The following sections detail what is new in this document.
When MACsec-encrypted frames traverse intermediate switches that do not terminate MACsec, those switches cannot read the QoS markings inside the encrypted payload, so QoS visibility is lost.
This feature uses the MACsec confidentiality offset to leave the first 30 or 50 bytes of the protected payload unencrypted (they remain integrity-protected by the ICV), so the 802.1Q VLAN tag and its priority (p-) bits are transmitted in the clear and an intermediate switch can differentiate between classes of encrypted traffic. With the 802.1Q p-bits visible, intermediate switches can assign internal QoS priority to MACsec frames automatically. Note that every field inside the offset, not only the p-bits, is readable by anyone on the path, so use the smallest offset that exposes the fields you need.
For more information, see Automatic QoS Priority for MACsec Packets on Intermediate Switches.
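As an added illustration (not code from this page or from Extreme Networks), the following Python model shows which header fields of a VLAN-tagged IP frame fall inside a 0-, 30- or 50-byte confidentiality offset, and therefore what an intermediate switch, or anyone else on the path, can read. The field positions follow IEEE 802.1AE and 802.1Q; the frame contents and the IP addresses are constructed, and the model covers only field positions, not the AES-GCM cipher itself. It goes slightly beyond the text by also classifying IPv4/IPv6 address fields, which the 30- and 50-byte offsets expose as well.

```python
"""Which fields does a MACsec confidentiality offset leave readable?

Added example, not Extreme Networks code. Per IEEE 802.1AE, with a
confidentiality offset of 30 or 50 the first 30/50 octets of the user data
after the SecTAG are integrity-protected but sent unencrypted; the rest is
encrypted. The user data of a VLAN-tagged IP frame starts with the 802.1Q
tag, so the p-bits fall inside the offset. Frame contents are constructed.
"""
import struct

VALID_OFFSETS = (0, 30, 50)  # the only values 802.1AE defines


def build_user_data(pcp, vid, ip_version, tos, payload):
    """MACsec user data for a VLAN-tagged IPv4/IPv6 frame (constructed):
    802.1Q tag | EtherType | IP header | payload. DA, SA and the SecTAG
    precede this on the wire and are always in the clear."""
    vlan_tag = struct.pack("!HH", 0x8100, (pcp << 13) | (vid & 0x0FFF))
    if ip_version == 4:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                             0, 0, 64, 17, 0,
                             b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        ethertype = 0x0800
    elif ip_version == 6:
        ip_hdr = struct.pack("!IHBB16s16s", (6 << 28) | (tos << 20),
                             len(payload), 17, 64,
                             b"\xfd" + bytes(15), b"\xfd" + bytes(14) + b"\x01")
        ethertype = 0x86DD
    else:
        raise ValueError("ip_version must be 4 or 6")
    return vlan_tag + struct.pack("!H", ethertype) + ip_hdr + payload


def field_map(ip_version):
    """Byte ranges [start, end) of fields of interest within the user data."""
    fields = {"802.1Q PCP (p-bits)": (2, 3),   # top 3 bits of the TCI
              "802.1Q VID": (2, 4),
              "EtherType": (4, 6)}
    if ip_version == 4:
        fields["IPv4 DSCP/ECN"] = (7, 8)
        fields["IPv4 src+dst address"] = (18, 26)
    else:
        fields["IPv6 Traffic Class"] = (6, 8)
        fields["IPv6 src+dst address"] = (14, 46)
    return fields


def exposure(ip_version, offset):
    """Classify each field as 'clear', 'partial' or 'encrypted' for an offset."""
    if offset not in VALID_OFFSETS:
        raise ValueError(f"confidentiality offset must be one of {VALID_OFFSETS}")
    result = {}
    for name, (start, end) in field_map(ip_version).items():
        if end <= offset:
            result[name] = "clear"
        elif start >= offset:
            result[name] = "encrypted"
        else:
            result[name] = "partial"
    return result


def split_user_data(user_data, offset):
    """What an intermediate non-MACsec switch sees: the clear prefix as-is,
    and the remainder as opaque ciphertext (modelled here as the raw bytes)."""
    return user_data[:offset], user_data[offset:]


def read_pcp(clear_prefix):
    """PCP an intermediate switch can recover from the unencrypted prefix, or
    None when the 802.1Q tag is inside the encrypted part (offset 0)."""
    if len(clear_prefix) < 4 or clear_prefix[:2] != b"\x81\x00":
        return None
    return clear_prefix[2] >> 5


if __name__ == "__main__":
    frame = build_user_data(pcp=5, vid=100, ip_version=4, tos=0xB8, payload=b"x" * 64)
    for off in VALID_OFFSETS:
        clear, _ = split_user_data(frame, off)
        print(f"offset {off:>2}: pcp={read_pcp(clear)} {exposure(4, off)}")
    print("IPv6, offset 30:", exposure(6, 30))
```

Running the script shows that offset 0 hides the p-bits, offset 30 exposes the PCP, the DSCP and the complete IPv4 address pair, and that for IPv6 traffic only offset 50 covers the full 40-byte header.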
Example scenarios are added to help debug possible failure cases in single and multi-area configurations. For more information, see Dynamic Nickname Assignment.
This release includes the ability to configure the mac-offset parameter for mvpn-isid from EDM. In previous releases, this functionality was available through CLI only. For more information, see Configure IP Multicast config-lite for Fabric Connect.
Software Release Notes
Documentation collections
Hardware and Software Compatibility Matrices
Documentation for Extreme optics
RESTCONF Reference Documentation
The support portal for Software, MIB, Vulnerability/CVE and Field Notices
GitHub information for GNS3 images
If you have installed an Extreme-branded transceiver in a port, then you can view information about the transceiver by selecting the Vendor Part Number on the DDI/SFP tab of the Port pane.
For more information, see View DDI Information.
Beginning with this release, you can use the following existing CLI commands in Global Configuration mode:
virtual-service copy-file WORD<1-256> WORD<1-256>
virtual-service WORD<1-128> console
virtual-service WORD<1-128> install package WORD<1-512>
virtual-service WORD<1-128> uninstall
Procedures are updated to reflect support for both modes. Upgrade procedures use Global Configuration mode only, to reduce mode changes.
For more information, see Virtual Services Configuration using CLI and Upgrade a Fabric IPsec Gateway VM.
The output for the show application iqagent status CLI command is updated to provide additional information if IQ Agent is enabled but disconnected. The same information is also available in EDM. This change requires ExtremeCloud IQ Agent 0.5.55 or later.
For more information, see ExtremeCloud IQ Support.
The Extreme-Dynamic-ACL RADIUS attribute now supports a list parameter. Use the list parameter to hold multiple ports or masks so that similar ACE commands can be grouped into one entry and the packet limitation is not exceeded. Only one list parameter can exist in one Extreme-Dynamic-ACL. The maximum length of an individual ACE command in an Extreme-Dynamic-ACL VSA message is increased from 128 to 255 characters.
For more information, see Extreme-Dynamic-ACL.
The following list identifies more granular options that enhance the factory default flag behaviors:
config-only — Boots the switch with a blank configuration. This parameter preserves configuration files, primary and secondary configuration file names, user accounts and passwords, digital certificates, IKE/OSPF/IS-IS keys, and SNMP communities. All ports are disabled and assigned to VLAN 1. License files are not removed. Use this parameter as a temporary troubleshooting option to test or investigate if something is wrong with the configuration without permanently removing the configuration files, user accounts, and other preserved items.
reset-all-files — Equivalent to a switch that ships from the factory. The switch has no configuration files, uses the default user accounts and the default security mode, has Auto-sense enabled on its ports, and performs a ZTP+ configuration after reboot. The 30-day factory license is also reset.
If required, you must revoke the license file.
Note
You can also use a new unconfigure switch command to achieve the same behavior.
zero-touch — Boots the switch with a default configuration that enables Auto-sense. This parameter resets secure files but keeps the security mode and performs a ZTP+ configuration after reboot. License files are not removed.
For more information, see Boot Flag Configuration using CLI and Configure Boot Flags.
In this release, the system prompts you to change the admin and read-only user default passwords when you use the web-server enable command to enable the web management interface.
For more information, see Enable the Web Management Interface.
5720-VIM-6YE adds LRM support using an LRM/MACsec adapter, part 10965. The adapter includes two SFP+ host ports and two SFP/SFP+ network/link ports. Host ports use a proprietary 10 Gbps direct attach cable (DAC) to connect to the host (5720-VIM-6YE). You must connect both host ports to trigger PHY initialization and you must insert the DAC in the adapter before you insert the DAC in the VIM.
Both host ports and an auxiliary USB port provide power to the adapter. As a best practice, always use the USB port to provide power.
This release includes new CLI commands to upgrade the internal PHY firmware for the adapter and to view the firmware status.
Note
The MACsec function of the adapter itself is not supported; this has no impact on MACsec support of the VIM.
For more information, see Two-Port External LRM/MACsec Adapter and Upgrade the LRM/MACsec Adapter PHY Firmware.
Auto-set vim-speed on 25G VIMs based on inserted transceiver type.
The switch now automatically configures the Versatile Interface Module (VIM) speed based on the detected optics, which makes it easier to deploy and to maintain the module.
Auto-set vim-speed is enabled by default.
Note
This feature only applies to 5520 Series and 5720 Series.
Auto-channelize QSFP+ and QSFP28 ports when a QSA adapter (a Quad Small Form-factor Pluggable Plus to Small Form-factor Pluggable Plus adapter) or a breakout cable is detected and the port operates in Auto-sense mode.
This enhancement means that you no longer have to configure channelization manually on supported ports.
Together these enhancements make it even easier to deploy and use your switch.
This release makes the following security-related enhancements:
Secure syslog automatically reconnects after a connectivity failure
In previous releases, if connectivity failed, the switch disabled the syslog host automatically and you needed to manually retry the connection. Now, if connectivity fails, the syslog host remains enabled and the switch attempts to reconnect with the syslog server every two minutes.
SSH rekeying applies to Secure Copy (SCP) and Secure File Transfer Protocol (SFTP).
Previously, the SSH rekey data limit and time interval applied only to the SSH server and client.
If the switch operates in Enhanced Secure Mode (ESM), 3des-cbc and blowfish-cbc encryption types are disabled by default.
A new log message displays if an SSH packet exceeding 32,768 bytes is received, in both ESM and non-ESM modes. In previous releases, the switch silently discarded received SSH packets exceeding 32,768 bytes. For information about log messages, see Fabric Engine Alarms and Logs Reference.
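As an added example (not from this page or from the switch firmware), the following Python code frames and parses the RFC 4253 SSH binary packet layout and shows the check a receiver should make: log and reject a packet whose declared length exceeds 32,768 bytes before buffering its body, because the length field is attacker-controlled and silently dropping it hides the event from operators. The peer address, the log wording and the sample packets are constructed; the layout is the unencrypted framing seen before keys are in use or after decryption.

```python
"""Validate RFC 4253 SSH binary packets and log oversize ones instead of
dropping them silently. Added example, not switch code.

Layout (RFC 4253 section 6): uint32 packet_length | byte padding_length |
payload | random padding | MAC. The RFC requires implementations to handle
uncompressed payloads up to 32768 bytes; larger packets may be rejected.
"""
import logging
import os
import struct

MAX_PACKET = 32768   # limit used on this page; checked before any body is read
MIN_PADDING = 4      # RFC 4253: at least four bytes of random padding

log = logging.getLogger("ssh-framing")
log_records = []     # captured log lines, so callers can inspect what was logged


class _Capture(logging.Handler):
    def emit(self, record):
        log_records.append(self.format(record))


log.addHandler(_Capture())
log.setLevel(logging.WARNING)


def build_packet(payload, block_size=8):
    """Frame a payload so that the total length (packet_length field included)
    is a multiple of the cipher block size, with at least MIN_PADDING bytes."""
    pad = block_size - ((len(payload) + 5) % block_size)
    if pad < MIN_PADDING:
        pad += block_size
    packet_length = 1 + len(payload) + pad
    return struct.pack("!IB", packet_length, pad) + payload + os.urandom(pad)


def parse_packet(buf, block_size=8, peer="10.0.0.5"):
    """Return (status, payload, bytes_consumed).

    status is 'ok', 'incomplete' (wait for more data), 'oversize' or
    'bad-framing'. Oversize and malformed packets are logged with the peer
    address rather than discarded silently."""
    if len(buf) < 5:
        return "incomplete", None, 0
    packet_length, pad = struct.unpack("!IB", buf[:5])
    # Check the attacker-controlled length before allocating or waiting for
    # the body; a 4 GB packet_length must never cause a 4 GB read buffer.
    if packet_length > MAX_PACKET:
        log.warning("SSH packet from %s exceeds %d bytes (packet_length=%d); dropped",
                    peer, MAX_PACKET, packet_length)
        return "oversize", None, 0
    if pad < MIN_PADDING or pad >= packet_length or (packet_length + 4) % block_size:
        log.warning("SSH packet from %s has invalid framing (packet_length=%d, padding=%d)",
                    peer, packet_length, pad)
        return "bad-framing", None, 0
    if len(buf) < 4 + packet_length:
        return "incomplete", None, 0
    payload = buf[5:5 + packet_length - 1 - pad]
    return "ok", payload, 4 + packet_length


if __name__ == "__main__":
    good = build_packet(b"\x14" + bytes(16))          # constructed KEXINIT-like payload
    print(parse_packet(good))
    oversize = struct.pack("!IB", 40000, 4) + bytes(8)   # constructed hostile header
    print(parse_packet(oversize))
    print(log_records)
```

The status-code design keeps the oversize and malformed cases distinguishable in logs and metrics, which is what makes the switch's new log message useful: a burst of "exceeds 32768 bytes" entries from one peer is a signal worth alerting on, while an occasional "incomplete" is just normal stream buffering.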
In both ESM and non-ESM modes, the switch limits the supported algorithms for the Remote Authentication Dial-In User Service (RADIUS) Security (RADsec) proxy to the following cipher suites:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
Note
For RADsec implementations, as a best practice, use radsecproxy version 1.9.1 or later.
The switch no longer advertises P-192 and P-224 Transport Layer Security (TLS) elliptic curves; the switch advertises P-256, P-384, and P-521. As a best practice with RADsec, manually force the TLS version 1.2 negotiation by adding to the RADsec proxy server configuration file.
New warning messages display if the switch operates in Enhanced Secure Mode and uses insecure algorithms. For information about log messages, see Fabric Engine Alarms and Logs Reference.
For more information, see the following sections: