These notes summarize the PICOS 2.11 new features, new hardware, known bugs, and bug fixes. Best practice is to read all of the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.
New Software Features
Layer 2 and Layer 3
Bug ID | Release | Description |
---|---|---|
11394 | 2.11.25 | Secure Keys in Configuration: Present the RADIUS/TACACS+ shared key and the SNMP authentication-key and privacy-key in encrypted form. |
11511 | 2.11.25 | Add New Columns to "run show lldp neighbor" |
11509 | 2.11.25 | NAC - Invalid Downloadable ACL |
11538 | 2.11.25 | Show "service-tag" |
11475 | 2.11.25 | Restore License and User Password Automatically |
11798 | 2.11.25.2 | Dynamic VLAN Overrides Voice VLAN: If the returned RADIUS access-accept message includes an extra Pica8 vendor-specific attribute (VSA) "pica8-traffic-class=voice", the dynamic VLAN takes precedence over the locally configured voice VLAN. |
10437 | 2.11.25.3 | RADIUS Accounting for 802.1X and MAB: The PICOS switch sends start/stop accounting messages to the RADIUS server for a supplicant's 802.1X/MAB authentication session. |
12132 | 2.11.25.3 | Response to session-timeout Attribute: If the returned RADIUS access-accept message carries a session-timeout attribute after MAB/802.1X authentication, the authenticated session expires after the session-timeout period and a new authentication process starts. |
11976 | 2.11.25.3 | Show DACL Counters: Allow the user to show the counters of downloadable/dynamic NAC ACLs. |
12361 | 2.11.25.7 | Priority of Multiple NAC Servers: Allow the user to configure the priority of multiple NAC servers. The reachable NAC server with the highest priority is used for NAC authentication. |
12467 | 2.11.25.7 | Enhancements on Server-Fail Recovery Methods: Three methods, namely auto, manual and timer, can be configured for the client to recover from a server failure. By default, manual is in effect. |
Linux Platform
Bug ID | Release | Description |
---|---|---|
12129 | 2.11. | |
Disable/Enable IP Routing
Add a command which globally enables/disables IP routing. By default, IP routing is disabled.
Limit Maximum Number of VRRP Interfaces
Users can configure at most 128 VRRP interfaces, which is also the maximum number of L3 interfaces.
Tagged/Untagged with Voice-VLAN
If "tagged" is configured on a specific port for the voice-vlan, the voice-vlan is included in the Network Policy TLV sent to the connected endpoint device (such as an IP phone), and only frames tagged with the voice-vlan are sent out to the connected IP phone. Otherwise, the Network Policy TLV does not include the voice-vlan, and untagged frames are sent out to the connected IP phone.
PVST Manual-Forwarding
Allow the user to configure manual-forwarding on a PVST-enabled port.
TACACS+ Failover Enhancement
If multiple TACACS+ servers are configured, try them one by one for authentication. Local authentication is used only if none of the TACACS+ servers is reachable. If the TACACS+ server is not reachable for authorization, the session drops back to the Linux shell; in the case where PicOS enters the CLI directly, the user is logged off.
MSH8920 - BPDU & LACP Tunneling on Static LAG
On MSH8920, allow the user to configure BPDU & LACP tunneling on a static LAG port.
Enhancement for PVST/MSTP information in tech_support
Include complete PVST/MSTP information for each VLAN and interface in the tech_support log file.
Refreshing MAC Learning on MLAG Pair Switches
To keep the MAC tables of the two MLAG switches consistent, the MAC addresses on one MLAG switch are refreshed every 30 minutes based on the MAC addresses on the peer MLAG switch.
Remove SSH/Telnet Connection Number Limiting
The number of SSH/Telnet connections can be made unlimited by setting the SSH/Telnet rate-limit to 0.
PoE - Power Negotiation
To support power provisioning via PoE for the Cisco 8861 VoIP phone with the 8860 key expansion module, support power negotiation via the optional LLDP 802.3 Power-via-MDI TLV.
Show Entire Spanning-tree PVST Information
Add a new command - "show spanning-tree pvst interface vlan all" - to display the entire spanning tree PVST information in addition to the per-VLAN PVST information.
DHCP Snooping over MLAG
With DHCP snooping enabled on the MLAG pair switches, ensure that DHCP DISCOVER can go up to the DHCP server via trusted ports and, similarly, that DHCP OFFER can go down to hosts via MLAG ports.
Kontron - CDP and LLDP Tunneling
Add CDP and LLDPDU tunneling in addition to BPDU and LACP tunneling.
Boeing - Add new OIDs to UCB MIB
Add new OIDs to the UCB SNMP MIB:
- CPU - ssCpuRawSystem, ssCpuRawIdle
- Memory - memTotalReal, memAvailReal, memTotalFree
OEM - Display timestamp in syslog Message in Millisecond
Keep local and remote syslog messages in a consistent format, with the timestamp formatted in milliseconds for both. It is a customization feature for Enterprise customers.
OEM - Show System Date in Milliseconds
Display the date/time in milliseconds; this is supported in the OEM version for Enterprise customers.
Remark DSCP with ACL Rule
Apply the DSCP remarking action to an ACL rule with a command such as "set firewall filter xx sequence xx then dscp xx".
Configure rate-limit on Egress Queues
Allow applying a rate-limit to each egress queue of a physical interface. Traffic in a specific egress queue that exceeds the configured rate-limit is dropped.
GE Interfaces on AG5628 and AS7312
Allow configuring the speed of the 25G interfaces of hardware models with Tomahawk+ - AS5648 and AS7312 - to 1Gbps.
Send Traps if CPU Utilization Threshold is Exceeded
For TCA (Threshold Crossing Alarm) purposes, the switch sends SNMP traps for CPU utilization when the total CPU utilization rises above high_threshold, and again when it falls below low_threshold. Both high_threshold and low_threshold can be configured.
Issue an SNMP Trap if L2 Table Threshold is Exceeded
For TCA (Threshold Crossing Alarm) purposes, the switch sends SNMP traps if the L2 table threshold is exceeded. The threshold is defined as a percentage of the maximum capacity of the L2 table, and the user can change it.
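The two threshold-crossing traps above share one pattern: a rising trap when a value exceeds the high threshold, a falling trap when it later drops below the low threshold, and nothing while it sits in between. This is an added example, not PICOS code, that models that hysteresis so an operator can check what a given high_threshold/low_threshold pair would report against sample readings; the sample values, the trap names and the L2 table size of 32768 entries are constructed assumptions.

```python
"""
Threshold Crossing Alarm (TCA) model for the CPU and L2-table traps.
Added example: not PICOS code. It shows when a rising/falling trap would
fire for a given high_threshold / low_threshold pair.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ThresholdAlarm:
    """Hysteresis alarm: trap on rising above high, clear on falling below low."""
    name: str
    high_threshold: float
    low_threshold: float
    raised: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Percentages; low must not exceed high or the alarm would never clear.
        if not 0 <= self.low_threshold <= self.high_threshold <= 100:
            raise ValueError("need 0 <= low_threshold <= high_threshold <= 100")

    def observe(self, value: float) -> Optional[str]:
        """Feed one sample (percent). Returns the trap name if one fires, else None."""
        if not self.raised and value > self.high_threshold:
            self.raised = True
            trap = f"{self.name}-rising({value:.1f}% > {self.high_threshold}%)"
            self.events.append(trap)
            return trap
        if self.raised and value < self.low_threshold:
            self.raised = False
            trap = f"{self.name}-falling({value:.1f}% < {self.low_threshold}%)"
            self.events.append(trap)
            return trap
        return None  # inside the hysteresis band, or no state change


def l2_table_percent(entries_in_use: int, max_entries: int) -> float:
    """The L2 threshold is defined as a percentage of the table's maximum capacity."""
    return 100.0 * entries_in_use / max_entries


def run_cpu_samples(samples: List[float], high: float = 80.0,
                    low: float = 60.0) -> List[str]:
    """Replay CPU utilization samples and return the traps that would be sent."""
    alarm = ThresholdAlarm("cpu", high, low)
    for s in samples:
        alarm.observe(s)
    return alarm.events


def run_l2_samples(in_use: List[int], max_entries: int, high: float = 90.0,
                   low: float = 80.0) -> List[str]:
    """Replay L2 table occupancy counts and return the traps that would be sent."""
    alarm = ThresholdAlarm("l2-table", high, low)
    for n in in_use:
        alarm.observe(l2_table_percent(n, max_entries))
    return alarm.events


if __name__ == "__main__":
    # Constructed samples: a spike, a hover inside the band, a drop, a new spike.
    print(run_cpu_samples([40, 85, 90, 70, 75, 50, 40, 95]))
    # Constructed L2 table: 32768-entry capacity (assumed), 90%/80% thresholds.
    print(run_l2_samples([1000, 30000, 31000, 20000], max_entries=32768))
```

Note that the samples at 70% and 75% produce no trap: they are below high_threshold but still above low_threshold, so the alarm stays raised without re-trapping.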
Allow Hyphen "-" in VLAN Name
Allow including a hyphen "-" in a VLAN name, as in the following command:
admin@Xorplus# set vlans vlan-id 10 vlan-name "office-sales"
Add entPhysicalTable per RFC 6933
Support entPhysicalTable (such as entPhysicalDescr, entPhysicalSoftwareRev, entPhysicalSerialNum, entPhysicalMfgName, entPhysicalModelName) included in SNMP Entity MIB (RFC 6933).
Support UPoE
Support UPoE on N3048EP-ON and AS4610-54P and AS4610-30P.
Configure Rate Limit by Reference of Percentage
Allow the user to configure the rate limit on a specific port as a percentage of the maximum speed supported by the port.
Add auto Mode to Voice VLAN
Add support for the voice-vlan "auto" mode in addition to the "untagged" and "tagged" modes. By default, auto mode is enabled on a port configured with a voice VLAN. Under auto mode, attached endpoint devices that are LLDP-MED capable are requested to tag voice traffic with the voice VLAN; voice traffic from attached endpoint devices that are not LLDP-MED capable is untagged.
Disable SNMP Traps Related to LLDP
Add a command that allows the user to disable SNMP traps related to LLDP:
set protocols lldp snmp-trap false
Enhancement on Displaying PoE Information
Add 2 columns, "Reserved" and "PD-Class", to the output of "run show poe interface XXXX".
IGMP Snooping over MLAG
If IGMP snooping is enabled on both MLAG spine switches, IGMP messages (report, query and leave) received on an MLAG port of one spine switch are synchronized to the peer spine switch, which updates its multicast group information. The sources and clients of a multicast group attached to the MLAG spine or leaf switches can then communicate with each other.
TACACS+ - Add New Command local-auth-fallback
Configure and enable TACACS+, then log in to PicOS on the in-band/management interface. If the TACACS+ server is not reachable or unavailable, fallback to local authentication is allowed when local-auth-fallback is enabled.
Press "Enter" key to stop the process of upgrade2
The upgrade2 process can be aborted before rebooting into the updated version of PicOS at the prompt "PRESS ANY KEY TO STOP REBOOT".
Configure the rate-limit of filter rules by reference of kbps
Allow configuring the rate-limit of ACL filter rules in kbps in addition to pps.
Set Auto Negotiation Speeds
Allow the user to configure the speeds advertised to the connected device in auto-negotiation mode.
Performance Refinement - ARP Handling
Reduce the time needed to handle packet-in ARPs. Allow a larger number of protocol packets destined to the CPU.
Performance Refinement - Sync up ARP on Active-Active VRRP Devices
The time used to sync up ARP on active-active VRRP devices is reduced drastically.
Support VRRPv3
PicOS supports both VRRPv2 and VRRPv3. The advantage of VRRPv3 is that it supports both IPv4 and IPv6 address families.
MLAG - Sync up MAC Addresses Learned on Orphan Ports to the Peer Switch
MAC addresses learned on the single-homed (orphan) ports of one MLAG spine switch should be synchronized to the peer-link port of the other spine switch.
Add a Description Field after the Command "run request system reboot"
Add a description field after the command "run request system reboot" and include this text in the log message. This helps Operations track the reason for a reboot through the log messages.
MSH8920 - Extend L2-transparency to cover LLDP and CDP
L2-transparency is enabled for LLDP and CDP. Namely, if "set protocols lldp||cdp message-in disable true" is configured, LLDP and CDP frames are flooded out of the switch instead of being trapped to the CPU.
9747 | 2.11.9.5 | MSH8920 - xe-1/1/2.1 does not work after installing PICOS for the very first time; it needs an extra reboot to start
This problem has been fixed in 2.11.9.5.
10118 | 2.11.9.5 | MSH8920 - upgrade2 creates an ext3 filesystem for the new partition
This problem has been fixed in 2.11.9.5.
802.1X - Support MAB Authentication, Dynamic VLAN and CoA Function
Extend the 802.1X feature to support MAB authentication, dynamic VLAN and CoA function.
9763 | 2.11.15 | Support 1G speed with DELTA 10G RJ45 Module
Parameters of this module are as follows:
Vendor Name : DELTA
Vendor PartNr : LCP-10GRJ3SRT
Serial Number : 183209100001
Cable Length : 300m
Configure Rate-limit and Burst on Port
Add commands to configure rate-limit and burst to the port on ingress side and egress side. Both L2/L3 and OVS support this new feature.
Hashing with Sorted LAG Member
In general, a given flow is forwarded out of one LAG member port, selected by the hashing algorithm from the configured hash key. With lag_members_sorted enabled, the behavior across two LAGs with the same number of member ports is defined: assuming ae1 has 4 member ports (1, 2, 3, 4) and ae2 also has 4 member ports (5, 6, 7, 8), if a flow is hashed out of port 2 for ae1, the same flow is hashed out of port 6 for ae2.
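The following is an added example, not PICOS code, that models the lag_members_sorted rule above and generalizes it slightly: it compares a LAG whose members were configured out of numeric order against one configured in order, and measures how often a flow lands on the same relative member in both. The 5-tuple hash, the port numbers and the sample flows are constructed assumptions; a real ASIC uses its own hash.

```python
"""
Sorted LAG member hashing. Added example, not PICOS code: with sorting
enabled, a flow that hashes to the N-th lowest-numbered member of ae1 also
hashes to the N-th lowest-numbered member of ae2 when both LAGs have the same
member count, regardless of the order the members were configured in.
"""
import hashlib
from typing import List, Tuple

FlowKey = Tuple[str, str, int, int, int]  # (src_ip, dst_ip, proto, sport, dport)


def flow_hash(key: FlowKey) -> int:
    """Deterministic 32-bit hash of the flow key (an assumption, not the ASIC hash)."""
    data = "|".join(str(part) for part in key).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def select_member(members: List[int], key: FlowKey, lag_members_sorted: bool) -> int:
    """Choose the egress member port of one LAG for one flow.

    members is the member list in configuration order. With lag_members_sorted
    the hash index is applied to the numerically sorted list, so two LAGs with
    the same member count map a flow to the same relative position.
    """
    if not members:
        raise ValueError("LAG has no member ports")
    order = sorted(members) if lag_members_sorted else list(members)
    return order[flow_hash(key) % len(order)]


def rank_in_lag(members: List[int], port: int) -> int:
    """0-based position of port within the numerically sorted member list."""
    return sorted(members).index(port)


def same_relative_member(ae1: List[int], ae2: List[int], key: FlowKey,
                         lag_members_sorted: bool) -> bool:
    """True when the flow lands on the same relative member in both LAGs."""
    p1 = select_member(ae1, key, lag_members_sorted)
    p2 = select_member(ae2, key, lag_members_sorted)
    return rank_in_lag(ae1, p1) == rank_in_lag(ae2, p2)


def consistency_ratio(ae1: List[int], ae2: List[int], flows: List[FlowKey],
                      lag_members_sorted: bool) -> float:
    """Fraction of flows that pick the same relative member in both LAGs."""
    hits = sum(same_relative_member(ae1, ae2, f, lag_members_sorted) for f in flows)
    return hits / len(flows)


def sample_flows(n: int) -> List[FlowKey]:
    """Constructed flows: n TCP connections from distinct hosts to one server."""
    return [(f"10.0.0.{i}", "10.1.0.1", 6, 40000 + i, 443) for i in range(1, n + 1)]


if __name__ == "__main__":
    # ae1's members were configured out of numeric order; ae2's in order.
    ae1, ae2 = [4, 2, 3, 1], [5, 6, 7, 8]
    flows = sample_flows(64)
    print("lag_members_sorted on :", consistency_ratio(ae1, ae2, flows, True))
    print("lag_members_sorted off:", consistency_ratio(ae1, ae2, flows, False))
```

With sorting on, every flow lands on the same relative member of both LAGs; with it off, the out-of-order configuration of ae1 makes roughly half of the flows diverge.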
Cable Diagnostics using TDR on RJ45 Interface
Support cable diagnostic function using TDR on RJ45 ports.
Add a New Command to Configure NAS-IP
Add a CLI command to let the user configure the NAS-IP address:
"set protocols dot1x aaa radius nas-ip x.x.x.x"
This command sets the nas-ip field in the RADIUS access-request message.
Update "run show bgp routes"
Keep the existing “peer” column, but change the heading to “Router ID”. Add a column before the “Router ID” column above, with the heading “Peer”, listing the configured peer IP address of the received routes.
Display all settings, including default settings, in the configuration tree output of "show all" or in the set-command output of "show all|display set", respectively.
NAC can operate in multi-domain mode or single-host mode, with new features including dynamic/downloadable filters and central web authentication.
If the RADIUS server is not reachable, the client falls back to the server-fail VLAN. If rejected by 802.1X authentication, the client tries web authentication.
Allow the user to configure an interface whose IP address is used to talk to the TACACS+/RADIUS server.
Present the reason (CoA-Disable-Port) if a port is down because of CoA when executing "run show interface gigabit-ethernet xxxx".
Secure the VRRP session with MD5 authentication. This is only available for VRRPv2.
Add New Columns to "run show lldp neighbor"
Add two columns - "Platform" and "Capability" - to the output of "run show lldp neighbor".
NAC - Invalid Downloadable ACL
If an invalid downloadable ACL is included in the returned RADIUS access-accept message, the supplicant client is denied network access, and the invalid downloadable ACL is marked in the output of "run show dot1x interface gigabit-ethernet XXX".
Show "service-tag"
Add a new CLI command - "run show system hwinfo service-tag" - to show the service-tag.
Restore License and User Password Automatically
On OverlayFS platforms such as N3048 and N3132, the license key and the user password updated at first login are not lost on reboot, even if "save_config" is not executed.
OVS and OpenFlow
OVS 2.6 Upgrade
The OVS base code is upgraded to open source OVS 2.6. There are some feature differences from open source OVS 2.3. A command is added to switch to the open source OVS 2.6 base code. Details at: http://intranet.pica8.com/display/PicOS211sp/Switching+Open+vSwitch+version
Enable/Disable CoS with VLAN PCP
Under OVS mode, frames can go to different egress queues depending on the CoS mapping with VLAN PCP (Priority Code Point). For example, if PCP value 5 is mapped to queue 6, a frame with PCP value 5 enters egress queue 6. By default, CoS mapping with VLAN PCP is disabled, and all frames (whose PCP values are changed to 0) are put in queue 0.
Add New Match Modes
Add new match modes for the LuxarTech NPB application, such as mac_x, ip_x and l2l4. Details at: http://intranet.pica8.com/display/PicOS211sp/Optimizing+TCAM+Usage
VNTAG Support
User can match VNTAG fields in a flow entry. Additionally, ECMP and LAG hashing can be calculated based on VNTAG fields.
Configure Polling Interval on Interface/Flow Counter
Allow the user to set the update interval of the interface or flow counters.
Buffer Management Goes Back to 2.7.1S1G in 2.11.3.vzsdn.5
When upgrading from 2.7.1S9 to 2.11.3.vzsdn.4 on AS5712_54X, the customer reported that the maximum burst absorption capability could not meet the requirement as in 2.7.1S19 in certain cases, because the buffer management behavior was changed in 2.8.x. For example, if multiple 1G traffic streams with continuous bursts come in and go out of one port, an increasing number of packets are dropped. At the customer's request, the buffer management mode is returned to the 2.7.1S9 behavior.
Set Rate-limit on Port under OVS Mode
Limit the maximum rate on a specific port under OVS mode.
Command "switch-to-ovs-2.6" Fails
PicOS 2.11.x has 2 versions of OVS - 2.3 and 2.6. The command "switch-to-ovs-2.6" is used to switch from OVS 2.3 to OVS 2.6.
Support L2GRE on AS4610
Enable L2GRE under OVS/OpenFlow mode on AS4610.
Linux Platform
upgrade2 - New Way of Upgrade
Add an extra upgrade tool - upgrade2. If the upgrade with upgrade2 goes wrong for an unexpected reason, it returns to the current version of PicOS.
Kontron - Upgrade Linux Kernel to LTS Version
Upgrade the Linux kernel to a long-term support version, 4.14.3.
Kontron - Dump Binary Data of FPGA
Provide access to the whole FPGA register space in sysfs, for example:
admin@Xorplus$ hexdump -C -s 0x31 -n 1 /sys/class/fpga/fpga0/raw
Add New Option to upgrade2
Upgrade2 carries the current configuration over to the upgraded version. It is possible that some configurations are deprecated or unsupported after a version change, such as from 2.12 to 2.11. A new option allows the upgraded version to ignore deprecated or unsupported configurations. Additionally, picos-rollback can carry the current configuration back to the previous version, and the previous version can also ignore deprecated or unsupported configurations.
Display Content of System EEPROM
Add a new sysfs file - /sys/class/hwinfo/onie-syseeprom - to display the content of the system EEPROM.
Enable OverlayFS on N3048EP-ON
OverlayFS is a memory-based file system that caches write operations without writing the data to the underlying physical storage. It is a different way to load PicOS on switches that do not come with USB-based NAND, such as the N3048EP-ON.
Update Authentication Behavior of TACACS+/RADIUS
The authentication behavior of TACACS+/RADIUS is updated as follows:
On the console port, if the TACACS+/RADIUS service is reachable, the user can only be authenticated against the TACACS+/RADIUS server. Otherwise, if the TACACS+/RADIUS service is unreachable, a log message is issued and authentication falls back to local authentication.
On the management interface, whether in-band or out-of-band, if the TACACS+/RADIUS service is reachable, the user can only be authenticated against the TACACS+/RADIUS server. Otherwise, if the TACACS+/RADIUS service is unreachable, a log message is issued and nothing else is done.
Disable upgrade1 on MSH8920
On MSH8920, upgrade1 is disabled; only upgrade2 is available. Additionally, the step in upgrade2 that prepares the backup partition is removed, because it might take so long that the watchdog triggers a reboot, and the backup partition is only needed for upgrade1.
Convert the 2.11.7.2 pica_startup.boot to 2.7.2S1F
Add a tool - convert-conf - which removes the configuration items in the 2.11.7.2 pica_startup.boot that are unknown to 2.7.2S1F. Add an option to upgrade2 that allows the user to specify the startup configuration file to be brought back to 2.7.2S1F.
Add PoE checking to system-diag
PoE checking is added to system-diag, which is executed before PicOS starts.
Keep Specified Backup Files when Upgrading to a New Version
Add an option to upgrade/upgrade2 that allows the user to specify a list of files to keep when upgrading to a new version.
After add and delete multicast route
MSH8920 - Upgrade2 is Broken by Watchdog Resetting
The watchdog is started in U-Boot on MSH8920. Preparing the backup partition in upgrade2 takes so long that the watchdog resets the CPU and reboots the system. So a watchdog refresh daemon is added that sends keep-alive messages to the watchdog immediately after the Linux platform boots.
MSH8920 - Add wtmp Rotation to Crontab
By default, cron checks the size of /tmp/log/wtmp every 5 minutes. If it is larger than 5M, rotation is executed. The user can adjust the interval and the size limit for /tmp/log/wtmp by modifying /etc/crontab and /etc/logrotate2.conf.
Secure Password
Secure passwords by importing tally2 and cracklib into the rootfs.
Hardware
Port to Dell N3048EP-ON
Please refer to the document N3048EP-ON Switch Port Name Description.
Support DELL S4148F-ON
The S4148F-ON supports 48 x 10G SFP+, and 4 x 100G / 6 x 40G QSFP physical layer interfaces with PICOS.
Port PICOS to N3048ET-ON
N3048ET-ON is one model of Dell's LEEDS N30xx platform. It has 48 1Gbps copper ports with 2 combo Cu ports, one 20Gbps expansion slot for SFP+, 2 10GBase-T modules, and 2 mini-SAS type stacking ports.
Fixed Issues
Linux Platform
Licensing Policy is Updated
In addition to the first 4 ports, 2 extra high-speed uplink ports are allowed to be enabled, bypassing license checking.
Reboot Fails to Bring up PICOS L2/L3 Processes
It only happens on S4048-ON and S4148F-ON. After reboot, the console keeps displaying the following messages:
Mar 29 2019 19:20:27 dev2-si kern.err :ismt_smbus 0000:00:13.0: completion wait timed out
Mar 29 2019 19:20:28 dev2-si kern.err :ismt_smbus 0000:00:13.0: completion wait timed out
It is caused by a hardware limitation of S4048-ON and S4148F-ON: if the i2c bus is turned on/off too fast, it may flap. The solution is to tune the delay time (i2c_ismt.delay) to 8k ns.
User operator is not Allowed to Log in by Default
User operator is not allowed to log in with the default password "pica8", which would be a security concern. The admin can explicitly give user operator a password.
Disable TCP SACK
Several TCP networking vulnerabilities associated with TCP SACK have been identified (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md). As a workaround, TCP SACK is disabled in the PICOS rootfs.
Raise kernel:__div64_32 Exception Under OVS Mode on PPC Platforms
This issue is caused by overflow of tick-based cputime. As a workaround, it can be mitigated by enabling the kernel option CONFIG_HZ_250 and setting CONFIG_HZ to 250 instead of 1000. With this fix, in theory, the issue will not happen within 6 years.
Host Name is Truncated in rsyslog Messages
The full host name is not included in rsyslog messages.
System Management
Support AG7648
The AG7648 is a top of rack (ToR) switch designed for data centers. It has 48 10GbE SFP+ ports and six 40GbE QSFP ports. The AG7648 provides comprehensive hardware capability for supporting layer 2 and layer 3 features.
Clean up the Data when Removing a User
Clean up the corresponding data in /pica/config when a user is removed.
MSH8920 - Configure FEC on 10G Fabric
Enable/disable FEC on the 10G fabric ports, which is only available on MSH8920.
Indicate That the Interface is Down Due to BPDU Guard
If an interface is brought down by BPDU guard, include that information in the output of "show interface ......".
Kontron - Present portmap Running Configuration
Present the portmap setting in "show | display all" even if the default value - 9x40G_FABRIC - is configured.
Kontron - Keep executing the rest of the commands in the execution file even if the "same value" warning is encountered
The execute CLI command stops when a "WARNING: The same value ..." message occurs. Kontron asks to continue executing the rest of the file.
Power Outages Cause Corruption of pica_start.conf
The file pica_start.conf is damaged because it is updated by rc.sh but not flushed to flash when an outage happens. The boot process hangs with a damaged pica_start.conf.
Clean up Associated ACL Rules When Deleting an MLAG
When an MLAG is deleted, the associated ACL rules should be removed. Otherwise, specific traffic from the peer link is dropped.
DHCP Requests are Sent When ZTP is Disabled and IP is Configured Statically
DHCP DISCOVER should not be sent out if ZTP is disabled and a static IP address is configured on the management interface.
Boot Failure Caused by Corrupted Configuration File
PicOS may hang if a power outage happens during the boot process, which can damage the config file being written.
More Than 2 wtmp Files
It is possible to have more than 2 wtmp files in /tmp/log/wtmp. That does not work as designed.
Do not Remark Voice Traffic DSCP by Default
The DSCP of voice packets is no longer updated to 46 by default. The user can remark the DSCP of voice traffic with the command:
# set vlans voice-vlan dscp [0..63]
Management Interface eth0 is Up even if No Cable is Plugged in
With no cable plugged into the switch's management interface eth0, the interface still shows as up when a Linux tool such as "ifconfig" displays the status of eth0.
Voice VLAN - Remove Default OUIs
OUIs are used to identify attached voice devices such as IP phones. By removing the default OUIs, the user is allowed to configure up to 10 different OUIs.
Kernel Log-Level is Decoupled from the XorPlus Log-Level
PicOS keeps sending "kern.debug" messages to the syslog server even though the log-level is set to Info in the XorPlus CLI. The root cause is that the XorPlus log-level does not apply to the kernel.
PoE - threshold-mode Setting Does not Work
Setting threshold-mode to 1 on all PoE ports with the command "set poe interface all threshold-mode 1" does not work.
Corruption of Startup Configuration File
The startup configuration file pica_startup.boot can be corrupted if a power cycle or power outage happens during the PicOS boot process. To fix this issue, first, pica_startup.boot is no longer written back when PicOS boots up; second, the backup configuration is loaded if pica_startup.boot is corrupted.
Remove Date Checking of the License when Downgrading to a Previous Version
It does not make sense to check the end-of-support date of the license when downgrading to a previous version.
upgrade2 is Broken if There is a Large File in /home/admin
If there is a large file in /home/admin, upgrade2 might be broken by an out-of-memory error when it tars and compresses the file and copies it to the second partition. To fix this issue, on the one hand, the backup files are copied to the target partition directly instead of tar & gzip & untar; on the other hand, cache memory is cleaned up with /proc/sys/vm/drop_caches.
[N3132] Management Interface is Changed to eth0
The management interface on N3132 is changed from eth1 to eth0. The startup configuration is lost when upgrading to 2.11.19. To restore the startup configuration, the customer should replace "eth1" with "eth0" in a separate copy of pica_startup.boot and then put it into /pica/config after the upgrade.
AS5600/2.11.16 ONIE Installation Failure
The AS5600/2.11.16 PICOS ONIE installer fails. Fixed in 2.11.19.
Upgrade to 3.1.0+ on EFI Platform
We have one version of the S4148 which boots in EFI (Extensible Firmware Interface) mode. Upgrading from 2.11.19 to 3.1.0 works on both EFI and non-EFI platforms.
Disable Weak Ciphers for SSHD
Enterprise customers prefer to have weak ciphers disabled by default for the SSH server. So the following ciphers are disabled in PICOS: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour.
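The following is an added example, not PICOS code, for checking an sshd_config against exactly the cipher list above: it rewrites any Ciphers directive so that the listed weak ciphers are removed and reports what it dropped, refusing to emit an empty cipher list. The sample sshd_config is constructed; the cipher names it leaves in place (aes128-ctr, aes256-gcm@openssh.com) are standard OpenSSH identifiers.

```python
"""
Weak-cipher check for sshd_config. Added example, not PICOS code.
WEAK_CIPHERS is exactly the list disabled in the release note above.
"""
import re
from typing import List, Tuple

WEAK_CIPHERS = {
    "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc",
    "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
}


def harden_ciphers_line(line: str) -> Tuple[str, List[str]]:
    """Given one 'Ciphers a,b,c' line, return the hardened line and the removed names."""
    m = re.match(r"^(\s*Ciphers\s+)(.*?)\s*$", line, re.IGNORECASE)
    if not m:
        raise ValueError("not a Ciphers directive")
    names = [n.strip() for n in m.group(2).split(",") if n.strip()]
    kept = [n for n in names if n.lower() not in WEAK_CIPHERS]
    removed = [n for n in names if n.lower() in WEAK_CIPHERS]
    if not kept:
        # An empty Ciphers value would make sshd refuse to start; leave it to
        # the operator to choose replacements rather than emit a broken line.
        raise ValueError("every listed cipher is weak; refusing to emit an empty Ciphers list")
    return f"{m.group(1)}{','.join(kept)}", removed


def harden_sshd_config(text: str) -> Tuple[str, List[str]]:
    """Rewrite every active Ciphers line; other lines (and comments) pass through.

    If the config has no Ciphers line at all, sshd falls back to its built-in
    default set, so the absence of a directive is not proof that weak ciphers
    are off; callers should add an explicit Ciphers line in that case.
    """
    out: List[str] = []
    removed_all: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("ciphers ") and not stripped.startswith("#"):
            new_line, removed = harden_ciphers_line(line)
            out.append(new_line)
            removed_all.extend(removed)
        else:
            out.append(line)
    return "\n".join(out) + "\n", removed_all


def has_ciphers_directive(text: str) -> bool:
    """True if an active (uncommented) Ciphers directive is present."""
    return any(l.strip().lower().startswith("ciphers ") for l in text.splitlines())


def has_weak_cipher(text: str) -> bool:
    """True if any active Ciphers directive still lists a cipher from WEAK_CIPHERS."""
    _, removed = harden_sshd_config(text)
    return bool(removed)


# Constructed sample: a mixed Ciphers line with two weak CBC/arcfour entries.
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
# Ciphers arcfour  (commented out, must be ignored)
Ciphers aes128-ctr,aes128-cbc,aes256-gcm@openssh.com,arcfour,3des-cbc
MACs hmac-sha2-256
"""

if __name__ == "__main__":
    hardened, removed = harden_sshd_config(SAMPLE_SSHD_CONFIG)
    print(hardened)
    print("removed:", removed)
```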
CPU Utilization is Reported to Reach 100%
Checking "/tmp/system/cpuusage" indicates that CPU utilization reaches 100%. In fact, it is a false alarm from pica_monitor.
Layer 2 and Layer 3 Features
MAC Learning Command Does Not Take Effect at Once
When MAC learning is disabled on a specific port, for example with
admin@XorPlus# set interface gigabit-ethernet xe-1/1/2.1 mac-learning false
the MAC entries do not disappear from the MAC table immediately.
MSH8920 - Add option to allow BPDU & LACP to Bypass CPU
On MSH8920, BPDUs & LACPDUs can be flooded out of the switch instead of being trapped to the CPU.
PICOS stops host load balance if VRRP is configured
PICOS used to trap all VRRP packets to the CPU, even the host VRRP keepalive packets used for load balancing. The fix adds a source MAC address matching field to the VRRP filter.
IGMP Snooping Does NOT Work
After enabling IGMP snooping, the client is unable to join the group any more.
Duplicate SNMP Traps of LLDP Update
In the case of a neighbor device with multiple sub-interfaces, the switch sends an SNMP trap whenever it receives an LLDP PDU with a port ID different from the previous one. Eventually, tons of SNMP traps are issued.
Dropping LLDP frames with unknown TLVs
If an LLDP PDU with an unknown TLV is received, the unknown TLV should be skipped instead of dropping the whole LLDP frame.
Status of Voice VLAN is Not Correct
If the voice VLAN ID is changed on a specific port, in certain circumstances the status of the voice VLAN stays "working" even after the LLDP neighbor has disappeared.
Ignore VRRP Authentication Packets
PicOS does not support VRRP authentication. An explicit syslog message is issued if VRRP authentication packets are received.
LLDP Frames Dropped by LLDP Module
The LLDP module's state machine can only process one packet per second, so packets are dropped when more than one packet per second arrives on an interface. In the case of a peer device with sub-interfaces configured, the switch sometimes ages out and then re-adds LLDP neighbors even though it is receiving regular LLDP updates for each neighbor every 30 seconds.
IGMP Snooping - Source MAC Address of IGMP Leave Message
With IGMP snooping enabled on a switch, the IGMP leave message sent out of the mrouter interface(s) is generated by IGMP snooping, so its source MAC address should be the MAC address of the switch instead of that of the multicast client host.
PIM Neighbor Cannot be Established Between Two PIM Routers
With IGMP snooping enabled, PIM protocol packets are trapped to the CPU. IGMP snooping uses PIM hello messages to learn mrouter interfaces automatically, and then the PIM protocol packets are dropped. To fix this issue, PIM protocol packets are flooded out of the switch while duplicate copies are sent to the CPU.
Configure IP address on management interface before starting PicOS
If a static IP address is configured on the management interface, it is activated on eth0 before PicOS starts. This ensures that the user can access the hardware even if PicOS fails to boot.
Migrate UDLD fix of 2.7.2S1G to 2.11.7.2
This version (2.11.7.2) of PICOS always sends out UDLD PDUs with the Pica8 OUI (0x486E73). But it needs to use the OUI in the received UDLD PDU to figure out whether the peer device is PICOS 2.7.2S1F (OUI=0x486E73) or Cisco (OUI=0x00000C), and use the corresponding method to calculate the checksum. In any case, 2.11.7.2 can talk via UDLD to both 2.7.2S1F (backward compatible) and future releases (forward compatible).
Enabling and disabling a port when STP is turned on interrupts the traffic
When the port carrying traffic is disabled, traffic switches to the other port after ~550-600ms. But when the port is enabled again, all traffic is interrupted and the MAC entries are messed up.
Buffer Management - Refine Headroom and Flow Control
The maximum size of the headroom is increased. If flow control is enabled and the port speed is configured, the headroom size is 0.
MLAG - Traffic is Broken when Bringing Up One Down MLAG Link
Initially one link of an MLAG is down. When it is brought up, traffic from the upstream device is broken for 5-6 seconds.
MLAG - Traffic is Broken when Master Spine Shuts Down
With reload delay configured, traffic from the downstream device is broken for 12 seconds when the master spine shuts down.
Root Guard
If root guard is enabled on a port, the port is blocked when it receives a BPDU with a superior bridge priority. That denies devices behind such ports from participating in STP. The blocking is removed as soon as the device stops sending superior BPDUs.
VLAN Membership Issue with DHCP Discover Packets
With DHCP snooping enabled, DHCP DISCOVER packets with an unexpected VLAN ID can be received on a port and flooded out of ports configured with different VLAN memberships. For example, a DHCP DISCOVER packet tagged with VLAN 608 can ingress on ge-1/1/2 and then egress on te-1/1/49 even though VLAN 608 is only configured for te-1/1/49. We expected only tagged packets on VLAN 19 and VLAN 20 to be allowed to ingress on ge-1/1/2.
...
CLI Session Hangs Due to PoE Display
The CLI hangs when the command "show poe interface all" is executed.
...
STP Process Crashes on 2.11.5.cloudistics.0/as5812_54x
Cloudistics reports problems related to crashes of the STP process (pica_mstp). The user can restart the STP feature from the CLI, but the CLI shows the protocol as MSTP instead of the configured STP. The user has to delete the current force-version and set it back; then the show output and the configuration are consistent.
...
Do not Allow Different Filters to Be Configured on the Same VLAN Interface
Add configuration checking that does not allow different firewall filters to be configured on the same VLAN interface on the ingress side or the egress side.
...
"set system hostname" Does not Update /etc/hostname
Boeing reported that the hostname in the /etc/hostname file is not updated by the "set system hostname" command. This causes DHCP requests sent on eth0 to advertise "xorplus.chs.sc.boeing.com", since the hostname in /etc/hostname is still "xorplus".
...
RR Scheduler Does not Work
The RR (Round Robin) scheduler configured on the egress queues behaves like the SP (Strict Priority) scheduler.
...
MSH8920 - Fail to Activate LACP and BPDU L2-transparency
With "set protocols lacp||stp message-in disable true" configured, BPDU and LACP frames should be flooded out of the switch instead of being trapped to the CPU, but they are not flooded.
...
Xorp_policy Crash
If static routes are configured, xorp_policy crashes and generates a coredump file when it shuts down.
...
Maximum Power Setting on UPoE Ports
The maximum power that can be provided by a UPoE port of the AS4610-54P is 51 watts instead of 64 watts, so the range of max-power for a specific port is changed to [1..51].
...
The Default Value of lldp-negotiation is TRUE
To simplify the PoE configuration, the default value of lldp-negotiation for both the global/all and the local/per-port setting is changed to true.
...
Phone classified as CDP If LLDP Enabled Capabilities are not Set Correctly
A customer has phones which do not set the LLDP Enabled Capabilities: Telephone bit correctly (Not Enabled), but whose LLDPDUs include a Network Policy TLV requesting a policy for the Voice application. PICOS LLDP/CDP classifies these phones as CDP phones and sends untagged voice-related traffic to them, which the phones do not expect because of the LLDP-MED negotiation. PICOS should classify the device as an LLDP-MED phone if the switch receives LLDPDUs from the phone with LLDP-MED Network Policy TLVs for Voice, EVEN IF the base LLDP has "Enabled Capabilities::Telephone=NO". The logic is that if the device requests an LLDP-MED Network Policy for Voice, it must be a phone, and this overrides Enabled-Capability::Telephone=NO.
...
PoE Power Provision Error If the Phone Has Different Chassis IDs with Different IP Addresses
The attached phone sends LLDPDUs with two different Chassis IDs, which are the values of its IP addresses. Initially the Chassis ID/IP address is 0.0.0.0; it then becomes, for example, 104..255.99.11 when the phone gets an actual IP address from the DHCP server. The initial LLDPDU with 0.0.0.0 requests 12.1 watts, and the following LLDPDU with 104..255.99.11 requests 15.1 watts. Unfortunately, the LLDPDU with 104..255.99.11 is ignored. The PicOS switch should continuously check the Power Via MDI TLV and provide the power requested by the TLV in each incoming LLDPDU.
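As an added example (not PICOS code), the following Python parses a minimal LLDPDU and applies the two rules described above: a Voice Network Policy TLV classifies the device as an LLDP-MED phone even when Enabled Capabilities::Telephone=NO, and the power request is read from the Power-via-MDI TLV of every incoming LLDPDU regardless of Chassis ID. The sample frames are constructed, the TLV layouts are assumed from IEEE 802.1AB and ANSI/TIA-1057, and using the LLDP-MED Extended Power-via-MDI TLV (rather than the IEEE 802.3 one) is an assumption.

```python
import struct

TIA_OUI = b"\x00\x12\xbb"   # OUI carried by LLDP-MED organizationally specific TLVs
CAP_TELEPHONE = 0x20        # Telephone bit in the System Capabilities bitmaps (TLV type 7)
MED_NETWORK_POLICY, MED_EXT_POWER, APP_VOICE = 2, 4, 1   # LLDP-MED subtypes / app type

def tlv(t, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (t << 9) | len(value)) + value

def build_lldpdu(telephone_enabled, voice_vlan=None, power_dw=None):
    """Constructed sample LLDPDU for a hypothetical phone (not a captured frame)."""
    pdu = tlv(1, b"\x05\x01" + bytes(4))                   # chassis ID: IPv4 0.0.0.0
    pdu += tlv(2, b"\x03\x00\x11\x22\x33\x44\x55")         # port ID: MAC address
    pdu += tlv(3, struct.pack("!H", 120))                  # TTL 120 s
    enabled = CAP_TELEPHONE if telephone_enabled else 0    # capable, maybe not enabled
    pdu += tlv(7, struct.pack("!HH", CAP_TELEPHONE, enabled))
    if voice_vlan is not None:   # Network Policy: Voice, tagged, L2 prio 5, DSCP 46
        policy = (1 << 22) | (voice_vlan << 9) | (5 << 6) | 46
        pdu += tlv(127, TIA_OUI + bytes([MED_NETWORK_POLICY, APP_VOICE])
                   + policy.to_bytes(3, "big"))
    if power_dw is not None:     # Extended Power-via-MDI: PD, high priority, 0.1 W units
        pdu += tlv(127, TIA_OUI + bytes([MED_EXT_POWER, 0x52]) + struct.pack("!H", power_dw))
    return pdu + tlv(0, b"")                               # End of LLDPDU

def parse_tlvs(pdu):
    """Yield (type, value) pairs until the End-of-LLDPDU TLV or truncated data."""
    off = 0
    while off + 2 <= len(pdu):
        hdr = struct.unpack_from("!H", pdu, off)[0]
        t, length = hdr >> 9, hdr & 0x1FF
        if t == 0:
            return
        yield t, pdu[off + 2:off + 2 + length]
        off += 2 + length

def classify(pdu):
    """Apply the rule above: a Voice Network Policy TLV marks an LLDP-MED phone
    even when Enabled Capabilities says Telephone=NO; also read the power request."""
    info = {"telephone_enabled": False, "voice_vlan": None, "requested_dw": None}
    for t, v in parse_tlvs(pdu):
        if t == 7 and len(v) >= 4:
            info["telephone_enabled"] = bool(struct.unpack("!HH", v[:4])[1] & CAP_TELEPHONE)
        elif t == 127 and v[:3] == TIA_OUI and len(v) >= 7:
            if v[3] == MED_NETWORK_POLICY and v[4] == APP_VOICE and len(v) >= 8:
                info["voice_vlan"] = (int.from_bytes(v[5:8], "big") >> 9) & 0xFFF
            elif v[3] == MED_EXT_POWER:
                info["requested_dw"] = struct.unpack("!H", v[5:7])[0]
    info["is_phone"] = info["voice_vlan"] is not None or info["telephone_enabled"]
    return info
```

Calling `classify` on each LLDPDU as it arrives, rather than once per Chassis ID, is what lets a later 15.1 W request (power_dw=151) replace the initial 12.1 W one.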
...
Add ifSpeed and ifHighSpeed for Port with 25G and 100G Speed
The ifSpeed/ifHighSpeed MIB values for ports with 25G and 100G speed are not as expected, so ifSpeed and ifHighSpeed are added for ports with 25G and 100G speed to make the MIB values correct.
...
Add VLAN Display in Dot1x MAB Table
Present the dynamic VLAN of the connected device authenticated by MAB.
admin@Xorplus# run show dot1x mab interface
Interface Mac Authenticated Dynamic-Vlan
-------------- ----------------- ------------- ------------
ge-1/1/33 00:00:06:00:00:07 true 20
...
802.1x Precedes MAB
To follow Cisco's behavior, 802.1x precedes MAB if both 802.1x and MAB are available.
...
Add the Service Type Attribute in Access Request Message
Add the Service-Type attribute to the Access-Request messages sent to RADIUS to differentiate MAB from 802.1x.
...
[AS4610-54P] Phone won't power up randomly after disabling and re-enabling PoE on UPoE ports
A Cisco 8845 IP Phone was powered up and working properly on UPoE ports (ge-1/1/44, ge-1/1/48). After disabling and re-enabling PoE, it is possible that the phone no longer powers up.
...
Do not Allow 802.1X to Be Configured on a LAG Member Port
Add configuration checking to prevent 802.1X from being enabled on a LAG member port.
...
ECMP Max Path Should not Be Changed When Symmetric Hashing is Disabled
After "delete interface ecmp hash-mapping symmetric" is committed successfully, the CLI prompts "ECMP max path has been changed, please reboot the system for changes to take effect!". The ECMP max path should not change when symmetric hashing is disabled.
...
Port is not Updated when the User Status Changes
A port is secured by 802.1X and configured with a dynamic VLAN such as VLAN 8. The dynamic VLAN is then changed to VLAN 9 on the RADIUS server side (for example, PacketFence). Re-authentication does not change the port's dynamic VLAN to VLAN 9 on the Pica8 switch side.
...
L2/L3 Protocol Packets cannot Be Trapped to CPU on Delta Models
L2 BPDUs and L3 protocol packets occasionally cannot be trapped to the CPU on Delta models, including AG9032 and AG548.
...
SNMP Trap is not Sent out if RPSU Powered On/Off
The SNMP trap rpsuStatusChangePowerOff or rpsuStatusChangePowerOn is not sent out when the RPSU is powered on or off.
...
Traffic Failed to Be Mapped to Correct Queue
On TD+ models, if a forwarding-class is set with a local-priority such as 2 and specific traffic is associated with this forwarding-class, the BCM shell counters show the traffic going to egress queue 0 instead of 2.
...
[PVST] Wrong Port Role
In a network topology where a Pica8 switch is connected to a Cisco switch with PVST enabled on both switches, bringing a port on the Pica8 switch down and then up can somehow leave the role of another port on the Pica8 switch incorrect.
...
Failed to Query SNMP OIDs RFC1213-MIB::atPhysAddress and IP-MIB::ipNetToMediaPhysAddress
...
Include "#" in Shared Key of TACACS+ Session
Allow the character "#" to be included in the shared key of a TACACS+ session.
...
Routing Protocols
...
BGP Statistics Error
When both IPv4 and IPv6 sessions are created between two BGP peering switches, the number of BGP routes (received prefixes, accepted prefixes and active prefixes) is incorrect.
Open vSwitch and OpenFlow
...
Statistics Error on Tunnel Packets
The drop counter on the ingress side still increases even though the tunnel packets are forwarded out of the switch correctly.
...
Command ovs-pica-save/ovs-pica-load does not Work Occasionally
The commands ovs-pica-save/ovs-pica-load are not reliable. It is possible that ovs-pica-save/ovs-pica-load fails even though it reports success.
...
DHCP Cycle in CrossFlow Mode
In CrossFlow mode with DHCP snooping enabled, DHCP control packets might cycle on a self-loop connection.
...
Install the Flow Entry to ASIC Even If the User Tries to Set DSCP to 0
PICOS/OVS does not allow installing a flow entry to the ASIC with "set_field:0->ip_dscp", as in the following: `ovs-ofctl add-flow br0 in_port=2049,ip,actions=set_field:0->ip_dscp,normal`. Additionally, PICOS/OVS does not allow configuring a flow entry to the ASIC with an action such as "set_field:24->ip_dscp" whose value equals that of the match criterion "ip_dscp=24", as in: `ovs-ofctl add-flow br0 in_port=2049,vlan_tci=0x1000/0x1000,ip,ip_dscp=24,actions=set_field:24->ip_dscp,normal`.
...
Linux Panic
Linux may panic due to a null pointer dereference in the fan driver code under a race condition between different threads.
...
ARP Proxy Does not Work on Tunnel Port
If ARP proxy is enabled on a tunnel's network port, the switch sends out an ARP reply packet that carries a tunnel header.
...
Support 6k Flow Entries for AS5812 and AS6812
Allow up to 6k flow entries to be configured on AS5812_54T, AS5812_54X and AS6812.
...
AS5812 OVS sFlow Function Fails to Generate Flow Samples
In OVS 2.6, sFlow only generates counter samples (CNTR) but not flow samples (FLOW).
...
Refine the Performance of Adding a Large Number of Flow Entries
For entries with the same priority, the time to add 4k flow entries is reduced dramatically on AS5812.
...
It Takes Too Long to Delete 6k Flows on AS5812 and AS6812
It takes 20 minutes to delete 6k flow entries, which is too long.
...
Convert OVSDB to Match New Schema in Upgrade2
PicOS OVS uses OVSDB to restore the configuration. The OVSDB schema may change because new configuration commands might be added in a new version of PicOS. To carry the OVSDB into the new version of PicOS via upgrade2, the OVSDB should be converted to the new schema of the new version of PicOS.
...
Enable In-band under Match Mode
OpenFlow in-band controller connection is enabled under match mode.
...
Update the Action in the Hardware Flows when a Port is Deleted from/Added to the Bridge
When a port is deleted from the bridge, the action of the hardware flows that output to that port should be updated to "drop". If the port is added back to the bridge, the hardware flows should be restored to the original ones.
...
Delete L2GRE Ports
If an L2GRE port is added and then deleted, the configuration associated with this L2GRE port in MPLS_ENTRY is not removed.
...
Security
...
Apply Policer to Aggregate Traffic
If a policer is configured on a couple of ACL rules, the policer is applied to the aggregate traffic instead of to each traffic flow matching a specific ACL rule independently.
Miscellaneous
Bug ID | Release | Description |
---|---|---|
9196 | 2.11.7 | Issue SNMP Trap if LAG Member Port Links Up/Down |
9232 | 2.11.7 | Protocol Packets are Counted as Discarded |
9252 | 2.11.7 | SNMP - Value of ifLastChange is Always 0 |
9265 | 2.11.7 | SNMP - Value of sysUpTime is not in Timeticks |
7882 | 2.11.17 | [AG9032] PICOS Can't Boot up PICOS 2.11.16 cannot boot up on AG9032. Certain Delta switches such as AG9032 require the MAC to be reset via CPLD from software when the system is rebooted by "reboot -f". |
 | 2.11.25.3 | Use Space Key to Terminate Countdown During the upgrade2 process, the system enters a 10-second countdown before rebooting. The user can only press the space key, not any key, to end the countdown and abort the upgrade process. |
Ampcon
Bug ID | Release | Description |
---|---|---|
12728 | 2.11.25.10 | Change server_hostname_prefix to "autopilot-pica8" This is an enhancement for the Ampcon agent. |
Fixed Issues
Linux Platform
Bug ID | Release | Description |
---|---|---|
12729 | 2.11.25.9 | Port fails to come up with a Cisco RJ45 SFP (CISCO-METHODE) inserted A qualified optical RJ45 adapter (CISCO-METHODE) was inserted into a PICOS-driven switch and failed to come up. The switch was an AS4610-54P. The PICOS version was 2.11.25.7. |
Layer 2 and Layer 3 Features
Bug ID | Release | Description |
---|---|---|
11560 | 2.11.25 | Include "#" in Shared Key of TACACS+ Session |
11718 | 2.11.25.1 | Crash Caused by DHCP/ICMP With DHCP snooping/relay enabled, if a DHCP OFFER is received and then immediately an ICMP packet, it is possible that the process pica_sif crashes. |
11738 | 2.11.25.2 | Port Hangs after dot1x CoA-terminate and CoA bounce-port for MAB Authenticated Phone If the configured voice VLAN is equal to the dynamic VLAN for a specific port and connected client device, the port somehow gets stuck when a CoA terminate message is received. |
12015 | 2.11.25.3 | DHCP Discovery Packets are Discarded When it Fails to Reach NAC Server The client falls back to the server-fail-vlan when the NAC server is not reachable. In this case, the client should be allowed to reach the DHCP server even if DHCP snooping is enabled. |
11920 | 2.11.25.3 | Send out LLDP with Power-Via-MDI TLV for Power Negotiation if PoE is Enabled Not all PDs (Powered Devices) initially send LLDP with the Power-Via-MDI TLV when they request extra power via power negotiation. So the PICOS switch sends LLDP with the Power-Via-MDI TLV initially if PoE is enabled on the specific port. |
12257 | 2.11.25.6 | Aruba AP-515 Fails to Receive Power Somehow the Aruba AP-515 cannot receive power from N3048 UPoE ports (ge-1/1/1 to ge-1/1/12). |
12248 | 2.11.25.7 | DACL Counter Should Be in Packets To be consistent with locally configured ACLs, the counter of downloadable/dynamic ACLs should be in packets. |
12329 | 2.11.25.7 | DOT1X Authentication Fails when Two Reachable Servers are Configured The client fails to be authenticated if multiple configured RADIUS servers are reachable. |
12436 | 2.11.25.7 | Switch Still Does MAB Auth when Client Sends EAP Packet If MAB and 802.1x are both enabled on a specific port and EAP is received from the client on this port, the client can only be authenticated by 802.1x, which has higher priority than MAB. |
12508 | 2.11.25.7 | Lower the Level of a LOG Message Lower the level of the log message, such as "The mac address 00:24:14:b3:68:3a is NAC session, ignore it", to "TRACE". |
14632 | 2.11.25.16 | Duplicate Access-Request Messages The switch may send out duplicate access-request messages even though the RADIUS service for NAC is available and the associated access-accept messages are returned. |