...

These notes summarize the PicOS 3.8 new features, new hardware, known bugs, and bug fixes. Read all of the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.

Table of Contents

New Software Features

Layer 2 and Layer 3

...

NTP Configuration Commands Changed
The NTP server IP address and the NTP source interface are configured with the following commands:
set system ntp server-ip x.x.x.x
set system ntp source-interface xxxx
If an NTP source interface is configured, it is used as the source interface for NTP connections.

...

  • Removed the global setting that enabled DHCP snooping on all VLANs.
  • Option 82 can be configured as a pattern instead of a fixed string.
  • With VRRP, the DHCP relay agent IP address can be the virtual IP address of the VRRP group.
  • A new MLAG DHCP Sync message synchronizes DHCP messages between the two MLAG spines.

...

  • The CLI commands for DHCP snooping and relay changed in 3.7.0. An upgrade to 3.7.0 fails if the older version's configuration includes DHCP snooping or relay settings.
  • Additionally, the MLAG CLI commands changed in 3.6.x, so an upgrade to 3.7.0 fails from a version older than 3.6.x that carries an MLAG configuration.
  • For an upgrade from 2.11.x, refer to Upgrading PICOS from Release 2.11.x Using Upgrade.

...

SNMP ACLs Applied as per Community or Security User Name

The snmp-acl can be configured per SNMP community or per security user: that community or user then has its own IP allow list, which overrides the global snmp-acl configuration. Because a per-community or per-user list replaces the global list rather than narrowing it, check that no such list is broader than intended. Refer to Configuring SNMP ACL for details.
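The precedence described above (a community's own list overrides the global list, a community without one falls back to it) is easy to get backwards when reviewing a configuration. The following is an added example, not PicOS code, that evaluates a source address against that precedence and audits for per-community lists that admit sources the global list would not. The prefixes and community names are constructed test data, and the behaviour when no list is configured at any level (treated here as unrestricted) is an assumption, not something the page states.

```python
"""Evaluate and audit per-community SNMP ACL precedence (added example, not PicOS code)."""
import ipaddress
from typing import Dict, List, Optional


def parse_acl(entries: List[str]):
    """Turn prefix strings such as "10.1.1.0/24" (or bare host addresses) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def effective_acl(community: str, global_acl, per_community_acl: Dict[str, list]):
    """The list that actually governs a community: its own list if it has one,
    otherwise the global snmp-acl. The per-community list replaces the global
    list; it is not intersected with it."""
    return per_community_acl.get(community, global_acl)


def snmp_allowed(src_ip: str, community: str, global_acl: Optional[list],
                 per_community_acl: Dict[str, list]) -> bool:
    """True if a request from src_ip using this community passes the ACL.
    Assumption (not stated on the page): with no list configured at any level
    (global_acl is None and no per-community entry), access is unrestricted."""
    ip = ipaddress.ip_address(src_ip)
    acl = effective_acl(community, global_acl, per_community_acl)
    if acl is None:
        return True
    return any(ip in net for net in acl)


def broader_than_global(global_acl: list, per_community_acl: Dict[str, list]) -> Dict[str, List[str]]:
    """Audit: communities whose own list admits sources the global list does not.
    Because the per-community list overrides the global one, such entries
    widen SNMP exposure rather than narrow it."""
    findings = {}
    for community, acl in per_community_acl.items():
        extra = [str(net) for net in acl
                 if not any(net.version == g.version and net.subnet_of(g) for g in global_acl)]
        if extra:
            findings[community] = extra
    return findings


# Constructed sample policy: the global list allows the corporate 10/8 only.
GLOBAL_ACL = parse_acl(["10.0.0.0/8"])
PER_COMMUNITY = {
    "ro-nms": parse_acl(["10.1.1.0/24"]),                   # narrower than global: fine
    "rw-lab": parse_acl(["10.0.0.0/8", "192.168.5.0/24"]),  # adds a source the global list denies
}

if __name__ == "__main__":
    for src, comm in [("10.1.1.5", "ro-nms"), ("10.2.0.1", "ro-nms"),
                      ("10.2.0.1", "public"), ("192.168.5.9", "rw-lab")]:
        verdict = "allow" if snmp_allowed(src, comm, GLOBAL_ACL, PER_COMMUNITY) else "deny"
        print(f"{src:>14} {comm:<8} -> {verdict}")
    print("per-community lists broader than global:", broader_than_global(GLOBAL_ACL, PER_COMMUNITY))
```

Note that 10.2.0.1 is denied for ro-nms even though the global list allows it: once a community has its own list, the global list no longer applies to it at all.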

...

Management VRF

Management VRF separates management traffic from dataplane traffic completely, for security. The key points are:
  • If mgmt-vrf is enabled, the management interfaces such as eth0 are placed in mgmt-vrf. VLAN interfaces cannot be added to mgmt-vrf.
  • Dynamic and static routes cannot be configured in mgmt-vrf.
  • Management services start in the default VRF by default. They can be moved to mgmt-vrf manually if needed.
For details, refer to the VRF+Configuration+Guide.

...

OSPF over VRF

OSPF can be enabled on a specific VRF, and policy statements can be applied to the OSPF instance per VRF. For details, refer to OSPF (Open Shortest Path First).

...

Split 100G Port into 2 x 50G Ports
A 100G port can be split into 2x50G, 4x25G or 4x10G on AS7726_32X in L2/L3 mode.

...

DHCP Server under L2/L3 

A simple DHCP server is introduced into PicOS in L2/L3 mode. It assigns IPv4 addresses to hosts in one specific VRF for Internet access. Refer to Configuring DHCP Server.

...

MLAG Enhancement

Refined the behavior when configurations are inconsistent on the peering MLAG spines. PicOS keeps MAC addresses syncing on MLAG interfaces even if the configurations on the peering spines are inconsistent, unless the MLAG TCP connection is broken. For spanning tree, depending on the type of inconsistency on the MLAG spines, PicOS takes one of the following actions:
  • Do nothing and keep the traffic flowing.
  • Shut down the specific MLAG port.
  • Block the associated VLANs configured on the peer-link.
Refer to Principle of MLAG for details.

...

Up to 80 abbreviated dACL rules can be added on ClearPass by abbreviating the keywords of the downloadable ACL. This change is backward compatible: the old downloadable ACL keywords still work.

...

The host name of the CWA (Central Web Authentication) server is included in the redirect URL of the RADIUS Access-Accept message returned by the NAC server, so the IP address of the CWA server can be resolved by the configured DNS. The configuration commands for the CWA IP address and L4 port are hidden:

set protocols dot1x web server-ip XXXX

set protocols dot1x web port XXXX

...

Consecutive Detect Number

Added the consecutive detect number to the output of "run show dot1x server".

...

Add idle-timeout for CLI on Console Port

Log in to the switch on the console port. When the configured timeout expires, the CLI exits.

...

MLAG Peer Gateway

A maximum of 500 L3 VLAN interfaces can be configured on each MLAG spine switch. The IP address of each L3 VLAN interface can be used as the gateway for downlink hosts. Refer to Principle of MLAG.

...

Allow 802.1X to Work with Local Firewall

Support both 802.1X dynamic/downloadable ACLs and local firewall filters (on-switch security and QoS ACLs) on the same ports.

...

DNS Domain Search List
Added the CLI command "set system dns-search-list xxxx" to configure the DNS search list used when looking up a host name.

Open vSwitch and OpenFlow

...

TTP Improvement

New tables, Bridging_Flow_Table, Egress_Port_Flow_Table, Egress_Port_Group_Flow_Table, Egress_VLAN_Xlate_Flow_Table and Egress_ACL_Flow_Table, are added under TTP (Table Type Pattern) mode. Refer to Configuring TTP for the detailed update.

Linux Platform

...

Hardware

...

Support N3224P-ON

N3224P-ON supports 24x10G copper ports with 802.3bt Type-4 90W PoE, 4x25G SFP28 ports and 2x100G QSFP28 ports in the rear.

...

N3224F-ON supports 24x1G SFP ports, 4x10G SFP+ ports and 2x100G QSFP28 stacking ports in the rear.

...

Support S5232F-ON

S5232F-ON supports 32x100G QSFP28 ports and 2x10G SFP+ ports.

...

AG5648 Support in 3.7.4

AG5648 is added back to the list of supported hardware in 3.7.4.

...

Support AS4630-54NPE

AS4630-54NPE consists of 36x2.5G BASE-T ports, 12x10G BASE-T ports, 4x25G SFP28 uplink ports and 2x100G QSFP28 uplink ports.

...

Support N2248PX-ON & N2248X-ON
N2248PX-ON and N2248X-ON support 48x2.5G RJ45 ports, 4x25G SFP28 ports and 2x40GbE QSFP ports. N2248PX-ON is a PoE switch: 24 of the RJ45 ports support 30W PoE and the other 24 support 60W PoE.

...

Fixed Issues

Layer 2 and Layer 3 Features

...

Disable NTP by Default
NTP is disabled by default and is only enabled when an NTP server is configured.

...

Multicast Traffic Flooded within the VLAN Even with IGMP Snooping Enabled
If a VLAN interface is configured on a specific VLAN, unknown multicast traffic is flooded within that VLAN even though IGMP snooping is enabled on it. Fixed in 3.7.1.3.

...

Do Not Discard IP Fragments of NAC Messages

Under an in-band connection, IP fragments of NAC messages should not be dropped.

...

Client Device Loses NAC Authentication After session-timeout

After the authentication session-timeout (1 hour by default), the client device's authentication is terminated and, under particular circumstances, it cannot be authenticated again. Fixed in 3.7.4.

...

A MAC address learned on the VXLAN network port of one MLAG spine is not synced to the peering MLAG spine even though the VXLAN configuration is consistent on both spines. Additionally, the MAC address on the network port is shown with type "Dynamic" or "Sync" on both spines in the output of "run show vxlan address-table". Fixed in 3.7.4.

...

Traffic Loop Appears if the VXLAN Network Port Is Flipped

VXLAN is configured on the two MLAG spines. Traffic from the peer link should be blocked on the VXLAN network port unless the corresponding VXLAN network port on the peering spine is down. However, flipping the VXLAN network port on one spine can defeat this blocking and lead to a traffic loop. Fixed in 3.7.4.

...

Added global configuration commands for the recovery-timeout and session-timeout of NAC sessions.

...

Remove syslog Messages for NAC Debugging

Removed trivial NAC debugging log messages that were noisy and confusing.

...

PicOS CLI Command "commit confirmed" Does Not Work in "cli -c ..."

The PicOS CLI command "commit confirmed" does not work inside "cli -c ...", for example:

cli -c "configure;set vlans vlan-id 1888; commit confirm 10"

The configuration rollback is not triggered. This can also be reproduced in an Ansible environment.

...

MSTI Validation When Showing MSTP Interface Status

When the interface status of an MSTP instance is shown with "run show spanning-tree mstp interface msti xxx", an error message is displayed if the specified MSTI is invalid.

...

Port with Root Guard Enabled

If the role of a port with root guard enabled changes, the port is blocked and marked "ROOT_NC".

...

It Takes Longer to Stop PicOS with Web Authentication Enabled

It takes much longer to stop PicOS if web authentication is enabled on a specific port. Fixed in 3.7.5.

...

Remove an LCMGR Log Message

Removed the rsyslog message "[LCMGR]BCM_FIELD_RANGE_SRCPORT id 0x5a0000xx", which was confusing and meaningless.

Open vSwitch and OpenFlow

...

Bug ID | Release | Description

...

SNMP Port Statistics Error
The values of the SNMP MIB objects under iso.3.6.1.2.1.31.1.1.1.x.x (ifXTable) associated with port statistics are not correct.

...

Enabled the web GUI for OVS configuration on N3200 platforms.

...

FEC (Forward Error Correction) can only be applied to a 100G port configured with 100Gbps speed.

Hardware

...

Update Fan Status if a Fan Stops Working
When a fan stops working or is pulled out, the fan status is reflected immediately in the output of "run show system fan".

Linux Platform

...

Bug ID | Release | Description

...

UEFI Boot Entry Displayed as 'grub'
The UEFI boot entry of PicOS is changed to "picos" in efibootmgr under ONIE.

...

Fan Tray Airflow Direction on N3248TE

Support both fan airflow directions, back-to-front (B2F) and front-to-back (F2B), on N3248TE.

...

upgrade/upgrade2 Cannot Work with an Ansible Playbook

upgrade/upgrade2 now return to the shell prompt by executing "reboot" in the background, so an Ansible playbook used for upgrades no longer hangs waiting for the shell prompt.

...

Port Status Is 'up' When a Cable Is Connected to a Disabled Port

On N3224PX-ON, when a cable is connected to a disabled port, the port status shows 'up'.

AmpCon

...

Bug ID | Release | Description

...

Roll Back Config if Upgrade Fails
The AmpCon agent rolls back to the original configuration if the upgrade fails, for example because of a VPN connection failure.

CLI Changes

...


New Features

Layer 2 and Layer 3

Ticket ID | Release | Description
12814 | 3.8.0

VXLAN Routing
VXLAN routing enabled on a VTEP behaves as a VXLAN L3 gateway in centralized routing mode. For details, see VXLAN Routing.

13098 | 3.8.0

Enable VXLAN on NAC Ports
VXLAN could not be configured on ports with NAC (802.1X, MAB or web authentication) enabled. This restriction is removed in release 3.8.0.

13101 | 3.8.0

DNS Domain Search List
Added the CLI command "set system dns-search-list xxxx" to configure the DNS search list used when looking up a host name.

13195 | 3.8.0.4

Multi-line Announcement

A multi-line login announcement can be configured with the new CLI command "set system login multiline-announcement ...".

13618 | 3.8.0.4

Specify Source Interface for SNMP Trap Configuration

Support specifying a source interface for SNMP traps. The source interface can be a loopback or an L3 interface; it determines the source IP address of the traps sent, so that traps received from each switch always carry a single, consistent source IP address.

13597 | 3.8.0.4

SNMPwalk Fails

SNMPwalk may fail when the switch has multiple VLANs enabled inband, because the SNMP reply could only be sent back via the L3 interface on which the associated SNMP query was received. Fixed in 3.8.0.4 by looking up the L3 routing table to send SNMP replies to the SNMPwalk client.

13195 | 3.8.0.4

Multi-line Banner

A multi-line banner can be configured with the new CLI command "set system login multiline-banner ...".

Hardware

Ticket ID | Release | Description
12496 | 3.8.0

Support AS5835-54T
AS5835-54T consists of 48x10G RJ45 ports and 6x100G QSFP28 uplink ports on the front panel.


Fixed Issues

Layer 2 and Layer 3 Features

Ticket ID | Release | Description
13106 | 3.8.0

Cannot Read out EEPROM Data on AS7326-56X
The I2C address changed on the new model of AS7326-56X. The driver code is modified to fix this issue on the updated model of AS7326.

13172 | 3.8.0.1
Aquantia PHY Firmware Is Not in SPI Flash on N3224PX-ON
Ports cannot link up if the Aquantia firmware is not loaded into the RAM of the external PHY on N3224PX-ON. If the Aquantia PHY firmware is not present in the SPI flash attached to the external PHY, PicOS programs the CLD image of the Aquantia PHY firmware into the SPI flash, then resets the external PHY to load the firmware and bring the ports up automatically.
13171 | 3.8.0.1
Cannot Forward Traffic if Link Speed Is 5G on N3224PX-ON
If the link speed negotiated with a connected device is 5G, traffic from the attached device cannot be forwarded. Fixed in 3.8.0.1.
13161 | 3.8.0.1
Cannot Recognize PoE Devices of Class 4-8 on N3224PX-ON
Testing with a PoE tester, PD classes 4-8 cannot be recognized on N3224PX-ON. Fixed in 3.8.0.1.
13173 | 3.8.0.1
NAC: Downloadable ACL Rules with L4 Port Range Do Not Work on Trident3-X3 Platforms
A DACL rule matching an L4 port range cannot be applied to the ASIC hardware on Trident3-X3 platforms such as Dell N32XX and EdgeCore AS4630. Fixed in 3.8.0.1.
13159 | 3.8.0.1
PoE Cannot Work on N3132PX-ON
PoE randomly fails on specific ports on N3132PX-ON. Fixed in 3.8.0.1.
13207 | 3.8.0.1

Static MAC Address Changed to Dynamic on MLAG peer-link Port

On an MLAG spine switch (call it spine A), configure a static MAC address on the peer-link port. If this MAC address is learned on a single-homed port on the peering spine switch, it is synchronized to spine A on the peer-link port, and the type of the configured static MAC address on the peer-link port changes to dynamic.

13436 | 3.8.0.3

Cannot Access SNMP Agent

If management VRF and the inband connection are both enabled with the following CLI commands, the SNMP agent cannot be accessed:

set system inband enable true

set system management-vrf enable true

13419 | 3.8.0.3

The Size of NETCONF.events Increases Indefinitely

If NETCONF is configured on the switch, the NETCONF log file /tmp/stream/NETCONF.events grows indefinitely. A rotation mechanism is added to fix this issue and keep the file within 2 MB.

13457 | 3.8.0.3

Crash if port-mode Is Configured via NETCONF

The NETCONF process might crash if port-mode is set to "trunk" and then back to "access" repeatedly via NETCONF.

13639 | 3.8.0.4

VXLAN Cannot Work on LAG Port

Suppose a LAG is the network interface of a specific VXLAN instance. If a member port of this LAG goes down and then comes up, incoming traffic on the access port cannot enter the VXLAN tunnel. Fixed in 3.8.0.4.

13654 | 3.8.0.4

802.1X Authorization Failure on VXLAN Access Port

When the VXLAN configuration is reset from the AmpCon SDN controller, 802.1X authorization on the VXLAN access port may fail. Fixed in 3.8.0.4.

13586 | 3.8.0.4

Different MAC Addresses Returned for the VRRP IP

With active-active VRRP over MLAG, when a client requests the MAC address bound to the VRRP virtual IP address via ARP/NS, different MAC addresses may be returned. Fixed in 3.8.0.4.

13658 | 3.8.0.4

Upgrade Failure on SquashFS Platforms

On SquashFS platforms (N3100 and N3000) carrying a customer's configuration, an upgrade from 2.11.25.x to 3.8.x fails. Fixed in 3.8.0.4.

13158 | 3.8.0.4

Ports Cannot Link Up on S5248

Ports 13-16, 37-40 and 48 cannot link up.

13772 | 3.8.0.6

Traffic with Duplicate Source MAC Received on Both MLAG Spine Switches

Under some abnormal circumstances, traffic with a duplicate source MAC address may be received on both MLAG spine switches at the same time, so on a given MLAG spine this MAC address moves between a single-homed port and the peer-link port. If after a while this traffic is received on only one spine, the other spine should learn the MAC address on the peer-link port only.

12921 | 3.8.0.6

Login ACL Rules Should Not Be Applied to SNMP Access

The configured login ACL rules were also applied to SNMP access. Fixed in 3.8.0.6. After the fix the login ACL no longer filters SNMP, so SNMP access must be restricted with snmp-acl (globally, or per community or security user) rather than relying on the login ACL.

13713 | 3.8.0.6

OpenVPN iptables Rules Removed When PicOS Is Restarted

The iptables rules allowing the OpenVPN connection between the local AmpCon agent and the remote AmpCon server were removed when PicOS was restarted with a command such as "systemctl restart picos", leaving the AmpCon agent with no way to connect to the remote AmpCon server. Fixed in 3.8.0.6.
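On a release without this fix, the practical question after a restart is whether the tunnel's rules are still loaded and how to put them back without duplicating them. The following is an added example, not PicOS or AmpCon code: it reads an iptables-save dump, reports which of the expected rules are missing and emits idempotent restore commands. The rule set is an assumption for illustration (client to server on UDP 1194, tunnel interface tun0); substitute the rules your deployment actually uses. The two dumps are constructed, not captured from a switch.

```python
"""Check and restore OpenVPN client tunnel rules from an iptables-save dump (added example)."""
import shlex
from typing import List, Tuple

Rule = Tuple[str, str, List[str]]  # (table, chain, rule tokens as iptables-save prints them)

# Assumed rule set: adjust the port, interface and chains to the real deployment.
REQUIRED: List[Rule] = [
    ("filter", "OUTPUT", ["-p", "udp", "--dport", "1194", "-j", "ACCEPT"]),
    ("filter", "INPUT", ["-i", "tun0", "-j", "ACCEPT"]),
    ("filter", "OUTPUT", ["-o", "tun0", "-j", "ACCEPT"]),
]


def parse_iptables_save(dump: str) -> List[Rule]:
    """Collect every '-A <chain> ...' line of an iptables-save dump together with its table."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append((table, tokens[1], tokens[2:]))
    return rules


def _subsequence(needle: List[str], hay: List[str]) -> bool:
    """True if needle's tokens appear in hay in order. iptables-save inserts
    match-module tokens such as '-m udp', so exact equality is too strict."""
    it = iter(hay)
    return all(tok in it for tok in needle)


def missing_rules(dump: str, required: List[Rule] = REQUIRED) -> List[Rule]:
    present = parse_iptables_save(dump)
    return [(t, c, toks) for t, c, toks in required
            if not any(pt == t and pc == c and _subsequence(toks, ptoks) for pt, pc, ptoks in present)]


def restore_commands(missing: List[Rule]) -> List[str]:
    """Idempotent restore: 'iptables -C' exits non-zero when the rule is absent,
    so re-running the output never creates duplicate rules."""
    cmds = []
    for table, chain, toks in missing:
        spec = " ".join(shlex.quote(t) for t in toks)
        cmds.append(f"iptables -t {table} -C {chain} {spec} 2>/dev/null || iptables -t {table} -A {chain} {spec}")
    return cmds


# Constructed dumps: before the restart the tunnel rules are present; afterwards
# only the default chains and policies remain.
BEFORE_RESTART = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
"""
AFTER_RESTART = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    gone = missing_rules(AFTER_RESTART)
    print(f"{len(gone)} tunnel rule(s) missing after restart")
    for cmd in restore_commands(gone):
        print(cmd)
```

Feed it the output of "iptables-save" taken after the restart; the printed commands can be run as-is or wrapped in a unit that starts after the picos service.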

13689 | 3.8.0.6

VXLAN Traffic Loop if the Underlay Routing Keeps Changing

If the underlay routing changes constantly, a traffic loop may appear in the VXLAN overlay: on a specific VTEP, a host's MAC address is learned on both the access port and the network port of a VXLAN instance.

13691 | 3.8.0.6

Access Ports Disappear After Adding/Deleting VXLAN Repeatedly

After repeatedly deleting the VXLAN configuration and rolling it back, access ports of a VXLAN instance may disappear from the output of "run show vxlan vni xxxx".

13850 | 3.8.0.7

RADIUS/TACACS+ Authentication for NETCONF Session

Users authenticated via RADIUS/TACACS+ can access the PicOS switch via NETCONF.

13816 | 3.8.0.7

Public Key Authentication for NETCONF Session

Users authenticated via public key can access the PicOS switch via NETCONF. Note that a user's public keys are expected to be stored in that user's home directory, i.e. ~/.ssh/authorized_keys.
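Since every key in that file now grants NETCONF access, the file is worth auditing. The following is an added example, not PicOS code: it parses the OpenSSH authorized_keys format (including quoted options that may contain commas and spaces), recovers the key type and size from the wire-format blob, and flags entries a reviewer would question. It assumes the NETCONF SSH server honours OpenSSH key options such as from= and restrict, which the page does not state. The key blobs are constructed so the sample is self-contained; they are not real keys.

```python
"""Audit ~/.ssh/authorized_keys entries that grant NETCONF access (added example, not PicOS code)."""
import base64
import re
import struct
from typing import Dict, List, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# A field is a run of non-space characters in which double-quoted strings may contain
# spaces; an option is the same with commas as the separator.
FIELD_RE = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')
OPTION_RE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_bits(ktype: str, b64: str) -> int:
    """Key size from the SSH wire-format public key blob (RFC 4253 section 6.6)."""
    blob = base64.b64decode(b64)
    name, off = _read_string(blob, 0)
    if name.decode() != ktype:
        raise ValueError("blob type does not match the declared key type")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n, _ = _read_string(blob, off)      # modulus
        return int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[-3:])
    return 0  # ssh-dss: flagged by the audit regardless of size


def parse_authorized_keys(text: str) -> List[Dict]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                          # unbalanced quote: malformed line
        first, rest = m.group(0), line[m.end():].lstrip()
        if first in KEY_TYPES:                # no options field on this line
            options, rest = [], line
        else:
            options = OPTION_RE.findall(first)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue
        entries.append({"options": options, "type": parts[0], "bits": key_bits(parts[0], parts[1]),
                        "comment": parts[2] if len(parts) == 3 else ""})
    return entries


def audit(entries: List[Dict], min_rsa_bits: int = 3072) -> List[Tuple[str, str]]:
    """Findings a reviewer would raise for keys that open a NETCONF session."""
    findings = []
    for e in entries:
        names = {o.split("=", 1)[0] for o in e["options"]}
        who = e["comment"] or e["type"]
        if e["type"] == "ssh-dss":
            findings.append((who, "ssh-dss is deprecated"))
        if e["type"] == "ssh-rsa" and e["bits"] < min_rsa_bits:
            findings.append((who, f"RSA modulus is only {e['bits']} bits"))
        if "from" not in names:
            findings.append((who, "no from= restriction: any source host may use this key"))
    return findings


# Constructed key blobs (valid wire format, not real keys) for the sample file.
def _wire(*fields: bytes) -> str:
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()


def _mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b


ED25519 = _wire(b"ssh-ed25519", b"\x42" * 32)
RSA1024 = _wire(b"ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 0x10001))
SAMPLE = (
    "# constructed sample of ~/.ssh/authorized_keys, not real keys\n"
    f'from="10.10.0.0/16",restrict ssh-ed25519 {ED25519} netconf-automation\n'
    f"ssh-rsa {RSA1024} legacy-nms\n"
    f'command="/bin/false, never",no-pty ssh-ed25519 {ED25519} odd-comment\n'
)

if __name__ == "__main__":
    for who, issue in audit(parse_authorized_keys(SAMPLE)):
        print(f"{who}: {issue}")
```

The quoted-option handling matters in practice: a naive split on commas or spaces would mangle the third line and could hide which options actually apply to a key.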

13909 | 3.8.0.8
te-1/1/48 Cannot Link Up on S5248F
Traffic cannot pass over the link from port te-1/1/48 to other ports on S5248F-ON even though te-1/1/48 is up.
11626 | 3.8.0.12

Fix CoPP Statistics Error

The output of "run show copp statistics" may display arbitrary statistics for the CoPP protocol classes. Fixed in 3.8.0.12.

14483 | 3.8.0.12

Memory Leak Caused by NETCONF Process

When a NETCONF client repeatedly accesses the switch via RADIUS authentication, the pica_netconf process may leak memory. Fixed in 3.8.0.12.

14501 | 3.8.0.12

Keep Sending RADIUS Request Messages

If RADIUS authentication is configured and NETCONF is then enabled, the switch keeps sending RADIUS request messages. Fixed in 3.8.0.12.

14507 | 3.8.0.12

Drastic Variation in CPU Utilization

The CPU utilization figure may change drastically and rapidly on AS4610. Fixed in 3.8.0.12.

15537 | 3.8.0.13

[RADIUS] Decryption Failure When Request Packets with Empty Passwords Are Sent

Solution: after receiving an Access-Accept packet from the server, the switch no longer generates redundant Access-Request packets with incorrect passwords. Fixed in 3.8.0.13.
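To see why a redundant request with an empty password is not simply ignored by the server, it helps to look at how a User-Password attribute is built. The following is an added example, not PicOS code or any RADIUS server's code: it implements the RFC 2865 section 5.2 hiding as the NAS (the switch) does, the server-side reversal, and an illustrative server check, then models the pre-fix request sequence. The shared secret, authenticator and passwords are constructed values; the "decryption failure" heuristic (decoded bytes that cannot be a typed password) is a simplification of what real servers do, not a description of a particular product.

```python
"""RFC 2865 User-Password hiding and the redundant empty-password request (added example)."""
import hashlib
import string

PRINTABLE = set(string.printable.encode()) - {0x0b, 0x0c}  # what a typed password can contain


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as the NAS does (RFC 2865 section 5.2).
    The password is NUL-padded to a multiple of 16 octets (an empty password
    still produces one 16-octet block), then each block is XORed with
    MD5(secret || previous ciphertext block), the first block using the
    16-octet Request Authenticator in place of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    nblocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(nblocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding and strip the NUL padding. A wrong
    shared secret does not fail loudly; it simply yields garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def server_check(hidden: bytes, secret: bytes, authenticator: bytes, expected: bytes) -> str:
    """Illustrative server handling, not any particular RADIUS server's code:
    decode, treat output that cannot be a typed password as a decryption
    failure (the usual symptom of a shared-secret mismatch), otherwise compare."""
    try:
        clear = decode_user_password(hidden, secret, authenticator)
    except ValueError:
        return "decryption-failure"
    if any(b not in PRINTABLE for b in clear):
        return "decryption-failure"
    return "accept" if clear == expected else "reject"


# Constructed values; a real NAS draws a fresh random authenticator per request.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
USER_PASSWORD = b"s3cret-pw"


def switch_request_sequence() -> list:
    """Model the pre-3.8.0.13 behaviour described above: a correct Access-Request
    followed by a redundant one carrying an empty password. Returns
    (attribute length, server verdict) per request."""
    results = []
    for pw in (USER_PASSWORD, b""):
        hidden = encode_user_password(pw, SECRET, AUTHENTICATOR)
        results.append((len(hidden), server_check(hidden, SECRET, AUTHENTICATOR, USER_PASSWORD)))
    return results


if __name__ == "__main__":
    for size, verdict in switch_request_sequence():
        print(f"User-Password value of {size} octets -> {verdict}")
    bad = encode_user_password(USER_PASSWORD, b"wrong-secret", AUTHENTICATOR)
    print("shared-secret mismatch ->", server_check(bad, SECRET, AUTHENTICATOR, USER_PASSWORD))
```

The point the model makes is that an empty password is not an empty attribute: it is still a full 16-octet block that the server must decode and evaluate, so every redundant request costs the server work and produces a reject or failure log entry of its own.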

14617 | 3.8.0.13

Usermap File Grows Endlessly When There Are Repeated SSH Attempts to the Switch

The usermap file grows endlessly when there are repeated SSH attempts to the switch. Fixed in 3.8.0.13.

17556 | 3.8.0.13
[atto-research] AS4610 DMA Crash


OVS Features

Bug ID | Release | Description
13150 | 3.8.0

OVS Web Service Is Still Up Even If It Is Disabled in the PicOS Configuration

The lighttpd service is brought up by systemd because of the "WantedBy" setting in lighttpd.service, which bypasses the toggle option (ovs_enable_lighttpd=false) in /etc/picos/picos_start.conf.