Vyatta Config Sync Howto and Overview


Here is a quick rundown of how to set up Vyatta config sync on VSE (Vyatta Subscription Edition).

Note: Vyatta subscription edition is required for this functionality.

Vyatta config sync allows you to select a subset of your router config, then set one of your routers as the master for that subset. In this example we'll be syncing our nat config section from vyatta-01 (master) to vyatta-02 (slave).

Preparing the slave system:

First, we need to enable the web server on the slave system as this is the transport used by config-sync.

vyatta@vyatta-02# configure
vyatta@vyatta-02# set service https listen-address <IP_OF_VYATTA-02>
vyatta@vyatta-02# commit

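Then, I recommend creating a user account dedicated to config-sync, since its password is also stored in the master's configuration (see the vyatta-01 dump below). Replace secret with a strong password of your own.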

vyatta@vyatta-02# configure
vyatta@vyatta-02# set system login user config-sync authentication plaintext-password secret
vyatta@vyatta-02# commit

Configuring Vyatta config sync on the master system:

Now we tell vyatta-01 about vyatta-02:

vyatta@vyatta-01# configure
vyatta@vyatta-01# set system config-sync remote-router <IP_OF_VYATTA-02>
vyatta@vyatta-01# set system config-sync remote-router <IP_OF_VYATTA-02> username config-sync
vyatta@vyatta-01# set system config-sync remote-router <IP_OF_VYATTA-02> password secret
vyatta@vyatta-01# commit

Then, we specify what to sync from vyatta-01 to vyatta-02:

vyatta@vyatta-01# configure
vyatta@vyatta-01# set system config-sync sync-map default rule 0 action include
vyatta@vyatta-01# set system config-sync sync-map default rule 0 location nat
vyatta@vyatta-01# commit

And finally we go back and assign the sync-map to the remote-router entry.

vyatta@vyatta-01# configure
vyatta@vyatta-01# set system config-sync remote-router <IP_OF_VYATTA-02> sync-map default
vyatta@vyatta-01# commit

That's it. You should see vyatta-01 attempt to sync to vyatta-02 upon subsequent commits, and anything under nat should appear on vyatta-02.

For quick reference, here's a config dump of the relevant sections:

Vyatta-01:

vyatta@vyatta-01# show system config-sync 
 remote-router <IP_OF_VYATTA-02> {
     password secret
     sync-map default
     username config-sync
 }
 sync-map default {
     rule 0 {
         action include
         location nat
     }
 }

Vyatta-02:

vyatta@vyatta-02# show service https
 listen-address <IP_OF_VYATTA-02>

vyatta@vyatta-02# show system login user config-sync
 authentication {
     encrypted-password $19aboeuo/20u230b+8239bulkj8271J.
     plaintext-password ""
 }
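
A dump like the vyatta-01 one above can be checked mechanically before you rely on it. The Python sketch below is an added example, not part of Vyatta or of the original post: it parses the brace-style show output and reports a remote-router that lacks credentials, syncs as an admin login, or points at a sync-map that is undefined or has no include rule. The function names, the sample address 192.0.2.2 and the admin login name vyatta (taken from the prompts above) are assumptions made for illustration.

```python
# Constructed sample: the vyatta-01 dump from this page; 192.0.2.2 stands in for <IP_OF_VYATTA-02>.
SAMPLE = """\
 remote-router 192.0.2.2 {
     password secret
     sync-map default
     username config-sync
 }
 sync-map default {
     rule 0 {
         action include
         location nat
     }
 }
"""

def parse_config(text):
    """Parse brace-style `show` output into nested dicts keyed by node name."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):            # "sync-map default {" opens a child node
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":                 # close the current node, never the root
            if len(stack) > 1:
                stack.pop()
        else:                             # leaf such as "location nat"
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return stack[0]

def lint_config_sync(cfg, admin_users=("vyatta",)):
    """Return a list of problems; admin_users is an assumption (the login in the prompts)."""
    findings = []
    maps = {k.split()[1]: v for k, v in cfg.items() if k.startswith("sync-map ")}
    for key, node in cfg.items():
        if not key.startswith("remote-router "):
            continue
        peer = key.split()[1]
        findings += [f"{peer}: missing {f}" for f in ("username", "password", "sync-map") if f not in node]
        if node.get("username") in admin_users:
            findings.append(f"{peer}: syncs as an admin login, use a dedicated account")
        name = node.get("sync-map")
        if name is not None and name not in maps:
            findings.append(f"{peer}: sync-map {name} is not defined")
        elif name is not None and not any(isinstance(r, dict) and r.get("action") == "include"
                                          and r.get("location") for r in maps[name].values()):
            findings.append(f"{peer}: sync-map {name} has no include rule with a location")
    return findings
```

Calling lint_config_sync(parse_config(SAMPLE)) returns an empty list for the configuration built in this howto; each string in a non-empty result names the remote router and the problem found.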