Restrictions and Expected Behaviors

This section lists known restrictions and expected behaviors that can at first appear to be issues.

For Port Mirroring considerations and restrictions, see VOSS User Guide.

General Restrictions and Expected Behaviors

The following table provides a description of the restriction or behavior.

Table 1. General restrictions

Issue number

Description

Workaround

If you access the Extreme Integrated Application Hosting virtual machine using virtual-service tpvm console and use the Nano text editor inside the console access, the command ^o<cr> does not write the file to disk.

None.

VOSS-7

Even when you change the LLDP mode of an interface from CDP to LLDP, if the remote side sends CDP packets, the switch accepts them and refreshes the existing CDP neighbor entry.

Disable LLDP on the interface first, and then disable CDP and re-enable LLDP.

VOSS-687

EDM and CLI show different local preference values for a BGP IPv6 route.

EDM displays path attributes as received and stored in the BGP subsystem. If the attribute is from an eBGP peer, the local preference displays as zero.

CLI displays path attributes associated with the route entry, which can be modified by a policy. If a route policy is not configured, the local preference shows the default value of 100.

None.

VOSS-1954

After you log in to EDM, if you try to refresh the page by clicking on the refresh button in the browser toolbar, it will redirect to a blank page. This issue happens only for the very first attempt and only in Firefox.

To refresh the page and avoid this issue, use the EDM refresh button instead of the browser refresh button. If you do encounter this issue, place your cursor in the address bar of the browser, and press Enter. This will return you to the EDM home page.

VOSS-2166

The IPsec security association (SA) configuration has a NULL Encryption option under the Encrpt-algo parameter. Currently, you must fill the encrptKey and keyLength sub-parameters to set this option; however, these values are not used for actual IPsec processing as it is a NULL encryption option. The NULL option is required to interoperate with other vendors whose IPsec solution only supports that mode for encryption.

There is no functional impact due to this configuration and it only leads to an unnecessary configuration step. No workaround required.

VOSS-21946

When you create a VRF using the POSTMAN API platform, special characters, such as \\\\ and ###, included in the URL are ignored.

None.

VOSS-2185

MAC move of the client to the new port does not automatically happen when you move a Non-EAP client authenticated on a specific port to another EAPoL or Non-EAP enabled port.

As a workaround, perform one of the following tasks:

  • Clear the non-EAP session on the port that the client is first authenticated on, before you move the client to another port.

  • Create a VLAN on the switch with the same VLAN ID as that dynamically assigned by the RADIUS server during client authentication. Use the command vlan create <2-4059> type port-mstprstp <0-63>. Ensure that the new port is a member of this VLAN.

VOSS-5197

A BGP peer-group is uniquely identified by its name and not by its index. It is possible that the index that is configured for a peer-group changes between system reboots; however, this has no functional impact.

None.

VOSS-7553

The options to configure the default queue profile rate-limit and weight values are inconsistent between EDM and CLI. The option to configure default values is missing in EDM.

None.

VOSS-7640

The same route is learned via multiple IPv6 routing protocols (a combination of two of the following: RIPng, OSPFv3 and BGPv6).

In this specific case, an eBGP (current best – preference 45) route is replaced by an iBGP (preference 175) route, which in turn is replaced by an OSPFv3 (external 2) route (preference 125).

None.

VOSS-7647

With peer group configuration, you cannot configure Update Source interface with IPv6 loopback address in EDM.

Use CLI.

VOSS-9174

OVSDB remote VTEP and MAC details can take between 5 and 10 minutes to populate and display after a HW-VTEP reboots.

Known issue in VMware NSX 6.2.4. You can upgrade to NSX 6.4 to resolve this issue.

VOSS-9462

OVSDB VNID I-SID MAC bindings are not populated on HW-VTEPs after configuration changes.

Known issue in VMware NSX 6.2.4. You can upgrade to NSX 6.4 to resolve this issue.

VOSS-10168

The system CLI does not prevent you from using the same IP address for the VXLAN Gateway hardware VTEP replication remote peer IP and OOB Management IP.

Manually check the IP configured as the OOB Management IP. Do not use the OOB Management IP address as the replication remote peer IP address.

VOSS-11817

The OVS connect-type for virtual service Vports is designed in such a way that it connects to any generic virtual machine (VM) guest OS version using readily available Ethernet device drivers. This design approach provides initial connectivity to the VM in a consistent manner.

A consequence of this approach is that Vports created with connect-type OVS will show up as 1 Gbps interfaces in the VM even though the underlying Ethernet connection supports 10 Gbps.

If additional performance is desired, upgrade the VM guest OS with an Ethernet device driver that supports 10 Gbps interfaces.

VOSS-12151

If a logical switch has only hardware port bindings, and no VM behind a software VTEP, Broadcast, Unknown Unicast, and Multicast (BUM) traffic does not flow between hosts behind two hardware VTEPs.

The NSX replicator node handles the BUM traffic. NSX does not create the replicator node unless a VM is present. In an OVSDB topology, it is expected that at least one VM connects to the software VTEP. This issue is an NSX-imposed limitation.

After you connect the VM to the software VTEP, the issue is not seen.

VOSS-12395

You cannot use the following cables on 10 Gb fiber interfaces, or 40 Gb channelized interfaces, with the QSA28 adapter:

  • 1, 3, and 5 meter QSFP28 25 Gb DAC

  • 20 meter QSFP28 25 Gb AOC

n/a

VOSS-17871

Starting with VOSS 8.1.5, internal system updates have resulted in a more accurate accounting of memory utilization. This can result in a higher baseline memory utilization reported although actual memory usage is not impacted.

Update any network management alarms that are triggered by value with the new baseline.

VOSS-18523

When you configure a port using Zero Touch Provisioning Plus (ZTP+) with ExtremeCloud IQ - Site Engine, the port cannot be part of both a tagged VLAN and an untagged VLAN.

n/a

VOSS-18409

On the XA1400 Series switches, only one Central Processing Unit (CPU) core is assigned for control plane protocol processing. In a highly scaled scenario, a port toggling or negative scenario keeps the CPU core busy in updating the software datapath entries. Similarly, some show CLI commands that require a lot of data gathering keep the CPU core busy. In such a scenario, the main task which is responsible for handling protocol packets like Bidirectional Forwarding Detection, Intermediate-System-to-Intermediate-System, Virtual Link Aggregation Control Protocol, and so on is busy.

For scaled scenarios on XA1400 Series switches, redirect the output of CLI commands that have large sections of output, for example, show fulltech, show io spb tables, and show tech, into a file.

VOSS-18774

SSL negotiation fails when using OpenSSL client version 1.1.1.

With OpenSSL 1.1.1, the server-name extension is used. This extension needs to equal the domain name in the server certificate, otherwise the certificate lookup on the server fails because the FIPS 140-2 certified cryptographic module processes the server-name extension.

You can connect using: bash# openssl s_client -connect <domain-name>:443

VOSS-18851

Do not define a static route in which the NextHop definition uses an Inter-VRF redistributed route. Such a definition would require the system to perform a double lookup. When you attempt to define a static route in this way, an error message is generated.

Define the static route in such a way that it does not require Inter-VRF redistributed routing.

VOSS-21620

When interior nodes are running software earlier than Release 8.4 and a Multi-area takeover occurs between the boundary nodes (when the non-designated boundary node transitions to designated) in the network, the interior nodes might detect a false duplicate case between the stale LSP of the old virtual node and the new virtual node. This has no functional impact in the network.

n/a

wi01068569

The system displays a warning message that routes will not inject until the apply command is issued after the enable command. The warning applies only after you enable redistribution, and not after you disable redistribution. For example: Switch:1(config)#isis apply redistribute direct vrf 2

n/a

wi01112491

IS-IS enabled ports cannot be added to an MLT. The current release does not support this configuration.

n/a

wi01122478

Stale SNMP server community entries for different VRFs appear after reboot with no VRFs. On a node with a valid configuration file saved with more than the default vrf0, SNMP community entries for that VRF are created and maintained in a separate text file, snmp_comm.txt, on every boot. The node reads this file and updates the SNMP communities available on the node. As a result, if you boot a configuration that has no VRFs, you can still see SNMP community entries for VRFs other than the globalRouter vrf0.

n/a

wi01137195

A static multicast group cannot be configured on a Layer 2 VLAN before enabling IGMP snooping on the VLAN. After IGMP snooping is enabled on the Layer 2 VLAN for the first time, static multicast group configuration is allowed, even when IGMP snooping is disabled later on that Layer 2 VLAN.

n/a

wi01141638

When a VLAN with 1000 multicast senders is deleted, the console or Telnet session stops responding and SNMP requests time out for up to 2 minutes.

n/a

wi01142142

When a multicast sender moves from one port to another within the same BEB or from one vIST peer BEB to another, with the old port operationally up, the source port information in the output of the show ip igmp sender command is not updated with new sender port information.

You can perform one of the following workarounds:

  • On an IGMP snoop-enabled interface, you can flush IGMP sender records.

    Caution:

    Flushing sender records can cause a transient traffic loss.

  • On an IGMP-enabled Layer 3 interface, you can toggle the IGMP state.

    Caution:

    Expect traffic loss until IGMP records are built after toggling the IGMP state.

wi01145099

IP multicast packets with a time-to-live (TTL) equal to 1 are not switched across the SPB cloud over a Layer 2 VSN. They are dropped by the ingress BEB.

To prevent IP multicast packets from being dropped, configure multicast senders to send traffic with TTL greater than 1.

wi01159075

VSP 4450GTX-HT-PWR+: Mirroring functionality is not working for RSTP BPDUs.

None.

wi01171670

Telnet packets get encrypted on MACsec-enabled ports.

None.

wi01198872

On VSP 4450 Series, a loss of learned MAC addresses occurs in a vIST setup beyond 10k addresses.

In an SPB setup, MAC learning is limited to 13k MAC addresses, due to the limitation of the internal architecture when using SPB. Moreover, because vIST uses SPB, and because of the way vIST synchronizes MAC addresses with a vIST pair, MAC learning in a vIST setup is limited to 10K MAC addresses.

None.

wi01210217

The command show eapol auth-stats displays LAST-SRC-MAC for NEAP sessions incorrectly.

n/a

wi01211415

In addition to the fan modules, each power supply also has a fan. The power supply stops working if a power supply fan fails, but there is no LED or software warning that indicates this failure.

Try to recover the power supply fan by resetting the switch. If the fan does not recover, then replace the faulty power supply.

wi01212034

When you disable EAPoL globally:

  • Traffic is allowed for static MAC configured on EAPoL enabled port without authentication.

  • Static MAC config added for authenticated NEAP client is lost.

n/a

wi01212247

BGP tends to have many routes. Frequent additions or deletions impact network connectivity. To prevent frequent additions or deletions, reflected routes are not withdrawn from client 2 even though they are withdrawn from client 1. Disabling route-reflection can create a black hole in the network.

Bounce the BGP protocol globally.

wi01212585

LED blinking in EDM is representative of, but not identical to, the actual LED blinking rates on the switch.

n/a

wi01213040

When you disable auto-negotiation on both sides, the 10 Gbps copper link does not come up.

n/a

wi01213066 wi01213374

EAP and NEAP are not supported on brouter ports.

n/a

wi01213336

When you configure tx mode port mirroring on T-UNI and SPBM NNI ports, unknown unicast, broadcast and multicast traffic packets that ingress these ports appear on the mirror destination port, although they do not egress the mirror source port. This is because tx mode port mirroring happens on the mirror source port before the source port squelching logic drops the packets at the egress port. 

n/a

wi01219658

The command show khi port-statistics does not display the count for NNI ingress control packets going to the CP.

n/a

wi01219295

SPBM QOS: Egress UNI port does not follow port QOS with ingress NNI port and Mac-in-Mac incoming packets.

n/a

wi01223526

ISIS logs duplicate system ID only when the device is a direct neighbor.

n/a

wi01223557

Multicast outage occurs on LACP MLT when simplified vIST peer is rebooted. 

You can perform one of the following workarounds:

  • Enable PIM on the edge.

  • Ensure that IST peers are either RP or DR but not both.

wi01224683 wi01224689

Additional link bounce can occur on 10 Gbps ports when toggling links or during cable re-insertion.

Additional link bounce can occur with 40 Gbps optical cables and 40 Gbps break-out cables, when toggling links or during cable re-insertion.

n/a

wi01229417

Origination and termination of IPv6 6-in-4 tunnel is not supported on a node with vIST enabled.

None.

wi01232578

When SSH keyboard-interactive-auth mode is enabled, the server generates the password prompt to be displayed and sends it to the SSH client. The server always sends an expanded format of the IPv6 address. When SSH keyboard-interactive-auth mode is disabled and password-auth is enabled, the client itself generates the password prompt, and it displays the IPv6 address format used in the ssh command.

None.

wi01234289

HTTP management of the ONA is not supported when it is deployed with a VSP 4450 Series device.

None.

VOSS-26218

In a scaled environment, running the show io l2-tables command repeatedly can cause the switch to reboot.

For scaled scenarios, do not run the show io l2-tables command in a loop.

VSP 4450GTX-HT-PWR+ Restrictions

Caution


The VSP 4450GTX-HT-PWR+ has operating temperature and power restrictions. For safety and optimal operation of the device, ensure that the prescribed thresholds are strictly adhered to.

The following table provides a description of the restriction or behavior and the workaround, if one exists.

Table 2. VSP 4450GTX-HT-PWR+ restrictions

Behavior

Description

Workaround

For high-temperature threshold

The VSP 4450GTX-HT-PWR+ supports a temperature range of 0°C to 70°C. In the alpha release, the power supply does not shut down at an intended over-temperature threshold of 79°C.

To prevent equipment damage, ensure that the operating temperature is within the supported temperature range of 0°C to 70°C.

For power supply wattage threshold

Software functionality to reduce the POE power budget based on the number of operational power supplies and operating temperature is not available in the Alpha SW image.

Ensure that the POE device power draw is maintained at the following when the device is at temperatures between 61°C and 70°C:

  • 400W — with 1 operational power supply

  • 832W — with 2 operational power supplies

For inoperable external USB receptacle

The VSP 4450GTX-HT-PWR+ has an empty external USB receptacle that was not available in GTS models. Software to support the use of the external USB receptacle is not yet available in the Alpha SW image. Therefore the USB port is inoperable.

No workarounds are provided with the alpha image.

SSH Connections

VOSS 4.1.0.0 and VOSS 4.2.0.0 SSH server and SSH client support password authentication mode.

VOSS 4.2.1.0 changed the SSH server from password authentication to keyboard-interactive. VOSS 4.2.1.0 changed the SSH client to automatically support either password authentication or keyboard-interactive mode.

In VOSS 4.2.1.0, you cannot configure the SSH server to support password authentication. This limitation creates a backward compatibility issue for SSH clients that do not support keyboard-interactive mode, including SSH clients that are part of pre-VOSS 4.2.1.0 software releases. For example, VOSS 4.1.0.0 SSH clients, VOSS 4.2.0.0 SSH clients, and external SSH clients that only support password authentication cannot connect to VOSS 4.2.1.0 SSH servers.

This issue is addressed in software release VOSS 4.2.1.1 and later. The default mode of the SSH server starting from VOSS 4.2.1.1 is changed back to password authentication. Beginning with VOSS 5.0, you can use a CLI command to change the SSH server mode to keyboard-interactive.

For more information about how to configure the SSH server authentication mode, see VOSS User Guide.

See the following table to understand SSH connections between specific client and server software releases.

Table 3. SSH connection support

Client software release    Server software release    Support
VOSS 4.1.0.0               VOSS 4.2.0.0               Supported
VOSS 4.1.0.0               VOSS 4.2.1.0               Not supported
VOSS 4.2.0.0               VOSS 4.2.1.0               Not supported
VOSS 4.1.0.0               VOSS 4.2.1.1               Supported
VOSS 4.2.0.0               VOSS 4.2.1.1               Supported
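
The compatibility rules described in this section, modelled as an added example (it is not Extreme Networks code and not part of the original release notes): a client connects only when its authentication modes overlap the server's, and a live server's offered modes can be read from OpenSSH `ssh -v` output. The function names, the treatment of releases not named above, and the sample debug text are assumptions made for illustration.

```python
import re

PASSWORD, KBDINT = "password", "keyboard-interactive"

def parse_release(text):
    """Turn 'VOSS 4.2.1.0' or '5.0' into a 4-tuple, zero-padding short forms."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no release number in {text!r}")
    return tuple((nums + [0, 0, 0])[:4])

def server_methods(release, keyboard_interactive=False):
    """Authentication modes the SSH server accepts, per the text above."""
    rel = parse_release(release)
    if rel == (4, 2, 1, 0):
        return {KBDINT}          # password mode cannot be configured here
    if keyboard_interactive:
        if rel < (5, 0, 0, 0):
            raise ValueError("server mode is selectable only from VOSS 5.0")
        return {KBDINT}
    return {PASSWORD}            # 4.1.0.0, 4.2.0.0, and the 4.2.1.1+ default

def client_methods(release):
    """Pre-4.2.1.0 clients are password-only; later ones handle either mode."""
    if parse_release(release) >= (4, 2, 1, 0):
        return {PASSWORD, KBDINT}
    return {PASSWORD}

def can_connect(client, server, keyboard_interactive=False):
    """True when client and server share at least one authentication mode."""
    return bool(client_methods(client) & server_methods(server, keyboard_interactive))

# OpenSSH clients log the server's remaining methods on this `ssh -v` line.
_CONTINUE = re.compile(r"^debug1: Authentications that can continue: (\S+)", re.M)

def offered_methods(ssh_debug_output):
    """Methods a live server advertises, read from `ssh -v` client output."""
    match = _CONTINUE.search(ssh_debug_output)
    return set(match.group(1).split(",")) if match else set()

def blocks_password_only_clients(ssh_debug_output):
    """True when the server answered but did not offer password authentication."""
    offered = offered_methods(ssh_debug_output)
    return bool(offered) and PASSWORD not in offered

# Constructed sample: what a keyboard-interactive-only server would produce.
SAMPLE_DEBUG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

if __name__ == "__main__":
    for c, s in [("4.1.0.0", "4.2.0.0"), ("4.1.0.0", "4.2.1.0"),
                 ("4.2.0.0", "4.2.1.0"), ("4.1.0.0", "4.2.1.1"),
                 ("4.2.0.0", "4.2.1.1")]:
        print(f"client {c} -> server {s}: "
              f"{'Supported' if can_connect(c, s) else 'Not supported'}")
    print("blocks password-only clients:", blocks_password_only_clients(SAMPLE_DEBUG))
```
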

Fabric Extend IP over ELAN/VPLS

This feature allows multiple switches running Fabric Extend IP to be directly connected over a Layer 2 broadcast domain without the need for loopback VRFs in Release 6.0 or later.

Releases earlier than 6.0 have a single next hop/ARP restriction that requires the use of loopback VRFs to deploy Fabric Extend IP over ELAN/VPLS.

For more information, see VOSS User Guide.

Redirect Next-hop Filter Restrictions

This feature does not behave the same way on all platforms:

IP Source Guard Restrictions

If you enable Application Telemetry, IPv6 Source Guard commands and configurations are blocked and not available on VSP 4450 Series, VSP 7200 Series, and VSP 8000 Series switches.

Filter Restrictions

The following table identifies known restrictions.

Table 4. ACL restrictions

Applies To

Restriction

All platforms

Only port-based ACLs are supported on egress. VLAN-based ACLs are not supported.

All platforms

IPv6 ingress and IPv6 egress QoS ACL/filters are not supported.

Note: IPv6 ACL DSCP Remarking is supported on VSP 4900 Series, VSP 7400 Series, and VSP 8404C.

All platforms

Control packet action is not supported on InVSN Filter or IPv6 filters generally.

All platforms

IPv4/IPv6 VLAN-based ACL filters are applied to traffic received on all ports if the traffic matches the VLAN ID associated with the ACL.

VSP 7200 Series

VSP 7400 Series

VSP 8000 Series

VLAN ID and VLAN_DOT1p attributes for untagged traffic are not supported for ingress/egress filters.

All platforms

Scaling numbers are reduced for IPv6 filters. 

All platforms

The InVSN Filter supports IP Shortcut traffic only on both UNI and NNI ports, but does not support IP Shortcut traffic on UNI ports only or NNI ports only.

All platforms

The InVSN Filter does not filter packets that arrive on NNI ingress ports but are bridged to other NNI ports or are for transit traffic.

All platforms

You can insert an InVSN ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.

Table 5. ACE restrictions

Applies To

Restriction

All platforms

When an ACE with action count is disabled, the statistics associated with the ACE are reset.

All platforms

Only security ACEs are supported on egress. QoS ACEs are not supported.

All platforms

ICMP type code qualifier is supported only on ingress filters.

All platforms

For port-based ACLs, you can configure VLAN qualifiers. Configuring port qualifiers is not permitted.

All platforms

For VLAN-based ACLs, you can configure port qualifiers. Configuring VLAN qualifiers is not permitted.

All platforms

Egress QoS filters are not supported for IPv6 filters.

All platforms

Source/Destination MAC addresses cannot be added as attributes for IPv6 filter ACEs.

VSP 4450 Series

VSP 7200 Series

VSP 8000 Series

If more than 256 IPv6 filters are configured, the number of IPv4 filters is reduced.

VSP 4450 Series

VSP 7200 Series

VSP 8000 Series

If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available.