
Update Junos, VyOS, FSOS and libvirt notes

Håvard O. Nordstrand, 4 years ago
commit cd67bde218

+ 169 - 0
config/network/fs-fsos-switches.md

@@ -0,0 +1,169 @@
+---
+title: FS FSOS Switches
+breadcrumbs:
+- title: Configuration
+- title: Network
+---
+{% include header.md %}
+
+### Using
+{:.no_toc}
+
+- FS S3700-24T4F
+
+## Info
+
+- The CLI is very Cisco IOS-like.
+- The default credentials are username `admin` and password `admin`.
+- The default mgmt. IP address is `192.168.1.1/24`.
+- By default, SSH, Telnet and HTTP servers are accessible using the default mgmt. address and credentials.
+- The default VLAN is VLAN1.
+
+### Supported Security Mechanisms
+
+For the FS S3700-24T4F.
+
+**TODO**
+
+## Initial Setup
+
+1. Connect to the switch using serial.
+    - Using RS-232 w/ RJ45, baud 115200, 8 data bits, no parity bits, 1 stop bit, no flow control.
+    - Use `Ctrl+H` for backspace.
+1. Login with username `admin` and password `admin`.
+1. Enter exec mode: `enable`
+1. (Optional) Show version: `show version`
+    - See the note below on how to upgrade it.
+1. Enable password services:
+    1. Enable prompting for password after command: `service password-hidden`
+    1. Enable automatic hashing of passwords (using some weak alg.): `service password-encryption`
+1. Add user: `username <username> password 0 <password>`
+1. Disable admin user: `no username admin`
+1. (Optional) Setup authentication (defaults to local):
+    1. Disable enable authn: `aaa authentication enable default none`
+    1. Enable login authn using local users: `aaa authentication login default local`
+1. Disable HTTP server:
+    1. `no ip http server`
+    1. `no ip http language`
+1. Enable SSH and disable Telnet:
+    1. Enable SSH server (enabled by default): `ip sshd enable`
+    1. Set SSH version: `ip sshd version 2`
+    1. Disable SSH RC4 cipher: `ip sshd disable-rc4`
+    1. Save the current key pair to flash to avoid regenerating it: `ip sshd save`
+    1. (Optional) Enable SFTP: `ip sshd sftp`
+    1. Disable Telnet: `no ip telnet enable`
+1. Disable unused interfaces:
+    1. Enter physical interface range (e.g. `int range g0/25-28`).
+    1. Disable them: `shutdown`
+1. Setup physical interface (applies motsly to other interfaces too):
+    1. Set description: `description <description>`
+    1. Enable or disable: `[no] shutdown`
+1. Setup LAGs:
+    1. Enter port agg. interface: `interface port-aggregator <n>`
+    1. Set load balancing/hashing method: `aggregator-group load-balance both-ip`
+    1. Change LACP timeout to fast (1s) or slow (30s): `agg-period <seconds>`
+    1. Enter a physical interface range.
+    1. Set agg. group and mode: `aggregator-group <n> mode lacp`
+    1. Show LACP status: `show aggregator-group brief`
+1. Setup VLANs:
+    1. Define VLAN: `vlan <VID>`
+    1. Enter VLAN interface: `interface VLAN<VID>`
+    1. **TODO** Member interfaces etc.
+1. Setup L3 interface:
+    1. Enter the interface (physical, VLAN, etc.).
+    1. Set the IPv4 address: `ip address <address> <subnet>`
+    1. Set the IPv6 address: `ipv6 address <address>/<prefix-length>`
+    1. Explicitly enable IPv6: `ipv6 enable`
+    1. Disable directed broadcasts: `no ip directed-broadcast`
+    1. **TODO** Test IPv6.
+1. Disable default VLAN:
+    1. Enter VLAN: `int VLAN1`
+    1. Disable it: `shutdown`
+    1. **TODO** Needs testing.
+1. Set hostname: **TODO**
+1. Set mgmt. addresses: **TODO**
+1. Set default and static routes: **TODO**
+1. Set DNS servers: **TODO**
+1. Set time and NTP servers: **TODO**
+1. (Optional) Add MOTD: `greeting <text-line>` (for each line, no quotes required)
+1. Enable LLDP: `lldp run`
+1. Enable SNMP:
+    1. Enable RO for `public` community: `snmp-server community 0 public ro`
+    1. **TODO** Filter slow OIDs.
+1. Setup STP (802.1W/RSTP): **TODO**
+1. Enable flow control:
+    1. Enter a physical interface range.
+    1. Enable auto mode: `flow-control auto`
+1. Enable storm control:
+    1. Enter an interface range.
+    1. Enable for broadcast: `storm-control broadcast threashold <n>` (units of 64kb/s)
+    1. Enable for unknown-destination unicast: `storm-control unicast threashold <n>` (units of 64kb/s)
+    1. (Optional) Enable for multicast: `storm-control multicast threashold <n>` (units of 64kb/s)
+    1. **TODO** Test.
+1. Enable port security:
+    1. Enter an interface range.
+    1. Enable dynamic mode: `switchport port-security mode dynamic`
+    1. Enable maximum addresses: `switchport port-security dynamic maximum <1>`
+    1. **TODO** Test timeout etc.
+1. Setup IGMP and MLD snooping: **TODO**
+1. Setup security mechanisms (DHCP snooping, IPSG, DAI, IPv6 stuff, etc.): **TODO**
+1. (Optional) Setup RADIUS: **TODO**
+1. (Optional) Setup TACACS+:
+    1. Enable and set server: `tacacs-server host <server> key 0 <key-or-prompt>`
+    1. Set login authn to use TACACS+ and fallback to local: `aaa authentication login default group tacacs+ local`
+    1. **TODO** Set authz too?
+    1. **TODO** Add accounting too?
+    1. **TODO** Test.
+1. Set terminal idle timer:
+    1. Enter console line: `line console 0`
+    1. Set timeout: `exec-timeout <seconds>`
+    1. Enter VTY lines: `line vty 0 31`
+    1. Set timeout (again).
+1. Save the config: `write all`
+
+## Commands
+
+- Configuration:
+    - Show startup config: `show configuration`
+    - Show running config: `show running-config`
+    - Show interface config: `show {conf | run} <interface>`
+    - Save configuration: `write all`
+    - Format system: `format` (**TODO**: Does it keep the software image?)
+- Interfaces:
+    - Show L2 brief: `show int brief`
+    - Show L3 brief: `show ip int brief`
+- LACP:
+    - Show semi-detailed overview: `show aggregator-group [n] brief`
+    - Show member ports: `show aggregator-group [n] summary`
+- Reboot: `reboot`
+
+### Configuration Mode
+
+- Enter interface range: `interface range <type><slot>/<port-range>[,<port-range>]*` (e.g. `interface range g0/1-3,5`)
+
+## Tasks
+
+### Configure With ZTP
+
+**TODO**
+
+### Upgrade Firmware
+
+#### Via Web Panel
+
+1. Log into the Web panel.
+1. Go to "System Mgr.", "System Software".
+1. Select the software image (`FS-something.bin`) and check automatic reboot.
+1. Start the upgrade and do *not* leave the webpage until it tells you to.
+1. Verify.
+
+#### Via CLI
+
+1. Put the image file on a TFTP server.
+1. Download it to the switch: `copy tftp:<file> flash:<file> <host>`
+    - Make sure it has a descriptive name like `S3700-24T4F_V63289.bin`.
+1. Set to boot the new image (conf mode): `boot system flash <file>`
+1. Reboot: `reboot`
+1. Verify: `show version`
+
+{% include footer.md %}
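Review bot: `aaa authentication enable default none` under "(Optional) Setup authentication" removes the password check for privileged exec mode, so any account that can log in gets full configuration access; if that is intended, say so, otherwise leave enable authentication at its default or set a local enable password. Smaller points in the same file: `switchport port-security dynamic maximum <1>` mixes a placeholder with a literal value and should read `<n>` (or plain `1`); `storm-control broadcast threashold <n>` is spelled that way on all three storm-control lines, so either the CLI keyword really is `threashold` (worth a remark, since readers will "correct" it) or it is a typo for `threshold`; and "applies motsly to other interfaces" should be "mostly". Since SNMP is enabled with the well-known `public` community (`snmp-server community 0 public ro`), prefer a non-default community name, and since the CLI upgrade path fetches the image over unauthenticated TFTP (`copy tftp:<file> flash:<file> <host>`), add a step to compare the image checksum with the vendor's published value before `boot system flash <file>`.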

+ 27 - 17
config/network/juniper-junos-general.md

@@ -33,14 +33,15 @@ breadcrumbs:
     - `|`: Can be used to filter the output.
 - Open CLI in operational mode (from shell): `cli`
 - Open shell (from op mode):
-    - Local: `start shell`
+    - Local: `start shell user root`
     - VC: `request session member <vc-member-id>`
 - Enter configuration mode (from op mode): `configure`
 - Exit any mode: `exit`
 - Show configuration:
-    - From op mode: `show configuration [statement]`
-    - From config mode: `show [statement]`
-    - Show changes: `show | compare`
+    - From (op mode): `show configuration [statement]`
+    - From (conf mode): `show [statement]`
+    - Show changes (conf mode): `show | compare`
+    - Show as set-statements (op mode): `show configuration | display set`
 - Run op command in config mode: `run <command>`
 - Navigate config mode:
     - The config is structures as nested container statements and leaf statements.
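Review bot: `start shell user root` now starts the shell as root instead of as the logged-in user, which the line does not explain; it prompts for the root password and hands out an unrestricted FreeBSD shell, so say when that is needed and keep plain `start shell` as the default. Style: "From (op mode):" and "From (conf mode):" should be "From op mode:" and "From conf mode:", matching the "(conf mode)" and "(op mode)" suffix style used on the two lines that follow, and "The config is structures as nested container statements" in the context line below should read "is structured as".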
@@ -50,6 +51,7 @@ breadcrumbs:
 - Commit config changes: `commit [comment <comment>] [confirmed] [and-quit]`
     - `confirmed` automatically rolls back the commit if it is not confirmed within a time limit.
     - `and-quit` will quit configuration mode after a successful commit.
+- Delete all existing configuration while in config mode: `load override terminal`, then Ctrl+D.
 
 ### Booting
 
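Review bot: `load override terminal` followed by Ctrl+D only replaces the candidate configuration; nothing on the device changes until `commit`, and the wording "Delete all existing configuration" suggests an immediate effect. Say that a `commit` is still required, that `rollback 0` discards the emptied candidate if it was a mistake, and that `commit confirmed` (documented two lines up) is the safe way to commit it on a remote device.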
@@ -80,6 +82,14 @@ Wait for the "The operating system has halted." text before pulling the power, s
 - Show routing engine usage: `show chassis routing-engine`
 - Show effective configuration (with inheritance): `show <configuration> | display inheritance`
 
+### Move Config
+
+- Copy config from host to device over SCP:
+    1. Copy (host): `scp <config> <device>:/config/juniper.conf.new`
+    1. Load (conf mode): `load override /config/juniper.conf.new`
+    1. Show changes and commit.
+    1. Delete tmp config (op mode): `file delete /config/juniper.conf.new`
+
 ### Interfaces
 
 - Show interfaces:
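Review bot: `load override /config/juniper.conf.new` in "Move Config" replaces the whole candidate configuration, so if the copied file lacks the management interface or the `ssh` service the commit in step 3 locks you out of a remote device; step 3 should spell out `show | compare` and use `commit confirmed` rather than a plain commit. The copied file also carries the source device's password hashes and any pre-shared keys, so the `file delete /config/juniper.conf.new` cleanup step should not be treated as optional.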
@@ -106,7 +116,7 @@ Wait for the "The operating system has halted." text before pulling the power, s
 ### Reset Root Password
 
 1. Power on the device and prepare for the next step.
-1. Press space quickly as the "Hit [Enter] to boot immediately, or space bar for command prompt." message is shown. You should immediately enter a `loader>` prompt.
+1. Press space quickly as the "Hit \[Enter\] to boot immediately, or space bar for command prompt." message is shown (right before the kernel is loaded). You should immediately enter a `loader>` prompt.
 1. Run `boot -s` to boot into single-user mode.
 1. When prompted for a shell, enter `recovery`.
 1. Wait for the device to fully boot.
@@ -122,31 +132,31 @@ Note: USB3 drives may not work properly. Use USB2 drives.
 1. Show current storage devices: `ls -l /dev/da*`
 1. Insert the drive. It should print a few lines to the console.
 1. Show current storage devices again and find the new device.
-1. Create a dir to mount it to: `mkdir /var/tmp/usb1`
-1. Mount it: `mount_msdosfs <device> /var/tmp/usb1`
+1. Mount it: `mkdir /var/tmp/usb0 && mount_msdosfs <device> /var/tmp/usb0` (arbitrary path)
+1. Check that it's mounted properly: `ls -l /var/tmp/usb0`
 1. Do stuff with it.
-1. Unmount it: `umount /dev/tmp/usb1`
+1. Unmount it: `umount /var/tmp/usb0 && rmdir /var/tmp/usb0`
 
 ### Upgrade Junos Using a USB Drive
 
 1. Format the USB drive using FAT32.
 1. Copy the software file to the drive.
 1. Mount the USB drive:
-    - Example: `mkdir /var/tmp/usb0` and `mount_msdosfs /dev/da1s1 /var/tmp/usb0`
+    - TL;DR: `mkdir /var/tmp/usb0 && mount_msdosfs <device> /var/tmp/usb0`
     - See [mount a USB drive](#mount-a-usb-drive).
+1. Check the contents: `ls -l /var/tmp/usb0`
 1. Copy the file to internal storage: `cp /var/tmp/usb0/jinstall* /var/tmp/`
-    - Run `ls -l /var/tmp/usb0` to get the full name of the file, you'll need it later.
-1. Unmount and remove the USB drive: `umount /var/tmp/usb1`
-1. Install (op mode): `request system software add <file> no-copy reboot`
+1. Unmount and remove the USB drive: `umount /var/tmp/usb0 && rmdir /var/tmp/usb0`
+1. Enter op CLI: `cli`
+1. Install: `request system software add <file> no-copy reboot`
     - If it complains about certificate problems, consider disabling verification using `no-validate`.
     - It will reboot before and after.
     - It may produce some insignificant errors in the process (commands not found etc.).
 1. Verify that the system is booted from the active partition of the internal media: `show system storage partitions`
-1. Verify that the current Junos version is correct: `show system snapshot media internal`
-1. Copy to the alternate root partition: `request system snapshot slice alternate`
-    - May take several minutes.
-1. Verify that the active and backup partitions have the same Junos version: `show system snapshot media internal`
-    - If this fails, wait a bit and try again. The copy may still be working.
+1. Verify that the current Junos version for the primary partition is correct: `show system snapshot media internal`
+1. Copy to the alternate root partition (may take several minutes): `request system snapshot slice alternate`
+1. Verify that the primary and backup partitions have the same Junos version: `show system snapshot media internal`
+    - If it fails, wait a bit and try again. The copy may still be happening.
 
 If the method above did not work, try this instead to completely format and flash the device.
 
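Review bot: the advice "If it complains about certificate problems, consider disabling verification using `no-validate`" turns off the package signature check, which is the only thing tying the file on the USB drive to Juniper; before suggesting it, the step should say to compare the package checksum with the value on the download page (`file checksum md5|sha1|sha-256 /var/tmp/<file>` in op mode) and to prefer fixing the cause over disabling validation. The mount steps in "Upgrade Junos Using a USB Drive" still run from the shell while "Enter op CLI: `cli`" only comes later, so a reader who starts from the CLI needs `start shell` first; and `umount /var/tmp/usb0 && rmdir /var/tmp/usb0` fixes the old `/var/tmp/usb1` mismatch, good.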

+ 17 - 20
config/network/juniper-junos-switches.md

@@ -19,44 +19,42 @@ breadcrumbs:
 
 - EX3300 w/ Junos 15.1R7
 
-### WIP
-{:.no_toc}
-
-This page is super not done. Just random notes for now.
-
 ## Resources
 
-- [Quieter fans for Juniper EX3300 switch (Jade.WTF)](https://jade.wtf/tech-notes/quiet-ex3300/)
+- [Juniper EX3300 Fan Mod](/guides/network/juniper-ex3300-fanmod/)
 
 ## Initial Setup
 
 1. Connect to the switch using serial (RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control).
 1. Login with username `root` and no password. You'll enter the shell.
 1. Enter the operation mode: `cli`
+1. Disable default virtual chassis ports (VCPs) if not used:
+    1. Enter op mode.
+    1. Show VCPs: `show virtual-chassis vc-port`
+    1. Remove VCPs: `request virtual-chassis vc-port delete pic-slot <pic-slot> port <port-number>`
+    1. Show again to make sure they disappear. This may take a few seconds.
 1. Enter configuration mode: `configure`
-    - Use `exit` to return to CLI.
-1. Set root password: `set system root-authentication plain-text-password`
-1. Setup a non-root user: `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password`
-1. Disable root login from SSH: `set system services ssh root-login deny`
+    - Use `exit` to return to op. mode.
 1. Set host name: `set system host-name <host-name>`
 1. Set domain name: `set system domain-name <domain-name>`
+1. Enable auto snapshotting and restoration on corruption: `set system auto-snapshot`
+1. Disable DHCP auto image upgrade: `delete chassis auto-image-upgrade`
+1. Set root password: `set system root-authentication plain-text-password` (prompts for password)
+1. Setup a non-root user: `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
+1. Enable SSH server: `set system services ssh`
+1. Disable root login from SSH: `set system services ssh root-login deny`
 1. Set loopback addresses:
     1. `set interfaces lo0.0 family inet address 127.0.0.1/32`
     1. `set interfaces lo0.0 family inet6 address ::1/128`
-1. Set DNS: `set system name-server <addr>` (once for each address)
+1. Set DNS servers: `set system name-server <addr>` (once for each address)
 1. Set time:
     1. (Optional) Set time locally: `set date <YYYYMMDDhhmm.ss>`
     1. Set server to use while booting: `set system ntp boot-server <address>`
     1. Set server to use periodically: `set system ntp server <address>`
     1. Set time zone: `set system time-zone Europe/Oslo` (example)
     1. Note: After committing, use `show ntp associations` to verify NTP.
-1. Disable default virtual chassis ports (VCPs) if not used:
-    1. Enter op mode.
-    1. Show VCPs: `show virtual-chassis vc-port`
-    1. Remove VCPs: `request virtual-chassis vc-port delete pic-slot <pic-slot> port <port-number>`
-    1. Show again to make sure they disappear. This may take a few seconds.
-1. Delete default interfaces configs: `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPSc/PICs)
-1. Disable unused interfaces: `wildcard range set interface ge-0/0/[0-47] disable` (example, repeat for all FPSc/PICs)
+1. Delete default interfaces configs: `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPCs/PICs)
+1. Disable unused interfaces: `wildcard range set interface ge-0/0/[0-47] disable` (example, repeat for all FPCs/PICs)
 1. Disable dedicated management port and alarm:
     1. Disable: `set int me0 disable`
     1. Delete logical interface: `delete int me0.0`
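Review bot: moving the VCP deletion ahead of `configure` is right, since `request virtual-chassis vc-port delete` is an op-mode command, but its first sub-step "Enter op mode" is now redundant because the previous step just ran `cli`. The new `set system services ssh` line enables SSH with defaults; since the next line already denies root login, also pin `set system services ssh protocol-version v2` so v1 is never negotiated. The root password and non-root user steps were moved below the hostname and auto-snapshot steps, which is fine, but nothing is applied until the `commit` near the end, so it is worth a reminder that the device keeps the empty root password until that commit.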
@@ -95,10 +93,9 @@ This page is super not done. Just random notes for now.
 1. Setup static IP routes:
     1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
     1. IPv6 default gateway: ``set routing-options rib inet6.0 static route ::0/0 next-hop <next-hop>``
+1. Enable Ethernet flow control: **TODO**
 1. Configure RSTP: **TODO**
 1. Configure SNMP (public RO): `set snmp community public authorization read-only`
-1. Enable auto snapshotting and restoration on corruption: `set system auto-snapshot`
-1. Disable DHCP auto image upgrade: `delete chassis auto-image-upgrade`
 1. Setup event policies: **TODO**
 1. Commit configuration: `commit [confirmed]`
 1. Backup config to rescue config: `request system configuration rescue save`
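Review bot: `set snmp community public authorization read-only` has no client restriction, so it answers any source that reaches the switch with the well-known community, and read-only SNMPv2c still exposes the interface, ARP and route tables; add `set snmp community <name> clients <prefix>` and use a non-default community name. The rescue-config step `request system configuration rescue save` correctly follows the commit, but note that the rescue copy contains the same password hashes as the committed config.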

+ 14 - 8
config/network/vyos.md

@@ -23,8 +23,8 @@ See [Installation (VyOS)](https://docs.vyos.io/en/latest/install.html).
 1. Burn and boot from it (it's a live image).
 1. Log in using user `vyos` and password `vyos`.
 1. Run `install image` to run the permanent installation wizard.
-    - Keep the suggested image name.
-    - Use the `/opt/vyatta/etc/config.boot.default` default config file.
+    - Keep the suggested image name to keep track of versions.
+    - If asked about which config to copy, any one is fine.
 1. Remove the live image and reboot.
 
 ## Initial Configuration
@@ -44,10 +44,10 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
     1. Domain name: `set system domain-name <domain-name>`
 1. Set the DNS servers: `set system name-server <ip-address>` (for each server)
 1. Set the time zone: `set system time-zone Europe/Oslo` (Norway)
-1. Set NTP servers:
+1. (Optional) Replace the NTP servers:
     1. Remove default NTP servers: `delete system ntp <server>` (for each server)
     1. Add new NTP servers: `set system ntp server ntp.justervesenet.no` (example)
-1. Enable Ctrl+Alt+Del reboot: `set system options ctrl-alt-del-action reboot` (or `ignore`)
+1. (Optional) Enable Ctrl+Alt+Del reboot: `set system options ctrl-alt-del-action reboot` (or `ignore`)
 1. Replace default user:
     1. Add new user with password: `set system login user <username> authentication plaintext-password "<password>"` (remember quotation marks if it contains spaces)
     1. Commit and log into the new user.
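Review bot: `set system login user <username> authentication plaintext-password "<password>"` puts the cleartext password into the CLI history of the session; VyOS hashes it on commit, but if that matters use `encrypted-password` with a pre-generated hash instead. Marking "Replace the NTP servers" and the Ctrl+Alt+Del action as optional matches the rest of the list; the sub-step "Remove default NTP servers" should name or show how to list the defaults the reader is supposed to delete.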
@@ -74,9 +74,15 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
 1. Set default routes: `set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop>` (for IPv4 and IPv6)
 1. (Optional) Set black hole route: `set protocols static route[6] <prefix> blackhole` (for IPv4 and IPv6)
 1. Enable LLDP: `set service lldp interface all`
-1. Enable SSHD:
-    1. Enable: `set service ssh`
-    1. More options: [VyOS SSH](https://docs.vyos.io/en/latest/services/ssh.html)
+1. Setup SSHD:
+    1. Enable server: `set service ssh`
+    1. (Optional) Commit and log in through SSH instead of the console.
+    1. (Optional) Add your personal pubkey by entering it:
+        1. Enter section: `edit system login user <user> authentication public-keys <some-key-id>`
+        1. Set key type: `set type ssh-rsa`
+        1. Set key (only the Base64-encoded part): `set key <key>`
+    1. (Optional) Add your personal pubkey bu downloading it: `loadkey <username> <URI>`
+    1. Disable password login (pubkeys only): `set service ssh disable-password-authentication`
 1. Enable unicast reverse path forwarding (uRPF) globally: `set firewall source-validation strict`
 1. Set firewall options:
     1. Enter firewall section.
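Review bot: "Disable password login (pubkeys only)" is not marked optional but follows two optional key-loading steps, so a reader who skips those and commits `set service ssh disable-password-authentication` locks themselves out of SSH; make adding a key mandatory when password login is disabled, and say to verify a key-based login from a second session before committing, ideally with `commit-confirm` instead of `commit`. Typo in "Add your personal pubkey bu downloading it": "bu" should be "by". `loadkey <username> <URI>` fetches the key over the network, so the URI should point at a source you control and reach over a server-authenticated channel. `set type ssh-rsa` is only one option; ed25519 keys use `set type ssh-ed25519`.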
@@ -133,6 +139,6 @@ Reboot the device and wait for the boot screen. In the boot screen, select the "
 
 ## Random Notes
 
-- The DHCPv4 relay requires the interface towards the upstream DHCP server to be included in the relay interfaces. Otherwise the responses from the upstream server will be dropped.
+- The DHCPv4 relay requires the interface towards the upstream DHCP server to be included in the relay interfaces. Otherwise the responses from the upstream server will be dropped. The relay is also very bugged at the moment so I'd recommend not using it until it gets fixed. See [T377](https://phabricator.vyos.net/T377) and [T1276](https://phabricator.vyos.net/T1276).
 
 {% include footer.md %}

+ 25 - 14
config/virt-cont/libvirt-kvm.md

@@ -22,6 +22,19 @@ Using **Debian**.
 1. Install without extra stuff (like GUIs): `apt-get install --no-install-recommends iptables bridge-utils qemu-system qemu-utils libvirt-clients libvirt-daemon-system virtinst libosinfo-bin`
 1. (Optional) Install `dnsmasq-base` for accessing guests using their hostnames.
 1. (Optional) Add users to the `libvirt` group to allow them to manage libvirt without sudo.
+1. Set up the default network:
+    1. It's already created, using NAT, DNS and DHCP.
+    1. If not using dnsmasq, disable DNS and DHCP:
+        1. Open the config: `virsh net-edit default`
+        1. Disable DNS: Set `<dns enable='no'/>`.
+        1. Disable DHCP: Remove `<dhcp>...</dhcp>`.
+        1. Restart libvirtd.
+    1. Start it: `virsh net-start default`
+    1. (Optional) Autostart it: `virsh net-autostart default`
+1. Set up the default storage pool:
+    1. Create it: `virsh pool-define-as default --type=dir --target=/var/lib/libvirt/images`
+    1. Start it: `virsh pool-start default`
+    1. Autostart it: `virsh pool-autostart default`
 
 ## Usage
 
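Review bot: "Restart libvirtd" after `virsh net-edit default` is heavier than needed and may leave the already-running network untouched; `net-edit` changes the persistent definition, which takes effect on `virsh net-destroy default && virsh net-start default`. The sub-step "If not using dnsmasq, disable DNS and DHCP" should say why: libvirt implements DHCP and DNS on `default` with dnsmasq, so after the `--no-install-recommends` install above (which skips `dnsmasq-base`) the network will not start until `<dns enable='no'/>` is set and the `<dhcp>` block is removed; if `dnsmasq-base` is installed there is nothing to disable. A `virsh net-list --all` before "Start it" shows whether `default` is inactive in the first place.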
@@ -40,19 +53,23 @@ Using **Debian**.
     - Enter: `virsh console <vm>`
     - Exit: `Ctrl+]` (US) or `Ctrl+¨` (NO)
 - Create VM:
-    - Example: `virt-install --name=example-vm --network=network=default,model=virtio --os-variant=debian10 --ram=$((1*1024)) --vcpus=1 --disk=path=/var/lib/libvirt/images/example-vm.qcow2,bus=virtio,size=5 --graphics=none --check=all=off --extra-args="console=ttyS0" --location=debian-10.7.0-amd64-netinst.iso`
+    - Example: `virt-install --name=example-vm --os-variant=debian10 --ram=$((1*1024)) --vcpus=1 --disk=path=/var/lib/libvirt/images/example-vm.qcow2,bus=virtio,size=5 --network=network=default,model=virtio --graphics=none --extra-args="console=ttyS0" --location=debian-10.7.0-amd64-netinst.iso`
     - The disk path should match a storage pool path.
     - Show available OS variants: `osinfo-query os`
-    - This will automatically open a console for the VM. Specify `--noautoconsole` to avoid that.
+    - To disable various checks, specify `--check=all=off`.
+    - To use a host bridge instead of a libvirt network, specify `--network=bridge=something` instead of `--network=network=something`.
+    - To avoid opening a console (or waiting if there is no console), specify `--noautoconsole` to avoid that.
     - If it "can't find the kernel" when using `--location`, use `--cdrom` instead. This disallows using arguments like `--extra-args`, so you'll need to find another console.
     - Make sure the ISO is readable by the QEMU user.
-    - To install using a VNC screen instead of console (e.g. if you need richer graphics or when using `--cdrom` and no console is allocated), replace `--graphics=none` with `--noautoconsole --graphics=vnc,password=<password>`. It only binds to localhost by default, so use something like SSH port forwarding (`ssh -L 5900:127.0.0.1:5900 <user>@<addr>`) to access it remotely.
+    - To install using a VNC screen instead of console (e.g. if you need richer graphics or when using `--cdrom` and no console is allocated), replace `--graphics=none` with `--noautoconsole --graphics=vnc,password=<password>`. It only binds to localhost by default, so use something like SSH port forwarding (`ssh -L 5900:127.0.0.1:5900 <user>@<addr>`) to access it remotely. Remember to disable it in the VM config when no longer needed.
 - Clone VM:
     1. Create a source/template VM and make sure it's not running.
     1. Clone it: `virt-clone --original=<source-vm> --name=<vm> -f <vm>.qcow2`
 - Remove VM: `virsh undefine <vm>`
 - Set VM to automatically start (or disable it): `virsh autostart [--disable] <vm>`
-- Edit VM config: `virsh edit <vm>`
+- Edit VM config:
+    1. Open tmp. config in editor: `virsh edit <vm>`
+    1. Shutdown and start the VM (rebooting it doesn't work).
 - Show VM config: `virsh dumpxml <vm>`
 - Show VM graphics URI: `virsh domdisplay <vm>`
     - For VNC, the shown port is offset from port 5900.
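Review bot: `--graphics=vnc,password=<password>` leaves the password in the shell history, in `ps` output while virt-install runs, and in cleartext in the domain XML (visible with `virsh dumpxml --security-info <vm>`), and VNC authentication itself is weak (the password is truncated to 8 characters), so the localhost-only bind plus SSH forwarding is doing the real work; the added "Remember to disable it in the VM config when no longer needed" should say how, i.e. `virsh edit <vm>`, remove the `<graphics>` element, then shutdown and start as the "Edit VM config" steps in this hunk describe. The `--noautoconsole` line has a duplicated tail ("To avoid opening a console ... specify `--noautoconsole` to avoid that"); drop "to avoid that". Taking `--check=all=off` out of the example command and listing it separately is a good change, since it silently overrides disk-overwrite and path warnings.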
@@ -61,16 +78,14 @@ Using **Debian**.
 
 ### Networking
 
-- Set up networking on host:
-    1. Enable IP forwarding on the system (IPv4 and IPv6).
-    1. Create bridges to connect VMs to networks.
-    1. Add firewall rules to allow traffic.
+- The default network interface is `virbr0`, called `default` in libvirt.
 - Show networks: `virsh net-list`
 - Show network config: `virsh net-dumpxml <network>`
 - Edit network config (without applying it): `virsh net-edit <network>`
 - Apply changed network config: Restart libvirt or reboot the system.
-- The default network interface is `virbr0`, called `default` in libvirt.
-- Enable the default network: `virsh net-start default && virsh net-autostart default`
+- Create bridge connected to physical NIC:
+    - Note: If you're connected remotely, try to avoid locking yourself out.
+    - Create bridge on the host: See [BridgeNetworkConnections (Debian Wiki)](https://wiki.debian.org/BridgeNetworkConnections) or something.
 
 ### Storage
 
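Review bot: "Create bridge connected to physical NIC" replaces four concrete steps (enable IP forwarding, create bridges, add firewall rules) with a link and "or something"; drop "or something" and keep the steps that still apply. The lock-out warning should say what to do rather than "try to avoid": move the host's address from the NIC onto the bridge in the same change and test from the console. It is also worth stating that the NAT and forwarding rules libvirt installs for `default` do not cover a host bridge, so the host firewall needs its own forward rules for bridged guests.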
@@ -80,10 +95,6 @@ Using **Debian**.
 - Volume basics:
     - Show volumes: `virsh list-vol <pool> [--details]`
     - Show volume info: `virsh vol-info <file>`
-- Create default storage pool:
-    1. Create it: `virsh pool-define-as default --type=dir --target=/var/lib/libvirt/images`
-    1. Start it: `virsh pool-start default`
-    1. Autostart it: `virsh pool-autostart default`
 - Resize disk: `qemu-img resize <file> <size-change>` (e.g. +1G)
 - Cold backup of VM:
     - Make sure the VM is stopped so that the disk image is consistent.