Refactor "code-block:: sh" to "code-block:: console"

This will add proper new-lines into the rendered PDF. Before if it has been a long line, not all content was preserved in the PDF.
2025-10-26 08:41:46 +01:00 · 2019-11-27 17:20:36 +01:00 · 2019-11-27 17:20:36 +01:00 · 6aa3cbb611
commit 6aa3cbb611
parent 76bbe2744d
83 changed files with 652 additions and 654 deletions
--- a/docs/appendix/commandtree/configmode.rst
+++ b/docs/appendix/commandtree/configmode.rst
@ -3,7 +3,7 @@
 Configuration mode
 ------------------
-.. code-block:: sh
+.. code-block:: console
  confirm           Confirm prior commit-confirm
  comment           Add comment to this configuration element
@ -39,21 +39,21 @@ The command cannot be used at the top of the configuration hierarchy, only on su
 To add a comment to a section, while being already at the proper section level:
-.. code-block:: sh
+.. code-block:: console
  [edit <section>]
  vyos@vyos# comment "Type Comment Here"
 To add a comment directly to a section, from the top or a higher section:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# comment <section> "Type Comment Here"
 To remove a comment, add a blank comment to overwrite:
-.. code-block:: sh
+.. code-block:: console
  [edit <section>]
  vyos@vyos# comment ""
@ -63,7 +63,7 @@ Examples
 To add a comment to the "interfaces" section:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# edit interfaces
@ -74,7 +74,7 @@ To add a comment to the "interfaces" section:
 The comment would then appear like this:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# show
@ -86,7 +86,7 @@ The comment would then appear like this:
 An important thing to note is that since the comment is added on top of the section, it will not appear if the ``show <section>`` command is used. With the above example, the ``show interfaces`` command would return starting after the "interfaces {" line, hiding the comment:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# show interfaces
@ -96,7 +96,7 @@ An important thing to note is that since the comment is added on top of the sect
 To add a comment to the interfaces section from the top:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# comment interfaces "test"
@ -104,7 +104,7 @@ To add a comment to the interfaces section from the top:
 The comment can be added to any node that already exists, even if it's multiple levels lower:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment"
@ -119,7 +119,7 @@ To discard the changes without committing, use the ``discard`` command. The ``co
 The confirm keyword can be added, see ``commit-confirm``. A comment can be entered, it will appear in the commit log.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# commit
@ -134,7 +134,7 @@ The ``commit-confirm`` command commits the proposed changes to the configuration
 If the ``confirm`` command is not entered before the timer expiration, the configuration will be rolled back and VyOS will reboot.
 The default timer value is 10 minutes, but a custom value can be entered.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# commit-confirm
@ -149,7 +149,7 @@ Compare
 VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# compare
@ -178,7 +178,7 @@ The ``copy`` command allows you to copy a configuration object.
 Copy the configuration entrys from a firewall name WAN rule 1 to rule 2.
-.. code-block:: sh
+.. code-block:: console
  [edit firewall name WAN]
  vyos@vyos# show
@ -212,7 +212,7 @@ The ``delte`` command is to delete a configuration entry.
 This Example delete the hole ``service tftp-server`` section.
-.. code-block:: sh
+.. code-block:: console
  delete service tftp-server
@ -221,7 +221,7 @@ Discard
 The ``discard`` command removes all pending configuration changes.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# discard
@ -235,7 +235,7 @@ The ``edit`` command allows you to navigate down into the configuration tree.
 To get back to an upper level, use the ``up`` command or use the ``top`` command to get back to the upper most level.
 The ``[edit]`` text displays where the user is located in the configuration tree.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# edit interfaces
@ -255,7 +255,7 @@ The ``exit`` command doesn't save the configuration, only the ``save`` command d
 Exiting from a configuration level:
-.. code-block:: sh
+.. code-block:: console
  [edit interfaces ethernet eth0]
  vyos@vyos# exit
@ -264,7 +264,7 @@ Exiting from a configuration level:
 Exiting from configuration mode:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# exit
@ -273,14 +273,14 @@ Exiting from configuration mode:
 Exiting from operational mode:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ exit
  logout
 Error message when trying to exit with uncommitted changes:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# exit
  Cannot exit: configuration modified.
@ -291,7 +291,7 @@ Error message when trying to exit with uncommitted changes:
 Warning message when exiting with unsaved changes:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# exit
@ -304,7 +304,7 @@ Load
 The ``load`` command load a configuration from a local or remote file. You have to be use ``commit`` to make the change active
-.. code-block:: sh
+.. code-block:: console
  <Enter>				Load from system config file
  <file>				Load from file on local machine
@ -316,7 +316,7 @@ The ``load`` command load a configuration from a local or remote file. You have
  tftp://<host>/<file>			Load from file on remote machine
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# load
@ -330,7 +330,7 @@ Loadkey
 Copies the content of a public key to the ~/.ssh/authorized_keys file.
-.. code-block:: sh
+.. code-block:: console
  loadkey <username> [tab]
@ -348,7 +348,7 @@ The ``merge`` command merge the config from a local or remote file with the runn
 In the example below exist a ``default-firewall.config`` file with some common firewall rules you saved earlier.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# show firewall
@ -392,7 +392,7 @@ The ``rename`` command allows you to rename or move a configuration object.
 See here how to move the configuration entrys from vlanid 3 to 2
-.. code-block:: sh
+.. code-block:: console
  [edit interfaces ethernet eth1]
  vyos@vyos# show
@ -427,7 +427,7 @@ Rollback
 You can ``rollback`` configuration using the rollback command, however this command will currently trigger a system reboot.
 Use the compare command to verify the configuration you want to rollback to.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# compare 1
  [edit system]
@ -447,7 +447,7 @@ Run
 The ``run`` command allows you to execute any operational mode commands without exiting the configuration session.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# run show interfaces
@ -462,7 +462,7 @@ Save
 The ``save`` command saves the current configuration to non-volatile storage. VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP.
-.. code-block:: sh
+.. code-block:: console
  <Enter>				Save to system config file
  <file>				Save to file on local machine
@ -476,7 +476,7 @@ Set
 The ``set`` command create all configuration entrys
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
@ -488,7 +488,7 @@ The ``show`` command in the configuration mode displays the configuration and sh
 Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# show
--- a/docs/appendix/commandtree/operationmode.rst
+++ b/docs/appendix/commandtree/operationmode.rst
@ -8,7 +8,7 @@ After this is the first view after the login.
 Please see :ref:`cli` for navigation in the CLI
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ [tab]
@ -44,7 +44,7 @@ Please see :ref:`cli` for navigation in the CLI
 Add
 ^^^
-.. code-block:: sh
+.. code-block:: console
 raid         Add a RAID set element
 system       Add an item to a system facility
@ -52,7 +52,7 @@ Add
 Clear
 ^^^^^
-.. code-block:: sh
+.. code-block:: console
  console            Clear screen
  firewall           Clear firewall statistics
@ -69,13 +69,13 @@ Clone
 The ``clone`` command allows you to clone a configuration from a system image to another one, or from the running config to another system image.
 To clone the running config to a system image:
-.. code-block:: sh
+.. code-block:: console
  clone system config <system-image> from running
 To clone from system image A to system image B:
-.. code-block:: sh
+.. code-block:: console
  clone system config <system-image-B> from <system-image-A>
@ -85,7 +85,7 @@ Configure
 The ``configure`` command allows you to enter configuration mode.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ configure
  [edit]
@ -97,7 +97,7 @@ Connect
 The ``connect`` command allows you to bring up a connection oriented interface, like a pppoe interface.
-.. code-block:: sh
+.. code-block:: console
  connect interface <interface>
@ -108,7 +108,7 @@ The ``copy`` command allows you to copy a file to your running config or over im
 It can look like this example:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$  copy file [tab]
  Possible completions:
@ -127,7 +127,7 @@ It can look like this example:
 To copy from file A to file B:
-.. code-block:: sh
+.. code-block:: console
  copy <file A> to <file B>
@ -135,7 +135,7 @@ To copy from file A to file B:
 Delete
 ^^^^^^
-.. code-block:: sh
+.. code-block:: console
  conntrack     Delete Conntrack entries
  file          Delete files in a particular image
@ -149,14 +149,14 @@ Disconnect
 The ``disconnect`` command allows you to take down a connection oriented interface, like a pppoe interface.
-.. code-block:: sh
+.. code-block:: console
  disconnect interface <interface>
 Force
 ^^^^^
-.. code-block:: sh
+.. code-block:: console
  arp           Send gratuitous ARP request or reply
  cluster       Force a cluster state transition
@ -167,14 +167,14 @@ Format
 The ``format`` command allows you to format a disk the same way as another one.
-.. code-block:: sh
+.. code-block:: console
  format disk <target> like <source>
 Generate
 ^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  openvpn       OpenVPN key generation tool
  ssh-server-key
@ -188,7 +188,7 @@ Install
 The ``install`` command allows you to install the system image on the disk.
-.. code-block:: sh
+.. code-block:: console
  install image
@ -198,7 +198,7 @@ Monitor
 ``monitor`` can be used to continually view what is happening on the router.
-.. code-block:: sh
+.. code-block:: console
  bandwidth     Monitor interface bandwidth in real time
  bandwidth-test
@ -232,7 +232,7 @@ Ping
 The ``ping`` command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received.
-.. code-block:: sh
+.. code-block:: console
  <hostname>    Send Internet Control Message Protocol (ICMP) echo request
  <x.x.x.x>
@ -244,7 +244,7 @@ Poweroff
 The ``poweroff`` command allows you to properly shut down the VyOS instance. Without any modifier, the command is executed immediately.
-.. code-block:: sh
+.. code-block:: console
  <Enter>       Execute the current command
  at            Poweroff at a specific time
@ -256,7 +256,7 @@ Reboot
 ^^^^^^
 The ``reboot`` command allows you to properly restart the VyOS instance. Without any modifier, the command is executed immediately.
-.. code-block:: sh
+.. code-block:: console
  <Enter>       Execute the current command
  at            Poweroff at a specific time
@ -269,7 +269,7 @@ Release
 The ``release`` command allows you to release a DHCP or DHCPv6 lease.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ release dhcp interface <int>
  vyos@vyos:~$ release dhcpv6 interface <int>
@ -280,7 +280,7 @@ Rename
 The ``rename`` command allows you to rename a system image.
-.. code-block:: sh
+.. code-block:: console
 rename system image <currentname> <newname>
@ -290,7 +290,7 @@ Renew
 The ``renew`` command allows you to renew a DHCP or DHCPv6 lease.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ renew dhcp interface <int>
  vyos@vyos:~$ renew dhcpv6 interface <int>
@ -298,7 +298,7 @@ The ``renew`` command allows you to renew a DHCP or DHCPv6 lease.
 Reset
 ^^^^^
-.. code-block:: sh
+.. code-block:: console
  conntrack     Reset all currently tracked connections
  conntrack-sync
@ -315,7 +315,7 @@ Reset
 Restart
 ^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  cluster       Restart cluster node
  conntrack-sync
@ -335,7 +335,7 @@ Restart
 Set
 ^^^
-.. code-block:: sh
+.. code-block:: console
  <OPTION>      Bash builtin set command
  console       Control console behaviors
@ -346,7 +346,7 @@ Set
 Show
 ^^^^
-.. code-block:: sh
+.. code-block:: console
  arp           Show Address Resolution Protocol (ARP) information
  bridge        Show bridging information
@ -410,7 +410,7 @@ In the past the ``telnet`` command allowed you to connect remotely to another de
 Telnet is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ telnet 192.168.1.3 443
  Trying 192.168.1.3...
@ -426,7 +426,7 @@ Traceroute
 The ``traceroute`` command allows you to trace the path taken to a particular device.
-.. code-block:: sh
+.. code-block:: console
  <hostname>    Track network path to specified node
  <x.x.x.x>
@ -438,7 +438,7 @@ The ``traceroute`` command allows you to trace the path taken to a particular de
 Update
 ^^^^^^
-.. code-block:: sh
+.. code-block:: console
  dns           Update DNS information
  webproxy      Update webproxy
--- a/docs/appendix/examples/azure-vpn-bgp.rst
+++ b/docs/appendix/examples/azure-vpn-bgp.rst
@ -52,7 +52,7 @@ Vyos configuration
 - Configure the IKE and ESP settings to match a subset
  of those supported by Azure:
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec esp-group AZURE compression 'disable'
  set vpn ipsec esp-group AZURE lifetime '3600'
@ -73,26 +73,26 @@ Vyos configuration
 - Enable IPsec on eth0
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec ipsec-interfaces interface 'eth0'
 - Configure a VTI with a dummy IP address
-.. code-block:: sh
+.. code-block:: console
  set interfaces vti vti1 address '10.10.1.5/32'
  set interfaces vti vti1 description 'Azure Tunnel'
 - Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
-.. code-block:: sh
+.. code-block:: console
  set firewall options interface vti1 adjust-mss 1350
 - Configure the VPN tunnel
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
@ -108,13 +108,13 @@ Vyos configuration
 - **Important**: Add an interface route to reach Azure's BGP listener
-.. code-block:: sh
+.. code-block:: console
  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
 - Configure your BGP settings
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
  set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
@ -123,6 +123,6 @@ Vyos configuration
 - **Important**: Disable connected check \
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
--- a/docs/appendix/examples/azure-vpn-dual-bgp.rst
+++ b/docs/appendix/examples/azure-vpn-dual-bgp.rst
@ -55,7 +55,7 @@ Vyos configuration
 - Configure the IKE and ESP settings to match a subset
  of those supported by Azure:
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec esp-group AZURE compression 'disable'
  set vpn ipsec esp-group AZURE lifetime '3600'
@ -76,13 +76,13 @@ Vyos configuration
 - Enable IPsec on eth0
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec ipsec-interfaces interface 'eth0'
 - Configure two VTIs with a dummy IP address each
-.. code-block:: sh
+.. code-block:: console
  set interfaces vti vti1 address '10.10.1.5/32'
  set interfaces vti vti1 description 'Azure Primary Tunnel'
@ -92,14 +92,14 @@ Vyos configuration
 - Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
-.. code-block:: sh
+.. code-block:: console
  set firewall options interface vti1 adjust-mss 1350
  set firewall options interface vti2 adjust-mss 1350
 - Configure the VPN tunnels
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
@ -127,14 +127,14 @@ Vyos configuration
 - **Important**: Add an interface route to reach both Azure's BGP listeners
-.. code-block:: sh
+.. code-block:: console
  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
  set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
 - Configure your BGP settings
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
  set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
@ -149,7 +149,7 @@ Vyos configuration
 - **Important**: Disable connected check, otherwise the routes learned
  from Azure will not be imported into the routing table.
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
  set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check
--- a/docs/appendix/examples/bgp-ipv6-unnumbered.rst
+++ b/docs/appendix/examples/bgp-ipv6-unnumbered.rst
@ -10,7 +10,7 @@ Configuration
 - Router A:
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 65020 address-family ipv4-unicast redistribute connected
  set protocols bgp 65020 address-family ipv6-unicast redistribute connected
@ -29,7 +29,7 @@ Configuration
 - Router B:
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 65021 address-family ipv4-unicast redistribute connected
  set protocols bgp 65021 address-family ipv6-unicast redistribute connected
@ -51,7 +51,7 @@ Results
 - Router A:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@ -64,7 +64,7 @@ Results
                   192.168.0.1/32
                   ::1/128
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ip route
  Codes: K - kernel route, C - connected, S - static, R - RIP,
@ -79,7 +79,7 @@ Results
  B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07
    *                       via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ ping 192.168.0.2
  PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
@ -93,7 +93,7 @@ Results
  5 packets transmitted, 5 received, 0% packet loss, time 4086ms
  rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ip bgp summary
@ -112,7 +112,7 @@ Results
 - Router B:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@ -125,7 +125,7 @@ Results
                   192.168.0.2/32
                   ::1/128
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ip route
  Codes: K - kernel route, C - connected, S - static, R - RIP,
@ -140,7 +140,7 @@ Results
    *                       via fe80::a00:27ff:fe93:e142, eth2, 00:06:18
  C>* 192.168.0.2/32 is directly connected, lo, 00:44:11
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ ping 192.168.0.1
  PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
@ -153,7 +153,7 @@ Results
  4 packets transmitted, 4 received, 0% packet loss, time 3051ms
  rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ip bgp summary
  IPv4 Unicast Summary:
--- a/docs/appendix/examples/dmvpn.rst
+++ b/docs/appendix/examples/dmvpn.rst
@ -9,7 +9,7 @@ General infomration can be found in the :ref:`vpn-dmvpn` chapter.
 Configuration
 ^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  set interfaces tunnel tun100 address '172.16.253.134/29'
  set interfaces tunnel tun100 encapsulation 'gre'
@ -54,7 +54,7 @@ Cisco IOS Spoke
 This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and
 VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).
-.. code-block:: sh
+.. code-block:: console
  Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)
  Technical Support: http://www.cisco.com/techsupport
@ -65,7 +65,7 @@ VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).
 Use this configuration on your Cisco device:
-.. code-block:: sh
+.. code-block:: console
  crypto pki token default removal timeout 0
  crypto keyring DMVPN
--- a/docs/appendix/examples/ha.rst
+++ b/docs/appendix/examples/ha.rst
@ -94,7 +94,7 @@ Bonding on Hardware Router
 Create a LACP bond on the hardware router. We are assuming that eth0 and eth1 are connected to port 8 on both switches, and that those ports are configured as a Port-Channel.
-.. code-block:: sh
+.. code-block:: console
   set interfaces bonding bond0 description 'Switch Port-Channel'
   set interfaces bonding bond0 hash-policy 'layer2'
@ -111,14 +111,14 @@ VLAN 100 and 201 will have floating IP addresses, but VLAN50 does not, as this i
 For the hardware router, replace ``eth0`` with ``bond0``. As (almost) every command is identical, this will not be specified unless different things need to be performed on different hosts.
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet eth0 vif 50 address '192.0.2.21/24'
 In this case, the hardware router has a different IP, so it would be
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet bond0 vif 50 address '192.0.2.22/24'
@ -128,7 +128,7 @@ Add (temporary) default route, and enable SSH
 It is assumed that the routers provided by upstream are capable of acting as a default router. Add that as a static route, and enable SSH so you can now SSH into the routers, rather than using the console.
-.. code-block:: sh
+.. code-block:: console
   set protocols static route 0.0.0.0/0 next-hop 192.0.2.11
   set service ssh
@ -158,7 +158,7 @@ This has a floating IP address of 10.200.201.1, using virtual router ID 201. The
 router1
 ~~~~~~~
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet eth0 vif 201 address 10.200.201.2/24
   set high-availability vrrp group int hello-source-address '10.200.201.2'
@ -173,7 +173,7 @@ router1
 router2
 ~~~~~~~
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet bond0 vif 201 address 10.200.201.3/24
   set high-availability vrrp group int hello-source-address '10.200.201.3'
@ -194,7 +194,7 @@ The virtual router ID is just a random number between 1 and 254, and can be set
 router1
 ~~~~~~~
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet eth0 vif 100 address 203.0.113.2/24
   set high-availability vrrp group public hello-source-address '203.0.113.2'
@ -209,7 +209,7 @@ router1
 router2
 ~~~~~~~
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet bond0 vif 100 address 203.0.113.3/24
   set high-availability vrrp group public hello-source-address '203.0.113.3'
@ -226,7 +226,7 @@ Create vrrp sync-group
 The sync group is used to replicate connection tracking. It needs to be assigned to a random VRRP group, and we are creating a sync group called ``sync`` using the vrrp group ``int``. 
-.. code-block:: sh
+.. code-block:: console
   set high-availability vrrp sync-group sync member 'int'
@ -236,7 +236,7 @@ Testing
 At this point, you should be able to see both IP addresses when you run ``show interfaces``\ , and ``show vrrp`` should show both interfaces in MASTER state (and SLAVE state on router2).
-.. code-block:: sh
+.. code-block:: console
   vyos@router1:~$ show vrrp
   Name      Interface      VRID  State    Last Transition
@ -254,7 +254,7 @@ NAT and conntrack-sync
 Masquerade Traffic originating from 10.200.201.0/24 that is heading out the public interface. 
 Note we explicitly exclude the primary upstream network so that BGP or OSPF traffic doesn't accidentally get NAT'ed.
-.. code-block:: sh
+.. code-block:: console
   set nat source rule 10 destination address '!192.0.2.0/24'
   set nat source rule 10 outbound-interface 'eth0.50'
@ -267,7 +267,7 @@ Configure conntrack-sync and disable helpers
 Most conntrack modules cause more problems than they're worth, especially in a complex network. Turn them off by default, and if you need to turn them on later, you can do so. 
-.. code-block:: sh
+.. code-block:: console
   set system conntrack modules ftp disable
   set system conntrack modules gre disable
@ -279,7 +279,7 @@ Most conntrack modules cause more problems than they're worth, especially in a c
 Now enable replication between nodes. Replace eth0.201 with bond0.201 on the hardware router.
-.. code-block:: sh
+.. code-block:: console
   set service conntrack-sync accept-protocol 'tcp,udp,icmp'
   set service conntrack-sync event-listen-queue-size '8'
@ -315,7 +315,7 @@ router1
 Replace the 99.99.99.99 with whatever the other router's IP address is.
-.. code-block:: sh
+.. code-block:: console
   set interfaces wireguard wg01 address '10.254.60.1/30'
   set interfaces wireguard wg01 description 'router1-to-offsite1'
@ -339,7 +339,7 @@ offsite1
 This is connecting back to the STATIC IP of router1, not the floating.
-.. code-block:: sh
+.. code-block:: console
   set interfaces wireguard wg01 address '10.254.60.2/30'
   set interfaces wireguard wg01 description 'offsite1-to-router1'
@ -373,7 +373,7 @@ This filter is applied to ``redistribute connected``.  If we WERE to advertise i
 via their default route, establish the connection, and then OSPF would say '192.0.2.0/24 is available via this tunnel', at which point
 the tunnel would break, OSPF would drop the routes, and then 192.0.2.0/24 would be reachable via default again. This is called 'flapping'.
-.. code-block:: sh
+.. code-block:: console
   set policy access-list 150 description 'Outbound OSPF Redistribution'
   set policy access-list 150 rule 10 action 'permit'
@ -394,7 +394,7 @@ Create Import Filter
 We only want to import networks we know about. Our OSPF peer should only be advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE MATCH. You deny in access-list 100 to accept the route.
-.. code-block:: sh
+.. code-block:: console
   set policy access-list 100 description 'Inbound OSPF Routes from Peers'
   set policy access-list 100 rule 10 action 'deny'
@ -415,7 +415,7 @@ Enable OSPF
 Every router **must** have a unique router-id.
 The 'reference-bandwidth' is used because when OSPF was originally designed, the idea of a link faster than 1gbit was unheard of, and it does not scale correctly. 
-.. code-block:: sh
+.. code-block:: console
   set protocols ospf area 0.0.0.0 authentication 'md5'
   set protocols ospf area 0.0.0.0 network '10.254.60.0/24'
@ -440,7 +440,7 @@ As a reminder, only advertise routes that you are the default router for. This i
 192.0.2.0/24 network, because if that was announced into OSPF, the other routers would try to connect to that
 network over a tunnel that connects to that network!
-.. code-block:: sh
+.. code-block:: console
   set protocols ospf access-list 150 export 'connected'
   set protocols ospf redistribute connected
@ -458,7 +458,7 @@ Priorities
 Set the cost on the secondary links to be 200. This means that they will not be used unless the primary links are down.
-.. code-block:: sh
+.. code-block:: console
   set interfaces wireguard wg01 ip ospf cost '10'
   set interfaces wireguard wg02 ip ospf cost '200'
@ -476,7 +476,7 @@ router1
 The ``redistribute ospf`` command is there purely as an example of how this can be expanded. In this walkthrough, it will be filtered by BGPOUT rule 10000, as it is not 203.0.113.0/24.
-.. code-block:: sh
+.. code-block:: console
   set policy prefix-list BGPOUT description 'BGP Export List'
   set policy prefix-list BGPOUT rule 10 action 'deny'
--- a/docs/appendix/examples/ospf-unnumbered.rst
+++ b/docs/appendix/examples/ospf-unnumbered.rst
@ -10,7 +10,7 @@ Configuration
 - Router A:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address '10.0.0.1/24'
  set interfaces ethernet eth1 address '192.168.0.1/32'
@ -27,7 +27,7 @@ Configuration
 - Router B:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address '10.0.0.2/24'
  set interfaces ethernet eth1 address '192.168.0.2/32'
@ -48,7 +48,7 @@ Results
 - Router A:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces 
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@ -63,7 +63,7 @@ Results
  vyos@vyos:~$ 
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ip route 
  Codes: K - kernel route, C - connected, S - static, R - RIP,
@ -87,7 +87,7 @@ Results
 - Router B:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces 
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@ -102,7 +102,7 @@ Results
  vyos@vyos:~$ 
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ip route 
  Codes: K - kernel route, C - connected, S - static, R - RIP,
--- a/docs/appendix/examples/tunnelbroker-ipv6.rst
+++ b/docs/appendix/examples/tunnelbroker-ipv6.rst
@ -17,7 +17,7 @@ Setting up the initial tunnel
 - Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page.
-.. code-block:: sh
+.. code-block:: console
    conf
    set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker    # This will be your VyOS install's public IPv6 address
@ -34,7 +34,7 @@ Setting up the initial tunnel
 - At this point you should be able to ping an IPv6 address. Try pinging Google:
-.. code-block:: sh
+.. code-block:: console
   ping6 -c2 2001:4860:4860::8888
@ -47,7 +47,7 @@ Setting up the initial tunnel
 - Assuming the pings are successful, you need to add some DNS servers. Some options:
-.. code-block:: sh
+.. code-block:: console
   set system name-server 2001:4860:4860::8888  # Google
   set system name-server 2001:4860:4860::8844  # Google
@ -57,7 +57,7 @@ Setting up the initial tunnel
 - You should now be able to ping something by IPv6 DNS name:
-.. code-block:: sh
+.. code-block:: console
   # ping6 -c2 one.one.one.one
   PING one.one.one.one(one.one.one.one) 56 data bytes
@ -87,7 +87,7 @@ Single LAN Setup
 Single LAN setup where eth1 is your LAN interface.  Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel):
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64'    
   set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
@ -118,7 +118,7 @@ In the above examples, 1,2,ffff are all chosen by you.  You can use 1-ffff (1-65
 So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
-.. code-block:: sh
+.. code-block:: console
   set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'
   set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
--- a/docs/appendix/examples/zone-policy.rst
+++ b/docs/appendix/examples/zone-policy.rst
@ -8,7 +8,7 @@ Native IPv4 and IPv6
 We have three networks.
-.. code-block:: sh
+.. code-block:: console
  WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64
  LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64
@ -25,7 +25,7 @@ WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30.
 It will look something like this:
-.. code-block:: sh
+.. code-block:: console
  interfaces {
      ethernet eth0 {
@ -80,7 +80,7 @@ ruleset.
 In rules, it is good to keep them named consistently. As the number of rules
 you have grows, the more consistency you have, the easier your life will be.
-.. code-block:: sh
+.. code-block:: console
  Rule 1 - State Established, Related
  Rule 2 - State Invalid
@ -105,7 +105,7 @@ significant headaches when trying to troubleshoot a connectivity issue.
 To add logging to the default rule, do:
-.. code-block:: sh
+.. code-block:: console
  set firewall name <ruleSet> enable-default-log
@ -143,7 +143,7 @@ The following are the rules that were created for this example
 (may not be complete), both in IPv4 and IPv6. If there is no IP specified,
 then the source/destination address is not explicit.
-.. code-block:: sh
+.. code-block:: console
  WAN – DMZ:192.168.200.200 – tcp/80
  WAN – DMZ:192.168.200.200 – tcp/443
@ -195,7 +195,7 @@ then the source/destination address is not explicit.
 Since we have 4 zones, we need to setup the following rulesets.
-.. code-block:: sh
+.. code-block:: console
  Lan-wan
  Lan-local
@ -217,7 +217,7 @@ connection attempts.
 This is an example of the three base rules.
-.. code-block:: sh
+.. code-block:: console
  name wan-lan {
    default-action drop
@ -241,7 +241,7 @@ This is an example of the three base rules.
 Here is an example of an IPv6 DMZ-WAN ruleset.
-.. code-block:: sh
+.. code-block:: console
  ipv6-name dmz-wan-6 {
    default-action drop
@ -317,7 +317,7 @@ zone-policy.
 Start by setting the interface and default action for each zone.
-.. code-block:: sh
+.. code-block:: console
  set zone-policy zone dmz default-action drop
  set zone-policy zone dmz interface eth0.30
@ -342,7 +342,7 @@ LAN, WAN, DMZ, local and TUN (tunnel)
 v6 pairs would be:
-.. code-block:: sh
+.. code-block:: console
  lan-tun
  lan-local
@ -363,7 +363,7 @@ You would have to add a couple of rules on your wan-local ruleset to allow proto
 Something like:
-.. code-block:: sh
+.. code-block:: console
  rule 400 {
    action accept
--- a/docs/appendix/migrate-from-vyatta.rst
+++ b/docs/appendix/migrate-from-vyatta.rst
@ -30,7 +30,7 @@ You just use ``add system image``, as if it was a new VC release (see
 is to verify the new images digital signature. You will have to add the public
 key manually once as it is not shipped the first time.
-.. code-block:: sh
+.. code-block:: console
  vyatta@vyatta:~$ wget http://wiki.vyos.net/so3group_maintainers.key
  Connecting to vyos.net (x.x.x.x:80)
@ -41,7 +41,7 @@ key manually once as it is not shipped the first time.
 For completion the key below corresponds to the key listed in the URL above.
-.. code-block:: sh
+.. code-block:: console
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1.4.12 (GNU/Linux)
@ -101,7 +101,7 @@ Next add the VyOS image.
 This example uses VyOS 1.0.0, however, it's better to install the latest
 release.
-.. code-block:: sh
+.. code-block:: console
  vyatta@vyatta:~$ show system image
  The system currently has the following image(s) installed:
--- a/docs/appendix/vyos-on-baremetal.rst
+++ b/docs/appendix/vyos-on-baremetal.rst
@ -114,7 +114,7 @@ Create a bootable USB pendrive using e.g. Rufus_ on a Windows machine.
 Connect serial port to a PC through null modem cable (RXD / TXD crossed over).
 Set terminal emulator to 115200 8N1.
-.. code-block:: sh
+.. code-block:: console
  PC Engines apu4
  coreboot build 20171130
@ -135,7 +135,7 @@ Now boot from the ``USB MSC Drive Generic Flash Disk 8.07`` media by pressing
 ``2``, the VyOS boot menu will appear, just wait 10 seconds or press ``Enter``
 to continue.
-.. code-block:: sh
+.. code-block:: console
  lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
  x                      VyOS - Boot Menu                      x
@ -147,7 +147,7 @@ to continue.
 The image will be loaded and the last lines you will get will be:
-.. code-block:: sh
+.. code-block:: console
  Loading /live/vmlinuz... ok
  Loading /live/initrd.img...
@ -155,7 +155,7 @@ The image will be loaded and the last lines you will get will be:
 The Kernel will now spin up using a different console setting. Set terminal
 emulator to 9600 8N1 and after a while your console will show:
-.. code-block:: sh
+.. code-block:: console
  Loading /live/vmlinuz... ok
  Loading /live/initrd.img...
@ -172,14 +172,14 @@ your first successful boot.
 Use the following command to adjust the :ref:`serial-console` settings:
-.. code-block:: sh
+.. code-block:: console
  set system console device ttyS0 speed 115200
 .. note:: Once you ``commit`` the above changes access to the serial interface
   is lost until you set your terminal emulator to 115200 8N1 again.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show system console
   device ttyS0 {
--- a/docs/cli.rst
+++ b/docs/cli.rst
@ -20,14 +20,14 @@ For example typing ``sh`` followed by the ``TAB`` key will complete to
 ``show``. Pressing ``TAB`` a second time will display the possible
 sub-commands of the ``show`` command.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ s[tab]
  set   show
 Example showing possible show commands:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show [tab]
  Possible completions:
@ -71,7 +71,7 @@ When viewing in page mode the following commands are available:
 To enter configuration mode use the ``configure`` command:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ configure
  [edit]
@ -80,7 +80,7 @@ To enter configuration mode use the ``configure`` command:
 .. note:: Prompt changes from ``$`` to ``#``. To exit configuration mode,
   type ``exit``.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~# exit
  exit
--- a/docs/clustering.rst
+++ b/docs/clustering.rst
@ -17,7 +17,7 @@ General cluster configuration
 In the general cluster configuration the network interfaces used for monitoring and negotiation of the cluster health is defined.
 Additionally, the communication interval settings, multicast group (for sending/receiving heartbeat messages), and pre-shared secret used in this monitoring is defined.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set cluster
  Possible completions:
@ -35,7 +35,7 @@ Cluster group configuration
 For the cluster group configuration, the group name must be defined before the groups configuration can be set (See Example below).
 After the group name is defined, the specific service to be clustered between primary and secondary nodes is configured.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set cluster group GROUPNAME
  Possible completions:
@ -48,7 +48,7 @@ After the group name is defined, the specific service to be clustered between pr
 Review cluster status
 ---------------------
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show cluster status
@ -58,7 +58,7 @@ Example
 In the example below SSH is clustered between two nodes.
-.. code-block:: sh
+.. code-block:: console
  cluster {
      dead-interval 20000
--- a/docs/commandscripting.rst
+++ b/docs/commandscripting.rst
@ -9,7 +9,7 @@ from shell scripts.
 To include VyOS specific functions and aliases you need to ``source
 /opt/vyatta/etc/functions/script-template`` files at the top of your script.
-.. code-block:: sh
+.. code-block:: console
  #!/bin/vbash
  source /opt/vyatta/etc/functions/script-template
@ -21,7 +21,7 @@ Run configuration commands
 Configuration commands are executed just like from a normal config session. For
 example, if you want to disable a BGP peer on VRRP transition to backup:
-.. code-block:: sh
+.. code-block:: console
  #!/bin/vbash
  source /opt/vyatta/etc/functions/script-template
@ -36,7 +36,7 @@ Run operational commands
 Unlike a normal configuration sessions, all operational commands must be
 prepended with ``run``, even if you haven't created a session with configure.
-.. code-block:: sh
+.. code-block:: console
  #!/bin/vbash
  source /opt/vyatta/etc/functions/script-template
@ -59,7 +59,7 @@ Here is a simple example:
  print "set firewall group address-group somehosts address '1.1.1.2'"
-.. code-block:: sh
+.. code-block:: console
  #!/bin/vbash
  source /opt/vyatta/etc/functions/script-template
@ -79,7 +79,7 @@ On VyOS this will cause the following problem: After modifying the configuration
 via script like this once, it is not possible to manually modify the config
 anymore:
-.. code-block:: sh
+.. code-block:: console
  sudo ./myscript.sh # Modifies config
  configure
@ -91,14 +91,14 @@ a reboot is required to be able to edit the config manually again.
 To avoid these problems, the proper way is to call a script with the
 ``vyattacfg`` group, e.g., by using the ``sg`` (switch group) command:
-.. code-block:: sh
+.. code-block:: console
  sg vyattacfg -c ./myscript.sh
 To make sure that a script is not accidentally called without the ``vyattacfg``
 group, the script can be safeguarded like this:
-.. code-block:: sh
+.. code-block:: console
  if [ "$(id -g -n)" != 'vyattacfg' ] ; then
      exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
@ -115,7 +115,7 @@ which are not complete in the VyOS system can be placed here.
 The default file looks like this:
-.. code-block:: sh
+.. code-block:: console
  #!/bin/sh
  # This script is executed at boot time after VyOS configuration is fully
--- a/docs/configuration-overview.rst
+++ b/docs/configuration-overview.rst
@ -11,7 +11,7 @@ of system configuration.
 The current active configuration -aka running configuration- can be viewed
 using the show configuration command.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show configuration
  interfaces {
@ -75,7 +75,7 @@ through a collection of ``set`` and ``delete`` commands.
 Get a collection of all the set commands required which led to this
 running configuration.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show configuration commands
  set interfaces ethernet eth0 address 'dhcp'
@ -131,7 +131,7 @@ When entering the configuration mode you are navigating inside the tree
 structure exported in the overview above, to enter configuration mode enter
 the command ``configure`` when in operational mode.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos$ configure
  [edit]
@ -146,7 +146,7 @@ lengthy when manually typing them.
 To change the current hierarchy level use the command: ``edit``
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# edit interfaces ethernet eth0
@ -163,7 +163,7 @@ The ``show`` command within configuration mode will show the working
 configuration indicating line changes with ``+`` for additions, ``>`` for
 replacements and ``-`` for deletions.
-.. code-block:: sh
+.. code-block:: console
 vyos@vyos:~$ configure
 [edit]
@ -197,7 +197,7 @@ replacements and ``-`` for deletions.
 It is also possible to display all `set` commands within configuration mode
 using ``show | commands``
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show interfaces ethernet eth0 | commands
  set address dhcp
@ -206,7 +206,7 @@ using ``show | commands``
 These commands are also relative to the level you are inside and only relevant
 configuration blocks will be displayed when entering a sub-level.
-.. code-block:: sh
+.. code-block:: console
  [edit interfaces ethernet eth0]
  vyos@vyos# show
@ -217,7 +217,7 @@ Exiting from the configuration mode is done via the ``exit`` command from the
 top level, executing `exit` from within a sub-level takes you back to the top
 level.
-.. code-block:: sh
+.. code-block:: console
  [edit interfaces ethernet eth0]
  vyos@vyos# exit
@ -239,7 +239,7 @@ These commands are also relative to the level where they are executed and all
 redundant information from the current level is removed from the command
 entered.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# set interface ethernet eth0 address 192.0.2.100/24
@ -255,7 +255,7 @@ all sub-levels under the current level you've specified in the ``delete``
 command. Deleting an entry will also result in the element reverting back to
 its default value if one exists.
-.. code-block:: sh
+.. code-block:: console
  [edit interfaces ethernet eth0]
  vyos@vyos#  delete address 192.0.2.100/24
@ -263,7 +263,7 @@ its default value if one exists.
 Any change you do on the configuration, will not take effect until committed
 using the ``commit`` command in configuration mode.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# commit
  [edit]
@ -275,7 +275,7 @@ In order to preserve configuration changes upon reboot, the configuration must
 also be saved once applied. This is done using the ``save`` command in
 configuration mode.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# save
  Saving configuration to '/config/config.boot'...
@ -288,7 +288,7 @@ Configuration mode can not be exited while uncommitted changes exist. To exit
 configuration mode without applying changes, the exit discard command can be
 used.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# exit
  Cannot exit: configuration modified.
@ -298,7 +298,7 @@ used.
  exit
  vyos@vyos:~$
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# save [tab]
  Possible completions:
@ -324,7 +324,7 @@ operational mode.
 Command completion and syntax help with ``?`` and ``[tab]`` will also work.
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# run show interfaces
@ -347,7 +347,7 @@ previous revisions if anything goes wrong.
 To view existing revisions, use ``show system commit`` operational mode command.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos-test-2# run show system commit
  0   2015-03-30 08:53:03 by vyos via cli
@ -362,7 +362,7 @@ To view existing revisions, use ``show system commit`` operational mode command.
 To compare configuration revisions in configuration mode, use the compare
 command:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# compare [tab]
  Possible completions:
@ -395,7 +395,7 @@ compared to Y, indicating with a plus sign (``+``) the additional parts X has
 when compared to y, and indicating with a minus sign (``-``) the lacking parts
 x misses when compared to y.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos-test-2# compare 0 6
  [edit interfaces]
@ -416,7 +416,7 @@ Rolling Back Changes
 You can rollback configuration using the rollback command. This command will
 apply the selected revision and trigger a system reboot.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# compare 1
  [edit system]
@ -459,7 +459,7 @@ Restore Default
 In the case you want to completely delete your configuration and restore the
 default one, you can enter the following command in configuration mode:
-.. code-block:: sh
+.. code-block:: console
  load /opt/vyatta/etc/config.boot.default
--- a/docs/contributing/build-vyos.rst
+++ b/docs/contributing/build-vyos.rst
@ -18,7 +18,7 @@ Buster.
 Installing Docker_ and prerequisites:
-.. code-block:: sh
+.. code-block:: console
  $ apt-get update
  $ apt-get install -y apt-transport-https ca-certificates curl \
@ -48,7 +48,7 @@ the vyos-build repository).
 The container can always be built directly from source:
-.. code-block:: sh
+.. code-block:: console
  $ git clone -b current --single-branch https://github.com/vyos/vyos-build
  $ docker build -t vyos/vyos-build docker
@ -68,7 +68,7 @@ Build ISO
 After the container is generated either manually or fetched from DockerHub,
 a fresh build of the VyOS ISO can begin.
-.. code-block:: sh
+.. code-block:: console
  $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build bash
  vyos_bld@d4220bb519a0:/vyos# ./configure --architecture amd64 \
@ -88,7 +88,7 @@ image:
 This ISO can be customized with the following list of configure options.
 The full and current list can be generated with ``./configure --help``:
-.. code-block:: sh
+.. code-block:: console
  -h, --help            show this help message and exit
  --architecture ARCHITECTURE
--- a/docs/contributing/development.rst
+++ b/docs/contributing/development.rst
@ -115,7 +115,7 @@ which of the many VyOS packages ship this file. You can determine the VyOS
 package name in question by using Debians ``dpkg -S`` command of your running
 VyOS installation.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~ dpkg -S /opt/vyatta/sbin/vyatta-update-webproxy.pl
  vyatta-webproxy: /opt/vyatta/sbin/vyatta-update-webproxy.pl
@ -144,7 +144,7 @@ In order to record you as the author of the fix please indentify yourself to Git
 by setting up your name and email. This can be done local for this one and only
 repository ``git config`` or globally using ``git config --global``.
-.. code-block:: sh
+.. code-block:: console
  git config --global user.name "J. Random Hacker"
  git config --global user.email "jrhacker@example.net"
--- a/docs/contributing/documentation.rst
+++ b/docs/contributing/documentation.rst
@ -59,7 +59,7 @@ This requires you already have a GitHub account.
  Check your configured remote repositories:
-  .. code-block:: sh
+  .. code-block:: console
    $ git remote -v
    origin    https://github.com/YOUR_USERNAME/vyos-documentation.git (fetch)
@ -70,7 +70,7 @@ This requires you already have a GitHub account.
  Your remote repo on Github is called Origin, while the original repo you
  have forked is called Upstream. Now you can locally update your forked repo.
-  .. code-block:: sh
+  .. code-block:: console
    $ git fetch upstream
    $ git checkout master
@ -88,7 +88,7 @@ Sections
 We use the following syntax for Headlines.
-.. code-block:: sh
+.. code-block:: console
  #####
  Parts
@ -139,7 +139,7 @@ Under the command a short exlaination should be provide.
 Example:
-.. code-block:: sh
+.. code-block:: console
  .. opcmd:: show protocols static arp
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@ -44,14 +44,14 @@ addresses and networks, the network group is recommended.
 Here is an example of a network group for the IP networks that make up the
 internal network:
-.. code-block:: sh
+.. code-block:: console
  set firewall group network-group NET-INSIDE network 192.168.0.0/24
  set firewall group network-group NET-INSIDE network 192.168.1.0/24
 Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append "-v4" or "-v6" to your group names.
-.. code-block:: sh
+.. code-block:: console
  set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
  set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
@ -64,7 +64,7 @@ Ranges of ports can be specified by using `-`.
 Here is an example of a port group a server:
-.. code-block:: sh
+.. code-block:: console
  set firewall group port-group PORT-TCP-SERVER1 port 80
  set firewall group port-group PORT-TCP-SERVER1 port 443
@ -79,7 +79,7 @@ is matched, and the ability to specify the criteria to match.
 Example of a rule-set to filter traffic to the internal network:
-.. code-block:: sh
+.. code-block:: console
  set firewall name INSIDE-OUT default-action drop
  set firewall name INSIDE-OUT rule 1010 action accept
@ -96,7 +96,7 @@ Once a rule-set is created, it can be applied to an interface.
 .. note:: Only one rule-set can be applied to each interface for `in`, `out`,
   or `local` traffic for each protocol (IPv4 and IPv6).
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth1 firewall out name INSIDE-OUT
@ -106,7 +106,7 @@ Applying a Rule-Set to a Zone
 A named rule-set can also be applied to a zone relationship (note, zones must
 first be created):
-.. code-block:: sh
+.. code-block:: console
  set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT
@ -119,13 +119,13 @@ With the firewall you can set rules to accept, drop or reject ICMP in, out or lo
 .. note:: **firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way
-.. code-block:: sh
+.. code-block:: console
  set firewall all-ping enable
 When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.
-.. code-block:: sh
+.. code-block:: console
  set firewall all-ping disable
@ -134,7 +134,7 @@ When the comand above is set, VyOS will answer no ICMP echo request addressed to
 Example Partial Config
 ----------------------
-.. code-block:: sh
+.. code-block:: console
  firewall {
     all-ping enable
--- a/docs/high-availability.rst
+++ b/docs/high-availability.rst
@ -21,7 +21,7 @@ The required parameters are interface, vrid, and virtual-address.
 minimal config
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo vrid 10
  set high-availability vrrp group Foo interface eth0
@ -29,7 +29,7 @@ minimal config
 You can verify your VRRP group status with the operational mode ``run show vrrp`` command:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# run show vrrp 
  Name        Interface      VRID  State    Last Transition
@ -46,7 +46,7 @@ Disabling a VRRP group
 You can disable a VRRP group with ``disable`` option:
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo disable
@ -57,7 +57,7 @@ Setting VRRP group priority
 VRRP priority can be set with ``priority`` option:
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo priority 200
@ -68,7 +68,7 @@ Sync groups
 A sync group allows VRRP groups to transition together.  
-.. code-block:: sh
+.. code-block:: console
    edit high-availability
    set sync-group MAIN member VLAN9
@ -76,7 +76,7 @@ A sync group allows VRRP groups to transition together.
 In the following example, when VLAN9 transitions, VLAN20 will also transition:
-.. code-block:: sh
+.. code-block:: console
    vrrp {
        group VLAN9 {
@ -108,13 +108,13 @@ VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, i
 By default VRRP uses preemption. You can disable it with the "no-preempt" option:
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo no-preempt
 You can also configure the time interval for preemption with the "preempt-delay" option. For example, to set the higher priority router to take over in 180 seconds, use:
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo preempt-delay 180
@ -123,7 +123,7 @@ Unicast VRRP
 By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can make VRRP use unicast communication instead.
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo peer-address 192.0.2.10
  set high-availability vrrp group Foo hello-source-address 192.0.2.15
@ -139,7 +139,7 @@ Health check scripts
 This setup will make the VRRP process execute the ``/config/scripts/vrrp-check.sh script`` every 60 seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh
  set high-availability vrrp group Foo health-check interval 60
@ -151,7 +151,7 @@ Transition scripts
 Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying the VyOS config on VRRP transition.
 This setup will make the VRRP process execute the ``/config/scripts/vrrp-fail.sh`` with argument ``Foo`` when VRRP fails, and the ``/config/scripts/vrrp-master.sh`` when the router becomes the master:
-.. code-block:: sh
+.. code-block:: console
  set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-fail.sh Foo"
  set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-fail.sh Foo"
--- a/docs/image-mgmt.rst
+++ b/docs/image-mgmt.rst
@ -9,7 +9,7 @@ each image on the storage device selected during the install process.
 The directory structure of the boot device:
-.. code-block:: sh
+.. code-block:: console
  /
  /boot
@ -37,7 +37,7 @@ default-boot` command in operational mode.
 A list of available images can be shown using the :code:`show system image`
 command in operational mode.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show system image
  The system currently has the following image(s) installed:
@ -62,7 +62,7 @@ install process will prompt you to use the current system configuration and SSH
 security keys, allowing for the new image to boot using the current
 configuration.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201810030440-amd64.iso
  Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201810030440-amd64.iso
@ -100,7 +100,7 @@ If you need some files from a previous images - take a look inside a
 After reboot you might want to verify the version you are running with :code:`show version`
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show version
  Version:          VyOS 1.2.0-rolling+201810030440
--- a/docs/install.rst
+++ b/docs/install.rst
@ -71,7 +71,7 @@ https://pgp.mit.edu/pks/lookup?op=get&search=0xFD220285A0FE6D7E
 Or from the following block:
-.. code-block:: sh
+.. code-block:: console
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1.4.12 (GNU/Linux)
@ -131,7 +131,7 @@ file_with_the_public_key``
 The import can be verified with:
-.. code-block:: sh
+.. code-block:: console
  $ gpg --list-keys
  ...
@ -154,7 +154,7 @@ downloaded.
 Finally, verify the authencity of the downloaded image:
-.. code-block:: sh
+.. code-block:: console
  $ gpg2 --verify vyos-1.2.1-amd64.iso.asc  vyos-1.2.1-amd64.iso
  gpg: Signature made So 14 Apr 12:58:07 2019 CEST
@ -171,7 +171,7 @@ VyOS ISO is a Live CD and will boot to a functional VyOS image.
 To login to the system, use the default username and password will be: ``vyos``
-.. code-block:: sh
+.. code-block:: console
  The programs included with the Debian GNU/Linux system are free software;
  the exact distribution terms for each program are described in the
@ -203,7 +203,7 @@ keys, or custom scripts.
 To install VyOS, run ``install image`` after logging into the live system with
 the provided default credentials.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ install image
  Welcome to the VyOS install program.  This script
@ -257,7 +257,7 @@ the provided default credentials.
 After the installation is complete, remove the Live CD and reboot the system:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ reboot
  Proceed with reboot? (Yes/No) [No] Yes
@ -293,7 +293,7 @@ Configure DHCP server to provide the client with:
 In this example we configured an existent VyOS as the DHCP server:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show service dhcp-server
   shared-network-name mydhcp {
@ -334,7 +334,7 @@ Configure a TFTP server so that it serves the following:
 In the example we configured our existent VyOS as the TFTP server too:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show service tftp-server
   directory /config/tftpboot
@ -344,7 +344,7 @@ In the example we configured our existent VyOS as the TFTP server too:
 Example of the contents of the TFTP server:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# ls -hal /config/tftpboot/
  total 29M
@ -364,7 +364,7 @@ Example of the contents of the TFTP server:
 Example of simple (no menu) configuration file:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# cat /config/tftpboot/pxelinux.cfg/default
  DEFAULT VyOS123
--- a/docs/interfaces/addresses.rst
+++ b/docs/interfaces/addresses.rst
@ -27,7 +27,7 @@ PPP.
 The command is ``set interfaces $type $name address $address``. Examples:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address 192.0.2.1/24
  set interfaces tunnel tun0 address 10.0.0.1/30
@ -43,7 +43,7 @@ Pseudo-ethernet, Wireless).
 The command is ``set interfaces $type $name address dhcp``. Examples:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 vif 90 address dhcp
  set interfaces bridge br0 address dhcp
@ -61,7 +61,7 @@ except :ref:`tunnel-interface`.
 The command is ``set interfaces $type $name address $address``. Examples:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address 2001:db8:100::ffff/64
  set interfaces tunnel tun0 address 2001:db8::1/64
@ -77,7 +77,7 @@ Pseudo-ethernet, Wireless).
 The command is `set interfaces $type $name address dhcpv6`. Examples:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bonding bond1 address dhcpv6
  set interfaces bridge br0 vif 56 address dhcpv6
@ -91,7 +91,7 @@ interfaces, and those that are directly connected to a physical interface
 The command is ``set interfaces $type $name ipv6 address autoconf``. Examples:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 vif 90 ipv6 address autoconf
  set interfaces bridge br0 ipv6 address autoconf
@ -109,7 +109,7 @@ MAC address, if you specify the prefix.
 The command is `set interfaces $type $name ipv6 address eui64 $prefix`.
 Examples:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64
  set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:aa::/64
@ -123,14 +123,14 @@ of what is known as SLAAC (Stateless Address Autoconfiguration).
 To enable or disable, use:
-.. code-block:: sh
+.. code-block:: console
  set interfaces <interface> ipv6 router-advert send-advert <true|false>
 To set the options described in "Router Advertisement Message Format":
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos#  set interfaces <interface> ipv6 router-advert
  Possible completions:
@ -154,7 +154,7 @@ Prefix Information
 Prefix information is described in :rfc:`4861#section-4.6.2`.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set interfaces <interface> ipv6 router-advert prefix <h:h:h:h:h:h:h:h/x>
  Possible completions:
@ -169,7 +169,7 @@ Receiving Router Advertisements
 To receive and accept RAs on an interface, you need to enable it with the
 following configuration command
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set system sysctl custom net.ipv6.conf.<interface>.accept_ra value 2
--- a/docs/interfaces/bond.rst
+++ b/docs/interfaces/bond.rst
@ -8,13 +8,13 @@ logical one. It's called bonding, or LAG, or ether-channel, or port-channel.
 Create interface bondX, where X is just a number:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bonding bond0 description 'my-sw1 int 23 and 24'
 You are able to choose a hash policy:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set interfaces bonding bond0 hash-policy
  Possible completions:
@ -24,20 +24,20 @@ You are able to choose a hash policy:
 For example:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bonding bond0 hash-policy 'layer2'
 You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad) AKA LACP
 (don't forget to setup it on the other end of these links):
-.. code-block:: sh
+.. code-block:: console
 set interfaces bonding bond0 mode '802.3ad'
 or some other modes:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set interfaces bonding bond0 mode
  Possible completions:
@ -54,7 +54,7 @@ or some other modes:
 Now bond some physical interfaces into bond0:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bonding bond0 member interface eth0
  set interfaces bonding bond0 member interface eth1
@ -64,7 +64,7 @@ change its` duplex, for example) and assign IPs or VIFs on it.
 You may check the result:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# run sh interfaces bonding
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
--- a/docs/interfaces/bridge.rst
+++ b/docs/interfaces/bridge.rst
@ -9,7 +9,7 @@ Layer-2 traffic.
 A bridge is created when a bridge interface is defined. In the example below
 we create a bridge named br100 with eth1 and eth2 as the bridge member ports.
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge 'br100'
  set interfaces bridge br100 member interface eth1
@ -18,7 +18,7 @@ we create a bridge named br100 with eth1 and eth2 as the bridge member ports.
 Each bridge member can be assiged a port cost and priority using the following
 commands:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br100 member interface eth1 cost 10
  set interfaces bridge br100 member interface eth1 priority 1024
@ -27,14 +27,14 @@ Interfaces assigned to a bridge do not have address configuration. An IP
 address can be assigned to the bridge interface itself, however, like any
 normal interface.
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br100 address '192.168.100.1/24'
  set interfaces bridge br100 address '2001:db8:100::1/64'
 Example Result:
-.. code-block:: sh
+.. code-block:: console
  bridge br100 {
      address 192.168.100.1/24
@ -59,7 +59,7 @@ Spanning-Tree Protocol. STP is disabled by default.
 To enable spanning-tree use the `set interfaces bridge <name> stp` command:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br100 stp
@ -70,7 +70,7 @@ using the `aging` directive.
 The `show bridge` operational command can be used to display configured
 bridges:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show bridge
  bridge name     bridge id               STP enabled     interfaces
@ -79,7 +79,7 @@ bridges:
 If spanning-tree is enabled, the `show bridge <name> spanning-tree` command
 can be used to show STP configuration:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show bridge br100 spanning-tree
  br100
@ -105,7 +105,7 @@ can be used to show STP configuration:
 The MAC address-table for a bridge can be displayed using the
 `show bridge <name> macs` command:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show bridge br100 macs
  port no mac addr                is local?       ageing timer
--- a/docs/interfaces/dummy.rst
+++ b/docs/interfaces/dummy.rst
@ -10,7 +10,7 @@ purposes.
 Configuration commands:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set interfaces dummy dum0
  Possible completions:
--- a/docs/interfaces/ethernet.rst
+++ b/docs/interfaces/ethernet.rst
@ -6,7 +6,7 @@ Ethernet
 Ethernet interfaces allow for the configuration of speed, duplex, and hw-id
 (MAC address). Below is an example configuration:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth1 address '192.168.0.1/24'
  set interfaces ethernet eth1 address '2001:db8:1::ffff/64'
@ -16,7 +16,7 @@ Ethernet interfaces allow for the configuration of speed, duplex, and hw-id
 Resulting in:
-.. code-block:: sh
+.. code-block:: console
  ethernet eth1 {
      address 192.168.0.1/24
@ -35,7 +35,7 @@ In addition, Ethernet interfaces provide the extended operational commands:
 Statistics available are driver dependent.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces ethernet eth0 physical
  Settings for eth0:
--- a/docs/interfaces/geneve.rst
+++ b/docs/interfaces/geneve.rst
@ -20,7 +20,7 @@ fabric. Sometimes termed "leaf and spine" or "fat tree" topologies.
 Geneve Header:
-.. code-block:: sh
+.. code-block:: console
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |Ver|  Opt Len  |O|C|    Rsvd.  |          Protocol Type        |
--- a/docs/interfaces/index.rst
+++ b/docs/interfaces/index.rst
@ -7,7 +7,7 @@ Network Interfaces
 Configured interfaces on a VyOS system can be displayed using the
 ``show interfaces`` command.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@ -21,7 +21,7 @@ Configured interfaces on a VyOS system can be displayed using the
 A specific interface can be shown using the ``show interfaces <type> <name>``
 command.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces ethernet eth0
  eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
--- a/docs/interfaces/l2tpv3.rst
+++ b/docs/interfaces/l2tpv3.rst
@ -12,7 +12,7 @@ to PPP.
 Over IP
 ^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  # show interfaces l2tpv3
  l2tpv3 l2tpeth10 {
@ -36,7 +36,7 @@ UDP mode works better with NAT:
 * Set local-ip to your local IP (LAN).
 * Add a forwarding rule matching UDP port on your internet router.
-.. code-block:: sh
+.. code-block:: console
  # show interfaces l2tpv3
  l2tpv3 l2tpeth10 {
@ -63,7 +63,7 @@ will be directly connected like if there was a switch between them.
 IPSec:
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec ipsec-interfaces <VPN-interface>
  set vpn ipsec esp-group test-ESP-1 compression 'disable'
@ -91,7 +91,7 @@ IPSec:
 Bridge:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br0 description 'L2 VPN Bridge'
  # remote side in this example:
@ -102,7 +102,7 @@ Bridge:
 L2TPv3:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br0 member interface 'l2tpeth0'
  set interfaces l2tpv3 l2tpeth0 description 'L2 VPN Tunnel'
--- a/docs/interfaces/pppoe.rst
+++ b/docs/interfaces/pppoe.rst
@ -72,7 +72,7 @@ Requirements:
  nameservers your ISP sens you and thus you can fully rely on the ones you
  have configured statically.
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 description "DSL Modem"
  set interfaces ethernet eth0 duplex auto
@ -88,7 +88,7 @@ Requirements:
 You should add a firewall to your configuration above as well by
 assigning it to the pppoe0 itself as shown here:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 pppoe 0 firewall in name NET-IN
  set interfaces ethernet eth0 pppoe 0 firewall local name NET-LOCAL
@ -103,7 +103,7 @@ can easily create a PPPoE session through an encapsulated VLAN interface.
 The following configuration will run your PPPoE connection through VLAN7
 which is the default VLAN for Deutsche Telekom:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 description "DSL Modem"
  set interfaces ethernet eth0 duplex auto
--- a/docs/interfaces/qinq.rst
+++ b/docs/interfaces/qinq.rst
@ -31,7 +31,7 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG
 Configuration commands:
-.. code-block:: sh
+.. code-block:: console
  interfaces
      ethernet <eth[0-999]>
@ -65,7 +65,7 @@ Configuration commands:
 Example:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 vif-s 333
  set interfaces ethernet eth0 vif-s 333 address 192.0.2.10/32
--- a/docs/interfaces/tunnel.rst
+++ b/docs/interfaces/tunnel.rst
@ -22,7 +22,7 @@ this reason, there are no other configuration options for this kind of tunnel.
 An example:
-.. code-block:: sh
+.. code-block:: console
  set interfaces tunnel tun0 encapsulation ipip
  set interfaces tunnel tun0 local-ip 192.0.2.10
@ -40,7 +40,7 @@ It's not likely that anyone will need it any time soon, but it does exist.
 An example:
-.. code-block:: sh
+.. code-block:: console
  set interfaces tunnel tun0 encapsulation ipip
  set interfaces tunnel tun0 local-ip 2001:db8:aa::1/64
@ -57,7 +57,7 @@ As the name implies, it's IPv4 encapsulated in IPv6, as simple as that.
 An example:
-.. code-block:: sh
+.. code-block:: console
  set interfaces tunnel tun0 encapsulation ipip6
  set interfaces tunnel tun0 local-ip 2001:db8:aa::1/64
@ -79,7 +79,7 @@ Electric`_.
 An example:
-.. code-block:: sh
+.. code-block:: console
  set interfaces tunnel tun0 encapsulation sit
  set interfaces tunnel tun0 local-ip 192.0.2.10
@ -108,7 +108,7 @@ ip otherwise it would have to be configured as well.
 **VyOS Router:**
-.. code-block:: sh
+.. code-block:: console
  set interfaces tunnel tun100 address '10.0.0.1/30'
  set interfaces tunnel tun100 encapsulation 'gre'
@ -117,7 +117,7 @@ ip otherwise it would have to be configured as well.
 **Cisco IOS Router:**
-.. code-block:: sh
+.. code-block:: console
  interface Tunnel100
  ip address 10.0.0.2 255.255.255.252
@ -135,7 +135,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.
 **1. Confirm IP connectivity between tunnel local-ip and remote-ip:**
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4
  PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data.
@ -150,7 +150,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.
 **2. Confirm the link type has been set to GRE:**
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces tunnel tun100
  tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
@ -167,7 +167,7 @@ that are discarding IP protocol 47 or blocking your source/desintation traffic.
 **3. Confirm IP connectivity across the tunnel:**
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ ping 10.0.0.2 interface 10.0.0.1 count 4
  PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 : 56(84) bytes of data.
@ -185,14 +185,14 @@ Virtual Tunnel Interface (VTI)
 Set Virtual Tunnel Interface
-.. code-block:: sh
+.. code-block:: console
  set interfaces vti vti0 address 192.168.2.249/30
  set interfaces vti vti0 address 2001:db8:2::249/64
 Results in:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show interfaces vti
  vti vti0 {
--- a/docs/interfaces/vlan.rst
+++ b/docs/interfaces/vlan.rst
@ -30,7 +30,7 @@ accomplished using the configuration command:
 To assign a vif 100 using the VLAN 100 tag to physical interface eth1 use:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth1 vif 100 description 'VLAN 100'
  set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'
@ -38,7 +38,7 @@ To assign a vif 100 using the VLAN 100 tag to physical interface eth1 use:
 Resulting in:
-.. code-block:: sh
+.. code-block:: console
  ethernet eth1 {
      address 192.168.100.1/24
@ -56,7 +56,7 @@ Resulting in:
 VLAN interfaces are shown as `<name>.<vlan-id>`, e.g. `eth1.100`:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
--- a/docs/interfaces/vxlan.rst
+++ b/docs/interfaces/vxlan.rst
@ -68,7 +68,7 @@ support this.
 Configuration commands
 ^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  interfaces
    vxlan <vxlan[0-16777215]>
@ -97,7 +97,7 @@ This topology was built using GNS3.
 Topology:
-.. code-block:: sh
+.. code-block:: console
  Spine1:
  fa0/2 towards Leaf2, IP-address: 10.1.2.1/24
@ -113,7 +113,7 @@ Topology:
 Spine1 Configuration:
-.. code-block:: sh
+.. code-block:: console
  conf t
  ip multicast-routing
@ -136,7 +136,7 @@ from.
 Leaf2 configuration:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address '10.1.2.2/24'
  set protocols ospf area 0 network '10.0.0.0/8'
@ -161,7 +161,7 @@ Leaf2 configuration:
 Leaf3 configuration:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address '10.1.3.3/24'
  set protocols ospf area 0 network '10.0.0.0/8'
@ -188,7 +188,7 @@ As you can see, Leaf2 and Leaf3 configuration is almost identical. There are
 lots of commands above, I'll try to into more detail below, command
 descriptions are placed under the command boxes:
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br241 address '172.16.241.1/24'
@ -200,7 +200,7 @@ so that the Spine will learn how to reach it. To do this you need to change the
 OSPF network from '10.0.0.0/8' to '0.0.0.0/0' to allow 172.16/12-networks to be
 advertised.
-.. code-block:: sh
+.. code-block:: console
  set interfaces bridge br241 member interface 'eth1.241'
  set interfaces bridge br241 member interface 'vxlan241'
@ -208,28 +208,28 @@ advertised.
 Binds eth1.241 and vxlan241 to each other by making them both member interfaces of
 the same bridge.
-.. code-block:: sh
+.. code-block:: console
  set interfaces vxlan vxlan241 group '239.0.0.241'
 The multicast-group used by all Leafs for this vlan extension. Has to be the
 same on all Leafs that has this interface.
-.. code-block:: sh
+.. code-block:: console
  set interfaces vxlan vxlan241 link 'eth0'
 Sets the interface to listen for multicast packets on. Could be a loopback, not
 yet tested.
-.. code-block:: sh
+.. code-block:: console
  set interfaces vxlan vxlan241 vni '241'
 Sets the unique id for this vxlan-interface. Not sure how it correlates with
 multicast-address.
-.. code-block:: sh
+.. code-block:: console
  set interfaces vxlan vxlan241 remote-port 12345
@ -244,7 +244,7 @@ Older Examples
 Example for bridging normal L2 segment and vxlan overlay network, and using a
 vxlan interface as routing interface.
-.. code-block:: sh
+.. code-block:: console
  interfaces {
       bridge br0 {
@ -276,7 +276,7 @@ router has a VLAN interface (26) facing the client devices and a VLAN interface
 can flow between both routers' VLAN 26, but can't escape since there is no L3
 gateway. You can add an IP to a bridge to create a gateway.
-.. code-block:: sh
+.. code-block:: console
  interfaces {
       bridge br0 {
@ -310,7 +310,7 @@ Alternative to multicast, the remote IPv4 address of the VXLAN tunnel can set di
 Let's change the Multicast example from above:
-.. code-block:: sh
+.. code-block:: console
  # leaf2 and leaf3
  delete interfaces vxlan vxlan241 group '239.0.0.241'
--- a/docs/interfaces/wireless.rst
+++ b/docs/interfaces/wireless.rst
@ -45,7 +45,7 @@ The WAP in this example has the following characteristics:
 * Use 802.11n protocol
 * Wireless channel ``1``
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireless wlan0 address '192.0.2.1/24'
  set interfaces wireless wlan0 type access-point
@ -58,7 +58,7 @@ The WAP in this example has the following characteristics:
 Resulting in
-.. code-block:: sh
+.. code-block:: console
  interfaces {
    [...]
@ -110,7 +110,7 @@ The WAP in this example has the following characteristics:
 * Wireless channel ``1``
 * RADIUS server at ``192.0.3.10`` with shared-secret ``VyOSPassword``
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireless wlan0 address '192.0.2.1/24'
  set interfaces wireless wlan0 type access-point
@ -124,7 +124,7 @@ The WAP in this example has the following characteristics:
 Resulting in
-.. code-block:: sh
+.. code-block:: console
  interfaces {
    [...]
@ -161,7 +161,7 @@ The example creates a wireless station (commonly referred to as Wi-Fi client)
 that accesses the network through the WAP defined in the above example. The
 default physical device (``phy0``) is used.
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireless wlan0 type station
  set interfaces wireless wlan0 address dhcp
@ -170,7 +170,7 @@ default physical device (``phy0``) is used.
 Resulting in
-.. code-block:: sh
+.. code-block:: console
  interfaces {
    [...]
@ -193,7 +193,7 @@ Operational Commands
 Use this command to view operational status and wireless-specific information
 about all wireless interfaces.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces wireless info
  Interface  Type          SSID                         Channel
@ -204,7 +204,7 @@ about all wireless interfaces.
 Use this command to view operational status and detailes wireless-specific
 information about all wireless interfaces.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces wireless detail
  wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
@ -236,7 +236,7 @@ information about all wireless interfaces.
 This command shows both status and statistics on the specified wireless interface.
 The wireless interface identifier can range from wlan0 to wlan999.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces wireless wlan0
  wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
@ -257,7 +257,7 @@ The wireless interface identifier can range from wlan0 to wlan999.
 This command gives a brief status overview of a specified wireless interface.
 The wireless interface identifier can range from wlan0 to wlan999.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces wireless wlan0 brief
  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
@ -271,7 +271,7 @@ The wireless interface identifier can range from wlan0 to wlan999.
 Use this command to view wireless interface queue information.
 The wireless interface identifier can range from wlan0 to wlan999.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces wireless wlan0 queue
  qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
@ -289,7 +289,7 @@ in station mode.
   hardware. Refer to your driver and wireless hardware documentation for
   further details.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show interfaces wireless wlan0 scan
  Address            SSID                          Channel  Signal (dbm)
--- a/docs/load-balancing.rst
+++ b/docs/load-balancing.rst
@ -15,7 +15,7 @@ In a minimal, configuration the following must be provided:
 lets assume we have two dhcp WAN interfaces and one LAN (eth2)
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan interface-health eth0 nexthop 'dhcp'
    set load-balancing wan interface-health eth1 nexthop 'dhcp'
@ -32,7 +32,7 @@ If a packet doesn't match any rule it is sent by using the system routing table.
 Create a load balancing rule, rule can be a number between 1 and 9999:
-.. code-block:: sh
+.. code-block:: console
    vyos@vyos# set load-balancing wan rule 1
    Possible completions:
@ -53,7 +53,7 @@ Interface weight
 Let's expand the example from above and add a weight to the interfaces. The bandwidth from eth0 is larger than eth1.
 Per default outbound traffic is distributed randomly across available interfaces. Weights can be assigned to interfaces to influence the balancing.
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan rule 1 interface eth0 weight 2
    set load-balancing wan rule 1 interface eth1 weight 1
@ -66,7 +66,7 @@ Rate limit
 A packet rate limit can be set for a rule to apply the rule to traffic above or below a specified threshold.
 To configure the rate limiting use:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan rule <rule> limit <parameter>
@ -85,7 +85,7 @@ This has the advantage that packets always arrive in order if links with differe
 Packet-based balancing can lead to a better balance across interfaces when out of order packets are no issue. Per-packet-based balancing can be set for a balancing rule with:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan rule <rule> per-packet-balancing
@ -94,7 +94,7 @@ Exclude traffic
 To exclude traffic from load balancing, traffic matching an exclude rule is not balanced but routed through the system routing table instead:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan rule <rule> exclude
@ -105,7 +105,7 @@ Health checks
 The health of interfaces and paths assigned to the load balancer is periodically checked by sending ICMP packets (ping) to remote destinations, a TTL test or the execution of a user defined script.
 If an interface fails the health check it is removed from the load balancer's pool of interfaces. To enable health checking for an interface:
-.. code-block:: sh
+.. code-block:: console
    vyos@vyos# set load-balancing wan interface-health <interface>
    Possible completions:
@ -116,14 +116,14 @@ If an interface fails the health check it is removed from the load balancer's po
 Specify nexthop on the path to destination, ``ipv4-address`` can be set to ``dhcp``
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan interface-health <interface> nexthop <ipv4-address>
 Set the number of health check failures before an interface is marked as unavailable, range for number is 1 to 10, default 1.
 Or set the number of successful health checks before an interface is added back to the interface pool, range for number is 1 to 10, default 1.
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan interface-health <interface> failure-count <number>
    set load-balancing wan interface-health <interface> success-count <number>
@ -131,7 +131,7 @@ Or set the number of successful health checks before an interface is added back
 Each health check is configured in its own test, tests are numbered and processed in numeric order.
 For multi target health checking multiple tests can be defined:
-.. code-block:: sh
+.. code-block:: console
    vyos@vyos# set load-balancing wan interface-health eth1 test 0
    Possible completions:
@ -153,7 +153,7 @@ Source NAT rules
 Per default, interfaces used in a load balancing pool replace the source IP of each outgoing packet with its own address to ensure that replies arrive on the same interface. 
 This works through automatically generated source NAT (SNAT) rules, these rules are only applied to balanced traffic. In cases where this behaviour is not desired, the automatic generation of SNAT rules can be disabled:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan disable-source-nat
@ -163,7 +163,7 @@ Sticky Connections
 Upon reception of an incoming packet, when a response is sent, it might be desired to ensure that it leaves from the same interface as the inbound one.
 This can be achieved by enabling sticky connections in the load balancing:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan sticky-connections inbound
@ -176,13 +176,13 @@ The primary interface is selected based on its weight and health, others become
 Secondary interfaces to take over a failed primary interface are chosen from the load balancer's interface pool, depending on their weight and health.
 Interface roles can also be selected based on rule order by including interfaces in balancing rules and ordering those rules accordingly. To put the load balancer in failover mode, create a failover rule:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan rule <number> failover
 Because existing sessions do not automatically fail over to a new path, the session table can be flushed on each connection state change:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan flush-connections
@ -195,7 +195,7 @@ Script execution
 A script can be run when an interface state change occurs. Scripts are run from /config/scripts, for a different location specify the full path:
-.. code-block:: sh
+.. code-block:: console
    set load-balancing wan hook script-name
@ -219,7 +219,7 @@ A character at the start of each line depicts the state of the test
 * ``-`` failed
 * a blank indicates that no test has been carried out
-.. code-block:: sh
+.. code-block:: console
    vyos@vyos:~$ show wan-load-balance
    Interface:  eth0
@ -240,7 +240,7 @@ A character at the start of each line depicts the state of the test
 Show connection data of load balanced traffic:
-.. code-block:: sh
+.. code-block:: console
    vyos@vyos:~$ show wan-load-balance connection
    conntrack v1.4.2 (conntrack-tools): 3 flow entries have been shown.
@ -252,6 +252,6 @@ Show connection data of load balanced traffic:
 Restart
 *******
-.. code-block:: sh
+.. code-block:: console
    restart wan-load-balance
--- a/docs/nat.rst
+++ b/docs/nat.rst
@ -21,7 +21,7 @@ To setup SNAT, we need to know:
 In the example used for the Quick Start configuration above, we demonstrate
 the following configuration:
-.. code-block:: sh
+.. code-block:: console
  set nat source rule 100 outbound-interface 'eth0'
  set nat source rule 100 source address '192.168.0.0/24'
@ -29,7 +29,7 @@ the following configuration:
 Which generates the following configuration:
-.. code-block:: sh
+.. code-block:: console
  rule 100 {
      outbound-interface eth0
@ -58,7 +58,7 @@ recommended.
 A pool of addresses can be defined by using a **-** in the 
 `set nat source rule [n] translation address` statement.
-.. code-block:: sh
+.. code-block:: console
  set nat source rule 100 translation address '203.0.113.32-203.0.113.63'
@ -108,7 +108,7 @@ To setup a NAT reflection rule, we need to create a rule to NAT connections
 from the internal network to the same internal network to use the source
 address of the internal interface.
-.. code-block:: sh
+.. code-block:: console
  set nat source rule 110 description 'NAT Reflection: INSIDE'
  set nat source rule 110 destination address '192.168.0.0/24'
@ -118,7 +118,7 @@ address of the internal interface.
 Which results in a configuration of:
-.. code-block:: sh
+.. code-block:: console
  rule 110 {
      description "NAT Reflection: INSIDE"
@ -156,7 +156,7 @@ For other common port numbers, see: http://en.wikipedia.org/wiki/List_of_TCP_and
 Our configuration commands would be:
-.. code-block:: sh
+.. code-block:: console
  set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
  set nat destination rule 10 destination port '80'
@ -166,7 +166,7 @@ Our configuration commands would be:
 Which would generate the following NAT destination configuration:
-.. code-block:: sh
+.. code-block:: console
  nat {
      destination {
@ -198,7 +198,7 @@ the destination address has already been translated to 192.168.0.100.
 So in our firewall policy, we want to allow traffic coming in on the outside
 interface, destined for TCP port 80 and the IP address of 192.168.0.100.
-.. code-block:: sh
+.. code-block:: console
  set firewall name OUTSIDE-IN rule 20 action 'accept'
  set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
@ -208,7 +208,7 @@ interface, destined for TCP port 80 and the IP address of 192.168.0.100.
 This would generate the following configuration:
-.. code-block:: sh
+.. code-block:: console
  rule 20 {
      action accept
@ -248,7 +248,7 @@ notion of ports, such as GRE.
 Here's an extract of a simple 1-to-1 NAT configuration with one internal and
 one external interface:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address '192.168.1.1/24'
  set interfaces ethernet eth0 description 'Inside interface'
@ -305,7 +305,7 @@ VyOS Support
 NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
 `nat nptv6` configuration nodes.
-.. code-block:: sh
+.. code-block:: console
  set rule 10 inside-prefix 'fc00:dead:beef::/48'
  set rule 10 outside-interface 'eth1'
@ -316,7 +316,7 @@ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through
 Resulting in the following ip6tables rules:
-.. code-block:: sh
+.. code-block:: console
  Chain VYOS_DNPT_HOOK (1 references)
   pkts bytes target   prot opt in   out   source              destination
@ -368,14 +368,14 @@ but which are not actually assigned to a real network.
 We only need a single step for this interface:
-.. code-block:: sh
+.. code-block:: console
  set interfaces dummy dum0 address '172.29.41.89/32'
 NAT Configuration
 *****************
-.. code-block:: sh
+.. code-block:: console
  set nat source rule 110 description 'Internal to ASP'
  set nat source rule 110 destination address '172.27.1.0/24'
@ -408,7 +408,7 @@ The ASP has documented their IPSec requirements:
 Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above)
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec ike-group my-ike ikev2-reauth 'no'
  set vpn ipsec ike-group my-ike key-exchange 'ikev1'
@ -433,7 +433,7 @@ We'll use the IKE and ESP groups created above for this VPN.
 Because we need access to 2 different subnets on the far side, we will need two different tunnels.
 If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too.
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE'
@ -454,7 +454,7 @@ If you've completed all the above steps you no doubt want to see if it's all wor
 Start by checking for IPSec SAs (Security Associations) with:
-.. code-block:: sh
+.. code-block:: console
  $ show vpn ipsec sa
--- a/docs/qos.rst
+++ b/docs/qos.rst
@ -31,7 +31,7 @@ Such configuration takes place under the `traffic-policy` tree.
 Available subtrees :
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy drop-tail NAME
  set traffic-policy fair-queue NAME
@ -49,7 +49,7 @@ Apply traffic policy to an interface
 Once a traffic-policy is created, you can apply it to an interface :
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 traffic-policy in WAN-IN
  set interfaces etherhet eth0 traffic-policy out WAN-OUT
@ -67,7 +67,7 @@ traffic that needs the bandwidth, the lower-priority traffic can use most of the
 that the connection can be used fully by whatever wants it, without suffocating real-time traffic or 
 throttling background traffic too much.
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper download bandwidth '175mbit'
  set traffic-policy shaper download class 10 bandwidth '10%'
@ -1203,13 +1203,13 @@ Matching traffic
 A class can have multiple match filters:
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy <POLICY> <POLICY-NAME> class N match MATCH-FILTER-NAME
 Example:
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper SHAPER class 30 match HTTP
  set traffic-policy shaper SHAPER class 30 match HTTPs
@ -1218,7 +1218,7 @@ A match filter contains multiple criteria and will match traffic if all those cr
 For example:
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp
  set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80
@ -1228,14 +1228,14 @@ This will match tcp traffic with source port 80.
 description
 ***********
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper SHAPER class 30 match MATCH description "match filter description"
 ether
 *****
-.. code-block:: sh
+.. code-block:: console
  edit traffic-policy shaper SHAPER class 30 match MATCH ether
@ -1251,20 +1251,20 @@ source
 interface
 *********
-.. code-block:: sh
+.. code-block:: console
  edit traffic-policy shaper SHAPER class 30 match MATCH interface <interface-name>
 ip
 **
-.. code-block:: sh
+.. code-block:: console
  edit traffic-policy shaper SHAPER class 30 match MATCH ip
 destination
 ###########
-.. code-block:: sh
+.. code-block:: console
 set destination address IPv4-SUBNET
 set destination port U32-PORT
@ -1272,14 +1272,14 @@ destination
 dscp
 ####
-.. code-block:: sh
+.. code-block:: console
  set dscp DSCPVALUE
 max-length
 ##########
-.. code-block:: sh
+.. code-block:: console
  set max-length U32-MAXLEN
@ -1288,14 +1288,14 @@ Will match ipv4 packets with a total length lesser than set value.
 protocol
 ########
-.. code-block:: sh
+.. code-block:: console
  set protocol <IP PROTOCOL>
 source
 ######
-.. code-block:: sh
+.. code-block:: console
  set source address IPv4-SUBNET
  set source port U32-PORT
@ -1308,13 +1308,13 @@ tcp
 .. note:: This filter will only match packets with an IPv4 header length of
   20 bytes (which is the majority of IPv4 packets anyway).
-.. code-block:: sh
+.. code-block:: console
 set tcp ack
 Will match tcp packets with ACK flag set.
-.. code-block:: sh
+.. code-block:: console
  set tcp syn
@ -1323,14 +1323,14 @@ Will match tcp packets with SYN flag set.
 ipv6
 ****
-.. code-block:: sh
+.. code-block:: console
  edit traffic-policy shaper SHAPER class 30 match MATCH ipv6
 destination
 ###########
- .. code-block:: sh
+ .. code-block:: console
  set destination address IPv6-SUBNET
  set destination port U32-PORT
@ -1338,14 +1338,14 @@ destination
 dscp
 ####
-.. code-block:: sh
+.. code-block:: console
  set dscp DSCPVALUE
 max-length
 ##########
-.. code-block:: sh
+.. code-block:: console
  set max-length U32-MAXLEN
@ -1354,14 +1354,14 @@ Will match ipv6 packets with a payload length lesser than set value.
 protocol
 ########
-.. code-block:: sh
+.. code-block:: console
  set protocol IPPROTOCOL
 source
 ######
-.. code-block:: sh
+.. code-block:: console
  set source address IPv6-SUBNET
  set source port U32-PORT
@ -1375,13 +1375,13 @@ tcp
   http://en.wikipedia.org/wiki/IPv6_packet#Extension_headers for no header
   extension.
-.. code-block:: sh
+.. code-block:: console
  set tcp ack
 Will match tcp packets with ACK flag set.
-.. code-block:: sh
+.. code-block:: console
  set tcp syn
@ -1390,18 +1390,18 @@ Will match tcp packets with SYN flag set.
 mark
 ****
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper SHAPER class 30 match MATCH mark **firewall-mark**
 vif
 ***
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper SHAPER class 30 match MATCH vif **vlan-tag**
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'
  set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@ -9,14 +9,14 @@ for a device with two interfaces.
 Enter configuration mode:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos$ configure
  vyos@vyos#
 Configure network interfaces:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address dhcp
  set interfaces ethernet eth0 description 'OUTSIDE'
@ -25,14 +25,14 @@ Configure network interfaces:
 Enable SSH for remote management:
-.. code-block:: sh
+.. code-block:: console
  set service ssh port '22'
 Configure DHCP Server and DNS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
  set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
@ -43,7 +43,7 @@ Configure DHCP Server and DNS
 And a DNS forwarder:
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding cache-size '0'
  set service dns forwarding listen-address '192.168.0.1'
@ -55,7 +55,7 @@ NAT and Firewall
 Configure Source NAT for our "Inside" network.
-.. code-block:: sh
+.. code-block:: console
  set nat source rule 100 outbound-interface 'eth0'
  set nat source rule 100 source address '192.168.0.0/24'
@ -65,7 +65,7 @@ Add a set of firewall policies for our "Outside" interface.
 This configuration creates a proper stateful firewall that blocks all traffic:
-.. code-block:: sh
+.. code-block:: console
  set firewall name OUTSIDE-IN default-action 'drop'
  set firewall name OUTSIDE-IN rule 10 action 'accept'
@ -86,7 +86,7 @@ could create some additional rules to allow the traffic.
 These rules allow SSH traffic and rate limit it to 4 requests per minute. This
 blocks brute-forcing attempts:
-.. code-block:: sh
+.. code-block:: console
  set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
  set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
@ -101,14 +101,14 @@ blocks brute-forcing attempts:
 Apply the firewall policies:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
  set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
 Commit changes, save the configuration, and exit configuration mode:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# commit
  vyos@vyos# save
@ -127,7 +127,7 @@ One common use of traffic policy is to limit bandwidth for an interface. In
 the example below we limit bandwidth for our LAN connection to 200 Mbit
 download and out WAN connection to 50 Mbit upload:
-.. code-block:: sh
+.. code-block:: console
  set traffic-policy shaper WAN-OUT bandwidth '50Mbit'
  set traffic-policy shaper WAN-OUT default bandwidth '50%'
@ -140,7 +140,7 @@ download and out WAN connection to 50 Mbit upload:
 Resulting in the following configuration:
-.. code-block:: sh
+.. code-block:: console
  traffic-policy {
      shaper WAN-OUT {
@ -164,7 +164,7 @@ Resulting in the following configuration:
 Once defined, a traffic policy can be applied to each interface using the
 interface-level traffic-policy directive:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'
  set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'
@ -184,7 +184,7 @@ additional configuration steps that should be taken.
 Create a user to replace the default `vyos` user:
-.. code-block:: sh
+.. code-block:: console
  set system login user myvyosuser level admin
  set system login user myvyosuser authentication plaintext-password mysecurepassword
@ -192,7 +192,7 @@ Create a user to replace the default `vyos` user:
 Set up SSH key based authentication. For example, on Linux you'd want to run
 ``ssh-keygen -t rsa``. Then the contents of ``id_rsa.pub`` would be used below:
-.. code-block:: sh
+.. code-block:: console
  set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa
  set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub
@ -204,7 +204,7 @@ confirmed that your new user can access your server, without a password, delete
 the original ``vyos`` user and probably disable password authentication for
 SSH:
-.. code-block:: sh
+.. code-block:: console
  delete system login user vyos
  set service ssh disable-password-authentication
--- a/docs/routing/arp.rst
+++ b/docs/routing/arp.rst
@ -31,7 +31,7 @@ Operation
 Display all known ARP table entries spanning accross all interfaces
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show protocols static arp
  Address                  HWtype  HWaddress           Flags Mask     Iface
@ -43,7 +43,7 @@ Display all known ARP table entries spanning accross all interfaces
 Display all known ARP table entries on a given interface only (`eth1`):
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show protocols static arp interface eth1
  Address                  HWtype  HWaddress           Flags Mask     Iface
--- a/docs/routing/bgp.rst
+++ b/docs/routing/bgp.rst
@ -15,7 +15,7 @@ A simple eBGP configuration:
 **Node 1:**
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2'
  set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535'
@ -25,7 +25,7 @@ A simple eBGP configuration:
 **Node 2:**
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2'
  set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534'
@ -40,13 +40,13 @@ creating a static route:**
 **Node 1:**
-.. code-block:: sh
+.. code-block:: console
  set protocols static route 172.16.0.0/16 blackhole distance '254'
 **Node 2:**
-.. code-block:: sh
+.. code-block:: console
  set protocols static route 172.17.0.0/16 blackhole distance '254'
@ -58,7 +58,7 @@ A simple BGP configuration via IPv6.
 **Node 1:**
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2'
  set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535'
@ -69,7 +69,7 @@ A simple BGP configuration via IPv6.
 **Node 2:**
-.. code-block:: sh
+.. code-block:: console
  set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2'
  set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534'
@ -84,13 +84,13 @@ creating a static route:**
 **Node 1:**
-.. code-block:: sh
+.. code-block:: console
  set protocols static route6 2001:db8:1::/48 blackhole distance '254'
 **Node 2:**
-.. code-block:: sh
+.. code-block:: console
  set protocols static route6 2001:db8:2::/48 blackhole distance '254'
@ -101,7 +101,7 @@ Route filter can be applied using a route-map:
 **Node1:**
-.. code-block:: sh
+.. code-block:: console
  set policy prefix-list AS65535-IN rule 10 action 'permit'
  set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16'
@ -124,7 +124,7 @@ Route filter can be applied using a route-map:
 **Node2:**
-.. code-block:: sh
+.. code-block:: console
  set policy prefix-list AS65534-IN rule 10 action 'permit'
  set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16'
--- a/docs/routing/igmp-proxy.rst
+++ b/docs/routing/igmp-proxy.rst
@ -14,7 +14,7 @@ simple example:
 Interface eth1 LAN is behind NAT. In order to subscribe 10.0.0.0/23 subnet multicast which is in eth0 WAN we need igmp-proxy.
-.. code-block:: sh
+.. code-block:: console
  # show protocols igmp-proxy 
  interface eth0 {
--- a/docs/routing/mss-clamp.rst
+++ b/docs/routing/mss-clamp.rst
@ -9,7 +9,7 @@ to clamp your TCP MSS value for IPv4 and IPv6.
 Clamping can be disabled per interface using the `disable` keyword:
-.. code-block:: sh
+.. code-block:: console
  set firewall options interface pppoe0 disable
@ -19,7 +19,7 @@ IPv4
 Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372`
 for your WireGuard `wg02` tunnel.
-.. code-block:: sh
+.. code-block:: console
  set firewall options interface pppoe0 adjust-mss '1452'
  set firewall options interface wg02 adjust-mss '1372'
@ -32,7 +32,7 @@ Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and
 To achieve the same for IPv6 please use:
-.. code-block:: sh
+.. code-block:: console
  set firewall options interface pppoe0 adjust-mss6 '1280'
  set firewall options interface wg02 adjust-mss6 '1280'
--- a/docs/routing/ospf.rst
+++ b/docs/routing/ospf.rst
@ -19,13 +19,13 @@ OSPFv2 (IPv4)
 In order to have a VyOS system exchanging routes with OSPF neighbors, you will
 at least need to configure the area and a network,
-.. code-block:: sh
+.. code-block:: console
  set protocols ospf area 0 network 192.168.0.0/24
 as well as the router ID.
-.. code-block:: sh
+.. code-block:: console
  set protocols ospf parameters router-id 10.1.1.1
@ -36,7 +36,7 @@ address and the node 1 sending the default route:
 **Node 1**
-.. code-block:: sh
+.. code-block:: console
  set interfaces loopback lo address 10.1.1.1/32
  set protocols ospf area 0 network 192.168.0.0/24
@ -53,7 +53,7 @@ address and the node 1 sending the default route:
 **Node 2**
-.. code-block:: sh
+.. code-block:: console
  set interfaces loopback lo address 10.2.2.2/32
  set protocols ospf area 0 network 192.168.0.0/24
@ -72,7 +72,7 @@ A typical configuration using 2 nodes.
 **Node 1:**
-.. code-block:: sh
+.. code-block:: console
  set protocols ospfv3 area 0.0.0.0 interface eth1
  set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
@ -81,7 +81,7 @@ A typical configuration using 2 nodes.
 **Node 2:**
-.. code-block:: sh
+.. code-block:: console
  set protocols ospfv3 area 0.0.0.0 interface eth1
  set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
@ -96,7 +96,7 @@ Example configuration for WireGuard interfaces:
 **Node 1**
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64'
  set interfaces wireguard wg01 address '192.168.0.1/24'
@ -111,7 +111,7 @@ Example configuration for WireGuard interfaces:
 **Node 2**
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64'
  set interfaces wireguard wg01 address '192.168.0.2/24'
@ -126,7 +126,7 @@ Example configuration for WireGuard interfaces:
 **Status**
-.. code-block:: sh
+.. code-block:: console
  vyos@ospf01:~$ sh ipv6 ospfv3 neighbor
  Neighbor ID     Pri    DeadTime    State/IfState         Duration I/F[State]
--- a/docs/routing/pbr.rst
+++ b/docs/routing/pbr.rst
@ -13,7 +13,7 @@ Transparent Proxy
 The following example will show how VyOS can be used to redirect web traffic to
 an external transparent proxy:
-.. code-block:: sh
+.. code-block:: console
  set policy route FILTER-WEB rule 1000 destination port 80
  set policy route FILTER-WEB rule 1000 protocol tcp
@ -26,7 +26,7 @@ default routing table.
 To create routing table 100 and add a new default gateway to be used by
 traffic matching our route policy:
-.. code-block:: sh
+.. code-block:: console
  set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2
@ -35,7 +35,7 @@ This can be confirmed using the show ip route table 100 operational command.
 Finally, to apply the policy route to ingress traffic on our LAN interface,
 we use:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth1 policy route FILTER-WEB
@ -62,14 +62,14 @@ Routing tables that will be used in this example are:
 Add default routes for routing ``table 10`` and ``table 11``
-.. code-block:: sh
+.. code-block:: console
  set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.1.1
  set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2
 Add policy route matching VLAN source addresses
-.. code-block:: sh
+.. code-block:: console
  set policy route PBR rule 20 set table '10'
  set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10'
@ -81,7 +81,7 @@ Add policy route matching VLAN source addresses
 Apply routing policy to **inbound** direction of out VLAN interfaces
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 vif 10 policy route 'PBR'
  set interfaces ethernet eth0 vif 11 policy route 'PBR'
@ -89,7 +89,7 @@ Apply routing policy to **inbound** direction of out VLAN interfaces
 **OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR
-.. code-block:: sh
+.. code-block:: console
  set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'
  set policy route PBR rule 10 destination address '192.168.188.0/24'
--- a/docs/routing/rip.rst
+++ b/docs/routing/rip.rst
@ -19,7 +19,7 @@ Simple RIP configuration using 2 nodes and redistributing connected interfaces.
 **Node 1:**
-.. code-block:: sh
+.. code-block:: console
  set interfaces loopback address 10.1.1.1/32
  set protocols rip network 192.168.0.0/24
@ -27,7 +27,7 @@ Simple RIP configuration using 2 nodes and redistributing connected interfaces.
 **Node 2:**
-.. code-block:: sh
+.. code-block:: console
  set interfaces loopback address 10.2.2.2/32
  set protocols rip network 192.168.0.0/24
--- a/docs/routing/routing-policy.rst
+++ b/docs/routing/routing-policy.rst
@ -15,7 +15,7 @@ Routing Policy Example
 **Policy definition:**
-.. code-block:: sh
+.. code-block:: console
  #Create policy
  set policy route-map setmet rule 2 action 'permit'
@ -29,7 +29,7 @@ Routing Policy Example
 **Routes learned before routing policy applied:**
-.. code-block:: sh
+.. code-block:: console
  vyos@vos1:~$ show ip bgp
  BGP table version is 0, local router ID is 192.168.56.101
@ -44,7 +44,7 @@ Routing Policy Example
 **Routes learned after routing policy applied:**
-.. code-block:: sh
+.. code-block:: console
  vyos@vos1:~$ sho ip b
  BGP table version is 0, local router ID is 192.168.56.101
--- a/docs/routing/static.rst
+++ b/docs/routing/static.rst
@ -9,7 +9,7 @@ Static routes are manually configured network routes.
 A typical use for a static route is a static default route for systems that do
 not make use of DHCP or dynamic routing protocols:
-.. code-block:: sh
+.. code-block:: console
  set protocols static route 0.0.0.0/0 next-hop 10.1.1.1 distance '1'
@ -19,7 +19,7 @@ example below, :rfc:`1918` networks are set as blackhole routes.
 This prevents these networks leaking out public interfaces, but it does not prevent
 them from being used as the most specific route has the highest priority.
-.. code-block:: sh
+.. code-block:: console
  set protocols static route 10.0.0.0/8 blackhole distance '254'
  set protocols static route 172.16.0.0/12 blackhole distance '254'
--- a/docs/services/conntrack.rst
+++ b/docs/services/conntrack.rst
@ -27,7 +27,7 @@ will be mandatorily defragmented.
 Configuration
 ^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  # Protocols only for which local conntrack entries will be synced (tcp, udp, icmp, sctp)
  set service conntrack-sync accept-protocol
@ -69,20 +69,20 @@ The next exemple is a simple configuration of conntrack-sync.
 First of all, make sure conntrack is enabled by running
-.. code-block:: sh
+.. code-block:: console
  show conntrack table ipv4
 If the table is empty and you have a warning message, it means conntrack is not
 enabled. To enable conntrack, just create a NAT or a firewall rule.
-.. code-block:: sh
+.. code-block:: console
  set firewall state-policy established action accept
 You now should have a conntrack table
-.. code-block:: sh
+.. code-block:: console
  $ show conntrack table ipv4
  TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
@ -99,7 +99,7 @@ You now should have a conntrack table
 Now configure conntrack-sync service on ``router1`` **and** ``router2``
-.. code-block:: sh
+.. code-block:: console
  set service conntrack-sync accept-protocol 'tcp,udp,icmp'
  set service conntrack-sync event-listen-queue-size '8'
@ -110,7 +110,7 @@ Now configure conntrack-sync service on ``router1`` **and** ``router2``
 If you are using VRRP, you need to define a VRRP sync-group, and use ``vrrp sync-group`` instead of ``cluster group``.
-.. code-block:: sh
+.. code-block:: console
  set high-availablilty vrrp group internal virtual-address ... etc ...
  set high-availability vrrp sync-group syncgrp member 'internal'
@ -123,7 +123,7 @@ the external-cache of the standby router
 On active router run:
-.. code-block:: sh
+.. code-block:: console
  $ show conntrack-sync statistics
--- a/docs/services/dhcp.rst
+++ b/docs/services/dhcp.rst
@ -28,20 +28,18 @@ Prerequisites:
 Multiple DHCP ranges can be defined and may contain holes.
-.. code-block:: sh
+.. code-block:: console
-  edit service dhcp-server shared-network-name '<name>'
+  set service dhcp-server shared-network-name '<name>' authoritative
-  set authoritative
+  set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 default-router 192.0.2.1
-  set subnet 192.0.2.0/24 default-router 192.0.2.1
+  set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 dns-server 192.0.2.1
-  set subnet 192.0.2.0/24 dns-server 192.0.2.1
+  set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 lease 86400
-  set subnet 192.0.2.0/24 lease 86400
+  set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 range 0 start 192.0.2.100
-  set subnet 192.0.2.0/24 range 0 start 192.0.2.100
+  set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 range 0 stop 192.0.2.199
  set subnet 192.0.2.0/24 range 0 stop 192.0.2.199
  exit
 The generated config will look like:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show service dhcp-server shared-network-name '<name>'
  authoritative
@ -99,7 +97,7 @@ Failover
 VyOS provides support for DHCP failover:
-.. code-block:: sh
+.. code-block:: console
  set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' \
      failover local-address '192.0.2.1'
@ -113,14 +111,14 @@ VyOS provides support for DHCP failover:
 The primary and secondary statements determines whether the server is
 primary or secondary
-.. code-block:: sh
+.. code-block:: console
  set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' \
      failover status 'primary'
 or
-.. code-block:: sh
+.. code-block:: console
  set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' \
      failover status 'secondary'
@ -239,7 +237,7 @@ server. The following example describes a common scenario.
 * Address pool shall be ``2001:db8::100`` through ``2001:db8::199``.
 * Lease time will be left at the default value which is 24 hours
-.. code-block:: sh
+.. code-block:: console
  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 \
      address-range start 2001:db8::100 stop 2001:db8::199
@ -248,7 +246,7 @@ server. The following example describes a common scenario.
 The configuration will look as follows:
-.. code-block:: sh
+.. code-block:: console
  show service dhcpv6-server
      shared-network-name NET1 {
@ -277,7 +275,7 @@ be created. The following example explains the process.
 .. hint:: The MAC address identifier is defined by the last 4 byte of the
   MAC address.
-.. code-block:: sh
+.. code-block:: console
  set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 \
      static-mapping client1 ipv6-address 2001:db8::101
@ -286,7 +284,7 @@ be created. The following example explains the process.
 The configuration will look as follows:
-.. code-block:: sh
+.. code-block:: console
  show service dhcp-server shared-network-name NET1
     shared-network-name NET1 {
@ -364,7 +362,7 @@ Example
 The generated configuration will look like:
-.. code-block:: sh
+.. code-block:: console
  show service dhcp-relay
      interface eth1
@ -442,7 +440,7 @@ Example
 The generated configuration will look like:
-.. code-block:: sh
+.. code-block:: console
  commit
  show service dhcpv6-relay
--- a/docs/services/dns-forwarding.rst
+++ b/docs/services/dns-forwarding.rst
@ -5,33 +5,33 @@ Use DNS forwarding if you want your router to function as a DNS server for the
 local network. There are several options, the easiest being 'forward all
 traffic to the system DNS server(s)' (defined with set system name-server):
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding system
 Manually setting DNS servers for forwarding:
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding name-server 8.8.8.8
  set service dns forwarding name-server 8.8.4.4
 Manually setting DNS servers with IPv6 connectivity:
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding name-server 2001:4860:4860::8888
  set service dns forwarding name-server 2001:4860:4860::8844
 Setting a forwarding DNS server for a specific domain:
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding domain example.com server 192.0.2.1
 Set which networks or clients are allowed to query the DNS Server. Allow from all:
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding allow-from 0.0.0.0/0
@ -44,7 +44,7 @@ Router with two interfaces eth0 (WAN link) and eth1 (LAN). Split DNS for example
 * Other DNS requests are forwarded to Google's DNS servers.
 * The IP address for the LAN interface is 192.168.0.1.
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding domain example.com server 192.0.2.1
  set service dns forwarding name-server 8.8.8.8
@ -60,7 +60,7 @@ servers.
 The IP addresses for the LAN interface are 192.168.0.1 and 2001:db8::1
-.. code-block:: sh
+.. code-block:: console
  set service dns forwarding domain example.com server 192.0.2.1
  set service dns forwarding name-server 8.8.8.8
--- a/docs/services/dynamic-dns.rst
+++ b/docs/services/dynamic-dns.rst
@ -16,44 +16,44 @@ VyOS CLI and RFC2136
 First, create an :rfc:`2136` config node :
-.. code-block:: sh
+.. code-block:: console
  edit service dns dynamic interface eth0 rfc2136 <confignodename>
 Present your RNDC key to ddclient :
-.. code-block:: sh
+.. code-block:: console
  set key /config/dyndns/mydnsserver.rndc.key
 Set the DNS server IP/FQDN :
-.. code-block:: sh
+.. code-block:: console
  set server dns.mydomain.com
 Set the NS zone to be updated :
-.. code-block:: sh
+.. code-block:: console
  set zone mydomain.com
 Set the records to be updated :
-.. code-block:: sh
+.. code-block:: console
  set record dyn
  set record dyn2
 You can optionally set a TTL (note : default value is 600 seconds) :
-.. code-block:: sh
+.. code-block:: console
  set ttl 600
 This will generate the following ddclient config blocks:
-.. code-block:: sh
+.. code-block:: console
  server=dns.mydomain.com
  protocol=nsupdate
@ -70,7 +70,7 @@ This will generate the following ddclient config blocks:
 You can also keep a different dns zone updated. Just create a new config node:
-.. code-block:: sh
+.. code-block:: console
  edit service dns dynamic interface eth0 rfc2136 <confignode2>
@ -83,7 +83,7 @@ by ddclient.
 To use such a service, you must define a login, a password, one or multiple
 hostnames, a protocol and a server.
-.. code-block:: sh
+.. code-block:: console
  edit service dns dynamic interface eth0 service HeNet
  set login my-login # set password my-password
@ -107,7 +107,7 @@ the services VyOS knows about:
 To use DynDNS for example:
-.. code-block:: sh
+.. code-block:: console
  edit service dns dynamic interface eth0 service dyndns
  set login my-login
@ -116,7 +116,7 @@ To use DynDNS for example:
 It's possible to use multiple services :
-.. code-block:: sh
+.. code-block:: console
  edit service dns dynamic interface eth0 service dyndns
  set login my-login
@ -139,7 +139,7 @@ record will be updated to point to your internal IP.
 ddclient_ has another way to determine the WAN IP address. This is controlled
 by these two options:
-.. code-block:: sh
+.. code-block:: console
  set service dns dynamic interface eth0 use-web url
  set service dns dynamic interface eth0 use-web skip
--- a/docs/services/ipoe-server.rst
+++ b/docs/services/ipoe-server.rst
@ -17,7 +17,7 @@ The clients mac address and the incoming interface is being used as control para
 The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06.
 Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration.
-.. code-block:: sh
+.. code-block:: console
  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06
  set service ipoe-server authentication mode 'local'
@ -29,7 +29,7 @@ Other DHCP discovery requests will be ignored, unless the client mac has been en
 The first address of the parameter ``client-subnet``, will be used as the default gateway. 
 Connected sessions can be checked via the ``show ipoe-server sessions`` command.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show ipoe-server sessions
@ -46,7 +46,7 @@ for devices routed via the clients cpe.
 IPv6 DNS addresses are optional.
-.. code-block:: sh
+.. code-block:: console
  set service ipoe-server authentication interface eth3 mac-address 08:00:27:2F:D8:06
  set service ipoe-server authentication mode 'local'
@ -57,7 +57,7 @@ IPv6 DNS addresses are optional.
  set service ipoe-server dnsv6-server server-3 '2001:db8:bbb::'
  set service ipoe-server interface eth3 client-subnet '192.168.1.0/24'
-.. code-block:: sh
+.. code-block:: console
  vyos@ipoe-server# run sh ipoe-server sessions 
  ifname | called-sid |    calling-sid    |     ip      |               ip6               | ip6-dp          | rate-limit | state  |  uptime  |        sid       
@ -74,7 +74,7 @@ Automatic VLAN creation
 To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time.
-.. code-block:: sh
+.. code-block:: console
  set service ipoe-server interface eth2 network vlan
  set service ipoe-server interface eth2 vlan-id 100
@ -88,7 +88,7 @@ RADIUS Setup
 To use a RADIUS server for authentication and bandwidth-shaping, the following example configuration can be used.
-.. code-block:: sh
+.. code-block:: console
  set service ipoe-server authentication mode 'radius'
  set service ipoe-server authentication radius-server 10.100.100.1 secret 'password'
@ -105,7 +105,7 @@ Bandwidth Shaping for local users
 The rate-limit is set in kbit/sec.
-.. code-block:: sh
+.. code-block:: console
  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit download '500'
  set service ipoe-server authentication interface eth2 mac-address 08:00:27:2f:d8:06 rate-limit upload '500'
@ -115,7 +115,7 @@ The rate-limit is set in kbit/sec.
  set service ipoe-server interface eth2 client-subnet '192.168.0.0/24'
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# run show ipoe-server sessions 
--- a/docs/services/lldp.rst
+++ b/docs/services/lldp.rst
@ -74,7 +74,7 @@ Display neighbors
 Exemple:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~# show lldp neighbors
  Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station
--- a/docs/services/mdns-repeater.rst
+++ b/docs/services/mdns-repeater.rst
@ -12,14 +12,14 @@ multiple VLANs.
 To enable mDNS repeater you need to configure at least two interfaces. To re-
 broadcast all mDNS packets from `eth0` to `eth1` and vice versa run:
-.. code-block:: sh
+.. code-block:: console
  set service mdns repeater interface eth0
  set service mdns repeater interface eth1
 mDNS repeater can be temporarily disabled without deleting the service using
-.. code-block:: sh
+.. code-block:: console
  set service mdns repeater disable
--- a/docs/services/pppoe-server.rst
+++ b/docs/services/pppoe-server.rst
@ -15,7 +15,7 @@ The example below uses ACN as access-concentrator name, assigns an address
 from the pool 10.1.1.100-111, terminates at the local endpoint 10.1.1.1 and
 serves requests only on eth1.
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server access-concentrator 'ACN'
  set service pppoe-server authentication local-users username foo password 'bar'
@ -30,7 +30,7 @@ serves requests only on eth1.
 Connections can be locally checked via the command
-.. code-block:: sh
+.. code-block:: console
  show pppoe-server sessions
  ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes 
@ -48,7 +48,7 @@ If the CIDR notation is used, multiple subnets can be setup which are used seque
 **Client IP address via IP range definition**
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server client-ip-pool start '10.1.1.100'
  set service pppoe-server client-ip-pool stop '10.1.1.111'
@ -56,7 +56,7 @@ If the CIDR notation is used, multiple subnets can be setup which are used seque
 **Client IP subnets via CIDR notation**
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server client-ip-pool subnet '10.1.1.0/24'
  set service pppoe-server client-ip-pool subnet '10.1.2.0/24'
@ -70,7 +70,7 @@ To use a radius server, you need to switch to authentication mode radius and
 of course need to specify an IP for the server. You can have multiple RADIUS
 server configured, if you wish to achieve redundancy.
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server access-concentrator 'ACN'
  set service pppoe-server authentication mode 'radius'
@ -84,7 +84,7 @@ RADIUS provides the IP addresses in the example above via Framed-IP-Address.
 For remotely disconnect sessions and change some authentication parameters you can configure dae-server
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server authentication radius-settings dae-server ip-address '10.1.1.2'
  set service pppoe-server authentication radius-settings dae-server port '3799'
@ -92,20 +92,20 @@ For remotely disconnect sessions and change some authentication parameters you c
 Example, from radius-server send command for disconnect client with username test
-.. code-block:: sh
+.. code-block:: console
  root@radius-server:~# echo "User-Name=test" | radclient -x 10.1.1.2:3799 disconnect secret123
 You can also use another attributes for identify client for disconnect, like Framed-IP-Address, Acct-Session-Id, etc.
 Result commands appears in log
-.. code-block:: sh
+.. code-block:: console
  show log | match Disconnect*
 Example for changing rate-limit via RADIUS CoA
-.. code-block:: sh
+.. code-block:: console
  echo "User-Name=test,Filter-Id=5000/4000" | radclient 10.1.1.2:3799 coa secret123
@ -119,7 +119,7 @@ Automatic VLAN creation
 VLAN's can be created by accel-ppp on the fly if via the use of the kernel module vlan_mon, which is monitoring incoming vlans and creates the necessary VLAN if required and allowed.
 VyOS supports the use of either VLAN ID's or entire ranges, both values can be defined at the same time for an interface.
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server interface eth3 vlan-id 100
  set service pppoe-server interface eth3 vlan-id 200
@ -141,7 +141,7 @@ Bandwidth Shaping for local users
 The rate-limit is set in kbit/sec.
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server access-concentrator 'ACN'
  set service pppoe-server authentication local-users username foo password 'bar'
@ -158,7 +158,7 @@ The rate-limit is set in kbit/sec.
 Once the user is connected, the user session is using the set limits and can be displayed via 'show pppoe-server sessions'.
-.. code-block:: sh
+.. code-block:: console
  show pppoe-server sessions
  ifname | username |     ip     |    calling-sid    | rate-limit  | state  |  uptime  | rx-bytes | tx-bytes
@ -175,7 +175,7 @@ Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate
 The command below enables it, assuming the RADIUS connection has been setup and is working.
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server authentication radius-settings rate-limit enable
@ -191,7 +191,7 @@ Dual-stack provisioning with IPv6 PD via pppoe
 The example below covers a dual-stack configuration via pppoe-server.
-.. code-block:: sh
+.. code-block:: console
  set service pppoe-server authentication local-users username test password 'test'
  set service pppoe-server authentication mode 'local'
@ -207,7 +207,7 @@ The example below covers a dual-stack configuration via pppoe-server.
 The client, once successfully authenticated, will receive an IPv4 and an IPv6 /64 address, to terminate the pppoe endpoint on the client side and a /56 subnet for the clients internal use.
-.. code-block:: sh
+.. code-block:: console
  vyos@pppoe-server:~$ sh pppoe-server sessions 
   ifname | username |     ip      |            ip6           |       ip6-dp        |    calling-sid    | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--- a/docs/services/snmp.rst
+++ b/docs/services/snmp.rst
@ -90,7 +90,7 @@ plain text.
 Example
 *******
-.. code-block:: sh
+.. code-block:: console
  # Define a community
  set service snmp community routers authorization ro
@ -139,7 +139,7 @@ The securityapproach in v3 targets:
 Example
 *******
-.. code-block:: sh
+.. code-block:: console
  set service snmp v3 engineid '0x0aa0d6c6f450'
  set service snmp v3 group defaultgroup mode 'ro'
@ -160,7 +160,7 @@ After commit the resulting configuration will look like:
 .. note:: SNMPv3 keys won't we stored in plaintext. On ``commit`` the keys
   will be encrypted and the encrypted key is based on the engineid!
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show service snmp
   v3 {
@ -200,7 +200,7 @@ vyos@your_router:/config/user-data``. Once the script is uploaded, it needs to
 be configured via the command below.
-.. code-block:: sh
+.. code-block:: console
  set service snmp script-extensions extension-name my-extension script your_script.sh
  commit
@ -209,7 +209,7 @@ be configured via the command below.
 The OID ``.1.3.6.1.4.1.8072.1.3.2.3.1.1.4.116.101.115.116``, once called, will
 contain the output of the extension.
-.. code-block:: sh
+.. code-block:: console
  root@vyos:/home/vyos# snmpwalk -v2c  -c public 127.0.0.1 nsExtendOutput1
  NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."my-extension" = STRING: hello
@ -226,7 +226,7 @@ Templates Management. A template for VyOS can be easily imported.
 Create a file named ``VyOS-1.3.6.1.4.1.44641.ConfigMgmt-Commands`` using the
 following content:
-.. code-block:: sh
+.. code-block:: console
  <Configuration-Management Device="VyOS" SystemOID="1.3.6.1.4.1.44641">
      <Commands>
--- a/docs/services/ssh.rst
+++ b/docs/services/ssh.rst
@ -30,7 +30,7 @@ Configuration
 Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is
 the port you want SSH to listen on. By default, SSH runs on port 22.
-.. code-block:: sh
+.. code-block:: console
  set service ssh port 22
@ -130,7 +130,7 @@ line. The third part is simply an identifier, and is for your own reference.
 Under the user (in this example, ``vyos``), add the public key and the type.
 The `identifier` is simply a string that is relevant to you.
-.. code-block:: sh
+.. code-block:: console
  set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."
  set system login user vyos authentication public-keys 'identifier' type ssh-rsa"
@ -139,7 +139,7 @@ You can assign multiple keys to the same user by changing the identifier. In
 the following example, both Unicron and xrobau will be able to SSH into VyOS
 as the ``vyos`` user using their own keys.
-.. code-block:: sh
+.. code-block:: console
  set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."
  set system login user vyos authentication public-keys 'Unicron' type ssh-rsa
--- a/docs/services/sstp-server.rst
+++ b/docs/services/sstp-server.rst
@ -24,7 +24,7 @@ Self Signed CA and server certificates
 To generate the CA, the server private key and certificates the following
 commands can be used.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ conf
  [edit]
@ -60,7 +60,7 @@ The example below will answer configuration request for the user ``foo``.
 Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically
 looks for all files and directories in ``/config/user-data/sstp``.
-.. code-block:: sh
+.. code-block:: console
  edit service sstp-server
  set authentication local-users username foo password 'bar'
--- a/docs/services/tftp.rst
+++ b/docs/services/tftp.rst
@ -10,7 +10,7 @@ simple to implement.
 Example
 ^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  # If you want to enable uploads, else TFTP server will act as read-only (optional)
  set service tftp-server allow-upload
@ -30,7 +30,7 @@ Example
 The resulting configuration will look like:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show service
   tftp-server {
--- a/docs/services/udp-broadcast-relay.rst
+++ b/docs/services/udp-broadcast-relay.rst
@ -14,7 +14,7 @@ support 99 IDs!
 Example #1: To forward all broadcast packets received on `UDP port 1900` on
 `eth3`, `eth4` or `eth5` to all other interfaces in this configuration.
-.. code-block:: sh
+.. code-block:: console
  set service broadcast-relay id 1 description 'SONOS'
  set service broadcast-relay id 1 interface 'eth3'
@ -25,7 +25,7 @@ Example #1: To forward all broadcast packets received on `UDP port 1900` on
 Example #2: To Forward all broadcasts packets received on `UDP port 6969` on
 `eth3` or `eth4` to the other interface in this configuration.
-.. code-block:: sh
+.. code-block:: console
  set service broadcast-relay id 2 description 'SONOS MGMT'
  set service broadcast-relay id 2 interface 'eth3'
@ -38,14 +38,14 @@ Disable Instance(s)
 Each broadcast relay instance can be individually disabled without deleting the
 configured node by using the following command:
-.. code-block:: sh
+.. code-block:: console
  set service broadcast-relay id <n> disable
 In addition you can also disable the whole service without removing the
 configuration by:
-.. code-block:: sh
+.. code-block:: console
  set service broadcast-relay disable
--- a/docs/services/webproxy.rst
+++ b/docs/services/webproxy.rst
@ -19,7 +19,7 @@ URL Filtering is provided by Squidguard_.
 Configuration
 ^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  # Enable proxy service
  set service webproxy listen-address 192.168.0.1
@ -46,7 +46,7 @@ Filtering by category
 If you wan't to use existing blacklists you have to create/download a database
 first. Otherwise you will not be able to commit the config changes.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# commit
  [ service webproxy ]
@ -83,7 +83,7 @@ The embedded Squid proxy can use LDAP to authenticate users against a company
 wide directory. The following configuration is an example of how to use Active
 Directory as authentication backend. Queries are done via LDAP.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show service webproxy
   authentication {
@ -117,7 +117,7 @@ Adjusting cache size
 The size of the proxy cache can be adjusted by the user.
-.. code-block:: sh
+.. code-block:: console
  set service webproxy cache-size
   Possible completions:
--- a/docs/system/config-management.rst
+++ b/docs/system/config-management.rst
@ -6,7 +6,7 @@ Config Management
 The following changes the number of commit revisions. In the default settings, 20 revisions are stored locally.
-.. code-block:: sh
+.. code-block:: console
  set system config-management commit-revisions 50
@ -14,7 +14,7 @@ The following changes the number of commit revisions. In the default settings, 2
 | If you want to save all config changes to a remote destination. Set the commit-archive location. Every time a commit is successfully the config.boot file will be copied to the defined destinations.
-.. code-block:: sh
+.. code-block:: console
  set system config-management commit-archive location 'tftp://10.0.0.2'
@ -22,7 +22,7 @@ The following changes the number of commit revisions. In the default settings, 2
 A commit look now like this:
-.. code-block:: sh
+.. code-block:: console
    vyos@vyos-R1# commit
    Archiving config...
--- a/docs/system/eventhandler.rst
+++ b/docs/system/eventhandler.rst
@ -7,7 +7,7 @@ Event handler allows you to execute scripts when a string that matches a regex a
 It uses "feeds" (output of commands, or a named pipes) and "policies" that define what to execute if a regex is matched.
-.. code-block:: sh
+.. code-block:: console
  system
  event-handler
@ -29,7 +29,7 @@ It uses "feeds" (output of commands, or a named pipes) and "policies" that defin
 In this small example a script runs every time a login failed and an interface goes down
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show system event-handler 
  feed Syslog {
--- a/docs/system/flowaccounting.rst
+++ b/docs/system/flowaccounting.rst
@ -30,7 +30,7 @@ In order for flow accounting information to be collected and displayed for an
 interface, the interface must be configured for flow accounting. The following
 example shows how to configure ``eth0`` and ``bond3`` for flow accounting.
-.. code-block:: sh
+.. code-block:: console
  set system flow-accounting interface eth0
  set system flow-accounting interface bond3
@ -41,7 +41,7 @@ VyOS supports version 5, 9 and 10 (IPFIX - IP Flow Information Export)
 NetFlow v5 example:
-.. code-block:: sh
+.. code-block:: console
  set system flow-accounting netflow engine-id 100
  set system flow-accounting netflow version 5
@ -55,7 +55,7 @@ display captured network traffic information for all configured interfaces.
 The following op-mode command shows flow accounting for eth0.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show flow-accounting interface eth0
  flow-accounting for [eth0]
--- a/docs/system/host-information.rst
+++ b/docs/system/host-information.rst
@ -21,7 +21,7 @@ or over the internet.
 Set a system host name:
-.. code-block:: sh
+.. code-block:: console
  set system host-name <hostname>
@ -29,19 +29,19 @@ Set a system host name:
 Show host name:
-.. code-block:: sh
+.. code-block:: console
  show system host-name
 Delete host name:
-.. code-block:: sh
+.. code-block:: console
  delete system host-name <hostname>
 Example: Set system hostname to 'RT01':
-.. code-block:: sh
+.. code-block:: console
  set system host-name RT01
  commit
@ -56,7 +56,7 @@ unique.
 Set the system's domain:
-.. code-block:: sh
+.. code-block:: console
  set system domain-name <domain>
@ -64,19 +64,19 @@ Set the system's domain:
 Show domain:
-.. code-block:: sh
+.. code-block:: console
  show system domain-name
 Remove domain name:
-.. code-block:: sh
+.. code-block:: console
  set system delete domain-name <domain>
 Example: Set system domain to example.com:
-.. code-block:: sh
+.. code-block:: console
  set system domain-name example.com
  commit
@ -90,20 +90,20 @@ How to assign IPs to interfaces is described in chapter
 :ref:`interfaces-addresses`. This section shows how to statically map a system
 IP to its host name for local (meaning on this VyOS instance) DNS resolution:
-.. code-block:: sh
+.. code-block:: console
  set system static-host-mapping host-name <hostname> inet <IP address>
 Show static mapping:
-.. code-block:: sh
+.. code-block:: console
  show system static-host-mapping
 Example: Create a static mapping between the system's hostname `RT01` and
 IP address `10.20.30.41`:
-.. code-block:: sh
+.. code-block:: console
  set system static-host-mapping host-name RT01 inet 10.20.30.41
  commit
@ -117,25 +117,25 @@ Aliases
 One or more system aliases (static mappings) can be defined:
-.. code-block:: sh
+.. code-block:: console
  set system static-host-mapping host-name <hostname> alias <alias>
 Show aliases:
-.. code-block:: sh
+.. code-block:: console
  show system static-mapping
 Delete alias:
-.. code-block:: sh
+.. code-block:: console
  delete system static-host-mapping host-name <hostname> alias <alias>
 Example: Set alias `router1` for system with hostname `RT01`:
-.. code-block:: sh
+.. code-block:: console
  set system static-host-mapping host-name RT01 alias router1
  commit
@ -154,19 +154,19 @@ existing configurations are migrated to the new CLI commands.
 It is replaced by inserting a static route into the routing table using:
-.. code-block:: sh
+.. code-block:: console
  set protocols static route 0.0.0.0/0 next-hop <gateway ip>
 Delete the default route from the system
-.. code-block:: sh
+.. code-block:: console
  delete protocols static route 0.0.0.0/0
 Show default route:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos$ show ip route 0.0.0.0
  Routing entry for 0.0.0.0/0
--- a/docs/system/login-users.rst
+++ b/docs/system/login-users.rst
@ -16,20 +16,20 @@ Local
 Create user account `jsmith` and the password `mypassword`.
-.. code-block:: sh
+.. code-block:: console
  set system login user jsmith full-name "Johan Smith"
  set system login user jsmith authentication plaintext-password mypassword
 The command:
-.. code-block:: sh
+.. code-block:: console
  show system login
 will show the contents of :code:`system login` configuration node:
-.. code-block:: sh
+.. code-block:: console
  user jsmith {
      authentication {
@ -45,7 +45,7 @@ SSH with Public Keys
 The following command will load the public key `dev.pub` for user `jsmith`
-.. code-block:: sh
+.. code-block:: console
  loadkey jsmith dev.pub
@ -53,7 +53,7 @@ The following command will load the public key `dev.pub` for user `jsmith`
   first. As an alternative you can also load the SSH public key directly
   from a remote system:
-.. code-block:: sh
+.. code-block:: console
  loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub
@ -61,7 +61,7 @@ In addition SSH public keys can be fully added using the CLI. Each key can be
 given a unique identifier, `calypso` is used oin the example below to id an SSH
 key.
-.. code-block:: sh
+.. code-block:: console
  set system login user jsmith authentication public-keys callisto key 'AAAABo..Q=='
  set system login user jsmith authentication public-keys callisto type 'ssh-rsa'
@ -75,7 +75,7 @@ The following command sets up two servers for RADIUS authentication, one with a
 discrete timeout of `5` seconds and a discrete port of `1812` and the other using
 a default timeout and port.
-.. code-block:: sh
+.. code-block:: console
  set system login radius server 192.168.1.2 secret 's3cr3t0815'
  set system login radius server 192.168.1.2 timeout '5'
@ -84,7 +84,7 @@ a default timeout and port.
 This configuration results in:
-.. code-block:: sh
+.. code-block:: console
  show system login
   radius {
@ -111,7 +111,7 @@ not set incoming connections to the RADIUS server will use the nearest interface
 address pointing towards the RADIUS server - making it error prone on e.g. OSPF
 networks when a link fails.
-.. code-block:: sh
+.. code-block:: console
  set system login radius source-address 192.168.1.254
@ -120,7 +120,7 @@ Login Banner
 You are able to set post-login or pre-login messages with the following lines:
-.. code-block:: sh
+.. code-block:: console
  set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n"
  set system login banner post-login "Welcome to VyOS"
--- a/docs/system/ntp.rst
+++ b/docs/system/ntp.rst
@ -5,7 +5,7 @@ NTP
 there are 3 default NTP server set. You are able to change them.
-.. code-block:: sh
+.. code-block:: console
  set system ntp server 0.pool.ntp.org
  set system ntp server 1.pool.ntp.org
@ -13,7 +13,7 @@ there are 3 default NTP server set. You are able to change them.
 To set up VyOS as an NTP responder, you must specify the listen address and optionally the permitted clients.
-.. code-block:: sh
+.. code-block:: console
  set system ntp listen-address 192.168.199.1
  set system ntp allow-clients address 192.168.199.0/24
--- a/docs/system/proxy.rst
+++ b/docs/system/proxy.rst
@ -8,14 +8,14 @@ The option allowes to set a HTTP proxy and if necessary, supports `basic auth`_.
 The code example below sets a proxy for all HTTP, HTTPS and FTP (anonymous ftp) connections, initiated by vyos. 
-.. code-block:: sh
+.. code-block:: console
  set system proxy url http://10.100.100.1
  set system proxy port 8080
 That enables the update of a system image if the vyos system operates behind a proxy.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
  Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
--- a/docs/system/serialconsole.rst
+++ b/docs/system/serialconsole.rst
@ -8,7 +8,7 @@ Serial console
 Configuring Console
 -------------------
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set system console
  Possible completions:
--- a/docs/system/syslog.rst
+++ b/docs/system/syslog.rst
@ -16,14 +16,14 @@ Logging to serial console
 The below would log all messages to :code:`/dev/console`.
-.. code-block:: sh
+.. code-block:: console
  set system syslog console facility all level all
 Use the **[tab]** function to display all facilities and levels which can
 be configured.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set system syslog console facility <TAB>
  Possible completions:
@ -70,7 +70,7 @@ Logging to a custom file
 Logging to a custom file, rotation size and the number of rotate files left
 on the system can be configured.
-.. code-block:: sh
+.. code-block:: console
  set system syslog file <FILENAME> facility <FACILITY>  level <LEVEL>
  set system syslog file <FILENAME> archive file <NUMBER OF FILES>
@ -88,7 +88,7 @@ using either TCP or UDP. The default is sending the messages via UDP.
 **UDP**
-.. code-block:: sh
+.. code-block:: console
  set system syslog host 10.1.1.1 facility all level all
  <optional>
@ -97,7 +97,7 @@ using either TCP or UDP. The default is sending the messages via UDP.
 **TCP**
-.. code-block:: sh
+.. code-block:: console
  set system syslog host 10.1.1.2 facility all level all
  set system syslog host 10.1.1.2 facility all protocol tcp
@ -109,7 +109,7 @@ If logging to a local useraccount is configured, all defined log messages are
 display on the console if the local user is logged in, if the user is not
 logged in, no messages are being displayed.
-.. code-block:: sh
+.. code-block:: console
  set system syslog user <LOCAL_USERNAME> facility <FACILITY> level <LEVEL>
@ -118,7 +118,7 @@ Show logs
 Display log files on the console
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show log
  Possible completions:
@ -149,7 +149,7 @@ Show contents of a log file in an image
 Log messages from a specified image can be displayed on the console:
-.. code-block:: sh
+.. code-block:: console
  $ show log image <image name>
  $ show log image <image name> [all | authorization | directory | file <file name> | tail <lines>]
--- a/docs/system/task-scheduler.rst
+++ b/docs/system/task-scheduler.rst
@ -7,7 +7,7 @@ Task scheduler
 | Task scheduler — allows scheduled task execution. Note that scripts excecuted this way are executed as root user - this may be dangerous.
 | Together with :ref:`commandscripting` this can be used for automating configuration.
-.. code-block:: sh
+.. code-block:: console
  system
      task-scheduler
@ -24,7 +24,7 @@ Interval
 You are able to set the time as an time interval.
-.. code-block:: sh
+.. code-block:: console
  set system task-scheduler task <name> interval <value><suffix>
@ -38,14 +38,14 @@ If suffix is omitted, minutes are implied.
 Or set the execution time in common cron time.
-.. code-block:: sh
+.. code-block:: console
  set system task-scheduler task TEST crontab-spec "* * * 1 *"
 Example
 *******
-.. code-block:: sh
+.. code-block:: console
  system
      task-scheduler
--- a/docs/system/time-zone.rst
+++ b/docs/system/time-zone.rst
@ -5,7 +5,7 @@ Time Zone
 To set the system time zone type:
-.. code-block:: sh
+.. code-block:: console
  [edit]
  vyos@vyos# set system time-zone [time-zone]
--- a/docs/troubleshooting.rst
+++ b/docs/troubleshooting.rst
@ -15,7 +15,7 @@ commands. The options for each are shown (the options for each command were
 displayed using the built-in help as described in the :ref:`cli`
 section and are omitted from the output here):
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ ping
  Possible completions:
@ -25,7 +25,7 @@ section and are omitted from the output here):
 Several options are available when more extensive troubleshooting is needed:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ ping 8.8.8.8
  Possible completions:
@ -51,7 +51,7 @@ Several options are available when more extensive troubleshooting is needed:
    ttl
    verbose
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ traceroute
  Possible completions:
@ -64,7 +64,7 @@ Several options are available when more extensive troubleshooting is needed:
 However, another tool, mtr_, is available which combines ping and traceroute
 into a single tool. An example of its output is shown:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ mtr 10.62.212.12
@ -95,7 +95,7 @@ It's possible to monitor network traffic, either at the flow level or protocol
 level. This can be useful when troubleshooting a variety of protocols and
 configurations. The following interface types can be monitored:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ monitor interfaces
  Possible completions:
@ -117,7 +117,7 @@ To monitor traffic flows, issue the :code:`monitor interfaces <type> <name> flow
 command, replacing `<type>` and `<name>` with your desired interface type and
 name, respectively. Output looks like the following:
-.. code-block:: sh
+.. code-block:: console
                     12.5Kb              25.0Kb              37.5Kb              50.0Kb        62.5Kb
  ????????????????????????????????????????????????????????????????????????????????????????????????????
@ -145,7 +145,7 @@ traffic` command, replacing `<type>` and `<name>` with your desired interface
 type and name, respectively. This command invokes the familiar tshark_ utility
 and the following options are available:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ monitor interfaces ethernet eth0 traffic
  Possible completions:
@ -170,13 +170,13 @@ Interface Bandwith
 to take a quick view on the used bandwith of an interface use the ``monitor
 bandwith`` command
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ monitor bandwidth interface eth0
 show the following:
-.. code-block:: sh
+.. code-block:: console
         B                      (RX Bytes/second)
    198.00 .|....|.....................................................
@ -202,7 +202,7 @@ Interface performance
 To take a look on the network bandwith between two nodes, the ``monitor
 bandwidth-test`` command is used to run iperf.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ monitor bandwidth-test
  Possible completions:
@ -212,7 +212,7 @@ bandwidth-test`` command is used to run iperf.
 * The ``accept`` command open a listen iperf server on TCP Port 5001
 * The ``initiate`` command conncet to this server.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ monitor bandwidth-test initiate
  Possible completions:
@ -229,14 +229,14 @@ a continuously refreshed output. The command is run and output every 2 seconds,
 allowing you to monitor the output continuously without having to re-run the
 command. This can be useful to follow routing adjacency formation.
-.. code-block:: sh
+.. code-block:: console
  vyos@router:~$ monitor command "show interfaces"
 Will clear the screen and show you the output of ``show interfaces`` every
 2 seconds.
-.. code-block:: sh
+.. code-block:: console
  Every 2.0s: /opt/vyatta/bin/vyatta-op-cmd-wrapper    Sun Mar 26 02:49:46 2019
@ -259,13 +259,13 @@ To do this use the ``clear`` command in Operational mode.
 to clear the console output
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ clear console
 to clear interface counters
-.. code-block:: sh
+.. code-block:: console
  # clear all interfaces
  vyos@vyos:~$ clear interface ethernet counters
@ -274,7 +274,7 @@ to clear interface counters
 The command follow the same logic as the ``set`` command in configuration mode.
-.. code-block:: sh
+.. code-block:: console
  # clear all counters of a interface type
  vyos@vyos:~$ clear interface <interface_type> counters
@ -284,7 +284,7 @@ The command follow the same logic as the ``set`` command in configuration mode.
 to clear counters on firewall rulesets or single rules
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters
  vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters
--- a/docs/vpn/dmvpn.rst
+++ b/docs/vpn/dmvpn.rst
@ -47,7 +47,7 @@ can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, t
 HUB Configuration
 ^^^^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  interfaces
      tunnel <tunN> {
@ -119,7 +119,7 @@ HUB Configuration
 HUB Example Configuration:
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address '198.51.100.41/30'
  set interfaces ethernet eth1 address '192.168.1.1/24'
@ -171,7 +171,7 @@ SPOKE Configuration
 SPOKE1 Configuration:
-.. code-block:: sh
+.. code-block:: console
  interfaces
      tunnel <tunN> {
@ -248,7 +248,7 @@ SPOKE1 Configuration:
 SPOKE1 Example Configuration
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address 'dhcp'
  set interfaces ethernet eth1 address '192.168.2.1/24'
@ -294,7 +294,7 @@ SPOKE1 Example Configuration
 SPOKE2 Configuration
-.. code-block:: sh
+.. code-block:: console
  interfaces
      tunnel <tunN> {
@ -371,7 +371,7 @@ SPOKE2 Configuration
 SPOKE2 Example Configuration
-.. code-block:: sh
+.. code-block:: console
  set interfaces ethernet eth0 address 'dhcp'
  set interfaces ethernet eth1 address '192.168.3.1/24'
--- a/docs/vpn/gre-ipsec.rst
+++ b/docs/vpn/gre-ipsec.rst
@ -40,7 +40,7 @@ and the RIGHT router is 203.0.113.45
 On the LEFT:
-.. code-block:: sh
+.. code-block:: console
  # GRE tunnel
  set interfaces tunnel tun0 encapsulation gre
@ -90,7 +90,7 @@ RIGHT router has a dynamic address on eth0.
 On the LEFT:
-.. code-block:: sh
+.. code-block:: console
  set interfaces loopback lo address 192.168.99.1/32
@ -101,7 +101,7 @@ On the LEFT:
 On the RIGHT:
-.. code-block:: sh
+.. code-block:: console
  set interfaces loopback lo address 192.168.99.2/32
@ -119,7 +119,7 @@ address, so we'll have to use RSA keys.
 First, on both routers run the operational command "generate vpn rsa-key bits
 2048". You may choose different length than 2048 of course.
-.. code-block:: sh
+.. code-block:: console
  vyos@left# run generate vpn rsa-key bits 2048
  Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
@ -131,7 +131,7 @@ First, on both routers run the operational command "generate vpn rsa-key bits
 Then on the opposite router, add the RSA key to your config.
-.. code-block:: sh
+.. code-block:: console
  set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
@ -140,7 +140,7 @@ for the peer on the dynamic side.
 On the LEFT (static address):
-.. code-block:: sh
+.. code-block:: console
  set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
@ -165,7 +165,7 @@ On the LEFT (static address):
 On the RIGHT (dynamic address):
-.. code-block:: sh
+.. code-block:: console
  set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
--- a/docs/vpn/l2tp.rst
+++ b/docs/vpn/l2tp.rst
@ -12,7 +12,7 @@ L2TP over IPsec
 Example for configuring a simple L2TP over IPsec VPN for remote access (works
 with native Windows and Mac VPN clients):
-.. code-block:: sh
+.. code-block:: console
  set vpn ipsec ipsec-interfaces interface eth0
  set vpn ipsec nat-traversal enable
@ -43,7 +43,7 @@ As well as the below to allow NAT-traversal:
 Example:
-.. code-block:: sh
+.. code-block:: console
  set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
  set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
@ -61,7 +61,7 @@ Example:
 To allow VPN-clients access via your external address, a NAT rule is required:
-.. code-block:: sh
+.. code-block:: console
  set nat source rule 110 outbound-interface 'eth0'
  set nat source rule 110 source address '192.168.255.0/24'
@ -71,7 +71,7 @@ To allow VPN-clients access via your external address, a NAT rule is required:
 VPN-clients will request configuration parameters, optionally you can DNS
 parameter to the client.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
  set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
@ -82,7 +82,7 @@ parameter to the client.
 Established sessions can be viewed using the **show vpn remote-access**
 operational command, or **show l2tp-server sessions**
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos:~$ show vpn remote-access
   ifname | username | calling-sid  |      ip       | rate-limit | type | comp | state  |  uptime
@ -97,7 +97,7 @@ LNS are often used to connect to a LAC (L2TP Access Concentrator).
 Below is an example to configure a LNS:
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access outside-address 192.0.2.2
  set vpn l2tp remote-access outside-nexthop 192.168.255.1
@ -126,7 +126,7 @@ Bandwidth Shaping for local users
 The rate-limit is set in kbit/sec.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access outside-address 192.0.2.2
  set vpn l2tp remote-access outside-nexthop 192.168.255.1
@ -151,14 +151,14 @@ exists within the configuration, however they are not used if the mode has been
 changed from local to radius. Once changed back to local, it will use all local
 accounts again.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access authentication mode <local|radius>
 Since the RADIUS server would be a single point of failure, multiple RADIUS
 servers can be setup and will be used subsequentially.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
  set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
@ -173,7 +173,7 @@ If you are using OSPF as IGP always the closets interface connected to the RADIU
 server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
 single source IP e.g. the loopback interface.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access authentication radius source-address 10.0.0.3
@ -188,14 +188,14 @@ RADIUS bandwidth shaping attribute
 To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access authentication radius rate-limit enable
 The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also
 redefine it.
-.. code-block:: sh
+.. code-block:: console
  set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@ -68,7 +68,7 @@ in our configuration.
 Local Configuration:
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun1 mode site-to-site
  set interfaces openvpn vtun1 protocol udp
@ -82,7 +82,7 @@ Local Configuration:
 Remote Configuration:
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun1 mode site-to-site
  set interfaces openvpn vtun1 protocol udp
@ -104,7 +104,7 @@ For Encryption:
 This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or
 OpenVPN version < 2.4.0.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set interfaces openvpn vtun1 encryption cipher
  Possible completions:
@ -123,7 +123,7 @@ This sets the accepted ciphers to use when version => 2.4.0 and NCP is
 enabled (which is default). Default NCP cipher for versions >= 2.4.0 is
 aes256gcm. The first cipher in this list is what server pushes to clients.
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set int open vtun0 encryption ncp-ciphers
  Possible completions:
@ -138,7 +138,7 @@ aes256gcm. The first cipher in this list is what server pushes to clients.
 For Hashing:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# set interfaces openvpn vtun1 hash
  Possible completions:
@ -157,13 +157,13 @@ network of 10.1.0.0/16:
 Local Configuration:
-.. code-block:: sh
+.. code-block:: console
  set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
 Remote Configuration:
-.. code-block:: sh
+.. code-block:: console
  set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
@ -206,7 +206,7 @@ closing on connection resets or daemon reloads.
   0 on one side of the connection (to disable it), the chosen value on the
   other side will determine when the renegotiation will occur.
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun10 mode server
  set interfaces openvpn vtun10 local-port 1194
@ -216,7 +216,7 @@ closing on connection resets or daemon reloads.
 Then we need to specify the location of the cryptographic materials. Suppose
 you keep the files in `/config/auth/openvpn`
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
  set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
@ -229,7 +229,7 @@ specify the subnet for client tunnel endpoints. Since we want clients to access
 a specific network behind out router, we will use a push-route option for
 installing that route on clients.
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun10 server push-route 192.168.0.0/16
  set interfaces openvpn vtun10 server subnet 10.23.1.0/24
@ -241,7 +241,7 @@ need configuration for each client to achieve this.
 .. note:: Clients are identified by the CN field of their x.509 certificates,
   in this example the CN is ``client0``:
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
  set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25
@ -250,7 +250,7 @@ OpenVPN **will not** automatically create routes in the kernel for client
 subnets when they connect and will only use client-subnet association
 internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
-.. code-block:: sh
+.. code-block:: console
  set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
@ -269,13 +269,13 @@ Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is
 shipped with every VyOS installation. A dedicated configuration file is required.
 It is best practise to store it in ``/config`` to survive image updates
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
 The required config file may look like:
-.. code-block:: sh
+.. code-block:: console
  <LDAP>
  # LDAP server URL
@ -302,7 +302,7 @@ Active Directory
 Despite the fact that AD is a superset of LDAP
-.. code-block:: sh
+.. code-block:: console
  <LDAP>
    # LDAP server URL
@ -336,7 +336,7 @@ Despite the fact that AD is a superset of LDAP
 If you only want to check if the user account is enabled and can authenticate
 (against the primary group) the following snipped is sufficient:
-.. code-block:: sh
+.. code-block:: console
  <LDAP>
    URL ldap://dc01.example.com
@ -355,7 +355,7 @@ If you only want to check if the user account is enabled and can authenticate
 A complete LDAP auth OpenVPN configuration could look like the following example:
-.. code-block:: sh
+.. code-block:: console
  vyos@vyos# show interfaces openvpn
   openvpn vtun0 {
@ -398,7 +398,7 @@ using their CN attribute in the SSL certificate.
 Server
 ------
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun10 encryption cipher 'aes256'
  set interfaces openvpn vtun10 hash 'sha512'
@ -422,7 +422,7 @@ Server
 Client
 ------
-.. code-block:: sh
+.. code-block:: console
  set interfaces openvpn vtun10 encryption cipher 'aes256'
  set interfaces openvpn vtun10 hash 'sha512'
--- a/docs/vpn/pptp.rst
+++ b/docs/vpn/pptp.rst
@ -12,7 +12,7 @@ If no gateway-address is set within the configuration, the lowest IP out of the
 server example
 ^^^^^^^^^^^^^^
-.. code-block:: sh
+.. code-block:: console
  set vpn pptp remote-access authentication local-users username test password 'test'
  set vpn pptp remote-access authentication mode 'local'
@ -28,7 +28,7 @@ client example (debian 9)
 Install the client software via apt and execute pptpsetup to generate the configuration.
-.. code-block:: sh
+.. code-block:: console
  apt-get install pptp-linux
  pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt
@ -39,7 +39,7 @@ The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
 All tunnel sessions can be checked via:
-.. code-block:: sh
+.. code-block:: console
  run sh pptp-server sessions
   ifname | username | calling-sid |      ip      | type | comp | state  |  uptime
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@ -116,7 +116,7 @@ Example:
 * right subnet: `10.0.0.0/24` site2,remote office side
 * right local_ip: `203.0.113.2` # remote office side WAN IP
-.. code-block:: sh
+.. code-block:: console
  # server config
  set vpn ipsec esp-group office-srv-esp compression 'disable'
@ -166,7 +166,7 @@ Example:
 Show status of new setup:
-.. code-block:: sh
+.. code-block:: console
  vyos@srv-gw0:~$ show vpn ike sa
  Peer ID / IP                            Local ID / IP
@ -186,7 +186,7 @@ Show status of new setup:
 If there is SNAT rules on eth1, need to add exclude rule
-.. code-block:: sh
+.. code-block:: console
  # server side
  set nat source rule 10 destination address '10.0.0.0/24'
@ -203,7 +203,7 @@ If there is SNAT rules on eth1, need to add exclude rule
 To allow traffic to pass through to clients, you need to add the following
 rules. (if you used the default configuration at the top of this page)
-.. code-block:: sh
+.. code-block:: console
  # server side
  set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
@ -231,7 +231,7 @@ Imagine the following topology
 **left**
-.. code-block:: sh
+.. code-block:: console
  set interfaces vti vti10 address '10.0.0.2/31'
@ -265,7 +265,7 @@ Imagine the following topology
 **right**
-.. code-block:: sh
+.. code-block:: console
  set interfaces vti vti10 address '10.0.0.3/31'
--- a/docs/vpn/wireguard.rst
+++ b/docs/vpn/wireguard.rst
@ -21,7 +21,7 @@ within VyOS.
 It will be used per default on any configured wireguard interface, even if
 multiple interfaces are being configured.
-.. code-block:: sh
+.. code-block:: console
  wg01:~$ configure
  wg01# run generate wireguard keypair
@ -29,7 +29,7 @@ multiple interfaces are being configured.
 The public key is being shared with your peer(s), your peer will encrypt all
 traffic to your system using this public key.
-.. code-block:: sh
+.. code-block:: console
  wg01# run show wireguard pubkey
  u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
@ -45,7 +45,7 @@ their own keypairs.
 The commands below will generate 2 keypairs, which are not related 
 to each other.
-.. code-block:: sh
+.. code-block:: console
  wg01:~$ configure
  wg01# run generate wireguard named-keypairs KP01
@ -69,7 +69,7 @@ below is always the public key from your peer, not your local one.
 **local side**
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireguard wg01 address '10.1.0.1/24'
  set interfaces wireguard wg01 description 'VPN-to-wg02'
@ -89,7 +89,7 @@ traffic.
 To use a named key on an interface, the option private-key needs to be set.
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireguard wg01 private-key KP01
  set interfaces wireguard wg02 private-key KP02
@ -100,7 +100,7 @@ which needs to be shared with the peer.
 **remote side**
-.. code-block:: sh
+.. code-block:: console
  set interfaces wireguard wg01 address '10.2.0.1/24'
  set interfaces wireguard wg01 description 'VPN-to-wg01'
@ -113,7 +113,7 @@ which needs to be shared with the peer.
 Assure that your firewall rules allow the traffic, in which case you have a
 working VPN using wireguard.
-.. code-block:: sh
+.. code-block:: console
  wg01# ping 10.2.0.1
  PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
@ -128,7 +128,7 @@ working VPN using wireguard.
 An additional layer of symmetric-key crypto can be used on top of the
 asymmetric crypto, which is optional.
-.. code-block:: sh
+.. code-block:: console
  wg01# run generate wireguard preshared-key
  rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
@ -137,7 +137,7 @@ Copy the key, as it is not stored on the local file system. Make sure you
 distribute that key in a safe manner, it's a symmetric key, so only you and
 your peer should have knowledge of its content.
-.. code-block:: sh
+.. code-block:: console
  wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
  wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
@ -149,7 +149,7 @@ With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN.  It
 In the following example, the IPs for the remote clients are defined in the peers.  This would allow the peers to interact with one another.
-.. code-block:: sh
+.. code-block:: console
    wireguard wg0 {
        address 10.172.24.1/24
@ -173,7 +173,7 @@ In the following example, the IPs for the remote clients are defined in the peer
 The following is the config for the iPhone peer above.  It's important to note that the ``AllowedIPs`` setting 
 directs all IPv4 and IPv6 traffic through the connection.
-.. code-block:: sh
+.. code-block:: console
    [Interface]
    PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
@ -189,7 +189,7 @@ directs all IPv4 and IPv6 traffic through the connection.
 This MacBook peer is doing split-tunneling, where only the subnets local to the server go over the connection.
-.. code-block:: sh
+.. code-block:: console
    [Interface]
    PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
@ -207,7 +207,7 @@ Operational commands
 **Show interface status**
-.. code-block:: sh
+.. code-block:: console
  vyos@wg01# run show interfaces wireguard wg01
  interface: wg1
@ -233,14 +233,14 @@ Operational commands
 **Show public key of the default key**
-.. code-block:: sh
+.. code-block:: console
  vyos@wg01# run show wireguard keypair pubkey default
  FAXCPb6EbTlSH5200J5zTopt9AYXneBthAySPBLbZwM=
 **Show public key of a named key**
-.. code-block:: sh
+.. code-block:: console
  vyos@wg01# run show wireguard keypair pubkey KP01
  HUtsu198toEnm1poGoRTyqkUKfKUdyh54f45dtcahDM=
@ -248,7 +248,7 @@ Operational commands
 **Delete wireguard keypairs**
-.. code-block:: sh
+.. code-block:: console
  vyos@wg01# wireguard keypair default