The following sections detail what is new in this document.
Extreme Networks offers universal hardware products that support more than one Network Operating System (NOS) personality. These hardware products ship with a default NOS personality but you can select a non-default personality.
The primary method to select a NOS personality for the hardware is by using ExtremeCloud IQ. If the network is not accessible, or if you do not use Extreme Networks management software, you can change the NOS personality by using CLI commands in the running NOS. For more information about ExtremeCloud IQ, go to https://www.extremenetworks.com/extremecloud-iq/.
The first universal hardware product to support more than one NOS personality is the 5520 Series.
For more information, see Network Operating System Personalities.
This release adds support to configure the IPsec encryption key length as either 128 bit or 256 bit.
This enhancement was originally available as a demonstration feature in VOSS 8.2. This enhancement is generally available in VOSS Release 8.3.
5520 Series is a new hardware family of switches that supports both ExtremeXOS and VOSS. VOSS 8.2.5 supports the following models:
5520-24T: 24 10/100/1000BASE-T full-duplex (FDX), half-duplex (HDX), MACsec-capable ports and 2 QSFP28 Universal Ethernet ports
5520-24W: 24 10/100/1000BASE-T FDX/HDX 802.3bt Type 4 PoE MACsec-capable ports and 2 QSFP28 Universal Ethernet ports
5520-48T: 48 10/100/1000BASE-T FDX/HDX MACsec-capable ports, and 2 QSFP28 Universal Ethernet ports
5520-48W: 48 10/100/1000BASE-T FDX/HDX 802.3bt Type 4 PoE MACsec-capable ports and 2 QSFP28 Universal Ethernet ports
5520-12MW-36W: 12 100 Mbps/1 Gbps/2.5 Gbps/5 Gbps 802.3bt Type 4 PoE MACsec-capable ports, 36 10/100/1000BASE-T FDX/HDX 802.3bt Type 4 PoE MACsec-capable ports, and 2 QSFP28 Universal Ethernet ports
5520-24X: 24 100/1000BASE-X/10GBASE-X SFP+ ports and 2 QSFP28 Universal Ethernet ports
5520-48SE: 48 100/1000BASE-X MACsec-capable SFP ports and 2 QSFP28 Universal Ethernet ports
Each model provides one Versatile Interface Module (VIM) slot. You can install any one of the following VIMs in the VIM slot to provide flexible linkage to other switches or devices over a range of media:
5520-VIM-4X: Four 1 Gbps/10 Gbps SFP+ ports
5520-VIM-4XE: Four 1 Gbps/10 Gbps LRM/MACsec-capable SFP+ ports
5520-VIM-4YE: Four 10 Gbps/25 Gbps MACsec-capable SFP28 ports
Feature documentation is updated to include support statements specific to the new hardware.
XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec authentication and encryption of Fabric Extend tunnels using pre-shared keys for authentication. This release introduces a more secure authentication method through digital certificate support for IPsec.
This release enhances digital certificate support on all switches. You can configure an encrypted SHA-256 fingerprint to validate the certificate authority (CA) certificate chain and to avoid manual transfer of the root certificate file.
For more information, see Digital Certificates for IPsec Authentication and Digital Certificate/PKI.
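How a pinned SHA-256 fingerprint lets a device accept a CA chain fetched over the network without a hand-copied root file, shown as an added example that is not Extreme Networks code or the VOSS implementation. The function names, the root-last bundle order and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]

def sha256_fingerprint(der):
    """Hex SHA-256 over the whole DER encoding, as `openssl x509 -fingerprint -sha256` reports."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp):
    """Accept 'AA:BB:...' or 'aabb...'; reject anything that is not 32 bytes of hex."""
    cleaned = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

def root_matches_pin(pem_chain, pinned_fp):
    """True only if the last certificate in the bundle (assumed to be the root)
    hashes to the pinned value. Chain signature validation is a separate step."""
    ders = pem_to_der_list(pem_chain)
    if not ders:
        return False
    return hmac.compare_digest(sha256_fingerprint(ders[-1]), normalize(pinned_fp))

def _pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-in bytes, not real certificates: the fingerprint is computed
# over the raw encoding, so any byte string shows the comparison.
ISSUING_DER = b"constructed-issuing-ca-" + bytes(range(64))
ROOT_DER = b"constructed-root-ca-" + bytes(range(64, 160))
SWAPPED_ROOT_DER = b"constructed-other-root-" + bytes(range(64, 160))

# Operator-side pin in the colon-separated upper-case form openssl prints.
_hex = hashlib.sha256(ROOT_DER).hexdigest().upper()
PINNED_FP = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

GOOD_CHAIN = _pem(ISSUING_DER) + _pem(ROOT_DER)
SWAPPED_CHAIN = _pem(ISSUING_DER) + _pem(SWAPPED_ROOT_DER)

if __name__ == "__main__":
    print("expected root :", root_matches_pin(GOOD_CHAIN, PINNED_FP))
    print("swapped root  :", root_matches_pin(SWAPPED_CHAIN, PINNED_FP))
```

The pin has to reach the device over a channel independent of the one that delivers the chain; a fingerprint taken from the same download proves nothing.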
This enhancement was originally available as a demonstration feature in VOSS 8.2; this enhancement is now generally available and can be used in production environments. You can now use a single IP address in a subnet shared by all Controllers by configuring the DvR IP to be the same as the DvR gateway IP.
This feature does not apply to VSP 4450 Series or XA1400 Series.
For more information, see Distributed Virtual Routing.
This release extends the Dynamic Nickname Assignment behavior, and provides the user with a prefix parameter to assign up to 256 groups with 4,096 nicknames each.
For more information, see Dynamic Nickname Assignment.
Extreme Integrated Application Hosting (IAH) enhancements were originally available as a demonstration feature in VOSS 8.2; these enhancements are now generally available and can be used in production environments. The enhancements are provided on the following platforms:
VSP4900-24XE
VSP4900-12MXU-12XE
VSP 7432CQ
VSP 7400-48Y
You can configure the following enhancements:
IAH ports 1/s1 and 1/s2 to accommodate different connect types.
VT-d connect type on either 1/s1 or 1/s2 IAH ports.
Up to two VT-d connect types.
The Network Interface Card (NIC) type of the virtual port.
For more information, see Extreme Integrated Application Hosting.
For XA1400 Series, to improve throughput of an FE tunnel over a WAN circuit, VOSS added IPsec compression and the ability to adjust the TCP maximum segment size (MSS).
For more information, see the following:
Adjust the TCP Maximum Segment Size (using CLI)
Adjust the TCP Maximum Segment Size (using EDM)
The Fabric IPsec Gateway feature introduces a Virtual Machine that supports aggregation of Fabric Extend Tunnels with fragmentation, reassembly, and Internet Protocol Security (IPsec) encryption functions. Starting with VOSS 8.3, the Fabric IPsec Gateway feature is available for VSP 4900 Series switches. The same virtual machine continues to be available for VSP 7400 Series switches.
For more information, see Fabric IPsec Gateway Fundamentals.
VSP 4900 Series and 5520 Series add support for MAC security limit-learning. Use this feature to limit the number of MAC addresses a port can learn.
For more information, see VLAN MAC-layer Filtering Database and MAC Security.
This release modifies the following commands, which previously displayed the password in clear text as part of the configuration method, to instead prompt for the password and hide the characters as you type them:
web-server password
snmp-server user
VOSS Release 8.3 provides 60W PoE support for classes 5 and 6 on VSP 4900-12MXU-12XE.
For more information, see Power over Ethernet Fundamentals.
Fabric Extend (FE) enables the extension of Fabric Connect networking over Layer 2 or Layer 3 core IP networks. You can configure a VLAN IP interface as the FE tunnel source IP address on a device. You must configure the VLAN in the same VRF as the ISIS tunnel source IP address.
Note: This feature is generally available for the following products in VOSS Release 8.3:
5520 Series
VSP 4450 Series
VSP 4900 Series
VSP 7200 Series
VSP 7400 Series
VSP 8200 Series
VSP 8400 Series
This feature was previously generally available on XA1400 Series only.
This release expands support for VOSS switches to the network edge and simplifies deployment and network operation processes. For information about feature support, see VOSS Feature Support Matrix.
The system implements a port-based Auto-sense functionality to support zero touch capabilities when deploying a fabric-based network. Auto-sense introduces a port state machine that allows the port to change its state based on sensing what it is connected to. Port states can be IS-IS links, FA links, IP Phone links, and user links with or without network access control enabled. Additionally, Auto-sense establishes an automatic onboarding I-SID 15999999 on VLAN 4048 for automatic reachability of the network management segment.
Note: For bridged or routed reachability of the management servers (DHCP, RADIUS, Extreme Management Center, or ExtremeCloud IQ), the onboarding I-SID must be manually mapped to the management segment on at least one BEB in the network prior to zero touch deployments of new switches. Additionally, you must enable a Dynamic Nickname server on at least one node.
The following features and enhancements are introduced to support VOSS switches on the network edge and to support network automation:
IP Phone Support as part of Auto-sense
This feature focuses on automating IP Phone connectivity on the network to the VOSS switches.
For more information, see IP Phone Support.
RADIUS and EAP Enhancements
Enhancements to EAP and RADIUS-based authentication and attribute exchange automate the movement, addition, or changes of hosts at the VOSS network edge.
RADIUS Dynamic User-Based Policies
RADIUS Dynamic User-Based Policies are an addition to the Extensible Authentication Protocol (EAP) feature. RADIUS Dynamic User-Based Policies implement a dynamic method to apply filter ACL rules to EAP and NEAP authenticated user traffic.
For more information, see RADIUS Dynamic User-Based Policies.
UPnP Filtering
This feature provides an easy way to filter out Universal Plug-and-Play (UPnP) traffic without having to configure an ACL. UPnP Filtering drops all incoming multicast packets received by a switch on an IGMP-enabled interface if the multicast destination IP address is 239.255.255.250.
UPnP Filtering is disabled by default. When an IGMP interface is created, UPnP Filtering is enabled automatically on the interface for the destination multicast IP address range 239.255.255.250/32. You can use CLI or EDM to configure a different destination multicast IP address range.
Zero Touch Fabric Configuration Enhancements
Zero Touch Fabric Configuration enhancements remove support for the fabric parameter from the boot config flags factorydefaults command in this release. Now, when you boot a switch without an existing primary or secondary configuration file, the system initiates zero touch functionality, which triggers Zero Touch Fabric Configuration.