New and Corrected Features in Switch Engine 33.1.100

This section lists the new and corrected features supported in the 33.1.100 software:

Updated Password Policies

The following additional password policies have been added in this release to provide more security for user and password combinations:
  • The password cannot be the same as the user name.
  • Characters in the password cannot be repeated in succession, for example "aa" or "11".
  • Characters cannot be sequential beyond three characters, for example "abcd" or "1234".
  • A password cannot be reused within 90 days.
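
The four rules above can be checked before a password is pushed to the switch, for example from a provisioning script. The following is an added example, not vendor code or part of the original release notes. It assumes that the user-name comparison is case-sensitive, that only ascending runs such as "abcd" or "1234" count as sequential, and that password history is kept as (salt, digest, set_at) tuples, which is a hypothetical layout.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

REUSE_WINDOW = timedelta(days=90)  # "cannot be reused within 90 days"
MAX_SEQUENCE = 3                   # longer ascending runs ("abcd", "1234") are rejected

def digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def longest_ascending_run(password: str) -> int:
    """Length of the longest run of consecutive letters or digits, e.g. 'abcd' -> 4."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        same_class = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
        run = run + 1 if same_class and ord(cur) - ord(prev) == 1 else 1
        best = max(best, run)
    return best

def policy_violations(user, password, history=(), now=None):
    """Return the violated rules; an empty list means the password passes.

    history: iterable of (salt, digest, set_at) tuples (hypothetical layout).
    """
    now = now or datetime.now()
    problems = []
    if password == user:  # assumption: exact, case-sensitive comparison
        problems.append("same as user name")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("repeated character in succession")
    if longest_ascending_run(password) > MAX_SEQUENCE:
        problems.append("sequential run beyond three characters")
    for salt, old, set_at in history:
        # Only entries younger than 90 days block reuse; compare in constant time.
        if now - set_at < REUSE_WINDOW and hmac.compare_digest(old, digest(password, salt)):
            problems.append("reused within 90 days")
            break
    return problems
```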

Updated SNMPv3 Password and Key policies

The following additional SNMPv3 password and key policies have been added in this release to provide more security:

CLI Command to Enable or Disable All Management Access Modes

The following command can be used to enable or disable all the management access modes in the switch:

enable/disable switch access

Entering the previous command results in the following actions:
  • Enable/disable ssh2 (which also disables SFTP)
  • Enable/disable telnet
  • Enable/disable web (http|https), which also disables REST-API
  • Enable/disable SNMP access

Confidential Information Stored on the Switch Is Not Accessible

Confidential information, such as all passwords, keys (symmetric and shared), and SNMP authentication details stored in the switch, is not displayed in the configuration or CLI output with simple encoding, like BASE64. These values are salted and encrypted by an entropy provider that is SP800-90B compliant.

Administrator Notification When Audit Trail Exceeds a Limit

The administrator is notified when the audit trail size reaches 90% or more of the disk capacity.

FIPS Mode Is Enabled When Korean CC Mode Is Enabled

When Korean CC mode is enabled on the switch from the CLI, FIPS mode is also enabled. FIPS mode remains enabled when the switch is unconfigured after it was configured for Korean CC mode.

Notes for openssl Upgrade to 3.0.1

The following notes apply to an upgrade to openssl 3.0.1:

The following TLS ciphers are supported in 33.1.100:

TLSv1.2:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLSv1.3:
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256

CLI Commands for Security Profiles

This release has been updated so that a security profile can be configured for the switch for added security. When enabled, the profile remains enabled after upgrading the switch operating system and unconfiguring the switch.

The following command displays the security profile that is currently configured:

show security profile

In this example output, no profiles have been configured:

5420F-24S-4XE-SwitchEngine.10 # show security profile
Security profile (current)      : Off
Security profile (configured)   : Off

In this example output, the Korean CC profile has been configured and the switch has been rebooted:

5420F-24S-4XE-SwitchEngine.2 # show security profile
Security profile (current)      : Korean Common Criteria
Security profile (configured)   : Korean Common Criteria

The following command configures the Korean CC security profile:

configure security profile [korean-cc]

The following command can be used to unconfigure the security profile:

Note

This command returns the switch to factory default settings.

unconfigure switch erase [all | nvram]

Software and Hardware Self-Test CLI Commands

A new hardware self-test is run during system initialization. The self-test checks the status of the CPU, memory, flash memory, network interface, and power, and then creates a report with pass/fail results of the self-test. The report can be displayed in the CLI and summary results are included in the audit log.

The following command displays the hardware self-test results on a standalone switch:

show diagnostics boot-time

Example:

# show diagnostics boot-time 
 
Switch: 5520-48T-ACDC
Time:   Thu May 23 18:47:34 2024
 
Component             Result  Details
====================  ======  =================================================
CPU                   PASS                                                      
Memory                PASS                                                      
Storage               PASS                                                      
Power                 FAIL    PSU-1: Powered On, PSU-2: Power Failed                   
Mgmt interface        PASS    Mgmt interface present, Link Up                   

There is an existing CLI command that performs a software self-test, consisting of software diagnostic checks, and then creates a summarized report on the results of the self-test. The report is displayed in the CLI command output and in the audit log. The same software self-tests are now performed as part of the boot process of the switch.

The following command displays the software self-test results on a standalone switch:

show process

Example:

# show process
Process Name     Version  Restart    State             Start Time        Group
-------------------------------------------------------------------------------
aaa              3.0.0.4     0    Ready        Sat Dec 11 22:42:28 2021  Vital
acl              3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
bfd              1.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
bgp              4.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
brm              1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
cfgmgr           3.0.0.21    0    Ready        Sat Dec 11 22:42:28 2021  Vital
cli              3.0.0.22    0    Ready        Sat Dec 11 22:42:28 2021  Vital
devmgr           3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
dirser           3.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Vital
dosprotect       3.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
dot1ag           1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
eaps             3.0.0.8     0    Ready        Sat Dec 11 22:42:28 2021  Vital
edp              3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
elrp             3.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
elsm             3.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
ems              3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
epm              3.0.0.4     0    Ready        Sat Dec 11 22:42:26 2021  Vital
erps             1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
esrp             3.0.0.4     0    Ready        Sat Dec 11 22:42:28 2021  Vital
ethoam           1.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
etmon            1.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
exacl            3.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exdhcpsnoop      1.0.0.1     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exdos            3.0.0.2     0    Ready        Sat Dec 11 22:42:26 2021  Kernel
exfib            1.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exfipSnoop       1.0.0.0     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exosmc           3.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exosq            3.0.0.2     0    Ready        Sat Dec 11 22:42:26 2021  Kernel
exsflow          1.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exsnoop          3.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
exsshd           6.5.1.69    0    Ready        Sat Dec 11 22:42:29 2021  Other
exvlan           3.0.0.2     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
fcoe             1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
fdb              7.1.0.0     0    Ready        Sat Dec 11 22:42:28 2021  Vital
gptp             1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
hal              3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
hclag            1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
idMgr            1.0.1.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
ipSecurity       1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
ipfix            3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
isis             1.0.0.2     0    Ready        Sat Dec 11 22:42:29 2021  Vital
ismb             1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
lacp             3.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
lldp             1.2.0.0     0    Ready        Sat Dec 11 22:42:28 2021  Vital
mcmgr            4.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
mpls             Not Started 0    No license   Not Started               Vital
mrp              1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
msdp             1.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
netLogin         2.1.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
netTools         3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
nettx            3.0.0.2     0    Ready        Sat Dec 11 22:42:26 2021  Kernel
nodealias        1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
nodealias_snoop  1.0.0.1     0    Ready        Sat Dec 11 22:42:27 2021  Kernel
nodemgr          3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
ntp              4.2.6.3     0    Ready        Sat Dec 11 22:42:29 2021  Vital
ospf             3.0.0.3     0    Ready        Sat Dec 11 22:42:28 2021  Vital
ospfv3           3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
otm              1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
pim              3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
polMgr           3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
policy           1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
pwmib            1.0.0.0     0    Ready        Sat Dec 11 22:42:28 2021  Vital
rip              3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
ripng            3.0.0.1     0    Ready        Sat Dec 11 22:42:28 2021  Vital
rtmgr            4.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
snmpMaster       4.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
snmpSubagent     3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
stp              3.0.4.4     0    Ready        Sat Dec 11 22:42:28 2021  Vital
techSupport      1.0.0.0     0    Ready        Sat Dec 11 22:42:28 2021  Vital
telnetd          3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Other
tftpd            3.0.0.2     0    Ready        Sat Dec 11 22:42:28 2021  Vital
thttpd           1.0.0.0     0    Ready        Sat Dec 11 22:42:29 2021  Other
twamp            1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
upm              1.0.0.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
vlan             4.1.0.3     0    Ready        Sat Dec 11 22:42:28 2021  Vital
vmt              1.0.1.1     0    Ready        Sat Dec 11 22:42:29 2021  Vital
vrrp             3.0.0.5     0    Ready        Sat Dec 11 22:42:28 2021  Vital
vsm              1.0.0.2     0    Ready        Sat Dec 11 22:42:29 2021  Vital
xmlc             1.0.1.0     0    Ready        Sat Dec 11 22:42:29 2021  Vital
xmld             1.0.0.0     0    Ready        Sat Dec 11 22:42:28 2021  Vital
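
A monitoring script can turn the two self-test reports above (show diagnostics boot-time and show process) into a list of findings. This is an added example, not vendor code or part of the original release notes; the sample rows are copied from the outputs above except the bgp row, whose restart count and start time are constructed, and treating mpls in state "No license" as expected is an assumption.

```python
import re

# Constructed samples: rows copied from the example outputs on this page, plus
# one altered process row ("bgp", 3 restarts) so the check has something to flag.
BOOT_DIAG = """\
Component             Result  Details
====================  ======  =================================================
CPU                   PASS
Power                 FAIL    PSU-1: Powered On, PSU-2: Power Failed
Mgmt interface        PASS    Mgmt interface present, Link Up
"""
PROCESSES = """\
Process Name     Version  Restart    State             Start Time        Group
-------------------------------------------------------------------------------
aaa              3.0.0.4     0    Ready        Sat Dec 11 22:42:28 2021  Vital
bgp              4.0.0.2     3    Ready        Sat Dec 11 23:10:02 2021  Vital
mpls             Not Started 0    No license   Not Started               Vital
"""
PROC_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<version>Not Started|\S+)\s+(?P<restart>\d+)"
                      r"\s+(?P<state>.+?)\s{2,}(?P<start>.+?)\s{2,}(?P<group>\S+)\s*$")

def table_rows(text, ruler):
    """Return the non-empty lines after the ruler line made only of `ruler` chars."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.strip() and set(line.replace(" ", "")) == {ruler}:
            break
    return [l for l in lines if l.strip()]

def hardware_failures(text):
    """(component, details) for every boot-time row whose Result is not PASS."""
    rows = (re.split(r"\s{2,}", l.strip(), maxsplit=2) for l in table_rows(text, "="))
    return [(r[0], r[2] if len(r) > 2 else "") for r in rows if len(r) < 2 or r[1] != "PASS"]

def process_findings(text, expected_idle=("mpls",)):
    """Flag unparsable rows, restarted processes, and processes that are not Ready."""
    findings = []
    for line in table_rows(text, "-"):
        m = PROC_ROW.match(line)
        if not m:
            findings.append(("?", "unparsable row: " + line.strip()))
        elif int(m["restart"]) > 0:
            findings.append((m["name"], f"restarted {m['restart']} time(s)"))
        elif m["state"] != "Ready" and m["name"] not in expected_idle:
            findings.append((m["name"], "state " + m["state"]))
    return findings
```

Anything other than PASS is reported, so an unknown result string is treated as a failure rather than silently ignored.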