op-mode:T3477: Correction of reset command syntax as per latest (#1676)

Co-authored-by: Mila <lyudmila.ndl@gmail.com>

docs/configuration/protocols/bgp.rst

@@ -1016,7 +1016,7 @@ Show
          Origin IGP, metric 0, valid, external, best (First path received)
          Last update: Wed Jan  6 12:18:53 2021
 
-.. opcmd:: show ip bgp cidr-only
+.. opcmd:: show bgp cidr-only
 
    This command displays routes with classless interdomain routing (CIDR).
 
@@ -1091,27 +1091,22 @@ Show
 Reset
 =====
 
-.. opcmd:: reset <ip|ipv6> bgp <address> [soft [in|out]]
+.. opcmd:: reset bgp <ipv4|ipv6> <address> [soft [in|out]]
 
    This command resets BGP connections to the specified neighbor IP address.
    With argument :cfgcmd:`soft` this command initiates a soft reset. If
    you do not specify the :cfgcmd:`in` or :cfgcmd:`out` options, both
    inbound and outbound soft reconfiguration are triggered.
 
-.. opcmd:: reset ip bgp all
+.. opcmd:: reset bgp all
 
    This command resets all BGP connections of given router.
 
-.. opcmd:: reset ip bgp dampening
-
-   This command uses to clear BGP route dampening information and to
-   unsuppress suppressed routes.
-
-.. opcmd:: reset ip bgp external
+.. opcmd:: reset bgp <ipv4|ipv6> external
 
    This command resets all external BGP peers of given router.
 
-.. opcmd:: reset ip bgp peer-group <name> [soft [in|out]]
+.. opcmd:: reset bgp <ipv4|ipv6> peer-group <name> [soft [in|out]]
 
    This command resets BGP connections to the specified peer group.
    With argument :cfgcmd:`soft` this command initiates a soft reset. If
@@ -1136,6 +1131,7 @@ A simple eBGP configuration:
   set protocols bgp neighbor 192.168.0.2 ebgp-multihop '2'
   set protocols bgp neighbor 192.168.0.2 remote-as '65535'
   set protocols bgp neighbor 192.168.0.2 update-source '192.168.0.1'
+  set protocols bgp neighbor 192.168.0.2 address-family ipv4-unicast
   set protocols bgp address-family ipv4-unicast network '172.16.0.0/16'
   set protocols bgp parameters router-id '192.168.0.1'
 
@@ -1147,6 +1143,7 @@ A simple eBGP configuration:
   set protocols bgp neighbor 192.168.0.1 ebgp-multihop '2'
   set protocols bgp neighbor 192.168.0.1 remote-as '65534'
   set protocols bgp neighbor 192.168.0.1 update-source '192.168.0.2'
+  set protocols bgp neighbor 192.168.0.1 address-family ipv4-unicast
   set protocols bgp address-family ipv4-unicast network '172.17.0.0/16'
   set protocols bgp parameters router-id '192.168.0.2'
 

docs/configuration/vrf/index.rst

@@ -122,6 +122,27 @@ routing protocol inside a given vrf:
 - :ref:`routing-ospfv3`: ``set vrf name <name> protocols ospfv3 ...``
 - :ref:`routing-static`: ``set vrf name <name> protocols static ...``
 
+Services
+-------
+
+Currently the following services can be created isolated in VRFs
+
+- :ref:`dhcp-server`
+
+The CLI configuration is same as mentioned in above articles. The only
+difference is, that each service used, must be prefixed with the `vrf
+name <name>` command.
+
+Example
+^^^^^^^
+
+The following commands would be required to set options for a given service
+inside a given vrf:
+
+- :ref:`dhcp-server`: ``set vrf name <name> service dhcp-server ...``
+- :ref:`dhcp-server`: ``set vrf name <name> service dhcpv6-server ...``
+
+
 Operation
 =========
 

docs/operation/index.rst

@@ -8,5 +8,6 @@ Operation Mode
 
    information
    boot-options
+   upgrade-recovery
    password-recovery
    raid

docs/operation/upgrade-recovery.rst

@@ -0,0 +1,64 @@
+.. _upgrade_recovery:
+
+
+##############################
+Recovery after Failed Upgrades
+##############################
+
+This section explains **VyOS’s upgrade recovery**, which restores the system to the last working version after a failed upgrade. It covers the following points:
+
+* :ref:`Configuration:  <configuration>` How to enable upgrade recovery
+* :ref:`How it Works: <how_it_works>` Overview of the recovery process
+* :ref:`Cancelling Recovery: <cancelling_recovery>` Overview of the recovery process
+ 
+
+
+.. _configuration:
+
+*************
+Configuration
+*************
+.. warning:: Upgrade recovery is disabled by default. To use it, **enable it first**.
+
+To enable upgrade recovery, run the following command:
+
+.. cfgcmd::
+
+   set system option reboot-on-upgrade-failure [timeout <min>]
+
+* ``timeout <min>:`` The time in minutes (from 5 to 30) you have to cancel upgrade recovery. See :ref:`Cancelling Recovery <cancelling_recovery>`.
+ 
+.. _how_it_works:
+
+************
+How it Works
+************
+After a VyOS upgrade, the system monitors the boot process. Upon detecting a boot failure, VyOS initiates a revert to the last working version and displays the following warning:
+
+.. code-block:: none
+
+   Booting failed, reverting to previous image
+   Automatic reboot in xx minutes
+   Use "reboot cancel" to cancel
+
+If no action is taken, the reboot happens automatically after the configured timeout. Upon successful recovery and reboot, the following message appears: 
+ 
+.. code-block:: none
+
+   WARNING: Image update to "VyOS 1.5.xxxx" failed
+   Please check the logs:
+   /usr/lib/live/mount/persistence/boot/NAME/rw/var/log
+   Message is cleared on next reboot!
+     
+.. _cancelling_recovery:
+
+*******************
+Cancelling Recovery
+*******************
+Upon detecting a boot failure, you have the predefined timeout to cancel upgrade recovery. This is useful if you want to troubleshoot the faulty VyOS version on your own.
+
+To cancel upgrade recovery, run the following command:
+
+.. code-block:: none
+
+   reboot cancel

docs/vpp/configuration/dataplane/cpu.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2025-09-04
+:lastproofread: 2025-09-05
 
 .. _vpp_config_dataplane_cpu:
 
@@ -12,18 +12,30 @@ VPP can utilize multiple CPU cores to enhance packet processing performance. Pro
 
 There are several parameters that can be configured to optimize CPU usage for VPP.
 
+.. important::
+
+   Please read carefully the system configuration settings page before making any changes to CPU settings: :doc:`system`.
+
+If CPU settings are not configured, VPP will start a single main thread on core 1 (``main-core``), without any additional worker threads.
+
 CPU Configuration Parameters
 ============================
 
-main-core
-^^^^^^^^^
+Mandatory settings
+------------------
 
-The main core is responsible for handling control plane operations and managing worker threads. It should be set to a core that is not heavily utilized by other processes. If not set, VPP will automatically select a core `1`.
+``main-core``
+^^^^^^^^^^^^^
+
+The main core is responsible for handling control plane operations, managing worker threads, and processing packets. It should be set to a core that is not heavily utilized by other processes. The option should be always set if you apply any other CPU settings.
 
 .. cfgcmd:: set vpp settings cpu main-core <core-number>
 
-corelist-workers
-^^^^^^^^^^^^^^^^
+Manual cores selection
+----------------------
+
+``corelist-workers``
+^^^^^^^^^^^^^^^^^^^^
 
 This parameter specifies the list of CPU cores that will be used as worker threads for packet processing.
 
@@ -36,8 +48,8 @@ Automatic cores selection
 
 There is a possibility to let VPP select CPU cores automatically. This can be done by configuring the following two parameters:
 
-skip-cores
-^^^^^^^^^^
+``skip-cores``
+^^^^^^^^^^^^^^
 
 This parameter allows you to specify number of first CPU cores that should be excluded from being used for main or worker threads. The main thread will be assigned to the first available core after the skipped ones, and worker threads will be assigned to subsequent cores.
 
@@ -45,8 +57,8 @@ This parameter allows you to specify number of first CPU cores that should be ex
 
 Exclude cores that are reserved for other critical system processes to ensure that VPP does not interfere with their operation.
 
-workers
-^^^^^^^
+``workers``
+^^^^^^^^^^^
 
 This parameter allows you to specify the number of worker threads that should be created. Each worker thread will be assigned to a separate CPU core after the skipped and main ones.
 

docs/vpp/configuration/dataplane/lcp.rst

@@ -26,15 +26,15 @@ Pay attention that disabling this option leads to loss of connectivity to destin
 
 Other configuration section crucial for integration between VPP and Kernel is netlink settings. It allows to configure how VPP management listen to netlink events and how it processes them.
 
-.. cfgcmd:: set vpp settings lcp batch-delay-ms <value>
+.. cfgcmd:: set vpp settings lcp netlink batch-delay-ms <value>
 
 This parameter specifies the delay in milliseconds between processing batch netlink messages. If you expect to get frequent and intensive netlink events, you may need to decrease this value to ensure that VPP processes netlink events in a timely manner.
 
-.. cfgcmd:: set vpp settings lcp batch-size <value>
+.. cfgcmd:: set vpp settings lcp netlink batch-size <value>
 
 This parameter specifies the maximum number of netlink messages to process in a single batch. If you have a high volume of netlink events, increasing this value can improve throughput by allowing more messages to be processed at once. However, setting it too high may increase latency for individual messages.
 
-.. cfgcmd:: set vpp settings lcp rx-buffer-size <value>
+.. cfgcmd:: set vpp settings lcp netlink rx-buffer-size <value>
 
 This parameter specifies the size of the receive buffer for netlink messages. Increasing this value can help accommodate bursts of netlink messages, but setting it too high may lead to increased memory usage.
 

docs/vpp/configuration/dataplane/system.rst

@@ -52,3 +52,115 @@ Both settings are automatically calculated based on configured hugepages.
 Kernel Tuning
 =============
 
+VPP performance greatly benefits from proper kernel tuning, especially CPU isolation and disabling unnecessary kernel features. These optimizations ensure dedicated CPU cores are available exclusively for VPP dataplane processing without interference from the kernel scheduler or other system processes.
+
+.. warning::
+
+   Kernel tuning changes require a system reboot to take effect.
+
+   Improper CPU isolation can lead to system instability if essential system processes are starved of CPU resources.
+
+CPU Isolation and Optimization
+-------------------------------
+
+CPU isolation is crucial for VPP performance as it dedicates specific CPU cores exclusively to VPP dataplane processing. The isolated cores are removed from the kernel scheduler and will not run regular system processes.
+
+**Disable NMI Watchdog**
+
+The NMI (Non-Maskable Interrupt) watchdog can interfere with VPP performance by generating interrupts on isolated cores and is not compatible with nohz-full mode:
+
+.. cfgcmd:: set system option kernel cpu disable-nmi-watchdog
+
+   Disables the NMI watchdog for detecting hard CPU lockups. This prevents unnecessary interrupts on VPP worker cores.
+
+**CPU Core Isolation**
+
+.. cfgcmd:: set system option kernel cpu isolate-cpus <cpu-range>
+
+   Isolates specified CPUs from the kernel scheduler. Isolated cores will not run regular system processes and are dedicated to applications like VPP.
+
+   The ``<cpu-range>`` can be:
+   
+   * Single core: ``2``
+   * Range: ``2-5``
+   * Mixed: ``1,3-5,7``
+
+   ..important:: 
+
+      Always reserve at least 1-2 cores for the operating system to ensure system stability. For example, on a 4-core system, isolate cores 2-3 for VPP and leave cores 0-1 for the OS.
+
+      Assign the first isolated core as the VPP main core and the remaining isolated cores as VPP worker cores. Ensure that VPP CPU assignments match the isolated CPU range.
+
+**Adaptive-Tick Mode**
+
+.. cfgcmd:: set system option kernel cpu nohz-full <cpu-range>
+
+   Enables adaptive-tick mode (NO_HZ_FULL) for specified CPUs. This causes the kernel to avoid sending scheduling-clock interrupts to CPUs that have only one runnable task, significantly reducing interrupt overhead for dedicated workloads like VPP.
+
+   Use the same CPU range as configured for ``isolate-cpus``.
+
+**RCU Callback Offloading**
+
+.. cfgcmd:: set system option kernel cpu rcu-no-cbs <cpu-range>
+
+   Offloads Read-Copy-Update (RCU) callback processing from specified CPUs. This ensures that RCU callbacks do not prevent the specified CPUs from entering dyntick-idle or adaptive-tick mode, which is essential for nohz-full functionality.
+
+   Use the same CPU range as configured for ``isolate-cpus``.
+
+System Optimization
+--------------------
+
+Additional kernel optimizations can further improve VPP performance by disabling unnecessary features and reducing system overhead.
+
+**Disable High Precision Event Timer**
+
+.. cfgcmd:: set system option kernel disable-hpet
+
+   Disables the High Precision Event Timer (HPET). HPET can cause additional interrupts and overhead that may impact VPP performance.
+
+**Disable Machine Check Exceptions**
+
+.. cfgcmd:: set system option kernel disable-mce
+
+   Disables Machine Check Exception (MCE) reporting and handling. While MCE provides hardware error detection, it can introduce latency in high-performance scenarios.
+
+**Disable CPU Power Saving**
+
+.. cfgcmd:: set system option kernel disable-power-saving
+
+   Disables CPU power saving mechanisms (C-states). This keeps CPU cores at maximum performance levels, eliminating latency from power state transitions.
+
+**Disable Soft Lockup Detection**
+
+.. cfgcmd:: set system option kernel disable-softlockup
+
+   Disables the soft lockup detector for kernel threads. This prevents false positives when VPP worker threads are busy processing packets.
+
+**Disable CPU Mitigations**
+
+.. cfgcmd:: set system option kernel disable-mitigations
+
+   Disables all optional CPU mitigations for security vulnerabilities (e.g., Spectre, Meltdown). This may improve performance on some platforms.
+
+Optimal Configuration Example
+-----------------------------
+
+For a system with 4 CPU cores (0-3) where cores 2-3 are dedicated to VPP:
+
+.. code-block:: none
+
+   # Kernel CPU optimizations
+   set system option kernel cpu disable-nmi-watchdog
+   set system option kernel cpu isolate-cpus '2-3'
+   set system option kernel cpu nohz-full '2-3'
+   set system option kernel cpu rcu-no-cbs '2-3'
+   
+   # System optimizations
+   set system option kernel disable-hpet
+   set system option kernel disable-mce
+   set system option kernel disable-power-saving
+   set system option kernel disable-softlockup
+   
+   # VPP CPU assignment (matches isolated cores)
+   set vpp settings cpu main-core '2'
+   set vpp settings cpu corelist-workers '3'

docs/vpp/configuration/nat/nat44.rst

@@ -21,7 +21,7 @@ Configuration of NAT44 involves few steps:
 2. Create NAT rules for SNAT and/or DNAT.
 
 Dynamic and Static Operations
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+=============================
 
 NAT44 configuration can be done in one of two ways or in both ways simultaneously:
 
@@ -33,12 +33,12 @@ To configure dynamic NAT, you need to define a pool of public IP addresses that
 Static rules are more suitable for scenarios where you need to provide consistent and predictable mappings between private and public IP addresses, also they are the only way to configure DNAT.
 
 Interfaces Configuration
-------------------------
+========================
 
 The first step in configuring NAT44 is defining which interfaces handle inside (private) and outside (public) traffic. VyOS uses these interface designations to determine the direction of translation.
 
 Inside Interfaces
-^^^^^^^^^^^^^^^^^
+-----------------
 
 Inside interfaces connect to private networks where hosts need source NAT to access external networks.
 
@@ -48,8 +48,8 @@ Inside interfaces connect to private networks where hosts need source NAT to acc
 
 Traffic flowing **from** inside interfaces gets source NAT applied, translating private source addresses to public addresses from the translation pool.
 
-Outside Interfaces  
-^^^^^^^^^^^^^^^^^^
+Outside Interfaces
+------------------
 
 Outside interfaces connect to public networks where external hosts may need to access internal services.
 
@@ -60,7 +60,7 @@ Outside interfaces connect to public networks where external hosts may need to a
 Traffic flowing **to** outside interfaces can trigger destination NAT based on static rules, allowing external access to internal services.
 
 Interface Roles and Traffic Flow
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+--------------------------------
 
 .. note::
 
@@ -79,7 +79,7 @@ Interface Roles and Traffic Flow
 4. **Static NAT**: Requires explicit configuration for outside→inside traffic
 
 Multiple Interface Support
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+--------------------------
 
 You can configure multiple interfaces as inside or outside to support complex network topologies:
 
@@ -94,12 +94,12 @@ You can configure multiple interfaces as inside or outside to support complex ne
    set vpp nat44 interface outside eth3
 
 Address Pool Configuration
---------------------------
+==========================
 
 Address pools define ranges of IP addresses that can be used for NAT translations. VyOS NAT44 supports two types of address pools, each serving different purposes.
 
 Translation Pools
-^^^^^^^^^^^^^^^^^
+-----------------
 
 Translation pools are used for dynamic source NAT (SNAT). They provide a range of public IP addresses that can be dynamically assigned to private hosts when they access external networks.
 
@@ -125,7 +125,7 @@ Translation pools are used for dynamic source NAT (SNAT). They provide a range o
    set vpp nat44 address-pool translation interface eth1
 
 Twice-NAT Pools
-^^^^^^^^^^^^^^^
+---------------
 
 Twice-NAT pools are used when performing both source and destination NAT on the same traffic flow. This is particularly useful in scenarios where you need to:
 
@@ -152,7 +152,7 @@ Twice-NAT pools are used when performing both source and destination NAT on the
    set vpp nat44 address-pool twice-nat interface eth2
 
 Pool Requirements
-^^^^^^^^^^^^^^^^^
+-----------------
 
 .. important::
 
@@ -162,7 +162,7 @@ Pool Requirements
    * Interface-based pools automatically include main (first) IP address assigned to the specified interface
 
 Pool Selection Priority
-^^^^^^^^^^^^^^^^^^^^^^^
+-----------------------
 
 When multiple pools are configured, VyOS uses the following selection priority:
 
@@ -175,7 +175,7 @@ When multiple pools are configured, VyOS uses the following selection priority:
     As soon as you have configured interfaces and pool, the NAT44 is operational.
 
 Static Rules Configuration
---------------------------
+==========================
 
 Static NAT rules provide predictable and consistent mappings between private and public IP addresses. They are essential for:
 
@@ -186,7 +186,7 @@ Static NAT rules provide predictable and consistent mappings between private and
 Unlike dynamic NAT that uses a pool of addresses, static rules create one-to-one mappings that persist until explicitly removed.
 
 Basic Static Rule Configuration
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+-------------------------------
 
 To create a static NAT rule, you need to define the local (internal) and external (public) address mappings:
 
@@ -207,7 +207,7 @@ Where:
 This basic configuration creates a static one-to-one mapping. Traffic from outside to the external IP will be translated to the internal IP, and vice versa.
 
 Port-based Static Rules
-^^^^^^^^^^^^^^^^^^^^^^^
+-----------------------
 
 For more granular control, you can create port-specific static rules. This is useful when you want to publish specific services:
 
@@ -234,15 +234,21 @@ For more granular control, you can create port-specific static rules. This is us
 Where:
 
 * ``<internal-port>`` and ``<external-port>`` are the port numbers used by the connection
-* ``<protocol>`` specifies the protocol (tcp, udp, icmp) - if not specified, the rule applies to all protocols
+* ``<protocol>`` specifies the protocol (tcp, udp, icmp)
+
+.. important::
+
+   If you do not specify ports and protocol, the rule will apply to all traffic between the specified internal and external addresses.
+
+   Rules must contain either both ports and protocol or neither.
 
 Advanced Static Rule Options
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+----------------------------
 
 VyOS NAT44 supports several advanced options for static rules:
 
 Twice-NAT
-~~~~~~~~~
+^^^^^^^^^
 
 Twice-NAT performs both source and destination NAT. So when an external host accesses an internal service, a source IP of such connection is translated to an address from the twice-NAT address pool.
 
@@ -255,7 +261,7 @@ The twice-NAT option can be enabled with the following command:
    set vpp nat44 static rule <rule-number> options twice-nat
 
 Self Twice-NAT
-~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^
 
 Self Twice-NAT is used when a local host needs to access itself via the external address:
 
@@ -270,7 +276,7 @@ This option rewrites source IP addresses on packets sent only from a local addre
    Using self-twice-nat option requires to set interface connected to the local network as both inside and outside interface, because both source and destination NAT need to be applied.
 
 Out-to-In Only
-~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^
 
 Restricts the rule to only apply to traffic from outside to inside interfaces:
 
@@ -281,7 +287,7 @@ Restricts the rule to only apply to traffic from outside to inside interfaces:
 This prevents the creation of sessions from the inside interface, making it purely a DNAT rule.
 
 Force Twice-NAT Address
-~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^
 
 When using twice-nat, you can force the use of a specific IP address from the twice-nat address pool:
 
@@ -298,8 +304,8 @@ To document your rules, you can add a description:
 
    set vpp nat44 static rule <rule-number> description <description>
 
-Configuration Examples
-^^^^^^^^^^^^^^^^^^^^^^
+Static Rules Configuration Examples
+-----------------------------------
 
 **Full one-to-one NAT mapping:**
 
@@ -338,13 +344,170 @@ Configuration Examples
    
    ``set vpp nat44 address-pool twice-nat address <twice-nat-ip-range>``
 
+Exclude Rules Configuration
+===========================
+
+Exclude rules allow you to prevent specific traffic from undergoing NAT translation. This is particularly useful for:
+
+* **Router management**: Allowing SSH access to the router itself from external networks
+* **Service bypass**: Excluding specific services from NAT processing
+* **Traffic forwarding**: Allowing forwarded traffic to bypass NAT with 1-to-1 mapping
+
+Exclude rules take precedence over both dynamic and static NAT rules, ensuring that matching traffic bypasses NAT processing. For forwarded traffic, exclude rules create invisible 1-to-1 mappings that allow packets to pass through without NAT modifications.
+
+Basic Exclude Rule Configuration
+--------------------------------
+
+To create an exclude rule, you need to specify the traffic characteristics that should bypass NAT. You can configure exclude rules in two ways:
+
+**Option 1: Using local address**
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> local-address <internal-ip>
+
+**Option 2: Using external interface**
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> external-interface <interface-name>
+
+Where:
+
+* ``<rule-number>`` is a unique identifier for the exclude rule
+* ``<internal-ip>`` is the local IP address that should be excluded from NAT
+* ``<interface-name>`` is the external interface where the traffic originates
+
+.. important::
+
+   You must use either ``local-address`` OR ``external-interface`` in an exclude rule, but not both simultaneously. These options are mutually exclusive.
+
+Port-specific Exclude Rules
+---------------------------
+
+For more granular control, you can exclude only specific ports and protocols. You can combine port and protocol specifications with either local-address or external-interface:
+
+**With local address:**
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> local-address <internal-ip>
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> local-port <port-number>
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> protocol <protocol>
+
+**With external interface:**
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> external-interface <interface-name>
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> local-port <port-number>
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> protocol <protocol>
+
+Where:
+
+* ``<port-number>`` is the specific port to exclude (1-65535)
+* ``<protocol>`` can be ``tcp``, ``udp``, ``icmp``, or ``all`` (default)
+
+Rule Documentation
+------------------
+
+Add descriptions to your exclude rules for better management:
+
+.. cfgcmd::
+
+   set vpp nat44 exclude rule <rule-number> description <description>
+
+Exclude Rules Configuration Examples
+------------------------------------
+
+**Exclude SSH access to router:**
+
+.. code-block:: none
+
+   # Allow external SSH access to router without NAT
+   set vpp nat44 exclude rule 10 local-address 192.168.1.1
+   set vpp nat44 exclude rule 10 local-port 22
+   set vpp nat44 exclude rule 10 protocol tcp
+   set vpp nat44 exclude rule 10 description "SSH access to router"
+
+**Exclude SNMP monitoring:**
+
+.. code-block:: none
+
+   # Allow SNMP monitoring without NAT translation
+   set vpp nat44 exclude rule 20 local-port 161
+   set vpp nat44 exclude rule 20 protocol udp
+   set vpp nat44 exclude rule 20 external-interface eth1
+   set vpp nat44 exclude rule 20 description "SNMP monitoring"
+
+**Exclude all traffic to router management interface:**
+
+.. code-block:: none
+
+   # Exclude all traffic to router's management IP
+   set vpp nat44 exclude rule 30 local-address 192.168.100.1
+   set vpp nat44 exclude rule 30 description "Management interface bypass"
+
+**Exclude all traffic from external interface:**
+
+.. code-block:: none
+
+   # Exclude all traffic from external interface (alternative approach)
+   set vpp nat44 exclude rule 31 external-interface eth1
+   set vpp nat44 exclude rule 31 description "External interface bypass"
+
+**Exclude forwarded traffic for specific service:**
+
+.. code-block:: none
+
+   # Allow external access to internal server without NAT translation
+   set vpp nat44 exclude rule 40 local-address 192.168.1.50
+   set vpp nat44 exclude rule 40 local-port 8080
+   set vpp nat44 exclude rule 40 protocol tcp
+   set vpp nat44 exclude rule 40 description "Direct access to internal service"
+
+Common Use Cases
+----------------
+
+**Router Administration:**
+
+Exclude rules are essential when you need to manage the router from external networks. Without exclude rules, NAT would attempt to translate the router's own traffic, potentially breaking management connections.
+
+**Service Monitoring:**
+
+Network monitoring systems often need direct access to router services. Exclude rules ensure that monitoring traffic bypasses NAT translation.
+
+**Routing Protocols:**
+
+Some routing protocols or network services may require direct communication without NAT interference.
+
+**Traffic Forwarding:**
+
+Exclude rules also work for forwarded traffic between networks. Without exclude rules, traffic from external to local networks must either match a static rule or be dropped. With exclude rules, traffic can bypass NAT processing with invisible 1-to-1 mappings.
+
+.. important::
+
+   Exclude rules affect both traffic destined for the router itself and forwarded traffic flowing through the router. For forwarded traffic, exclude rules create transparent 1-to-1 mappings that allow packets to pass without NAT modifications, while from the outside perspective, the traffic appears to bypass NAT entirely.
+
 Advanced NAT44 Settings
------------------------
+=======================
 
 VyOS provides additional NAT44 settings for fine-tuning performance and behavior. These settings are configured under the VPP settings hierarchy.
 
 Session Timeouts
-^^^^^^^^^^^^^^^^
+----------------
 
 NAT44 maintains translation sessions with configurable timeout values for different protocols:
 
@@ -374,7 +537,7 @@ NAT44 maintains translation sessions with configurable timeout values for differ
    set vpp settings nat44 timeout icmp 30
 
 Session Limits
-^^^^^^^^^^^^^^
+--------------
 
 Control the maximum number of concurrent NAT sessions:
 
@@ -392,7 +555,7 @@ This setting helps prevent memory exhaustion and ensures predictable performance
    set vpp settings nat44 session-limit 100000
 
 Forwarding Behavior
-^^^^^^^^^^^^^^^^^^^
+-------------------
 
 By default, VyOS NAT44 forwards packets that don't match any NAT rules according to the routing table. This behavior can be controlled:
 
@@ -410,7 +573,7 @@ By default, VyOS NAT44 forwards packets that don't match any NAT rules according
 * **Security isolation**: Preventing any non-NAT traffic from traversing the device
 
 Worker Assignment
-^^^^^^^^^^^^^^^^^
+-----------------
 
 For advanced performance tuning, you can assign NAT44 processing to specific worker threads:
 
@@ -433,7 +596,7 @@ For advanced performance tuning, you can assign NAT44 processing to specific wor
    Worker assignment is an advanced feature typically used in high-performance deployments where you want to dedicate specific CPU cores to NAT processing. Most deployments don't require this configuration.
 
 Complete Configuration Example
-------------------------------
+==============================
 
 Here's a complete example showing how to configure VyOS NAT44 for a typical network setup:
 
@@ -466,6 +629,17 @@ Here's a complete example showing how to configure VyOS NAT44 for a typical netw
    set vpp nat44 address-pool translation address 203.0.113.10-203.0.113.50
    set vpp nat44 address-pool twice-nat address 203.0.113.100-203.0.113.110
 
+   # Exclude rules for router management
+   set vpp nat44 exclude rule 10 local-address 203.0.113.1
+   set vpp nat44 exclude rule 10 local-port 22
+   set vpp nat44 exclude rule 10 protocol tcp
+   set vpp nat44 exclude rule 10 description "SSH access to router"
+
+   set vpp nat44 exclude rule 11 local-address 203.0.113.1
+   set vpp nat44 exclude rule 11 local-port 443
+   set vpp nat44 exclude rule 11 protocol tcp
+   set vpp nat44 exclude rule 11 description "HTTPS access to router web interface"
+
    # Static rule for web server (HTTP)
    set vpp nat44 static rule 100 local address 192.168.1.10
    set vpp nat44 static rule 100 local port 80
@@ -500,11 +674,12 @@ Here's a complete example showing how to configure VyOS NAT44 for a typical netw
    set vpp nat44 static rule 300 description "API service (No Internet access for it)"
 
 Best Practices and Troubleshooting
-----------------------------------
+==================================
 
 Recommendations
-^^^^^^^^^^^^^^^
+---------------
 
+* **Use exclude rules** for router management services like SSH
 * **Use out-to-in-only** for services that do not need access to external networks
 * **Limit port ranges** in static rules to only necessary ports
 * **Document all rules** using descriptions for easier management
@@ -512,7 +687,7 @@ Recommendations
 * **Configure appropriate pool sizes** based on expected concurrent connections in your network
 
 Common Configuration Issues
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
+---------------------------
 
 **Static rules not working:**
 
@@ -526,8 +701,20 @@ Common Configuration Issues
 2. Verify static rules have the correct twice-nat option
 3. Check that both translation and twice-nat pools are properly defined
 
+**Router management access issues:**
+
+1. Verify exclude rules are configured for management services
+2. Check that local-address matches the router's interface IP
+3. Ensure external-interface is correctly specified
+
+**Forwarded traffic from external networks not bypassing NAT:**
+
+1. Verify exclude rules are configured for the specific traffic flow
+2. Check that local-address matches the destination IP in the internal network
+3. Ensure protocol and port specifications match the traffic requirements
+
 Operational Commands
-^^^^^^^^^^^^^^^^^^^^
+====================
 
 Monitor NAT44 status and active connections using VyOS operational commands: