...

These notes summarize the new features, new hardware, known bugs, and bug fixes in PICOS 3.8. Read all of the content before upgrading to this release. For detailed feature information, refer to the configuration guides.

Table of Contents

New

...

Features

Layer 2 and Layer 3

Abbreviate the Downloadable ACL Rule

Up to 80 abbreviated dACL rules can be added on ClearPass by abbreviating the keywords of the downloadable ACL. The change is backward compatible: the old downloadable ACL keywords still work.

Resolve the IP of CWA Server with DNS

The host name of the CWA (Central Web Authentication) server is carried in the redirect URL of the RADIUS Access-Accept returned by the NAC server, so the IP address of the CWA server is now resolved through the configured DNS. The following commands for the CWA IP address and L4 port are hidden:

set protocols dot1x web server-ip XXXX

set protocols dot1x web port XXXX

Bug ID | Release | Description
12333, 12814 | 3.78.0 | NTP config commands are changed

NTP server IP and source interface are configured with the following commands:
set system ntp server-ip x.x.x.x
set system ntp source-interface xxxx
If an NTP source interface is configured, it is used as the source of the NTP connection.

11815 | 3.7.0 | Refine DHCP Relay and Snooping
  • Removed the global setting that enabled DHCP snooping on all VLANs.
  • A pattern, instead of a fixed string, can be configured for option 82.
  • With VRRP, the IP address of the DHCP relay agent can be the virtual IP address of the VRRP group.
  • A new MLAG DHCP Sync message synchronizes DHCP messages between the two MLAG spines.
Existing DHCP relay or snooping configurations cause problems when upgrading to 3.7.0. See the DHCP Configuration document for details.
12264 | 3.7.0 | MSTP over MLAG
MSTP did not work over MLAG in 3.6.x because of the new MLAG implementation. 3.7.0 restores it.
12361 | 3.7.0 | Priority of Multiple NAC Servers
Allows the user to configure the priority of multiple NAC servers. The reachable NAC server with the highest priority is used for NAC authentication.
- | 3.7.0 | Upgrade to 3.7.0
  • The CLI commands for DHCP snooping and relay changed in 3.7.0. An upgrade to 3.7.0 fails if the configuration of the old version includes DHCP snooping or relay.
  • The CLI commands for MLAG changed in 3.6.x, so an upgrade to 3.7.0 from a version older than 3.6.x fails if the configuration includes MLAG.
  • For an upgrade from 2.11.x, refer to Upgrading PICOS from Release 2.11.x Using Upgrade.
12402 | 3.7.0 | PoE Redundancy/Aggressive Mode on Dell Hardware Models
Adds back PoE redundancy/aggressive mode for Dell hardware models. With two PSUs reporting power good, the maximum PoE power under redundancy mode differs from that under aggressive mode.
12467 | 3.7.0 | Enhancements on Server-Fail Recovery Methods
Three methods, auto, manual and timer, can be configured for a client to recover from a RADIUS server failure. The default is manual.
12311 | 3.7.0 | Enable Duplex Negotiation on SFP+ Port
Enables auto-negotiation of duplex on SFP+ ports at 1G speed on AS5812_54X.
12394 | 3.7.0 | Manage license key from PICOS CLI
License keys can be added, removed and shown from the operational mode of the PICOS CLI:
1. license install <license-path-name>
2. license show
3. license remove
12606 | 3.7.1 | Dynamic ARP Inspection
Dynamic ARP inspection (DAI) is a security mechanism that rejects invalid and malicious ARP packets. ARP packets whose sender MAC or IP address is not known from DHCP snooping are dropped.
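The following is an added illustration of the DAI rule stated above, not PICOS code: an ARP packet arriving on an untrusted port is forwarded only if its sender IP/MAC pair is known from DHCP snooping or from a static ARP access list bound to the ingress VLAN (the non-DHCP case that the 3.7.1 "set protocols arp inspection access-list" commands cover). The binding table, access list, port names and ARP packets are constructed sample data, and the check that the ARP sender MAC equals the frame's source MAC is an extra sanity check added in this example, not something the release note states.

```python
"""Dynamic ARP Inspection check (added example, not PICOS code).

An ARP packet on an untrusted port is forwarded only if its sender IP/MAC
pair matches a DHCP snooping binding or a static ARP access list entry on
the ingress VLAN; everything else is dropped. All tables and packets here
are constructed sample data."""
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_BODY_LEN = 28  # Ethernet/IPv4 ARP: 8-byte header + sha, spa, tha, tpa


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet/IPv4 ARP body (sample input, not captured traffic)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(body: bytes) -> dict:
    """Decode the fixed-size ARP body; reject anything that is not IPv4-over-Ethernet."""
    if len(body) < ARP_BODY_LEN:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unsupported ARP opcode {op}")
    return {"op": op,
            "sha": mac_str(body[8:14]), "spa": ip_str(body[14:18]),
            "tha": mac_str(body[18:24]), "tpa": ip_str(body[24:28])}


@dataclass
class DaiState:
    # (vlan, ip, mac) bindings learned by DHCP snooping
    snooping: set = field(default_factory=set)
    # vlan -> set of (ip, mac) pairs from a static ARP access list
    acl: dict = field(default_factory=dict)
    # DAI-trusted ports (e.g. the uplink towards the DHCP server) are not inspected
    trusted_ports: set = field(default_factory=set)


def sample_state() -> DaiState:
    """Constructed sample tables; a real switch fills these from DHCP and config."""
    st = DaiState()
    st.snooping.add((10, "10.0.10.5", "00:11:22:33:44:55"))  # lease seen by snooping
    st.acl[10] = {("10.0.10.7", "00:11:22:33:44:77")}         # static host, no DHCP
    st.trusted_ports.add("te-1/1/49")                          # uplink to DHCP server
    return st


def inspect(st: DaiState, port: str, vlan: int, frame_src: str, body: bytes):
    """Return (forward, reason) for an ARP packet received on port/vlan."""
    if port in st.trusted_ports:
        return True, "trusted port, not inspected"
    try:
        arp = parse_arp(body)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # Extra check added in this example (not stated on the page): the sender
    # MAC inside the ARP body must equal the Ethernet source MAC of the frame.
    if arp["sha"] != frame_src.lower():
        return False, "sender MAC does not match frame source MAC"
    pair = (arp["spa"], arp["sha"])
    if (vlan,) + pair in st.snooping:
        return True, "matches DHCP snooping binding"
    if pair in st.acl.get(vlan, set()):
        return True, "matches ARP access list"
    return False, "sender IP/MAC has no binding on this VLAN"


if __name__ == "__main__":
    st = sample_state()
    # A host on an untrusted port claiming the gateway's IP with an unknown MAC is dropped.
    spoof = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.10.1",
                      "00:11:22:33:44:55", "10.0.10.5")
    print(inspect(st, "ge-1/1/3", 10, "de:ad:be:ef:00:01", spoof))
```

The VLAN is part of the snooping key on purpose: a binding learned on VLAN 10 does not authorize the same IP/MAC pair on VLAN 20, which is what stops a host from replaying a valid-looking binding across a trunk.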
12590 | 3.7.1 | Port Security
Extends port security to all supported platforms.
12154 | 3.7.1 | Handle EAP-Logoff in NAC
If an EAPOL-Logoff frame is received on a port, the session of the associated supplicant is terminated.
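As an added illustration of that behaviour (not PICOS code), the following parses the 802.1X EAPOL header (EtherType 0x888E, version, packet type, body length) out of an Ethernet frame and, on a Logoff, ends only the session belonging to the supplicant MAC that sent it on that port, leaving other hosts authenticated on the same port untouched. Frames, MAC addresses and port names are constructed sample data; the session table and its states are an assumption of the example.

```python
"""EAPOL-Logoff handling for a NAC session table (added example, not PICOS code).

Frames are checked for the 802.1X EAPOL header; a Logoff terminates only the
session of the supplicant that sent it, on the port it arrived on. All frames,
MACs and port names are constructed sample data."""
import struct

ETH_P_PAE = 0x888E
PAE_GROUP_ADDR = "01:80:c2:00:00:03"          # destination of EAPOL frames
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_eapol(src: str, pkt_type: int, body: bytes = b"",
                dst: str = PAE_GROUP_ADDR) -> bytes:
    """Construct an Ethernet frame carrying an EAPOL v2 packet (sample input)."""
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HBBH", ETH_P_PAE, 2, pkt_type, len(body)) + body)


def parse_eapol(frame: bytes):
    """Return (src_mac, eapol_type, body), or None if the frame is not EAPOL."""
    if len(frame) < 18:                       # 14-byte Ethernet + 4-byte EAPOL header
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_PAE:
        return None
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2, 3):              # 802.1X-2001/2004/2010
        return None
    return mac_str(src), pkt_type, frame[18:18 + length]


class NacSessions:
    """Supplicant sessions keyed by (port, supplicant MAC); assumed model."""

    def __init__(self):
        self.sessions = {}

    def authorize(self, port: str, mac: str) -> None:
        self.sessions[(port, mac)] = "authorized"

    def is_authorized(self, port: str, mac: str) -> bool:
        return self.sessions.get((port, mac)) == "authorized"

    def on_frame(self, port: str, frame: bytes) -> str:
        parsed = parse_eapol(frame)
        if parsed is None:
            return "ignored: not EAPOL"
        src, pkt_type, _body = parsed
        if pkt_type == EAPOL_LOGOFF:
            # Only the session of the supplicant that sent the Logoff ends;
            # other authenticated hosts on the same port keep their sessions.
            if self.sessions.pop((port, src), None):
                return f"terminated session {src} on {port}"
            return "ignored: no session for this supplicant"
        if pkt_type == EAPOL_START:
            return f"start authentication for {src} on {port}"
        return "passed to EAP state machine"


if __name__ == "__main__":
    nac = NacSessions()
    nac.authorize("ge-1/1/5", "00:11:22:33:44:55")
    print(nac.on_frame("ge-1/1/5", build_eapol("00:11:22:33:44:55", EAPOL_LOGOFF)))
```

Keying the session on both port and source MAC is what makes the Logoff safe in multi-host mode: a Logoff carrying another supplicant's MAC, or one arriving on a different port, does not tear down anyone else's session.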
12700 | 3.7.1.3 | SNMP ACLs Applied per Community or Security User Name

The snmp-acl can be configured per SNMP community or per security user, that is, a community or security user can have its own IP allow list which overrides the global snmp-acl configuration. Refer to the document Configuring SNMP ACL for details.

- | 3.7.2 | Management VRF

Management VRF separates management traffic from data-plane traffic completely, for the sake of security. The key points are:
  • If mgmt-vrf is enabled, the management interfaces such as eth0 are in mgmt-vrf. Other VLAN interfaces cannot be added to mgmt-vrf.
  • Dynamic and static routes cannot be configured in mgmt-vrf.
  • Management services start in the default VRF by default. They can be moved to mgmt-vrf manually if needed.
Refer to the VRF Configuration Guide for details.

10807 | 3.7.2 | OSPF over VRF

OSPF can be enabled on a specific VRF, and policy statements can be applied to the OSPF instance per VRF. Refer to the document OSPF (Open Shortest Path First) for details.

12741 | 3.7.2 | Issue a Warning rsyslog Message if MLAG Associated Configuration Is Not Consistent
If the configuration on the two MLAG spines is not consistent, a warning rsyslog message is issued.
10822 | 3.7.2 | Return to Default Configuration
PICOS can be returned to the default configuration with the new CLI command "rollback default".
7650 | 3.7.2 | Provide Bash Command History
Previously executed CLI "bash" commands can be recalled with the up arrow.
7873 | 3.7.2 | Display Warning Message if Closing Quotation Mark Is Missing
This is an enhancement of the CLI syntax check. The CLI prompts an error message if the opening or closing quotation mark is missing.
12713 | 3.7.3 | Private VLAN
Private VLAN limits traffic to sub-domains within a VLAN broadcast domain by means of an isolated VLAN and community VLANs. Refer to the Private VLAN Configuration Guide.
12790 | 3.7.3 | The License Type is 1G for N32XX
The license type is changed to 1G on the Dell hardware models N3248PXE-ON, N3248X-ON and N3224PX-ON.
12771 | 3.7.3 | New CLI Commands under Operational Mode
New CLI commands are added for scp, upgrade2 and banner before login under CLI operational mode. Refer to System Management Commands.
12743 | 3.7.3 | Compatibility of AmpCon with Management VRF
Management VRF was added in 3.7.2 and AmpCon is now compatible with it. Specifically, if management VRF is enabled, the AmpCon agent on the switch looks up routes in the management VRF to build the VPN connection to the AmpCon server.
12649 | 3.7.3 | Add a Built-in User "net-admin"
By default, a TACACS+ user with privilege level 1 is mapped to the internal user "net-admin", which is not allowed to drop into the Linux shell. TACACS+ users with privilege level 2-14 are mapped to the local user operator. Additionally, "net-admin" cannot log in to PICOS by local authentication.
10535 | 3.7.3 | Add HardwareId in Pica8 Private SNMP MIB
The hardware ID can be queried with OID iso.3.6.1.4.1.35098.1.17.0 from the Pica8 private SNMP MIB.
12742 | 3.7.3.4 | Split 100G port into 2 x 50G ports
A 100G port can be split into 2x50G, 4x25G or 4x10G on AS7726_32X under L2/L3 mode.

12952 | 3.7.4 | DHCP Server under L2/L3

A simple DHCP server is introduced into PICOS under L2/L3 mode. This DHCP server assigns IPv4 addresses to hosts in one specific VRF for Internet access. Refer to the document Configuring DHCP Server.

12938 | 3.7.4 | MLAG Enhancement

Refined the behavior when configurations are not consistent on the peering MLAG spines. PICOS keeps syncing MAC addresses on MLAG interfaces even if the configurations on the peering spines are inconsistent, unless the MLAG TCP connection is broken. With regard to spanning tree, depending on the type of inconsistent configuration on the MLAG spines, one of the following actions is taken:
  • Do nothing and keep the traffic flowing
  • Shut down the specific MLAG port
  • Block the associated VLANs configured on the peer link
Refer to Principle of MLAG for details.

12890, 12883, 12884 | 3.7.4 | Consecutive Detect Number

Adds the consecutive detect number to the output of "run show dot1x server".

12894 | 3.7.4 | Add idle-timeout for CLI on Console Port

For a login on the console port, the CLI exits when the configured idle timeout expires.

13070 | 3.7.5 | MLAG Peer Gateway

Up to 500 L3 VLAN interfaces can be configured on each MLAG spine switch. The IP address of each L3 VLAN interface can be used as the gateway of the downlink hosts. Refer to the document Principle of MLAG.

13072 | 3.7.5 | Allow 802.1X to Work with Local Firewall

Supports both 802.1X dynamic/downloadable ACLs and local firewall filters (on-switch security and QoS ACLs) on the same ports.

13101 | 3.7.5.1 | VXLAN Routing
With VTEP enabled, VXLAN routing behaves as a VXLAN L3 gateway under centralized routing mode. See VXLAN Routing for details.

13098 | 3.8.0 | Enable VXLAN on NAC Ports
Previously, VXLAN could not be configured on ports with NAC (802.1X, MAB or web authentication) enabled. This restriction is removed in release 3.8.0.

13101 | 3.8.0 | DNS Domain Search List
Adds the CLI command "set system dns-search-list xxxx" to configure the search list used for DNS lookups of host names.

Open vSwitch and OpenFlow

Bug ID | Release | Description
12476 | 3.7.1 | Configure a Port to Different Bonds
A port can be added to multiple bonds. A warning log message is issued when a pop_vxlan/pop_l2gre flow is added whose input matches a bond that shares member ports with other bond(s).
12950 | 3.7.4 | TTP Improvement

New tables, Bridging_Flow_Table, Egress_Port_Flow_Table, Egress_Port_Group_Flow_Table, Egress_VLAN_Xlate_Flow_Table and Egress_ACL_Flow_Table, are added under TTP (Table Type Pattern) mode. Refer to Configuring TTP for the detailed update.

Linux Platform

...

Hardware

Support N3224F-ON

N3224F-ON has 24x1G SFP ports, 4x10G SFP+ ports and 2x100G QSFP28 stacking ports on the rear.

Bug ID | Release | Description
11773, 12496 | 3.7.0 | Porting N3248X-ON
Dell N3248X-ON is a 1G/2.5G/5G/10G Multi-Gig switch model with 48x10G Cu ports, 4x25G SFP28 ports and 2x100G QSFP28 stacking ports on the rear.
11448 | 3.7.8.0 | Support AS4630-54PE and AS5835-54T
AS4630-54PE has 48x1G PoE Ethernet ports, 4x25G SFP28 ports and 2x100G stacking ports.
11806 | 3.7.1 | Support N3208PX-ON
N3208PX-ON has 4x1G Cu ports, 4x5G Cu ports with 802.3bt Type-4 99W PoE capability and 2x10G SFP+ ports.
12533 | 3.7.2 | Support N3224P-ON
N3224P-ON has 24x10G Cu ports with 802.3bt Type-4 99W PoE, 4x25G SFP28 ports and 2x100G QSFP28 ports on the rear.

12586 | 3.7.2 | Support N3248TE-ON
N3248TE-ON has 48x1G Cu ports, 4x10G SFP+ ports and 2x100G QSFP28 ports on the rear.

12835, 12957 | 3.7.4 | Support S5232F-ON
S5232F-ON has 32x100G QSFP28 ports and 2x10G SFP+ ports.

12696 | 3.7.4 | AG5648 Support in 3.7.4
AG5648 is added back to the list of supported hardware in 3.7.4.

13858 | 3.7.5 | Support AS4630-54NPE
AS4630-54NPE has 36x2.5G BASE-T ports, 12x10G BASE-T ports, 4x25G SFP28 uplink ports and 2x100G QSFP28 uplink ports.

12224 | 3.7.5 | Support N2248PX-ON & N2248X-ON
N2248PX-ON and N2248X-ON have 48x2.5G RJ45 ports, 4x25G SFP28 ports and 2x40GbE QSFP ports. N2248PX-ON is a PoE switch: 24 RJ45 ports support 30W PoE and the other 24 RJ45 ports support 60W PoE.

11578 | 3.7.5 | Support N2224PX-ON & N2224X-ON
N2224PX-ON and N2224X-ON have 24x2.5G RJ45 ports, 4x25GbE SFP28 ports and 2x40G QSFP ports. N2224PX-ON is a PoE switch: 12 RJ45 ports support 30W PoE and the other 12 RJ45 ports support 60W PoE.

AS5835-54T has 48x10G RJ45 ports and 6x100G QSFP28 uplink ports on the front panel.


Fixed Issues

Layer 2 and Layer 3 Features

...

UEFI Boot Entry Displayed as 'grub'
The UEFI boot entry of PICOS is changed to "picos" in efibootmgr under ONIE.

...

Fan Tray Airflow Direction on N3248TE

Supports both fan airflow directions, Back to Front (B2F) and Front to Back (F2B), on N3248TE.

...

upgrade/upgrade2 Cannot Work with an Ansible Playbook

upgrade/upgrade2 now runs "reboot" in the background and returns to the shell prompt, so an Ansible playbook that performs the upgrade no longer hangs waiting for the prompt.

...

Port Status Shows 'up' When a Cable Is Connected to a Disabled Port

On N3224PX-ON, when a cable is connected to a disabled port, the port status is shown as 'up'.

AmpCon

...

Bug ID | Release | Description

...

Roll Back Config if Upgrade Fails
The AmpCon agent rolls back to the original configuration if an upgrade fails, for example because of a VPN connection failure.

CLI Changes

Type of Change | Command | Version | Description | Feature | Link to the Config Guide
Hidden | set interface gigabit-ethernet xxxx port-security mac-address xxxx vlan xxxx sticky true/false | 3.7.1 | Sticky cannot be configured on a specific MAC address. | Port Security | Port Security Configuration: /display/PicOS37sp/Port+Security+Configuration; Port Security Commands: /display/PicOS37sp/Port+Security+Commands
Hidden | set interface aggregate-ethernet xxx port-security xxx | 3.7.1 | Port security cannot be configured on a LAG port. | Port Security |
Hidden | set protocol arp interface xxxx inspection xxx | 3.7.1 | DAI cannot be configured on a vlan-interface. | ARP Inspection | Configuring ARP Inspection: /display/PicOS37sp/Dynamic+ARP+Inspection; ARP Inspection Commands: /display/PicOS37sp/Protocol+Configuration+Commands
New | set protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>; set protocols arp inspection vlan <vlan-id> access-list <acl-name> | 3.7.1 | DAI supports ARP access lists for non-DHCP environments. | ARP Inspection |
Removed | clear port-security address xxx vlan xxx; clear port-security interface all/gigabit-ethernet xxx; clear port-security port-error all | 3.7.1 | N/A | Port Security | Port Security Configuration: /display/PicOS37sp/Port+Security+Configuration; Port Security Commands: /display/PicOS37sp/Port+Security+Commands
New | clear port-security dynamic address xxx vlan xxx; clear port-security sticky address xxx vlan xxx; clear port-security dynamic interface all all/gigabit-ethernet xxx; clear port-security sticky interface all all/gigabit-ethernet xxx; clear port-security port-error interface all/gigabit-ethernet xxx | 3.7.1 | N/A | Port Security |
New | show arp inspection | 3.7.1 | N/A | ARP Inspection | Configuring ARP Inspection: /display/PicOS37sp/Dynamic+ARP+Inspection; ARP Inspection Commands: /display/PicOS37sp/Protocol+Configuration+Commands

DOT1X Authentication Failed When Two Reachable Servers Are Configured
The client failed to be authenticated if multiple configured RADIUS servers were reachable.

MAC Syncing on VXLAN Network Ports Between MLAG Spines

A MAC address learned on the VXLAN network port of one MLAG spine was not synced to the peering MLAG spine even though the VXLAN configuration was consistent on the two spines. Additionally, the MAC address on the network port is shown with type "Dynamic" or "Sync" on both MLAG spines when executing "run show vxlan address-table". This issue is fixed in 3.7.4.

Global Settings for recovery-timeout and session-timeout

Adds global configuration commands for the recovery-timeout and session-timeout of NAC sessions.

Bug ID | Release | Description
12401, 13106 | 3.7.0 | Disable NTP by default

NTP is disabled by default and is only enabled when an NTP server is configured.

12329, 12257 | 3.7.0 | Aruba AP-515 Fails to Receive Power
Aruba AP-515 could not receive power from the N3048 UPoE ports (ge-1/1/1 to ge-1/1/12).
12508 | 3.7.0 | Lower the Level of a LOG Message
Lowers the level of log messages such as "The mac address 00:24:14:b3:68:3a is NAC session,ignore it" to "TRACE".
12614 | 3.7.1 | Login Announcement (Banner) Not Showing Up
With TACACS+ activated, the configured announcement (banner) was not shown on login to the switch. Fixed in 3.7.1.
12635 | 3.7.1 | Fail to Add a Term of Policy Statement
After configuring a term of a policy statement with "set policy policy-statement statement term t1" and exiting the CLI (for example by rebooting the switch), configuring another term of the same policy statement failed with the error "Command failed: create_term failed: ... Term already present in position ...".
9245 | 3.7.1 | LLDP Statistics Error
When LLDP is disabled, the LLDP counters are now cleared.
12171 | 3.7.1 | Delete loopback IP Address with VXLAN Configuration
The IP address configured on the loopback interface can be deleted if it is not applied to a VXLAN instance.
12699 | 3.7.1.3 | Multicast Traffic Flooded within the VLAN Even with IGMP Snooping Enabled

If a vlan-interface was configured over a VLAN, unknown multicast traffic was flooded within that VLAN even though IGMP snooping was enabled on it. Fixed in 3.7.1.3.

12722 | 3.7.2 | Check VLAN when Applying a Synced MAC to the L2 Table on an MLAG Spine
The virtual MAC address on a switch with VRRP enabled is derived from the configured VRID. In VRRP active-active mode, a virtual MAC address learned on one MLAG spine (device A) is synced to the peering spine (device B). If device B received from device A the same virtual MAC address for a different VLAN with the same VRID, the synced MAC was not applied to the hardware L2 table because PICOS did not check the VLAN when installing a synced MAC address. This issue is fixed in 3.7.2.
12762 | 3.7.3 | Stop Empty TACACS+ Authorization Requests after Login to the Switch
A TACACS+ user is mapped to a local user such as admin, operator or guest depending on the privilege level configured for the user on the TACACS+ server. During authentication, PICOS sends an empty authorization request (service=shell, cmd=NULL) to the TACACS+ server to obtain the privilege level of the user. After login, this empty authorization request is no longer sent to the TACACS+ server.
12482 | 3.7.3 | Switch Reboots If More Than the Available Power Is Requested via PoE
Reproducible under extreme conditions on N3248PXE-ON: connect a PoE load tester to all 48 ports and request the maximum power of 90 W from every port. PICOS rebooted when running CLI commands such as "run show poe interface all". This issue is potentially fixed by #12637.
12948 | 3.7.4 | Ports Bounce When Changing Member Port(s) of a LAG
All other ports flapped when a member port of a LAG was moved to a different LAG. This issue, fixed in 3.7.4, only occurred on AS4610.
12928 | 3.7.4 | Don't Discard IP Fragments of NAC Messages

Under an in-band connection, IP fragments of NAC messages must not be dropped.

12877 | 3.7.4 | Client Device Loses NAC Authentication After session-timeout

After the authentication session-timeout (1 hour by default), the client device's authentication is terminated, and in particular circumstances it could not be authenticated again. This issue is fixed in 3.7.4.

12866, 12878 | 3.7.4 | Traffic Loop Appears if VXLAN Network Port Flaps

VXLAN is configured on the two MLAG spines. Traffic from the peer link should be blocked on the VXLAN network port unless the corresponding VXLAN network port on the peering spine is down. However, flapping the VXLAN network port on one spine could break the mechanism that blocks traffic from the peer link and lead to a traffic loop. This issue is fixed in 3.7.4.

12887, 12885 | 3.7.4 | Remove syslog Messages for NAC Debugging

Removes trivial NAC debugging log messages that were noisy and confusing.

13000 | 3.7.4 | PICOS CLI Command "commit confirmed" Doesn't Work in "cli -c ..."

The PICOS CLI command "commit confirmed" did not work inside "cli -c ...", for example:

cli -c "configure;set vlans vlan-id 1888; commit confirm 10"

The configuration rollback was not triggered. The issue could also be reproduced in an Ansible environment.

12754 | 3.7.5 | MSTI Validation When Showing MSTP Interface Status

When showing the interface status of an MSTP instance with "run show spanning-tree mstp interface msti xxx", an error message is prompted if the specified MSTI is invalid.

12577 | 3.7.5 | Port with Root Guard Enabled

If the role of a port with root guard enabled changes, the port is blocked and marked "ROOT_NC".

13032 | 3.7.5 | It Takes Longer to Stop PICOS with Web Authentication Enabled

It took much longer to stop PICOS when web authentication was enabled on a port. This issue is fixed in 3.7.5.

13034 | 3.7.5 | Remove an LCMGR LOG Message

Removes the confusing and meaningless rsyslog message "[LCMGR]BCM_FIELD_RANGE_SRCPORT id 0x5a0000xx".

Open vSwitch and OpenFlow

...

Bug ID | Release | Description

...

SNMP Port Statistics Error
The values of the SNMP MIB OIDs (iso.3.6.1.2.1.31.1.1.1.x.x) associated with port statistics were incorrect.

...

Enable the web GUI for OVS configuration on N3200 platforms.

...

FEC (Forward Error Correction) can only be applied to a 100G port configured with 100Gbps speed.

Hardware

...

Update Fan Status if a Fan Stops Working
When one of the fans stops working or is pulled out, the fan status is reflected immediately in the output of "run show system fan".

Linux Platform

...

Bug ID | Release | Description

...

8.0

Cannot Read out EEPROM Data on AS7326-56X
The I2C address changed on the new model of AS7326-56X. The driver code is modified to fix this issue on the updated AS7326 model.