Enterasys C2G124-24, C2H124-48, C2G124-48, C2G124-48P, C2H124-48P Release Note

...
C2G124-24
C2G124-48
C2G124-48P
C2H124-48
C2H124-48P
C2K122-24
C2G134-24P
C2G170-24
C3G124-24P
C3G124-24
C3G124-48
C3G124-48P
Enterasys Networks recommends that you thoroughly review this release note prior to installing or upgrading this product. There may be a more up-to-date version of this Release Note. Please go to the Enterasys web site to ensure that this is the latest revision of the Release Note (http://www.enterasys.com/support/).
Status            Version No.    Type                 Release Date
Current Version   5.01.06.0007   Maintenance Release  August 2008
Previous Version  5.01.06.0006   Maintenance Release  August 2008
Previous Version  5.01.05.0004   Maintenance Release  July 2008
Previous Version  5.01.04.0001   Maintenance Release  June 2008
Previous Version  5.01.03.0007   Maintenance Release  May 2008
Previous Version  5.01.03.0003   Maintenance Release  May 2008
Previous Version  5.01.02.0007   Maintenance Release  March 2008
Previous Version  5.01.01.0051   Maintenance Release  March 2008
Previous Version  5.01.01.0049   Maintenance Release  February 2008
Previous Version  5.01.01.0047   Maintenance Release  January 2008
Previous Version  5.01.01.0040   Maintenance Release  December 2007
Previous Version  5.01.01.0039   Feature Release      December 2007
Previous Version  5.00.75        Customer Release     August 2007
Previous Version  5.00.59        Customer Release     March 2007
Previous Version  5.00.32        Customer Release     January 2007
Previous Version  5.00.28        Customer Release     December 2006
Previous Version  4.00.31        Customer Release     August 2006
Previous Version  4.00.24        Customer Release     July 2006
Previous Version  3.03.33        Customer Release     April 2006
CUSTOMER RELEASE NOTES
Enterasys® SecureStack™ C2
Firmware Version 5.01.06.0007
August 2008
INTRODUCTION:
This document provides specific information for version 5.01.06.0007 of firmware for the following SecureStack C2 products:
FIRMWARE SPECIFICATION:
08/13/2008 P/N: 9038155-52 Subject to Change Without Notice Page: 1 of 41
F0615-O
Status            Version No.    Type                 Release Date
Previous Version  3.03.27        Customer Release     March 2006
Previous Version  3.02.32        Customer Release     February 2006
Previous Version  3.02.30        Customer Release     January 2006
Previous Version  3.01.94        Customer Release     January 2006
Previous Version  3.01.91        Customer Release     November 2005
Previous Version  3.01.90        Customer Release     November 2005
Previous Version  3.01.80        Customer Release     October 2005
Previous Version  3.01.71        Customer Release     August 2005
Previous Version  3.01.52        Customer Release     July 2005
Previous Version  3.01.45        Customer Release     June 2005
Previous Version  3.01.20        Customer Release     June 2005
Previous Version  3.00.52        Customer Release     May 2005
Previous Version  3.00.50        Customer Release     May 2005
Previous Version  2.01.37        Customer Release     April 2005
Previous Version  2.01.26        Customer Release     March 2005
Previous Version  2.01.24        Customer Release     March 2005
Previous Version  2.01.22        Customer Release     March 2005
Previous Version  2.01.20        Customer Release     February 2005
Previous Version  2.00.48        Customer Release     December 2004
Previous Version  1.01.12        Customer Release     November 2004
Previous Version  1.01.11        Customer Release     October 2004
Previous Version  1.00.20        Customer Release     July 2004
NMS Platform                         Version No.
NetSight Automated Security Manager  3.1.1
NetSight Console                     3.1.1
NetSight Inventory Manager           3.1.1
NetSight Policy Manager              3.1.1
NetSight NAC Manager                 3.1.1
BOOTPROM COMPATIBILITY:
This version of firmware is compatible with all boot code versions.
NETWORK MANAGEMENT SOFTWARE SUPPORT:
If you install this image, you may not have control of all the latest features of this product until the next version(s) of network management software. Please review the software release notes for your specific network management platform for details.
SUPPORTED FUNCTIONALITY:
Existing Product Features
20 Gbps Full Duplex (40 Gbps bidirectional) Stacking Interconnect
Support for mixing SecureStack C3 with a SecureStack C2 stack
802.1D
MGBIC support: MGBIC-LC01, MGBIC-LC03, MGBIC-LC09, MGBIC-02, MGBIC-08, MGBIC-MT01
802.1Q – VLAN tagging and identification
16K MAC Address Table
802.1p – Traffic Management / Mapping to 6 queues
Selectable MAC hashing algorithms
802.3x Flow Control
Auto Negotiation
802.3ad – Dynamic and Static Creation for Link Aggregation (6 LAGs, 8 ports per LAG)
8 Priority Queues Per port
802.1s – Multiple Spanning Tree Protocol (up to 4 instances)
Queuing Control Strict & Weighted Round Robin
802.1w – Rapid Spanning Tree
Jumbo Frames (up to 9K)
Spanning Tree Backup Root
Ability to set port advertise ability via CLI
Legacy Path Cost
Multi-method Authentication
STP Pass Thru
User + IP Phone Authentication
SpanGuard
802.1X Authentication
Loop Protect
Multiple RFC3580 users per Gigabit port (up to 6)
RFC3580 VLAN Authentication using MAC Authentication
CoS Inbound Rate Limiting in mixed C2/C3 stacks
LLDP
L2 Policy rules in mixed C2/C3 stacks
Link Flap Detection
802.1X IP Phone Authentication
Per Port Broadcast Suppression
Non Strict 802.1X default RFC 3580 With Auth Failure
Port Mirroring (up to 8 ports anywhere in the stack)
RADIUS Client
Private Port (Private VLAN)
Turn off RADIUS Authentication (RADIUS Realm)
Cabletron Discovery Protocol (CDP)
Session-Timeout and Termination-Action RADIUS Attributes Support
Cisco Discovery Protocol (CDP) v1/2
MAC Authentication / MAC Authentication Masking
Cisco IP Phone Discovery
MAC Authentication retained after age out
GVRP
RADIUS Accounting for MAC Authentication
IGMP v1/v2/v3 Snooping
Web Authentication (PWA)
Syslog
Web Redirect – PWA+ and URL redirection
CLI Management
EAP Pass Thru
Telnet Support
Dynamic and Static MAC Locking
SSH Support
New Mac Trap
IPv4/IPv6 Dual Host Management Support
Dynamic VLAN Assignment (RFC 3580)
WebView
Dynamic Egress
SSL Interface to WebView
RMON (4 groups)
Text-based Configuration Upload/Download
RMON View in the CLI With Persistent Sets
Discard VLAN Tagged Frames
RMON Packet Capture/Filtering Sampling
Policy Manager Support
SNMPv1, SNMPv2c, SNMPv3
Enterasys Policy – Single User
Simple Network Time Protocol (SNTP)
Priority Classification L2-L4
Alias Port Naming
VLAN Classification
Ability to Set Time and Date via the MIB
VLAN-to-Policy Mapping on a per Port Basis
Configurable Login Banner
ToS Rewrite
Node/Alias Table
COS MIB – inbound rate limiting
Clear config/clear config all will retain host IP
IP Routing
DHCP Server
Routing Protocols: RIP, OSPF, VRRP, DVMRP, IRDP, PIM-SM
ACLs
Multiple IP helper addresses per Interface (up to 6)
SMON MIB support for Port Mirroring
CoS MIB based Flood Control (broadcast, multicast, and unknown unicast)
CPU/Memory utilization monitoring via SNMP
INSTALLATION AND CONFIGURATION NOTES:
Please refer to http://www.enterasys.com/download/#switches for the latest firmware updates to the SecureStack C2. In general, the SecureStack C2 product will be shipped to you pre-configured with this version of firmware. If you would like to upgrade an existing SecureStack C2 product, please follow the TFTP download instructions that are included in your Configuration Guide.
TFTP download instructions are also available on the Enterasys support web site at: http://knowledgebase.enterasys.com/esupport/esupport.asp?ID=ent19703.
Soft copies of the Configuration Guide are available at no cost to the user on the Enterasys Networks web site, http://www.enterasys.com/support/manuals. To order hard copies of the Configuration Guide, contact your Enterasys representative.
Please refer to http://www.enterasys.com/download/download.cgi?lib=c2 and choose the "archive" link to view information on changes previous to the release information listed in this document.
The SecureStack C2 family of stackable switches is managed by a single IP address for a stack of up to 8 switches. In order to download the new software to a stack of C2 switches, simply follow the instructions to upgrade a switch with new software and then the system will automatically download the new software to all the members in the stack controlled by that stack manager.
UPGRADING FROM PREVIOUS VERSIONS
Additional steps are required when upgrading from 1.xx.xx software to 2.xx.xx or higher software versions. These steps will not be required in subsequent releases.
Upgrading from 1.xx.xx to 2.xx.xx
To upgrade from a 1.xx.xx version to a 2.xx.xx version follow the steps below:
1. Save the config onto the C2 stack.
2. Download the new image onto the stack without resetting the unit.
3. Load the locally stored configuration file back onto the switch/stack using the command "configure configs/<filename>".
4. When prompted that this will clear the configuration and reset the stack, type "y" to continue.
The stack will reset, the current config will be cleared, the new image will start up, and the stack will automatically program itself with the previous configuration.
If the CLI is monitored during this process, all Diffserv commands will display error messages stating that the command is unknown. These messages are informational only and should be ignored.
Feature       Capacity
ARP Dynamic   2024
ARP Static    512
Route Table   2500
OSPF Areas    4
Upgrading from the 2.00.48 release to the 2.01.20 release requires some additional steps for users who utilize GVRP. When upgrading to the 2.01.20 image, the user should only reconfigure GVRP on inter-switch links (ISLs). GVRP was enabled by default in the 2.00.48 image on all edge ports; only non-default commands are displayed in the config, so only the set GVRP disable commands would be listed in a config file created in a 2.00.48 image.
In the 2.01.20 image, the situation is the opposite. Any "GVRP disable" commands are ignored. For any ports on which the user wants GVRP "enabled", the user must log back in and reconfigure those ports to "enable". Any ports which the user wants to be "disabled" will require no action.
Configuration files that were created in the 1.xx.xx track can be applied to a switch/stack using the 2.xx.xx track, however the steps defined above for configuring GVRP must be observed.
Upgrading from 2.xx.xx to 3.xx.xx
Release 3 contains an improved method of stack communications which resolves some stack related issues seen in unusual circumstances with Release 1 and Release 2 code. This new communication is not compatible with the methods used in Release 1 and Release 2 code. Therefore, when upgrading the stack to Release 3, it is important that you ensure the new code has been successfully downloaded to all members of the stack before issuing a stack reset (which will cause the stack to begin using the just downloaded code). If all members are not successfully updated before issuing a reset, units not updated will need to be removed from the stack and upgraded individually.
To upgrade to Release 3, it is highly recommended that you first upgrade to the latest Release 2 code (02.01.37) as detailed above. This release contains additional safeguards that check that proper code versions exist on all members of a stack.
To upgrade from a 2.xx.xx version to a 3.xx.xx version follow the steps below:
1. At the switch prompt, execute the "dir" command. This will display the file names of the images existing on the device.
2. If running version 2.01.37 and a backup image exists, use the "delete <file name>" command to remove the backup image. Use the "copy tftp://<tftp server IP>/<path>/<image name> system:image" command to download the new Release 3 image. This image is downloaded, sent to all stack members, and marked as a "backup" code image. If this download to any of the stack members is unsuccessful, an error message should be generated.
3. Issue the "show version" command to verify that the new Release 3 code image exists on all stack members as the "backup" image. If not, you should manually push this code to any stack member that is not properly updated using the "set switch copy-fw" command.
4. Once all stack members contain the new software image, use the "set boot system <image name>" command to set the newly downloaded image as the "active" image.
5. The stack will reboot using the updated code.
If you have a unit that is running Release 2 or older software, and you want to use the unit in a stack running Release 3 software, you must boot the unit as a standalone unit and update its code to Release 3 before cabling it into the existing stack.
Router Capacities
The following table defines the router capacities:
Feature                                 Capacity
Total OSPF LSA Type                     2500
OSPF LSA Type 1 – Router Links          No restriction; can equal 2500
OSPF LSA Type 2 – Networks Links        No restriction; can equal 2500
OSPF LSA Type 3 – Summary Networks      No restriction; can equal 2500
OSPF LSA Type 4 – Summary ASBRs         No restriction; can equal 2500
OSPF LSA Type 5 – AS External Links     No restriction; can equal 2500
OSPF LSA Type 7 – NSSA External Links   No restriction; can equal 2500
OSPF LSA Type 9 – Opaque Subnet-only    Not Supported
OSPF LSA Type 10 – Opaque Area          Not Supported
OSPF LSA Type 11 – Opaque AS            Not Supported
OSPF ECMP paths                         4
Static routes                           64
RIP routes                              2500
IP Interfaces                           24
Secondary Interfaces                    31
VRRP Interfaces                         20
IP Helper Address                       6 per interface
Access Rules (inbound only)             100
Access Rules – Per ACL                  9
IGMP Groups                             256
DVMRP Routes                            256
FIRMWARE CHANGES AND ENHANCEMENTS:
Changes and Enhancements in 5.01.06.0007
11052 Resolved an issue introduced in release 5.01.06.0006 that affected reassembly of IP fragments directed at a routed interface or the host address of the switch.
Changes and Enhancements in 5.01.06.0006
10690 Corrected an issue where the flowcontrol pause packets were transmitted too early leading to packet loss.
10704 Corrected an issue whereby running macauth and dot1x simultaneously would cause port policies to be removed.
10809 Corrected a CLI issue where restoring a config file containing an extra space before the end of line generated errors.
10816 Corrected an issue where "clear port lacp port" did not restore default port LACP settings.
10848 Changed the MST configuration name default string from the bridge MAC address to a more generic name "default".
10852 Corrected a potential memory leak associated with OSPF which prevented an interface from reaching full adjacency.
10874 Corrected an issue when under certain circumstances the SNTP client stopped processing requests.
10906 Corrected an issue that could prevent policy configurations from being loaded by the switch.
10972 Corrected an issue which could result in the loss of SNMP management.
Changes and Enhancements in 5.01.05.0004
10061 Added a CLI prompt message to "set port vlan" informing users that setting VLAN membership for dynamic VLANs is not supported.
10542 Corrected an issue where clients performing 802.1X authentication on ports configured for multiauth failed to obtain DHCP IP addresses after a device reset.
10201 Corrected an issue where "set switch movemanagement" caused the policy application to fail.
10440 Corrected an issue where "[no] ip routing" command was not linked to the MIB-2 IpForwarding object.
10521 Resolved an issue which prevented DHCP clients from obtaining IP addresses from the DHCP server.
10700 Corrected an issue which prevented the "host ip" value from being properly restored from a saved configuration file.
10056 Enhanced 802.1x authentication whereby the switch continues to send periodic Unicast Request Identity frames after the first client authenticates. Previously the switch stopped sending EAP frames after the first successful authentication.
10356 Corrected an issue where enabling port mirroring would stop traffic flow across ports that were not members of the mirror group.
10712 / 10676 Corrected an issue where default policies were removed thus preventing 802.1x clients from authenticating.
10597 Resolved an issue in multiuserauth mode whereby an inactive user was dropped from the egress vlan list and could no longer transmit packets out the egress vlan.
10655 Resolved an issue where client authentication failed when the management ip address was not configured.
Changes and Enhancements in 5.01.04.0001
10140 Corrected an issue with the LLDP MIB implementation that could result in the loss of SNMP management or high CPU utilization.
10396 Corrected an issue whereby after an initial invalid RADIUS request fails, subsequent valid requests were rejected for the same user due to caching of the initial RADIUS state attribute.
10551 Corrected an issue with displaying the correct LACP partner key when doing a "show port lacp port <port string> status summary" command.
10443 Corrected an issue with the "clear radius server" command that could result in a reset.
10627/10697/10250 Corrected an issue whereby disabling dot1x on an authenticated port could affect SNMP management or cause a reset.
10314 Corrected an issue where ports could fail to 802.1x authenticate valid users if mac locking was enabled.
10324 Corrected an erroneous interface message timeout reset (NIM timeout event) caused during management changes of complex interface configurations.
10554 Corrected an issue causing an SSH login to appear to hang in configurations where the motd banner and length are set.
10501 Corrected an issue where the "show mac type self" command would fail to show local MAC addresses.
10498 Corrected a display issue with the "show config all spantree" command caused by a page break truncating the output.
10535 Added the ability to set the PVID on a port with a VLAN learned via GVRP. A new informational message "INFO: PVID has been set. VLAN membership cannot be set on dynamic VLAN" alerts the administrator that PVID is settable on a dynamic VLAN but VLAN membership is not configurable.
10227 Corrected issue with RADIUS server redundancy which could prevent users from authenticating via the secondary server.
10486 Corrected an issue where ACL entries restored using a configuration file could fail to be applied.
Changes and Enhancements in 5.01.03.0007
Removed a change introduced in 5.01.03.0003 that was intended to correct an issue with persistence of port advertised capability on combo ports. That change introduced an auto negotiation problem on combo PoE ports where 100Mb clients could fail to link.
Changes and Enhancements in 5.01.03.0003
Corrected an issue in the Policy MIB where the etsysPortPolicyProfileSummaryTable (1.3.6.1.4.1.5624.1.2.6.3.3) failed to return a value for etsysPortPolicyProfileSummaryOperID.
Corrected issue that prevented multiple 802.1x Policy authentications on a single port.
Corrected an issue where receiving constant pauses frames on a port could cause Spanning Tree instability on the switch.
Corrected a potential reset associated with one form of interface message timeout ("NIM: Timeout event").
Corrected an issue with GVRP that could cause a failure to properly configure egress on learned VLANs.
Corrected an issue where the port inlinepower admin state was not persistent.
Corrected an issue in the readability of output of the "show config vlan" command.
Corrected an issue where ASM is unable to apply actions to ports.
Corrected an issue concerning the "set ip protocol" command. If the static IP address of a switch is stored in a configuration file, and the IP is then changed to be acquired using DHCP, the original IP can now be restored using the saved configuration file.
Corrected an issue with persistence of port advertised capability on combo ports.
Corrected an issue where high rates of multicast traffic caused pause frames to be generated on the upper ports (25-48) of 48 port devices.
Corrected an issue with the RADIUS reauthentication timer. During an unrecognized overflow condition which occurred approximately once every 49 days, the switch would constantly attempt to authenticate all RADIUS supplicants. This would last for a period equal to the authentication time.
Corrected an issue in Policy that could prevent the application of a profile after a system reboot. Previously a hardware error would be given indicating a failure to set a profile on a port.
Changes and Enhancements in 5.01.02.0007
Corrected an issue where permanent licenses were incorrectly detected as having expired.
Corrected an issue with the "show mac port" command displaying output from multiple ports.
Corrected an issue where SSH IdleTimeOut was not initialized, causing a failure to timeout SSH sessions.
Corrected a potential memory corruption and reset associated with the MAC authentication process.
Corrected a potential NIM timeout event reset associated with deleting interfaces with large numbers of VLANs (>1000).
Corrected an issue where Dynamic Egress failed if a rule to discard tagged packets was applied to the port.
Corrected a display issue where clearing the default role on a port with Policy Manager prevented the display of user roles.
Corrected an issue in DVMRP where if a session is stopped and a new channel is selected to the same multicast server, the stream associated with the new group was dropped.
Corrected an issue where IfSpeed and IfHighSpeed MIB objects incorrectly report port speed on 10Gig interfaces.
Corrected an issue in the MAU-MIB ability to set dot3MauType to dot3MauType1000BaseTFD.
Corrected an issue that could result in the inability to apply previously acceptable policies to ports after a system reboot.
Corrected an issue that prevented proper operation of IGMP Snooping on ports that had authenticated to a new VLAN.
Enabled the ability to syslog messages greater than 124 characters in length. Previously some messages may have been truncated.
Changes and Enhancements in 5.01.01.0051
Corrected an issue in the Enterasys CoS MIB that could prevent new CoS MIB settings from being applied and enforced from Policy Manager. This issue was originally introduced in the 5.01.01.0047 firmware.
Changes and Enhancements in 5.01.01.0049
Corrected an issue with the Bridge MIB that inverted the reading and setting of VLAN tagged egress. Untagged egress would read as tagged. Tagged VLAN egress would read as untagged. Setting tagged egress would result in untagged egress. Setting untagged egress would result in tagged egress. This issue was introduced in the previous release (5.01.01.0047).
Corrected an issue in the display of SNMP configuration that could cause a system reset when the "show configuration" command was issued. This issue was introduced in the previous release (5.01.01.0047).
Changes and Enhancements in 5.01.01.0047
Added Support for CoS MIB based flood control of broadcast, multicast and unknown unicast traffic. (See Appendix A of the Release Notes for configuration information).
Added SMON MIB support for management of Port Mirroring. (See Appendix A of the Release Notes for configuration information).
Added support for monitoring resource utilization via the etsysResourceUtilizationMIB.
Corrected a CLI issue that prevented insertion of text without erasing the remainder of the command line.
Corrected a reset issue with the "show config outfile" command.
Corrected an issue that prevented the clearing of the admin login using the "clear system login" command.
Corrected a display issue in the "show system utilization process" command.
Corrected an issue with counting RMON Statistics for 1024-1518 octet packets.
Corrected an issue with forwarding static multicast addresses after a reset.
Modified the Span Guard port lockout state to disable the port if the spanguardtimeout is set to zero. This will prevent any control traffic on this port from being processed when locked.
Moved the informational message "ewaNewConnection EmWeb socket accept() failed: S_errno_EWOULDBLOCK" to the informational level (7) for Syslog.
Corrected a potential loss of Spanning Tree configuration when upgrading from earlier images.
Corrected a CLI display issue with the "show inlinepower" command when the command is executed over an SSH session.
Added CLI support for the port string format of type ge.1-2.1.
Corrected an issue migrating policy TCI rule configurations when upgrading system firmware from earlier images.
Corrected an issue that caused loss of SNMP configuration when restoring a configuration file.
Jumbo packets are now counted as errors when jumbo packets are disabled on the switch.
Corrected an issue that prevented Syslog messages generated from routing protocols.
Modified the SNTP poll interval to be set as a power of 2, to conform to RFC1305.
Previous images supported only a single permit or deny any rule per ACL. The SecureStack-C2 will now support one each for ICMP, UDP, TCP, and IP.
Improved the resiliency of the host process by ensuring control traffic (e.g. BPDUs) gets higher priority during heavy traffic loads.
Corrected an issue where RIPv2 routes with a 32 bit mask were not accepted.
Corrected an issue where Policy rule counts could potentially be updated incorrectly when a rule was removed. This could have prevented new rules from being added.
Changes and Enhancements in 5.01.01.0040
Corrected a shared-memory timing issue that in rare circumstances could affect management access to the switches after a reset. The new code ensures that shared memory is accessed in an orderly fashion by multiple processes during startup.
Changes and Enhancements in 5.01.01.0039
Implemented the new Enterasys standard version numbering system on the SecureStack C2.
Changed the default logging severity level to 6. The result of this will be that more informational messages may be seen in Syslog and CLI than in previous images. However, this does not affect the operation of the switch.
Added support for LACP short timers.
When a fiber port is disabled, both the transmit and receive links of the port will now be disabled.
Multi-word VLAN name assignments are supported and persistent when encapsulated in quotes.
Users can ping the host IP address from any port in a mixed stack as long as the port has the proper VLAN egress configuration.
Resolved an issue with policy where in certain configurations port policy assignments weren't being removed properly.
Fixed an issue with policy based inbound rate limiting which was preventing rate limits from being enforced.
Support has been added for RFC 3580, VLAN authorization in conjunction with MAC Authentication services.
With a basic PWA configuration on the stack, users can now access the PWA login page by simply entering the PWA server IP address instead of being required to enter the entire URL.
Modifying the MACLock Firstarrival value will limit the number of users allowed network access on the port. Changes to this value will be enforced on the number of current users as well as new users.
Corrected the reporting of physical port and LAG port speeds using the ifSpeed MIB.
When executing the command "show config", the output will encrypt the passwords of SNMP users.
Resolved an issue where MAC Authenticated devices that were continuously sending data were required to re-authenticate every 10 minutes or so even though re-authentication had been disabled.
Multi-word SNMPv3 group names can now be configured and deleted as long as the group names are encapsulated in quotes.
The CLI output of the "show cdp", "show port egress", and "show mac port <port>" commands will now be managed properly by the terminal display value set using the "set length" command.
Removed an additional offset seen in the display output of the SNMP configuration when executing the CLI command "show config" or "show config snmp".
Modifying the lacptimeout value will no longer require globally disabling and re-enabling LACP to be enforced.
LAG ports which are spread across multiple units in a stack have been made more resilient in the event of a failure of one of the stack members.
Corrected an issue caused by an incorrect port index being used, which presented itself as the Syslog message "Invalid hpc_index of 0".
Added support for the dot1dStpPortPathCost mib.
When configuring multiple RADIUS servers on the SecureStack, the RADIUS index will be used to determine the sequencing of which RADIUS server the RADIUS Access Request packets will be sent to when a client attempts to authenticate.
Users now have the ability to set objects via name for RMON Alarms, such as "set rmon alarm properties 1 object ifOperStatus.1".
A static LAG between multiple units of a SecureStack switch and a Cisco 2950 switch will now recover after a "set switch movemanagement" command is executed.
Static ARP entries are preserved across resets.
Corrected an IP assignment issue that occurred when more than one user authenticated via 802.1X from the same computer and was assigned to a different VLAN.
RMON Packet capture now displays bidirectional traffic.
When using policies with the untagged-vlan option, the VLAN egress will now be properly assigned when the policy is applied.
Corrected an issue with multiauth where, after an extended period of time, users trying to authenticate on the network got stuck in a connecting state and were unable to gain network access.
The "show mac" and "show arp" commands will continue to reflect accurate information on all physical ports which have MAC Authentication enabled.
Corrected an issue in SNTP that prevented time synchronization to a broadcast SNTP server.
When polling the dot1dStpVersion oid, it will return the proper value for the Spanning Tree version configured on the stack.
Resolved an issue where, after rebooting a PC and re-authenticating, users' ports were not being assigned the appropriate policy.
Values for the MIB-2 counters will remain persistent regardless of link state.
The SecureStack will cease sending SNTP requests to SNTP servers which have been removed from the device configuration.
User configured forbidden egress settings will remain persistent in the device configuration and take precedence over dynamic VLAN assignments learned via GVRP.
Implemented dynamic rule allocation based on Policy type to manage policy resources.
The node alias create time information is now measured in Ticks as defined in the MIBs for ctAliasTimeFilter and ctAliasMacAddressTime.
Corrected an issue where the "show mac type self" command would not use the default of all ports when a port string was not entered.
When polling the dot1dTpFdbPort MIB, the results will be returned in ascending order.
Logging commands will remain persistent after executing the "set switch movemanagement" command.
The RADIUS Filter-ID is no longer case sensitive.
Configuring a metric for a static route is now supported.
Resolved an issue with the C2H124-48 which prevented tagged traffic from being routed across static routes.
Corrected a display issue in the format of the "show ip ospf database" command.
When configuring symmetrical VRRP for load balancing such that the interface on a VLAN is master for one instance and backup for another instance of VRRP, the display of the "show ip vrrp" command will now accurately reflect the correct VLAN ID for both instances.
ACLs applied to VLAN 1 will now be added to the device configuration.
Modified the VRRP application's behavior during the SecureStack bootup process to strengthen the protocol's stability.
The switch "clear arp all" and router "clear arp-cache" commands will clear all dynamic ARP entries.
Corrected an issue in authentication that would prevent routed frames from being forwarded.
Administrators can contact and manage their SecureStack switch using a VRRP virtual IP address if the device is the owner and Master of the virtual IP.
Resolved an issue where in certain OSPF configurations an interface would never reach a full adjacency and would remain stuck in the "Exchange Start" state.
Changes and Enhancements in 5.01.01.0039
RIP authentication keys up to sixteen characters are now supported.
Corrected an issue with calculating reauthentication periods when the internal real-time clock rolls over. Previously, approximately once every 50 days, for a time equal to the configured reauthentication period, all users with reauthentication enabled would continuously attempt to authenticate.
Corrected an issue in the IPNettoMedia MIB that prevented the ability to query the host ARP cache using SNMP.
Corrected an issue in the Bridge MIB implementation that could prevent querying learned MAC addresses using SNMP.
Corrected an issue in SNTP that prevented time synchronization to an SNTP server sending unicast traffic.
Corrected a CLI display issue with the alignment of output from the "show inlinepower" command.
Corrected a CLI issue that allowed the user to edit only the first ten lines of an Access Control List.
Corrected an issue in the Access Control List implementation that prevented permit/deny rules containing the source wildcard "any" from being applied.
Corrected the potential loss of a policy mask resource that could prevent some previously acceptable policy configurations from being applied. This issue was introduced with the forwarding of multicast addresses in the range 01-80-C2-00-00-00 to 01-80-C2-00-00-FF. If you need to forward these multicast addresses, you must now enable the "set mac unreserved-flood" command.
Corrected an issue where an ACL would only be applied to untagged traffic.
Corrected an issue in authentication that would prevent routed frames from being forwarded.
Corrected a potential reset condition that occurred when clearing the RMON history using the "clear rmon history to-defaults" command.
Corrected an issue that occurred when processing an invalid policy role received from RADIUS. The switch now applies the default port role, where previously the existing port role was unchanged.
Corrected a display issue where the operational status of a port would incorrectly be shown as ―up‖.
Updated the Syslog event format to comply with the RFC 3164 standard.
Added a new feature enhancement to support LACP short timers.
Corrected an issue with RMON packet capture displaying only ingress packets.
Corrected a potential memory leak associated with SNMP calls with exception conditions.
The OSPF cost command "ip ospf cost 1" will no longer be automatically added when creating a loopback interface.
Corrected an issue in the "set policy profile" command that could prevent users from cutting and pasting configurations.
Corrected an issue in setting SNTP server precedence. We now allow up to 10 entries.
Corrected a display issue with the CLI help for the "show mac type ?" command.
Corrected an issue where access lists that are applied to ports that only contain a LAG do not get displayed in the configuration.
Corrected an issue where the MIB object ifOperStatus of the host port would always return "down".
Corrected an issue in the DHCP server CLI that could prevent long strings from being entered.
Corrected an issue that prevented management contact of a VRRP address on a non-virtual IP interface.
Updated the SNTP poll interval value to be configured as a power of 2, with a valid range between six and ten as described in RFC 1305 (i.e., a poll interval set to "6" is equal to 2^6, or 64 seconds). If upgrading from a configuration which has an SNTP poll-interval set outside of the valid range of 6 to 10, the default of 6 (2^6 = 64 seconds) will be set.
The SecureStack device will no longer send SNTP requests to SNTP servers which have been deleted from the device configuration.
Corrected processing of packets with network directed broadcast addresses to enable support for the SNTP Broadcast mode.
Resolved a Policy issue where PCs were not being correctly reassigned to the default policy if they were rebooted.
Rectified an issue where policies using the untagged-vlan option were not writing the correct VLAN egress into the device hardware.
The aging process for MAC Authentication has been modified. If a MAC address is learned on multiple VLANs, but only remains active on one VLAN (such as having been reassigned to a new VLAN after MAC Authenticating), the device will now age out the correct MAC address entry by keying on the MAC address/VLAN id pair.
GVRP will no longer have an effect on static VLAN settings manually configured by the administrator.
Noticeably improved the routing performance of clients which are using MAC Authentication.
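The Syslog format change in 5.01.01.0039 (RFC 3164 compliance) matters to anyone collecting logs from these switches: a collector derives facility and severity from the leading PRI field and expects the BSD timestamp, host and tag layout. The Python below is an added example written for this note, not Enterasys code: it builds an RFC 3164 line, parses one back, and rejects lines that are not valid. The sample lines, host names and message text are constructed for the example and were not captured from a real switch.

```python
import re
from datetime import datetime

# RFC 3164 section 4.1.1: PRI = facility * 8 + severity.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice",
                  "info", "debug"]


def encode_pri(facility, severity):
    """Combine facility (0-23) and severity (0-7) into the PRI value."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity


def format_rfc3164(facility, severity, when, hostname, tag, content):
    """Build '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT' (RFC 3164 4.1.2, 4.1.3)."""
    # The day is space-padded to two characters and the year is omitted.
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {content}"
    return line[:1024]  # RFC 3164 4.1: a packet must not exceed 1024 octets


_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]{1,32})(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_rfc3164(line):
    """Return the decoded fields, or None for a line that is not valid RFC 3164."""
    m = _LINE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # the largest legal PRI is 23 * 8 + 7
        return None
    return {
        "facility": pri // 8,
        "facility_name": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


# Constructed sample lines (not captured from a real switch). The second uses a
# non-default facility (local7), as a remote server definition might configure.
SAMPLE_LINES = [
    "<38>Aug 13 10:15:02 c2-edge-01 RADIUS: user jdoe authenticated on port ge.1.7",
    "<188>Aug  5 09:00:11 c2-edge-02 MacLock: violation on ge.2.3 from 00-11-22-33-44-55",
    "Aug 13 10:15:03 c2-edge-01 Msg: line with no PRI header",
    "<999>Aug 13 10:15:04 c2-edge-01 Msg: PRI out of range",
]


def alerts(lines, max_severity=4):
    """Keep (host, tag, severity_name) for parseable lines at warning or worse."""
    out = []
    for line in lines:
        rec = parse_rfc3164(line)
        if rec is not None and rec["severity"] <= max_severity:
            out.append((rec["host"], rec["tag"], rec["severity_name"]))
    return out


def roundtrip_demo():
    """Format a line and parse it back; returns the parsed record."""
    line = format_rfc3164(23, 4, datetime(2008, 8, 5, 9, 0, 11),
                          "c2-edge-02", "MacLock", "violation on ge.2.3")
    return parse_rfc3164(line)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_rfc3164(sample))
    print(alerts(SAMPLE_LINES))
```

The parser deliberately returns None rather than guessing for lines without a PRI or with an impossible PRI; a collector that silently accepts such lines will mis-file them under the wrong facility, which is exactly what the pre-5.01.01.0039 format could cause.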
Changes and Enhancements in 5.00.75
New Boot PROM added to address issues in manufacturing test.
Corrected an issue where WebView and Telnet session termination could result in a reset.
Corrected an issue in the handling of RADIUS packets with incorrect attribute lengths that may result in a reset.
Modified the "show radius" command so that RADIUS servers are always displayed in precedence order.
Corrected an issue where unauthenticated users are potentially unable to access the network through a static policy.
Resolved an issue with configuring an SNMP user with a remote engine id, md5 authentication, and a password. If authpassword was exactly 12 characters long, the command was taken, but the password was not written to the device configuration. If the config is saved and then later restored, the command line for this SNMP user would fail, since there was no password retained in the config file.
Corrected an issue where IGMP multicast streamed packets can be seen on untagged ports when the link is pulled and inserted on an untagged port.
Corrected an issue where dynamic egress could prevent setting a port to egress tagged.
Corrected an issue that prevented SSH logout when the logout timer expired.
Corrected a display issue in CLI help for the "set ssh" and "set switch" commands.
Corrected a firmware upgrade issue on Fast Ethernet boards that could change the tagged status of routed ports.
Corrected an issue that could cause instability when stacking units 8 high.
Corrected an issue with Multiple User Authentication where the switch may continue to attempt to MAC authenticate a user that has already been authenticated using 802.1X.
Corrected an issue with the policy precedence order of IP destination rules. If multiple rules were created with more than 4 masks, the longest prefix match was not followed.
Corrected an issue with MIB implementation of MAC locking. The etsysMACLockingEnable oid was not supported.
Corrected an issue with the router "set length" CLI command that could prevent the display of learned MACs.
Corrected an issue where the partial completion of the "set port duplex" CLI command could cause a reset.
Allowed the banner length to be configured for more than 128 characters.
Removed the SSH logout message when a user exits an SSH session, since some tools interpreted this message as an error.
Corrected a CLI issue that could incorrectly display the subnet mask of devices configured to receive traps.
Corrected an issue where static ARP entries may not be persistent.
Corrected an issue where GVRP can overwrite static forbidden VLAN egress configurations.
Corrected an issue where the display of RMON counters for unicast packets can show negative values.
Corrected an issue where some multicast addresses may be forwarded out ports blocked by Spanning Tree.
Corrected an issue where policy enforcement could cause high CPU utilization.
In the previous version, 5.00.63, an issue during the GVRP join process would cause the egress port settings to be inadvertently changed to "tagged". This issue has been corrected.
Added ability to age out firstarrival maclock entries.
Added support for multiauth idle-timeout.
Added automatic tagged egress to the specified VLAN when a per-port VLAN-to-Policy mapping is assigned.
Corrected potential memory leak in CDP application.
Corrected an issue where VRRP may not transition to the backup router.
Added method to remove priority setting from the configuration file without requiring clearing the configuration.
Added the ability to forward IS-IS multicast packets which can use the destination MAC address of either 01:80:C2:00:00:14 or 01:80:C2:00:00:15.
Corrected issue in enhanced PWA mode that could cause a user to be incorrectly redirected to the PWA login.
Corrected issue where 802.1X authentications may not show up in the MultiAuth Authentication Table.
Corrected issue where Link Aggregation ports may not correctly report port speed.
Corrected issue where link down on a physical port may not clear all MAC addresses in the forwarding database associated with the port.
Corrected issue that could potentially prevent Policy enforcement.
Corrected issue that could cause delay in link on MGBIC ports.
Corrected potential issue with reporting incorrect port speed and duplex when using MGBICs.
Corrected issue with reporting of ifOperStatus as Up instead of dormant on physical ports belonging to a link aggregation group.
Corrected a potential issue in "User Plus Phone Authentication" where the switch could fail to restore an admin policy to a port after the user becomes unauthenticated.
Corrected issues where host generated ARP request packets could be egressed out a port blocked by Spanning Tree.
Corrected issue where an SNMP V3 group name created with 2 words encased in quotes would not have the quotes saved in the show config outfile.
Corrected issue first introduced in release 5.00.69, that could prevent communication to routed interfaces on the switch.
Corrected issue with host ARP processing that could potentially result in a reset.
Corrected an issue with the setting of authentication traps not being persistent across resets.
Corrected an issue where the "show ip ospf database" command could cause the console to lock.
Corrected an issue with the Enterasys Syslog MIB which could prevent setting Syslog servers via SNMP.
Corrected an issue where internally-generated ARP requests could be forwarded out ports in a Spanning Tree discarding state.
Corrected the output formatting of the "show port status" command.
Corrected an issue with saving and restoring multi-word SNMP group names.
Corrected a display issue regarding ARP timeout values.
Corrected a formatting error in the output of the "show logging buffer" command when the default output length is changed.
Corrected an issue that could prevent communication (telnet or ping) to a routed interface.
Corrected an issue in system initialization that could incorrectly change tagged vlan egress on a port to untagged.
Corrected an issue that could prevent web management when using an SSL connection.
Corrected a potential reset condition when processing high rates of DHCP relay requests.
Changes and Enhancements in 5.00.59
VLAN egress lists with large numbers of individual ports will now be correctly assigned when loading a saved configuration onto a SecureStack device using Inventory Manager.
Secondary IP addresses on routed interfaces can be configured as VRID IP address owners when implementing VRRP on the SecureStack C2 or C3.
Modified the VRRP functionality of the SecureStack C2 and C3 to allow multiple virtual IPs to be configured on one VRID.
The command "clear rmon stats to-defaults" will correctly reset RMON statistics to zero for all ports.
The SecureStack will now send Syslog messages for each of the configurable applications to a remote Syslog server.
Modified the help displayed for the "set radius realm any" command to correctly reflect all the configurable options available for this sub-command.
Administrators have the option to disable inbound telnet and still manage the SecureStack via WebView.
The ifMauAutoNegConfig MIB will now correctly report the port status when polled.
Non-default port queuing assignments will be retained when upgrading code on the SecureStacks.
The output of "show config all vlanauthorization" now reflects the correct port settings for vlanauthorization.
When the dot1x reauth action is invoked either by CLI or MIB, the dynamic Policy ID will be cleared.
If a user authenticates with dot1x and a dynamic policy is assigned, disabling dot1x (eapol) will cause the dynamic policy assignment to be removed.
For those customers using MAC Authentication masking, once a user is MAC authenticated using a configured bit mask, the switch will cease sending redundant authentication requests to the server.
The SecureStack now supports the configuration of 100 rules per profile.
If a user has maclocking enabled, and the number of MAC addresses learned on a port exceeds the configured firstarrival value, the first MAC address causing the firstarrival value to be exceeded will be displayed as a violating MAC address in the output of "show maclock stations". If the user then increases the firstarrival value to be larger than the number of MAC addresses learned on the port, the violating MAC address will now be cleared.
If maclocking is enabled both globally and per port, the etsysMACLockingLockedEntryCause OID will now report accurate data.
The "set port disable" command will now disable the port from learning entries in the forwarding database as well as disable the physical Ethernet link.
The "set switch description" command used to rename member units in the stack is now supported.
When upgrading the SecureStack C2 or C3 to the current code, all configured routing interfaces will remain persistent.
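The MAC locking behaviour described in this section (a first-arrival limit, the first excess station shown as violating, and the violation clearing when the limit is raised above the learned count), together with the first-arrival aging added in 5.00.75, is easier to reason about as a small model. The Python below is an added example written for this note, not the switch's code. The port name, the MAC addresses, the idle-time aging mechanism and the decision to drop further excess stations silently are assumptions made for the illustration; it accepts hyphen- or colon-separated MAC addresses as the set maclock command does.

```python
import re

_MAC = re.compile(r"^([0-9A-Fa-f]{2})[-:]([0-9A-Fa-f]{2})[-:]([0-9A-Fa-f]{2})[-:]"
                  r"([0-9A-Fa-f]{2})[-:]([0-9A-Fa-f]{2})[-:]([0-9A-Fa-f]{2})$")


def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff; return the lower-case hyphen form."""
    m = _MAC.match(mac.strip())
    if m is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(g.lower() for g in m.groups())


class MacLockPort:
    """First-arrival MAC locking on one port (a model, not the firmware).

    The first `firstarrival` distinct MACs seen are locked to the port. The next
    new MAC is recorded as the violating station; later new MACs are dropped
    silently (assumption). Raising firstarrival above the locked count clears
    the violation. Idle locked entries can be aged out (assumed mechanism).
    """

    def __init__(self, name, firstarrival):
        self.name = name
        self.firstarrival = firstarrival
        self.locked = {}       # mac -> time the station was last seen
        self.violating = None

    def learn(self, mac, now):
        """Process a frame with source `mac` at time `now`; returns the action taken."""
        mac = normalize_mac(mac)
        if mac in self.locked:
            self.locked[mac] = now
            return "forwarded"
        if len(self.locked) < self.firstarrival:
            self.locked[mac] = now
            return "locked"
        if self.violating is None:
            self.violating = mac   # first station to exceed the limit is reported
        return "dropped"

    def set_firstarrival(self, value):
        if value < 0:
            raise ValueError("firstarrival must be non-negative")
        self.firstarrival = value
        # 5.00.59 behaviour: a limit larger than the learned count clears the violation.
        if self.violating is not None and value > len(self.locked):
            self.violating = None

    def age(self, now, max_idle):
        """Drop locked entries idle longer than max_idle seconds; return those aged out."""
        expired = [m for m, seen in self.locked.items() if now - seen > max_idle]
        for m in expired:
            del self.locked[m]
        return expired

    def stations(self):
        """What 'show maclock stations' would list for this port: mac -> status."""
        table = {m: "locked" for m in self.locked}
        if self.violating is not None:
            table[self.violating] = "violating"
        return table


def demo():
    """Walk the scenario from the 5.00.59 note; returns the station table at each step."""
    port = MacLockPort("ge.1.5", firstarrival=2)
    port.learn("00:11:22:33:44:01", now=0)
    port.learn("00-11-22-33-44-02", now=1)
    port.learn("00-11-22-33-44-03", now=2)   # exceeds the limit: violating
    after_violation = port.stations()
    port.set_firstarrival(4)                   # limit raised: violation cleared
    after_raise = port.stations()
    port.age(now=400, max_idle=300)            # everything idle > 300 s ages out
    after_age = port.stations()
    return after_violation, after_raise, after_age


if __name__ == "__main__":
    for table in demo():
        print(table)
```

The model makes the operational trade-off visible: without aging, a port that has seen its first-arrival quota keeps those MACs forever and every replacement device is a violation; with aging, a patient attacker can wait for the legitimate station's entry to expire. Choose the idle timeout with that in mind.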
Changes and Enhancements in 5.00.32
Support for setting static multicast IP addresses ("set igmpsnooping add-static") has been added.
Restored packet buffer optimization not included in earlier patch releases.
Multiple users who share a computer will have the correct policy assignment and network connectivity applied when each user logs into the PC.
Clients using 802.1x authentication connecting to ports configured for multiauth can be reliably authenticated and will have the correct policy assignment applied.
When a SecureStack C2 or C3 is using a virtual IP address as its gateway and the virtual IP master fails over to the virtual IP backup, user connectivity to the host will be maintained.
An issue whereby incorrect data was being displayed after querying the STP MIB, has been fixed.
An issue when clearing counters on a port would result in a counter discontinuity has been fixed.
An issue where creating a 23rd interface would cause a reset has been fixed.
An issue where ifInDiscards were counted erroneously has been fixed.
An issue whereby invalid info from dot1qVlanCurrentUntaggedPorts was being reported has been fixed.
If member ports of a LAG are spread across multiple stacked members and one of the stacked members is reset, the LAG port members on the reset switch will rejoin the LAG once the switch becomes operational again.
The etsysCosIrlViolationTable MIB will now return accurate data points when polled.
If an authenticated device is replaced on a port which is configured with dual user authentication, the new device will be required to revalidate its authentication credentials.
An issue has been resolved whereby in specific configurations the switch would occasionally transmit RADIUS Identity requests with failure frames for valid users.
Administrators can now configure PoE ports to support either pre-standard (default) or IEEE PoE mode on any PoE port using the "set inlinepower [auto | ieee]" command.
Issues have been resolved with loading saved configurations which contained the RADIUS option "realm network-access" or policy rules containing "admin-profile vlantag <VLAN> admin-pid <PID>".
The switch now supports the ability to configure two default routes in the router CLI.
The output of the "dir" command will display the active and backup image loaded on the device when they are loaded via the CLI or SNMP.
When terminating an authenticated session from Policy Manager, both the 802.1X session and the dynamically assigned policy are now removed from the port.
If access to the RADIUS server had been lost while an 802.1x supplicant tried to authenticate, when connectivity to the RADIUS server is restored, the switch will now respond to the RADIUS access-challenge, thus allowing the authentication process to proceed.
Once authenticated, a user will have the default policy assignment removed from their port, and the appropriate dynamic policy, per their authentication credentials, applied to the port.
Mixed Stacking
5.0 will be required to mix C2 hardware with C3 hardware. A C3 stack containing a C2H will impose:
1. A single role (Policy) limitation of 100 rules and 10 masks.
2. A system limitation of 100 unique rules and 18 unique masks.
3. No DA/SA, Ethertype or ICMP type rules.
4. Maximum of 15 roles.
5. No metering.
A C3 stack containing a C2G will impose:
1. A single role limitation of 100 rules and 10 masks.
2. A system limitation of 768 unique rules.
3. No DA/SA or Ethertype rules.
4. Maximum of 15 roles.
5. No metering.
The C3 product should be the master when mixing with a C2 stack.
Corrected subnetted rule precedence for Policy ipsourcesocket and ipdestsocket to be based on role precedence and mask length instead of order of configuration.
802.1X clients' MAC address database entries are no longer permanently learned if maclocking is enabled globally and the individual port maclocking is disabled.
Enabling MAC Authentication on ports which already have learned MAC addresses will no longer cause learned traffic to flood over stack.
The reserved multicast address 01-80-C2-00-00-11 will now be forwarded through the SecureStack C2.
After clearing port counters, the time displayed for ―Counter Discontinuity‖ is correctly reset to 0.
Resolved an issue which would cause the stack to reset after creating twenty-three routing interfaces.
Changes and Enhancements in 4.00.31
The switch will now include the correct port number in the NAS-Port-Id attribute field when sending a RADIUS Authentication Request to a RADIUS server.
The CLI now supports the "set tftp retries" and "set tftp timeout" commands for configuring these settings to non-default values.
Optimized the performance of the "set port vlan" command to ensure the action completes its execution in a timely manner when enforced within an environment containing a large number of VLANs.
The SecureStack C2 will now display all ports when accessing the FlexView "Port Spanningtree Information" tab.
Support for the configuration of non-default UDP port settings for SNMP access has been added with this release.
When a MAC Locking violation occurs on the SecureStack C2, and traps are enabled, the violating MAC address listed in the trap will be accurately reported.
Resolved an issue found in previous releases where STP configuration could be lost during a firmware upgrade.
Corrected an issue where after an excessive number of attempts to authenticate via RADIUS by a user, the device would fail to send out a RADIUS request packet to the RADIUS server.
Policy assignments are correctly updated on ports when link is removed or the session is terminated.
Multiple users who share a computer will receive the correct policy assignment and network connectivity when each user logs into the PC.
Resolved an issue which prevented PWA from redirecting the user to a requested webpage if a PWA banner was configured and the URL was greater than one directory deep.
When the SecureStack C2 is configured as a multicast querier and the last member of a multicast group leaves, the SecureStack will no longer continue to flood multicast traffic to the port.
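Two RADIUS items in these notes concern the switch's role as the NAS: the NAS-Port-Id fix in 4.00.31 (the attribute a RADIUS policy uses to tell ports apart) and the 5.00.75 fix for resets on packets with incorrect attribute lengths. The Python below is an added example, not Enterasys code: it assembles an Access-Request with the RFC 2865 User-Password hiding and the per-port attributes, then parses packets with the length checks a robust implementation needs so that a malformed attribute is rejected rather than looped on or read past. The shared secret, user name, NAS address, port identifiers and the fixed Request Authenticator are constructed for the example; the Service-Type Framed(2) and NAS-Port-Type Ethernet(15) values are the RFC 3580 recommendations for 802.1X.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# Attribute type codes from RFC 2865 (NAS-Port-Id is from RFC 2869).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, NAS_PORT_TYPE, NAS_PORT_ID = 6, 61, 87
SERVICE_FRAMED, PORT_TYPE_ETHERNET = 2, 15


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, authenticator):
    """Reverse of hide_password; the server does this with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def attribute(type_, value):
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_port,
                         nas_port_id, authenticator=None):
    """Assemble an Access-Request as a switch would for a port-based login."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = b"".join([
        attribute(USER_NAME, username.encode()),
        attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attribute(NAS_PORT, struct.pack("!I", nas_port)),
        attribute(NAS_PORT_ID, nas_port_id.encode()),
        attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED)),
        attribute(NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_ETHERNET)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_radius(packet):
    """Decode (code, id, authenticator, [(type, value), ...]); raise ValueError when malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # RFC 2865 section 3: Length is 20..4096; octets beyond Length are padding.
    if not 20 <= length <= 4096 or length > len(packet):
        raise ValueError(f"bad Length field {length}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        type_, alen = packet[pos], packet[pos + 1]
        # A Length below 2 would never advance `pos`; a Length past the packet reads garbage.
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute type {type_} has impossible length {alen}")
        attrs.append((type_, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def corrupt_first_attribute_length(packet):
    """Constructed malformed packet: zero the Length octet of the first attribute."""
    return packet[:21] + b"\x00" + packet[22:]


def rejects(packet):
    """True if parse_radius refuses the packet instead of crashing or looping."""
    try:
        parse_radius(packet)
    except ValueError:
        return True
    return False
```

Two caveats a practitioner should keep in view: the User-Password hiding is an MD5 keystream keyed by the shared secret, not encryption in any modern sense, so the RADIUS path between switch and server still needs its own protection; and real 802.1X (EAP) requests additionally carry a Message-Authenticator attribute (RFC 3579), omitted here for brevity.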
Changes and Enhancements in 4.00.24
The SecureStack C2 switch now supports creation of single port LAGs with HP ProCurve devices.
PWA has been improved to ensure access to the PWA authentication server, even under heavy traffic loads.
Configuring the SecureStack C2 switch with a non-default "set length" value will no longer prematurely close telnet sessions when executing commands which output large amounts of data.
The SecureStack C2 switch will support the configuration of weighted round robin (default) or strict priority queuing.
An issue has been fixed whereby flow control packets were flooded to the front panel ports degrading the rate at which traffic could traverse the CPU.
When executing a "set", "show", or "clear" VLAN command on a list of VLANs, the VLANs can be listed in either ascending or descending order.
The "show vlan portinfo vlan" command will accurately display the egress list for the VLAN(s) specified.
The set maclock command now supports using either hyphens or colons to separate the bytes of a MAC address.
The command "set webview enable ssl-only" has been added to the list of command options. When the "set webview enable ssl-only" command is enabled in conjunction with the "set ssl enable" command, the user will only be allowed to access WebView using HTTPS (SSL - TCP port 443); HTTP (TCP port 80) will be disabled for WebView access. If the command "set ssl enable" is configured in conjunction with "set webview disable ssl-only" (the default setting), then WebView will be accessible by either HTTPS or HTTP.
Modifications have been implemented to make the interaction of GVRP and dynamic LAG creation more resilient.
If a user globally disables maclocking or disables it on a port, the CLI output of "show maclock stations" will no longer list MAC addresses on the affected ports as having an "Active" status.
The SecureStack C2 switch now supports up to three ip-helper addresses per routed interface. This advanced functionality replaces the global ip-helper address command which was supported in earlier images.
The Power Supply Status and Fan Status of all stack members can now be examined by executing the "show system" command via the CLI or by accessing the "Power Supply" screen of WebView.
The default speed and duplex settings for the C2K122-24 ten gigabit interfaces will no longer appear in the output of "show config".
ToS values of zero are now accurately displayed as "0" in the output of the CLI command "show cos settings".
If the primary and secondary servers are configured on the device, the device will attempt to contact the secondary RADIUS server if the primary server becomes unavailable.
When the C2 generates RADIUS Access-Requests during host console authentication, the SecureStack will now set the correct NAS-Port-Type and Service-Type attributes within the packet.
The dot1dStpPortDesignatedBridge OID will now return data for both linked and unlinked ports. Addressing this error resolves the automatic linking in NetSight Topology Manager, and eliminates the bad queries observed while accessing the Port Spanning Tree information in NetSight Console's FlexView.
Port priority-queue mapping which has been saved is now reapplied to the port configuration during bootup.
When a port is removed from a LAG, the designated root path cost will be recalculated to the correct value and the STP BPDUs will reflect this adjusted value.
The "set system location" command now supports a string up to 254 characters in length.
Port counters are now cleared when the link state of a port transitions to ―down‖.
When a topology change occurs, the device will no longer transmit an invalid trap reporting the dot1qVlanIndex has an invalid type.
The "set port advertise" and "clear port advertise" commands now support configuration of port ranges.
The SecureStack C2 switch now supports non-default facility settings when defining remote Syslog servers.
MAC addresses will only be learned on dynamic VLANs if local users exist on those VLANs.
If maclocking is enabled both globally and per port, the etsysMACLockingLockedEntryCause OID will be populated appropriately whether static entries are present in the MIB or not.
The command "show macauthentication sessions" will now accurately reflect all authenticated users, even after multiple toggles of the MAC locking and MAC Authentication functionality.
When the last client in a multicast group leaves the group, its entry will now be correctly aged out of the multicast forwarding database.
Flow Control Pause packets are now managed appropriately by the SecureStack C2 switch.
When executing the "show port lacp port <port-string> counters" command, the SecureStack C2 switch validates that the port-string option contains a valid port number or range before responding to the command.
Performing the command "clear ip ospf process <process-id>" has been corrected so it will only reset the OSPF process running on the device; this entails clearing the OSPF tables and restarting the OSPF neighbor adjacencies.
The default behavior of spanning tree ADMINEDGE begins with the value set to FALSE initially after the device is powered up. If a spanning tree BPDU is not received on the port within a few seconds, the ADMINEDGE setting changes to TRUE. In the previous release, this process had taken 7-12 seconds, but with this release the time period for this process to complete has been reduced to 4 seconds. This matches the behavior displayed in the Enterasys DFE product line.
When the SecureStack C2 switch receives EAPOL packets on ports set to "discard", the device will now drop these packets.
The values displayed for "In Discards" and "In Errors" are now accurately reported by their respective MIBs as well as the output of the "show port counters" CLI command.
Fixed corner case where I2C BUS could get hung reading SFP type.
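A quick way to confirm that "set ssl enable" together with "set webview enable ssl-only" (described in this 4.00.24 section) actually took effect is to probe the management address from the network rather than trusting the running configuration. The Python below is an added example, not part of this release note or of the switch firmware. Host names and ports are parameters supplied by the caller; the demo function stands up a loopback listener as a constructed stand-in for the HTTPS port so the check can be exercised without a switch.

```python
import socket


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def webview_exposure(host, http_port=80, https_port=443, timeout=2.0):
    """Classify the management web interface as seen from the network.

    ssl-only  : only HTTPS answers; the expected state after 'set webview enable ssl-only'
    mixed     : both answer, so credentials can still be sent over plaintext HTTP
    http-only : SSL is not enabled at all
    closed    : WebView is disabled or the ports are filtered
    """
    http = port_open(host, http_port, timeout)
    https = port_open(host, https_port, timeout)
    if https and not http:
        return "ssl-only"
    if https and http:
        return "mixed"
    if http:
        return "http-only"
    return "closed"


def audit(hosts, timeout=2.0):
    """Return the hosts whose WebView still answers on plaintext HTTP."""
    return [h for h in hosts
            if webview_exposure(h, timeout=timeout) in ("mixed", "http-only")]


def _ephemeral_port(listen):
    """Bind a loopback socket on a free port; keep it listening or release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    if listen:
        s.listen(1)
        return s, port
    s.close()           # released: nothing listens here, so connects are refused
    return None, port


def demo_against_local_listeners(serve_https=True):
    """Offline demonstration: a loopback listener (or a released port when
    serve_https is False) plays the HTTPS side; a released port plays HTTP."""
    https_sock, https_port = _ephemeral_port(listen=serve_https)
    _, http_port = _ephemeral_port(listen=False)
    try:
        return webview_exposure("127.0.0.1", http_port=http_port,
                                https_port=https_port, timeout=1.0)
    finally:
        if https_sock is not None:
            https_sock.close()


if __name__ == "__main__":
    print(demo_against_local_listeners())
    print(demo_against_local_listeners(serve_https=False))
```

Run audit() over the management addresses of the stacks after an upgrade: any switch reported as "mixed" has SSL enabled but is still accepting WebView logins over port 80, which is the default unless ssl-only was explicitly set.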
Changes and Enhancements in 3.03.33
WebView access has been modified to withhold the display of any device information until the user has provided their access credentials.
The F-Secure SSH application is supported on the SecureStack products.
Resolved an issue with CDP which could cause the device CPU utilization to rise to 100%.
The SecureStack C2 switch correctly governs the period of time for which the TC bit will be set in a spanning tree BPDU when a port transitions to the forwarding state.
Port speed and port duplex settings can be modified using WebView.
When polling the sysObjectId OID, the C2G170-24 will respond correctly identifying the device model.
The "clear SNMP access" commands have been removed from the default configuration.
Login accounts on the device will be managed in the following manner:
Accounts with "read-write" or "read-only" permissions will be locked out after the number of sequential failed login attempts exceeds the configured login attempts value. Once the account has been locked out, a user with "super-user" credentials must log into the device and re-enable the "read-write" / "read-only" account. The expiration of the lockout timer will have no effect on the state of accounts with these access permissions.
Accounts with "super-user" permission will be locked out for the duration of the lockout timer after the number of sequential failed login attempts exceeds the configured login attempts value. Once this timer has expired, the "super-user" account will automatically be re-enabled.
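The two lockout rules just described amount to a small state machine: read-write and read-only accounts stay disabled until a super-user intervenes, while super-user accounts recover on their own when the lockout timer expires, so that repeated bad logins cannot lock the last administrator out of the switch for good. The Python below is an added example modelling that policy; it is not the switch's implementation. The class and method names, the counting rule (the account locks on the failure that exceeds the configured value) and the caller-supplied clock are assumptions made for the illustration.

```python
class AccountLockout:
    """Model of the SecureStack login lockout rules (example, not firmware code)."""

    ROLES = ("super-user", "read-write", "read-only")

    def __init__(self, max_attempts, lockout_seconds):
        self.max_attempts = max_attempts        # configured login attempts value
        self.lockout_seconds = lockout_seconds  # lockout timer; only super-user uses it
        self.accounts = {}

    def add_account(self, name, role):
        if role not in self.ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.accounts[name] = {"role": role, "failures": 0,
                               "disabled": False, "locked_until": None}

    def is_enabled(self, name, now):
        acct = self.accounts[name]
        if acct["disabled"]:
            return False   # stays disabled until a super-user re-enables it
        if acct["locked_until"] is not None and now < acct["locked_until"]:
            return False   # super-user timer still running
        return True

    def attempt(self, name, success, now):
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        acct = self.accounts[name]
        if not self.is_enabled(name, now):
            return "locked"
        if success:
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] <= self.max_attempts:
            return "failed"
        # Sequential failures now exceed the configured value: lock the account.
        acct["failures"] = 0
        if acct["role"] == "super-user":
            acct["locked_until"] = now + self.lockout_seconds   # self-clearing
        else:
            acct["disabled"] = True                             # needs a super-user
        return "locked"

    def reenable(self, actor, name):
        """Only a super-user may re-enable a locked read-write/read-only account."""
        if self.accounts[actor]["role"] != "super-user":
            raise PermissionError(f"{actor} is not a super-user")
        acct = self.accounts[name]
        acct["disabled"] = False
        acct["locked_until"] = None
        acct["failures"] = 0


def demo():
    """Drive both rules; returns the observed outcomes in order."""
    lk = AccountLockout(max_attempts=3, lockout_seconds=900)
    lk.add_account("admin", "super-user")
    lk.add_account("ops", "read-write")
    out = []
    for t in range(4):                                   # 3 failures tolerated, 4th locks
        out.append(lk.attempt("ops", False, now=t))
    out.append(lk.attempt("ops", True, now=5000))        # elapsed time does not help "ops"
    lk.reenable("admin", "ops")
    out.append(lk.attempt("ops", True, now=5001))
    for t in range(4):
        out.append(lk.attempt("admin", False, now=10 + t))
    out.append(lk.attempt("admin", True, now=20))        # still inside the 900 s timer
    out.append(lk.attempt("admin", True, now=13 + 900))  # timer has expired
    return out


if __name__ == "__main__":
    print(demo())
```

The asymmetry is deliberate from a security standpoint: an attacker who knows an operator's account name can deny that operator service, but the recovery path (a super-user login) is never itself closed off. It also means the super-user password is the one that must be strong enough to survive a slow, timer-paced guessing attempt.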
Changes and Enhancements in 3.03.27
Resolved an issue where the device in certain scenarios could become unmanageable after accessing WebView.
The C2 now supports default LAG key, which enables LAGs to be dynamically created.
Static LAG configurations will remain persistent and functional following a reboot.
When a ―verify‖ function is performed by NetSight Policy Manager on a C2 configured with VLAN-to-Role mapping, the C2 will now return the correct result.
Support has been added to allow users to configure per port advertise ability via the CLI.
When clearing the configuration of a device, both commands "clear config" and "clear config all" will now retain the configured host IP address of the device.
Users now have the ability to remove a specific sid from an MSTI via the CLI.
An 802.1X authentication (PEAP) username will allow a maximum of 63 characters.
If a local routed VLAN interface is configured as a layer 3 IGMP Querier, the interface will only forward multicast traffic on that interface if a member port has requested to join a multicast stream.
The "set width" and "set history" commands are now persistent when using the "default" option. If the "default" option is not configured, then the settings are only in effect until the device is reset.
The "set length" command is now persistent.
A policy can now be applied to a port when the RADIUS server sends either a 'Decorated' or 'Undecorated' Filter-ID.
Users can now display the RADIUS session-timeout reauth value using the "show dot1x auth-config <port>" command.
The dot1dStpPortDesignatedPort MIB will now show the port ID of a linked port's designated port. For a bridge port it will show the designated port ID, and for an edge port it will show the edge port's port ID.
The exclamation point, "!", is now supported as a valid character in CLI configuration. It can now be used in a device configuration such as when configuring security keys, group names, etc.
Numerous improvements have been made to the CLI and WebView for spanning tree statistics and configuration.
The output of the CLI command "show spantree stats" will now display the "Designated Root Priority" correctly when the device is connected to another bridge that is root and has a non-default priority value.
Users can now remove a range of ports from a LAG. In previous images, member ports of a LAG could only be removed individually.
The path cost to root across a LAG will be calculated based on the number of ports within the LAG.
Connectivity issues when using PuTTY for SSH connections to the host have been resolved.
The node/alias tables on the C2 will now reflect both real-time and historical entries.
The OIDs for sysLocation, sysContact, and sysName now support a maximum string length of 255 characters each.
If the stack is part of a spanning tree region and it is changed to stpcompatible (forced version 0), it will be removed from the region since it is now considered a single spanning tree device. If, however, it is set back to MSTP, it will now correctly re-enter the MSTP region.
Clear policy port will now correctly remove the policy assignment specified.
Support for the spanning tree tctrapsuppress and protomigration options has been added to the CLI.
The output of "show port lacp port <port> counters" now clearly identifies each port number within a stack.
The "show spantree portadmin" command has been added to the CLI.
Changes have been implemented to make the move management command more resilient.
Support has been added to allow users to set the host VLAN via the dot1qPvid OID.
When an authenticated user is moved from one port to another, the etsysMultiAuthSessionStationAuthStatus MIB entry will now change to reflect authTerminated(5), and Policy Manager will display the session in black, which indicates an inactive (previously authenticated) session.
The ifMtu OID now correctly returns the maximum supported ifMtu size for each port.
The ipNetToMediaTable MIB now associates entries to the host port.
When a change in the selection of the stack manager occurs via the movemanagement command, the new master will now send out a gratuitous ARP packet.
The PWA port control options have been changed to match those found on the Enterasys DFE switches.
When a SecureStack device suffers a power system failure, the system will now send a trap from the etsysPsePowerNotification MIB, which can be correctly decoded by NetSight Console.
Changes and Enhancements in 3.02.32
When a "verify" function is performed by NetSight Policy Manager on a C2 configured with VLAN-to-Role mapping, the C2 will now return the correct result.
The C2 now has the ability to handle multiple 802.1X authentication attempts without requiring that they be separated by a logoff frame.
Changes and Enhancements in 3.02.30
In previous versions a condition could occur in which a unit would leave and then rejoin the stack; this has been corrected.
A fault which caused an error message to be displayed on the CLI when deleting an MSTI has been resolved.
Deleting Multiple Spanning Tree Instances will no longer result in error messages being displayed for each VLAN which was a member of the deleted MSTI.
If the switch has its configuration changed from MSTP to RSTP, the device will correctly remove itself from any MST regions.
When executing the show spantree stats command with the active option, both global and port information will be displayed.
If the switch is the root of an MSTI, the correct port role/state will now be applied when joining a region.
The SecureStack only supports a maximum of 10 locally saved configuration files. If a user tries to tftp an eleventh configuration file onto the device, the CLI will now display an error message stating the maximum number of saved files has been reached.
Users can now set the default value of backup root status for an MST instance using the CLI command "clear spantree backuproot".
Support for spanning tree bridgeprioritymode has been added to the device.
Support has been added for the ctEntStateOperEnabled and ctEntStateOperDisabled traps. These traps announce whether a unit has dropped from the stack due to a failure or a unit has joined the stack.
Changes and Enhancements in 3.02.32
The "exclude" parameter of the command "set SNMP view" will now correctly limit the device MIB subtrees which can be accessed by an SNMP user.
An issue has been resolved which previously prevented administrators from configuring port mirroring on C2H124-48 units for ports greater than port 24.
Support has been added for port alias, which allows users to configure their own unique text "alias" for different ports on the device.
When 802.1X is enabled at the device level, if you change the port mode from "force-auth" to "auto", the dot1xAuthPaeState will correctly change from "forceauth" to "Initialize".
When a user has been authenticated successfully via 802.1X on a port, the dot1xAuthPaeState is now set to "Authenticated(5)".
When the ifInDiscards OID is queried, the switch will now return accurate data. The ifOutQLen and ifSpecific OIDs have been deprecated and will not be supported.
When setting up an SNMP view, the device can now handle any referenced subtree OID which contains more than a single octet.
When configuring MAC locking, after locking the first arrival address, if the user enters the command "show maclock <port>", the first arrival address will no longer be shown as a violating address.
When restoring the config on a C2 device with SNMPv3 using NetSight Inventory Manager, the Inventory Manager can now reestablish contact with the device after the reset following the restore operation without added assistance.
The C2 now has support for specifying precedence values when configuring multiple SNTP servers.
Earlier versions of code had saved configured default logging facility settings as invalid values. This image will recognize both these invalid values and the correct values, so when the device is upgraded or has a saved configuration loaded onto it, the default logging facility will be correctly programmed.
A problem has been addressed where use of the Automated Security Manager ―Undo‖ button could lead to a user not being able to authenticate to a fully functional role.
A corner case issue has been resolved where in certain configurations a newly created VLAN would not forward traffic until the switch was rebooted.
Settings made to the ctAlias MIB will now be reflected correctly in the CLI.
A problem has been addressed where if a user misconfigured a LAG with the same admin key going to different switches, a LAG was incorrectly formed.
MAC authenticated users who are assigned to a VLAN containing a locally configured router interface will no longer cause the routed interface to change to a down state.
RADIUS access request packets will now contain the correct NAS-IP-Address and NAS-Port-Id information.
If a directly connected RIP interface loses link, the router can now learn alternative routes to the network through its other RIP interfaces.
If a C2 is acting as a switch in a VRRP network and the VRRP master moves to another port, the C2 will correctly update its tables with this information.
Changes and Enhancements in 3.01.91
When an 802.1X authenticated user logs off of their PC, the C2 will now send an EAP end frame which correctly terminates the 802.1X session.
Changes and Enhancements in 3.01.90
If IGMP snooping is enabled in an L2 environment, with a multicast server and client on a VLAN, the traffic will only be directed to those clients on the VLAN who have requested to join the stream.
When MAC authentication is enabled on a port, any MAC addresses which had been previously learned on the port by the FDB will be removed, and will have to be relearned.
MAC authenticated sessions are no longer deleted if the MAC entry ages out. MAC authenticated sessions will only be removed on link down.
Setting the port MAC authentication quiet period is now supported via the CLI.
A variety of enhancements have been made to MAC authentication. MAC authentication can be configured as a single user per port or in "piggy-back" mode, where once an initial user is authenticated, multiple users can share the same port and the policy assignment assigned to the port. In either implementation, the user can configure the port to have a default policy for unauthenticated users or define no default policy, essentially locking all users off the port until they are authenticated. These four possible configurations are explained in more detail below:
MAC authentication, Single User mode, no piggy-back:
This requires no configuration change for existing implementations.
o No default policy applied
Traffic will not be forwarded until the MAC address is authenticated. If the authentication attempt of the first MAC address received on the port fails, the port will wait for the quiet period to expire before sending the next MAC address received to the RADIUS server for authentication.
o Default policy is applied
Traffic will be forwarded per the default policy. Any MAC address received on the port will be added to the filter database (FDB). An authentication request for this MAC address will then be sent to the RADIUS server. If the authentication attempt fails, the device will delete the MAC address from the FDB, and repeat the process with the next MAC address received on the port.
MAC authentication, Single User mode, with piggy-back:
MAC Locking must be enabled on the port. The user can limit the maximum number of addresses that can be learned on the port using the first arrival setting.
o No default policy applied
There will be no traffic forwarded on the port until a MAC address is authenticated. When the first MAC address is received on the port, a request will be sent to the RADIUS server. If the authentication attempt fails, the port will wait until the quiet period expires and then remove the MAC address from the FDB. The device will then take the next MAC address received on the port and restart the process. Once one MAC address is authenticated on the port, additional MAC addresses can be added to the FDB without going through the authentication process, up to the configured first arrival setting (default 600 per port).
o Default policy is applied
Traffic will be forwarded on the port per the default policy until a MAC address on this port has been authenticated. When the first MAC address is received on the port it will be added to the FDB, and a request will be sent to the RADIUS server. If the authentication attempt fails, the device will wait until the quiet period expires, and will then repeat this process using the next MAC address it finds in the FDB for this port. Once one MAC address is authenticated on the port, additional MAC addresses can be added to the FDB without going through the authentication process, up to the configured first arrival setting (default 600 per port).
The SecureStack C2 will now accept DVMRP Graft packets which contain either a source IP host or Source IP Network.
The device now supports the ability to hardset mini-GBIC ports to a forced 1000 Mbps. To force 1000 Mbps on an SFP module, disable auto-negotiation for that port (or combo port). In that state, fixed RJ45 copper ports (if they are combo ports) behave as expected (you can force them to 10 or 100 Mbps, full or half duplex). If an SFP module is present, the port is automatically set to forced 1000 Mbps, full duplex, "master".
Changes and Enhancements in 3.01.80
If a link is established between a C2G124-xx and a C2H124-xx using an MGBIC MT-01, and the C2H124-xx is reset, the link will correctly be reestablished when the C2H124-xx comes back online.
Saved configurations which contain user-defined SNMPv3 users, will now be correctly loaded when applying the configuration to the device.
The buffer management scheme has been modified to allow a single port to use more of the common buffer pool.
PWA will now work correctly in a routed environment.
Changes and Enhancements in 3.01.71
An issue was resolved with this code where in specific circumstances, a MAC authenticated user was required to reauthorize their client every 5 minutes.
This image resolves an issue where in certain network configurations running MAC authentication, clients would be unable to access network resources or re-authenticate.
Users who are dynamically added to a VLAN on which the host has been statically added will now have the ability to have connectivity to the host.
User mobility now works correctly in association with MAC authentication.
Policy profile names which include spaces are now supported.
When a C2 resides in a VRRP environment, connectivity to the host will now remain resilient after a VRRP master failover.
The device now supports the ability to be configured to transmit SNMPv3 inform messages to a remote network monitoring application.
Clearing previously-configured SNMP access groups will no longer cause an error message to be displayed.
Disabling auto-negotiation on the SFP ports via the ifMauAutoNegAdminStatus OID is not supported and will fail. In earlier versions of code, this action would have resulted in the device resetting.
The device will no longer clear the host ARP table when pinging from the console, and will now display all learned entries in the host ARP table when executing the switch command "show arp".
In previous images, users were only allowed to create 99 rules in a policy even though 100 rules were supported. This issue has been corrected with this release.
The C2 will now add the configured static default route to a regular RIP update when redistribution of static routes is enabled.
Policy profiles configured for VLANs 1-4093 are now supported. If one of these profiles is matched, the traffic will be marked appropriately and will egress out the correct VLAN.
When a C2RPS-POE is connected to a SecureStack device and power is discontinued or provided on either the SecureStack C2 itself or the backup power supply (C2RPS-POE), an enterprise MIB trap will be generated detailing this event.
When polled, the entity MIB will display accurate descriptions of any installed MGBICs which have link.
The following Spanning Tree MIB objects are now correctly displayed in hundredths of a second: dot1dStpMaxAge, dot1dStpHelloTime, dot1dStpHoldTime, dot1dStpForwardDelay, dot1dStpBridgeMaxAge, dot1dStpBridgeHelloTime, and dot1dStpBridgeForwardDelay.
Entering CTRL-S in the CLI will no longer affect users who concurrently access the host using WebView or Telnet applications.
Enabling EAPOL on LAG ports is now supported.
User-configuration of static ARP entries is now supported on SecureStack devices.
Users now have the ability to remove ports individually from a policy profile using the command "clear policy port".
Changes and Enhancements in 3.01.52
Two concurrent SSH sessions are now supported.
A potential problem has been corrected where multiple heavily utilized concurrent SSH sessions could cause a reset.
A fix has been added that prevents excessive Linkup/Linkdown traps from causing a reset.
In previous versions, if a port was dynamically added to a VLAN and the host port was manually added to the same VLAN, it was not possible to ping the host port from the port that had been dynamically added to that VLAN. This has been resolved.
In previous versions, under extremely high traffic load the console could indicate a memPartAlloc memory error message and reset. This has been resolved.
In previous versions, under extremely high traffic load the stack manager could become isolated from the stack, causing a second manager to be elected. This has been resolved.
The master will now correctly prioritize and process STP packets under extremely high traffic loads. In earlier versions this had occasionally resulted in a reset and a new master being selected.
In previous versions, a LAG port could experience instability under extremely high traffic rates. This has been resolved.
In rare situations an issue has been seen which would cause ports which were using MAC authentication to lock up and cease passing traffic. This issue has been resolved with this release.
Changes and Enhancements in 3.01.45
Support for ToS Rewrite has been added to the platform. The feature can be configured via CLI, MIBs, or policy manager.
Pressing the reset button will now clear the configured boot menu password as well as the configured login passwords.
If a user removes the transmit link of an SFP fiber connection and then removes receive link of the fiber connection, the LED on the device will now correctly show the link as down.
The "show config" command now supports the option to display only specific functionalities configured on the device, i.e., "show config policy".
Support has been added to allow a user to configure the maximum number of node/alias entries which will be learned per port. The default setting is 32.
An issue which prevented a user from loading a file onto the C2 from the current directory of some Linux/UNIX machines has been resolved.
A problem existed with policy whereby rules set against a TCP port would also be enforced against the same UDP port and vice versa. The issue has been resolved with this release so only packets matching the specific criteria specified will be affected by the rule.
If a user creates a port mirror and then deletes the port mirror, this will no longer cause the device to reset.
Numerous enhancements to MAC authentication have been added to make the feature more resilient.
Changes and Enhancements in 3.01.20
Support for the C2G124-24 unit with 24 gig SFP ports.
This image enables the use of shared rules and masks on FE ports. A single group of 8 FE ports can share up to the total limit supported for a stack of 100 unique rules and 18 masks. Any single FE port cannot use more than 100 rules or 10 masks. Any policy set that exceeds these limits for a role will be rejected. Any stack which contains FE ports will be subject to the combined role limitations of 100 unique rules and 18 unique masks.
If a user attempts to apply a policy which will cause the stack to exceed the policy limits, the set will fail. The rules which exceeded the limit will fail, an error indication will be printed to the CLI, and Policy Manager will be sent an error via SNMP.
SNMPv3 users and groups can now be created without being required to execute the nonvolatile option.
An issue has been resolved which could cause the device to reset if a user executed a "clear SNMP view" command.
The SSH version on the device is now compliant with SSHv2.
The "clear policy port" command will now correctly remove a port from a configured policy.
The command "set system password length" will now execute correctly when entered via the CLI or loaded from a saved configuration file.
An issue has been resolved which prevented Policy Manager or a Console FlexView from correctly reading the RADIUS Server MIB.
The PWA port-control commands are now correctly displayed in the "show config" output. This will allow these settings to be correctly programmed when loading a saved configuration onto the device.
If the user attempts to TFTP the current.log file, the C2 stack will now gather the current.log files from all members of a stack and send a single composite "current.log" to the TFTP server.
Changes and Enhancements in 3.00.71
A problem which resulted in user-configured passwords being lost when upgrading from 02.01.37 to 03.00.50 has been resolved.
The dot1x command for auth-config settings is now correctly displayed in the "show config" output. This will allow these settings to be properly programmed into the device when loading a saved configuration.
Changes and Enhancements in 3.00.50
New Capabilities:
Support for layer 3 functionality including: RIPv1/v2, ACLs, IRDP, IGMPv2/v3, and traceroute. OSPF, DVMRP, and VRRP are supported, but require the purchase of a license key to access these functionalities.
A problem causing NetSight Inventory Manager to return an invalid URL message when executing a C2 configuration upload has been resolved.
The C2 running configuration has been modified to correctly display any OSPF areaid an interface may be configured for, including area 0.0.0.0.
An issue has been resolved whereby if a user had MAC authentication enabled and moved the stack management to another device via the "set switch movemanagement" command, an error message would be displayed.
Policy PVID 4095 currently takes precedence over drop rules.
Policy precedence ignores the first rule during a multiple rule hit.
A problem causing port mirroring to not work, or to only display traffic from the host has been resolved.
The C2 will no longer send IGMP Membership Queries with a source IP of 0.0.0.0.
A problem with WebView causing slowness in host function has been resolved.
An issue has been resolved where if a user had MAC authentication and dynamic policy assignment enabled, the message "failed to notify management of learned addresses" would scroll across the screen.
The "set policy rule 1 port" command is not supported and has been removed in this release.
An issue has been resolved in this release so that when executing the command "show vlan static", the output will correctly list the gigabit ports as ge.unit.port.
When assigning switch characteristics to a port, a user can now freely use port ranges instead of having to assign the characteristics to each port individually (i.e., "set gvrp disable ge.1.49-50").
An issue existed whereby, when upgrading the C2 from 1.1.11 to 2.00.48, port(s) became unusable until additional resets were made. This issue has been resolved when upgrading from 2.xx.xx to 3.00.50, but may still occur when upgrading from 01.xx.xx. It is recommended when upgrading from 1.xx.xx to 3.00.50 that a user first upgrade to 2.01.37 to avoid experiencing this issue.
Changes and Enhancements in 2.01.37
A function has been added to support dual images, allowing the user to choose which image to boot. After downloading the second image to the device, the user can select to boot from the backup image using the "set boot system" command. The user can also use the "show boot system" command to display the current system image. The "dir" command will list both the active and backup image on the unit. To remove a backup image, the user must execute the command "delete <image name>". Only the backup image may be deleted.
A function has been added for configuring daylight savings time on the device. The CLI command set for this function includes "set summertime enable | disable", "set summertime recurring" (for setting starting and ending times at a specific day of the month and hour each year, without having to reset annually), "set summertime date" (for non-recurring settings that must be reset annually), "clear summertime", and "show summertime".
The commands must be configured in the order shown:
1. set summertime recurring | date (specific starting and ending dates)
2. set summertime enable
3. set time
A function has been added which allows the user to revert back to the old device configuration. The user has the option of turning the default "auto save" mode off by issuing the "set SNMP persistmode manual" command. When manual save mode is enabled, the "save config" command must be issued to make configuration changes persistent. The CLI command set for this function also includes "set SNMP persistmode auto", which resets the mode to auto save, and "show SNMP persistmode". Configuration steps to disable the "auto-save" are:
1. set SNMP persistmode manual
2. save config
Note: At this point the system will not automatically save any changes unless the "save config" command is executed or the "reset" command is followed up by entering "yes" when prompted to save changes.
MIB support has been added for the dot1dTpFdbTable.
MIB support has been added for the dot1dTpAgingTime.
A problem causing the node/alias table to age out has been resolved.
A problem causing the ifType and ifName OIDs to return incorrect values for the 10-Gig ports on C2K122-24 units has been resolved.
The number of nodes supported per port in the node/alias table has been changed to 32 to make support consistent with other Enterasys products.
A problem causing SNMP replies to be sent out to the "old" root port after link loss has been resolved.
A problem causing a Syslog error to occur when joining two standalone units into a stack has been resolved.
Previously if a user attempted to add a powered up unit acting as master to an existing stack the CLI Syslog would display an error message. This has been resolved in the 2.01.37 release.
A method has been added to save the config manually, not automatically.
A problem where PWA would still allow a port to be authenticated even after the PWA session was terminated has been resolved.
A problem which caused the Spanning Tree LAG adminpathcost to be ignored after a reset has been resolved.
A problem where the ARP cache would not update when a new ISL port becomes active has been resolved.
A problem causing the dot1dTpFdbTable to respond to a snmpnext, but to fail to do so for a snmpget has been resolved.
A problem causing the Spanning Tree root cost to be incorrect when removed from the region has been resolved.
A problem allowing the user to disable auto-negotiation on an MGBIC shared SFP port has been resolved.
A "show radius accounting status" command has been added.
A problem causing stack communication issues, RPC timeouts, and master reset has been resolved.
A problem with CDP denoting the switch as SecureFast switch 1.8 or greater has been resolved.
Changes and Enhancements in 2.01.24
Support has been added for NetSight Automated Security Manager version 2.0 or later.
A problem causing a new configuration file to delete user-created passwords has been resolved.
CLI commands to set and show node alias on a per-port basis have been added.
CLI references to setting policies or VLAN assignments based on source IP or MAC address have been removed, as this functionality was never supported on C2 modules. The user can only configure rules to change the CoS or drop the packet based on source IP or source MAC address.
Two commands previously existed which had similar functionalities: "set policy rule admin-profile" and "set policy port". The "set policy rule admin-profile" command has been removed since it was not supported.
Configured "set policy port" commands are displayed incorrectly in the "show config" output. These commands are displayed as "set policy rule admin" commands. Therefore, any configurations saved by using "show config outfile" will also fail. This will be fixed in the 03.00.xx release.
Changes and Enhancements in 2.01.22
The user will now be prompted for a password in order to access the boot menu. The minimum character length is 10, and the default password is "administrator". Once the menu is accessed, the user can change the password. With this fix, the boot code version has changed to 01.00.23.
A new enhanced buffer mode function is available, which allows a standalone switch to support maximum buffers in its default transmit queues. Six of the available transmit queues are not set as "default" and the remaining 2 queues are reserved for higher priority tagged traffic. This function can be enabled or disabled using the "set system enhancedbuffermode enable | disable" command from admin access mode. When the set command is issued, the unit will prompt before resetting and rebooting in enhanced buffer mode. The default state is disabled. The current state can be displayed using "show system enhancedbuffermode" or "show config".
Important: Units must be operating as standalone switches when running in enhanced buffer mode. Stacking in this mode is not supported.
A new "save config" command is now available. This saves the running configuration on all stack members.
The FDB age time can now be set using the dot1dTpAgingTime MIB.
A problem causing the switch to actively reply when Telnet is disabled has been resolved.
A problem causing the switch to send a page stating WebView is disabled has been resolved.
An OID has been implemented in the switch which can be polled via SNMP to return the switch's default gateway IP.
A problem with setting the IP address on the switch, which caused an additional IP destination to be seen until the switch is reloaded, has been resolved.
An SNTP UTC offset for log time stamps is now supported.
A problem with the C2G134-24P units displaying the wrong sysObjectId has been resolved.
A problem causing all LEDs to be affected when an MGBIC was installed on a C2G134-24P device has been resolved.
Changes and Enhancements in 2.01.20
The command "show switch stack-port" has been added to allow a user to view various data flow and error counters on stack ports.
GVRP is enabled globally, but disabled on all ports by default. It is recommended that users enable GVRP on inter-switch links (ISLs), and leave it disabled on all other edge ports within the stack. Large numbers of ports with large numbers of VLANs can consume a large amount of CPU process time, causing the device to drop dynamic VLANs.
It is recommended that users do not create rules which use priority 7. The protocol packets which keep the stack integrity use priority 7 and high amounts of traffic with this priority setting may affect stack resiliency.
Unit buffers have been optimized to improve stack throughput for transfers using large block sizes.
A problem with the "set SNMP access" command has been corrected.
A problem preventing LAG creation if non-default adminkey was changed has been corrected.
A problem with the advertised ability MIB not being persistent has been corrected.
A problem causing the inability to set SNMPv3 targetparams has been corrected.
A problem causing the C2G124 to not link up when auto-negotiation was disabled has been corrected.
A problem with unlearned unicast packets preventing the stack from linking up has been corrected.
A problem with modules not supporting static trunking has been corrected.
A problem with the "set length 20" command not working with "show config" has been corrected.
A problem causing the inability to disable IGMP via CLI interface mode has been corrected.
Changes and Enhancements in Previous Releases
The "show slot" command found in previous images has been changed to "show switch hardware" to follow the syntax of other CLI commands.
Beginning with the 2.00.xx release the C2 family supports Enterasys Secure Networks capability. This includes support of user policies.
Configuration of Node/Alias is supported via both MIBs and CLI, however display of the Node/Alias table is limited to SNMP only.
Spanning Tree and Link Aggregation Group commands are now available via the CLI.
MAC port locking is supported in this release. However, support is limited to dynamically learned addresses only. Static locking will be supported in a future release.
The "DiffServ" functions supported in previous releases have been removed.
Default gateway and default route information is now available via CLI, but was not in previous releases.
A problem with the switch displaying improper information using the "show inline power" command has been corrected. The command now returns the proper amount of total power for the device.
A problem with edge port STP topology change counters incrementing incorrectly has been corrected.
A problem with the password reset not operating properly has been corrected.
A problem with disabling port mirroring causing a port to be inoperable has been corrected.
A problem displaying SNMP targetparams correctly has been corrected.
A problem preventing the user from creating a static VLAN after a dynamic VLAN had been created has been corrected.
A problem where auto negotiation was disabled for the four MGBIC ports has been corrected.
The event log will now time stamp error messages with the current time/date.
A problem where logging in as "rw" allowed the user to change the "admin" password has been corrected.
Viewing the ARP cache for the switch via CLI is now supported.
A problem with the output of the "show igmpsnooping mfdb" command has been corrected.
An issue requiring the user to configure LAGs in the non-default VLAN first has been corrected.
The "flowlimit" commands are now named "flowcontrol".
Known Issues in 5.01.06.0007
There are no new known restrictions or limitations associated with this release.
Known Issues in Previous Releases
When using macauthentication, if the multiauth session-timeout is set through the CLI, users are not able to re-authenticate once the session timeout expires.
Workaround: Use the RADIUS server to configure the session timeout instead of the CLI on the switch. The session-timeout works correctly when returned by the RADIUS server, allowing users to re-authenticate.
Setting of port advertised capability on Combo ports is not persistent.
When a VLAN tunnel is applied, traffic is egressed untagged as expected. "show vlanauthorization" will display the correct VLAN and MAC address; however "show vlan" and "show port egress" will not display tunnel ports.
When configuring a login banner ensure that the banner message is properly configured with a beginning double quote and ending double quote. The message itself cannot contain any additional double quotation marks.
RIP auto-summarization affects both RIPv1 and RIPv2 routes by default.
If the host IP address or the router IP interface used for management is in a zero subnet (i.e. 10.0.x.x/16), ARPs will resolve, and the host will be unable to ping devices within the subnet.
PIM-SM commands are not displayed in the device configuration.
ICMP packets containing the record route or timestamp options will not be forwarded by the device.
If a secondary address is added to an interface advertising RIPv2 via the ―redistribute connect‖ command, the
router will send an initial RIP response packet which includes the secondary address, but in the subsequent updates the route is not advertised.
The SecureStack does not send router Syslog messages.
Policy assignments for authenticated users will be dropped if the multiauth precedence of their ports is modified.
A locally configured DHCP server will not respond to a DHCP request for an IP address if the MAC address of the client is statically configured on the server and the DHCP request uses option 61, client identifier.
The SecureStack will not add a host route to its routing table for a subnet it already knows about.
When CoS based rate limiting is enabled, port based rate limiting is not supported.
MAC Addresses listed in a ―Violating‖ state according to Port MAC Locking can still dot1x authenticate on the port but the user will not have access on the network.
If you set a port to LACP passive using the command "clear port lacp port ge.1.1 aadminstate lacpactive", the command "clear port lacp port ge.1.1 aadminstate lacptimeout" will also be added to the configuration. If you unset the command, it will remove the second command automatically from the configuration file.
KNOWN RESTRICTIONS AND LIMITATIONS:
In certain specific Policy configurations, if a user is authenticated and assigned a VLAN via Policy and then moves to another port, the user will be able to reauthenticate but won't receive a VLAN assignment via Policy.
When SNTP is enabled on a B3 that is routing but does not have a switch IP address configured, the SecureStack will fail to synchronize its local time with the SNTP server.
An rmon alarm will not be triggered for a rising threshold when the startup parameter is configured for ―either‖.
When the rmon alarm value has incremented higher than the Rising Threshold, the rmon event for a rising threshold will not be triggered. When the rmon alarm value drops below the Falling Threshold, the rmon event for a falling threshold will be triggered.
When the SecureStack is configured as a DHCP server, it does not respond to DHCP Discover packets sent by Avaya IP Phones (model 96xx) if option 242 is configured. The DHCP server will respond correctly if option 176 is set instead.
The SecureStack will sometimes give erroneous error messages when setting RADIUS Accounting retries or timeouts, though the commands will correctly be applied to the device configuration.
The command "clear nodealias config <port>" will not clear non-default maxentries values. The nodealias maxentries value can be set back to its default of 32 by executing the command "set nodealias maxentries 32 <port>".
By default, dot1x on the stacks has maximum requests set to 2, but after only one failed login request the stacks go to a quiet period.
When a port mirror is created the mirror destination port is removed from vlan 1 egress list after a reboot.
If an admin user has been locked out of the device CLI, pressing the password reset button will remove the password configuration, but it does not re-enable the admin super-user account.
The "show spantree ports active" command may erroneously display some ports as active. If a port was once active and later goes down, the system will still show the port on the "active" list.
The RMON Falling Alarm event will trigger at each interval, even if traffic rates do not exceed the threshold. Additionally the RMON Alarm appears to be using the Falling Threshold as the interval instead of using the actual interval of 15 seconds.
The MIB dot1dTpFdbTable does not return any values.
If a policy rule is created for ipsource/ipdest socket with 48 bit mask, and socket is 0 (x.x.x.x:0), the rule will instead act on all traffic matching the 32 bit mask IP address regardless of socket value.
When policy is applied to a port, admin rules are created for the port. If a policy is removed from a port (clear policy port / clear policy all-rules) or if user became unauthenticated removing policy from the port, the admin rule for the port remains.
Tagged network traffic which is sent through a port mirror exits the destination port of the port mirror displaying the packet‘s 802.1Q tag.
The order of configuration of masked rules causes different forwarding behavior even though the end configuration is the same.
If the dot1dStpPortDesignatedRoot MIB is queried, the designated bridge will be returned and not the root bridge.
If a CoS setting's ToS value is configured to use the last two bits of the ToS field, these two bits will not get marked. For example, a ToS value of 3 will result in 0x00, and a ToS value of 255 will result in 0xFC.
When configuring routing on a mixed stack of C2 and C3 units, OSPF is only supported on the C3 units. OSPF adjacencies will not form on C2 slave units. OSPF adjacencies will correctly form on pure C2 stacks.
If the user sets the CLI length value to a value other than zero and enters the command "show mac port", the device will fail to display the MAC address information associated with the port specified and instead will display a message stating "there is no MAC addresses matching your criteria."
The SecureStack will remove all dynamic MAC addresses learned on a LAG port from the forwarding database when only an individual port on the LAG bounces. These MAC addresses will then need to be relearned by the device.
If you have a LAG between a SecureStack device and an Enterasys DFE device on which you disable lacp (set port lacp port) on LAG member ports on the DFE and then re-enable them, the LAG will not properly reform on the SecureStack.
The C2/C3 mixed stack does not support L2 rules, however they show as an option, this option should not be used as it is not supported.
With a basic PWA configuration on the C3 (enhanced mode is disabled), the user is unable to get to the PWA login page, even if the full URL for the PWA login page is used. Only after enabling enhanced mode can the user get to the PWA login page.
C2 rate limiting only supports 120 limiting instances per stack.
The C2H and C2G should support 100 rules associated with one policy role. After configuring the C2 as such, it gives a hardware error when trying to apply the policy to a port with 100 rules.
Although the C2H124-48/48P displays the commands for COS metering, it is not supported.
The CLI commands "show config" and "show running-config" will not always reflect all of the ACLs which have been applied to the routing interfaces.
When vlanauthorization creates VLANs from the tunnel attribute returned by radius, they are created as permanent VLANs. Since they are permanent, the vlan and egress configuration created dynamically from the RADIUS attribute will be stored in the configuration file permanently as well. If a user were to save a configuration file and then reload this file, VLANs and egress would be created even though they may no longer be used on that port.
When adding a new unit to an existing stack the ctEntStateNotifications mib does not send a trap reporting the addition of the new unit.
The CLI settings for logging local Syslog messages to console does not work.
Policy Manager reports incorrect packet count when port usage is queried on an 802.1X authenticated user.
GVRP frames are not forwarded when GVRP is disabled.
Packets smaller than 64 bytes or larger than 1518 bytes will not be counted by the ifInErrors MIB object.
When a user has multiauth configured, and two authenticated users on a port, the etsysMultiAuthSession MIB will only report one user when polled by Policy Manager.
All the VLANs learned via GVRP will appear in the GVRP MIBs regardless of there being local users attached to those VLANs or not.
The PWA duration times may increase to values over 60 minutes when executing the "show PWA session" command.
Attempting to change the Primary RADIUS Server to the Secondary RADIUS server or vice versa, does not work.
Enabling RMON capture on an interface will cause packets to be duplicated on the interface while the functionality is enabled.
Only RMON offset values of 1-1518 are supported.
The "set port priority" command will not change the 802.1p priority tag on tagged traffic with a default priority tag. The command only has an effect on how untagged traffic will be prioritized as it passes internally through the SecureStack C2 switch.
Each physical port of the SecureStack C2 switch will now support six configurable priority queues per port. The capability will be unlocked upon upgrade if the SecureStack C2 switch has no previously configured priority-queue mapping. If the device configuration contains previously configured priority-queue mapping, the functionality can be exposed by executing the command "clear port priority-queue <port(s)>".
When modifying the 802.1p priority to transmit queue mapping using the "set port priority-queue" command, changes made to Fast Ethernet ports are global to all Fast Ethernet ports within the stack. Changes made to Gigabit ports are unique to the port(s) specified.
The "set port vlan" command requires that the VLAN(s) specified when executing the command must already be preconfigured statically on the device.
The SecureStack C2 switch now has support for RMON Capture Packet/Filter Sampling through both the CLI and MIBs, but with the following constraints:
RMON Capture Packet/Filter Sampling and Port Mirroring cannot be enabled on the same interface concurrently.
The user can capture a total of 100 packets on an interface, no more and no less.
  o The captured frames will be as close to sequential as the hardware will allow.
  o Only one interface can be configured for capturing at a time.
  o Once 100 frames have been captured by the hardware the application will stop without manual intervention.
As described in the MIB, the filter is only applied after the frame is captured, thus only a subset of the frames captured will be available for display.
There is only one Buffer Control Entry supported. Due to the limitations of the hardware, the Buffer Control Entry table will have limits on a few of its elements:
  o MaxOctetsRequested can only be set to the value -1, which indicates the application will capture as many packets as possible given its restrictions.
  o CaptureSliceSize can only be set to 1518.
  o The Full Action element can only be set to "lock" since the device does not support wrapping the capture buffer.
Due to hardware limitations, the only frame error counted is oversized frames.
The application does not support Events, therefore the following elements of the Channel Entry Table are not supported: TurnOnEventIndex, TurnOffEventIndex, EventIndex, and EventStatus.
There is only one Channel Entry available at a time.
  o There are only three Filter Entries available, and a user can associate all three Filter Entries with the Channel Entry.
Configured channel, filter, and buffer information will be saved across resets, but not frames within the capture buffer.
When a user authenticates via dot1x, the initial value of dot1xAuthSessionTime for the authenticated port ranges from 10 minutes to 17 minutes. After the initial value is incorrectly set, the counter will increment normally.
When creating an inter-switch link (ISL) between two SecureStack PoE units via RJ45 or RJ21 ports, the CLI occasionally will report the ports as delivering minute amounts of power across the ISL or may display "Other Fault" errors. This has been determined to be a limitation of the PoE driver, and should have no effect on function of the port.
RMON automatically creates entries for stats using indexes associated with each port. If any of the automatically created indexes are cleared and then associated with a new entry, the new entries will not be persistent. Upon resetting the device, RMON will automatically create entries for each port using the initial default indexes. To avoid this situation, always use an index of 450 or greater when creating new entries.
Users cannot set port advertise ability settings on copper MGBICs.
If port mirroring is enabled on devices which have spanning tree disabled and spanning tree bpdu-forwarding enabled, the destination mirror port will initially display one additional BPDU packet for each member of the port mirror.
When issuing the command "set macauthentication portreauthentication <port>", the sessions currently existing on the port specified will be reset in addition to having the MACs re-authenticate.
The command "show policy rule admin-profile" will only display phone policies.
There currently is no method to clear lacp port counters.
Per port broadcast suppression has been implemented on the SecureStack, and is hardset to be globally enabled. The global command "set broadcast [enable | disable]" has been removed. If you would like to disable broadcast suppression, you can get the same result by setting the threshold limit for each port to the maximum number of packets which can be received per second:
  Fast Ethernet: 148810
  Gigabit: 1488100
  10 Gigabit: 14881000
The default broadcast suppression threshold for all ports has been set to 14881 to allow the device to be backward compatible with previous images.
Enterasys recommends administrators consider the following recommendations before configuring the SecureStack-C2 for a PIM-SM environment.
1) A C2 cannot be configured as a Candidate-RP or a Candidate-BSR.
2) A C2 should not be the first hop router for a multicast stream. In other words, the multicast stream should not originate on a C2.
3) A C2 should not be positioned in the core of PIM-SM topology, and should only be positioned at the edge device in PIM-SM topology. In other words, the C2 should only be used to deliver multicast streams to end clients.
The path cost of a LAG port will be displayed as zero when it is not an active link.
The VLAN-to-Policy mapping feature currently supported on SecureStack C2/B2 is a global setting which affects all ports and cannot be configured on a single port.
If the singleportlag variable is set to disable and link failures reduce the number of ports which compose a dynamic LAG to one, the member ports will revert back to normal port status.
If MSTP has maps that are associated with GVRP-generated VLANs and GVRP communication is lost, the MSTP maps will be removed from the configuration. It is recommended that users only create MSTP maps on statically-created VLANs.
Setting an extensive number of policy rules via the CLI can cause momentary loss of CLI and SNMP management.
The Policy functionality can only assign ports to VLANs which have been statically created.
GVRP created VLANs are not persistent after a reboot.
Only statically created VLANs are supported with Dynamic Egress.
Static MAC locking lists MAC address entries in the "show MAC" output as "other", and will not remove them on link down.
C2G134-24P and the C2G124-48 may show link state incorrectly when using MGBICS if auto negotiation is turned off on the MGBIC ports.
Authentication delays can occur under large volumes of unauthorized traffic.
If a VLAN classification rule (using the Ethertype field) is associated to a policy role, this classification rule has higher precedence than all forward and drop classification rules in the policy role.
NetSight ASM currently does not make concessions for support of "User + IP Phone" Authentication on the SecureStack C2 and B2 platforms. Therefore, if either a PC or an IP phone is detected as sourcing a security violation, NetSight ASM 2.1 will find the offending device's MAC address on the port of connection and apply the Quarantine policy role to this port, quarantining the PC. As a result of the statically configured VLAN-to-policy mapping being configured on the port, the SecureStack C2 and B2 will still assign the IP phone's tagged traffic to the specified policy role, while the PC is quarantined. Therefore, it is important to understand that the PC may be quarantined for security violations sourced by either the PC or the IP phone on a port, while the IP phone will remain un-quarantined.
Furthermore, a problem exists if a new IP phone is connected to a quarantined port or an existing IP phone loses its configuration. In either of these situations, the IP phone transmits its traffic as untagged and will not become operational on the network if the Quarantine policy role is configured to deny access to network resources the IP phone utilizes to obtain its configuration.
Users are able to reach PWA login screen in strict mode, but they will not be able to authenticate.
The 03.02.30 code contains a new PoE driver which will require additional bootup time as the driver is being updated on PoE units within the stack. Once the initial boot of the code has completed the delay should never be seen again.
A RADIUS authenticated users session will not timeout on the expiration of the idle timeout.
RIP stops calculating cost properly if cost ever equaled 16. If route cost is reduced below 16, the cost will not be propagated downstream properly.
The C2 does not allow secondary interfaces to be configured as owners of a virtual IP. The secondary interfaces can only be configured as backups of the virtual IP.
The command "set macauthentication portinitialize <port-string>" does not remove any currently active sessions.
Authenticated PWA sessions are not removed upon the expiration of the session timeout value returned from the RADIUS server.
Users can now configure "vlantag" tag rules for administering a phone policy, but the "vlantag" option is no longer supported for a policy profile index.
The MAC authentication portquietperiod defaults to 30 seconds.
A new user will not be able to re-authenticate under an existing session name until the current user logs off that name.
If a FID is mapped to a sid through WebView, the action is executed, however if there are any fids currently mapped to the sid they will be removed. Only the most recent mapping will be preserved.
Dynamic and static (admin) assignment of rule types is only supported for port-strings. The CLI output of ―show policy capabilities‖ falsely lists numerous other rule types as supporting this functionality.
The host should not be configured with an ip address which contains .255 in any of the four octets. The device will view any packets sent to this address as a subnet broadcast and the packets will be dropped, thus causing the device to become unmanageable.
Downgrading the code on a C2 device may result in loss of some configuration. If a user would like to downgrade, they should save their configuration, load the previous version of code on their device, set this older version of code to be the boot code, and then reload the saved configuration onto the device. Note that you will not be able to do this remotely unless you have remote console support.
If a user telnets to another device from the C2 and connectivity is interrupted to the device (i.e., spanning tree failover) it takes approximately 9 minutes to close the telnet session. During this time the user cannot perform any actions through the current connection.
If the CoS state is disabled but a CoS priority has been configured, the switch will continue to forward packets with the CoS priority, however the ToS field will not be modified.
When setting the IP address on the device with the CLI command "set ip address ...", if the gateway is entered before the mask, an error is returned and the IP address, mask and gateway are not configured. The user must enter the host IP, then mask, then gateway for the command to be accepted.
If PWA is in auto mode for a port, and default policy is applied, attempting to remove the default policy fails until PWA is disabled either by port or globally.
ACLs are not supported on routed VLANs which incorporate LAG ports.
Applying a policy to a destination port of a port mirror is not supported. Attempting to perform this will result in the C2 resetting.
Policy ethertype rule does not VLAN classify SNAP packets. If a policy rule is configured for ethertype, SNAP packets will not be VLAN classified according to their ethertype. AppleTalk ARP packets are SNAP encapsulated.
The OSPF ABR doesn't insert the default route into the NSSA when using the command "area 0.0.0.8 nssa". The default does get inserted when using the command "area 0.0.0.8 nssa default-information-originate".
Policy VLAN egress is not supported.
When issuing the command "show ip dvmrp route", the "via neighbor" field returns a network prefix rather than the IP address of the next hop gateway.
The output of "show ip mroute" will incorrectly display the source mask address as 0.0.0.0.
The C2 does not support the ability for a user to configure the host's gateway to be a local routed interface IP. The host's gateway must exist on a different device in the network if one is configured.
Port LEDs on the C2G134-24P are green if a port has a link regardless of if the link is PoE or data.
The C2 device is now propagating GVRP packets containing any known VLANs. If the user creates a VLAN without adding ports to the egress list, it will begin propagating GVRP packets with that VLAN.
If a policy is assigned to a port, and PVID status is set to enable, the port PVID cannot be configured. The "set port vlan" command appears to be successful when assigning the PVID, but the port VLAN cannot be set until policy PVID status is set to disable.
A policy rule can be created for ethertype 0x0800 and masked to 8 bits. An ethertype rule may fail to classify all 0x80xx traffic, such as ARP packets (0x0806). A masked ethertype rule will only classify exact match (16 bits) 0x0800.
ARP packets are not classified based on policy IP source/destination rules.
Policy CoS override takes precedence over most policy rules. This feature exists only for when rules do not match policy bound classification rules. MAC and IP address rules do take precedence over the policy profile CoS as expected.
A C2 which is configured as an OSPF stub or NSSA area may drop a learned default route.
The mroute table source network field displays the host ip address, not the host network.
Setting the Policy Bridgeport rule is not supported via the CLI.
Invalid policy rules exist if units are removed from stack.
Port counters and RMON counter may display differing values.
Area default-cost parameter isn't used when the ABR router is configured for an NSSA.
The "set rate limit" command only works with tagged packets or packets with priority zero set. Rate limiting is fully supported through use of the COS MIB.
C2 does not redistribute default route via OSPF redistribution.
If a user attempts to back rev from 3.00.50, only the previous patch release, 2.01.37, is supported. However, if back revving from 3.00.52, patch releases 3.00.50 and 2.01.37 are supported.
When a user has been authenticated successfully to a DENY_ALL policy via PWA, the user cannot load the Logout webpage.
When the device is configured for manual SNMP persistmode, if the user attempts to change the boot system image, the device will not prompt the user to save changes or warn the user that changes will be lost.
Before executing the "set switch movemanagement" command, the user should execute the "save config" command to ensure no recent changes are lost.
The C2 does not currently support the ability to configure a critical IP address.
The user can apply an ACL to a routed VLAN interface or a policy to a port. However, the device does not support enabling both features simultaneously on a port that is part of a routed VLAN interface.
OSPF only supports simple authentication on virtual links. MD5 authentication is not supported over OSPF virtual links.
To enable IGMP on a routed interface, the user must enter the global command "ip igmp", as well as the interface command "ip igmp enable", for the device to start sending / processing IGMP multicast traffic. IGMP is disabled by default both globally and on a per interface basis.
To enable DVMRP on a routed interface, the user must have an advanced license key configured on the device and execute the following steps:
1. Execute the global command "ip igmp"
2. Execute the global command "ip dvmrp"
3. On each interface running DVMRP, execute the command "ip igmp enable"
4. On each interface running DVMRP, execute the command "ip dvmrp enable"
DVMRP is disabled by default both globally and on each interface.
The C2 only supports one default route. If a default route is configured on the router it will take precedence over the default route configured for the host IP.
The OSPF areaid of a routed VLAN is configured on each interface. On other ETS products this is usually done under the global ospf commands. If the user does not configure an areaid on a routed interface running OSPF, the default areaid of 0.0.0.0 will be used.
When creating a stub or NSSA area, in order to remove the existing Summary or External LSAs, before they age out naturally, all of the stub/NSSA area routers can either be reset, or the user can stop and restart the OSPF process. Otherwise, after 3600 seconds have passed the MaxAged Summary or External LSAs will be removed automatically.
If secondary IP addresses are configured on a RIP interface, some of the subnets may be missing from the RIP advertisements.
The CLI allows the user to create conflicting rate limiting configurations.
Auto negotiation cannot be disabled on ports 45-46-47-48 on the C2G124-48 and C2G124-48P. This restriction also means that those ports cannot be manually set to a specific speed and duplex.
After setting the port to 10 MB full duplex, if the switch is reset, the port will come up as 100 full.
Policy roles and rules cannot be applied to ports that are members of a link aggregation group.
When the user tries to add a LAG port that hasn't been created to a policy profile that has been configured, an error message is returned, but it does not show up in the policy rule table.
When a policy profile is set and rules are added, and then ports are added to the policy, a message is returned. This message is also seen when the stack is rebooted.
Users who have not yet been authenticated using PWA "auto mode" are allowed to ping the switch IP.
There is an occasional problem where the web authentication logout screen is not displayed. The user is indeed logged out, but the logout screen is not displayed.
Entering the boot menu without specific instructions from technical support can cause unexpected behavior in the switch.
When PWA "gueststatus" is enabled (set to "authnone"), the guest defined by "guestname" can log in, but other valid users cannot.
ARP frames are dropped unless a policy explicitly permits ARP frames to pass.
Dynamic MAC address locking will learn a MAC address on a continual basis if a learned MAC address is moved to another port.
Setting MAC locking "first arrival" to "0" does not deny the first MAC address learned on a port from passing traffic.
When a new member stack is added to a switch and the new member does not have the same software installed as the stack manager, a mismatch message will appear. To update the unit, the user must copy the new software to the new member switch via the CLI. The command "set switch copy-fw" will copy the image onto all units whose image does not match the manager. The stack must then be reset once this command has finished executing for the command to take effect.
If there is an image mismatch or configuration mismatch between stack members, those member units whose configuration and/or version do not match the switch will not join the stack. The user must use the "set switch copy-fw" command to copy the image onto the member units (as stated above). If the configurations do not match, they must clear the configuration on the stack and reconfigure the stack.
A VLAN cannot be disabled via CLI and/or WebView, SNMP must be used.
Configuration is saved locally to the manager of the stack every two minutes. Propagation of the configuration to the other stack units occurs across the stack every 30 minutes. If changes have been made, they will not be persistent until 30 minutes have expired and the config is copied to all members' NVRAM. A user can initiate the device to immediately propagate a copy of the configuration to all stack members by executing the command "save config" or by executing a manual reset using the "reset" command. A manual reset of the stack using the reset command will force the configuration to be saved to all units and then will reset the stack.
IGMP snooping cannot be controlled via WebView.
The "show logging buffer" command, by default, will now only show "critical" failures and user login/logout timestamps. This setting can be modified.
WebView does not allow a FID to be mapped to a SID. This function is supported via SNMP and CLI.
Policy rule precedence is not working properly with an "ethertype" rule mapped to a VLAN and an IP protocol type rule conflict. The IP protocol type rule has precedence over the "ethertype" rule, but the device does not enforce this precedence properly.
The C2 has the ability to classify packets to a particular VLAN based on Receive Port and by Ethertype. In order to take advantage of the Ethertype VLAN classification type, the switch hardware must be of a specific revision or higher. The revision information is included in the table below.
C2G124-48, C2G124-48P HW Revision Level 0C (zero C) and above
C2G124-24, C2H124-48, C2H124-48P HW Revision Level 0A (zero A) and above
Web Authentication does not support accounting.
Known Issues in Previous Releases
A stack of eight units can be created with any combination of units, except that a stack consisting of eight C2G124-48s (48-port 10/100/1000), eight C2G134-24Ps, or eight C2K122-24s is not supported. A stack of seven C2G124-48s/C2K122-24s/C2G134-24Ps and one C2G124-24 is supported.
WebView does not timeout after being idle. It is recommended that the user logout when they have finished using WebView.
Setting the system lockout time is not supported.
VLAN ID 4094 is not supported and is reserved for other use in the system.
After a change from a primary to a backup stack manager, the "show version" command may not show the proper version information for all units in the stack. Some units may be omitted from the displayed results.
For the most up-to-date information concerning known issues, go to the Global Knowledgebase section at http://www.enterasys.com/support/. For the latest copy of this release note, go to http://www.enterasys.com/services/support/downloads/. To report an issue not listed in this document or in the Global Knowledgebase, contact our Technical Support Staff.
STANDARD MIB SUPPORT:
RFC No.            Title
RFC 1213           MIB-II
RFC 1493           Bridge MIB
RFC 2819           RMON MIB
RFC 2613           SMON MIB (portCopyConfig)
RFC 2668           Ethernet-Like MIB
RFC 2233           ifMIB
RFC 2863           ifMIB
RFC 2620           RADIUS Accounting MIB
RFC 2618           RADIUS Authentication MIB
RFC 3621           Power Ethernet MIB
IEEE 802.1X MIB    802.1-PAE-MIB
IEEE 802.3ad MIB   IEEE 8023-LAG-MIB
RFC 2674           802.1p/Q Bridge MIB
RFC 2737           Entity MIB (physical branch only)
RFC 2933           IGMP MIB
RFC 2271           SNMP Framework MIB
RFC 3413           SNMP Applications MIB
RFC 3414           SNMP USM MIB
RFC 3415           SNMP VACM MIB
RFC 3584           SNMP Community MIB
RFC 1248           OSPF Version 2 MIB
RFC 1724           RIP Version 2 MIB
RFC 2787           VRRP MIB
RFC 2465           IPv6 MIB
RFC 2466           ICMPv6 MIB
ENTERASYS NETWORKS PRIVATE ENTERPRISE MIB SUPPORT:
Enterasys Networks Private Enterprise MIBs are available in ASN.1 format from the Enterasys Networks web site at http://www.enterasys.com/support/mibs/. Indexed MIB documentation is also available.
Title
ctbroadcast mib
ctRatePolicing mib
ctQBridgeMIBExt mib
ctCDP mib
ctAliasMib
ctTxQArb mib
ctDownLoad mib
etsysRadiusAuthClientMIB
etsysRadiusAuthClientEncryptMIB
etsysPolicyProfileMIB
etsysPwaMIB
etsysSyslogClientMIB
etsysConfigurationManagementMIB
etsysMACLockingMIB
etsysSnmpPersistenceMIB
etsysMstpMIB
etsysMACAuthenticationMIB
etsysIetfBridgeMibExtMIB
etsysMultiAuthMIB
etsysSntpClientMIB
etsysIeee8023LagMibExtMIB
etsysVlanAuthorizationMIB
etsysCosMIB
etsysResourceUtilizationMIB
SNMP TRAP SUPPORT:
RFC No.            Title
RFC 1213           ColdStart
                   Link Up
                   Link Down
                   Authentication Failure
RFC 1493           New Root
                   Topology Change
RFC 1757           RisingAlarm
                   FallingAlarm
RADIUS Authentication and Authorization Attributes
Attribute                  RFC Source
Calling-Station-Id         RFC 2865, RFC 3580
Class                      RFC 2865
EAP-Message                RFC 3579
Filter-ID                  RFC 2865, RFC 3580
Framed-MTU                 RFC 2865, RFC 3580
Message-Authenticator      RFC 3579
NAS-Identifier             RFC 2865, RFC 3580
NAS-IP-Address             RFC 2865, RFC 3580
NAS-Port                   RFC 2865, RFC 3580
NAS-Port-Id                RFC 2865, RFC 3580
NAS-Port-Type              RFC 2865, RFC 3580
Session-Timeout            RFC 2865
State                      RFC 2865
Termination-Action         RFC 2865, RFC 3580
Tunnel Attributes          RFC 2867, RFC 2868, RFC 3580
User-Name                  RFC 2865, RFC 3580
RADIUS Accounting Attributes
Attribute                  RFC Source
Acct-Session-Id            RFC 2866
Acct-Terminate-Cause       RFC 2866
GLOBAL SUPPORT:
By Phone: 978-684-1000
1-800-872-8440 (toll-free in U.S. and Canada)
For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support/
By Email: support@enterasys.com
By Web: http://www.enterasys.com/support/
By Fax: 978-684-1499
By Mail: Enterasys Networks, Inc., 50 Minuteman Road, Andover, MA 01810 (USA)
For information regarding the latest software available, recent release note revisions, or if you require additional assistance, please visit the Enterasys Networks Support web site.
Appendix A
Configuring CoS-Based Flood Control
Overview
This function allows the user to control broadcast, unknown unicast, and/or multicast flooding. It prevents configured ports from being disrupted by a traffic storm by rate-limiting packets through those interfaces.
Procedure
1. Enable CoS on the switch. (Default state is disabled.)
set cos state enable
2. Create a CoS flood control port resource. This will specify flood control rate limiters that can be mapped to specific ports:
set cos port-resource flood-ctrl group-type-index {unicast | multicast | broadcast | all} rate rate
group-type-index - Specifies an inbound rate limiting port group/type index. Valid entries are in the form group#.porttype. Valid values for group# can range from 0 to 7. Valid values for porttype can range from 0 to 1, although only port type 0 is currently supported. For example, port group 1 would be specified as 1.0.
rate – Specifies a rate limit in packets per second.
Example
This sets a port resource broadcast rate limiter (index 1.0) of 5 packets per second.
set cos port-resource flood-ctrl 1.0 broadcast rate 5
3. Assign the flood control port resource to specific ports.
set cos port-config flood-ctrl group-type-index {name name | ports port-list} [append]
Example
This adds ports ge.1.2 and ge.2.2 to the previously created port resource broadcast rate limiter 1.0. These ports will now be in a CoS port group configured with the assigned rate limiter.
set cos port-config flood-ctrl 1.0 ports ge.1.2;ge.2.2 append
4. (Optional) Show the flood control settings.
show cos port-resource flood-ctrl [group-type-index]
show cos port-config flood-ctrl [group-type-index]
If group-type-index is not specified, all configured resources will be displayed.
5. (Optional) Clear flood control settings.
clear cos port-resource flood-ctrl {all | group-type-index {unicast | multicast | broadcast | all}}
clear cos port-config flood-ctrl {all | group-type-index {entry | name | ports}}
entry - Clears all settings associated with the specified group-type-index
name - Clears the name associated with the specified group-type-index
ports - Clears all ports associated with the specified group-type-index
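The following is an added example (not Enterasys code) that generates the step 1-3 command sequence above for a set of ports and enforces the documented limits on group-type-index (group# 0-7, port type 0-1 with only 0 supported) before anything is pasted into the switch; the ge.unit.port port-name pattern is assumed from the page's examples.

```python
import re

TRAFFIC_TYPES = ("unicast", "multicast", "broadcast", "all")
_INDEX_RE = re.compile(r"^(\d+)\.(\d+)$")
# Port names as used on the page, e.g. ge.1.2 (assumed pattern, not validated against the switch).
_PORT_RE = re.compile(r"^ge\.\d+\.\d+$")


def parse_group_type_index(index):
    """Validate a group-type-index of the form group#.porttype (e.g. '1.0').

    Appendix A limits: group# is 0-7, port type is 0-1, and only type 0 is
    currently supported. Raises ValueError on anything else.
    """
    m = _INDEX_RE.match(index)
    if not m:
        raise ValueError(f"bad group-type-index {index!r}: expected group#.porttype, e.g. 1.0")
    group, ptype = int(m.group(1)), int(m.group(2))
    if not 0 <= group <= 7:
        raise ValueError(f"group# {group} out of range 0-7")
    if ptype not in (0, 1):
        raise ValueError(f"port type {ptype} out of range 0-1")
    if ptype != 0:
        raise ValueError("only port type 0 is currently supported")
    return group, ptype


def is_valid_index(index):
    """True if parse_group_type_index() accepts the index."""
    try:
        parse_group_type_index(index)
        return True
    except ValueError:
        return False


def flood_ctrl_commands(index, traffic, rate, ports, append=True):
    """Return the CLI lines for steps 1-3 of the Appendix A procedure."""
    parse_group_type_index(index)
    if traffic not in TRAFFIC_TYPES:
        raise ValueError(f"traffic type must be one of {TRAFFIC_TYPES}")
    if not isinstance(rate, int) or rate < 0:
        raise ValueError("rate is a non-negative integer in packets per second")
    if not ports or any(not _PORT_RE.match(p) for p in ports):
        raise ValueError("ports must be a non-empty list like ['ge.1.2', 'ge.2.2']")
    port_config = f"set cos port-config flood-ctrl {index} ports {';'.join(ports)}"
    if append:
        port_config += " append"  # keep ports already in the group
    return [
        "set cos state enable",                                             # step 1
        f"set cos port-resource flood-ctrl {index} {traffic} rate {rate}",  # step 2
        port_config,                                                        # step 3
    ]
```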
Configuring SMON MIB Port Mirroring
Overview
SMON port mirroring support on Enterasys SecureStack B2, B3, C2 and C3 devices allows you to redirect traffic on ports remotely using SMON MIBs. This is useful for troubleshooting or problem solving when network management through the console port, telnet, or SSH is not feasible.
Procedures
Perform the following steps to configure and monitor port mirroring using SMON MIB objects. To create and enable a port mirroring instance:
1. Open a MIB browser, such as Netsight MIB Tools.
2. In the MIB directory tree, navigate to the portCopyEntry folder and expand it.
3. Select the portCopyStatus MIB.
4. Enter a desired source and target port in the Instance field using the format source.target.
Example: 3.2 would create a relationship where source port ge.1.3 would be mirrored to target port ge.1.2.
NOTE: In order to configure a port mirroring relationship, both source and destination interfaces must be enabled and operational (up).
5. Enter MIB option 4 (createAndGo) and perform an SNMP Set operation.
6. (Optional) Use the CLI to verify the port mirroring instance has been created and enabled as shown in the following example:
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.3
Target Port = ge.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status enabled
To create a port mirroring instance without automatically enabling it:
1. Complete steps 1-4 above.
2. Enter MIB option 5 (createAndWait) and perform an SNMP Set operation.
3. (Optional) Use the CLI to verify the port mirroring instance has been created and set to disabled mode as shown in the following example:
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.3
Target Port = ge.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status disabled
4. When you are ready to enable this instance, enter MIB option 1 (active) and perform an SNMP Set operation.
5. (Optional) Use the CLI to verify the port mirroring instance has been enabled.
To delete a port mirroring instance:
1. Select a previously created port mirroring instance in your MIB browser.
2. Enter MIB option 6 (destroy) and perform an SNMP Set operation.
3. (Optional) Use the CLI to verify the port mirroring instance has been deleted as shown in the following example:
C3(su)->show port mirroring
No Port Mirrors configured.
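Because an SMON mirror can be created over SNMP without anyone touching the console, the verification step above is worth automating. The following is an added example (not Enterasys code) that records the RowStatus values the procedure uses, parses the "show port mirroring" output quoted above into sessions, and flags enabled mirrors that are not on an approved list; the sample output is constructed from the page's displays, and mapping instance index N to ge.1.N is an assumption that matches only the page's single-unit example.

```python
import re

# RowStatus values used for portCopyStatus in the procedure above (RFC 2579 RowStatus).
ROW_STATUS = {"active": 1, "createAndGo": 4, "createAndWait": 5, "destroy": 6}


def instance_to_ports(instance, prefix="ge.1."):
    """Map a portCopyStatus instance 'source.target' to port names.

    The page's example maps instance 3.2 to ge.1.3 -> ge.1.2; treating index N
    as ge.1.N is an assumption valid only for that single-unit example.
    """
    src, dst = (int(x) for x in instance.split("."))
    return f"{prefix}{src}", f"{prefix}{dst}"


def parse_port_mirroring(output):
    """Parse 'show port mirroring' output into a list of session dicts."""
    if "No Port Mirrors configured" in output:
        return []
    sessions, cur = [], {}
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"Source Port\s*=\s*(\S+)", line):
            cur["source"] = m.group(1)
        elif m := re.match(r"Target Port\s*=\s*(\S+)", line):
            cur["target"] = m.group(1)
        elif m := re.match(r"Frames Mirrored\s*=\s*(.+)", line):
            cur["frames"] = m.group(1).strip()
        elif m := re.match(r"Port Mirroring status\s+(\w+)", line):
            cur["enabled"] = m.group(1) == "enabled"  # status line closes the session
            sessions.append(cur)
            cur = {}
    return sessions


def unapproved_mirrors(output, approved):
    """Return enabled sessions whose (source, target) pair is not in 'approved'."""
    return [s for s in parse_port_mirroring(output)
            if s["enabled"] and (s["source"], s["target"]) not in approved]


# Constructed samples, laid out like the 'show port mirroring' displays on the page.
SAMPLE_ENABLED = """\
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.3
Target Port = ge.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status enabled
"""
SAMPLE_NONE = "C3(su)->show port mirroring\nNo Port Mirrors configured.\n"
```

Run the parser over the real command output captured from the switch and compare against the change record; any enabled session that is not approved should be treated as a finding and removed with RowStatus destroy (6) as in the deletion procedure.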