New in this Document

The following sections detail what is new in this document.

Audit Generation Improvements

In this release, audit logs are improved to inform you of the following:

Auto-sense MIB

An SNMP MIB is now available for Auto-sense functionality that was introduced in VOSS 8.3. With the introduction of this MIB, you can manage Auto-sense functionality using Enterprise Device Manager (EDM) for the following:

DHCP Relay Support For UDP Source Port 67

In earlier releases, Dynamic Host Configuration Protocol (DHCP) relay implementation used, by default, port 68 as the User Datagram Protocol (UDP) source port to forward Bootstrap Protocol (BOOTP) messages. Now DHCP relay can optionally use port 67 as the UDP source port to forward BOOTP messages.

For more information, see the following sections:

Digital Certificate Enhancements

This release includes the following digital certificate enhancements:

For more information, see the following sections:

DvR and IPv6 VRRP Coexistence on the Same I-SID

You can now configure IPv6 interface, IPv6 Virtual Router Redundancy Protocol (VRRP), and IPv6 Dynamic Host Configuration Protocol (DHCP) relay on the same Distributed Virtual Routing (DvR)-enabled VLAN or I-SID.

For more information, see the following sections:

Dynamic Change Options for a Management Instance Attributes

In earlier releases, you could not change the properties of an existing Management Instance interface without rebooting the switch.

You can now dynamically change the attributes of a Management Instance while you actively manage the switch over that same Management Instance without requiring the switch to reboot. For example, if your switch onboards using VLAN 4048, you can change that Management Instance VLAN to a new VLAN.

You can change the following attributes for the Management Instance:

For more information, see the following sections:

Enhanced Secure Mode Sensitive File Protection

This release introduces the following enhancements:

For more information, see the following sections:

Extreme Integrated Application Hosting Virtual Service CLI Enhancement

You can now provision the Fabric IPsec Gateway from the VOSS CLI using the virtual-service WORD<1-128> figw-cli WORD<1-256> command.

For more information, see Run a VM command from VOSS CLI.

Factorydefaults Flag Behavior Enhancements

The factorydefaults boot flag now removes the runtime, primary, and backup configuration files, resets all local default user account passwords, and removes all digital certificates. The Radsec, IPsec, IKE, OSPF, SNMP, SSL, SSH, OVSDB, and NTP files are also removed. The CLI displays a warning that the configurations, passwords, and files will be reset, and the system logs an informational message. The configuration and file removals occur during the next boot sequence when the factorydefaults boot flag is enabled. After the switch reboots, the configuration is removed, but the security mode setting is retained. To enable Zero Touch Onboarding after a factorydefaults boot, reboot the switch again without saving a configuration.

For more information, see Boot Sequence.

Force User to Change Password on First Login

In previous releases, you could use a default password to initially access the CLI. Now a password change is required to access the CLI on first login after a factory default or if your switch has no primary or backup configuration files. The system provides three attempts to change the password. If unsuccessful, you are taken back to the login prompt but you are not locked out. You cannot use an empty password. A password change is required irrespective of security mode, console, SSH, or Telnet access.

For more information, see CLI Passwords.

Fragmented ICMP Packet Filtering

Internet Control Message Protocol (ICMP) fragmentation distributed denial-of-service (DDoS) attacks can flood the destination resources with fragmented packets and overwhelm the network because of massive volumes of traffic. With Fragmented ICMP packet filtering, the system inspects each incoming IPv4 or IPv6 ICMP packet to determine if it should drop the packet or forward it. This feature is disabled by default.
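The drop-or-forward decision described above, as an added example written for this page (not VOSS code): it checks an IPv4 packet for ICMP with the MF flag set or a non-zero fragment offset, and an IPv6 packet for a Fragment extension header carrying ICMPv6. Packets, the `ipv4`/`ipv6_fragment` builders and the assumption that the Fragment header is the first IPv6 extension header are all constructed here.

```python
import struct

ICMP, ICMPV6, IPV6_FRAG = 1, 58, 44   # IPv4 protocol / IPv6 next-header values

def is_fragmented_icmp(pkt: bytes) -> bool:
    """True if pkt is an IPv4 ICMP fragment or an IPv6 ICMPv6 fragment."""
    if not pkt:
        return False
    version = pkt[0] >> 4
    if version == 4 and len(pkt) >= 20:
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        more_fragments = bool(flags_frag & 0x2000)   # MF flag
        fragment_offset = flags_frag & 0x1FFF         # 13-bit offset
        return pkt[9] == ICMP and (more_fragments or fragment_offset != 0)
    if version == 6 and len(pkt) >= 48 and pkt[6] == IPV6_FRAG:
        # Assumption of this example: the Fragment header is the first extension
        # header; its next-header field names the fragmented upper-layer protocol.
        return pkt[40] == ICMPV6
    return False

def filter_decision(pkt: bytes, filtering_enabled: bool = False) -> str:
    """Model of the feature: disabled by default, drops only fragmented ICMP."""
    if filtering_enabled and is_fragmented_icmp(pkt):
        return "drop"
    return "forward"

def ipv4(proto: int, flags_frag: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero, no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def ipv6_fragment(inner_next_header: int) -> bytes:
    """Constructed IPv6 header followed by a Fragment extension header (M=1)."""
    src, dst = b"\x20\x01" + b"\x00" * 14, b"\x20\x01" + b"\x00" * 13 + b"\x01"
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 8, IPV6_FRAG, 64, src, dst)
    return hdr + struct.pack("!BBHI", inner_next_header, 0, 0x0001, 0xABCD1234)

SAMPLES = {  # constructed test packets, not captures
    "icmp_whole": ipv4(ICMP, 0x0000),
    "icmp_first_frag": ipv4(ICMP, 0x2000),   # MF set, offset 0
    "icmp_last_frag": ipv4(ICMP, 0x00B9),    # MF clear, offset 185
    "udp_frag": ipv4(17, 0x2000),            # fragmented but not ICMP
    "icmpv6_frag": ipv6_fragment(ICMPV6),
    "tcp6_frag": ipv6_fragment(6),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} enabled={filter_decision(pkt, True):8s} default={filter_decision(pkt)}")
```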

Ingress Policer/Port Rate Limiter on 5420 Series, 5520 Series, VSP 4900 Series, and VSP 7400 Series

With ingress policer/port rate functionality, you can limit the bandwidth of traffic for a port or for a flow that matches an ACL ACE. A policer can be attached directly to an ACL ACE entry to perform flow-based rate limiting. You can configure the service rate and peak rate using CLI and EDM.

Ingress policer/port rate functionality is supported on the following hardware platforms:
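What "service rate" and "peak rate" mean for a flow, shown with an added two-rate token-bucket model written for this page; it is a generic trTCM-style policer, assumed here for illustration and not the switch's own algorithm. The rates, burst sizes and offered load in the scenario are constructed.

```python
class TwoRatePolicer:
    """Two-rate token-bucket policer (generic model, assumption: not VOSS's exact
    algorithm). Rates are bits per second, burst sizes are bytes. green = within
    service rate, yellow = within peak rate, red = exceeds peak rate (dropped)."""

    def __init__(self, service_rate_bps, peak_rate_bps, service_burst, peak_burst):
        self.cir = service_rate_bps / 8.0    # committed (service) rate, bytes/s
        self.pir = peak_rate_bps / 8.0       # peak rate, bytes/s
        self.cbs, self.pbs = service_burst, peak_burst
        self.tc, self.tp = float(service_burst), float(peak_burst)  # buckets start full
        self.last = 0.0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)

    def police(self, size, now):
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size > self.tp:              # exceeds even the peak allowance
            return "red"
        if size > self.tc:              # exceeds service rate, within peak rate
            self.tp -= size
            return "yellow"
        self.tc -= size                 # conforming traffic debits both buckets
        self.tp -= size
        return "green"

def simulate(policer, packet_size, interval, count):
    """Offer `count` packets spaced `interval` seconds apart; return colour counts."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for i in range(count):
        counts[policer.police(packet_size, i * interval)] += 1
    return counts

def demo_sequence():
    """Six 1500-byte frames: five back-to-back, the sixth one second later."""
    p = TwoRatePolicer(1_000_000, 2_000_000, 3000, 6000)
    return [p.police(1500, t) for t in (0.0, 0.0, 0.0, 0.0, 0.0, 1.0)]

if __name__ == "__main__":
    # Constructed scenario: 1 Mbps service rate, 2 Mbps peak rate, 3000/6000-byte
    # bursts, offered load of 12 Mbps (1500-byte frames every millisecond).
    print(demo_sequence())
    print(simulate(TwoRatePolicer(1_000_000, 2_000_000, 3000, 6000), 1500, 0.001, 1000))
```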

IPv6 ACL DSCP Remarking

IPv6 ACLs support Differentiated Services Code Point (DSCP) remarking. You can now configure IPv6 ACL QoS ACE actions for VSP 4900 Series, VSP 7400 Series, VSP 8404C, 5520 Series, and 5420 Series.

For more information, see the following sections:

Last Resort User in Enhanced Secure Mode

In earlier releases, the privilege user was used as the emergency admin if the administrator access level was disabled. Now, the privilege user is no longer used as the emergency admin and the administrator access level cannot be disabled by any means.

For more information, see Enhanced Secure Mode.

Link Debounce on 5420 Series, 5520 Series, VSP 7200 Series, VSP 8200 Series, and VSP 8400 Series

This release introduces support for the Link Debounce feature for the following platforms:

This functionality is already supported on VSP 4450 Series, VSP 4900 Series, and VSP 7400 Series.

For more information, see the following sections:

MACsec Key Agreement on VSP 4900 Series and 5520 Series

MACsec Key Agreement (MKA) protocol discovers mutually authenticated MACsec peers, and elects one as a key server. The key server generates and distributes Secure Association Keys (SAKs), which are used at both ends of an Ethernet link to encrypt and decrypt frames. The key server periodically generates and distributes SAKs to maintain the link for as long as MACsec is enabled.

MKA is now supported on the following VSP 4900 Series and 5520 Series switches and Versatile Interface Modules (VIMs):

For more information about MKA, see MACsec Key Agreement Protocol.

MACsec on 5420 Series (Pre-Shared Static Keys)

5420 Series switches now support Media Access Control Security (MACsec) in VOSS software. You must configure the boot flag using the command boot config flags macsec to enable MACsec on any of the ports.

For more information, see the following sections:

Management I-SID Assignment to DvR Leaf

In earlier releases, when you configured a Management Instance VLAN interface on a DvR Leaf node, you specified the VLAN ID. Now you can configure a Management Instance VLAN simply by specifying the I-SID.

For more information, see Management I-SID Assignment to DvR Leaf.

NTP Authentication Key Obfuscation

In earlier releases, the secret key was displayed in clear text on the console and in the configuration file when you assigned an authentication key to the server using the ntp server command.

In this release, the secret key is encrypted and is not visible on the console or in the configuration file. Asterisks now display as the secret key. The show ntp key CLI command output no longer displays the secret key field. The keysecret field in EDM is also removed.

For more information, see the following sections:

OSPFv2 MIB (RFC 4750)

This release introduces support for additional SNMP Managed Information Base (MIB) objects and traps defined in RFC 4750 OSPFv2 MIB.

For more information, see the following sections:

Other Changes

In this release, the sys sys-default command is deprecated.

The following example output displays when you enter the sys sys-default command:

WARNING: The “sys-default” command has been deprecated. Please use the “boot config flags factorydefaults” command instead

For more information about the boot config flags factorydefaults command, see Boot Sequence.

Password Enhancements for Enhanced Secure Mode

This release introduces password enhancements for enhanced secure mode. The system now enforces a minimum password change requirement: at least 8 characters of the new password must differ from the old password at the same position.

For more information, see Password Requirements.
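An added model, written for this page and not VOSS code, of the two password rules described above: the forced change on first login (three attempts, empty password rejected, no lockout) and the enhanced secure mode requirement that 8 characters differ by position. How characters beyond the shorter password's length are counted is an assumption of this example, and all passwords are constructed values.

```python
MIN_POSITIONAL_DIFFERENCE = 8   # enhanced secure mode rule described above
MAX_CHANGE_ATTEMPTS = 3         # attempts allowed on the forced first-login change

def positional_difference(old: str, new: str) -> int:
    """Count positions at which the new password differs from the old one.
    Assumption of this example: characters beyond the shorter password's
    length have nothing to match and therefore count as differing."""
    same_length_diffs = sum(1 for a, b in zip(old, new) if a != b)
    return same_length_diffs + abs(len(old) - len(new))

def check_new_password(old: str, new: str, enhanced_secure_mode: bool):
    """Return (accepted, reason) for a proposed password change."""
    if new == "":
        return False, "empty password not permitted"
    if enhanced_secure_mode:
        diff = positional_difference(old, new)
        if diff < MIN_POSITIONAL_DIFFERENCE:
            return False, f"only {diff} positions differ; {MIN_POSITIONAL_DIFFERENCE} required"
    return True, "ok"

def first_login_change(old: str, attempts: list, enhanced_secure_mode: bool = False):
    """Model of the forced change on first login: up to three attempts, then
    back to the login prompt without locking the account."""
    for n, candidate in enumerate(attempts[:MAX_CHANGE_ATTEMPTS], start=1):
        accepted, reason = check_new_password(old, candidate, enhanced_secure_mode)
        if accepted:
            return {"result": "cli", "attempts": n, "reason": reason}
    return {"result": "login prompt", "locked_out": False,
            "attempts": min(len(attempts), MAX_CHANGE_ATTEMPTS)}

if __name__ == "__main__":
    # Constructed values, not real credentials.
    old = "Password1234"
    for candidate in ("", "Password5678", "Drowssap4321"):
        print(repr(candidate), check_new_password(old, candidate, True))
    print(first_login_change(old, ["", "Password5678", "Drowssap4321"], True))
```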

PIM Infinite Threshold Policy for IPv4 and IPv6

In earlier releases, the switch did not support a threshold bit rate in relation to shortest path tree (SPT) switchover. Multicast traffic immediately switched over to the shortest and best path from the source to the receiver.

Now, you can enable the PIM Infinite Threshold Policy feature for IPv4 and IPv6 to prevent SPT switchover. Multicast traffic follows the shared tree path through a Rendezvous Point (RP) instead of switching over to SPT.

The PIM Infinite Threshold Policy feature applies to PIM sparse mode (SM) only.

RESTCONF APIs Enhancement

In earlier releases, VOSS implemented the following RESTCONF modules:

In this release, VOSS implements additional RESTCONF modules:

For more information, see Representational State Transfer Configuration Protocol (RESTCONF) Fundamentals.

Routing on Private VLANs

You can route traffic out of a private VLAN (PVLAN) by applying an IP address to a PVLAN. IP routing is supported on private VLANs for edge switches. With PVLAN packet routing, two hosts located in different private VLANs can communicate over the network.

This feature is not supported on VSP 4450 Series and XA1400 Series.

For more information, see Private VLAN Configuration Rules.

SFP28 DAC Handling in SFP28 and SFP+ ports

When you insert an SFP28 DAC in an SFP28 port, it is detected as a 25 Gbps device by default. If you want to use SFP28 DACs at 10 Gbps, you can configure the port speed to 10 Gbps using the speed command.

For more information, see Configure Auto-Negotiation Advertisements.

Simplified DvR Leaf Configuration Option on Bootup

In earlier releases, when you enabled the dvr-leaf-mode boot flag to configure the node as a DvR leaf, you were required to reboot the switch. Now you can configure the node as a DvR leaf node without rebooting, as long as there is no unsupported configuration discovered on the switch.

For more information, see the following sections:

TCP Maximum Segment Size on 5420 Series and 5520 Series

The ability to adjust the TCP maximum segment size (MSS) is added for 5520 Series and 5420 Series. This functionality was already supported on VSP 4900 Series, VSP 7400 Series, and XA1400 Series.

For more information, see the following sections: