These notes summarize the new features, new hardware, known bugs, and bug fixes in PICOS 2.11. Best practices recommend that you read all the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.
New Software Features
Layer 2 and Layer 3
Disable/Enable IP Routing
Limit Maximum Number of VRRP Interfaces
Tagged/Untagged with Voice-VLAN
TACACS+ Failover Enhancement
MSH8920 - BPDU & LACP Tunneling on Static LAG
Enhancement for PVST/MSTP information in tech_support
Refreshing MAC Learning on MLAG Pair Switches
Remove SSH/Telnet Connection Number Limiting
PoE - Power Negotiation
Show Entire Spanning-tree PVST Information
DHCP Snooping over MLAG
Kontron - CDP and LLDP Tunneling
Boeing - Add new OIDs to UCB MIB
OEM - Display timestamp in syslog Message in Millisecond
OEM - Show System Date in Milliseconds
Remark DSCP with ACL Rule
Configure rate-limit on Egress Queues
GE Interfaces on AG5628 and AS7312
Send Traps if CPU Utilization Threshold is Exceeded
Issue an SNMP Trap if L2 Table Threshold is Exceeded
Allow Hyphen "-" in VLAN Name
Add entPhysicalTable per RFC 6933
Support UPoE on N3048EP-ON and AS4610-54P and AS4610-30P.
Configure Rate Limit by Reference of Percentage
Add auto Mode to Voice VLAN
Disable SNMP Traps Related to LLDP
Enhancement on Displaying PoE Information
IGMP Snooping over MLAG
TACACS+ - Add New Command local-auth-fallback
Press "Enter" key to stop the process of upgrade2
The upgrade2 process can be aborted before the switch reboots into the updated version of PicOS, at the prompt message "PRESS ANY KEY TO STOP REBOOT".
Configure the rate-limit of filter rules by reference of kbps
Allow the rate-limit of ACL filter rules to be configured in kbps in addition to pps.
Set Auto Negotiation Speeds
Allow user to configure the speeds which can be advertised to the connected device under auto-negotiation mode.
Performance Refinement - ARP Handling
Reduce the time to handle the packet-in ARPs. Allow a larger number of protocol packets destined to the CPU.
Performance Refinement - Sync up ARP on Active-Active VRRP Devices
The time used to sync up ARP on active-active VRRP devices is reduced drastically.
PicOS supports both VRRPv2 and VRRPv3. The advantage of VRRPv3 is that it supports both IPv4 and IPv6 address families.
MLAG - Sync up MAC Addresses Learned on Orphan Ports to the Peer Switch
MAC addresses which are learned on the single-homed ports of one spine switch of MLAG should be synchronized to the peer-link port of the other spine switch.
Add a Description Field after the Command "run request system reboot"
Add a description field after the command "run request system reboot" and add this text to the log message. This helps Operations track the reason for the reboot through log messages.
MSH8920 - Extend L2-transparency to cover LLDP and CDP
L2-transparency is enabled for LLDP and CDP. Namely, if "set protocols lldp||cdp message-in disable true" is configured, the LLDP and CDP frames will be flooded out of the switch instead of being trapped to the CPU.
802.1X - Support MAB Authentication, Dynamic VLAN and CoA Function
Extend the 802.1X feature to support MAB authentication, dynamic VLAN and CoA function.
Support 1G speed with DELTA 10G RJ45 Module
The parameters of this module are as follows:
Leo Vendor Name : DELTA
Vendor PartNr : LCP-10GRJ3SRT
Serial Number : 183209100001
Cable Length : 300m
Configure Rate-limit and Burst on Port
Add commands to configure rate-limit and burst to the port on ingress side and egress side. Both L2/L3 and OVS support this new feature.
Hashing with Sorted LAG Member
In general, specific traffic is forwarded out of a LAG member port according to the hashing algorithm and the key configuration. With lag_members_sorted enabled, the behavior is deterministic between 2 LAGs with the same number of member ports. Assuming ae1 has 4 member ports (1, 2, 3, 4) and ae2 also has 4 member ports (5, 6, 7, 8), with lag_members_sorted enabled, if traffic is hashed out of port 2 for ae1, the traffic will be hashed out of port 6 for ae2.
Cable Diagnostics using TDR on RJ45 Interface
Support cable diagnostic function using TDR on RJ45 ports.
Add a New Command to Configure NAS-IP
Add a CLI command to let the user configure the NAS-IP address:
OVS and OpenFlow
OVS 2.6 Upgrade
Enable/Disable CoS with VLAN PCP
Add New Match Modes
Configure Polling Interval on Interface/Flow Counter
Set Rate-limit on Port under OVS Mode
Limit the maximum rate on a specific port under OVS mode.
Command "switch-to-ovs-2.6" Fails
PicOS 2.11.x has 2 versions of OVS - 2.3 and 2.6. Command "switch-to-ovs-2.6" is used to switch to OVS 2.6 from OVS 2.3.
Support L2GRE on AS4610
Enable L2GRE under OVS/OpenFlow mode on AS4610.
upgrade2 - New Way of Upgrade
Kontron - Upgrade Linux Kernel to LTS Version
Kontron - Dump Binary Data of FPGA
Add New Option to upgrade2
Display Content of System EEPROM
Enable OverlayFS on N3048EP-ON
OverlayFS is a memory-based file system, which can cache any write operation without writing the data onto the underlying physical storage. OverlayFS is a different way to load PicOS on switches which do not come with USB-based NAND, such as N3048EP-ON.
Update Authentication Behavior of TACACS+/RADIUS
Disable upgrade1 on MSH8920
convert the 184.108.40.206 pica_startup.boot to 2.7.2S1F
Add a tool - convert-conf - which is used to remove the configuration items in 220.127.116.11 pica_startup.boot which are unknown for 2.7.2S1F. Add an option to upgrade2 to allow user to specify the startup configuration file which will be brought back to 2.7.2s1f.
Add PoE checking to system-diag
PoE checking is added to system-diag, which is executed before starting PicOS.
Keep Specified Backup Files when Upgrade to New Version
Add an option to upgrade/upgrade2 to allow the user to specify a list of files which will be kept when upgrading to a new version. After add and delete multicast route
MSH8920 - Upgrade2 is Broken by Watch Dog Resetting
The watchdog is started in uboot on MSH8920. Preparing the backup partition for upgrade2 takes so long that the watchdog resets the CPU and then reboots the system. So a watchdog refreshing daemon is added to send keep-alive messages to the watchdog immediately after the Linux platform boots up.
MSH8920 - Add Wtmp Rotation to Crontab
By default, CRON will check the size of /tmp/log/wtmp every 5 minutes. If its size is larger than 5M, rotation will be executed. User can adjust the interval and the size for /tmp/log/wtmp by modifying /etc/crontab and /etc/logrotate2.conf.
Secure the password by importing tally2 and cracklib into rootfs.
Port to Dell N3048EP-ON
Please refer to the document N3048EP-ON Switch Port Name Description.
Support DELL S4148F-ON
The S4148F-ON supports 48 x 10G SFP+, and 4 x 100G / 6 x 40G QSFP physical layer interfaces with PICOS.
Clean up the Data when Remove an User
MSH8920 - Configure FEC on 10G Fabric
Indicate That the Interface is Down Due to BPDU Guard
Kontron - Present portmap Running Configuration
Kontron - keep executing the rest of the commands in the execution file even if encounter the "same value"
Power Outages Cause Corruption of pica_start.conf
Clean up Associated ACL Rules When Delete MLAG
DHCP Requests are Sent When ZTP is Disabled and IP is Configured Statically
Boot Failure Caused by Configuration File Corrupted
More Than 2 wtmp Files
Do not Remark Voice Traffic DSCP by Default
Management Interface eth0 is Up even if No cable Plugged in
Voice VLAN - Remove Default OUIs
Kernel Log-Level is Decoupled from the XorPlus Log-Level
PoE - threshold-mode Setting Does not Work
Corruption of Startup Configuration File
Remove Date Checking of the License if Downgrade to Previous Version
It does not make sense to check the end-of-support date of the license when downgrading to a previous version.
upgrade2 is Broken if There is a Large File in /home/admin
If there is a large file in /home/admin, upgrade2 might be broken by an out-of-memory error when it tars and compresses the file and copies it to the second partition. To fix this issue, on the one hand, the backup files are copied to the target partition directly instead of tar & gzip & untar; on the other hand, cache memory is cleaned up with /proc/sys/vm/drop_caches.
[N3132] Management Interface is Changed to eth0
The management interface on N3132 is changed to eth0 from eth1. The startup configuration will be lost when upgrading to 2.11.19. To restore the startup configuration, the customer should replace "eth1" with "eth0" in a separate copy of pica_startup.boot and then put it in /pica/config after the upgrade.
AS5600/2.11.16 ONIE Installation Failure
AS5600/2.11.16 PICOS ONIE Installer fails. Fixed in 2.11.19.
Upgrade to 3.1.0+ on EFI Platform
We have one version of S4148 which boots into EFI (Extensible Firmware Interface) mode. Upgrade to 3.1.0 from 2.11.19 will work on EFI platforms or non-EFI platforms.
Disable Weak Ciphers for SSHD
Enterprise customers prefer to have the weak ciphers disabled by default for ssh server. So, disable the following ciphers in PICOS: arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour.
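An added example, not part of the PICOS release notes or Pica8's code: a Python check that resolves the Ciphers directive of an sshd_config and reports which of the ciphers listed above would still be offered. The default cipher set and the sample configurations are constructed; pass in the defaults of the OpenSSH build you are auditing.

```python
import fnmatch
import re

# Ciphers the release note lists as disabled in the PICOS SSH server.
WEAK_CIPHERS = ("arcfour256", "arcfour128", "aes128-cbc", "3des-cbc",
                "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour")

# Constructed default set for the example (assumption: an older OpenSSH
# build whose defaults still include CBC and arcfour ciphers).
SAMPLE_DEFAULTS = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                   "chacha20-poly1305@openssh.com"] + list(WEAK_CIPHERS)


def resolve_ciphers(config_text, defaults):
    """Return the cipher list sshd would offer for this sshd_config text.

    OpenSSH rules: the first Ciphers line wins; '+' appends to the defaults,
    '-' removes matching names (wildcards allowed), '^' moves names to the
    head of the defaults; a plain list replaces the defaults.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2 or parts[0].lower() != "ciphers":
            continue
        spec = parts[1].strip()
        names = [n for n in spec.lstrip("+-^").split(",") if n]
        if spec.startswith("+"):
            return list(defaults) + [n for n in names if n not in defaults]
        if spec.startswith("-"):
            return [d for d in defaults
                    if not any(fnmatch.fnmatchcase(d, p) for p in names)]
        if spec.startswith("^"):
            return names + [d for d in defaults if d not in names]
        return names
    return list(defaults)


def weak_ciphers_offered(config_text, defaults=SAMPLE_DEFAULTS):
    """List the release note's weak ciphers that remain enabled."""
    offered = set(resolve_ciphers(config_text, defaults))
    return [c for c in WEAK_CIPHERS if c in offered]


if __name__ == "__main__":
    hardened = "Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n"  # constructed
    print(weak_ciphers_offered(hardened))
    print(weak_ciphers_offered("Port 22\n"))  # no Ciphers line: defaults apply
```

An empty result means none of the nine ciphers is offered; comparing the result with the "ciphers" line printed by sshd -T on the device confirms the effective setting.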
Layer 2 and Layer 3 Features
MAC Learning Command Does Not Work at Once
MSH8920 - Add option to allow BPDU & LACP to Bypass CPU
PICOS stops host load balance if VRRP is configured
PICOS used to trap all of the VRRP packets to CPU even if they are the host VRRP Keepalive packets for load balance. The fix is to add a source MAC address matching field to the VRRP filter.
IGMP Snooping Does NOT Work
Duplicate SNMP Traps of LLDP Update
Dropping LLDP frames with unknown TLVs
Status of Voice VLAN is Not Correct
Ignore VRRP Authentication Packets
LLDP Frames Dropped by LLDP Module
IGMP Snooping - Source MAC Address of IGMP Leave Message
PIM neighbor can not be Established Between two PIM Routers
Configure IP address to management interface before starting PicOS
If a static IP address is configured on the management interface, the static IP address will be activated on eth0 before starting PicOS. This ensures that the user can access the hardware model even if PicOS fails to boot up.
Migrate UDLD fix of 2.7.2S1G to 18.104.22.168
This version (22.214.171.124) of Verizon-ITNUC release will always send out UDLD PDU with Pica8 OUI (0x486E73). But it needs to use the OUI in the UDLD PDU to figure out if the peer device is PICOS 2.7.2S1F (OUI=0x486E73) or Cisco (OUI=0x00000C), and use the corresponding method to calculate the checksum. Anyway, 126.96.36.199 can talk to both 2.7.2S1F (backward compatible) and the future release (forward compatible) via UDLD.
Enable and disable a port when STP is turned on interrupts the traffic
When a port carrying traffic is disabled, the traffic switches to the other port after ~550-600ms. But when the port is enabled again, the whole traffic is interrupted. The MAC entries are messed up.
Buffer Management - Refine Headroom and Flow Control
The maximum size of headroom is increased. If enable flow control and configure speed of the port, the size of headroom is 0.
MLAG - Traffic is Broken when Bring Up One Down MLAG Link
Initially one link of an MLAG is down. When it is then brought up, the traffic from the upstream device is broken for 5 - 6 seconds.
MLAG - Traffic is Broken when Master Spine Shuts Down
With reload delay configured, the traffic from downstream device is broken for 12 seconds when the master spine shuts down.
If root guard is enabled on a port, the port will be blocked if it receives a BPDU with high bridge priority. That can deny devices behind such ports from participation in STP. The blocking is removed as soon as the device ceases to send superior BPDUs.
VLAN Membership Issue with DHCP Discovery Packets
If DHCP snooping is enabled, DHCP DISCOVERY packets with an unexpected VLAN ID can be received on a port and flooded out of ports configured with different VLAN memberships. For example, a DHCP DISCOVERY packet tagged with VLAN 608 can ingress ge-1/1/2 and then egress on te-1/1/49 even though VLAN 608 is only configured for te-1/1/49. We expected only tagged packets on VLAN 19 and VLAN 20 to be allowed to ingress on ge-1/1/2.
CLI Session Hangs Due to PoE Display
The CLI hangs when executing the command "show poe interface all".
STP Process Crashes on 2.11.5.cloudistics.0/as5812_54x
Cloudistics reports problems related to a crash of the STP process (pica_mstp). The user can restart the STP feature from the CLI, but the CLI shows the protocol as MSTP instead of the configured STP. The user has to delete the current force-version and set it back. Then the show output and the configuration are consistent.
Don't Allow to Configure Different Filters to the Same VLAN Interface
Add configuration checking which does not allow different firewall filters to be configured on the same VLAN interface on the ingress side or the egress side.
"set system hostname" Does not Update /etc/hostname
Boeing reported that the hostname in the /etc/hostname file is not updated by the “set system hostname” command. This causes DHCP requests sent on eth0 to advertise as “xorplus.chs.sc.boeing.com”, since the hostname in /etc/hostname is "xorplus".
RR Scheduler Does not Work
The RR (Round Robin) scheduler configured on the egress queues behaves like the SP (Strict Priority) scheduler.
MSH8920 - Fail to activate LACP and BPDU L2-transparency
If "set protocols lacp||stp message-in disable true", the frames of BPDU and LACP are not flooded out of the switch instead of being trapped to CPU.
If configure static routes, xorp_policy will crash and generate coredump file when it shuts down.
Maximum Power Setting on UPoE Ports
The Maximum power that can be provided by an UPoE power of AS4610-54P is 51 watts instead of 64 watts. So the range of max-power of a specific port is changed to [1..51].
The Default Value of lldp-negotiation is TRUE
To simplify the PoE configuration, the default value of lldp-negotiation for the setting of global/all and local/per-port is changed to true.
Phone classified as CDP If LLDP Enabled Capabilities are not Set Correctly
Verizon has phones which do not set LLDP Enabled Capabilities:Telephone correctly (Not Enabled), but the LLDPDU includes a Network Policy TLV requesting policy for the Voice application. PICOS LLDP/CDP would classify these phones as CDP phones and send untagged voice related traffic to these phones, which is not expected by the phones because of the LLDP-MED negotiation. PICOS should classify the device as an LLDP-MED phone if the switch receives LLDPDUs from the phone with LLDP-MED Network Policy TLVs for Voice, EVEN IF the base LLDP has “Enabled Capabilities::Telephone=NO”. The logic is that if the device is requesting LLDP-MED Network Policy for Voice, then it must be a phone, and this overrides the fact that Enabled-Capability::Telephone=NO.
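The classification rule described above, as an added Python example that is not PICOS code: it parses the TLVs of an LLDPDU and treats a device as an LLDP-MED phone whenever an LLDP-MED Network Policy TLV for Voice is present, whatever the Enabled Capabilities Telephone bit says. The function names and the sample LLDPDU (MAC address, VLAN 100, DSCP 46) are constructed for illustration.

```python
import struct

TIA_OUI = b"\x00\x12\xbb"   # OUI used by LLDP-MED (ANSI/TIA-1057) TLVs
CAP_TELEPHONE = 0x0020      # Telephone bit in the System Capabilities TLV
APP_VOICE = 1               # Network Policy application type "Voice"


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu):
    """Yield (type, value); stop at End Of LLDPDU or at a truncated TLV."""
    off = 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == 0 or off + length > len(lldpdu):
            return
        yield tlv_type, lldpdu[off:off + length]
        off += length


def inspect(lldpdu):
    """Return what the classification rule needs from one LLDPDU."""
    info = {"telephone_enabled": False, "voice_policy": None}
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type == 7 and len(value) >= 4:          # System Capabilities
            enabled = struct.unpack_from("!H", value, 2)[0]
            info["telephone_enabled"] = bool(enabled & CAP_TELEPHONE)
        elif (tlv_type == 127 and len(value) >= 8 and value[:3] == TIA_OUI
              and value[3] == 2 and value[4] == APP_VOICE):
            # LLDP-MED Network Policy: U, T, X flags, VLAN ID, L2 prio, DSCP
            bits = int.from_bytes(value[5:8], "big")
            info["voice_policy"] = {"tagged": bool(bits >> 22 & 1),
                                    "vlan": bits >> 9 & 0xFFF,
                                    "dscp": bits & 0x3F}
    return info


def is_lldp_med_phone(lldpdu):
    """A Voice Network Policy TLV decides, not the Telephone capability bit."""
    return inspect(lldpdu)["voice_policy"] is not None


# Constructed LLDPDU: Telephone is a system capability but NOT enabled,
# and a tagged Voice policy for VLAN 100 / priority 5 / DSCP 46 is requested.
POLICY_BITS = (1 << 22) | (100 << 9) | (5 << 6) | 46
SAMPLE = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),  # Chassis ID (MAC)
    tlv(2, b"\x07" + b"1"),                            # Port ID (local)
    tlv(3, struct.pack("!H", 120)),                    # TTL
    tlv(7, struct.pack("!HH", 0x0024, 0x0004)),        # enabled: Bridge only
    tlv(127, TIA_OUI + bytes([2, APP_VOICE]) + POLICY_BITS.to_bytes(3, "big")),
    tlv(0, b""),                                       # End Of LLDPDU
])

if __name__ == "__main__":
    print(inspect(SAMPLE), is_lldp_med_phone(SAMPLE))
```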
PoE Power Provision Error If the Phone Has Different Chassis IDs with Different IP Addresses
The attached phone sends LLDPDUs with 2 different Chassis IDs which are the values of the IP addresses. Initially, the Chassis ID/IP address is 0.0.0.0 and then becomes such as 104..255.99.11 when the phone gets an actual IP address from the DHCP server. The initial LLDPDU with 0.0.0.0 requests 12.1 watt. And the following LLDPDU with 104..255.99.11 requests 15.1 watt. Unfortunately, the LLDPDU with 104..255.99.11 is ignored. The PicOS switch should continuously check the Power Via MDI TLV and provide the power requested by the TLV from the incoming LLDPDU.
Add ifSpeed and ifHighSpeed for Port with 25G and 100G Speed
ifspeed/ifhighspeed MIB value for port with 25G and 100G is not the value as expected, so we add ifSpeed and ifHighSpeed for port with 25G and 100G speed to make the MIB value correct.
Add VLAN Display in Dot1x MAB Table
Present the dynamic VLAN of the connected device authenticated by MAB.
802.1x Precedes MAB
To follow the behavior of Cisco, 802.1x will precede MAB if both 802.1x and MAB are available.
Add the Service Type Attribute in Access Request Message
Add Service Type attribute in the access request messages sent out to RADIUS to differentiate MAB and 802.1x.
[AS4610-54P]Phone won't power up randomly after disabling & reenabling PoE on UPOE ports.
Cisco 8845 IP Phone was powered up and working properly on a UPoE ports (ports ge-1/1/44, ge-1/1/48). After disabling and reenabling PoE, somehow it's possible the phone will no longer power up.
Don't Allow to Configure 802.1X to LAG Member Port
Add config checking to prevent 802.1X from being enabled on a LAG member port.
ECMP max Path Should not Be Changed When Disable Symmetric Hashing
After commit "delete interface ecmp hash-mapping symmetric" successfully, CLI will prompt message "ECMP max path has been changed, please reboot the system for changes to take effect!". It should not change the ECMP max path if disable symmetric hashing.
Port is not Deleted when Change the User Status
A port is secured by 802.1X and configured with a dynamic VLAN such as VLAN 8. And then the dynamic VLAN is changed to VLAN 9 on the side of RADIUS server such as PacketFence. The re-authentication doesn't change the dynamic VLAN of the port to VLAN 9 on the side of Pica8 switch.
Error BGP Statistics
Open vSwitch and OpenFlow
Statistics Error on Tunnel Packets
Command ovs-pica-save/ovs-pica-load does not Work Occasionally
DHCP Cycle in CrossFlow Mode
Install the Flow Entry to ASIC Even If User Try to Set DSCP to 0
Linux is in Panic
ARP Proxy Does not Work on Tunnel Port
If ARP proxy is enabled on the tunnel's network port, it will send out an ARP reply packet which has a tunnel header.
Support 6k Flow Entries for AS5812 and AS6812
Allow to configure maximum 6k flow entries on AS5812_54T and AS5812_54X and AS6812.
AS5812 OVS Sflow Function Fails to Generate Flow Samples
In OVS 2.6, sflow only generates counter samples (CNTR) but not flow samples (FLOW).
Refine the Performance by Adding Large Amount of Flow Entries
In case of same priority, the time to add 4k flow entries is reduced dramatically on AS5812.
It Takes Too Long to Delete 6k Flows on AS5812 and AS6812
It takes 20 minutes to delete 6k flow entries. It's too long.
Convert OVSDB to Match New Schema in Upgrade2
PicOS OVS uses OVSDB to restore the configurations. It's possible that the schema of the OVSDB would be changed because new configuration commands might be added to the new version of PicOS. To bring the OVSDB into the new version of PicOS by upgrade2, the OVSDB should be converted to adapt to the new schema of the new version of PicOS.
Enable In-band under Match Mode
OpenFlow in-band controller connection is enabled under match mode.
Update Action in the Hardware Flows if Delete/Add Port to the Bridge
When a port is deleted from the bridge, the action of the hardware flows with that port as output should be updated to "drop". If the port is added back to the bridge, the hardware flows should come back to the original ones.
Apply Policer to Aggregate Traffic
Issue SNMP Trap if LAG Member Port Links Up/Down
Protocol Packets are Counted to Discarded
SNMP - Value of ifLastChange is Always 0
SNMP - Value of sysUpTime is not in Timetick
[AG9032] PICOS Can't Boot up
PICOS 2.11.16 cannot boot up on AG9032. Certain Delta switches such as AG9032 request to reset MAC via CPLD from software when rebooting the system by "reboot -f".