Restrictions and Expected Behaviors

This section lists known restrictions and expected behaviors that can first appear to be issues.

For Port Mirroring considerations and restrictions, see VOSS User Guide.

General Restrictions and Expected Behaviors

The following table provides a description of the restriction or behavior.

Table 1. General restrictions

Issue number

Description

Workaround

If you access the Extreme Integrated Application Hosting virtual machine using virtual-service tpvm console and use the Nano text editor inside the console access, the command ^o<cr> does not write the file to disk.

None.

VOSS-7

Even when you change the LLDP mode of an interface from CDP to LLDP, if the remote side sends CDP packets, the switch accepts them and refreshes the existing CDP neighbor entry.

Disable LLDP on the interface first, and then disable CDP and re-enable LLDP.

VOSS-687

EDM and CLI show different local preference values for a BGP IPv6 route.

EDM displays path attributes as received and stored in the BGP subsystem. If the attribute is from an eBGP peer, the local preference displays as zero.

CLI displays path attributes associated with the route entry, which can be modified by a policy. If a route policy is not configured, the local preference shows the default value of 100.

None.

VOSS-1954

After you log in to EDM, if you try to refresh the page by clicking on the refresh button in the browser toolbar, it will redirect to a blank page. This issue happens only for the very first attempt and only in Firefox.

To refresh the page and avoid this issue, use the EDM refresh button instead of the browser refresh button. If you do encounter this issue, place your cursor in the address bar of the browser, and press Enter. This will return you to the EDM home page.

VOSS-2166

The IPsec security association (SA) configuration has a NULL Encryption option under the Encrpt-algo parameter. Currently, you must fill the encrptKey and keyLength sub-parameters to set this option; however, these values are not used for actual IPsec processing as it is a NULL encryption option. The NULL option is required to interoperate with other vendors whose IPsec solution only supports that mode for encryption.

There is no functional impact due to this configuration and it only leads to an unnecessary configuration step. No workaround required.

VOSS-21946

When you create a vrf using the POSTMAN API platform, special characters, such as \\\\ and ### included in the URL are ignored.

None.

VOSS-5197

A BGP peer-group is uniquely identified by its name and not by its index. It is possible that the index that is configured for a peer-group changes between system reboots; however this has no functional impact.

None.

VOSS-7553

Option to configure the default queue profile rate-limit and weight values are inconsistent between EDM and CLI. Option to configure default values is missing in EDM.

None.

VOSS-7640

The same route is learned via multiple IPv6 routing protocols (a combination of two of the following : RIPng, OSPFv3 and BGPv6).

In this specific case, an eBGP (current best – preference 45) route is replaced by and iBGP (preference 175) which in turn is replaced by and OSPFv3 (external 2) route (preference 125). 

None.

VOSS-7647

With peer group configuration, you cannot configure Update Source interface with IPv6 loopback address in EDM.

Use CLI.

VOSS-9174

OVSDB remote VTEP and MAC details can take between 5 to 10 minutes to populate and display after a HW-VTEP reboots.

Known issue in VMware NSX 6.2.4. You can upgrade to NSX 6.4 to resolve this issue.

VOSS-9462

OVSDB VNID I-SID MAC bindings are not populated on HW-VTEPs after configuration changes.

Known issue in VMware NSX 6.2.4. You can upgrade to NSX 6.4 to resolve this issue.

VOSS-10168

The system CLI does not prevent you from using the same IP address for the VXLAN Gateway hardware VTEP replication remote peer IP and OOB Management IP.

Manually check the IP configured as the OOB Management IP. Do not use the OOB Management IP address as the replication remote peer IP address.

VOSS-11817

The OVS connect-type for virtual service Vports is designed in such a way that it connects to any generic virtual machine (VM) guest OS version using readily available Ethernet device drivers. This design approach provides initial connectivity to the VM in a consistent manner.

A consequence of this approach is that Vports created with connect-type OVS will show up as 1 Gbps interfaces in the VM even though the underlying Ethernet connection supports 10 Gbps .

If additional performance is desired, upgrade the VM guest OS with an Ethernet device driver that supports 10 Gbps interfaces.

VOSS-12151

If logical switch has only hardware ports binding, and not VM behind software VTEP, Broadcast, Unknown Unicast, and Multicast (BUM) traffic does not flow between host behind two hardware VTEP.

The NSX replicator node handles the BUM traffic. NSX does not create the replicator node unless a VM is present. In an OVSDB topology, it is expected that at least one VM connects to the software VTEP. This issue is an NSX-imposed limitation.

After you connect the VM to the software VTEP, the issue is not seen.

VOSS-17871

Starting with VOSS 8.1.5, internal system updates have resulted in a more accurate accounting of memory utilization. This can result in a higher baseline memory utilization reported although actual memory usage is not impacted.

Update any network management alarms that are triggered by value with the new baseline.

VOSS-18523

When you configure a port using Zero Touch Provisioning Plus (ZTP+) with ExtremeCloud IQ Site Engine, the port cannot be part of both a tagged VLAN and an untagged VLAN.

n/a

VOSS-18851

Do not define a static route in which the NextHop definition uses an Inter-VRF redistributed route. Such a definition would require the system to perform a double lookup. When you attempt to define a static route in this way, an error message is generated.

Define the static route in such a way that it does not require Inter-VRF redistributed routing.

VOSS-21620

When interior nodes are running software earlier than Release 8.4 and a Multi-area takeover occurs between the boundary nodes (when the non-designated boundary node transitions to designated) in the network, the interior nodes might detect a false duplicate case between the stale LSP of the old virtual node and the new virtual node. This has no functional impact in the network.

n/a

wi01068569

The system displays a warning message that routes will not inject until the apply command is issued after the enable command. The warning applies only after you enable redistribution, and not after you disable redistribution. For example: Switch:1(config)#isis apply redistribute direct vrf 2

n/a

wi01112491

IS-IS enabled ports cannot be added to an MLT. The current release does not support this configuration.

n/a

wi01122478

Stale SNMP server community entries for different VRFs appear after reboot with no VRFs. On a node with a valid configuration file saved with more than the default vrf0, SNMP community entries for that VRF are created and maintained in a separate text file, snmp_comm.txt, on every boot. The node reads this file and updates the SNMP communities available on the node. As a result, if you boot a configuration that has no VRFs, you can still see SNMP community entries for VRFs other than the globalRouter vrf0 .

n/a

wi01137195

A static multicast group cannot be configured on a Layer 2 VLAN before enabling IGMP snooping on the VLAN. After IGMP snooping is enabled on the Layer 2 VLAN for the first time, static multicast group configuration is allowed, even when IGMP snooping is disabled later on that Layer 2 VLAN.

n/a

wi01141638

When a VLAN with 1000 multicast senders is deleted, the console or Telnet session stops responding and SNMP requests time out for up to 2 minutes.

n/a

wi01142142

When a multicast sender moves from one port to another within the same BEB or from one vIST peer BEB to another, with the old port operationally up, the source port information in the output of the show ip igmp sender command is not updated with new sender port information.

You can perform one of the following workarounds:

  • On an IGMP snoop-enabled interface, you can flush IGMP sender records.

    Caution:

    Flushing sender records can cause a transient traffic loss.

  • On an IGMP-enabled Layer 3 interface, you can toggle the IGMP state.

    Caution:

    Expect traffic loss until IGMP records are built after toggling the IGMP state.

wi01171670

Telnet packets get encrypted on MACsec-enabled ports.

None.

wi01210217

The command show eapol auth-stats displays LAST-SRC-MAC for NEAP sessions incorrectly.

n/a

wi01212034

When you disable EAPoL globally:

  • Traffic is allowed for static MAC configured on EAPoL enabled port without authentication.

  • Static MAC config added for authenticated NEAP client is lost.

n/a

wi01212247

BGP tends to have many routes. Frequent additions or deletions impact network connectivity. To prevent frequent additions or deletions, reflected routes are not withdrawn from client 2 even though they are withdrawn from client 1. Disabling route-reflection can create a black hole in the network.

Bounce the BGP protocol globally.

wi01212585

LED blinking in EDM is representative of, but not identical to, the actual LED blinking rates on the switch.

n/a

wi01213066 wi01213374

EAP and NEAP are not supported on brouter ports.

n/a

wi01213336

When you configure tx mode port mirroring on T-UNI and SPBM NNI ports, unknown unicast, broadcast and multicast traffic packets that ingress these ports appear on the mirror destination port, although they do not egress the mirror source port. This is because tx mode port mirroring happens on the mirror source port before the source port squelching logic drops the packets at the egress port. 

n/a

wi01219658

The command show khi port-statistics does not display the count for NNI ingress control packets going to the CP.

n/a

wi01219295

SPBM QOS: Egress UNI port does not follow port QOS with ingress NNI port and Mac-in-Mac incoming packets.

n/a

wi01223526

ISIS logs duplicate system ID only when the device is a direct neighbor.

n/a

wi01223557

Multicast outage occurs on LACP MLT when simplified vIST peer is rebooted. 

You can perform one of the following workarounds:

  • Enable PIM on the edge.

  • Ensure that IST peers are either RP or DR but not both.

wi01224683 wi01224689

Additional link bounce can occur on 10 Gbps ports when toggling links or during cable re-insertion.

Additional link bounce can occur with 40 Gbps optical cables and 40 Gbps break-out cables, when toggling links or during cable re-insertion.

n/a

wi01229417

Origination and termination of IPv6 6-in-4 tunnel is not supported on a node with vIST enabled.

None.

wi01232578

When SSH keyboard-interactive-auth mode is enabled, the server generates the password prompt to be displayed and sends it to the SSH client. The server always sends an expanded format of the IPv6 address. When SSH keyboard-interactive-auth mode is disabled and password-auth is enabled, the client itself generates the password prompt, and it displays the IPv6 address format used in the ssh command.

None.

VOSS-26218

In a scaled environment, running the show io l2-tables command reiteratively can cause the switch to reboot.

For scaled scenarios, do not run the show io l2-tables command in a loop.

VOSS-31214

With the upgrade to Mocana 7, RadSec Proxy certificates must conform to the following SP 800-132 specifications for PBKDFv2 parameters:
  • salt length of at least 128 bits
  • derived key length of at least 112 bits
  • iteration count of at least 1000

When you generate public or private key-pairs protected by a password with older versions of OpenSSL, the default PKCS5_SALT_LEN is 8 bytes, which results in TLS failures.

You can perform one of the following workarounds:

  • Recompile OpenSSL to use a PKCS5_SALT_LEN value of 16 bytes and generate new certificates.
  • Use a newer version of OpenSSL that is FIPS approved.
  • Generate the keys without password protection.

Redirect Next-hop Filter Restrictions

This feature does not behave the same way on all platforms:

On VSP 7400 Series, the redirect next-hop filter redirects packets with a time-to-live (TTL) of 1 rather than sending them to the CPU where the CPU would generate ICMP TTL expired messages. IP Traceroute does not correctly report the hop. For more information, see VOSS User Guide.

Filter Restrictions

The following table identifies known restrictions.

Table 2. ACL restrictions

Applies To

Restriction

All platforms

Only port-based ACLs are supported on egress. VLAN-based ACLs are not supported.

All platforms

IPv6 ingress and IPv6 egress QoS ACL/filters are not supported.

Note: IPv6 ACL DSCP Remarking is supported on VSP 7400 Series.

All platforms

Control packet action is not supported on InVSN Filter or IPv6 filters generally.

All platforms

IPv4/IPv6 VLAN based ACL filters will be applied on traffic received on all the ports if it matches VLAN ID associated with the ACL.

VSP 7400 Series

VLAN ID and VLAN_DOT1p attributes for untagged traffic are not supported for ingress/egress filters.

All platforms

Scaling numbers are reduced for IPv6 filters. 

All platforms

The InVSN Filter does supports IP Shortcut traffic only on both UNI and NNI ports, but does not support IP Shortcut traffic on UNI ports only and NNI ports only.

All platforms

The InVSN Filter does not filter packets that arrive on NNI ingress ports but are bridged to other NNI ports or are for transit traffic.

All platforms

You can insert an InVSN ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.

Table 3. ACE restrictions

Applies To

Restriction

All platforms

When an ACE with action count is disabled, the statistics associated with the ACE are reset.

All platforms

Only security ACEs are supported on egress. QoS ACEs are not supported.

All platforms

ICMP type code qualifier is supported only on ingress filters.

All platforms

For port-based ACLs, you can configure VLAN qualifiers. Configuring port qualifiers are not permitted. 

All platforms

For VLAN-based ACLs, you can configure port qualifiers. Configuring VLAN qualifiers are not permitted.

All platforms

Egress QoS filters are not supported for IPv6 filters.

All platforms

Source/Destination MAC addresses cannot be added as attributes for IPv6 filters ACEs.