Programmable Internetworking & Communication Operating System Docs ... Click Spaces -> Space Directory to see docs for all releases ...
Page tree
Skip to end of metadata
Go to start of metadata

These notes summarizes PICOS 2.11 new features, new hardware, known bugs, and bug fixes. Best practices recommend that you read all the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.

New Software Features

Layer 2 and Layer 3

Bug IDReleaseDescription
Disable/Enable IP Routing
Add a command which can globally enable/disable IP routing.By default, IP routing is disabled.
Limit Maximum Number of VRRP Interfaces
User can configure maximum 128 VRRP interfaces which is also the maximum number of L3 interfaces.
Tagged/Untagged with Voice-VLAN
If configured "tagged" on a specific port for voice-vlan, will include voice-vlan in the Network Policy TLV sent to the connected endpoint device such as IP phone.And only frames tagged with voice-vlan are sent out to the connected IP phone. Otherwise, Network Policy TLV doesn't include the voice-vlan. And untagged frames are sent out to the connected IP phone.
PVST Manual-Forwarding
Allow user to configure manual-forwarding on a port enabled PVST.
TACACS+ Failover Enhancement
Try TACACS+ servers one by one to do authentication if number of TACACS+ servers configured. Local authentication is used only if all TACACS+ servers are not reachable. If the TACACS+ server is not reachable for authorization, will go back to Linux shell. But in the case that PicOS enters CLI directly, will log off.
MSH8920 - BPDU & LACP Tunneling on Static LAG
On MSH8920, allow user to configure BPDU & tunneling on static LAG port.
Enhancement for PVST/MSTP information in tech_support
Include complete PVST/MSTP information on each VLAN and interface in the tech_support log file.
Refreshing MAC Learning on MLAG Pair Switches
To make sure consistence of MAC table between the 2 MLAG switches, MAC addresses on one MLAG switch will be refreshed depending on the MAC addresses on the peering MLAG switch every 30 minutes.
Remove SSH/Telnet Connection Number Limiting
The connection number of SSH/Telnet can be unlimited by setting the rate-limit of SSH/Telnet as 0.
PoE - Power Negotiation
To support power provision via PoE for Cisco 8861 VoIP phone with 8860 key expansion, support power negotiation via LLDP optional 802.3 Power-via-MDI TLV.
Show Entire Spanning-tree PVST Infomation
Add new command - "show spanning-tree pvst interface vlan all" - to display the entire spanning tree PVST information in addition to per-VLAN PVST information.
DHCP Snooping over MLAG
With DHCP snooping enabled on the MLAG pair switches, ensure DHCP DISCOVERY can go up to DHCP server via trust ports and similarly DHCP OFFER can go down to hosts via MLAG ports.
Kontron - CDP and LLDP Tunneling
Add CDP and LLDPDU tunneling in addition to BPDU and LACP tunneling.
Boeing - Add new OIDs to UCB MIB
Add new OIDs to UCB SNMP MIB: - CPU - ssCpuRawSystem, ssCpuRawIdle - Memory - memTotalReal, memAvailReal, memTotalFree
OEM - Display timestamp in syslog Message in Millisecond
Keep local syslog message and remote syslog message with consistent format. Format the timestamp into millisecond for the local and remote syslog message.It's an customization feature for Enterprise customers.
OEM - Show System Date in Milliseconds
Display the date/time in milli-seconds, which is supported in the OEM version for Enterprise customers.
Remark DSCP with ACL Rule
Apply action of DSCP remarking to ACL rule with command alike "set firewall filter xx sequence xx then dscp xx"
Configure rate-limit on Egress Queues
Allow to apply rate-limit on each egress queue of a physical interface. It indicates that the traffic in a specific egress queue that exceeds the configured rate-limit will be dropped.
GE Interfaces on AG5628 and AS7312
Allow to configure the speed of 25G interfaces of hardware models with Tomahawk+ - AS5648 and AS7312 - to 1Gbps.
Send Traps if CPU Utilization Thredhold is Exceeded
For seek of TCA (Threshold Crossing Alarm), switch will send SNMP traps for CPU threshold when - Total CPU utilization rises above high_threshold - Total CPU utilization falls below low_threshold high_threshold and low_threshold can be configured.
Issue a SNMP Trap if L2 Table Threshold is Exceeded
For seek of TCA (Threshold Crossing Alarms), switch will send SNMP traps if threshold of L2 table is exceeded. The threshold is defined as the percentage of maximum capacity of L2 table.User can change the threshold.
Allow Hyphen "-" in VLAN Name
Allow to include hyphen "-" in VLAN name such as following command, admin@Xorplus# set vlans vlan-id 10 vlan-name "office-sales"
Add entPhysicalTable per RFC 6933
Support entPhysicalTable (such as entPhysicalDescr, entPhysicalSoftwareRev, entPhysicalSerialNum, entPhysicalMfgName, entPhysicalModelName) included in SNMP Entity MIB (RFC 6933).


Support UPoE

Support UPoE on N3048EP-ON and AS4610-54P and AS4610-30P.

Configure Rate Limit by Reference of Percentage
Allow user to configure rate limit on a specific port by reference of percentage of the maximum speed which can be supported by the port.
Add auto Mode to Voice VLAN
Add support for voice-vlan "auto" mode in addition to "untagged" and "tagged" modes. By default, auto mode is enabled on a port configured voice VLAN. Under auto mode, for attached endpoint device that are LLDP-MED capable, voice traffic is requested to be tagged with voice VLAN; otherwise, Voice traffic from attached endpoint devices that are not LLDP-MED capable will be untagged.
Disable SNMP Traps Related to LLDP
Add a command to allow user to disable SNMP trap related to LLDP as following: set protocols lldp snmp-trap false
Enhancement on Displaying PoE Information
Add 2 columns, "Reserved" and "PD-Class", to the output of "run show poe interface XXXX".
IGMP Snooping over MLAG
If enable IGMP snooping on both MLAG spine switches, IGMP messages including report and query and leave received from an MLAG port on one spine switch should sync up with the peer spine switch which will updates multicast group information. The sources and clients of one multicast group attached to MLAG spine or leaf switches can communicate with each other.
TACACS+ - Add New Command local-auth-fallback
Configure and enable TACACS+. Login to PicOS On in-band/management interface. If TACACS+ server is not reachable or unavailable, will allow to fallback to local authentication if local-auth-fallback enabled.

Press "Enter" key to stop the process of upgrade2

The process of upgrade2 can be aborted before reboot into the update version of PicOS with the prompt message "PRESS ANY KEY TO STOP REBOOT".


Configure the rate-limit of filter rules by reference of kbps

Allow to configure rate-limit of ACL filter rules by reference of kbps in addition to pps.



Set Auto Negociation Speeds

Allow user to configure the speeds which can be advertised to the connected device under auto-negotiation mode.


Performance Refinement - ARP Handling

Reduce the time to handle the packet-in ARPs. Allow larger number of protocol packets destined to CPU.


Performance Refinement - Sync up ARP on Active-Active VRRP Devices

The time used to syn up ARP on active-active VRRP devices is reduced drastically.


Support VRRPv3

PicOS supports both VRRPv2 and VRRPv3. The advantage of VRRPv3 is that it supports both IPv4 and IPv6 address families.


MLAG - Sync up MAC Addresses Learned on Orphan Ports the Peer Switch

MAC addresses which are learned on the single-homed ports of one spine switch of MLAG should be synchronized to the peer-link port of the other spine switch. 


Add a Description Field after the Command "run request system reboot" 

Add a description field after the command "run request system reboot" and add this text to the log message. This help Operations track the reason for the reboot through log messages.


MSH8920 - Extend L2-transparency to cover LLDP and CDP

L2-transparency is enabled for LLDP and CDP. Namely, If "set protocols lldp||cdp message-in disable true", the frames of LLDP and CDP will be flooded out of the switch instead of being trapped to CPU.


MSH8920 - xe-1/1/2.1 does not work after installing PICOS at its very first time; it needs an extra reboot to starts it

This problem has been fixed in


MSH8920 - upgrade2 creates ext3 filesystem for new partition 
This problem has been fixed in

802.1X - Support MAB Authentication, Dynamic VLAN and CoA Function

Extend the 802.1X feature to support MAB authentication, dynamic VLAN and CoA function.


Support 1G speed with DELTA 10G RJ45 Module

Parameters of this module is as following:

Leo Vendor Name : DELTA 

Vendor PartNr : LCP-10GRJ3SRT

Serial Number : 183209100001

Cable Length : 300m


Configure Rate-limit and Burst on Port

Add commands to configure rate-limit and burst to the port on ingress side and egress side. Both L2/L3 and OVS support this new feature.


Hashing with Sorted LAG Member

 In generic, specific traffic will be forwarded out of a LAG member port depending on hashing algorithm with the key configuration. Certain behavior is defined between 2 LAGs with same number of member ports. Assuming ae1 has 4 member ports (1, 2, 3, 4) and ae2 also has 4 member ports (5, 6, 7, 8), with lag_members_sorted enabled, if a traffic is hashed out of port 2 for ae1, the traffic will be hashed out of port 6 for ae2. 


Cable Diagnostics using TDR on RJ45 Interface

Support cable diagnostic function using TDR on RJ45 ports. 


Add a New Command to Configure NAS-IP 

Add a CLI command to let the user configure the NAS-IP address: 
"set protocols dot1x aaa radius nas-ip x.x.x.x" 
This command is to set the nas-ip field in RADIUS access-request message.


Update "run show bgp routes"

Keep the existing “peer” column, but change the heading to “Router ID”. Add a column before the “Router ID” column above, with the heading “Peer”, listing the configured peer IP address of the received routes.

105492.11.21Display all settings in the result of "show all" and "show all|display set" 
Display all settings including default settings in the result config tree of "show all" or result set commands of "show all|display set" respectively. 

New Additions to NAC

NAC can operates under multi-domain mode or single-host mode with new features including dynamic/downloadable filter and central web authentication. 

113222.11.23[NAC] Server Fail VLAN and 802.1x fallback
If RADIUS server is not reachable, the client will fall back to the server fail VLAN. If reject by 802.1x authentication, the client will try web authentication.
111462.11.24Source Interface to TACACS+/RADIUS Server
Allow user to configure an interface with IP address which is used to talk with TACACS+/RADIUS server.
113952.11.24 Present the Reason if Port Get Down by CoA
Present the reason (CoA-Disable-Port) if a Port is Down caused by CoA when execute "run show interface gigabit-ethernet xxxx".
113942.11.25 Secure Keys in Configuration
Present encripted code of share-key of RADIUS/TACAS+ and authentication-key and privacy-key of SNMP. 
111442.11.24VRRPv2 Authentication
Secure VRRP session with MD5 authentication. That is only enabled for VRRPv2.

Add New Columns to "run show lldp neighbor"
Add to columns - "Platform" and "Capability" - to the output of "run show lldp neighbor"


NAC - Invalid Downloadable ACL
If an invalid downloadable ACL is included in the returned access-accept RADIUS message, the suplicant client will be denied from the network access. And the invalid downloadable ACL will be marked when run "run show dot1x interface gigabit-ethernet XXX".


Show "service-tag"
Add new Cli command - "run show system hwinfo service-tag" - to show service-tag. 


Restore License and User Password Automatically
On OverlayFS platforms such as N3048 and N3132, license key and the updated user password for first login will not be lost if reboot system even though "save_config" is not executed.

117982.11.25.2Dynamical VLAN Overrides Voice VLAN
If the returned RADIUS access accept message includes an extra Pica8 vendor-specific-attribute (VSA)“pica8-traffic-class=voice”, the dynamic VLAN will take precedence over the locally configured voice VLAN.
104372.11.25.3RADIUS Accounting for 802.1x and MAB
PICOS switch sends start/stop accounting message to RADIUS server for supplicant's 802.1x/MAB authenticaiton session.
121322.11.25.3Response to session-timeout Attribute
If the returned access-accept RADIUS message has attribute session-timeout after MAB/802.1x authentication, the authenticated session will be expired after a period of session-timeout and start a new authentication process.
119762.11.25.3Show DACL Counters
Allow user to show the counter of downloadable/dynamic NAC ACLs.

OVS and OpenFlow

Bug IDReleaseDescription
OVS 2.6 Upgrade
The base code of OVS is upgraded to open source OVS 2.6. There are some feature differences with open source OVS 2.3. We add command which used to switch to the base code of open source OVS 2.6. Have the details at,
Enable/Disable CoS with VLAN PCP
Under OVS mode, frames can go to different egress queues depending on CoS mapping with VLAN PCP (Priority Code Point). For example, if PCP value 5 is mapped to queue 6, the frame with PCP value 5 will enter egress queue 6. By default, the CoS mapping with VLAN PCP is disabled. All frames of which the PCP values are changed to 0 are put in queue 0.
Add New Match Modes
Add new match modes for LuxarTech NPB application such as mac_x, ip_x and l2l4. Have details at,
VNTAG Support
User can match VNTAG fields in a flow entry. Additionally, ECMP and LAG hashing can be calculated based on VNTAG fields.
Configure Polling Interval on Interface/Flow Counter
Allow user to set the update interval of counters of interface or flow.

Set Rate-limit on Port under OVS Mode 

Limit maxmum rate on specific port under OVS mode.


Command "switch-to-ovs-2.6" Fails 

PicOS 2.11.x has 2 versions of OVS - 2.3 and 2.6. Command "switch-to-ovs-2.6" is used to switch to OVS 2.6 from OVS 2.3. 


Support L2GRE on AS4610

Enable L2GRE under OVS/OpenFLow mode on AS4610.

112652.11.23Optimize Bootup Process of OVS
By changing the way of initialization of ports added to the bridge, it only takes half long to boot up OVS.
114382.11.24Maximum Number of Groups
Allow to configure maximum 2k groups under OVS mode.

Linux Platform

Bug IDReleaseDescription
upgrade2 - New Way of Upgrade
Add an extra upgrade tool - upgrade2. If upgrade goes wrong with upgrade2 because of unexpected reason, will return to the current version of PicOS.
Kontron - Upgrade Linux Kernel to LTS Version
Upgrade the Linux Kernel to a long-term support version - 4.14.3.
Kontron - Dump Binary Data of FPGA
Provide access to the whole register for FPGA in sysfs, admin@Xorplus$hexdump -C -s 0x31 -n 1 /sys/class/fpga/fpga0/raw
Add New Option to upgrade2
Upgrade2 takes the current configurations and moves to upgrade version. It's possible that there are deprecated or unsupported configurations from a version change such as from 2.12 to 2.11. Provide new option and allow upgrade version to ignore the deprecated or unsupported configurations. Additionally, allow picos-rollback to take the current configuration to previous version. And the previous version can also ignore the deprecated or unsupported configurations.
Display Content of System EEPROM
Add a new sysfs file - /sys/class/hwinfo/onie-syseeprom - to display the content of system EEPROM.

Enable OverlayFS on N3048EP-ON

OverlayFS is a memory based file system, which can cache any write operation without write the data onto the underlying physical storage. OverlayFS is a different way to load PicOS on the switches which do not come with USB based NAND such as N3048EP-ON.

Update Authentication Behavior of TACACS+/RADIUS
Authentication behavior of TACACS+/RADIUS is updated as following: On console port, if TACACS+/RADIUS service is reachable, user can only be authenticated against TACACS+/RADIUS server. Otherwise if TACACS+/RADIUS service is unreachable, issue a log message and fallback to local authentication. On management interface, whether in-band or out-of-band, if TACACS+/RADIUS service is reachable, user can only be authenticated against TACACS+/RADIUS server. Otherwise if TACACS+/RADIUS service is unreachable, issue a log message and do nothing else.
Disable upgrade1 on MSH8920
On MSH8920, upgrade1 is disabled. Only upgrade2 is available. Additionally, the step in upgrade2 to prepare backup partition is removed because that might take much longer to trigger watchdog to reboot. And the backup partition is only needed for upgrade1.

convert the pica_startup.boot to 2.7.2S1F

Add a tool - convert-conf - which is used to remove the configuration items in pica_startup.boot which are unknown for 2.7.2S1F.  Add an option to upgrade2 to allow user to specify the startup configuration file which will be brought back to 2.7.2s1f.


Add PoE checking to system-diag

PoE checking is added system-diag which is executed before starting PicOS. 


Keep Specified Backup Files when Upgrade to New Version

Add an option to upgrade/upgrade2 to allow user to specify a file list which will be kept when upgrade to new version.After add and delete multicast route


MSH8920 - Upgrade2 is Broken by Watch Dog Resetting

The watch dog is started in uboot on MSH8920. It takes so long to prepare the backup partition due to upgrade2 that watch dog resets the CPU and then reboots the system. So a watch dog refreshing demon is added to send keeping alive messages to the watch dog immediately after Linux platform boots up.


MSH8920 - Add Wtmp Rotation to Crontab

By default, CRON will check the size of /tmp/log/wtmp every 5 minutes. If its size is larger than 5M, rotation will be executed. User can adjust the interval and the size for /tmp/log/wtmp by modifying  /etc/crontab and /etc/logrotate2.conf. 


Secure Password

Secure the password by importing tally2 and cracklib into rootfs.

121292.11.25.3Use Space Key to Terminate Countdown
Due to upgrade2 process, will enter 10 seconds countdown before rebooting the system. User can only press space key instead of any key to end the countdown and abort the upgrade process.


Bug IDReleaseDescription

Port to Dell N3048EP-ON

Please refer to the document N3048EP-ON Switch Port Name Description.

Support DELL S4148F-ON

The S4148F-ON supports 48 x 10G SFP+, and 4 x 100G / 6 x 40G QSFP physical layer interfaces with PICOS.


Port PICOS to N3048ET-ON

N3048ET-ON is one model of LEEDS N30xx platforms of Dell. It has 48 1Gbps ports for copper with 2 comb Cu ports, one 20Gbps expansion slots for SFP+, 2 10G Base-T modules, and 2 mini-SAS type stacking ports.
109052.11.21Support N3024ET-ON 
Powered by BCM56342, N3024ET-ON can have 24x1G Cu ports and and 4x10G ports. 

Fixed Issues

Linux Platform

Bug ID



Licensing Policy is Updated
In addition to the 4 first ports, extra 2 high speed uplink ports are allowed to be enabled bypassing license checking.

Reboot Fails to Bring up PICOS L2/L3 Processes

It only happens on S4048-ON and S4148F-ON. After reboot, the console keeps displaying the following messages: 
Mar 29 2019 19:20:27 dev2-si kern.err :ismt_smbus 0000:00:13.0: completion wait timed out 
Mar 29 2019 19:20:28 dev2-si kern.err :ismt_smbus 0000:00:13.0: completion wait timed out 
It is caused by hardware limitation of S4048-ON and S4148F-ON. Namely if turn on/off i2c too fast, it may flap. the solution is to tune delay time (i2c_ismt.delay) to 8k ns.


User operator is not Allowed to Login by Default 

User operator is not allowed to login with default password "pica8". That would be a security concern. User operator can be given a password explicitly by admin. 


Disable TCP SACK

Several TCP networking vulnerabilities associated with TCP SACK are identified ( As a work around, TCP SACK is disabled in rootfs of PICOS. 


Raise kernel:__div64_32 Exception Under OVS Mode on PPC Platforms

This issue is raised by overflow of tick based cputime. As a work around, it can be mitigated if enable kernal CONFIG_HZ_250 and set CONFIG_HZ to 250 instead to 1000. With this fix, in theory, the issue will not happen within 6 years.


Host Name is Truncated in rsyslog Messages 

Full host name is not included in the rsyslog messages. 

114262.11.24Fan Speed Changes too Fastly on Certain Unit of N3132
It's possible that the fan speed changes too fastly on some units of N3132. From our test, it doesn't heppen on all units of N3132.

System Management

Bug IDReleaseDescription
Support AG7648
The AG7648 is top of rack (ToR) switch designed for data centers.It has 48 10GbE SFP+ ports and six 40GbE QSFP ports.The AG7648 provides comprehensive hardware capability on supporting layer 2 and layer 3 features.
Clean up the Data when Remove an User
Clean up the corresponding data at /pica/config if an user is removed.
MSH8920 - Configure FEC on 10G Febric
Enable/Unable FEC on 10G fabric ports, which is only available on MSH8920.
Indicate That the Interface is Down Due to BPDU Guard
If an interface is brought down by BPDU guard, include the information in the output of "show interface ......".
Kontron - Present portmap Running Configuration
Present portmap setting even if default value - 9x40G_FABRIC - configured with "show | display all".
Kontron - keep executing the rest of the commands in the execution file even if encounter the "same value"
The execute CLI command stops when there exist "WARNING: The same value ..." message. Kontron asks to continue executing the rest in the file.
Power Outages Cause Corruption of pica_start.conf 
The file pica_start.conf is damaged because it is updated by but not flushed to the flash when outage happens.Boot process hangs with the damaged pica_start.conf.
Clean up Associated ACL Rules When Delete MLAG
When delete a MLAG, the associated ACL rules should be removed. Otherwiese, specific traffic from the peer link will be dropped.
 DHCP Request are Send When ZTP is Disabled and IP is Configured Statically
DHCP DISCOVERY should not be sent out if ZTP is disabled and static IP address is configured to management interface.
Boot Failure Caused by Configuration File Corrupted
It is possible that PicOS hangs up if power outage happens during boot process, which might damage the config files which is being written.
More Than 2 wtmp Files
It's possible to have more than 2 wtmp files in /tmp/log/wtmp. That does not work as designed.
 Do not Remark Voice Traffic DSCP by Default
It will not update the DSCP of voice packet to 46 by default. User can remark the DSCP of voice traffic with command, # set vlans voice-vlan dscp [0..63]
Management Interface eth0 is Up even if No cable Plugged in
There is no cable plugged into switch's management interface eth0. But the management interface is up when use Linux tool such as "ifconfig" to display the status of eth0.
Voice VLAN - Remove Default OUIs
OUI is used to identify the attached voice devices such as IP phone. By removing the default OUIs, allow user to configure up to 10 different OUIs.
Kernel Log-Level is Decoupled from the XorPlus Log-Leve
PicOS keeps sending the "kern.debug" messages to syslog server even though the log-level is Info set in XorPlus CLI. The root cause of the problem is because the log-level in XorPlus does not apply to Kernel.
PoE - threshold-mode Setting Does not Work
It does not work to set threshold-mode to 1 on all PoE ports with command "set poe interface all threshold-mode 1".
Corruption of Startup Configuration File
It's possible that startup configuration file pica_startup.boot could be corrupted if power cycle or power outage happens during PicOS boot process. To fix this issue, firstly, will not write back to pica_startup.boot when PicOS boots up. Secondly, will load backup configuration if pica_startup.boot is corrupted.

Remove Date Checking of the License if Downgrade to Previous Version

It does not make sense to check the date of end support of license when downgrade to previous version.


upgrade2 is Broken if There is a Large File in /home/admin

If there is a large file in /home/admin, upgrade2 might be broken by an error of out of memory when tar and compress the file and copy to the second partition. To fix this issue, on the one hand, copy the backup files to the target partition directly instead of tar & gzip & untar; on the other hand, clean up cache memory with /proc/sys/vm/drop_caches.


[N3132] Management Interface is Changed to eth0

The management interface on N3132 is changed to eth0 from eth1. The startup configuration will be lost if upgrade to 2.11.19. To restore the startup configuration, customer should replace "eth1" with "eth0" in a seperate copy of pica_startup.boot and then put it to /pica/config after upgrade. 


AS5600/2.11.16 ONIE Installation Failure 

AS5600/2.11.16 PICOS ONIE Installer fails. Fixed in 2.11.19.


Upgrade to 3.1.0+ on EFI Platform 

We have one version of S4148 which boots into EFI (Extensible Firmware Interface) mode. Upgrade to 3.1.0 from 2.11.19 will work on EFI platforms or non-EFI platforms.


Disable Weak Ciphers for SSHD 

Enterprise customers prefer to have the weak ciphers disabled by default for ssh server. So, disable the following ciphers in PICOS: arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, aes256-cbc,arcfour. 


CPU Utilization is Reported to Reach 100%

It indicates that CPU utilization reaches 100% by checking "/tmp/system/cpuusage". In fact, it's a false alarm from pica_monitor.

Layer 2 and Layer 3 Features

Bug IDReleaseDescription
Mac Leaning Command Does Not Work at Once
When disable MAC learning on a specific port such as, admin@XorPlus# set interface gigabit-ethernet xe-1/1/2.1 mac-learning false MAC entries do not disappear from the mac table immediately.
MSH8920 - Add option to allow BPDU & LACP to Bypass CPU
On MSH8920, BPDU & LACPDU can be flooded out of switch instead of being trapped to CPU.
PICOS stops host load balance if VRRP is configured

PICOS used to trap all of the VRRP packets to CPU even if they are the host VRRP Keepalive packets for load balance. The fix is to add source MAC address matching field to the VRRP filter.
IGMP Snooping Does NOT Work
After enabling IGMP Snoop, the client is unable to join the group any more.
Duplicate SNMP Traps of LLDP Update
In case of neighbor device with multiple sub-interfaces,the switch will send out an SNMP traps if receive a LLDP PDU including a different port ID with previous one. Eventually,ton of SNMP traps are issued.
Dropping LLDP frames with unknown TLVs
If receive a LLDP PDU with an unknown TLV, the unknown TLV should be skipped instead of dropping the total LLDP frame.
Status of Voice VLAN is Not Correct
If the voice VLAN ID is changed on a specific port, in certain circumstance, the status of voice VLAN is always "working" even the LLDP neighbor is disappeared.
Ignore VRRP Authentication Packets
PicOS does not support VRRP authentication. Issue explicit syslog message if receive VRRP Authentication Packets.
LLDP Frames Dropped by LLDP Module
LLDP module can only process one packet per 1 second in state machine,so there will be packets dropped when more than 1 packet per 1 second per interface. In case of peer device with sub-interfaces configured, the switch sometimes ages out and then re-adds LLDP neighbors even though it is receiving regular LLDP updates for each neighbor every 30 seconds.
IGMP Snooping - Source MAC Address of IGMP Leave Message
If enable IGMP snooping on a switch, because the IGMP leave message sent out of mrouter interface(s) is generated by IGMP snooping, the source MAC address of the IGMP leave message should be the MAC address of the switch instead of the multicast client host.
PIM neighbor can not be Established Between two PIM Router
With IGMP snooping enabled, PIM protocol packets are trapped to CPU. IGMP snooping uses PIM hello message to learn mrouter interfaces automatically. And then, PIM protocol packets are dropped. To fix this issue, PIM protocol packets are flooded out of the switch meanwhile duplicate copies are destined to CPU.

Configure IP address to management interface before starting PicOS

If the static IP address is confiured to management interface, the static IP address will be activated on eth0 before starting PicOS. Ensure that user can access the hardware model even if PicOS is failed to boot up. 


Migrate UDLD fix of 2.7.2S1G to

This version ( of PICOS release will always send out UDLD PDU with Pica8 OUI (0x486E73). But it needs to use the OUI in the UDLD PDU to figure out if the peer device is PICOS 2.7.2S1F (OUI=0x486E73) or Cisco (OUI=0x00000C), and use the corresponding method to calculate the checksum. Anyway, can talk to both 2.7.2S1F (backward compatible) and the future release (forward compatible) via UDLD.


Enable and disable a port when STP is turned on interrupts the traffic

When disable the port with traffic, it switches to the other port after ~550-600ms. But when enable it again, it interrupts the whole traffic.The mac entries are messed up. 


Buffer Management - Refine Headroom and Flow Control

The maximum size of headroom is increased.  If enable flow control and configure speed of the port, the size of headroom is 0.


MLAG - Traffic is Broken when Bring Up One Down MLAG Link

Initially one link of a MLAG is down. And then bring it up, the traffic from upstream device is broken for 5 - 6 seconds.


MLAG - Traffic is Broken when Master Spine Shuts Down

With reload delay configured, the traffic from downstream device is broken for 12 seconds when the master spine shuts down.


Root Guard

If enble root guard on a port, the port will be blocked if received a BPDU with high bridge priority. That can deny devices behind such ports from participation in STP. The blocking is removed as soon as the device ceases to send superior BPDUs. 


VLAN Membership Issue with DHCP Discovery Packets

If enable DHCP snooping, DHCP DISCOVERY packets with unexpected VLAN ID can be received on a port and flooded out of the ports configured with different VLAN memberships. For example, an DHCP DISCOVERY packet tagged with VLAN 608 can ingress ge-1/1/2 and then egress on te-1/1/49 even thought the VLAN608 is only configured for te-1/1/49. e expected only tagged packets on VLAN 19 and VLAN 20 to be allowed to ingress on ge-1/1/2.


CLI Session Hangs Due to PoE Display

CLI hangs when execute command "show poe interface all".


STP Process Crashes on 2.11.5.cloudistics.0/as5812_54x

Cloudistics reports problems related to STP process (pica_mstp) crash. User can restart STP feature from CLI, but the CLI show the protocol is MSTP instead of the configured STP. User has to delete the current force-version and set it back. Then, the show and configuration are consistent.


Don't Allow to Configure Different Filters to the Same VLAN Interface

Add the configuraiton checking which does not allow to configure different firewall filters to the same VLAN interface on ingress side or egress side.


"set system hostname" Does not Update /etc/hostname

Boeing reported that the hostname in /etc/hostname file is not updated with “set system hostname” command,  this causes DHCP requests sent on eth0 to advertise as “” since the hostname in /etc/hostname is "xorplus"


RR Scheduler Does not Work

The RR (Round Robin) scheduler configured to the egress queues behaviors as the mode of SP (Strict Priority) scheduler.


MSH8920 - Fail to activate LACP and BPDU L2-transparency

If "set protocols lacp||stp message-in disable true", the frames of BPDU and LACP are not flooded out of the switch instead of being trapped to CPU.


Xorp_policy Crash

If configure static routes, xorp_policy will crash and generate coredump file when it shuts down.


Maximum Power Setting on UPoE Ports

The Maximum power that can be provided by an UPoE power of AS4610-54P is 51 watts instead of  64 watts. So the range of max-power of a specific port is changed to [1..51].


The Default Value of lldp-negotiation is TRUE

To symplify the PoE configurtion, the default value of lldp-negotiation for the setting of global/all and local/per-port is changed to true.  


Phone classified as CDP If LLDP Enabled Capabilities are not Set Correctly

Customer has phones which do not set LLDP Enabled Capabilities:Telephone correctly (Not Enabled), but the LLDPDU includes Network Policy TLV requesting policy for Voice application. PICOS LLDP/CDP would classify these phones as CDP phones and send untagged voice related traffic to these phones, which is not expected by the phones because of the LLDP-MED negotiation. PICOS should classify the device as a LLDP-MED phone, if the switch receives LLDPDUs from the phone with LLDP-MED Network Policy TLVs for Voice, EVEN IF the base LLDP has “Enabled Capabilities::Telephone=NO”. The logic is that if the device is requesting LLDP-MED Network Policy for Voice, then it must be a phone, and this overrides the fact that Enabled-Capability::Telephone=NO.

PoE Power Provision Error If the Phone Has Different Chassis IDs with Different IP Addresses

The attached phone sends LLDPDUs with 2 different Chassis IDs which are the values of the IP addresses. Initially, the Chassis ID/IP address is and then becomes such as 104..255.99.11 when the phone gets an actual IP address from the DHCP sever. The initial LLDPDU with requests 12.1 watt. And the following LLDPDU with 104..255.99.11 requests 15.1 watt. Unfortunately, the LLDPDU with 104..255.99.11 is ignored. PicOS switch should continuously check the the TLV of Power Via MDI and provide the power requested by the TLV from the incoming LLDPDU.

Add ifSpeed and ifHighSpeed for Port with 25G and 100G Speed

ifspeed/ifhighspeed MIB value for port with 25G and 100G is not the value as expected, so we add ifSpeed and ifHighSpeed for port with 25G and 100G speed to make the MIB value correct.


Add VLAN Display in Dot1x MAB Table

Present dynamic VLAN of the connected deviced authenticated by MAB. 
admin@Xorplus# run show dot1x mab interface 
Interface Mac Authenticated Dynamic-Vlan 
-------------- ----------------- ------------- ------------ 
ge-1/1/33 00:00:06:00:00:07 true 20 


802.1x Precedes MAB 

To follow the behavior of Cisco, 802.1x will precede MAB if both 802.1x and MAB are available. 


Add the Service Type Attribute in Access Request Message 

Add Service Type attribute in the access request messages sent out to RADIUS to differentiate MAB and 802.1x.


[AS4610-54P]Phone won't power up randomly after disabling & reenabling PoE on UPOE ports. 

Cisco 8845 IP Phone was powered up and working properly on a UPoE ports (ports ge-1/1/44, ge-1/1/48). After disabling and reenabling PoE, somehow it's possible the phone will no longer power up. 


 Don't Allow to Configure 802.1X to LAG Member Port 

Add config checking to prevent LAG member port from being enabled 802.1X.


ECMP max Path Should not Be Changed When Disable Symmetric Hashing

After commit "delete interface ecmp hash-mapping symmetric" successfully, CLI will prompt message "ECMP max path has been changed, please reboot the system for changes to take effect!". It should not change the ECMP max path if disable symmetric hashing. 


Port is not Deleted when Change the User Status

A port is secured by 802.1X and configured with a dynamic VLAN such as VLAN 8. And then the dynamic VLAN is changed to VLAN 9 on the side of RADIUS server such as PacketFence. The re-authentication doesn't change the dynamic VLAN of the port to VLAN 9 on the side of Pica8 switch.


L2/L3 Protocol Packets cannot Be Trapped to CPU on Delta Models

L2 BPDU and L3 protocol packets cannot be trapped to CPU occasionally on Delta models including AG9032 and AG548.


SNMP Trap is not Send out if RPSU Powered On/Off 

SNMP trap - rpsuStatusChangePowerOff or rpsuStatusChangePowerOn - is not sent out if RPSU powed on or off. 


Traffic Failed to Be Mapped to Correct Queue

For TD+ models, if set a forwarding-class with local-priority such as 2 and associate the specific traffic with this forwarding-class, by counter of BCM shell, the traffic goes to egress queue 0 instead 2.


[PVST]Wrong Port Role

In a network topology, Pica8 switch is connected to a Cisco switch. PVST is enabled on the both switch. When get a port on the Pica8 switch down and then up, somehow the role of another port of the Pica8 switch is not correct.


Fail to Query ipNetToMediaPhysAddress and atPhysAddress on AG5648

Fail to query out SNMP OID - RFC1213-MIB::atPhysAddress and IP-MIB::ipNetToMediaPhysAddress.

112812.11.23[Lenovo PVST compatibility] “Organization Code” field in 802.2 LLC packet
PICOS sets “Organization Code” field in 802.2 LLC packet to 00:00:00. Lenovo only recognize PVST+ packets if the “Organization Code” is 00:00:0C (Cisco systems, inc.).
112922.11.23The Length of the Dynamic VLAN Name
The maximum length of the dynamic VLAN name should be 32 as the same maximum length of local VLAN name.
113492.11.23 DHCP Vendor-Class Option on N3132
DHCP Vendor-Class option is corrected as "PICOS n3132".
114072.11.24NAC Enhancement
CoA for a specific client will not affect other clients connected to the same port of the switch. If returned CoA has re-authentication action, the switch will start new authentication immediately.
114272.11.24Print Too Much VRRP Log Messages
It's not necessary to issue a warning log message if receive an invalid VRRP packet.

Include "#" in Shared Key of TACACS+ Session
Allow character "#" to be included in shared key of TACACS+ session.

117182.11.25.1 Crash Caused by DHCP/ICMP
Enable DHCP snooping/relay. If received an DHCP OFFER and then immediately an ICMP, it is possible the process pica_sif would crash.
117382.11.25.2 Port Hangs after dot1x CoA-terminate and CoA bounce-port for MAB Authenticated Phone
If the configured voice VLAN is equal to the dynamic VLAN for a specific port and connected client device, the port is somehow stuck when receive a CoA terminate message. 
120152.11.25.3DHCP Discovery Packets are Discarded When it Fails to Reach NAC Server
The client will fall back to server-fail-vlan when the NAC server is not reachable. In this case, it should allow the client to reach the DHCP server even if DHCP snooping is enabled.

Routing Protocols

Bug IDReleaseDescription
Error BGP Statistics
When create both IPv4 and IPv6 sessions between 2 BGP peering switches, the number of BGP routes including received prefixes and accepted prefixes and active prefixes is incorrect.

Open vSwitch and OpenFlow

Bug IDReleaseDescription
Statistics Error on Tunnel Packets
Drop counter on ingress side still goes up even if the tunnel packets are forwarded out of switch correctly.
Command ovs-pica-save/ovs-pica-load does not Work Occasionally
Command ovs-pica-save/ovs-pica-load is not so reliable. It is possible that ovs-pica-save/ovs-pica-load fails even though it shows successfully.
DHCP Cycle in CrossFlow Mode
Under CrossFlow mode, with DHCP snooping enabled, DHCP control packets might cycle on a self-loop connection.
Install the Flow Entry to ASIC Even If User Try to Set DSCP to 0
PICOS/OVS is not allowed to install the flow entry to ASIC with "set_field:0-\>ip_dscp" as following: $ ovs-ofctl add-flow br0 in_port=2049,ip,actions=set_field:0-\>ip_dscp,normal Additionally, PICOS/OVS is not allowed to configure a flow entry to ASIC with action such as "set_field:24-\>ip_dscp" which has the same value of in match criteria "ip_dscp=24" as following: ovs-ofctl add-flow br0 in_port=2049,vlan_tci=0x1000/0x1000,ip, ip_dscp=24,actions=set_field:24-\>ip_dscp,normal
Linux is in Panic
It's possible that Linux runs into panic due to a null pointer referenced in Fan driver code under the circumstance of race condition of different threads.

ARP Proxy Does not Work on Tunnel Port

If enable ARP proxy enable on tunnel's network port, it will send out arp reply packet which has a tunnel header.

Support 6k Flow Entries for AS5812 and AS6812

Allow to configure maximum 6k flow entries on AS5812_54T and AS5812_54X and AS6812.

AS5812 OVS Sflow Function Fails to Generate Flow Samples

In OVS 2.6, sflow only generates counter samples (CNTR) but not flow samples (FLOW).  

Refine the Performance by Adding Large Amount of Flow Entries

In case of same priority, the time to add 4k flow entries is reduced dramatically on AS5812.

It Takes Too Long to Deletes 6k Flows on AS5812 and AS6812

It takes 20 minutes to delete 6k flow entries. It's too long.

Convert OVSDB to Match New Schema in Upgrade2

PicOS OVS uses OVSDB to restore the configurations. It's possible that the schema of the OVSDB would be changed because new cofinguation commands might be added to the new version of PicOS. To bring the OVSDB into the new version of PicOS by upgrade2, the OVSDB should be converted to adapt the the new schema of the new version of PicOS. 

Enable In-band under Match Mode 

OpenFlow in-band controller connection is enabled under match mode. 


Update Action in the Hardware Flows if Delete/Add Port to the Bridge

Delete a port from the bridge, the action of the hardware flows with the specific port as output should be updated as "drop". If the port is added back to the bridge, the hardware flows should come back to the original ones. 


Delete L2GRE Ports

If add and then delete a L2GRE port, the configuration associated with this L2GRE port in MPLS_ENTRY is not be removed.

107012.11.21OVS Web automatically logout after specific time with no activity 
After login the OVS Web UI, if don't access to it, the WebUI should be disconnected automatically after specified timeout (60 seconds). 
112312.11.23 Issue Error Log messages If Insert Too Many 1000BASE-T SFP Modules to AS7312-54X
If inserted too many (>25) 1000BASE-T SFP modules to AS7312-54X, somehow the OVS threads could be blocked and some actions such as flow modification will take much longer.
112662.11.23"Permission Error" is Returned by Adding Flow
When repeat adding/deleting 900 flow entries on AS7312-54X, it's possible to return "permissions error" by adding new flows.
113822.11.24OVS Crash
This crash can be reproduced when sflow is enabled meanwhile a flow entry is added as following:
ovs-ofctl add-flow br0 priority=10,actions=drop


Bug IDReleaseDescription
Apply Policer to Aggregate Traffic
If configure a policer to a couple of ACL rules, the policer will applied to the aggregate traffics instead of each traffic matching specific ACL rule independently.


Bug IDReleaseDescription
Issue SNMP Trap if LAG Member Port Links Up/Down
As a common physical port, if a member port of a LAG is up or down, an SNMP trap should be issued.
Protocol Packets are Counted to Discarded
L2 protocol frames and L3 protocol packets including bpdu, lacp, lldp, mlag, bgp, bfd, ospf, RIP, dhcp, igmp, pim, arp, which are trapped to CPU but not replicated and sent to egress side, are counted to Discarded packets.
SNMP - Value of ifLastChange is Always 0
The value of ifLastChange (OID: should be the time the interface being in the current operational state.
SNMP - Value of sysUpTime is not in Timetick
The value of sysUpTime (OID: should be in timetick instead of integer.

[AG9032] PICOS Can't Boot up 

PICOS 2.11.16 cannot boot up on AG9032. Certain Delta switches such as AG9032 request to reset MAC via CPLD from software when reboot system by "reboot -f".

  • No labels