The following sections detail what is new in this document.
In this release, audit logs are improved to inform you of the following:
configuration errors during certificate installation
different mismatches or errors in secure applications that use Public Key Infrastructure (PKI), such as SSH x509, Web TLS, IPsec IKE, and Syslog
An SNMP MIB is now available for Auto-sense functionality that was introduced in VOSS 8.3. With the introduction of this MIB, you can manage Auto-sense functionality using Enterprise Device Manager (EDM) for the following:
In earlier releases, Dynamic Host Configuration Protocol (DHCP) relay implementation used, by default, port 68 as the User Datagram Protocol (UDP) source port to forward Bootstrap Protocol (BOOTP) messages. Now DHCP relay can optionally use port 67 as the UDP source port to forward BOOTP messages.
This release includes the following digital certificate enhancements:
You can configure up to eight certificate authority (CA) trustpoint servers.
You can configure the CA trustpoint or offline identity for secure applications that use digital certificates, such as SSH x509, Web TLS, IPsec IKE, Syslog, and IPsec Fabric Extend strongSwan.
You can configure up to 10 subject names or subject alternative names (SAN) as device identity.
You can generate up to 10 RSA keys identified by key name.
You can generate a certificate signing request (CSR) with a specified key and subject identity.
You can specify a subject and a key to install offline subject certificates for a previously generated CSR.
For more information, see the following sections:
You can now configure IPv6 interface, IPv6 Virtual Router Redundancy Protocol (VRRP), and IPv6 Dynamic Host Configuration Protocol (DHCP) relay on the same Distributed Virtual Routing (DvR)-enabled VLAN or I-SID.
For more information, see the following sections:
In earlier releases, you could not change the properties of an existing Management Instance interface without rebooting the switch.
You can now dynamically change the attributes of a Management Instance while you actively manage the switch over that same Management Instance without requiring the switch to reboot. For example, if your switch onboards using VLAN 4048, you can change that Management Instance VLAN to a new VLAN.
You can change the following attributes for the Management Instance:
Management Instance VLAN:
VLAN ID
IPv4 address
default gateway
I-SID (on a DvR Leaf)
ports-tagged
ports-untagged
IPv4 address
vrf
IPv4 address
default gateway
For more information, see the following sections:
This release introduces the following enhancements:
Sensitive files and paths are now protected for switches in enhanced secure mode. The home directory for enhanced secure mode is changed from /intflash to /intflash/shared.
You cannot access sensitive files using Telnet, SSH, FTP, SFTP, TFTP, and SCP connections.
Updated the ssh dsa-user-key|rsa-user-key command to copy the public key from /intflash/.ssh to /intflash/shared. The no ssh dsa-user-key|rsa-user-key command is also updated to delete the public key from /intflash/shared. These commands are now available on switches in enhanced secure mode.
Added the new ssh install-user-key command to import or remove the imported SSH, RSA, or DSA public or private keys. This command is available on switches in enhanced secure mode.
Implemented critical security parameters (CSP) zeroization for plain text keys, SSH, Digicert, RADSec, SLA Mon, RESTCONF, and OVSDB. When a key or certificate is uninstalled or overwritten, the corresponding file is removed. For switches in enhanced secure mode, the passwords file is removed and recreated each time the file is accessed.
Log files are now protected against deletion so that all actions remain traceable. Additional restrictions are added to the Telnet, SSH, FTP, SFTP, TFTP, and SCP applications to protect the current log file from deletion. In previous releases, the Administrator access level role could access the remove and delete log commands. In this release, the Administrator access level role no longer has access to these commands.
The home directory for log files generation is changed from /intflash to /intflash/shared. This also applies to switches in enhanced secure mode.
For more information, see the following sections:
You can now provision the Fabric IPsec Gateway from the VOSS CLI using the virtual-service WORD<1-128> figw-cli WORD<1-256> command.
For more information, see Run a VM command from VOSS CLI.
The factorydefaults boot flag now removes the runtime, primary, and backup configuration files, resets all local default user account passwords, and removes all digital certificates. The Radsec, IPsec, IKE, OSPF, SNMP, SSL, SSH, OVSDB, and NTP files are also removed. The CLI displays a warning that the configurations, passwords, and files will be reset, and the system logs an informational message. The configuration and file removals occur during the next boot sequence when the factorydefaults boot flag is enabled. After the switch reboots, the configuration is removed, but the security mode setting is retained. To enable Zero Touch Onboarding after a factorydefaults boot, reboot the switch again without saving a configuration.
For more information, see Boot Sequence.
In previous releases, you could use a default password to initially access the CLI. Now a password change is required to access the CLI on first login after a factory default or if your switch has no primary or backup configuration files. The system provides three attempts to change the password. If unsuccessful, you are taken back to the login prompt but you are not locked out. You cannot use an empty password. A password change is required irrespective of security mode, console, SSH, or Telnet access.
For more information, see CLI Passwords.
Internet Control Message Protocol (ICMP) fragmentation distributed denial-of-service (DDoS) attacks can flood the destination resources with fragmented packets and overwhelm the network because of massive volumes of traffic. With Fragmented ICMP packet filtering, the system inspects each incoming IPv4 or IPv6 ICMP packet to determine if it should drop the packet or forward it. This feature is disabled by default.
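As an added illustration (not Extreme's code), the following Python models the inspection the feature performs: it parses constructed IPv4 and IPv6 packets, flags fragments that carry ICMP, and keeps the filter disabled by default as on the switch. The packet builders and the decide function are assumptions for the demonstration; IPv6 handling is simplified to a Fragment header placed directly after the fixed header.

```python
import struct

IPV4_PROTO_ICMP = 1
IPV6_NH_FRAGMENT = 44
IPV6_NH_ICMPV6 = 58


def ipv4_packet(proto, mf=False, offset=0, payload=b"\x08\x00" + b"\x00" * 6):
    """Constructed sample: minimal 20-byte IPv4 header (no options) plus payload."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)  # MF flag + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def ipv6_fragment(inner_next, mf=False, offset=0, payload=b"\x80\x00" + b"\x00" * 6):
    """Constructed sample: IPv6 header whose first extension header is a Fragment header."""
    frag = struct.pack("!BBHI", inner_next, 0, ((offset & 0x1FFF) << 3) | int(mf), 0xABCD)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(frag) + len(payload),
                      IPV6_NH_FRAGMENT, 64,
                      b"\x20\x01" + b"\x00" * 14, b"\x20\x01" + b"\x00" * 13 + b"\x01")
    return hdr + frag + payload


def is_fragmented_icmp(packet):
    """True when the packet is an IPv4 or IPv6 fragment (MF set or non-zero offset) carrying ICMP."""
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        flags_frag = struct.unpack("!H", packet[6:8])[0]
        fragmented = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
        return packet[9] == IPV4_PROTO_ICMP and fragmented
    if version == 6 and len(packet) >= 48 and packet[6] == IPV6_NH_FRAGMENT:
        # Simplification (assumption): only a Fragment header directly after the fixed header is examined.
        inner_next, _, off_flags = struct.unpack("!BBH", packet[40:44])
        fragmented = (off_flags >> 3) != 0 or bool(off_flags & 1)
        return inner_next == IPV6_NH_ICMPV6 and fragmented
    return False


def decide(packet, filtering_enabled=False):
    """Return 'drop' or 'forward'; the feature is disabled by default, so nothing is dropped unless enabled."""
    if filtering_enabled and is_fragmented_icmp(packet):
        return "drop"
    return "forward"
```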
With ingress policer/port rate functionality, you can limit the bandwidth of traffic for a port or for a flow that matches an ACL ACE. A policer can be attached directly to an ACL ACE entry to perform flow-based rate limiting. You can configure the service rate and peak rate using CLI and EDM.
Ingress policer/port rate functionality is supported on the following hardware platforms:
VSP 4900 Series
IPv6 ACLs support Differentiated Services Code Point (DSCP) remarking. You can now configure IPv6 ACL QoS ACE actions for VSP 4900 Series, VSP 7400 Series, VSP 8404C, 5520 Series, and 5420 Series.
For more information, see the following sections:
In earlier releases, the privilege user was used as the emergency admin if the administrator access level was disabled. Now, the privilege user is no longer used as the emergency admin and the administrator access level cannot be disabled by any means.
For more information, see Enhanced Secure Mode.
This release introduces support for the Link Debounce feature for the following platforms:
5420 Series
5520 Series
VSP 7200 Series
VSP 8200 Series
VSP 8400 Series
This functionality is already supported on VSP 4450 Series, VSP 4900 Series, and VSP 7400 Series.
For more information, see the following sections:
MACsec Key Agreement (MKA) protocol discovers mutually authenticated MACsec peers, and elects one as a key server. The key server generates and distributes Secure Association Keys (SAKs), which are used at both ends of an Ethernet link to encrypt and decrypt frames. The key server periodically generates and distributes SAKs to maintain the link for as long as MACsec is enabled.
MKA is now supported on the following VSP 4900 Series and 5520 Series switches and Versatile Interface Modules (VIMs):
VSP4900-24XE
VSP4900-12MXU-12XE
VSP4900-48P
5520-24T
5520-24W
5520-12MW-36W
5520-48SE
5520-48T
5520-48W
VIM5-4XE
VIM5-4YE
5520-VIM-4XE
5520-VIM-4YE
For more information about MKA, see MACsec Key Agreement Protocol.
5420 Series switches now support Media Access Control Security (MACsec) in VOSS software. You must configure the boot flag using the command boot config flags macsec to enable MACsec on any of the ports.
For more information, see the following sections:
In earlier releases, when you configured a Management Instance VLAN interface on a DvR Leaf node, you specified the VLAN ID. Now you can configure a Management Instance VLAN simply by specifying the I-SID.
For more information, see Management I-SID Assignment to DvR Leaf.
In earlier releases, the secret key was displayed in clear text on the console and in the configuration file when you assigned an authentication key to the server using the ntp server command.
In this release, the secret key is encrypted and is not visible on the console or in the configuration file. Asterisks display in place of the secret key. The show ntp key CLI command output no longer displays the secret key field. The keysecret field in EDM is also removed.
This release introduces support for additional SNMP Management Information Base (MIB) objects and traps defined in RFC 4750 OSPFv2 MIB.
For more information, see the following sections:
In this release, the sys sys-default command is deprecated.
The following example output displays when you enter the sys sys-default command:
WARNING: The “sys-default” command has been deprecated. Please use the “boot config flags factorydefaults” command instead
For more information about the boot config flags factorydefaults command, see Boot Sequence.
This release introduces password enhancements for enhanced secure mode. The system now enforces a minimum password change: 8 characters of the new password must differ from the old password when the two are compared position by position.
For more information, see Password Requirements.
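An added example (not Extreme's implementation) that applies the two password rules described on this page: the first-login change with three attempts and no empty password, and the enhanced secure mode minimum change of 8 differing positions. How a length difference between old and new passwords is counted is an assumption made here.

```python
MIN_CHANGED_POSITIONS = 8  # minimum change stated for enhanced secure mode
MAX_ATTEMPTS = 3           # first-login rule: three attempts, then back to the login prompt


def changed_positions(old, new):
    """Count positions at which new differs from old.

    Assumption: positions that exist in only one of the two strings
    (the length difference) are counted as changed positions.
    """
    common = min(len(old), len(new))
    differing = sum(1 for i in range(common) if old[i] != new[i])
    return differing + abs(len(old) - len(new))


def password_change_allowed(old, new):
    """Reject an empty password, then require enough positions to change."""
    if not new:
        return False
    return changed_positions(old, new) >= MIN_CHANGED_POSITIONS


def first_login_change(old, candidates):
    """Model the first-login flow: up to three candidates are tried in order.

    Returns the accepted password, or None when all attempts fail; the
    caller is returned to the login prompt rather than locked out.
    """
    for candidate in candidates[:MAX_ATTEMPTS]:
        if password_change_allowed(old, candidate):
            return candidate
    return None
```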
In earlier releases, the switch did not support a threshold bit rate in relation to shortest path tree (SPT) switchover. Multicast traffic immediately switched over to the shortest and best path from the source to the receiver.
Now, you can enable the PIM Infinite Threshold Policy feature for IPv4 and IPv6 to prevent SPT switchover. Multicast traffic follows the shared tree path through a Rendezvous Point (RP) instead of switching over to SPT.
The PIM Infinite Threshold Policy feature applies to PIM sparse mode (SM) only.
In earlier releases, VOSS implemented the following RESTCONF modules:
OpenConfig – System (aaa)
OpenConfig – LLDP
OpenConfig – VLAN
In this release, VOSS implements additional RESTCONF modules:
OpenConfig - Extreme Network Service
OpenConfig - Relay Agent
OpenConfig - Interfaces Port
OpenConfig - Interfaces LAG
OpenConfig - Platform
OpenConfig - Network Instance
OpenConfig - Spanning Tree Protocol
For more information, see Representational State Transfer Configuration Protocol (RESTCONF) Fundamentals.
You can route traffic out of a private VLAN (PVLAN) by applying an IP address to a PVLAN. IP routing is supported on private VLANs for edge switches. With PVLAN packet routing, two hosts located in different private VLANs can communicate over the network.
This feature is not supported on VSP 4450 Series and XA1400 Series.
For more information, see Private VLAN Configuration Rules.
When you insert an SFP28 DAC in an SFP28 port, it is detected as a 25 Gbps device by default. If you want to use SFP28 DACs at 10 Gbps, you can optionally configure the port speed to 10 Gbps using the speed command.
For more information, see Configure Auto-Negotiation Advertisements.
In earlier releases, when you enabled the dvr-leaf-mode boot flag to configure the node as a DvR leaf, you were required to reboot the switch. Now you can configure the node as a DvR leaf node without rebooting, as long as there is no unsupported configuration discovered on the switch.
For more information, see the following sections:
The ability to adjust the TCP maximum segment size (MSS) is added for 5520 Series and 5420 Series. This functionality was already supported on VSP 4900 Series, VSP 7400 Series, and XA1400 Series.