This section lists known restrictions and expected behaviors that can first appear to be issues.
For Port Mirroring considerations and restrictions, see VOSS User Guide.
The following table provides a description of the restriction or behavior.
|
Issue number |
Description |
Workaround |
|---|---|---|
|
— |
If you access the Extreme Integrated Application Hosting virtual machine using virtual-service tpvm console and use the Nano text editor inside the console access, the command ^o<cr> does not write the file to disk. |
None. |
|
VOSS-7 |
Even when you change the LLDP mode of an interface from CDP to LLDP, if the remote side sends CDP packets, the switch accepts them and refreshes the existing CDP neighbor entry. |
Disable LLDP on the interface first, and then disable CDP and re-enable LLDP. |
|
VOSS-687 |
EDM and CLI show different local preference values for a BGP IPv6 route. EDM displays path attributes as received and stored in the BGP subsystem. If the attribute is from an eBGP peer, the local preference displays as zero. CLI displays path attributes associated with the route entry, which can be modified by a policy. If a route policy is not configured, the local preference shows the default value of 100. |
None. |
|
VOSS-1954 |
After you log in to EDM, if you try to refresh the page by clicking on the refresh button in the browser toolbar, it will redirect to a blank page. This issue happens only for the very first attempt and only in Firefox. |
To refresh the page and avoid this issue, use the EDM refresh button instead of the browser refresh button. If you do encounter this issue, place your cursor in the address bar of the browser, and press Enter. This will return you to the EDM home page. |
|
VOSS-2166 |
The IPsec security association (SA) configuration has a NULL Encryption option under the Encrpt-algo parameter. Currently, you must fill the encrptKey and keyLength sub-parameters to set this option; however, these values are not used for actual IPsec processing as it is a NULL encryption option. The NULL option is required to interoperate with other vendors whose IPsec solution only supports that mode for encryption. |
There is no functional impact due to this configuration and it only leads to an unnecessary configuration step. No workaround required. |
|
VOSS-21946 |
When you create a vrf using the POSTMAN API platform, special characters, such as \\\\ and ### included in the URL are ignored. |
None. |
|
VOSS-2185 |
MAC move of the client to the new port does not automatically happen when you move a Non-EAP client authenticated on a specific port to another EAPoL or Non-EAP enabled port. |
As a workaround, perform one of the following tasks:
|
|
VOSS-5197 |
A BGP peer-group is uniquely identified by its name and not by its index. It is possible that the index that is configured for a peer-group changes between system reboots; however this has no functional impact. |
None. |
|
VOSS-7553 |
Option to configure the default queue profile rate-limit and weight values are inconsistent between EDM and CLI. Option to configure default values is missing in EDM. |
None. |
|
VOSS-7640 |
The same route is learned via multiple IPv6 routing protocols (a combination of two of the following : RIPng, OSPFv3 and BGPv6). In this specific case, an eBGP (current best – preference 45) route is replaced by and iBGP (preference 175) which in turn is replaced by and OSPFv3 (external 2) route (preference 125). |
None. |
|
VOSS-7647 |
With peer group configuration, you cannot configure Update Source interface with IPv6 loopback address in EDM. |
Use CLI. |
|
VOSS-9174 |
OVSDB remote VTEP and MAC details can take between 5 to 10 minutes to populate and display after a HW-VTEP reboots. |
Known issue in VMware NSX 6.2.4. You can upgrade to NSX 6.4 to resolve this issue. |
|
VOSS-9462 |
OVSDB VNID I-SID MAC bindings are not populated on HW-VTEPs after configuration changes. |
Known issue in VMware NSX 6.2.4. You can upgrade to NSX 6.4 to resolve this issue. |
|
VOSS-10168 |
The system CLI does not prevent you from using the same IP address for the VXLAN Gateway hardware VTEP replication remote peer IP and OOB Management IP. |
Manually check the IP configured as the OOB Management IP. Do not use the OOB Management IP address as the replication remote peer IP address. |
|
VOSS-11817 |
The OVS connect-type for virtual service Vports is designed in such a way that it connects to any generic virtual machine (VM) guest OS version using readily available Ethernet device drivers. This design approach provides initial connectivity to the VM in a consistent manner. A consequence of this approach is that Vports created with connect-type OVS will show up as 1 Gbps interfaces in the VM even though the underlying Ethernet connection supports 10 Gbps . |
If additional performance is desired, upgrade the VM guest OS with an Ethernet device driver that supports 10 Gbps interfaces. |
|
VOSS-12151 |
If logical switch has only hardware ports binding, and not VM behind software VTEP, Broadcast, Unknown Unicast, and Multicast (BUM) traffic does not flow between host behind two hardware VTEP. The NSX replicator node handles the BUM traffic. NSX does not create the replicator node unless a VM is present. In an OVSDB topology, it is expected that at least one VM connects to the software VTEP. This issue is an NSX-imposed limitation. |
After you connect the VM to the software VTEP, the issue is not seen. |
|
VOSS-12395 |
You cannot use the following cables on 10 Gb fiber interfaces, or 40 Gb channelized interfaces, with the QSA28 adapter:
|
n/a |
|
VOSS-17871 |
Starting with VOSS 8.1.5, internal system updates have resulted in a more accurate accounting of memory utilization. This can result in a higher baseline memory utilization reported although actual memory usage is not impacted. |
Update any network management alarms that are triggered by value with the new baseline. |
|
VOSS-18523 |
When you configure a port using Zero Touch Provisioning Plus (ZTP+) with ExtremeCloud IQ ‑ Site Engine, the port cannot be part of both a tagged VLAN and an untagged VLAN. |
n/a |
|
VOSS-18409 |
On the XA1400 Series switches, only one Central Processing Unit (CPU) core is assigned for control plane protocol processing. In a highly scaled scenario, a port toggling or negative scenario keeps the CPU core busy in updating the software datapath entries. Similarly, some show CLI commands that require a lot of data gathering keep the CPU core busy. In such a scenario, the main task which is responsible for handling protocol packets like Bidirectional Forwarding Detection, Intermediate-System-to-Intermediate-System, Virtual Link Aggregation Control Protocol, and so on is busy. |
For scaled scenarios on XA1400 Series switches, the CLI commands that have large sections of output, for example, show fulltech, show io spb tables, and show tech, the output must be redirected into a file. |
|
VOSS-18774 |
SSL negotiation fails when using OpenSSL client version 1.1.1. With OpenSSL 1.1.1, the server-name extension is used. This extension needs to equal the domain name in the server certificate, otherwise the certificate lookup on the server fails because the FIPS 140-2 certified cryptographic module processes the server-name extension. |
Can connect using: bash# openssl s_client -connect <domain-name>:443 |
|
VOSS-18851 |
Do not define a static route in which the NextHop definition uses an Inter-VRF redistributed route. Such a definition would require the system to perform a double lookup. When you attempt to define a static route in this way, an error message is generated. |
Define the static route in such a way that it does not require Inter-VRF redistributed routing. |
|
VOSS-21620 |
When interior nodes are running software earlier than Release 8.4 and a Multi-area takeover occurs between the boundary nodes (when the non-designated boundary node transitions to designated) in the network, the interior nodes might detect a false duplicate case between the stale LSP of the old virtual node and the new virtual node. This has no functional impact in the network. |
n/a |
|
wi01068569 |
The system displays a warning message that routes will not inject until the apply command is issued after the enable command. The warning applies only after you enable redistribution, and not after you disable redistribution. For example: Switch:1(config)#isis apply redistribute direct vrf 2 |
n/a |
|
wi01112491 |
IS-IS enabled ports cannot be added to an MLT. The current release does not support this configuration. |
n/a |
|
wi01122478 |
Stale SNMP server community entries for different VRFs appear after reboot with no VRFs. On a node with a valid configuration file saved with more than the default vrf0, SNMP community entries for that VRF are created and maintained in a separate text file, snmp_comm.txt, on every boot. The node reads this file and updates the SNMP communities available on the node. As a result, if you boot a configuration that has no VRFs, you can still see SNMP community entries for VRFs other than the globalRouter vrf0 . |
n/a |
|
wi01137195 |
A static multicast group cannot be configured on a Layer 2 VLAN before enabling IGMP snooping on the VLAN. After IGMP snooping is enabled on the Layer 2 VLAN for the first time, static multicast group configuration is allowed, even when IGMP snooping is disabled later on that Layer 2 VLAN. |
n/a |
|
wi01141638 |
When a VLAN with 1000 multicast senders is deleted, the console or Telnet session stops responding and SNMP requests time out for up to 2 minutes. |
n/a |
|
wi01142142 |
When a multicast sender moves from one port to another within the same BEB or from one vIST peer BEB to another, with the old port operationally up, the source port information in the output of the show ip igmp sender command is not updated with new sender port information. |
You can perform one of the following workarounds:
|
|
wi01145099 |
IP multicast packets with a time-to-live (TTL) equal to 1 are not switched across the SPB cloud over a Layer 2 VSN. They are dropped by the ingress BEB. |
To prevent IP multicast packets from being dropped, configure multicast senders to send traffic with TTL greater than 1. |
|
wi01159075 |
VSP 4450GTX-HT-PWR+: Mirroring functionality is not working for RSTP BPDUs. |
None. |
|
wi01171670 |
Telnet packets get encrypted on MACsec-enabled ports. |
None. |
|
wi01198872 |
On VSP 4450 Series, a loss of learned MAC addresses occurs in a vIST setup beyond 10k addresses. In a SPB setup the MAC learning is limited to 13k MAC addresses, due to the limitation of the internal architecture when using SPB. Moreover, as vIST uses SPB and due to the way vIST synchronizes MAC addresses with a vIST pair, the MAC learning in a vIST setup is limited to 10K Mac addresses. |
None. |
|
wi01210217 |
The command show eapol auth-stats displays LAST-SRC-MAC for NEAP sessions incorrectly. |
n/a |
|
wi01211415 |
In addition to the fan modules, each power supply also has a fan. The power supply stops working if a power supply fan fails, but there is no LED or software warning that indicates this failure. |
Try to recover the power supply fan by resetting the switch. If the fan does not recover, then replace the faulty power supply. |
|
wi01212034 |
When you disable EAPoL globally:
|
n/a |
|
wi01212247 |
BGP tends to have many routes. Frequent additions or deletions impact network connectivity. To prevent frequent additions or deletions, reflected routes are not withdrawn from client 2 even though they are withdrawn from client 1. Disabling route-reflection can create a black hole in the network. |
Bounce the BGP protocol globally. |
|
wi01212585 |
LED blinking in EDM is representative of, but not identical to, the actual LED blinking rates on the switch. |
n/a |
|
wi01213040 |
When you disable auto-negotiation on both sides, the 10 Gbps copper link does not come up. |
n/a |
|
wi01213066 wi01213374 |
EAP and NEAP are not supported on brouter ports. |
n/a |
|
wi01213336 |
When you configure tx mode port mirroring on T-UNI and SPBM NNI ports, unknown unicast, broadcast and multicast traffic packets that ingress these ports appear on the mirror destination port, although they do not egress the mirror source port. This is because tx mode port mirroring happens on the mirror source port before the source port squelching logic drops the packets at the egress port. |
n/a |
|
wi01219658 |
The command show khi port-statistics does not display the count for NNI ingress control packets going to the CP. |
n/a |
|
wi01219295 |
SPBM QOS: Egress UNI port does not follow port QOS with ingress NNI port and Mac-in-Mac incoming packets. |
n/a |
|
wi01223526 |
ISIS logs duplicate system ID only when the device is a direct neighbor. |
n/a |
|
wi01223557 |
Multicast outage occurs on LACP MLT when simplified vIST peer is rebooted. |
You can perform one of the following workarounds:
|
|
wi01224683 wi01224689 |
Additional link bounce can occur on 10 Gbps ports when toggling links or during cable re-insertion. Additional link bounce can occur with 40 Gbps optical cables and 40 Gbps break-out cables, when toggling links or during cable re-insertion. |
n/a |
|
wi01229417 |
Origination and termination of IPv6 6-in-4 tunnel is not supported on a node with vIST enabled. |
None. |
|
wi01232578 |
When SSH keyboard-interactive-auth mode is enabled, the server generates the password prompt to be displayed and sends it to the SSH client. The server always sends an expanded format of the IPv6 address. When SSH keyboard-interactive-auth mode is disabled and password-auth is enabled, the client itself generates the password prompt, and it displays the IPv6 address format used in the ssh command. |
None. |
|
wi01234289 |
HTTP management of the ONA is not supported when it is deployed with a VSP 4450 Series device. |
None. |
|
VOSS-26218 |
In a scaled environment, running the show io l2-tables command reiteratively can cause the switch to reboot. |
For scaled scenarios, do not run the show io l2-tables command in a loop. |
Caution
The VSP 4450GTX-HT-PWR+ has operating temperature and power restrictions. For safety and optimal operation of the device, ensure that the prescribed thresholds are strictly adhered to.
The following table provides a description of the restriction or behavior and the work around, if one exists.
|
Behavior |
Description |
Workaround |
|---|---|---|
|
For high-temperature threshold |
The VSP 4450GTX-HT-PWR+ supports a temperature range of 0°C to 70°C. In the alpha release, power supply does not shut down at an intended over-temperature threshold of 79°C. |
To prevent equipment damage, ensure that the operating temperature is within the supported temperature range of 0°C to 70°C. |
|
For power supply wattage threshold |
Software functionality to reduce the POE power budget based on the number of operational power supplies and operating temperature is not available in the Alpha SW image. |
Ensure that the POE device power draw is maintained at the following when the device is at temperatures between 61°C and 70°C:
|
|
For inoperable external USB receptacle |
The VSP 4450GTX-HT-PWR+ has an empty external USB receptacle that was not available in GTS models. Software to support the use of the external USB receptacle is not yet available in the Alpha SW image. Therefore the USB port is inoperable. |
No workarounds are provided with the alpha image. |
VOSS 4.1.0.0 and VOSS 4.2.0.0 SSH server and SSH client support password authentication mode.
VOSS 4.2.1.0 changed the SSH server from password authentication to keyboard-interactive. VOSS 4.2.1.0 changed the SSH client to automatically support either password authentication or keyboard-interactive mode.
In VOSS 4.2.1.0, you cannot configure the SSH server to support password authentication. This limitation creates a backward compatibility issue for SSH clients that do not support keyboard-interactive mode, including SSH clients that are part of pre-VOSS 4.2.1.0 software releases. For example, VOSS 4.1.0.0 SSH clients, VOSS 4.2.0.0 SSH clients, and external SSH clients that only support password authentication cannot connect to VOSS 4.2.1.0 SSH servers.
This issue is addressed in software release VOSS 4.2.1.1 and later. The default mode of the SSH server starting from VOSS 4.2.1.1 is changed back to password authentication. Beginning with VOSS 5.0, you can use a CLI command to change the SSH server mode to keyboard-interactive.
For more information about how to configure the SSH server authentication mode, see VOSS User Guide.
See the following table to understand SSH connections between specific client and server software releases.
|
Client software release |
Server software release |
Support |
|---|---|---|
|
VOSS 4.1.0.0 |
VOSS 4.2.0.0 |
Supported |
|
VOSS 4.1.0.0 |
VOSS 4.2.1.0 |
Not supported |
|
VOSS 4.2.0.0 |
VOSS 4.2.1.0 |
Not supported |
|
VOSS 4.1.0.0 |
VOSS 4.2.1.1 |
Supported |
|
VOSS 4.2.0.0 |
VOSS 4.2.1.1 |
Supported |
This feature allows multiple switches running Fabric Extend IP to be directly connected over a Layer 2 broadcast domain without the need for loopback VRFs in Release 6.0 or later.
Releases earlier than 6.0 have a single next hop/ARP restriction that require the use of loopback VRFs to deploy Fabric Extend IP over ELAN/VPLS.
For more information, see VOSS User Guide.
This feature does not behave the same way on all platforms:
VSP 4450 Series and VSP 7400 Series
The redirect next-hop filter redirects packets with a time-to-live (TTL) of 1 rather than sending them to the CPU where the CPU would generate ICMP TTL expired messages. IP Traceroute does not correctly report the hop. For more information, see VOSS User Guide.
VSP 7200 Series and VSP 8000 Series
The redirect next-hop filter does not redirect packets with a time-to-live (TTL) of 1 nor does it send them to the CPU where the CPU would generate ICMP TTL expired messages. IP Traceroute reports a timeout for the hop. For more information, see VOSS User Guide.
If you enable Application Telemetry, IPv6 Source Guard commands and configurations are blocked and not available on VSP 4450 Series, VSP 7200 Series, and VSP 8000 Series switches.
The following table identifies known restrictions.
|
Applies To |
Restriction |
|---|---|
|
All platforms |
Only port-based ACLs are supported on egress. VLAN-based ACLs are not supported. |
|
All platforms |
IPv6 ingress and IPv6 egress QoS ACL/filters are not supported. Note: IPv6 ACL DSCP Remarking is supported on VSP 4900
Series, VSP 7400
Series, and VSP
8404C.
|
|
All platforms |
Control packet action is not supported on InVSN Filter or IPv6 filters generally. |
|
All platforms |
IPv4/IPv6 VLAN based ACL filters will be applied on traffic received on all the ports if it matches VLAN ID associated with the ACL. |
|
VSP 7200 Series VSP 7400 Series VSP 8000 Series |
VLAN ID and VLAN_DOT1p attributes for untagged traffic are not supported for ingress/egress filters. |
|
All platforms |
Scaling numbers are reduced for IPv6 filters. |
|
All platforms |
The InVSN Filter does supports IP Shortcut traffic only on both UNI and NNI ports, but does not support IP Shortcut traffic on UNI ports only and NNI ports only. |
|
All platforms |
The InVSN Filter does not filter packets that arrive on NNI ingress ports but are bridged to other NNI ports or are for transit traffic. |
|
All platforms |
You can insert an InVSN ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN. |
|
Applies To |
Restriction |
|---|---|
|
All platforms |
When an ACE with action count is disabled, the statistics associated with the ACE are reset. |
|
All platforms |
Only security ACEs are supported on egress. QoS ACEs are not supported. |
|
All platforms |
ICMP type code qualifier is supported only on ingress filters. |
|
All platforms |
For port-based ACLs, you can configure VLAN qualifiers. Configuring port qualifiers are not permitted. |
|
All platforms |
For VLAN-based ACLs, you can configure port qualifiers. Configuring VLAN qualifiers are not permitted. |
|
All platforms |
Egress QoS filters are not supported for IPv6 filters. |
|
All platforms |
Source/Destination MAC addresses cannot be added as attributes for IPv6 filters ACEs. |
|
VSP 4450 Series VSP 7200 Series VSP 8000 Series |
If more than 256 IPv6 filters are configured, the number of IPv4 filters is reduced. |
|
VSP 4450 Series VSP 7200 Series VSP 8000 Series |
If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available. |