs
This feature provides the ability to block outbound OSPFv2/v3 Link State Advertisements (LSAs).
LSAs are used to communicate the router's local routing topology to all other local routers in the same OSPF area. By default, on receipt of an LSA, OSPF floods the LSA out all other interfaces, except for the interface on which the LSA was received. In the presence of redundant (parallel) links this results in a neighbor receiving and processing the same LSA multiple times. This feature adds support for configuring the router such that OSPFv2 and OSPFv3 LSAs (as contained in Link State Update packets) are prevented from being sent to adjacent neighbors and not flooded out all of the interfaces. Clearly, preventing the flooding of LSAs will have an impact on the resulting reachability information. Thus the LSAs need to be propagated to the neighbors by some other means or there needs to be other mechanisms to counter the missing LSAs, for example static routes or parallel links. OSPF Hello and Database Description (DD) messages remain unaffected and are still sent and received, with adjacencies formed as normal.
NETCONF support for adding copy-config to candidate configuration
This feature adds the ability for a pre-generated configuration to be pushed to the router and have it applied to the candidate datastore via the NETCONF RPC.
Prohibit password reuse
This feature adds the ability to prohibit the use of old passwords for the same system account.
This feature only affects local system accounts and not those such as GRUB passwords or TACACS+ accounts. It also enforces password expiry based on a configurable time, thereby forcing users to update their passwords after a given time.
Password history and expiration operate on a system wide level i.e. this policy cannot be enforced on a per user basis.