...
These notes summarize the PICOS 34.7 0 new features, new hardware, known bugs, and bug fixes. Best practice is to read all of the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.
New Software Features
Layer 2 and Layer 3
...
NTP config commands are changed
The NTP server IP and source interface are configured with the following commands:
set system ntp server-ip x.x.x.x
set system ntp source-interface xxxx
If the NTP source interface is configured, the source interface will be used for the NTP connection.
...
- Removed the global setting to enable DHCP snooping on all VLANs.
- A pattern, rather than a fixed string, can be configured for option 82.
- With VRRP, the IP address of the DHCP relay agent can be the virtual IP address of the VRRP group.
- A new MLAG DHCP Sync message is defined to sync DHCP messages between the two MLAG spines.
...
- The CLI commands for DHCP snooping and relay changed in 3.7.0. The upgrade to 3.7.0 fails if the old version's configuration includes DHCP snooping or relay settings.
- Additionally, the MLAG CLI commands changed in 3.6.x, so the upgrade to 3.7.0 fails if the running version is older than 3.6.x and has MLAG configured.
- For an upgrade from 2.11.x, refer to Upgrading PICOS from Release 2.11.x Using Upgrade.
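A pre-upgrade check that encodes the three rules above is a practical thing to run against a saved configuration before touching the switch. The script below is an added example, not PICOS code and not part of these release notes; the keyword patterns used to recognise DHCP snooping/relay and MLAG stanzas, and the sample configuration lines, are assumptions about how those stanzas appear in a saved "set ..." configuration.

```python
"""Pre-upgrade compatibility check for a saved PICOS 'set ...' configuration.

Added example (not PICOS code or part of the release notes). It encodes the
rules above: DHCP snooping/relay configuration must be removed before
upgrading to 3.7.0, MLAG configuration requires a running version of at
least 3.6.x, and 2.11.x needs its own upgrade procedure. The keyword
patterns and the sample configuration lines are assumptions.
"""
import re
from typing import List, Tuple

MIN_VERSION_FOR_MLAG = "3.6.0"

# Assumed substrings that identify the affected stanzas (case-insensitive).
DHCP_PATTERNS = ("dhcp-snooping", "dhcp snooping", "dhcp-relay", "dhcp relay")
MLAG_PATTERNS = ("mlag",)

# Constructed sample configuration; the dhcp/mlag lines use assumed syntax.
SAMPLE_CONFIG = """\
set system ntp server-ip 192.0.2.10
set vlans vlan-id 1888
set protocols dhcp-snooping vlan 10
set protocols mlag domain-id 1
""".splitlines()


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract '3.6.2' from strings such as 'PICOS 3.6.2' as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """True when version a is older than version b; missing fields count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def find_blockers(running_version: str, config_lines: List[str]) -> List[str]:
    """Return the reasons an upgrade to 3.7.0 from this state would fail."""
    active = [
        line.strip().lower()
        for line in config_lines
        if line.strip() and not line.lstrip().startswith("#")
    ]
    dhcp_hits = [l for l in active if any(p in l for p in DHCP_PATTERNS)]
    mlag_hits = [l for l in active if any(p in l for p in MLAG_PATTERNS)]

    blockers: List[str] = []
    if parse_version(running_version)[:2] == (2, 11):
        blockers.append("running 2.11.x: use the dedicated 2.11.x upgrade procedure")
    if dhcp_hits:
        blockers.append(
            f"{len(dhcp_hits)} DHCP snooping/relay line(s) present; "
            "their CLI syntax changed in 3.7.0, remove them before upgrading"
        )
    if mlag_hits and version_lt(running_version, MIN_VERSION_FOR_MLAG):
        blockers.append(
            f"MLAG is configured but running version {running_version} is older "
            "than 3.6.x, where the MLAG CLI changed"
        )
    return blockers


if __name__ == "__main__":
    for reason in find_blockers("3.5.2", SAMPLE_CONFIG) or ["no blockers found"]:
        print(reason)
```

Run it with the version string reported by the switch and the saved configuration file split into lines; an empty result means none of the three documented blockers apply.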
...
SNMP ACLs Applied as per Community or Security User Name
The snmp-acl can be configured per SNMP community or security user. That is, a community or security user can have its own IP whitelist, which overrides the global snmp-acl configuration. Refer to the document Configuring SNMP ACL for details.
...
Management VRF
Management VRF is designed to completely separate management traffic from dataplane traffic for the sake of security. The key points are as follows:
- If mgmt-vrf is enabled, management interfaces such as eth0 are in mgmt-vrf. Other VLAN interfaces cannot be added to mgmt-vrf.
- Dynamic and static routes cannot be configured in mgmt-vrf.
- Management services start in the default VRF by default. They can be moved to mgmt-vrf manually if needed.
For detailed information, refer to the document at VRF+Configuration+Guide.
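Because mgmt-vrf is realised as a Linux VRF device, the first two points above can be verified from the Linux side by reading which interfaces are enslaved to it. The script below is an added example, not PICOS code and not taken from the VRF configuration guide; the "ip -o link show" output it parses is constructed, and the interface names it assumes (eth0 as the management interface, vlanN for VLAN interfaces) are assumptions.

```python
"""Audit Linux VRF membership from 'ip -o link show' output.

Added example (not PICOS code). It checks the mgmt-vrf rules stated above:
the management interface should be enslaved to mgmt-vrf, and VLAN interfaces
must not be. The sample output is constructed, and the interface names
(eth0 as management, vlanN for VLAN interfaces) are assumptions.
"""
import re
from typing import Dict, List, Optional

MGMT_VRF = "mgmt-vrf"
MGMT_INTERFACES = ("eth0",)            # assumed management interface name(s)
VLAN_IFACE = re.compile(r"^vlan\d+$")  # assumed VLAN interface naming

# Constructed sample of 'ip -o link show' (one interface per line; the
# '\' marks where iproute2 folded the second line into the first).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master mgmt-vrf state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: mgmt-vrf: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 06:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: vlan10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master mgmt-vrf state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
5: vlan20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff
"""

# '<ifindex>: <name>[@parent]: <flags> ...'; the rest of the line holds 'master X'.
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<[^>]*>(.*)$")


def vrf_membership(ip_link_output: str) -> Dict[str, Optional[str]]:
    """Map each interface to the device named after 'master' (a VRF, bridge
    or bond), or None when it has no master."""
    members: Dict[str, Optional[str]] = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        master = re.search(r"\bmaster\s+(\S+)", rest)
        members[name] = master.group(1) if master else None
    return members


def check_mgmt_vrf(members: Dict[str, Optional[str]]) -> List[str]:
    """Return policy findings for the mgmt-vrf rules."""
    findings: List[str] = []
    for name in MGMT_INTERFACES:
        if members.get(name) != MGMT_VRF:
            findings.append(f"{name} is not in {MGMT_VRF} (master={members.get(name)})")
    for name, master in members.items():
        if VLAN_IFACE.match(name) and master == MGMT_VRF:
            findings.append(f"VLAN interface {name} must not be in {MGMT_VRF}")
    return findings


if __name__ == "__main__":
    for finding in check_mgmt_vrf(vrf_membership(SAMPLE_IP_LINK)) or ["mgmt-vrf membership OK"]:
        print(finding)
```

On a real system, feed it the output of "ip -o link show" from the switch's Linux shell; in the constructed sample, eth0 is correctly in mgmt-vrf while vlan10 is flagged because a VLAN interface must not be there.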
...
OSPF over VRF
OSPF can be enabled on a specific VRF. Policy statements can be applied to the OSPF instance per VRF. For detailed information, refer to the document at OSPF (Open Shortest Path First).
...
Split 100G port into 2 x 50G ports
A 100G port can be split into 2x50G, 4x25G, or 4x10G on AS7726_32X under L2/L3 mode.
...
DHCP Server under L2/L3
A simple version of a DHCP server is introduced into PICOS under L2/L3 mode. In particular, this DHCP server can assign IPv4 addresses to hosts in one specific VRF for Internet access. Refer to the document at Configuring DHCP Server.
...
MLAG Enhancement
Refined the behavior when configurations are inconsistent on the peering MLAG spines. PICOS keeps syncing MAC addresses on MLAG interfaces even if configurations are inconsistent on the peering MLAG spines, unless the MLAG TCP connection is broken. With regard to spanning tree, depending on the type of inconsistent configuration on the MLAG spines, PICOS takes one of the following actions:
- Do nothing and keep the traffic flowing
- Shut down the specific MLAG port
- Block the associated VLANs configured on the peer-link
Refer to Principle of MLAG for details.
...
Up to 80 abbreviated dACL rules can be added on ClearPass by abbreviating the keywords of the downloadable ACL. This change is compatible with the old version of downloadable ACL, that is, the old downloadable ACL keywords still work.
...
The host name of the CWA (Central Web Authentication) server is included in the redirect URL returned in the RADIUS access-accept message from the NAC server, so the IP address of the CWA server can be resolved through the configured DNS. The configuration commands for the IP address and L4 port of CWA are hidden:
set protocols dot1x web server-ip XXXX
set protocols dot1x web port XXXX
...
Consecutive Detect Number
Add consecutive detect number to the output of "run show dot1x server".
...
Add idle-timeout for CLI on Console Port
Log in to the switch on the console port. When the configured idle timeout expires, the CLI exits.
Open vSwitch and OpenFlow
...
TTP Improvement
New tables, Bridging_Flow_Table, Egress_Port_Flow_Table, Egress_Port_Group_Flow_Table, Egress_VLAN_Xlate_Flow_Table, and Egress_ACL_Flow_Table, are added under TTP (Table Type Pattern) mode. Refer to Configuring TTP for the detailed update.
Linux Platform
...
Hardware
...
Support N3224P-ON
N3224P-ON supports 24x10G copper ports with 802.3bt Type-4 99W PoE, 4x25G SFP28 ports, and 2x100G QSFP28 ports in the rear.
...
N3224F-ON supports 24x1G SFP ports, 4x10G SFP+ ports, and 2x100G QSFP28 stacking ports in the rear.
...
Support S5232F-ON
S5232F-ON supports 32x100G QSFP28 ports and 2x10G SFP+ ports.
...
AG5648 Support in 3.7.4
Add AG5648 back to the list of hardware support in 3.7.4.
Fixed Issues
Layer 2 and Layer 3 Features
...
Disable NTP by default
NTP should be disabled by default and only enabled when an NTP server is configured.
...
Multicast Traffic Flooded within the VLAN Even with IGMP Snooping Enabled
If a vlan-interface is configured on a specific VLAN, unknown multicast traffic is flooded within that VLAN even though IGMP snooping is enabled on it. Fixed in 3.7.1.3.
...
Don't Discard IP Fragments of NAC Messages
Under an in-band connection, the IP fragments of NAC messages should not be dropped.
...
Client Device Loses NAC authentication After session-timeout
After the authentication session-timeout (1 hour by default) expires, the client device's authentication is terminated, and under particular circumstances it cannot be authenticated again. This issue is fixed in 3.7.4.
...
A MAC address learned on the VXLAN network port of one MLAG spine is not synced to the peering MLAG spine even though the VXLAN configuration is consistent on the two MLAG spines. Additionally, the MAC address on the network port is shown with type "Dynamic" or "Sync" on both MLAG spines when executing "run show vxlan address-table". This issue is fixed in 3.7.4.
...
Traffic Loop Appears if Flip VXLAN Network Port
VXLAN is configured on the two MLAG spines. Traffic from the peer link should be blocked on the VXLAN network port unless the corresponding VXLAN network port on the peering spine is down. However, after flipping the VXLAN network port on one spine, the mechanism that blocks traffic from the peer link might not work, leading to a traffic loop. This issue is fixed in 3.7.4.
...
Add global configuration commands for recovery-timeout and session-timeout of NAC session.
...
Remove syslog Messages for NAC Debugging
Remove the trivial NAC debugging log messages, which are noisy and confusing.
...
PICOS CLI Command "commit confirmed" Doesn't Work in "cli -c ..."
The PICOS CLI command "commit confirmed" does not work inside "cli -c ...", for example:
cli -c "configure;set vlans vlan-id 1888; commit confirm 10"
Configuration rollback is not triggered. This issue can also be reproduced in an Ansible environment.
Open vSwitch and OpenFlow
...
SNMP Port Statistics Error.
The values of the SNMP MIB OIDs (iso.3.6.1.2.1.31.1.1.1.x.x) associated with port statistics are incorrect.
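The OID subtree named above is ifXTable, which carries the 64-bit port counters; the same ports also expose 32-bit counters in ifTable, and on a correctly behaving agent the 32-bit value equals the low 32 bits of the 64-bit value. That redundancy gives a cheap way to detect broken port statistics from a monitoring host. The script below is an added example, not PICOS code and not from these release notes; the snmpwalk-style output it parses is constructed, and the standard OIDs it uses (ifInOctets/ifOutOctets at 1.3.6.1.2.1.2.2.1.10/.16, ifHCInOctets/ifHCOutOctets at 1.3.6.1.2.1.31.1.1.1.6/.10) are from IF-MIB.

```python
"""Cross-check SNMP ifTable (32-bit) against ifXTable (64-bit) octet counters.

Added example (not from the release notes or PICOS). Port statistics are
exposed twice by IF-MIB: ifInOctets/ifOutOctets (1.3.6.1.2.1.2.2.1.10 and
.16, Counter32) and ifHCInOctets/ifHCOutOctets (1.3.6.1.2.1.31.1.1.1.6 and
.10, Counter64). For a sane agent the 32-bit value equals the low 32 bits of
the 64-bit value, so disagreement is a quick indicator of broken port
statistics. The walk output below is constructed in snmpwalk's numeric format.
"""
import re
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF

# (32-bit OID prefix, 64-bit OID prefix) per direction; ifIndex is appended.
OID_PAIRS = {
    "in": ("1.3.6.1.2.1.2.2.1.10", "1.3.6.1.2.1.31.1.1.1.6"),
    "out": ("1.3.6.1.2.1.2.2.1.16", "1.3.6.1.2.1.31.1.1.1.10"),
}

# Constructed snmpwalk output: ifIndex 1 is consistent, ifIndex 2 is not.
SAMPLE_WALK = """\
iso.3.6.1.2.1.2.2.1.10.1 = Counter32: 4000000000
iso.3.6.1.2.1.2.2.1.16.1 = Counter32: 12345
iso.3.6.1.2.1.31.1.1.1.6.1 = Counter64: 8294967296
iso.3.6.1.2.1.31.1.1.1.10.1 = Counter64: 12345
iso.3.6.1.2.1.2.2.1.10.2 = Counter32: 500
iso.3.6.1.2.1.2.2.1.16.2 = Counter32: 600
iso.3.6.1.2.1.31.1.1.1.6.2 = Counter64: 500
iso.3.6.1.2.1.31.1.1.1.10.2 = Counter64: 999
"""

# Accepts 'iso.3.6...', '.1.3.6...' and '1.3.6...' spellings of the OID.
WALK_RE = re.compile(r"^\s*(?:iso|\.?1)((?:\.\d+)+)\s*=\s*Counter(?:32|64):\s*(\d+)\s*$")


def parse_walk(text: str) -> Dict[Tuple[str, int], int]:
    """Map (OID prefix, ifIndex) -> counter value, normalising 'iso' to '1'."""
    counters: Dict[Tuple[str, int], int] = {}
    for line in text.splitlines():
        m = WALK_RE.match(line)
        if not m:
            continue  # skip non-counter rows (ifDescr, ifType, ...)
        oid = "1" + m.group(1)
        prefix, _, index = oid.rpartition(".")
        counters[(prefix, int(index))] = int(m.group(2))
    return counters


def find_mismatches(counters: Dict[Tuple[str, int], int], tolerance: int = 0) -> List[str]:
    """Report ifIndexes whose Counter32 value differs from the low 32 bits of
    the Counter64 value by more than `tolerance` bytes (shortest distance
    modulo 2^32, since the two rows may be read a moment apart on a busy port)."""
    findings: List[str] = []
    for direction, (oid32, oid64) in OID_PAIRS.items():
        indexes = sorted(
            {i for (p, i) in counters if p == oid32} & {i for (p, i) in counters if p == oid64}
        )
        for i in indexes:
            low32, hc = counters[(oid32, i)], counters[(oid64, i)]
            diff = ((hc & MASK32) - low32) % (MASK32 + 1)
            diff = min(diff, MASK32 + 1 - diff)
            if diff > tolerance:
                findings.append(
                    f"ifIndex {i} {direction}: Counter32 {low32} vs low 32 bits "
                    f"of Counter64 {hc} ({hc & MASK32}), off by {diff}"
                )
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(parse_walk(SAMPLE_WALK)) or ["counters consistent"]:
        print(finding)
```

Against a live switch, pipe the output of a numeric snmpwalk of both tables into parse_walk and pass a small tolerance to find_mismatches, since the two rows are never read at exactly the same instant; a large or growing discrepancy points at the counter defect rather than at timing.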
...
Enable web GUI for OVS configuration on N3200 platforms.
...
FEC (Forward Error Correction) can only be applied on a 100G port configured with 100Gbps speed.
Hardware
...
Update Fan Status if Stop Working
When one of the fans stops working or is pulled out, the fan status should be reflected immediately when executing "run show system fan".
Linux Platform
...
UEFI Boot Entry Displayed as 'grub'
UEFI boot entry of PICOS is changed as "picos" in efibootmgr under ONIE.
...
FAN Tray Airflow Direction on N3248TE
Support both fan airflow directions, Back to Front (B2F) and Front to Back (F2B), on N3248TE.
...
upgrade/upgrade2 Cannot Work with an Ansible Playbook
upgrade/upgrade2 now return to the shell prompt by running "reboot" in the background, so an Ansible playbook used for the upgrade no longer hangs waiting for the shell prompt.
AmpCon
...
Roll Back Config if Upgrade Fails
The AmpCon agent rolls back to the original configuration if the upgrade fails, for example because of a VPN connection failure.
CLI Changes
...
FRR Integration
By integrating FRR, the following L3 features are provided.
- BGP
- OSPFv2
- Static routing
- PIM and IGMP
- VRF
- VRF-aware L3 protocols - BGP and OSPF and PIM and Static routing
- Route Filtering
- Route map
- Prefix list
- BGP specific community-list and as-path-list.
- EVPN with multi-protocol BGP (MP-BGP)
- EVPN type-2, EVPN type-3 and EVPN type-5
- EVPN BUM Traffic with PIM-SM
Please note, the CLI commands are NOT compatible with previous versions.
Debian 10 Migration
- ROOTFS is based on the latest Debian stable release, buster, currently 10.9.
- Python 3.7.3 is added. By default, python is still linked to python2, version 2.7.16.
- Security updates
- Linux kernel is updated to the 5.4 LTS release, currently 5.4.105
- Fixed CVE-2020-25705, included in 5.4.73
- Fixed CVE-2017-5715
- OpenSSL updated to 1.1.1d at 1.1.1d-0+deb10u6
- NTP updated to 4.2.8p12+dfsg-4
VXLAN Update
- Only one VLAN can be mapped to a specific VXLAN VNI. Mapping a VLAN-and-port pair to a VXLAN VNI, which was available in previous versions, is no longer allowed.
- With EVPN, configuring VXLAN remotely via OVSDB is not supported. The CLI command "set protocols ovsdb ..." does not function.
L3 Interface
Configuration of VLAN interface is restructured. Vif is removed from vlan-interface configuration.
Loopback over VRF
One and only one Layer 3 loopback interface is allowed to be configured on a specific VRF.
Management VRF Update
By default, management VRF is not enabled. The management interface and other L3 interfaces then share the same route table (table 254) in the Linux kernel. Enabling management VRF is recommended if the management interface is used to access the switch.
Known Limitations
- Upgrade to PICOS 4.0.0 is not supported.
- ARM platforms will be supported in the next release.
- NETCONF is not supported in PICOS 4.0.0.
- SNMP MIBs specific to L3 protocol are not supported.
- IPv6 is not supported.