Programmable Internetworking & Communication Operating System Docs ... Click Spaces -> Space Directory to see docs for all releases ...
Page tree
Skip to end of metadata
Go to start of metadata

These notes summarizes PICOS 3.7 new features, new hardware, known bugs, and bug fixes. Best practices recommend that you read all the content before upgrading to this release. For more detailed feature information, refer to the configuration guides.


New Software Features

Layer 2 and Layer 3

Bug IDReleaseDescription
123333.7.0

NTP config commands are changed
NTP server IP and source interface are configured as following commands.
set system ntp server-ip x.x.x.x
set system ntp source-interface xxxx
If the NTP source interface is configured, the source interface will be used for the NTP connection.

118153.7.0Refine DHCP Relay and Snooping
  • Removed the global setting to enable DHCP snooping on all VLANs. 
  • A pattern instead of a string can be configured to option 82. 
  • In case of VRRP, the IP address of DHCP relay agent can be the virtual IP address of the VRRP group. 
  • New MLAG DHCP Sync message is defined to sync DHCP messages between the 2 MLAG spines. 
With DHCP relay or snooping configurations, will have problem when upgrade to 3.7.0. Please have the details by referring to the document DHCP Configuration.
122643.7.0MSTP over MLAG
MSTP cannot work over MLAG in 3.6.x by new implementation of MLAG. In 3.7.0 we get it back.
123613.7.0 Priority of Multiple NAC Servers
Allow user to configure the priority of multiple NAC servers. The reachable NAC server with highest priority will be used for NAC authentication.
-3.7.0Upgrade to 3.7.0
  • The Cli commands of DHCP snooping & relay are changed in 3.7.0. It will fail when upgrade to 3.7.0 if the old version includes the configurations of DHCP snooping & relay. 
  • Additionally, Cli commands of MLAG are changed in 3.6.x. So it will fail to upgrade to 3.7.0 if the versions is older than 3.6.x with MLAG configuration. 
  • In case of upgrade from 2.11.x, please refer to Upgrading PICOS from Release 2.11.x Using Upgrade.
124023.7.0PoE Redundancy/Aggressive Mode on Dell Hardware Models
Add back PoE redundancy/aggressive mode for Dell hardware models. With 2 PSUs power good, PoE maximum power under redundancy mode will be different from aggressive mode.
124673.7.0Enhancements on Server-Fail Recovery Methods
Three methods, namely auto, manual and timer, can be configured for the client to get out from the RADIUS server failure. By default, manual comes into effective.
123113.7.0Enable Duplex Negotiation on SFP+ Port
Enable the auto negotiation for duplex on the SFP+ port at the 1G speed on AS5812_54X.
123943.7.0Manage license key from PICOS CLI
Allow to add/delete/show license key from operational mode of PICOS Cli.
1. license install <license-path-name>
2. license show
3. license remove
126063.7.1Dynamic ARP Inspection
Dynamic ARP inspection (DAI) is a security mechanism that is used to reject invalid and malicious ARP packets. ARP packets of which the MAC or IP is not detected by DHCP snooping will be dropped.
125903.7.1Port Security
Extend the functionalities of port security to all support platforms.
121543.7.1Handle EAP-logoff in NAC
If receive an EAP-Logoff on a specific port, the session of the associate supplicant will be terminated.
127003.7.1.3

SNMP ACLs Applied as per Community or Security User Name

The snmp-acl can be configured as per SNMP community or security user. Namely, it will allow a community or security user to have its own white IP list which will overwrite the global snmp-acl configuration. Please refer to the document Configuring SNMP ACL to have more details.

-3.7.2

Management VRF

Management VRF is designed to seperate management traffic and dataplane traffic completely for sake of security. The key points are as following:
if mgmt-vrf is enabled, the management interfaces such as eth0 is in mgmt-vrf. Other VLAN interfaces cannot be added to mgmt-vrf.
Dynamic and static routes can not be configured to mgmt-vrf.
Management services start up in the default VRF by default. They can be moved to mgmt-vrf manually if needed.
Please have detailed information by referring to the document at VRF+Configuration+Guide.

108073.7.2

OSPF over VRF

OSPF can be enabled on a specific VRF. Policy statements can be applied to the OSPF instance as per VRF. Please have detailed information by referring to the document at OSPF (Open Shortest Path First).

127413.7.2Issue a Warning rsyslog Message if MLAG Associate Configuration Not Consistent
If configuration on the 2 MLAG spines is not consistent, will issue a warning rsyslog message.
108223.7.2Return to Default Configuration
PICOS can go back to the default configuration much easier with the new added CLI command "rollback default".
76503.7.2Provide Bash Command History
CLI "bash" commands can be displayed by up arrow function to enable to rollback to previous commands in history.
78733.7.2Display Warning Message when if Closing Quotation Mark Missing
It is an enhancement of CLI syntax check. CLI will prompt an error message if the closing or begining quotation mark is missing.
127133.7.3Private VLAN
Private VLAN provides a mechanism to limit traffics into different sub-domains within a VALN broadcast domain via isolated VLAN and community VLANs. Please refer to Private VLAN Configuration Guide.
127903.7.3The License Type is 1G for N32XX
License type is is changed to 1G on hardware Dell models including N3248PXE-ON, N3248X-ON, N3224PX-ON.
127713.7.3New CLI Commands under Operational Mode
New CLI commands are added for the functionalities of scp, upgrade2, banner before login under CLI operational mode. Please refer to System Management Commands.
127433.7.3Compatibility of AmpCon with Management VRF
Management VRF was added in 3.7.2. AmpCon should be compatible with management VRF. Specifically, if management VRF is enabled, AmpCon agent on the switch side should lookup the routes in management VRF to build VPN connection with AmpCon server.
126493.7.3Add a Build-in User "net-admin"
By default, TACACS+ user with privilege-level equal to 1 will be mapped to this internal user "net-admin" which is not allowed to drop into Linux shell. So TACAS+ user with privilege-level 2-14 will be mapped to local user operator. Additionally, "net-admin" cannot login into PICOS by local authentication.
105353.7.3Add HardwareId in Pica8 Private SNMP MIB
Hardware ID can be queried by OID (iso.3.6.1.4.1.35098.1.17.0 ) from Pica8 private SNMP MIB.
127423.7.3.4

Split 100G port into 2 x 50G ports
An 100G port can be split into 2x50G or 4x25G or 4x10G on AS7726_32X under L2/L3 mode.

129523.7.4

DHCP Server under L2/L3 

A simple version of DHCP server is introduced into PICOS under L2/L3 mode. In particular, this DHCP server supports to assign IPv4 addresses for hosts in one specific VRF for Internet access. Please refer to the document at Configuring DHCP Server.

129383.7.4

MLAG Enhancement

Refined the behavior in case that configurations are not consistent on the peering MLAG spines. PICOS will keep MAC addresses syncing on MLAG interfaces even if configurations are not consistent on the peering MLAG spines unless MLAG TCP connection is broken. With regarding to spanning tree, based on the type of inconsistent configurations on the MLAG spines, will take actions as following:

Do nothing and keep the traffic going

shut down the specific MLAG port

Block associate VLANs configured on the peer-link

Please refer to Principle of MLAG for the details.

128903.7.4

Abbreviate the Downloadable ACL Rule

It allows to add 80 maximum dACL abbreviated rules on ClearPass by abbreviating the key words of the downloadable ACL. This change is compatible with the old version of downloadable ACL. That indicates the old key words of downloadable ACL can still work.

128833.7.4

Resolve the IP of CWA Server with DNS

The host name of CWA (Central Web Authentication) server is included in the re-directional URL in the returned RADIUS access-accept message from the NAC server. Therefore, the IP address of CWA server can be resolved by the configured DNS. The configuration commands for IP address and L4 port of CWA are hidden.

set protocols dot1x web server-ip XXXX

set protocols dot1x web port XXXX

128843.7.4

Consecutive Detect Number

Add consecutive detect number to the output of "run show dot1x server".

128943.7.4

Add idle-timeout for CLI on Console Port

Login to the switch on console port. If the configured timeout is expired, CLI will exit.

130703.7.5

MLAG Peer Gateway

Maximum 500 L3 VLAN interfaces are allowed to be configured on each MLAG spine switch. The IP address of each L3 VLAN interface can be used as the gateway of the downlink hosts. Please refer to document at Principle of MLAG.

130723.7.5

Allow 802.1X to Work with Local Firewall

Support both of 802.1X dynamic/downloadable ACLs and local firewall filter on-switch security and QoS ACLs on the same ports.

Open vSwitch and OpenFlow

Bug IDReleaseDescription
124763.7.1Configure a Port to Different Bonds
A port can be added to multiple bonds. Will issue a warning log message if add a pop_vxlan/pop_l2gre flow with input matching a bond which shares member ports with other bond(s).
129503.7.4

TTP Improvement

New tables, Bridging_Flow_Table, Egress_Port_Flow_Table, Egress_Port_Group_Flow_Table, Egress_VLAN_Xlate_Flow_Table, Egress_ACL_Flow_Table, are added under TTP (TTP Table Type Pattern) mode. Please refer to Configuring TTP for the detailed update.

Linux Platform

Bug IDReleaseDescription
118463.7.0Package X86 Platforms into One Single Image
All X86 platforms are packaged into one ONIE image file. So we will only release this one single package for all support X86 platforms. Please have the detailed list of X86 platforms at Installing PICOS on Bare Metal Switches.
124993.7.0 Boot into OVS or L2/L3 after ONIE Installation
Add a menu to ONIE installation process with 2 options which can make PICOS to boot into L2/L3 or OVS as following:
[1] PICOS L2/L3 (default)
[2] PICOS Open vSwitch/OpenFlow
Enter your choice (1,2):
By default, PICOS boots into L2/L3.
123763.7.3PICOS Switch Should Have Unique Host Key
A different host key Will be generated when PICOS is installed to a switch.

Hardware

Bug IDReleaseDescription
117733.7.0Porting N3248X-ON 
Dell N3248X-ON is a 1G/2.5G/5G/10G Multi-Gig switch model which has 48x10G Cu ports and 4x25G SFP28 and 2x100G QSFG28 stacking ports in the rear.
114483.7.0 Support AS4630-54PE
AS4630-54PE has 48x1G PoE Ethernet ports and 4x25GSFP28 ports and 2x100G stacking ports.
118063.7.1Support N3208PX-ON
N3208PX-ON suppurts 4x1G Cu ports and 4x5G Cu ports whth 802.3bt Type-4 99W PoE capability and 2x10G SFP+ ports.
125333.7.2

Support N3224P-ON

N3224P-ON supports 24x10G Cu ports with 802.3bt Type-4 99W PoE and 4x25G SFP28 ports and 2x100G QSFG28 ports in the rear.

125863.7.2Support N3248TE-ON
N3248TE-ON supports 48x1G Cu ports and 4x10G SFP+ ports and 2x100G QSFG28 ports in the rear.
128353.7.4

Support N3224F-ON

N3224F-ON supports 24x1G SFP ports and 4x10G SFP+ ports and 2x100G QSFG28 stacking ports in the rear.

129573.7.4

Support S5232F-ON

S5232F-ON supports 32x100G QSFP28 port and 2X10G SFP+ ports.

126963.7.4

AG5648 Support in 3.7.4

Add AG5648 back to the list of hardware support in 3.7.4.

138583.7.5

Support AS4630-54NPE

AS4630-54NPE consists of 36x2.5G BASE-T ports, 12x10G BASE-T ports, 4x25G SFP25 uplink ports and 2x100G QSFP28 uplink ports.

Fixed Issues

Layer 2 and Layer 3 Features

Bug IDReleaseDescription
124013.7.0

Disable NTP by default
NTP should be disabled by default. NTP only be enabled when NTP server is configured.

123293.7.0DOT1X Authentication Failed When Configure Two Reachable Servers
The client will fail to be authenticated if multiple configured RADIUS servers are reachable.
122573.7.0Aruba AP-515 Fails to Receive Power
Somehow Aruba AP-515 can not receive power from N3048 UPoE ports (ge-1/1/1 to ge-1/1/12).
125083.7.0Lower the Level of a LOG Message
Lower the level of the log message, such as "The mac address 00:24:14:b3:68:3a is NAC session,ignore it", to "TRACE".
126143.7.1Login Announcement (Banner) not Showing Up
If activate TACACS+, the configured announcement (banner) can not show up when login to the switch. Fixed in 3.7.1.
126353.7.1Fail to Add a Term of Policy Statement
Configure a term of policy statement "set policy policy-statement statement term t1" and exit Cli such as reboot the switch. And then if configure another term of the same policy statement, will fail and print error message "Command failed: create_term failed: ... Term already present in position ..." .
92453.7.1LLDP Statistics Error
If disable LLDP, the LLDP counters should be cleaned up.
121713.7.1Delete loopback IP Address with VXLAN Configuration
Allow to delete the IP address configured on the loopback interface if it is not applied to a VXLAN instance.
126993.7.1.3

Multicasting Traffic flooded within the VLAN Even Enabled IGMP Snooping
If configure vlan-interface over a specific VLAN, unknown multicasting traffic will be flooded within this VLAN even though IGMP snooping is enabled on this VLAN. Fixed in 3.7.1.3.

127223.7.2Check VLAN when Apply a Synced MAC to L2 Table on a MLAG Spine
The virtual MAC address on a switch with VRRP enabled is created based on configured VRID. Under active-active mode of VRRP, if a virtual MAC address is learned on a MLAG spine (device A), it will be synced to the peering spine (device B). In case that on device B the same virtual MAC address of a different VLAN with the same VRID is synced from device A, this virtual MAC address will not be applied to the hardware L2 table because PICOS doesn't check the VLAN when install the synced MAC address to the hardware L2 table. This issue is fixed in 3.7.2.
127623.7.3Stop Empty TACACS+ Authorization Requests after Login to the Switch
A TACACS+ user is mapped to a local user such as admin or operator or guess depending on the user's privilege-level configured on TACACS+ server side. PICOS will send an empty authorization request (service= shell, cmd=NULL) to the TACACS+ server to have the privilege-level of a specific TACACS+ user during the authentication process. After login to the switch, this empty authorization request should not be sent out to the TACACS+ server.
124823.7.3Switch Gets Reboot If More Than Available Power is Requested via PoE
This issue can be reproduced under the extreme conditions on N3248PXE-ON. Connect POE load tester to all 48 ports and request power from all ports with maximum power of 90watts each. PICOS will reboot when Cli commands such as "run show poe interface all". This issue is fixed potentially with #12637.
129483.7.4Ports Bounce When Change Member Port(s) of a LAG
All other ports will flip if a member port of a LAG is changed to a different LAG. This issue, fixed in 3.7.4, only happens on AS4610.
129283.7.4

Don't Discard IP Fragments of NAC Messages

Under in-band connection, the IP fragments of NAC messages should not be dropped.

128773.7.4

Client Device Loses NAC authentication After session-timeout

After authentication session-timeout such as 1 hour by default, the client device authentication is terminated. And it cannot get authenticated any longer in particular circumstance. This issue is fixed in 3.7.4.

128663.7.4

MAC Syncing on VXLAN Network Ports Between MLAG Spines

MAC address learned on the VXLAN network port of one MLAG spine is not synced up to the peering MLAG spine even though VXLAN configuration is consistent on the 2 MLAG spines. Additionally, MAC address on network port is shown as type of "Dynamic" or "Sync" on both MLAG spines when execute "run show vxlan address-table". This issue is fixed in 3.7.4.

128783.7.4

Traffic Loop Appears if Flip VXLAN Network Port

VXLAN is configured on the 2 MLAG spines. The traffic from the peer link should be blocked on the VXLAN network port unless the corresponding VXLAN network port on the peering spine is down. However, by flipping the VXLAN netowrk port on one spine, the mechanism to block the traffic from peer link might not work and lead to traffic loop. This issue is fixed in 3.7.4.

128873.7.4

Global Settings for recovery-timeout and session-timeout

Add global configuration commands for recovery-timeout and session-timeout of NAC session.

128853.7.4

Remove syslog Messages for NAC Debugging

Remove the trivial log messages for NAC debugging, which are boring and confusing.

130003.7.4

PICOS CLI Command "commit confirmed" Doesn't Work in "cli -c ..."

PICOS CLI command "commit confirmed" doesn't work in command "cli -c ..." for example,

cli -c "configure;set vlans vlan-id 1888; commit confirm 10"

Configuration rollback will not be triggered. This issue can also be reproduced in ansible environment.

127543.7.5

MSTI Validation When Show MSTP Interface Status

When show insterface status of a MSTP instance with command "run show spanning-tree mstp interface msti xxx", will prompt an error message if the specified MSTI is invalid.

125773.7.5

Port with Root Guard Enabled

If the role of a port with root guard enabled is changed, the port will be blocked and marked as "ROOT_NC".

130323.7.5

It Takes Longer to Stop PICOS with Web Authentication Enabled

It takes much longer to stop PICOS if enable web authentication on a specific port. This issue is fixed in the 3.7.5.

130343.7.5

Remove an LCMGR LOG Message

Remove rsyslog message "[LCMGR]BCM_FIELD_RANGE_SRCPORT id 0x5a0000xx" which is confusing and non-sense.

Open vSwitch and OpenFlow

Bug ID

Release

Description

122353.7.0

SNMP Port Statistics Error.
The numbers of SNMP MIB OIDs (iso.3.6.1.2.1.31.1.1.1.x.x) associated with port statistics are not right.

124313.7.0Remove Remote Options from OVSDB_OPTS
It is not necessary to start OVSDB with these remote options, "--remote=ptcp:${ovs_switch_tcp_port}:127.0.0.1 --remote=ptcp:${ovs_switch_tcp_port}:[::1]", because,
the most popular listening port (6640) is used by default settings
user config "ovs-vsctl set-manager ptcp:6640" will not come up to effective because that will be overwriten by OVSDB_OPTS.
If we remove them, user can configure the remote parameters flexibly by
ovs-vsctl set-manager ptcp:6640
127153.7.3Cannot Match dl_vlan in a Flow with Virtual Port
To match a virtual port such as LAG or bond or tunnel port with in_port in a flow entry, dl_vlan in this flow entry doesn't work. This issue is fixed in 3.7.3.
128953.7.4

Web GUI for OVS Configuration on N3200

Enable web GUI for OVS configuration on N3200 platforms.

129533.7.4

FEC is only Applied on 100G Port

FEC (Forward Error Correction) can only be applied on 100G port configured with 100Gbps speed.

Hardware

Bug IDReleaseDescription
126113.7.1Fan Speed on N3132 and N3048
The fan speed on N3048 can not be lower than 7000RPM. On N3132 the fan speed is presented as 0 when execute "run show system fan". Fixed in 3.7.1.
124983.7.1Wrong CPLD Version Number
Invalid number 0x0 is shown in the output of system diagnosis on S5200 and N3132. Fixed in 3.7.1.
124893.7.1ONIE Crash When Install PicOS on S5200
If upgdate ONIE from 3.40.1.1-4 or 3.40.1.1-5 to 3.40.1.1-6, after PICOS installation, ONIE boot in grub menu is damaged. And cann't go into ONIE. Fixed in 3.7.1.
125143.7.1ONIE Installation Fails with ECC Error
After install PICOS on N3048 under ONIE, PICOS cannot boot up by prompting ECC error. Fixed in 3.7.1.
126373.7.3Refine Fan Speed Control
Refine the speed control of the fans based on the hardware specification documents. The key changes are as following:
Set the PWM of system fans with 5 levels based on the temperatures mesured by the thermal sensors.
As a protection mechanism, PICOS will shut down if the temperature of any tracked thermal sensor is over the value of shutdown threshold.
Update temperature shutdown shreshold of PoE controller to 125C.
PSU fan speed control is also covered in this enhancement.
128383.7.3.1CPLD Version Number in PICOS
CPLD version number should be displayed such as 1.7 instead of 0x107 in System Diagnosis.
128913.7.3.1

Update Fan Status if Stop Working
When one of the fans stops working or is pulled out, fan status should be reflected immediately when execute "run show system fan".

Linux Platform

Bug ID

Release

Description

128393.7.3

I/O Error Messages During PICOS Installation and Upgrade on Dell Platforms

Linux command ‘partprobe’ is used to inform the kernel of partition table changes during PICOS installation and upgrade. On Dell N32XX and N22XX switch models, a restricted memory block is accessed by this command. That will print the error messages as following:

[29962.202703] print_req_error: I/O error, dev mmcblk0rpmb, sector 0
Warning: Error fsyncing/closing /dev/mmcblk0rpmb: Input/output error

PICOS installation and upgrade will not be affected by this error message. This issue is planed to be fixed in 3.7.3. 

128933.7.3.1

UEFI Boot Entry Displayed as 'grub'
UEFI boot entry of PICOS is changed as "picos" in efibootmgr under ONIE.

129073.7.4

FAN Tray Airflow Direction on N3248TE

Support both FAN airflow direction, Back to Front (B2F) and Front to Back (F2B), on N3248TE.

129463.7.4

upgrade/upgrade2 cannot Work with an Ansible Playbook 

upgrade/upgrade2 can return to shell prompt by executing "reboot" background. The Ansible playbook which is used to do upgrade will not hang to expect the shell prompt.

130863.7.5

Connect Cable on the Port Which Disabled, the Port Status will Be 'up'

On N3224PX-ON, connect cable on the port which disabled, the port status will be 'up'.


AmpCon

Bug ID

Release

Description

125693.7.1

Roll Back Config if Upgrade Fails
The AmpCon agent will roll back to the original configuration if upgrade fails in case such as vpn connection failure.

CLI Changes

Type of the ChangeCommandVersionDescriptionsFeatureLink of the Config Guide
Hiddenset interface gigabit-ethernet xxxx port-security mac-address xxxx vlan xxxx sticky true/false3.7.1Sticky can not be configured on a specific MAC address.Port SecurityPort Security Configuration: /display/PicOS37sp/Port+Security+Configuration
Port Security Commands:/display/PicOS37sp/Port+Security+Commands
Hiddenset interface aggregate-ethernet xxx port-security xxx 3.7.1Port security can not be configured on a LAG port.Port Security
Hiddenset protocol arp interfae xxxx inspection xxx 3.7.1DAI cannot be configured on vlan-interface.ARP InspectionConfiguring ARP Inspection: /display/PicOS37sp/Dynamic+ARP+Inspection
ARP Inspection Commands:    /display/PicOS37sp/Protocol+Configuration+Commands
Newset protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>
set protocols arp inspection vlan <vlan-id> access-list <acl-name>
3.7.1DAI supports ARP access lists for non-DHCP environments.ARP Inspection
Removedclear port-security address xxx vlan xxx
clear port-security interface all/gigabit-ethernet xxx
clear port-security port-error all 
3.7.1N/APort SecurityPort Security Configuration: /display/PicOS37sp/Port+Security+Configuration
Port Security Commands:/display/PicOS37sp/Port+Security+Commands
New clear port-security dynamic address xxx vlan xxx
clear port-security sticky address xxx vlan xxx
clear port-security dynamic interface all all/gigabit-ethernet xxx
clear port-security sticky interface all all/gigabit-ethernet xxx
clear port-security port-error interface all/gigabit-ethernet xxx 
3.7.1N/APort Security
Newshow arp inspection3.7.1N/AARP InspectionConfiguring ARP Inspection: /display/PicOS37sp/Dynamic+ARP+Inspection
ARP Inspection Commands:    /display/PicOS37sp/Protocol+Configuration+Commands
  • No labels