VyOS Configuration Fundamentals

How-To: VyOS

Karl William

Mar 24, 2025

Monday 24th March 2025

This parts begins where the earlier post about VyOS installation ends.

This post will cover the most fundamental features of VyOS router configuration:

How to add, delete, commit, save and verify configuration
How to configure some basic system settings
How to setup an OOBM interface for remote MGMT.

VyOS configuration in general

First off all, the 4 most foundational commands:

To enter configuration mode: configure
To exit configuration mode: exit
To commit pending changes: commit
To save the configuration to the startup configuration: save

Adding Configuration

For network engineers that are used with Cisco IOS, VyOS is totally different:

Cisco use a hierarchical configuration structure. For example when you configure a command under an IPv6 BGP neighbor:

router bgp 65002
 address-family ipv6 vrf NMS
  neighbor 2001:db8:1234:1::1 soft-reconfiguration inbound

Note: Indentation added for clarity.

VyOS in contrast, uses a flat configuration structure. To configure the above example, assuming system-as and BGP neighbor is already defined, you use this command:

set vrf name NMS protocols bgp neighbor 2001:464f:6f83:1::1 address-family ipv6-unicast soft-reconfiguration inbound

As you see the commands can get very long. However, VyOS supports tabbing so figuring out the commands, if you are already familiar with BGP, is not that hard to get used to.

vyos@LBS-RO1# set protocols bgp [tab]
Possible completions:
 > address-family   BGP address-family parameters
 > bmp              BGP Monitoring Protocol (BMP)
+> interface        Configure interface related parameters, e.g. MPLS
 > listen           Listen for and accept BGP dynamic neighbors from ra
+> neighbor         BGP neighbor
 > parameters       BGP parameters
+> peer-group       Name of peer-group
 > sid              SID value for VRF
 > srv6             Segment-Routing SRv6 configuration
   system-as        Autonomous System Number (ASN)
 > timers           BGP protocol timers

Note: If you still can’t figure out the commands needed, you can try the VyOS Configuration Guide.

Verify Configuration

To display the startup configuration in VyOS, you can use two commands:

show configuration gives you the configuration state in a json format:

vyos@LBS-RO1:~$ show configuration
interfaces {
    ethernet eth0 {
        address 2001:DB1:1234:A010::C/64
        address fe80::a:c/64
        description OOBM
        hw-id bc:24:db:08:83:3e
        offload {
            gro
            gso
            sg
            tso
        }
        vrf OOBM
    }
...

show configuration commands gives you a list of all configured commands:

vyos@LBS-RO1:~$ show configuration commands
set interfaces ethernet eth0 address '2001:DB8:1234:A010::C/64'
set interfaces ethernet eth0 address 'fe80::a:c/64'
set interfaces ethernet eth0 description 'OOBM'
set interfaces ethernet eth0 hw-id 'bc:24:db:08:83:3e'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 vrf 'OOBM'
....

FRR Configuration

VyOS is based on FRR. From shell you can enter the FRR daemon and verify the configuration from there as well:

vyos@LBS-RO1:~$ /bin/sh
sh-5.2$ vtysh
LBS-RO1# show running-config

Building configuration...

Current configuration:
!
frr version 10.2.1
frr defaults traditional
hostname LBS-RO1
nhrp nflog-group 1
nhrp multicast-nflog-group 2
service integrated-vtysh-config
!
vrf OOBM
 ipv6 route ::/0 fe80::a:1 eth0
exit-vrf
!
...

Note: I would not recommend making any changes from there. They will be overwritten after a configuration change or reboot.

Deleting configuration

To compare again with Cisco, you would negate the commands with pre-pending “no” in front of every command:

router bgp 65002
 address-family ipv6 vrf NMS
  no neighbor 2001:db8:1234:1::1 soft-reconfiguration inbound

VyOS is similar, but instead of “no”, you change “set” to “del” to negate commands:

del vrf name NMS protocols bgp neighbor 2001:464f:6f83:1::1 address-family ipv6-unicast soft-reconfiguration inbound

VyOS Basic Configuration

System Configuration

Source: https://docs.vyos.io/en/equuleus/configuration/system/index.html

Hostname and Domain Name

Change the hostname:

set system host-name LBS-RO1

Note: you may have to logout and login again before the name changes in the console.

Change the domain name:

set system domain-name nms.libertassolutions.io

Static IP to hostname mapping:

set system static-host-mapping host-name LBS-RO1 inet ::1
set system static-host-mapping host-name LBS-RO1 inet 127.0.0.1

System DNS server

configure system DNS. needed for patching:

set system name-server 2620:FE::FE

Timezone

To set the timezone:

set system time-zone Europe/Oslo

Note: The adjustment for daylight time will take place automatically based on the time of year.

Remove the console port

If you installed VyOS as a virtual machine, you probably don’t have a console port, unless you specified one in the VM setup. This causes the log to fill up with these messages:

Mar 04 23:42:18 systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Mar 04 23:42:18 systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Mar 04 23:42:28 systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Mar 04 23:42:28 systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 118560.

You can stop those messages by deleting the default console port:

del system console device ttyS0

Remember to commit and save.

OOBM Interface Configuration

My VyOS has two network adapters attached. One of the adapters is connected to an external OOBM network. This interface will be used for SSH management.

VRF OOBM Configuration

VyOS doc: https://docs.vyos.io/en/equuleus/configuration/vrf/index.html#configuration

Firstly, I need to create a VRF for this adapter. This will work similar to a dedicated MGMT port on for example a physical router.

Create VRF name and ID:

set vrf name OOBM table 1000

Optional: To configure services that has no specified VRF configured (only running in the default routing table) to be enabled on all VRFs:

set vrf bind-to-all

OOBM Interface Configuration

For an overview of available interfaces:

vyos@LBS-RO1:~$ show interfaces summary 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u  
eth1             -                                 u/u 
lo               127.0.0.1/8                       u/u  
                 ::1/128

eth0 = enp0s18 = vmbr0
eth1 = enp0s19 = vmbr1

Note: The interface ID’s depends in what order you created the network adapters on your VyOS VM, assuming you didn’t install it on a bare metal appliance.

To remember which interface is which, I added a description to both of them:

set interfaces ethernet eth0 description OOBM
set interfaces ethernet eth1 description OVS

Bind the VRF to the interface:

set interfaces ethernet eth0 vrf OOBM

Configure IP addresses:

set interfaces ethernet eth0 address '2001:DB8:1234:A010::C/64'
set interfaces ethernet eth0 address 'fe80::a:c/64'

Note: To view more ethernet interface configuration parameters:
https://docs.vyos.io/en/equuleus/configuration/interfaces/ethernet.html

Verification

Interface Status

Verify Interface status:

vyos@LBS-RO1:~$ show interfaces ethernet eth0 
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master OOBM state UP group default qlen 1000
    link/ether bc:24:db:08:83:3e brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    altname ens18
    inet6 2001:db8:1234:a010::c/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fedb:083e/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::a:c/64 scope link 
       valid_lft forever preferred_lft forever
    Description: OOBM

    RX:     bytes  packets  errors  dropped  overrun       mcast
         65994130   738178       0        0        0           0
    TX:     bytes  packets  errors  dropped  carrier  collisions
          1081533     7570       0        0        0           0

From the output above we can verify:

The VRF is set to OOBM
The configured IPv6 addresses
A description of the interface

Note: “altname enp0s18” is the adapter name seen in the Proxmox VM options.

Test connectivity

Ping from a VRF interface:

vyos@LBS-RO1:~$ ping 2001:db8:1234:a010::1 vrf OOBM
PING 2001:db8:1234:a010::1(2001:464f:6f83:a010::1) 56 data bytes
64 bytes from 2001:db8:1234:a010::1: icmp_seq=1 ttl=64 time=13.8 ms
64 bytes from 2001:db8:1234:a010::1: icmp_seq=2 ttl=64 time=2.00 ms
...

Ping from a VRF to a link local address on a specific interface:

vyos@LBS-RO1:~$ ping fe80::a:1%eth0 vrf OOBM
PING fe80::a:1%eth0(fe80::a:1%eth0) 56 data bytes
64 bytes from fe80::a:1%OOBM: icmp_seq=1 ttl=64 time=7.35 ms
64 bytes from fe80::a:1%OOBM: icmp_seq=2 ttl=64 time=2.05 ms

Enable SSH

VyOS doc: https://docs.vyos.io/en/equuleus/configuration/service/ssh.html

Enabling the SSH service is critical so I can start configure this router remotely, instead of using the Proxmox VE console.

Enable SSH service:

set service ssh port 22

Optional: Enable SSH for specific VRF:

set service ssh vrf OOBM

Optional: Configure which addresses should be listening:

set service ssh listen-address <address>

Now I am able to connect to my VyOS router through SSH.

Update VyOS image

Once in a while you may want to update your release to fix bugs. You can do that directly from the CLI by setting following commands:

set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json'

set system update-check auto-check

Then perform following command to start the update:

add system image latest

Open Source Is Fun

Discussion about this post