DANOS 2012 Release Notes
- Scott Leishman
- 1 Overview
- 2 show version
- 3 Important changes
- 4 New Features
- 4.1 Enhancements to RSTP and spanning tree
- 4.2 L3 ingress and egress stateless ACLs
- 4.3 BGP enhancements
- 4.4 IS-IS enhancements
- 4.4.1 IPv6 Support
- 4.4.2 Topologies
- 4.4.3 Switch VIF Support
- 4.4.4 Traffic Engineering
- 4.5 Stateful firewall override
- 4.6 User isolation in a restricted environment
- 4.7 Storage block device configuration
- 4.7.1 Scheduler
- 4.7.2 Periodic TRIM
- 4.8 TACACS+
- 4.8.1 Command Accounting Start Records
- 4.8.2 Debug Logs
- 4.8.3 Offline Timer
- 4.8.4 Disable Server
- 4.8.5 Global Server Parameters
- 5 Obsolete features
- 6 Operational command changes
- 7 Resolved Security Vulnerabilities
Overview
Welcome to the 2012 (December 2020) version of DANOS.
The DANOS 2012 release is based upon Debian 10, with the 5.4 version of the Linux Kernel, the 1911 version of DPDK, and the 7.4 version of FRR.
show version
user@danos2012:~$ show version
Version: 2012
Description: DANOS 2012 (DANOS:Shipping:2012:20210114)
Built on: Thu Jan 14 12:43:42 UTC 2021 |
Important changes
User Isolation
By default from DANOS 2012, users of "operator" and "admin" levels are logged into a restricted, isolated environment. This environment ensures these users may only interact with the underlying system via the DANOS operational and configuration infrastructure, by using separate IPC, network, mount, PID, and UTS namespaces.
For example, the "ip" utility is not installed in the restricted environment. Even if it were, the separate namespaces would prevent access to, or manipulation of, state of the underlying host system.
Users of the "superuser" level are not placed in an isolated environment. These users should observe no behaviour changes compared to earlier DANOS releases.
We strongly recommend keeping user isolation enabled to improve system security. However, it may be disabled via the configuration:
system login user-isolation disable |
BGP behaviour changes
RFC 8212
By default, DANOS 2012 will no longer advertise routes to, or import routes from, eBGP peers unless import and export policies are configured. This default behaviour change is inherited from FRR 7.4 and defined by RFC 8212.
The value "(Policy)" in the output of the BGP summary show command(s) indicates that route import and/or export has been blocked due to a missing policy. For example:
$ show protocols bgp all summary
IPv4 Unicast Summary:
BGP router identifier 192.168.252.179, local AS number 65000 vrf-id 0
BGP table version 3
RIB entries 5, using 960 bytes of memory
Peers 1, using 21 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt
10.10.2.2 4 65001 8 10 0 0 0 00:04:17 (Policy) (Policy)
Total number of neighbors 1 |
Import/export policies can be applied on a neighbor or peer-group basis under the corresponding address-family configuration:
[routing routing-instance <name>] protocols bgp <asn> <peer-group-or-neighbor> address-family <af> distribute-list (import|export) <text>
[routing routing-instance <name>] protocols bgp <asn> <peer-group-or-neighbor> address-family <af> filter-list (import|export) <text>
[routing routing-instance <name>] protocols bgp <asn> <peer-group-or-neighbor> address-family <af> prefix-list (import|export) <text> |
Alternatively, the RFC 8212 behaviour can be reverted (to that of previous DANOS/FRR releases) by setting "ebgp-requires-policy" to "disabled":
[routing routing-instance <instance-name>] protocols bgp <asn> parameters ebgp-requires-policy (enabled|disabled) |
Network Advertisement
By default, DANOS 2012 will no longer advertise routes which are not present in the RIB. This default behaviour change is inherited from FRR 7.4.
This behaviour can be reverted by setting "import-check" to "disabled":
[routing routing-instance <instance-name>] protocols bgp <asn> parameters network import-check (enabled|disabled) |
Reminder about the default username and password
The default LiveCD and ONIE image username and password change in the 2005 release from vyatta/vyatta to tmpuser/tmppswd.
As part of the installation process, the user has to enter a username and password manually. It is no longer possible to press "enter" and accept the default vyatta/vyatta option.
New Features
Enhancements to RSTP and spanning tree
The following configuration options have been added
interfaces bonding <tagnode> switch-group admin-edge
interfaces bonding <tagnode> switch-group auto-edge
interfaces bonding <tagnode> switch-group bpdu-filter
interfaces bonding <tagnode> switch-group bpdu-guard
interfaces bonding <tagnode> switch-group cost <value>
interfaces bonding <tagnode> switch-group cost auto
interfaces bonding <tagnode> switch-group network-port
interfaces bonding <tagnode> switch-group point-to-point auto
interfaces bonding <tagnode> switch-group point-to-point off
interfaces bonding <tagnode> switch-group point-to-point on
interfaces bonding <tagnode> switch-group priority <value>
interfaces bonding <tagnode> switch-group pvst-filter
interfaces bonding <tagnode> switch-group pvst-guard
interfaces bonding <tagnode> switch-group restrict-tcn
interfaces bonding <tagnode> switch-group root-block |
which do the following:
admin-edge Enable Spanning Tree admin edge mode
auto-edge Enable Spanning Tree automatic admin edge detection
bpdu-filter Enable the Spanning Tree BPDU filter capability
bpdu-guard Enable Spanning Tree BPDU guard
cost Spanning Tree port cost
network-port Enable Spanning Tree uni-directional link detection
point-to-point Set point-to-point operational status
priority Spanning Tree port priority (0 is highest priority)
pvst-filter Enable the Spanning Tree PVST filter capability
pvst-guard Enable the Spanning Tree PVST guard capability
restrict-tcn Restrict propagation of Spanning Tree topology change notifications
root-block Restrict ports ability to take Spanning Tree root role |
L3 ingress and egress stateless ACLs
L3 ingress and egress stateless ACLs operate at the start and end of the packet path. They are different from the current stateless firewall rules because:
The firewall is always stateful, even when only stateless rules exist.
The firewall always reassembles fragments, which entails maintaining state.
The firewall always attempts to match a packet against state entries, before it consults the ruleset.
Reassembly can be triggered by the presence of a firewall, NAT, or PBR.
By default, the presence of NAT state impacts firewall behaviour (firewall always attempts state lookup). This behaviour can be modified with the stateful firewall override functionality defined below.
The firewall can never block router originated packets (which is desired for these L3 ACLs).
The filter action is only to affect L3 packets which are L3 processed. i.e. an L3 packet which is L2 forwarded between links in a VLAN will not be affected by this feature.
The L3 ingress/egress counters can be cleared and accessed using the following command hierarchies. See below for the full set of options.
clear security ip-packet-filter statistics
show security ip-packet-filter statisticsSo why use L3 ingress/egress ACLs?
Ingress ACLs are processed very early in the packet path, so the performance of drop actions will be superior compared to stateless firewall rules.
Egress ACLs can block router originated traffic.
Ingress and Egress ACLs can be expressed in named groups, making the construction and documentation of complex rules simpler.
security ip-packet-filter group <group-name> counters
security ip-packet-filter group <group-name> counters count packets
security ip-packet-filter group <group-name> counters sharing per-interface
security ip-packet-filter group <group-name> counters type
security ip-packet-filter group <group-name> counters type auto-per-action
security ip-packet-filter group <group-name> counters type auto-per-action action accept
security ip-packet-filter group <group-name> counters type auto-per-action action drop
security ip-packet-filter group <group-name> counters type auto-per-rule
security ip-packet-filter group <group-name> description <value>
security ip-packet-filter group <group-name> ip-version ipv4
security ip-packet-filter group <group-name> ip-version ipv6
security ip-packet-filter group <group-name> rule <number> action accept
security ip-packet-filter group <group-name> rule <number> action drop
security ip-packet-filter group <group-name> rule <number> description <value>
security ip-packet-filter group <group-name> rule <number> disable
security ip-packet-filter group <group-name> rule <number> match destination ipv4 host <value>
security ip-packet-filter group <group-name> rule <number> match destination ipv4 prefix <value>
security ip-packet-filter group <group-name> rule <number> match destination ipv6 host <value>
security ip-packet-filter group <group-name> rule <number> match destination ipv6 prefix <value>
security ip-packet-filter group <group-name> rule <number> match destination port number <value>
security ip-packet-filter group <group-name> rule <number> match dscp name [ af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 ]
security ip-packet-filter group <group-name> rule <number> match dscp name [ cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | va ]
security ip-packet-filter group <group-name> rule <number> match dscp value <value>
security ip-packet-filter group <group-name> rule <number> match fragment any
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name TOS-network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-reply
security ip-packet-filter group <group-name> rule <number> match icmp name address-mask-request
security ip-packet-filter group <group-name> rule <number> match icmp name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmp name echo-request
security ip-packet-filter group <group-name> rule <number> match icmp name fragmentation-needed
security ip-packet-filter group <group-name> rule <number> match icmp name host-precedence-violation
security ip-packet-filter group <group-name> rule <number> match icmp name host-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name host-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name host-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name host-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name ip-header-bad
security ip-packet-filter group <group-name> rule <number> match icmp name network-prohibited
security ip-packet-filter group <group-name> rule <number> match icmp name network-redirect
security ip-packet-filter group <group-name> rule <number> match icmp name network-unknown
security ip-packet-filter group <group-name> rule <number> match icmp name network-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmp name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name precedence-cutoff
security ip-packet-filter group <group-name> rule <number> match icmp name protocol-unreachable
security ip-packet-filter group <group-name> rule <number> match icmp name redirect
security ip-packet-filter group <group-name> rule <number> match icmp name required-option-missing
security ip-packet-filter group <group-name> rule <number> match icmp name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmp name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmp name source-quench
security ip-packet-filter group <group-name> rule <number> match icmp name source-route-failed
security ip-packet-filter group <group-name> rule <number> match icmp name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-reply
security ip-packet-filter group <group-name> rule <number> match icmp name timestamp-request
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmp name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmp type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match icmpv6 class error
security ip-packet-filter group <group-name> rule <number> match icmpv6 class info
security ip-packet-filter group <group-name> rule <number> match icmpv6 name address-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name bad-header
security ip-packet-filter group <group-name> rule <number> match icmpv6 name communication-prohibited
security ip-packet-filter group <group-name> rule <number> match icmpv6 name destination-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-reply
security ip-packet-filter group <group-name> rule <number> match icmpv6 name echo-request
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name mobile-prefix-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-done
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-query
security ip-packet-filter group <group-name> rule <number> match icmpv6 name multicast-listener-report
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name neighbor-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name no-route
security ip-packet-filter group <group-name> rule <number> match icmpv6 name packet-too-big
security ip-packet-filter group <group-name> rule <number> match icmpv6 name parameter-problem
security ip-packet-filter group <group-name> rule <number> match icmpv6 name port-unreachable
security ip-packet-filter group <group-name> rule <number> match icmpv6 name redirect
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-advertisement
security ip-packet-filter group <group-name> rule <number> match icmpv6 name router-solicitation
security ip-packet-filter group <group-name> rule <number> match icmpv6 name time-exceeded
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-reassembly
security ip-packet-filter group <group-name> rule <number> match icmpv6 name ttl-zero-during-transit
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-header-type
security ip-packet-filter group <group-name> rule <number> match icmpv6 name unknown-option
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number>
security ip-packet-filter group <group-name> rule <number> match icmpv6 type <type-number> code <value>
security ip-packet-filter group <group-name> rule <number> match protocol base name [ dccp | esp | gre | icmp | igmp | ipv6-frag | ipv6-icmp | sctp | tcp | udp | updlite ]
security ip-packet-filter group <group-name> rule <number> match protocol base number <value>
security ip-packet-filter group <group-name> rule <number> match protocol final name [ dccp | esp | gre | icmp | igmp | ipv6-frag | ipv6-icmp | sctp | tcp | udp | updlite ]
security ip-packet-filter group <group-name> rule <number> match protocol final number <value>
security ip-packet-filter group <group-name> rule <number> match source ipv4 host <value>
security ip-packet-filter group <group-name> rule <number> match source ipv4 prefix <value>
security ip-packet-filter group <group-name> rule <number> match source ipv6 host <value>
security ip-packet-filter group <group-name> rule <number> match source ipv6 prefix <value>
security ip-packet-filter group <group-name> rule <number> match source port number <value>
security ip-packet-filter group <group-name> rule <number> match ttl equals <value>
security ip-packet-filter interface <interface-name>
security ip-packet-filter interface <interface-name> in <value>
security ip-packet-filter interface <interface-name> out <value> |
BGP enhancements
Some default BGP behaviours have changed in DANOS 2012 (inherited from FRR 7.4). These changes can be reversed by applying the configuration. Please see the "Important Changes" section at the top of the document for further details.
protocols bgp <tagnode> parameters ebgp-requires-policy disabled
protocols bgp <tagnode> parameters ebgp-requires-policy enabled
protocols bgp <tagnode> parameters network import-check disabled
protocols bgp <tagnode> parameters network import-check enabled
routing routing-instance <instance-name> protocols bgp <tagnode> parameters ebgp-requires-policy disabled
routing routing-instance <instance-name> protocols bgp <tagnode> parameters ebgp-requires-policy enabled
routing routing-instance <instance-name> protocols bgp <tagnode> parameters network import-check disabled
routing routing-instance <instance-name> protocols bgp <tagnode> parameters network import-check enabled |
IS-IS enhancements
Additional IS-IS functionality has been exposed in the DANOS configuration. Thanks to Niral Networks for their contributions here.
IPv6 Support
interfaces dataplane <tagnode> ipv6 isis instance <value>
interfaces dataplane <tagnode> vif <tagnode> ipv6 isis instance <value>
interfaces loopback <tagnode> ipv6 isis instance <value> |
Topologies
interfaces dataplane <tagnode> isis topology ipv4-mgmt
interfaces dataplane <tagnode> isis topology ipv4-multicast
interfaces dataplane <tagnode> isis topology ipv4-unicast
interfaces dataplane <tagnode> isis topology ipv6-dstsrc
interfaces dataplane <tagnode> isis topology ipv6-mgmt
interfaces dataplane <tagnode> isis topology ipv6-multicast
interfaces dataplane <tagnode> isis topology ipv6-unicast
interfaces loopback <tagnode> isis topology ipv4-mgmt
interfaces loopback <tagnode> isis topology ipv4-multicast
interfaces loopback <tagnode> isis topology ipv4-unicast
interfaces loopback <tagnode> isis topology ipv6-dstsrc
interfaces loopback <tagnode> isis topology ipv6-mgmt
interfaces loopback <tagnode> isis topology ipv6-multicast
interfaces loopback <tagnode> isis topology ipv6-unicast
protocols isis <area-tag> topology ipv4-mgmt
protocols isis <area-tag> topology ipv4-mgmt overload
protocols isis <area-tag> topology ipv4-multicast
protocols isis <area-tag> topology ipv4-multicast overload
protocols isis <area-tag> topology ipv4-unicast
protocols isis <area-tag> topology ipv4-unicast overload
protocols isis <area-tag> topology ipv6-dstsrc
protocols isis <area-tag> topology ipv6-dstsrc overload
protocols isis <area-tag> topology ipv6-mgmt
protocols isis <area-tag> topology ipv6-mgmt overload
protocols isis <area-tag> topology ipv6-multicast
protocols isis <area-tag> topology ipv6-multicast overload
protocols isis <area-tag> topology ipv6-unicast
protocols isis <area-tag> topology ipv6-unicast overload |
Switch VIF Support
interfaces switch <name> vif <tagnode> ip isis instance <value>
interfaces switch <name> vif <tagnode> ipv6 isis instance <value>
interfaces switch <name> vif <tagnode> isis circuit-type level-1
interfaces switch <name> vif <tagnode> isis circuit-type level-1-2
interfaces switch <name> vif <tagnode> isis circuit-type level-2-only
interfaces switch <name> vif <tagnode> isis hello-interval level-1 <value>
interfaces switch <name> vif <tagnode> isis hello-interval level-2 <value>
interfaces switch <name> vif <tagnode> isis metric level-1 <value>
interfaces switch <name> vif <tagnode> isis metric level-2 <value>
interfaces switch <name> vif <tagnode> isis network point-to-point
interfaces switch <name> vif <tagnode> isis passive
interfaces switch <name> vif <tagnode> isis password
interfaces switch <name> vif <tagnode> isis password clear <value>
interfaces switch <name> vif <tagnode> isis password md5 <value>
interfaces switch <name> vif <tagnode> isis priority level-1 <value>
interfaces switch <name> vif <tagnode> isis priority level-2 <value>
interfaces switch <name> vif <tagnode> isis topology ipv4-mgmt
interfaces switch <name> vif <tagnode> isis topology ipv4-multicast
interfaces switch <name> vif <tagnode> isis topology ipv4-unicast
interfaces switch <name> vif <tagnode> isis topology ipv6-dstsrc
interfaces switch <name> vif <tagnode> isis topology ipv6-mgmt
interfaces switch <name> vif <tagnode> isis topology ipv6-multicast
interfaces switch <name> vif <tagnode> isis topology ipv6-unicast |
Traffic Engineering
protocols isis <area-tag> mpls-te
protocols isis <area-tag> mpls-te router-address <value> |
Stateful firewall override
This feature allows SNAT/DNAT rules to be configured to not automatically install a pinhole for return traffic matching the NAT sessions. This means a user can have a firewall configuration that affects traffic matching a NAT session.
service nat destination explicit-firewall-pinhole
service nat destination rule <tagnode> firewall-pinhole
service nat source explicit-firewall-pinhole
service nat source rule <tagnode> firewall-pinhole |
User isolation in a restricted environment
Please see the "Important Changes" section at the top of this document for an overview of the user isolation functionality.
User isolation may be disabled using the below command.
system login user-isolation disable |
With user-isolation enabled the underlying system's directories aren't accessible to operator and admin-level users. This causes a problem for the admin-level users that may need to retain files across system reboots and upgrades.
The shared-storage configuration can define virtual storage mounted on directories accessible to the isolated operator and admin-level users. At the time of configuration, these directories must be empty. Users should log out from all of their login sessions for these configurations to take effect.
These shared directories are created as a virtual filesystem backed up by a file in the underlying file system. The filename is derived from the shared directory name.
system login user-isolation shared-storage <path>
system login user-isolation shared-storage <path> allow-exec
system login user-isolation shared-storage <path> size <value> |
Allow isolated users read-only access to directories via the "copy file" and "show file" operational mode commands.
system login user-isolation read-only-directory <value> |
Storage block device configuration
Scheduler
I/O schedulers attempt to improve throughput by reordering request access into a linear order based on the logical addresses of the data and trying to group these together. While this may increase overall throughput, it may lead to some I/O requests waiting for too long, causing latency issues. I/O schedulers attempt to balance the need for high throughput while sharing I/O requests amongst processes fairly.
Configuration is now provided to allow particular schedulers to be used for the block devices attached to the system.
system storage block-device <name> scheduler deadline
system storage block-device <name> scheduler none |
To view scheduler information for the block devices attached to the system, use the following new operational mode command:
show system storage block-device |
Periodic TRIM
fstrim is used on a mounted filesystem to discard (or "trim") blocks which are not in use by the filesystem. This is useful for solid-state drives (SSDs) and thinly-provisioned storage. By default, fstrim will discard all unused blocks in the filesystem.
The configuration is now provided to enable periodic trimming of the filesystem.
system storage block-device <name> discard-unused-blocks
system storage block-device <name> discard-unused-blocks repeat-interval daily
system storage block-device <name> discard-unused-blocks repeat-interval hourly
system storage block-device <name> discard-unused-blocks repeat-interval monthly
system storage block-device <name> discard-unused-blocks repeat-interval weekly
system storage block-device <name> discard-unused-blocks start-time <value> |
A TRIM operation can also be run on-demand, using the following new operational mode command:
clear block-device <block-device-name | all> unused-blocks |
TACACS+
Command Accounting Start Records
When enabled, a TACACS+ command accounting record is issued, with a start_time attribute, before a modelled NOS command being executed.
system tacplus-options accounting command-start-records |
In addition, command accounting stop records now also include the corresponding start_time attribute. This happens regardless of whether "command-start-records" has been enabled.
Debug Logs
TACACS+ debugging logs are no longer emitted by default in DANOS 2012. Use the below configuration to re-enable the logs.
system tacplus-options log debug |
Offline Timer
Use this command to define the minimum period during which the system will not perform any TACACS+ transactions following failure.
The offline period is triggered following a failure to connect to all TACACS+ servers. This can be due to either failed connection attempts, or because all configured servers have an active hold-down timer while attempting to connect to a server, or a combination.
When the running offline timer expires, the system will once again attempt to perform TACACS+ transactions. In most cases, the TACACS+ login provider will request a connection check immediately after the timer expires. If this succeeds the local fallback user login is once again locked (if TACACS+ login is enforced via the auth-chain configuration). Otherwise, a failure will cause the offline timer to be restarted, and the TACACS+ component will enter offline mode again.
system tacplus-options offline-timer <value> |
The global offline timer, and all per-server hold down timers, maybe reset with the below operational mode command:
reset system tacplus suppression-timers |
Disable Server
Use this command to prevent the use of a given TACACS+ server for any TACACS+ transaction.
A server which has been disabled will not appear in the output of the "show system tacplus status" operational mode command.
system login tacplus-server <tagnode> disable
routing routing-instance <instance-name> system login tacplus-server <tagnode> disable |
Global Server Parameters
Use this command to define the TCP port used for communications with all configured TACACS+ servers.
The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> port <port>" configuration.
system tacplus-options server port <value> |
Use this command to define the secret key used to obfuscate communications with all configured TACACS+ servers.
The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> secret <key>" configuration.
system tacplus-options server secret <value> |
Use this command to define the timeout to be used for communications with all configured TACACS+ servers.
The value configured here can be overridden on a per-server basis using the existing "system login tacplus-server <address> timeout <timeout>" configuration.
Long timeouts should generally not be used, to avoid sluggish system response for users.
If long timeouts are used, it is strongly recommended to use hold-down timers and/or the offline-timer.
system tacplus-options server timeout <value> |
Obsolete features
VRRP translation scripts
Support of custom VRRP transition scripts has been removed from this release. Transition scripts are a security issue and have been replaced with notify and DBus signals.
interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
interfaces bonding <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
interfaces bonding <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
interfaces dataplane <tagnode> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
interfaces dataplane <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value>
interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts
interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts backup <value>
interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts fault <value>
interfaces switch <name> vif <tagnode> vrrp vrrp-group <tagnode> run-transition-scripts master <value> |
Operational command changes
Dataplane sessions
These commands complement the existing show session table commands, and in the future may replace them.
It is now possible to clear sessions based on the source address/port, destination address/port, translation address/port, direction, interface, protocol and feature (alg, application, dnat, firewall, nat46, nat64, other, snat).
The show commands allow sorting of the output using the "ascending" and "descending" options. Filtering of the output can be done by source address/port, destination address/port, translation address/port, direction, interface, protocol and feature (alg, application, dnat, firewall, nat46, nat64, other, snat).
Note that CGNAT does not use "dataplane" sessions. The separate clear cgnat session and show cgnat session commands should be used.
clear dataplane session
clear dataplane session destination address <value>
clear dataplane session destination port <value>
clear dataplane session direction in
clear dataplane session direction out
clear dataplane session feature [ alg | application | dnat | firewall | nat46 | nat64 | other | snat ]
clear dataplane session id <value>
clear dataplane session interface <value>
clear dataplane session ip
clear dataplane session ip6
clear dataplane session protocol <value>
clear dataplane session source address <value>
clear dataplane session source port <value>
clear dataplane session translation address <value>
clear dataplane session translation port <value>
show dataplane session
show dataplane session ascending destination-address
show dataplane session ascending id
show dataplane session ascending source-address
show dataplane session ascending timeout
show dataplane session ascending translation-address
show dataplane session brief
show dataplane session count <value>
show dataplane session descending destination-address
show dataplane session descending id
show dataplane session descending source-address
show dataplane session descending timeout
show dataplane session descending translation-address
show dataplane session destination address <value>
show dataplane session destination port <value>
show dataplane session detail
show dataplane session direction in
show dataplane session direction out
show dataplane session feature [ alg | application | dnat | firewall | nat46 | nat64 | other | snat ]
show dataplane session id <value>
show dataplane session interface <value>
show dataplane session ip
show dataplane session ip6
show dataplane session protocol <value>
show dataplane session source address <value>
show dataplane session source port <value>
show dataplane session starting-with address <value>
show dataplane session starting-with id <value>
show dataplane session starting-with timeout <value>
show dataplane session summary
show dataplane session translation address <value>
show dataplane session translation port <value>
show dataplane session unordered |
L3 ingress and egress stateless ACLs
The following commands allow the viewing and clearing of the L3 ingress/egress stateless ACLs.
clear security ip-packet-filter statistics interface <if-name>
clear security ip-packet-filter statistics interface <if-name> direction [ in | out ]
clear security ip-packet-filter statistics interface <if-name> direction [ in | out ] group <group-name>
show security ip-packet-filter statistics action [ accept | drop | punt | reject ]
show security ip-packet-filter statistics direction [ in | out ]
show security ip-packet-filter statistics group <group-name>
show security ip-packet-filter statistics group <group-name> rule <rule-number>
show security ip-packet-filter statistics interface <if-name>
|
VRRP
The "group" keyword has been removed from the "show vrrp sync-group" command.
show vrrp sync-group group <value>
show vrrp sync-group <sync-group-name> |
Resolved Security Vulnerabilities
The following security issues are resolved in this release:
CVE-2020-27670, CVE-2020-27671, CVE-2020-27672, CVE-2020-27674, CVE-2020-28368: Debian DSA 4804-1: xen security update
CVE-2020-28196: Debian DSA-4795-1 : krb5 security update
CVE-2020-25709, CVE-2020-25710: Debian DSA-4792-1 : openldap security update
CVE-2020-25692: Debian DSA-4782-1 : openldap security update
CVE-2020-15180: Debian DSA-4776-1: mariadb-10.3 security update
CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604: Debian DSA-4769-1: xen security update
CVE-2019-3874, CVE-2019-19448, CVE-2019-19813, CVE-2019-19816, CVE-2020-10781, CVE-2020-12888, CVE-2020-14314, CVE-2020-14331, CVE-2020-14356, CVE-2020-14385, CVE-2020-14386, CVE-2020-14390, CVE-2020-16166, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25641, CVE-2020-26088: Debian DLA-2385-1: linux-4.19 LTS security update
CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1 : linux-5.4 new package