New in this Document

Anycast IP Gateway

Anycast IP Gateway provides robust active-active router instances with shortest path forwarding. This feature is beneficial for deployments that share I-SIDs among many sites.

Anycast IP Gateway provides the ability to run multiple parallel IPv4 routers as a virtual router to provide default IP gateway functionality, and implement distributed routing. All configured routers can take part in the routing of packets they receive with the destination address of the gateway MAC.

For more information, see Anycast IP Gateway.

Client Visibility

This software supports the following client visibility enhancements:

• Node Alias:

  With Node Alias functionality, you can discover information about the end systems in the network on a per-port basis. As the packets from the end systems transit through the Node Alias-enabled port, the switch stores key attributes in a database that you can query to retrieve specific system information. Node Alias provides the infrastructure for DHCP Fingerprinting.

• DHCP Fingerprinting:

  DHCP Fingerprinting provides information about the device that sent a DHCP request.

• Node Alias

• Node Alias Configuration using CLI

• Node Alias Configuration using EDM

Fabric Enhancements

The software supports the following Fabric enhancements:

• For more information, see Virtual NNI Links for Multi-Area Boundary Nodes.

• Fabric scaling—You can use the show khi resource-scaling command to display information to determine the resources available for Fabric scaling.

  For more information, see Display Fabric KHI Resource Scaling.

• Flex UNI CLI commands—The following commands include a field to display if Flex UNI or Fabric Attach is enabled on an interface:

  • show interfaces gigabitethernet state
  • show interfaces gigabitethernet vlan

• IS-IS IPv4 route preference—This release adds support to configure a route preference to differentiate between internal and external IS-IS routes.

  For more information, see Configure IP Route Preferences.

• IS-IS tags for IPv4 routes redistributed into IS-IS—You can now apply a tag for routes that BGP or OSPF redistribute into IS-IS, and enable route filtering for those tags. This configuration ensures that if one BEB redistributes a route into IS-IS from either protocol, other BEBs do not redistribute tagged IS-IS routes back into BGP or OSPF. You can also create route-map policies to match the IS-IS tag. To view the tag for a route, use the show isis lsdb ip-unicast or show isis lsdb detail command.

  

  Caution

  To use IS-IS Route Tagging on GRT IS-IS routes, you must also configure the metric-type as external. If you want to use IS-IS tags on GRT as internal routes, all Fabric nodes must be above a minimum software version. Any switch in the SPB Fabric that runs earlier software versions triggers an exception if you use metric type internal. To ensure this does not occur, if you attempt to configure a tag and the metric-type is not external, the switch reminds you to upgrade the software on all devices. You must ensure all devices in the network run the minimum required software.

  For more information, see IS-IS Route Tagging.

Fabric with ExtremeCloud SD-WAN Enhancements

This release adds the following ExtremeCloud SD-WAN enhancements:

• Auto-sense SD-WAN state now configures a static host route (/32) for each Fabric Extend tunnel destination to reach the next-hop SD-WAN Appliance. In earlier releases, only a single static default route was configured.
• Local Breakout —Use a Local Breakout (LBO) configuration for the following use cases:
  • Send Internet-destined traffic directly to the Internet at the branch, through the SD-WAN Appliance and not through the Fabric.
  • Provide the SD-WAN Appliance management access to a Fabric service for management and for NTP server reachability.
• Management instance—Upon detection of an SD-WAN Appliance, Auto-sense creates an SD-WAN specific management interface, Mgmt-sdwan, over which management applications, such as the SSH client, can reach the SD-WAN Appliance.
• VRF support—You can now specify the VRF name that Auto-sense uses for the SD-WAN configuration.

For more information, see Fabric Extend (FE) States and SD-WAN.

General Enhancements

The software supports the following enhancements:

• Ability to clear SCP and SFTP sessions—This release adds the clear ssh scp <0-7> and clear ssh sftp <0-7> commands to clear SCP and SFTP sessions.

  For more information, see Clear SSH Sessions.

• CLI syntax for ports—Commands that previously accepted a port range now also support the use of "all" for all ports on the same slot, or all ports on the switch. The updated port syntaxes are as follows:

  • {slot/port[-slot/port][,...]} is now {slot/port[-slot/port][,...]}{[slot/all][all]}
  • {slot/port[/sub-port][-slot/port[/sub-port]][,...]} is now {slot/port[/sub-port][-slot/port[/sub-port]][,...]}{[slot/all][all]}

• Dynamic ACLs-Action "count" for ACE—The Extreme-Dynamic-ACL RADIUS VSA now automatically adds the count parameter to ACEs even if you do not specify it explicitly.

  For more information, see Extreme-Dynamic-ACL.

• EAP and NEAP Client Re-Authentication—You can configure the value, using CLI, EDM or RADIUS VSA, to 0, which means the session does not age out.

  

  Caution

  Preventing re-authentication can introduce a security risk.

  For more information, see the following sections:

  • NEAP Client Re-Authentication
  • Extreme-Dynamic-Config

• MLT name length—The MLT name is increased from 20 to 64 characters. With the exception of the show mlt [name] command, show command output uses the MLT ID rather than the name.

  For more information, see Display MLT Names.

• Rate-limit for unknown unicast traffic enhancement—You can now configure a separate rate limit for broadcast and unknown unicast traffic. In an earlier release, the configured rate limit applied to combined broadcast and unknown unicast traffic.

  For more information, see the following sections:

  • QoS Support for 10 GbE Interface in 1GbE mode

  • Broadcast, Unknown Unicast, and Multicast Traffic Bandwidth Limiters per Ingress Port

  • Configure Broadcast, Unknown Unicast, and Multicast Bandwidth Limiting (using CLI)

  • Configure Port Rate Limits (using EDM)

• Segmented Management Interface to record destination IP on UDP messages and respond on same IP interface—This release resolves asymetrical routing for management applications that use UDP, such as TFTP, RADIUS dynamic server, or SNMP. The Segmented Management Interface now stores the destination IP of the incoming UDP message and responds using the interface as the source IP.

• Upgrade to Linux kernel to 5.10—This release upgrades Linux kernel from 5.4 to 5.10.

Inclusion of 9.0.3

This release includes the following feature support introduced in VOSS 9.0.3:

• Fail Open I-SID enhancement—You can configure the Fail Open I-SID as the same I-SID value assigned by RADIUS VSA.

• LLDP-MED enhancement—You can configure LLDP-MED network policies on ports using EDM.

• RADIUS Dynamic Server—You can configure up to eight clients.

• Multi-Area enhancements for VSP 7400 Series:

  • Increase the number of nodes that can function as boundary nodes from two to four.

  • Ability to configure virtual NNI links for Multi-Area boundary nodes.

• ExtremeCloud SD-WAN enhancements:

  • Auto-sense port Multi-area SPB support—On boundary nodes, you can configure in which IS-IS area Auto-sense creates an ExtremeCloud SD-WAN-learned interface.

  • ExtremeCloud SD-WAN Bypass and MPLS support—Auto-sense automatically configures Link Debounce on the switch port that connects to SD-WAN Appliance.

• ZTP+ Enhancement—CLIP can be used for switch management.

For more information, see VOSS Release Notes.

Security Enhancements

The software supports the following security enhancements:

• OCSP support for RADSec certificates—You can use the radius server host WORD<0-113> used-by cli secure-ocsp command to enable RADIUS Online Certificate Status Protocol (OCSP) checking.

  For more information, see the following sections:

  • Enable OCSP Checking (CLI)
  • Add a RADIUS Server (EDM)

• CA field in root and intermediate certifcates—The system checks basic constraints prior to checking the certificates. Ensure the CA field is True for every root and intermediate certificate in the certificate chain, including older certificates. If the CA field is False for the root certificate in the certificate chain, RESTCONF TLS server state is down.

  For more information about digital certificates, see Digital Certificate Upgrade Considerations.

• Certificate Signing Request (CSR) to use SHA256 for the signature algorithm