Overview
Welcome to the 2105 (May 2021) version of DANOS.
The DANOS 2105 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 1911 version of DPDK, and the 7.5.1 version of FRR.
show version
vyatta@vm-d2105-1:~$ show version Version: 2105 Description: DANOS (Inverness) 2105 (DANOS:Shipping:2105:20210611) Built on: Fri Jun 11 11:58:32 UTC 2021 |
Important changes
Reminder about the default username and password
The default LiveCD and ONIE image username and password change in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.
As part of the installation process, the user has to enter a username and password manually. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.
New Features
Enhanced Syslog
The Enhanced Syslog feature allows syslog to be configured using a rule-based approach, similar to firewall rules. This provides more flexibility such that more complex expressions can be used to select which messages to discard and select, to which files/hosts those messages are forwarded, as well as rate-limiting based support.
system syslog-enhanced system syslog-enhanced file <entry> system syslog-enhanced file <entry> archive files <value> system syslog-enhanced file <entry> archive size <value> system syslog-enhanced file <entry> filename <value> system syslog-enhanced host <entry> system syslog-enhanced host <entry> hostname <value> system syslog-enhanced host <entry> port <value> system syslog-enhanced host <entry> protocol tcp system syslog-enhanced host <entry> protocol udp system syslog-enhanced host <entry> source-interface <value> system syslog-enhanced host <entry> tls system syslog-enhanced host <entry> tls authentication mode x509/fingerprint system syslog-enhanced host <entry> tls authentication mode x509/name system syslog-enhanced host <entry> tls authentication peers <peer> system syslog-enhanced host <entry> tls authentication peers <peer> fingerprint <value> system syslog-enhanced host <entry> tls cipher-suite <cipher> system syslog-enhanced input journal rate-limit burst <value> system syslog-enhanced input journal rate-limit interval <value> system syslog-enhanced rule <rule-number> system syslog-enhanced rule <rule-number> description <value> system syslog-enhanced rule <rule-number> disable system syslog-enhanced rule <rule-number> match facility all system syslog-enhanced rule <rule-number> match facility auth system syslog-enhanced rule <rule-number> match facility authpriv system syslog-enhanced rule <rule-number> match facility cron system syslog-enhanced rule <rule-number> match facility daemon system syslog-enhanced rule <rule-number> match facility dataplane system syslog-enhanced rule <rule-number> match facility kern system syslog-enhanced rule <rule-number> match facility local0 system syslog-enhanced rule <rule-number> match facility local1 system syslog-enhanced rule <rule-number> match facility local2 system syslog-enhanced rule <rule-number> match facility local3 system syslog-enhanced rule <rule-number> match facility local4 system syslog-enhanced rule <rule-number> match facility local5 system syslog-enhanced rule <rule-number> match facility local6 system syslog-enhanced rule <rule-number> match facility local7 system syslog-enhanced rule <rule-number> match facility lpr system syslog-enhanced rule <rule-number> match facility mail system syslog-enhanced rule <rule-number> match facility mark system syslog-enhanced rule <rule-number> match facility news system syslog-enhanced rule <rule-number> match facility protocols system syslog-enhanced rule <rule-number> match facility security system syslog-enhanced rule <rule-number> match facility sensors system syslog-enhanced rule <rule-number> match facility syslog system syslog-enhanced rule <rule-number> match facility user system syslog-enhanced rule <rule-number> match facility uucp system syslog-enhanced rule <rule-number> match msg posix-match <regex> system syslog-enhanced rule <rule-number> match msg posix-match <regex> unless <value> system syslog-enhanced rule <rule-number> match severity at-least alert system syslog-enhanced rule <rule-number> match severity at-least crit system syslog-enhanced rule <rule-number> match severity at-least debug system syslog-enhanced rule <rule-number> match severity at-least emerg system syslog-enhanced rule <rule-number> match severity at-least err system syslog-enhanced rule <rule-number> match severity at-least info system syslog-enhanced rule <rule-number> match severity at-least notice system syslog-enhanced rule <rule-number> match severity at-least warning system syslog-enhanced rule <rule-number> match severity at-most alert system syslog-enhanced rule <rule-number> match severity at-most crit system syslog-enhanced rule <rule-number> match severity at-most debug system syslog-enhanced rule <rule-number> match severity at-most emerg system syslog-enhanced rule <rule-number> match severity at-most err system syslog-enhanced rule <rule-number> match severity at-most info system syslog-enhanced rule <rule-number> match severity at-most notice system syslog-enhanced rule <rule-number> match severity at-most warning system syslog-enhanced rule <rule-number> match severity equals alert system syslog-enhanced rule <rule-number> match severity equals crit system syslog-enhanced rule <rule-number> match severity equals debug system syslog-enhanced rule <rule-number> match severity equals emerg system syslog-enhanced rule <rule-number> match severity equals err system syslog-enhanced rule <rule-number> match severity equals info system syslog-enhanced rule <rule-number> match severity equals notice system syslog-enhanced rule <rule-number> match severity equals warning system syslog-enhanced rule <rule-number> match with-flag <value> system syslog-enhanced rule <rule-number> match without-flag <value> system syslog-enhanced rule <rule-number> otherwise clear-flag <value> system syslog-enhanced rule <rule-number> otherwise console system syslog-enhanced rule <rule-number> otherwise discard system syslog-enhanced rule <rule-number> otherwise file <value> system syslog-enhanced rule <rule-number> otherwise host <value> system syslog-enhanced rule <rule-number> otherwise set-facility all system syslog-enhanced rule <rule-number> otherwise set-facility auth system syslog-enhanced rule <rule-number> otherwise set-facility authpriv system syslog-enhanced rule <rule-number> otherwise set-facility cron system syslog-enhanced rule <rule-number> otherwise set-facility daemon system syslog-enhanced rule <rule-number> otherwise set-facility dataplane system syslog-enhanced rule <rule-number> otherwise set-facility kern system syslog-enhanced rule <rule-number> otherwise set-facility local0 system syslog-enhanced rule <rule-number> otherwise set-facility local1 system syslog-enhanced rule <rule-number> otherwise set-facility local2 system syslog-enhanced rule <rule-number> otherwise set-facility local3 system syslog-enhanced rule <rule-number> otherwise set-facility local4 system syslog-enhanced rule <rule-number> otherwise set-facility local5 system syslog-enhanced rule <rule-number> otherwise set-facility local6 system syslog-enhanced rule <rule-number> otherwise set-facility local7 system syslog-enhanced rule <rule-number> otherwise set-facility lpr system syslog-enhanced rule <rule-number> otherwise set-facility mail system syslog-enhanced rule <rule-number> otherwise set-facility mark system syslog-enhanced rule <rule-number> otherwise set-facility news system syslog-enhanced rule <rule-number> otherwise set-facility protocols system syslog-enhanced rule <rule-number> otherwise set-facility security system syslog-enhanced rule <rule-number> otherwise set-facility sensors system syslog-enhanced rule <rule-number> otherwise set-facility syslog system syslog-enhanced rule <rule-number> otherwise set-facility user system syslog-enhanced rule <rule-number> otherwise set-facility uucp system syslog-enhanced rule <rule-number> otherwise set-flag <value> system syslog-enhanced rule <rule-number> otherwise set-indicator <value> system syslog-enhanced rule <rule-number> otherwise set-severity alert system syslog-enhanced rule <rule-number> otherwise set-severity crit system syslog-enhanced rule <rule-number> otherwise set-severity debug system syslog-enhanced rule <rule-number> otherwise set-severity emerg system syslog-enhanced rule <rule-number> otherwise set-severity err system syslog-enhanced rule <rule-number> otherwise set-severity info system syslog-enhanced rule <rule-number> otherwise set-severity notice system syslog-enhanced rule <rule-number> otherwise set-severity warning system syslog-enhanced rule <rule-number> otherwise user <value> system syslog-enhanced rule <rule-number> rate-limit <flag> system syslog-enhanced rule <rule-number> rate-limit <flag> burst <value> system syslog-enhanced rule <rule-number> rate-limit <flag> interval <value> system syslog-enhanced rule <rule-number> rate-limit <flag> select-every-nth <value> system syslog-enhanced rule <rule-number> then clear-flag <value> system syslog-enhanced rule <rule-number> then console system syslog-enhanced rule <rule-number> then discard system syslog-enhanced rule <rule-number> then file <value> system syslog-enhanced rule <rule-number> then host <value> system syslog-enhanced rule <rule-number> then set-facility all system syslog-enhanced rule <rule-number> then set-facility auth system syslog-enhanced rule <rule-number> then set-facility authpriv system syslog-enhanced rule <rule-number> then set-facility cron system syslog-enhanced rule <rule-number> then set-facility daemon system syslog-enhanced rule <rule-number> then set-facility dataplane system syslog-enhanced rule <rule-number> then set-facility kern system syslog-enhanced rule <rule-number> then set-facility local0 system syslog-enhanced rule <rule-number> then set-facility local1 system syslog-enhanced rule <rule-number> then set-facility local2 system syslog-enhanced rule <rule-number> then set-facility local3 system syslog-enhanced rule <rule-number> then set-facility local4 system syslog-enhanced rule <rule-number> then set-facility local5 system syslog-enhanced rule <rule-number> then set-facility local6 system syslog-enhanced rule <rule-number> then set-facility local7 system syslog-enhanced rule <rule-number> then set-facility lpr system syslog-enhanced rule <rule-number> then set-facility mail system syslog-enhanced rule <rule-number> then set-facility mark system syslog-enhanced rule <rule-number> then set-facility news system syslog-enhanced rule <rule-number> then set-facility protocols system syslog-enhanced rule <rule-number> then set-facility security system syslog-enhanced rule <rule-number> then set-facility sensors system syslog-enhanced rule <rule-number> then set-facility syslog system syslog-enhanced rule <rule-number> then set-facility user system syslog-enhanced rule <rule-number> then set-facility uucp system syslog-enhanced rule <rule-number> then set-flag <value> system syslog-enhanced rule <rule-number> then set-indicator <value> system syslog-enhanced rule <rule-number> then set-severity alert system syslog-enhanced rule <rule-number> then set-severity crit system syslog-enhanced rule <rule-number> then set-severity debug system syslog-enhanced rule <rule-number> then set-severity emerg system syslog-enhanced rule <rule-number> then set-severity err system syslog-enhanced rule <rule-number> then set-severity info system syslog-enhanced rule <rule-number> then set-severity notice system syslog-enhanced rule <rule-number> then set-severity warning system syslog-enhanced rule <rule-number> then user <value> system syslog-enhanced tls system syslog-enhanced tls certificate-authority <CA> system syslog-enhanced tls certificate-authority <CA> file <value> system syslog-enhanced tls local-certificate certificate <value> system syslog-enhanced tls local-certificate key <value> system syslog-enhanced host <entry> routing-instance <value>
ARP Configuration support
This feature adds support to allow the ARP cache timeout (ARP timeout or ARP ageing timeout) and the ARP cache size to be configured.
system ip arp stale-time <value> system ip arp table-size 1024 system ip arp table-size 2048 system ip arp table-size 4096 system ip arp table-size 8192 system ip arp table-size 16384 system ip arp table-size 32768 system ip arp table-size 65536 system ip arp table-size 131072 system ipv6 neighbor table-size 131072
NETCONF support for adding copy-config to the candidate configuration
This feature adds the ability for a pre-generated configuration to be pushed to the router and have it applied to the candidate datastore via the NETCONF RPC.
Prohibit password reuse
This feature adds the ability to prohibit the use of old passwords for the same system account. It only affects local system accounts and not those such as GRUB passwords or TACACS+ accounts. It also enforces password expiry based on a configurable time, thereby forcing users to update their passwords after a given time.
Password history and expiration operate on a system-wide level i.e. this policy cannot be enforced on a per user basis.
system password requirements expiration maximum-days <value> system password requirements history forbid-previous <value>
New DPI applications and protocols
Upgrade to use nDPI 3.4, which will introduce support for: anydesk, blookbert, capwap, discord, doh_dot, iec60870, microsoft365, nats, s7comm, soap, teams, websocket, zabbix.
security application firewall name <ruleset-name> rule <rule-number> engine ndpi name anydesk security application firewall name <ruleset-name> rule <rule-number> engine ndpi name bloomberg security application firewall name <ruleset-name> rule <rule-number> engine ndpi name capwap security application firewall name <ruleset-name> rule <rule-number> engine ndpi name discord security application firewall name <ruleset-name> rule <rule-number> engine ndpi name doh_dot security application firewall name <ruleset-name> rule <rule-number> engine ndpi name iec60870 security application firewall name <ruleset-name> rule <rule-number> engine ndpi name microsoft365 security application firewall name <ruleset-name> rule <rule-number> engine ndpi name nats security application firewall name <ruleset-name> rule <rule-number> engine ndpi name s7comm security application firewall name <ruleset-name> rule <rule-number> engine ndpi name soap security application firewall name <ruleset-name> rule <rule-number> engine ndpi name teams security application firewall name <ruleset-name> rule <rule-number> engine ndpi name websocket security application firewall name <ruleset-name> rule <rule-number> engine ndpi name zabbix security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol anydesk security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol bloomberg security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol capwap security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol discord security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol doh_dot security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol iec60870 security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol microsoft365 security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol nats security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol s7comm security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol soap security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol teams security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol websocket security application firewall name <ruleset-name> rule <rule-number> engine ndpi protocol zabbix security application firewall name <ruleset-name> rule <rule-number> engine ndpi type connectivitycheck security application firewall name <ruleset-name> rule <rule-number> engine ndpi type iot_scada
DHCP enhancements for switch interfaces
interfaces switch <name> vif <tagnode> dhcp-options no-rfc3442 interfaces switch <name> vif <tagnode> dhcpv6-options parameters-only interfaces switch <name> vif <tagnode> dhcpv6-options prefix-delegation interfaces switch <name> vif <tagnode> dhcpv6-options temporary
ISIS enhancements
IS-IS routing protocol now supports topology and MPLS-TE configuration options, and IS-IS can be applied to a VIF interface.
interfaces dataplane <tagnode> isis topology ipv4-mgmt interfaces dataplane <tagnode> isis topology ipv4-multicast interfaces dataplane <tagnode> isis topology ipv4-unicast interfaces dataplane <tagnode> isis topology ipv6-dstsrc interfaces dataplane <tagnode> isis topology ipv6-mgmt interfaces dataplane <tagnode> isis topology ipv6-multicast interfaces dataplane <tagnode> isis topology ipv6-unicast interfaces loopback <tagnode> isis topology ipv4-mgmt interfaces loopback <tagnode> isis topology ipv4-multicast interfaces loopback <tagnode> isis topology ipv4-unicast interfaces loopback <tagnode> isis topology ipv6-dstsrc interfaces loopback <tagnode> isis topology ipv6-mgmt interfaces loopback <tagnode> isis topology ipv6-multicast interfaces loopback <tagnode> isis topology ipv6-unicast interfaces switch <name> vif <tagnode> ip isis instance <value> interfaces switch <name> vif <tagnode> ipv6 isis instance <value> interfaces switch <name> vif <tagnode> isis circuit-type level-1 interfaces switch <name> vif <tagnode> isis circuit-type level-1-2 interfaces switch <name> vif <tagnode> isis circuit-type level-2-only interfaces switch <name> vif <tagnode> isis hello-interval level-1 <value> interfaces switch <name> vif <tagnode> isis hello-interval level-2 <value> interfaces switch <name> vif <tagnode> isis metric level-1 <value> interfaces switch <name> vif <tagnode> isis metric level-2 <value> interfaces switch <name> vif <tagnode> isis network point-to-point interfaces switch <name> vif <tagnode> isis passive interfaces switch <name> vif <tagnode> isis password interfaces switch <name> vif <tagnode> isis password clear <value> interfaces switch <name> vif <tagnode> isis password md5 <value> interfaces switch <name> vif <tagnode> isis priority level-1 <value> interfaces switch <name> vif <tagnode> isis priority level-2 <value> interfaces switch <name> vif <tagnode> isis topology ipv4-mgmt interfaces switch <name> vif <tagnode> isis topology ipv4-multicast interfaces switch <name> vif <tagnode> isis topology ipv4-unicast interfaces switch <name> vif <tagnode> isis topology ipv6-dstsrc interfaces switch <name> vif <tagnode> isis topology ipv6-mgmt interfaces switch <name> vif <tagnode> isis topology ipv6-multicast interfaces switch <name> vif <tagnode> isis topology ipv6-unicast protocols isis <area-tag> mpls-te protocols isis <area-tag> mpls-te router-address <value> protocols isis <area-tag> topology ipv4-mgmt protocols isis <area-tag> topology ipv4-mgmt overload protocols isis <area-tag> topology ipv4-multicast protocols isis <area-tag> topology ipv4-multicast overload protocols isis <area-tag> topology ipv4-unicast protocols isis <area-tag> topology ipv4-unicast overload protocols isis <area-tag> topology ipv6-dstsrc protocols isis <area-tag> topology ipv6-dstsrc overload protocols isis <area-tag> topology ipv6-mgmt protocols isis <area-tag> topology ipv6-mgmt overload protocols isis <area-tag> topology ipv6-multicast protocols isis <area-tag> topology ipv6-multicast overload protocols isis <area-tag> topology ipv6-unicast protocols isis <area-tag> topology ipv6-unicast overload
Support for non-dataplane interfaces
Some interfaces do not (yet) have support in DPDK and will be owned by the kernel. They are likely to be used for the management of the system and not for the main packet forwarding functions. The ‘interfaces system’ configuration model provides a method of configuring such interfaces in a manner consistent with the rest of the system. All packet forwarding on such interfaces will occur in the kernel. The configuration available on these interfaces is a significantly smaller subset of the configuration available on interfaces owned by the dataplane.
interfaces system <ifname> interfaces system <ifname> address dhcp interfaces system <ifname> address dhcpv6 interfaces system <ifname> description <value> interfaces system <ifname> disable interfaces system <ifname> disable-link-detect interfaces system <ifname> ip enable-proxy-arp interfaces system <ifname> ip gratuitous-arp reply drop interfaces system <ifname> ip gratuitous-arp reply update interfaces system <ifname> ip gratuitous-arp request drop interfaces system <ifname> ip gratuitous-arp request update interfaces system <ifname> ip gratuitous-arp-count <value> interfaces system <ifname> ip rpf-check disable interfaces system <ifname> ip rpf-check loose interfaces system <ifname> ip rpf-check strict interfaces system <ifname> ipv6 address interfaces system <ifname> ipv6 address autoconf interfaces system <ifname> ipv6 address eui64 <value> interfaces system <ifname> ipv6 address link-local <value> interfaces system <ifname> ipv6 disable interfaces system <ifname> ipv6 dup-addr-detect-transmits <value> interfaces system <ifname> log_martians interfaces system <ifname> mac <value> interfaces system <ifname> mtu <value> interfaces system <ifname> vif <tagnode> interfaces system <ifname> vif <tagnode> address dhcp interfaces system <ifname> vif <tagnode> address dhcpv6 interfaces system <ifname> vif <tagnode> description <value> interfaces system <ifname> vif <tagnode> disable interfaces system <ifname> vif <tagnode> inner-vlan <value> interfaces system <ifname> vif <tagnode> ip enable-proxy-arp interfaces system <ifname> vif <tagnode> ip gratuitous-arp reply drop interfaces system <ifname> vif <tagnode> ip gratuitous-arp reply update interfaces system <ifname> vif <tagnode> ip gratuitous-arp request drop interfaces system <ifname> vif <tagnode> ip gratuitous-arp request update interfaces system <ifname> vif <tagnode> ip rpf-check disable interfaces system <ifname> vif <tagnode> ip rpf-check loose interfaces system <ifname> vif <tagnode> ip rpf-check strict interfaces system <ifname> vif <tagnode> ipv6 address interfaces system <ifname> vif <tagnode> ipv6 address autoconf interfaces system <ifname> vif <tagnode> ipv6 address eui64 <value> interfaces system <ifname> vif <tagnode> ipv6 address link-local <value> interfaces system <ifname> vif <tagnode> ipv6 disable interfaces system <ifname> vif <tagnode> ipv6 dup-addr-detect-transmits <value> interfaces system <ifname> vif <tagnode> log_martians interfaces system <ifname> vif <tagnode> mtu <value> interfaces system <ifname> vif <tagnode> vlan <value>
Miscellaneous changes
protocols next-hop resolve-via-default disabled protocols next-hop resolve-via-default enabled routing routing-instance <instance-name> protocols next-hop resolve-via-default disabled routing routing-instance <instance-name> protocols next-hop resolve-via-default enabled service ssh client-alive-attempts <value> service ssh client-alive-interval <value> routing routing-instance <instance-name> service ssh client-alive-attempts <value> routing routing-instance <instance-name> service ssh client-alive-interval <value>
Obsolete features
None
Operational command changes
tech-support archive removed
To prevent DANOS users from accidentally uploading “tech-support” archives that have sensitive information, we have removed this feature.
generate tech-support archive generate tech-support archive <destination> generate tech-support archive <destination> authentication username <value> password <value> generate tech-support archive <destination> authentication username <value> password <value> file-password <value> generate tech-support archive <destination> password <value> generate tech-support archive option exclude-command-history generate tech-support archive password <value> show tech-support show tech-support brief show tech-support option exclude-command-history show tech-support save show tech-support save <destination> show tech-support save <destination> authentication username <value> password <value> show tech-support save <destination> authentication username <value> password <value> file-password <value> show tech-support save <destination> password <value> show tech-support save password <value> show tech-support save-uncompressed show tech-support save-uncompressed <destination> show tech-support save-uncompressed <destination> authentication username <value> password <value> show tech-support save-uncompressed <destination> authentication username <value> password <value> file-password <value> show tech-support save-uncompressed <destination> password <value> show tech-support save-uncompressed password <value>
Query dataplane pipeline to find out which features are enabled
If you are working with different pipeline nodes, it can be useful to check which pipeline nodes are actually enabled.
show dataplane feature show dataplane feature filter <value> show dataplane feature global show dataplane feature interface <value> show dataplane feature ip show dataplane feature ip6 show dataplane feature l2 show dataplane feature sparse show dataplane feature vrf <value>
Query the dataplane’s view of the MPLS routes
show platform dataplane mpls-route show platform dataplane mpls-route error show platform dataplane mpls-route no-resource show platform dataplane mpls-route no-support show platform dataplane mpls-route not-needed show platform dataplane mpls-route partial
Miscellaneous changes
add system image routing-instance <value> <image-url> username <value> password <value> show policy qos <interface-name> filter-classification show policy qos filter-classification show queuing <interface-name> filter-classification
Resolved Security Vulnerabilities
The following security issues are resolved in this release:
CVE-2020-10730, CVE-2020-27840, CVE-2021-20277: Debian DSA-4884-1 : ldb - security update
CVE-2020-35523, CVE-2020-35524: Debian DSA-4869-1 : tiff - security update
CVE-2015-9542: [DLA 2116-1] libpam-radius-auth security update
Licenses
MSTP/RSA
/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software. */