Programmable Internetworking & Communication Operating System Docs ... Click Spaces -> Space Directory to see docs for all releases ...
PICOS-3.7.2_Configuration_Guide
Page tree
Skip to end of metadata
Go to start of metadata

These notes summarizes PICOS 3.7 new features, new hardware, known bugs, and bug fixes. Best practices recommend that you read all the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.


New Software Features

Layer 2 and Layer 3

Bug IDReleaseDescription
123333.7.0

NTP config commands are changed
NTP server IP and source interface are configured as following commands.
set system ntp server-ip x.x.x.x
set system ntp source-interface xxxx
If the NTP source interface is configured, the source interface will be used for the NTP connection.

118153.7.0Refine DHCP Relay and Snooping
  • Removed the global setting to enable DHCP snooping on all VLANs. 
  • A pattern instead of a string can be configured to option 82. 
  • In case of VRRP, the IP address of DHCP relay agent can be the virtual IP address of the VRRP group. 
  • New MLAG DHCP Sync message is defined to sync DHCP messages between the 2 MLAG spines. 
With DHCP relay or snooping configurations, will have problem when upgrade to 3.7.0. Please have the details by referring to the document DHCP Configuration.
122643.7.0MSTP over MLAG
MSTP cannot work over MLAG in 3.6.x by new implementation of MLAG. In 3.7.0 we get it back.
123613.7.0 Priority of Multiple NAC Servers
Allow user to configure the priority of multiple NAC servers. The reachable NAC server with highest priority will be used for NAC authentication.
-3.7.0Upgrade to 3.7.0
  • The Cli commands of DHCP snooping & relay are changed in 3.7.0. It will fail when upgrade to 3.7.0 if the old version includes the configurations of DHCP snooping & relay. 
  • Additionally, Cli commands of MLAG are changed in 3.6.x. So it will fail to upgrade to 3.7.0 if the versions is older than 3.6.x with MLAG configuration. 
  • In case of upgrade from 2.11.x, please refer to Upgrading PICOS from Release 2.11.x Using Upgrade.
124023.7.0PoE Redundancy/Aggressive Mode on Dell Hardware Models
Add back PoE redundancy/aggressive mode for Dell hardware models. With 2 PSUs power good, PoE maximum power under redundancy mode will be different from aggressive mode.
124673.7.0Enhancements on Server-Fail Recovery Methods
Three methods, namely auto, manual and timer, can be configured for the client to get out from the RADIUS server failure. By default, manual comes into effective. Please have details at NAC Configuration Commands.
123113.7.0Enable Duplex Negotiation on SFP+ Port
Enable the auto negotiation for duplex on the SFP+ port at the 1G speed on AS5812_54X.
123943.7.0Manage license key from PICOS CLI
Allow to add/delete/show license key from operational mode of PICOS Cli.
1. license install <license-path-name>
2. license show
3. license remove
126063.7.1Dynamic ARP Inspection
Dynamic ARP inspection (DAI) is a security mechanism that is used to reject invalid and malicious ARP packets. ARP packets of which the MAC or IP is not detected by DHCP snooping will be dropped.
125903.7.1Port Security
Extend the functionalities of port security to all support platforms.
121543.7.1Handle EAP-logoff in NAC
If receive an EAP-Logoff on a specific port, the session of the associate supplicant will be terminated.
127003.7.1.3

SNMP ACLs Applied as per Community or Security User Name

The snmp-acl can be configured as per SNMP community or security user. Namely, it will allow a community or security user to have its own white IP list which will overwrite the global snmp-acl configuration. Please refer to the document Configuring SNMP ACL to have more details.

-3.7.2

Management VRF

Management VRF is designed to seperate management traffic and dataplane traffic completely for sake of security. The key points are as following:
if mgmt-vrf is enabled, the management interfaces such as eth0 is in mgmt-vrf. Other VLAN interfaces cannot be added to mgmt-vrf.
Dynamic and static routes can not be configured to mgmt-vrf.
Management services start up in the default VRF by default. They can be moved to mgmt-vrf manually if needed.
Please have detailed information by referring to the document at VRF Configuration Guide.

108073.7.2

OSPF over VRF

OSPF can be enabled on a specific VRF. Policy statements can be applied to the OSPF instance as per VRF. Please have detailed information by referring to the document at OSPF (Open Shortest Path First).

127413.7.2Issue a Warning rsyslog Message if MLAG Associate Configuration Not Consistent
If configuration on the 2 MLAG spines is not consistent, will issue a warning rsyslog message.
108223.7.2Return to Default Configuration
PICOS can go back to the default configuration much easier with the new added CLI command "rollback default".
76503.7.2Provide Bash Command History
CLI "bash" commands can be displayed by up arrow function to enable to rollback to previous commands in history.
78733.7.2Display Warning Message when if Closing Quotation Mark Missing
It is an enhancement of CLI syntax check. CLI will prompt an error message if the closing or begining quotation mark is missing.

Open vSwitch and OpenFlow

Bug IDReleaseDescription
124763.7.1Configure a Port to Different Bonds
A port can be added to multiple bonds. Will issue a warning log message if add a pop_vxlan/pop_l2gre flow with input matching a bond which shares member ports with other bond(s).

Linux

Bug IDReleaseDescription
118463.7.0Package X86 Platforms into One Single Image
All X86 platforms are packaged into one ONIE image file. So we will only release this one single package for all support X86 platforms. Please have the detailed list of X86 platforms at Installing PICOS on Bare Metal Switches.
124993.7.0 Boot into OVS or L2/L3 after ONIE Installation
Add a menu to ONIE installation process with 2 options which can make PICOS to boot into L2/L3 or OVS as following:
[1] PICOS L2/L3 (default)
[2] PICOS Open vSwitch/OpenFlow
Enter your choice (1,2):
By default, PICOS boots into L2/L3.

Hardware

Bug IDReleaseDescription
117733.7.0Porting N3248X-ON 
Dell N3248X-ON is a 1G/2.5G/5G/10G Multi-Gig switch model which has 48x10G Cu ports and 4x25G SFP28 and 2x100G QSFG28 stacking ports in the rear.
114483.7.0 Support AS4630-54PE
AS4630-54PE has 48x1G PoE Ethernet ports and 4x25GSFP28 ports and 2x100G stacking ports.
118063.7.1Support N3208PX-ON
N3208PX-ON suppurts 4x1G Cu ports and 4x5G Cu ports whth 802.3bt Type-4 99W PoE capability and 2x10G SFP+ ports.
125333.7.2

Support N3224P-ON

N3224P-ON supports 24x10G Cu ports with 802.3bt Type-4 99W PoE and 4x25G SFP28 ports and 2x100G QSFG28 ports in the rear.

125863.7.2Support N3248TE-ON
N3248TE-ON supports 48x1G Cu ports and 4x10G SFP+ ports and 2x100G QSFG28 ports in the rear.

Fixed Issues

Layer 2 and Layer 3 Features

Bug IDReleaseDescription
124013.7.0

Disable NTP by default
NTP should be disabled by default. NTP only be enabled when NTP server is configured.

123293.7.0DOT1X Authentication Failed When Configure Two Reachable Servers
The client will fail to be authenticated if multiple configured RADIUS servers are reachable.
122573.7.0Aruba AP-515 Fails to Receive Power
Somehow Aruba AP-515 can not receive power from N3048 UPoE ports (ge-1/1/1 to ge-1/1/12).
125083.7.0Lower the Level of a LOG Message
Lower the level of the log message, such as "The mac address 00:24:14:b3:68:3a is NAC session,ignore it", to "TRACE".
126143.7.1Login Announcement (Banner) not Showing Up
If activate TACACS+, the configured announcement (banner) can not show up when login to the switch. Fixed in 3.7.1.
126353.7.1Fail to Add a Term of Policy Statement
Configure a term of policy statement "set policy policy-statement statement term t1" and exit Cli such as reboot the switch. And then if configure another term of the same policy statement, will fail and print error message "Command failed: create_term failed: ... Term already present in position ..." .
92453.7.1LLDP Statistics Error
If disable LLDP, the LLDP counters should be cleaned up.
121713.7.1Delete loopback IP Address with VXLAN Configuration
Allow to delete the IP address configured on the loopback interface if it is not applied to a VXLAN instance.
126993.7.1.3

Multicasting Traffic flooded within the VLAN Even Enabled IGMP Snooping
If configure vlan-interface over a specific VLAN, unknown multicasting traffic will be flooded within this VLAN even though IGMP snooping is enabled on this VLAN. Fixed in 3.7.1.3.

127223.7.2Check VLAN when Apply a Synced MAC to L2 Table on a MLAG Spine
The virtual MAC address on a switch with VRRP enabled is created based on configured VRID. Under active-active mode of VRRP, if a virtual MAC address is learned on a MLAG spine (device A), it will be synced to the peering spine (device B). In case that on device B the same virtual MAC address of a different VLAN with the same VRID is synced from device A, this virtual MAC address will not be applied to the hardware L2 table because PICOS doesn't check the VLAN when install the synced MAC address to the hardware L2 table. This issue is fixed in 3.7.2.

Open vSwitch and OpenFlow

Bug ID

Release

Description

122353.7.0

SNMP Port Statistics Error.
The numbers of SNMP MIB OIDs (iso.3.6.1.2.1.31.1.1.1.x.x) associated with port statistics are not right.

124313.7.0Remove Remote Options from OVSDB_OPTS
It is not necessary to start OVSDB with these remote options, "--remote=ptcp:${ovs_switch_tcp_port}:127.0.0.1 --remote=ptcp:${ovs_switch_tcp_port}:[::1]", because,
the most popular listening port (6640) is used by default settings
user config "ovs-vsctl set-manager ptcp:6640" will not come up to effective because that will be overwriten by OVSDB_OPTS.
If we remove them, user can configure the remote parameters flexibly by
ovs-vsctl set-manager ptcp:6640

Hardware

Bug IDReleaseDescription
126113.7.1Fan Speed on N3132 and N3048
The fan speed on N3048 can not be lower than 7000RPM. On N3132 the fan speed is presented as 0 when execute "run show system fan". Fixed in 3.7.1.
124983.7.1Wrong CPLD Version Number
Invalid number 0x0 is shown in the output of system diagnosis on S5200 and N3132. Fixed in 3.7.1.
124893.7.1ONIE Crash When Install PicOS on S5200
If upgdate ONIE from 3.40.1.1-4 or 3.40.1.1-5 to 3.40.1.1-6, after PICOS installation, ONIE boot in grub menu is damaged. And cann't go into ONIE. Fixed in 3.7.1.
125143.7.1ONIE Installation Fails with ECC Error
After install PICOS on N3048 under ONIE, PICOS cannot boot up by prompting ECC error. Fixed in 3.7.1.

Linux Platform

Bug ID

Release

Description

128393.7.2.2

I/O Error Messages During PICOS Installation and Upgrade on Dell Platforms

Linux command ‘partprobe’ is used to inform the kernel of partition table changes during PICOS installation and upgrade. On Dell N32XX and N22XX switch models, a restricted memory block is accessed by this command. That will print the error messages as following:

[29962.202703] print_req_error: I/O error, dev mmcblk0rpmb, sector 0
Warning: Error fsyncing/closing /dev/mmcblk0rpmb: Input/output error

PICOS installation and upgrade will not be affected by this error message. This issue is planed to be fixed in 3.7.3. 

AmpCon

Bug ID

Release

Description

125693.7.1

Roll Back Config if Upgrade Fails
The AmpCon agent will roll back to the original configuration if upgrade fails in case such as vpn connection failure.

CLI Changes

Type of the ChangeCommandVersionDescriptionsFeatureLink of the Config Guide
Hiddenset interface gigabit-ethernet xxxx port-security mac-address xxxx vlan xxxx sticky true/false3.7.1Sticky can not be configured on a specific MAC address.Port SecurityPort Security Configuration: /display/PicOS37sp/Port+Security+Configuration
Port Security Commands:/display/PicOS37sp/Port+Security+Commands
Hiddenset interface aggregate-ethernet xxx port-security xxx 3.7.1Port security can not be configured on a LAG port.Port Security
Hiddenset protocol arp interfae xxxx inspection xxx 3.7.1DAI cannot be configured on vlan-interface.ARP InspectionConfiguring ARP Inspection: /display/PicOS37sp/Dynamic+ARP+Inspection
ARP Inspection Commands:    /display/PicOS37sp/Protocol+Configuration+Commands
Newset protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>
set protocols arp inspection vlan <vlan-id> access-list <acl-name>		3.7.1DAI supports ARP access lists for non-DHCP environments.ARP Inspection
Removedclear port-security address xxx vlan xxx
clear port-security interface all/gigabit-ethernet xxx
clear port-security port-error all 		3.7.1N/APort SecurityPort Security Configuration: /display/PicOS37sp/Port+Security+Configuration
Port Security Commands:/display/PicOS37sp/Port+Security+Commands
New clear port-security dynamic address xxx vlan xxx
clear port-security sticky address xxx vlan xxx
clear port-security dynamic interface all all/gigabit-ethernet xxx
clear port-security sticky interface all all/gigabit-ethernet xxx
clear port-security port-error interface all/gigabit-ethernet xxx 		3.7.1N/APort Security
Newshow arp inspection3.7.1N/AARP InspectionConfiguring ARP Inspection: /display/PicOS37sp/Dynamic+ARP+Inspection
ARP Inspection Commands:    /display/PicOS37sp/Protocol+Configuration+Commands
  • No labels

Copyright © 2019 PICA8 Inc. All Rights Reserved.