New in this Document

The following sections detail what is new in this document.

Auto-sense NNI LLDP Signaling for Zero-touch Fabric Connect Support

This release implements support for the Link Layer Discovery Protocol (LLDP) Fabric Connect Type–Length–Value (TLV) on the VSP 8600 Series. The LLDP Fabric Connect TLV contains details about the pre-configured B-VLANs and system ID that a system sends to other devices in a network topology.

Factorydefaults Flag Behavior Enhancements

The factorydefaults boot flag now removes the runtime, primary, and backup configuration files, resets all local default user account passwords, and removes all digital certificates. The Radsec, IPsec, IKE, OSPF, SNMP, SSL, SSH, OVSDB, and NTP files are also removed. The CLI displays a warning that the configurations, passwords, and files will be reset, and the system logs an informational message. The configuration and file removals occur during the next boot sequence when the factorydefaults boot flag is enabled. After the switch reboots, the security mode setting is retained. To enable Zero Touch Onboarding after a factorydefaults boot, reboot the switch again without saving a configuration.

Force Default Password Change on First Login

In previous releases, you could use a default password to initially access the CLI. Now a password change is required to access the CLI on first login after a factory default or if your switch has no primary or backup configuration files. The system provides three attempts to change the password. If unsuccessful, you are taken back to the login prompt but you are not locked out. You cannot use an empty password. A password change is required irrespective of security mode, console, SSH, or Telnet access.

For more information, see CLI Passwords.

IPv6 OSPFv3 Neighbor Advertisements without R-bit

This release introduces OSPFv3 neighbor advertisements without R-bit. If an OSPFv3 neighbor does not provide the R-bit in the Network Discovery (ND) packet, the system enables R-bit for every OSPFv3 neighbor with dependent routes to avoid deletion resulting from inactivity. An OSPFv3 neighbor without R-bit that experiences a timeout can now trigger the Network Unreachability Detection (NUD), instead of being deleted.

For more information, see OSPFv3.

IPv6 OSPFv3 on CLIP Interfaces

This release adds support for Open Shortest Path First Version 3 (OSPFv3) configuration on circuitless IP (CLIP) interfaces for the Global Router or a specific Virtual Router Forwarding (VRF) instance. The switch supports a maximum of 64 OSPFv3 CLIP interfaces.

Key Health Indicator Enhancements

This release adds a new Key Health Indicator (KHI) parameter, rx-queue, to the show khi performance command to display queue performance and utilization statistics on the switch.

For more information, see Display KHI Performance Information.

MACsec Key Agreement on VSP 8600 Series

The MACsec Key Agreement (MKA) protocol discovers mutually authenticated MACsec peers and elects one as a key server. The key server generates and distributes Secure Association Keys (SAKs), which are used at both ends of an Ethernet link to encrypt and decrypt frames. The key server periodically generates and distributes SAKs to maintain the link for as long as MACsec is enabled.

MACsec Key Agreement (MKA) is now supported on the VSP 8600 Series switches.

For more information about MKA, see MACsec Key Agreement Protocol.

MACsec on 8606CQ IOC Module Channelized Ports

MACsec is now supported for channelized ports on an 8606CQ IOC module. MACsec is supported on 8606CQ channelized ports in 4x10 Gbps or 4x25 Gbps configurations. If you enable channelization on a port, the MACsec configuration migrates from the main port to the first subport. If you disable channelization on a port, the MACsec configuration migrates from the first subport to the main port.

For more information, see MACsec Fundamentals.

New Features with High Availability-CPU (HA-CPU) Support

The following new features have HA-CPU support:
Note

All IPv6 applications have partial HA-CPU support. The system synchronizes user configuration data, including IPv6 addresses and static routes, from the primary CPU to the standby CPU. The system does not synchronize dynamic data from protocol learning. After a CPU failover, the IPv6 applications must restart and rebuild data tables, which causes an interruption of traffic that is dependent on the IPv6 protocol or applications with partial HA support.

  • Factory Default flag behavior enhancements

  • SHA512 secure password hashing

  • MACsec Key Agreement (MKA)

  • IPv6 OSPFv3 neighbor advertisements without R-bit

  • IPv6 OSPFv3 support on circuitless IP interfaces

For more information, see High Availability-CPU (HA-CPU).

NTP Authentication Key Obfuscation

In earlier releases, the secret key was displayed in clear text on the console and in the configuration file when you used the ntp server command to assign an authentication key to the server.

In this release, the secret key is encrypted and is not visible on the console or in the configuration file. Asterisks are displayed in place of the secret key. The show ntp key CLI command output no longer displays the secret key field. The keysecret field in EDM is also removed.

SHA512 Password Hashing

SHA2 512-bit password hashing is available as a security enhancement beyond the previous default SHA1 160-bit password hashing method. The new CLI command password hash changes the password hash between SHA1 and SHA2. The new default is SHA2 for new switches running this release.

If you change the password hash level, the system deletes all custom users and old password files. After a password hash level change, on first login each default user must change their password. If hsecure mode is enabled, a user password history is saved. You can view the currently configured password hash level with the command show cli password or show running-config module cli.
Note

Switches upgraded to this release retain SHA1 password hashes and custom users, until a factory default reset or until the password hash level is changed. During a factory default reset, SHA2 512-bit becomes the default password hash, all custom users are deleted, and SHA1 passwords are removed.

In the case of a software downgrade to a release before VSP 8600 Series Release 8.1, all SHA2 password hashes roll back to SHA1 hashes with default passwords.