The DANOS 2009 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 19.11 version of DPDK, and the 7.3.1 version of FRR.

show version

Code Block
user@danos2009:~$ show version
Version:      2009
Description:  DANOS 2009 (DANOS:Shipping:2009:20200923)
Built on:     Mon Oct 12 10:47:04 UTC 2020
System type:  Intel 64bit
Boot via:     image
Hypervisor:   KVM
HW model:     Bochs
HW S/N:       Not Specified
HW UUID:      dba075fa-259e-499d-99b5-83cf71e8b767
Uptime:       13:39:04 up 2 min,  1 user,  load average: 1.64, 0.47, 0.16

Important changes

Reminder about the default username and password

The default LiveCD and ONIE image username and password changed in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.

As part of the installation process, the user has to manually enter a username and password. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.

New Features

Integration of ntop's nDPI engine into the match criteria for firewall rules

Full details about this feature can be found on the Deep Packet Inspection page.

Code Block
resources group application-group <group-name> description <value>

resources group application-group <group-name> engine ndpi name <name>
resources group application-group <group-name> engine ndpi protocol <protocol>
resources group application-group <group-name> engine ndpi type <type>

security application firewall name <ruleset-name>
security application firewall name <ruleset-name> description <value>
security application firewall name <ruleset-name> no-match-action accept
security application firewall name <ruleset-name> no-match-action drop
security application firewall name <ruleset-name> rule <rule-number>
security application firewall name <ruleset-name> rule <rule-number> action accept
security application firewall name <ruleset-name> rule <rule-number> action drop
security application firewall name <ruleset-name> rule <rule-number> description <value>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi
security application firewall name <ruleset-name> rule <rule-number> engine ndpi name <application-name>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol <application-protocol>
security application firewall name <ruleset-name> rule <rule-number> engine ndpi type <application-type>
security firewall name <ruleset-name> rule <tagnode> session application firewall <value>

show application engine ndpi name <value>
show application engine ndpi type <value>

User-defined applications

User-defined applications can be defined using L3 / L4 rules. These user-defined applications can then be integrated into "security application firewall" and "resources group application-group" configurations.

Code Block
service application rule <rule-number>
service application rule <rule-number> description <value>
service application rule <rule-number> destination address <value>
service application rule <rule-number> destination mac-address <value>
service application rule <rule-number> destination port <value>
service application rule <rule-number> disable
service application rule <rule-number> dscp [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
service application rule <rule-number> dscp [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
service application rule <rule-number> dscp-group <value>
service application rule <rule-number> ethertype <value>
service application rule <rule-number> icmp
service application rule <rule-number> icmp group <value>
service application rule <rule-number> icmp name [ TOS-host-redirect | TOS-host-unreachable | TOS-network-redirect | TOS-network-unreachable ]
service application rule <rule-number> icmp name [ address-mask-reply | address-mask-request | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmp name [ echo-reply | echo-request | fragmentation-needed | host-precedence-violation | host-prohibited ]
service application rule <rule-number> icmp name [ host-redirect | host-unknown | host-unreachable | ip-header-bad | network-prohibited ]
service application rule <rule-number> icmp name [ network-redirect | network-unknown | network-unreachable | parameter-problem ]
service application rule <rule-number> icmp name [ port-unreachable | precedence-cutoff | protocol-unreachable | redirect ]
service application rule <rule-number> icmp name [ required-option-missing | router-advertisement | router-solicitation | source-quench ]
service application rule <rule-number> icmp name [ source-route-failed | time-exceeded | timestamp-reply | timestamp-request ]
service application rule <rule-number> icmp name [ ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmp type <type-number>
service application rule <rule-number> icmp type <type-number> code <value>
service application rule <rule-number> icmpv6
service application rule <rule-number> icmpv6 group <value>
service application rule <rule-number> icmpv6 name [ address-unreachable | bad-header | communication-prohibited | destination-unreachable ]
service application rule <rule-number> icmpv6 name [ echo-reply | echo-request | mobile-prefix-advertisement | mobile-prefix-solicitation ]
service application rule <rule-number> icmpv6 name [ multicast-listener-done | multicast-listener-query | multicast-listener-report ]
service application rule <rule-number> icmpv6 name [ neighbor-advertisement | neighbor-solicitation | no-route | packet-too-big ]
service application rule <rule-number> icmpv6 name [ parameter-problem | port-unreachable | redirect | router-advertisement ]
service application rule <rule-number> icmpv6 name [ router-solicitation | time-exceeded | ttl-zero-during-reassembly | ttl-zero-during-transit ]
service application rule <rule-number> icmpv6 name [ unknown-header-type | unknown-option ]
service application rule <rule-number> icmpv6 type <type-number>
service application rule <rule-number> icmpv6 type <type-number> code <value>
service application rule <rule-number> ipv6-route
service application rule <rule-number> ipv6-route type <value>
service application rule <rule-number> log
service application rule <rule-number> pcp <value>
service application rule <rule-number> protocol <value>
service application rule <rule-number> protocol-group <value>
service application rule <rule-number> source address <value>
service application rule <rule-number> source mac-address <value>
service application rule <rule-number> source port <value>
service application rule <rule-number> tcp
service application rule <rule-number> tcp flags <value>
service application rule <rule-number> then name <value>
service application rule <rule-number> then protocol <value>
service application rule <rule-number> then type <type-value>

security application firewall name <ruleset-name> rule <rule-number> group <application-group-name>
security application firewall name <ruleset-name> rule <rule-number> engine user
security application firewall name <ruleset-name> rule <rule-number> engine user name <value>
security application firewall name <ruleset-name> rule <rule-number> engine user protocol <value>
security application firewall name <ruleset-name> rule <rule-number> engine user type <value>

resources group application-group <group-name> engine user name <name>
resources group application-group <group-name> engine user protocol <protocol>
resources group application-group <group-name> engine user type <type>
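
As an added example that is not part of these release notes, the following configuration-mode session ties the two command trees above together: a user-defined L3/L4 application rule, an application group that holds it next to an nDPI-classified protocol, an application firewall that consumes the group, and the session hook from an ordinary security firewall rule. The rule numbers, names, address range and the nDPI protocol label are constructed for illustration; confirm the label with the show application engine ndpi commands before relying on it.

```text
# Added example, not from the DANOS release notes. Typed in DANOS configuration mode.
# corp-https, WEB-ALLOWED, APP-FW, LAN-OUT, 192.168.10.0/24 and the nDPI label
# "http" are constructed values.

# 1. User-defined application: TCP/443 towards the corporate web tier,
#    classified with name "corp-https", protocol "https" and type "web".
set service application rule 10 description 'Constructed example: HTTPS to corporate web tier'
set service application rule 10 protocol tcp
set service application rule 10 destination address 192.168.10.0/24
set service application rule 10 destination port 443
set service application rule 10 then name corp-https
set service application rule 10 then protocol https
set service application rule 10 then type web

# 2. Application group mixing an nDPI-classified protocol (assumed label) with
#    the user-defined application name from step 1.
set resources group application-group WEB-ALLOWED description 'Constructed example group'
set resources group application-group WEB-ALLOWED engine ndpi protocol http
set resources group application-group WEB-ALLOWED engine user name corp-https

# 3. Application firewall: accept the group, drop whatever matches no rule.
set security application firewall name APP-FW description 'Constructed example ruleset'
set security application firewall name APP-FW rule 10 action accept
set security application firewall name APP-FW rule 10 group WEB-ALLOWED
set security application firewall name APP-FW no-match-action drop

# 4. Sessions accepted by a normal L3/L4 firewall rule are handed to APP-FW
#    for application classification.
set security firewall name LAN-OUT rule 10 action accept
set security firewall name LAN-OUT rule 10 session application firewall APP-FW

commit
```

The application firewall is attached per security firewall rule, so only sessions that rule accepts are classified. Traffic inside those sessions that no application rule matches falls to no-match-action, which is set to drop here so that an unrecognised application is denied rather than silently permitted.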

Intermediate System to Intermediate System (IS-IS) routing protocol

Code Block
interfaces dataplane <tagnode> ip isis instance <value>
interfaces dataplane <tagnode> isis circuit-type level-1
interfaces dataplane <tagnode> isis circuit-type level-1-2
interfaces dataplane <tagnode> isis circuit-type level-2-only
interfaces dataplane <tagnode> isis hello-interval level-1 <value>
interfaces dataplane <tagnode> isis hello-interval level-2 <value>
interfaces dataplane <tagnode> isis metric level-1 <value>
interfaces dataplane <tagnode> isis metric level-2 <value>
interfaces dataplane <tagnode> isis network point-to-point
interfaces dataplane <tagnode> isis passive
interfaces dataplane <tagnode> isis password
interfaces dataplane <tagnode> isis password clear <value>
interfaces dataplane <tagnode> isis password md5 <value>
interfaces dataplane <tagnode> isis priority level-1 <value>
interfaces dataplane <tagnode> isis priority level-2 <value>
interfaces dataplane <tagnode> vif <tagnode> ip isis instance <value>

interfaces loopback <tagnode> ip isis instance <value>
interfaces loopback <tagnode> isis circuit-type level-1
interfaces loopback <tagnode> isis circuit-type level-1-2
interfaces loopback <tagnode> isis circuit-type level-2-only
interfaces loopback <tagnode> isis hello-interval level-1 <value>
interfaces loopback <tagnode> isis hello-interval level-2 <value>
interfaces loopback <tagnode> isis metric level-1 <value>
interfaces loopback <tagnode> isis metric level-2 <value>
interfaces loopback <tagnode> isis network point-to-point
interfaces loopback <tagnode> isis passive
interfaces loopback <tagnode> isis password
interfaces loopback <tagnode> isis password clear <value>
interfaces loopback <tagnode> isis password md5 <value>
interfaces loopback <tagnode> isis priority level-1 <value>
interfaces loopback <tagnode> isis priority level-2 <value>

protocols isis <area-tag>
protocols isis <area-tag> area-password clear <value>
protocols isis <area-tag> area-password md5 <value>
protocols isis <area-tag> default-information originate ipv4 <level>
protocols isis <area-tag> default-information originate ipv6 <level>
protocols isis <area-tag> domain-password clear <value>
protocols isis <area-tag> domain-password md5 <value>
protocols isis <area-tag> is-type level-1
protocols isis <area-tag> is-type level-1-2
protocols isis <area-tag> is-type level-2-only
protocols isis <area-tag> log-adjacency-changes
protocols isis <area-tag> lsp-gen-interval level-1 <value>
protocols isis <area-tag> lsp-gen-interval level-2 <value>
protocols isis <area-tag> lsp-mtu <value>
protocols isis <area-tag> lsp-refresh-interval level-1 <value>
protocols isis <area-tag> lsp-refresh-interval level-2 <value>
protocols isis <area-tag> max-lsp-lifetime level-1 <value>
protocols isis <area-tag> max-lsp-lifetime level-2 <value>
protocols isis <area-tag> metric-style narrow
protocols isis <area-tag> metric-style transition
protocols isis <area-tag> metric-style wide
protocols isis <area-tag> net <value>
protocols isis <area-tag> redistribute ipv4 bgp level-1
protocols isis <area-tag> redistribute ipv4 bgp level-2
protocols isis <area-tag> redistribute ipv4 connected level-1
protocols isis <area-tag> redistribute ipv4 connected level-2
protocols isis <area-tag> redistribute ipv4 kernel level-1
protocols isis <area-tag> redistribute ipv4 kernel level-2
protocols isis <area-tag> redistribute ipv4 ospf level-1
protocols isis <area-tag> redistribute ipv4 ospf level-2
protocols isis <area-tag> redistribute ipv4 rip level-1
protocols isis <area-tag> redistribute ipv4 rip level-2
protocols isis <area-tag> redistribute ipv4 static level-1
protocols isis <area-tag> redistribute ipv4 static level-2
protocols isis <area-tag> redistribute ipv6 bgp level-1
protocols isis <area-tag> redistribute ipv6 bgp level-2
protocols isis <area-tag> redistribute ipv6 connected level-1
protocols isis <area-tag> redistribute ipv6 connected level-2
protocols isis <area-tag> redistribute ipv6 kernel level-1
protocols isis <area-tag> redistribute ipv6 kernel level-2
protocols isis <area-tag> redistribute ipv6 ospf level-1
protocols isis <area-tag> redistribute ipv6 ospf level-2
protocols isis <area-tag> redistribute ipv6 rip level-1
protocols isis <area-tag> redistribute ipv6 rip level-2
protocols isis <area-tag> redistribute ipv6 static level-1
protocols isis <area-tag> redistribute ipv6 static level-2
protocols isis <area-tag> set-overload-bit
protocols isis <area-tag> spf-delay-ietf
protocols isis <area-tag> spf-delay-ietf holddown <value>
protocols isis <area-tag> spf-delay-ietf init-delay <value>
protocols isis <area-tag> spf-delay-ietf long-delay <value>
protocols isis <area-tag> spf-delay-ietf short-delay <value>
protocols isis <area-tag> spf-delay-ietf time-to-learn <value>
protocols isis <area-tag> spf-interval level-1 <value>
protocols isis <area-tag> spf-interval level-2 <value>
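
As an added example that is not part of these release notes, the following configuration-mode session brings up a level-2-only IS-IS instance on one dataplane interface plus a passive loopback, with MD5 authentication on both the circuit hellos and the level-2 link-state database. The area tag, NET, interface name, metric and the key placeholders are constructed; only command forms from the hierarchy above are used.

```text
# Added example, not from the DANOS release notes. Typed in DANOS configuration mode.
# CORE, the NET, dp0s4 and both key placeholders are constructed values.

# Level-2-only instance. The NET encodes area 49.0001 and system id 1921.6800.1001.
set protocols isis CORE net 49.0001.1921.6800.1001.00
set protocols isis CORE is-type level-2-only
set protocols isis CORE metric-style wide
set protocols isis CORE log-adjacency-changes

# Authenticate the level-2 LSPs and SNPs with an MD5 domain password.
# A level-1 area would use "area-password md5" instead.
set protocols isis CORE domain-password md5 'REPLACE-WITH-DOMAIN-KEY'

# One point-to-point dataplane circuit in the instance, with MD5-authenticated hellos
# so that an unauthenticated neighbour cannot form an adjacency on this link.
set interfaces dataplane dp0s4 ip isis instance CORE
set interfaces dataplane dp0s4 isis circuit-type level-2-only
set interfaces dataplane dp0s4 isis network point-to-point
set interfaces dataplane dp0s4 isis metric level-2 10
set interfaces dataplane dp0s4 isis password md5 'REPLACE-WITH-LINK-KEY'

# Advertise the loopback prefix without sending hellos on it.
set interfaces loopback lo ip isis instance CORE
set interfaces loopback lo isis passive

# Signal the overload bit while the router is being brought into service so that
# neighbours do not use it for transit; delete this node once the database is complete.
set protocols isis CORE set-overload-bit

commit
```

Use distinct keys for the circuit (isis password) and the domain (domain-password): the first protects adjacency formation on a single link, the second protects the link-state information flooded across the whole level-2 domain, so compromise of one link key does not expose the other.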

Operational commands are in this hierarchy:

Code Block
user@danos2009:~$ show protocols isis
Possible completions:
  database        Show ISIS Link state database
  hostname        Show IS-IS Dynamic hostname mapping
  interface       Show ISIS interface
  mpls-te         Show MPLS-TE specific commands
  neighbor        Show ISIS neighbor adjacencies
  spf-delay-ietf  Show SPF delay IETF information
  summary         Show summary
  topology        Show IS-IS paths to Intermediate Systems

user@danos2009:~$ monitor protocol isis
Possible completions:
  disable   Disable ISIS Monitor
  enable    Enable ISIS Monitor

user@danos2009:~$

Originate firewall

The "originate" firewall allows filtering of all router-originated traffic.

...