Sun Microsystems N1216V, N1216, N1400, N2040, N2120 Release Notes

...

Download

Sun Microsystems, Inc. www.sun.com

Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Sun™Secure Application Switch—

Release Notes for v3.2.1

Part No. 819-6643-12 August 2007, Revision A

Please

Recycle

Copyright 2007Sun Microsystems, Inc.,4150 NetworkCircle, SantaClara, California95054, U.S.A.All rightsreserved. Sun Microsystems, Inc.has intellectualproperty rightsrelating to technology embodied in the product that is described in this document. In

particular,and withoutlimitation, theseintellectual property rightsmay includeone ormore of the U.S. patents listed at http://www.sun.com/patents andone ormore additionalpatents or pending patentapplications in the U.S. and in other countries.

U.S. GovernmentRights -Commercial software. Government users aresubject tothe SunMicrosystems, Inc.standard license agreementand applicable provisions ofthe FAR and its supplements.

This distributionmay includematerials developedby third parties. Regular expression supportis providedby thePCRE librarypackage, whichis opensource software, written by Philip Hazel, and copyright by

the Universityof Cambridge,England -ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre. Parts ofthe product maybe derivedfrom BerkeleyBSD systems,licensed from theUniversity ofCalifornia. UNIXis aregistered trademark in

the U.S.and inother countries,exclusively licensedthrough X/Open Company, Ltd. Sun, SunMicrosystems and the Sun logo are trademarks or registeredtrademarks ofSun Microsystems, Inc.in theU.S. andother countries. Products covered by and information contained in this service manual arecontrolled byU.S. ExportControl laws and may be subject to the

export orimport lawsin othercountries. Nuclear, missile, chemical biological weapons or nuclearmaritime enduses orend users,whether direct or indirect, are strictlyprohibited. Exportor reexport tocountries subjectto U.S.embargo or to entities identiﬁed onU.S. exportexclusion lists, including,but notlimited to,the deniedpersons andspecially designatednationals listsis strictlyprohibited.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANYIMPLIED WARRANTY OF MERCHANTABILITY, FITNESSFOR A PARTICULAR PURPOSEOR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2007Sun Microsystems, Inc.,4150 NetworkCircle, SantaClara, Californie95054, Etats-Unis.Tous droits réservés. Sun Microsystems, Inc.détient lesdroits depropriété intellectuels relatifs à la technologie incorporée dans le produit quiest décritdans ce

document. Enparticulier,et cesans limitation,ces droits depropriété intellectuelle peuvent inclure un ou plus des brevetsaméricains listésà l’adresse http://www.sun.com/patentset unou lesbrevets supplémentaires oules applicationsde brevet enattente auxEtats -Unis etdans les autres pays.

Cette distributionpeut comprendre descomposants développéspar destierces parties. Des partiesde ceproduit pourront êtredérivées dessystèmes BerkeleyBSD licenciéspar l'Universitéde Californie.UNIX estune marque

déposée auxEtats-Unis etdans d'autres payset licenciéeexclusivement parX/Open Company,Ltd. Sun, SunMicrosystems et le logo Sun sont des marques de fabrique ou des marquesdéposées deSun Microsystems,Inc. auxEtats-Unis etdans

d'autres pays. Les produits quifont l'objetde cemanuel d'entretienet lesinformations qu'ilcontient sontregis par la legislation americaine en matiere de

controle des exportations et peuvent etre soumis au droitd'autres paysdans ledomaine desexportations etimportations. Lesutilisations ﬁnales, ouutilisateurs ﬁnaux,pour desarmes nucleaires, desmissiles, desarmes biologiqueset chimiquesou dunucleaire maritime, directement ou indirectement, sont strictement interdites. Lesexportations oureexportations versdes payssous embargo desEtats-Unis, ou vers desentites ﬁgurantsur leslistes d'exclusiond'exportation americaines,y compris,mais demaniere non exclusive, la liste de personnes qui font objetd'un ordre dene pasparticiper,d'une facondirecte ou indirecte,aux exportationsdes produitsou desservices quisont regi parla legislation americaineen matiere decontrole desexportations etla listede ressortissants speciﬁquementdesignes, sontrigoureusement interdites.

LA DOCUMENTATION EST FOURNIE "EN L'ETAT"ET TOUTES AUTRESCONDITIONS, DECLARATIONS ET GARANTIES EXPRESSES OU TACITESSONT FORMELLEMENTEXCLUES, DANSLA MESUREAUTORISEE PARLA LOIAPPLICABLE, Y COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE, A L'APTITUDE A UNE UTILISATIONPARTICULIERE OUA L'ABSENCE DECONTREFACON.

iii

Contents

Product Web Page 1

Related Documentation

The Sun Secure Application Switch documentation listed here is available online at:

http://www.sun.com/products/networking/switches/

How to Obtain Updates From Sun

You can obtain updates and patches from your Sun authorized sales representative, service provider, or by downloading them from the SunSolve Online

Web site at

the following URL:

http://sunsolve.sun.com/

For patch information instructions, see the README file that accompanies each patch.

For downloads of released software, visit the Sun Download Center at the following URL:

http://www.sun.com/downloads

TABLE P-1 Related Documentation

Title Part Number Format Location

* You can also order at no cost a Documentation CD (part numberX3796A) that includes these documents. Go to

http://www.sun.com/products/networking/switches for additional information.

Sun Secure Application Switch – Getting Started Guide

819-3042 Printed

PDF

Ship Kit Online

Sun Secure Application Switch Configuration and Implementation Guide

819-7595 PDF Online

Sun Secure Application Switch - Release Notes for v3.2.1 (This Document)

819-6643 Printed

PDF

(3.x) Ship Kit Online

Sun Secure Application Switch - Command Reference for v3.2

819-3047 HTML Online

Sun Secure Application Switch - Online Help for v3.2

819-3048 HTML Within the

application

Sun Secure Application Switch – Release Notes for v3.2.1 3

Contacting Sun Technical Support

If you have technical questions about this product that are not answered in this document, go to:

http://www.sun.com/service/contacting

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:

http://www.sun.com/hwdocs/feedback

Please include the title and part number of your document with your feedback:

Sun Secure Application Switch – Release Notes for v3.2.1, part number 819-6643

New Features in This Release

The 3.2.1 release includes the following new software features.

■ “Configuration Synchronization” on page 4

■ “Behavior Change: Show runningConfig saveToFile Command” on page 4

■ “Behavior Change: Show switchservices chassis cpuLoad Command” on page 4

■ “Behavior Change: Default vRouter for Virtual Services” on page 4

■ “Long-Lived Sessions” on page 4

■ “SNAT Active Standby Behavior in Redundant Configuration” on page 5

■ “Outgoing DNAT IP Address Is the Same as Virtual Service IP Address” on

page 5

■ “Auto Dump” on page 5

4 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

Configuration Synchronization

For information about Configuration Synchronization, refer to the Sun Secure Application Switch - Configuration and Implementation Guide, part number 819-7595.

Behavior Change: Show runningConfig saveToFile Command

In version 3.2.1, the defaultValues and nameValuePairs are included by default when a show runningConfig saveToFile command is executed. In previous versions of the software, you had to manually set defaultValues and nameValuePairs to true to include this information.

Behavior Change: Show switchservices chassis cpuLoad Command

In version 3.2.1, the show switchservices chassis cpuLoad command no longer exists. Use the show switchservices chassis module command instead to perform similar actions.

Behavior Change: Default vRouter for Virtual Services

When creating a virtual service, the default vRouter has changed from system:shared to the user defined vRouter that is associated with the vSwitch.

Long-Lived Sessions

If long-lived session is enabled, up to 30,000 of a media module network processor’s 500,000 active flow sessions can be reserved for long-lived usage. As new flows are required, the oldest inactive sessions are purged first. Long-lived sessions apply to L4SLB and L3SLB Virtual services. The default setting for long-lived sessions is disabled. When the feature is disabled, flow sessions will exist for 90 seconds with no activity. FWLB sessions are long-lived by default.

Sun Secure Application Switch – Release Notes for v3.2.1 5

SNAT Active Standby Behavior in Redundant Configuration

In redundant configuration applications, the back-up switch now implements SNAT in standby mode so all SNAT traffic received at the back-up switch will be redirected to the master switch. The SNAT IP addresses must be the same between both switches.

Outgoing DNAT IP Address Is the Same as Virtual Service IP Address

A DNAT entry can have the same IP address as a virtual service.

Auto Dump

When an error occurs on a function card, the relevant log files are automatically created and generated.

Supported Hardware

The Sun Secure Application Switch consists of two hardware platforms.

■ Sun N1000 Series includes the N1216 and the N1400 models.

■ The N1216 provides two pluggable Gigabit Ethernet (copper or fiber) ports,

sixteen 10/100-Mbps ports, and a full complement of system and port status LEDs.

■ The N1400 provides 4 Gigabit Ethernet (copper or fiber) ports and a full

complement of system and port status LEDs. The N1400 is rackmountable and operates on standard AC voltages (115 or 230 VAC) using a single power supply.

■ Sun N2000 Series includes the N2120 and N2040 models.

■ The Sun N2120 provides 12 small form-factor pluggable (SFP) Gigabit Ethernet

(copper or fiber) ports.

■ The Sun N2040 provides 40 10/100-Mbps ports and 4 SFP Gigabit Ethernet

(copper or fiber) ports.

6 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

Both systems are rackmountable and operate on standard AC voltages (115 or 230 VAC) in either redundant or non-redundant power configurations.

For a review of the Sun Secure Application Switch hardware, refer to the Sun Secure Application Switch – Getting Started Guide.

Transceivers

Sun has tested the ports on the front of the system with the following transceivers, which are listed by type, vendor, vendor part number, and Sun X Option number.

Fiber

■ FINSAR, FTRJ-8519P1 BNL, X2001A

■ FINSAR, FTLF-8519P2BCL, X2001AZ

■ FIBERXON, FTM-8012C-SLG, X2001AZ

Copper

■ FINSAR, FCMJ-8521-3, X2002A

■ FINSAR, FCLF8521-3, X2002AZ

■ FIBERXON, FTM-C012R-LMG, X2002AZ

You can use other transceivers, but only the ones listed above have been fully tested. If required, you can purchase these transceivers from Sun or directly from approved vendors.

Software Information

This software release (V3_2R1) works with both the N1000 Series and N2000 Series.

■ If you currently have 2.0 software on your switch, refer to the section, “Migrating

From Software Version 2.0 to Version 3.2.1”, for upgrade information.

■ If you currently have 3.0 or 3.1 software on your switch, refer to the section,

“Migrating From Software Version 3.0 or 3.1 to Version 3.2.1” for upgrade

information.

Sun Secure Application Switch – Release Notes for v3.2.1 7

Migrating From Software Version 2.0 to Version 3.2.1

This section is relevant only if you are upgrading an N2000 Series from version 2.0 software to version 3.2.1 software.

Note – The software version command allows you to specify the version of

software used on the switch. In software version 2.x, this command automatically loaded the latest patch for the version of software specified. In version 3.2.1, the software version command explicitly loads the software version specified; it does not automatically include the latest patch.

Archiving a Version 2.0 Configuration

You can copy your configuration file for backup or archive purposes. You have two options:

■ Make a copy of the cdb.dat file. Note that this file is machine-specific and can

only be restored to the original machine on which it was used.

1. Telnet to the Sun Secure Application Switch.

2. Access the directory containing the cdb.dat file

sun(config)# cd/ftl0/config

3. Copy the cdb.dat ﬁle to a local destination.

sun(config)# cp cdb.dat <cdbFileName.dat>

4. Make a “portable” configuration file using the show runningConfig command.

Be sure to enable the nameValuePairs option, similar to the following:

sun(config)# show runningConfig saveToFile <myConfig.txt> password <myPassword> nameValuePairs true

Note – The cdb.dat file is copied into the /config directory but the text files is

saved in the /ftl0/user/home directory.

8 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

Installing Version 3.2.1 Software

If you have version 2.0 software installed on your Sun Secure Application Switch and you want to upgrade to version 3.2.1 software, do the following:

Note – If you have software version V2_0R4 or later, you can bypass Step 1 and

proceed to Step 2.

1. If you have software version V2_0R3 or earlier, you must obtain and install the compression utility patch from SunSolve Online (119731) before upgrading to version 3.2.1.

You can access the SunSolve Online Web site at the following URL:

http://sunsolve.sun.com

2. Obtain and install the V3_2R1 software release from the Sun Download Center.

You can access the Sun Download Center Web site at the following URL:

http://www.sun.com/downloads

After the page loads, click Networking and scroll down to Network Connectivity, to access the software link.

3. Reboot the switch.

After installing the version 3.2.1 software, the configuration database will automatically be upgraded to the 3.x format.

Note – The .cdb file name will remain the same after the upgrade.

Importing a Version 2.0 Configuration

If you have installed version 3.2.1 onto a switch that was already equipped with version 2.0, the configuration database is automatically upgraded.

If you need to import a “portable” version 2.0 configuration into a version 3.x system, you can choose either of the following options:

■ Verify that the Interactive feature is turned off.

At the switch prompt, type the following text then press the Enter key:

sun(config)# interactive off

■ Import the running configuration with stopOnError set to false, similar to the

following:

Sun Secure Application Switch – Release Notes for v3.2.1 9

sun(config)# import runningConfig FromFile <myConfig.txt> password <

myPassword> stopOnError false

■ Perform the following manual edits detailed below.

1. Update any filterProfile rules that perform vSwitch or vRouter filtering.

The vSwitchName and vRouterName fields have been combined into a single field

vSwitchAndVRouter. The old value format looks similar to the following:

# Profiles to cause event filtering #

rule position 1 action drop vSwitchName IDS vRouterName default

The new value "vSwitch:vRouter" looks similar to the following:

rule position 1 action drop vSwitchAndVRouter IDS:default

2. Update any objectRules that use the HTTP_VERSION predicate variable.

The HTTP_VERSION variable has been removed and replaced with more refined variables.

■ For objectRules used in requestPolicies, use REQUEST_VERSION.

■ For objectRules used in responsePolicies, use RESPONSE_VERSION.

The old value is similar to the following:

# # Expressions used to classify the application data stream #

loadBalance objectRule name orVersion predicate {HTTP_VERSION eq "1.0"}

The new value is similar to the following:

loadBalance objectRule name orVersion predicate {REQUEST_VERSION eq "1.0"}

3. Update any realServices that perform clientAddressTranslation.

In this step, you have to change the following commands:

a. Change the clientAddressTranslation enabled command to

clientAddressTranslationMask 0.0.0.0

b. Change the clientAddressTranslation disabled command to

clientAddressTranslationMask 255.255.255.255

The old value format looks similar to the following:

10 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

# # Real service parameters # loadBalance realService name rs-lnx1 hostName lnx1 clientAddressTranslation enabled proxyIpPool pipHR

The new value format looks similar to the following:

loadBalance realService name rs-lnx1 hostName lnx1 clientAddressTranslationMask 0.0.0.0 proxyIpPool pipHR

4. Remove any lines for the loadBalance vsGroup.

These lines might appear multiple times, since this action happens once for each vSwitch. The following is an example of what requires deletion:

# # Virtual Service Group Configuration # loadBalance vsGroup name default virtualServices {vs1;vs2}

5. Update the command for any advanced virtual service settings.

In this step, you have to change the following commands:

a. If disableSynCookies is present, reverse the value (change true to false or

false to true). These lines might appear multiple times, up to once per virtual service.

The old value format looks similar to the following:

# Virtual service advanced settings # advanced ... disableSynCookies false ...

The new value format looks similar to the following:

advanced ... disableSynCookies true ...

b. If clientFirstProtocol is present, reverse the value (change true to false or

false to true). These lines might appear multiple times, up to once per virtual service.

The old value format looks similar to the following:

# Virtual service advanced settings # advanced ... clientFirstProtocol true...

The new value format looks similar to the following:

Sun Secure Application Switch – Release Notes for v3.2.1 11

advanced ... clientFirstProtocol false ...

6. Remove any lines for TCP connections.

These lines might appear multiple times, since this action happens once for each vRouter. The following is an example of what requires deletion:

# # TCP Connections # tcp connections localAddress 0.0.0.0 localPort 22 remoteAddress 0.0.0.0 remotePort 0 state listen

tcp connections localAddress 0.0.0.0 localPort 23 remoteAddress 0.0.0.0 remotePort 0 state listen

tcp connections localAddress 0.0.0.0 localPort 80 remoteAddress 0.0.0.0 remotePort 0 state listen

tcp connections localAddress 0.0.0.0 localPort 443 remoteAddress 0.0.0.0 remotePort 0 state listen

tcp connections localAddress 10.8.170.123 localPort 23 remoteAddress 129.148.185.228 remotePort 1516 state established

7. Update the command for the OSPF advertisements.

In this step, you have to change the following commands:

a. Change the advertise-ase command to advertise ase.

# #OSPF advertise ASE routes

ospf advertise-ase staticRt enabled

The new value format looks similar to the following:

ospf advertise ase staticRt enabled

b. Change the advertise-nssa command to advertise nssa.

The old value format looks similar to the following:

# #OSPF advertise NSSA routes

12 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

ospf advertise-nssa staticRt enabled

# The new value format looks similar to the following:

ospf advertise nssa staticRt enabled

8. Remove any lines for SSHd sessions.

The following is an example of what requires deletion:

# # SSH sessions # sessions clientIp 129.148.30.128 clientPort 33127 sesStatus active

sessions clientIp 129.148.30.128 clientPort 33127

exit;

sessions clientIp 129.148.30.165 clientPort 41440 sesStatus active

sessions clientIp 129.148.30.165 clientPort 41440

exit;

9. Verify that the configuration file was imported correctly.

sun(config)# show runningConfig password <MyPassword>

10. Remove advanced options for non-terminated virtualServices: L4SLB and TDLB

In this example:

Incorrect:

# # Virtual Service configuration #

loadBalance virtualService name L4SLB_VS appServiceType L4SLB \

ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \

enabled disableDelay 0 protocol TCP port 80 vRouter \

LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \

synRateLimit unlimited

loadBalance virtualService name L4SLB_VS

# # Virtual service advanced settings #

Sun Secure Application Switch – Release Notes for v3.2.1 13

advanced tcbTemplateKey 0 ipTos Normal xmtRetryLimit 4 estRetryLimit 4 \

shortRxTimer 32_seconds longRxTimer 64_seconds rcvWnd 20480 xmtRTT \

1500_msec smmStreamLimit 1xRcvWnd estShortTimeout ExpRetr \

rcvWndDisabled false rcvMss 1460 xmtMss 1460 enableHttpMode false \

initParseWithData false rxUseLongTime false disableSynCookies false \

clientFirstProtocol true

exit; exit;

Correct:

# # Virtual Service configuration #

loadBalance virtualService name L4SLB_VS appServiceType L4SLB \

ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \

enabled disableDelay 0 protocol TCP port 80 vRouter \

LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \

synRateLimit unlimited

loadBalance virtualService name L4SLB_VS

# # Virtual service advanced settings #

Migrating From Software Version 3.0 or

3.1 to Version 3.2.1

Configuration Modification

The functionality of the URI Path field used in object rules has changed in software version 3.2.1. If you are upgrading from software version 3.0 or 3.1 to 3.2.1 and object rules contain the URI_PATH you must change the object rule expressions before upgrading.

14 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

In version 3.0 and 3.1, the URI_PATH includes the path and filename. For example, if a file is archived as http://Host/Directory/File.html, the URI_PATH is /Directory/File.html and the URI_BASENAME is File.

In contrast, the URI_PATH in software version 3.2.1 contains the characters after the host (or port number) and up to the file name, including the slash separator. For example, if your file is archived as http://Host/Directory/File.html, the URI_PATH is /Directory/ and the URI_BASENAME is File.

Note – The behavior of the URI Path as it pertains to object rules is the same in

software versions 2.x and 3.2. Therefore, if you are upgrading from 2.x to 3.2.1, object rule expression changes are not required.

Installing Version 3.2.1 Software

1. Obtain and install the V3_2R1 software release from the Sun Download Center.

You can access the Sun Download Center Web site at the following URL:

http://www.sun.com/downloads

After the page loads, click Networking and scroll down to Network Connectivity to access the software link.

2. Reboot the switch.

After installing the version 3.2.1 software, the configuration database will automatically be upgraded to the 3.0 format.

3. Remove advanced options for non-terminated virtual services: L3SLB, L4SLB, FWLB, and TDLB.

Incorrect:

# # Virtual Service configuration #

loadBalance virtualService name L4SLB_VS appServiceType L4SLB \

ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \

enabled disableDelay 0 protocol TCP port 80 vRouter \

LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \

synRateLimit unlimited

loadBalance virtualService name L4SLB_VS

Sun Secure Application Switch – Release Notes for v3.2.1 15

# # Virtual service advanced settings #

advanced tcbTemplateKey 0 ipTos Normal xmtRetryLimit 4 estRetryLimit 4 \

shortRxTimer 32_seconds longRxTimer 64_seconds rcvWnd 20480 xmtRTT \

1500_msec smmStreamLimit 1xRcvWnd estShortTimeout ExpRetr \

rcvWndDisabled false rcvMss 1460 xmtMss 1460 enableHttpMode false \

initParseWithData false rxUseLongTime false disableSynCookies false \

clientFirstProtocol true

exit; exit;

Correct:

# # Virtual Service configuration #

loadBalance virtualService name L4SLB_VS appServiceType L4SLB \

ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \

enabled disableDelay 0 protocol TCP port 80 vRouter \

LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \

synRateLimit unlimited

loadBalance virtualService name L4SLB_VS

# # Virtual service advanced settings #

Note – The .cdb file name will remain the same after the upgrade.

Importing a Version 3.0 or 3.1 Configuration

If you have installed version 3.2.1 onto a switch that was already equipped with version 3.0 or 3.1, the configuration database is automatically upgraded.

If you need to import a “portable” version 3.x configuration into a version 3.2.1 system, you can choose either of the following options:

■ Verify that the Interactive feature is turned off.

At the switch prompt, type the following text then press the Enter key:

16 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

sun(config)# interactive off

■ Import the running configuration with stopOnError set to false, similar to the

following:

sun(config)# import runningConfig FromFile <

myConfig.txt>

password <

myPassword> stopOnError false

Perform the following manual editsRemove on any non-terminated virtualServices: L3SLB, L4SLB, TDLB, FWLB

In this example:

# # Virtual Service configuration #

loadBalance virtualService name WMA-STREAM-HTTP_213 appServiceType L4SLB \

ipAddress 10.49.0.213 serviceGroupName WMA-STREAM-HTTP adminState \

enabled disableDelay 0 protocol TCP port 80 vRouter \

LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \

synRateLimit unlimited

loadBalance virtualService name WMA-STREAM-HTTP_213

# # Virtual service advanced settings #

System Management

Administrators can use multiple management tools to support the Sun Secure Application Switch in a network. These tools include:

■ Command-Line Interface (CLI)

■ Web interface

■ SNMP applications

Sun Secure Application Switch – Release Notes for v3.2.1 17

Command-line Interface (CLI)

The command-line interface (CLI) uses an industry-standard design that enables you to configure and manage the Sun Secure Application Switch by typing keyboard commands. You access the CLI over a direct console connection to the RS-232 port on the front of the system, or over a Telnet or SSH connection. A connection to the CLI is indicated by the

sun> prompt on your screen.

The CLI uses a hierarchical design that enables you to move deeper into the command hierarchy as you build the configuration. The CLI uses the command prompt to display your current location within the hierarchy. Simple commands enable you to navigate to the appropriate context. See the Sun Secure Application Switch – Command Reference for information about the CLI and the Sun Secure Application Switch commands.

Web Interface

The Sun Secure Application Switch Manager Web interface is a graphical user interface (GUI) that enables you to configure and manage the Sun Secure Application Switch using a browser. The Web interface supports all management capabilities provided by the CLI. Instead of entering information on a command line, you navigate menus and supply information in data entry fields. See the Sun Secure Application Switch – Online Help for more information about the Web interface.

SNMP

The Simple Network Management Protocol (SNMP) enables you to communicate with the SNMP agent on the Sun Secure Application Switch system from a remote management station. This enables you to retrieve information about managed objects on the system as well as change configuration settings.

The Sun Secure Application Switch supports the following SNMP versions:

■ SNMPv1

■ SNMPv2c

■ SNMPv3

The Sun Secure Application Switch supports the standard SNMP commands: GET, GETNEXT, GETBULK, SET. It does not, however, support any of the INFORM commands.

18 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

Supported Operating Systems and Web Browsers

The following operating systems and Web browsers have been tested and work with the Sun Secure Application Switch for version 3.2.1 software.

Operating Systems and Web Browsers

■ Microsoft Windows (98, 2000, XP, Vista)

■ Internet Explorer 5.5, 6.x, and 7.x

■ Netscape

6.2, 7.x

■ Mozilla

1.x

■ Firefox 1.x and 2.x

■ Opera 6.x, 7.x, 8.x, and 9.x

■ Macintosh (OSX v10.1)

■ Internet Explorer 5.2

■ Netscape 7.x

■ Mozilla 1.x

■ Firefox 1.x

■ Red Hat Linux

■ Netscape 7.1

■ Mozilla 1.x

■ Opera 6.x

■ Solaris (9 and 10)

■ Mozilla 1.4 and 1.7

■ Firefox 1.x

Flash Software

The minimum Macromedia Flash version required is version 6.0.65.0. Newer versions of Flash (such as 7.x, 8.x, and 9.x) also work.

Sun Secure Application Switch – Release Notes for v3.2.1 19

Known Issues With This Release

This section describes the known problems, restrictions, and limitations in Release

3.2 (V3_2R1) on the Sun Secure Application Switch. For tracking purposes, an internal Sun reference number is included at the end of each item in this section.

ACLs

ACLs will not block traffic that is generated internally within the Sun Secure Application Switch, such as RIP advertisements, outgoing Spanning Tree BPDUs, etc. (2225/6351897)

The number of ACLs that can be applied to interfaces across the switch will vary with the complexity of the rules that are applied. If the internal table limits are exceeded, an error will be generated and reported through the syslog facility. (4226/156609)

Routed traffic on a single vRouter only hits either the ingress (inbound) or the egress (outbound) when it should hit both rules. The first rule loaded (either ingress or egress) will match the incoming packet flow. (6614/6351901)

ARP

ARP responses with multicast MAC addresses are not automatically installed. To resolve this issue, manually enter the static ARP. For example, firewall clusters can be configured to send multicast ARPs.

If using VLANS, also manually add the multicast address to the VLAN by using the

vlan address command, similar to the following examples:

sun(config-vswitch-backend-vRouter-default)# ip arp static 1.1.1.1

mac 01:00:00:00:00:01

sun(config-vswitch-backend vRouter-default)# vlan 10 address static 01:00:00:00:00:01 eth.11

sun(config-vswitch-backend vRouter-default)# vlan 10 address static 01:00:00:00:00:01 lag.server

(7274/6506711)

20 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

Configuration

When modifying load balance configurations on the target switch wild cards cannot be used. The desired parameter(s) need to be modified individually.

sun(config)# vswitch testing loadBalance realService rs2|rs3 adminState disabled

(7561/6505411)

Before using configuration synchronization in manual mode, you must disable autodump. Once the manual synchronizations are complete, autodump can be enabled. Failure to disable autodump prior to a manual synchronization results in false autodump occurrences. Do the following to disable autodump:

sun(config)# switchServices chassis debug autoDump adminState disabled

(7626)

Firewall Load Balancing

When defining firewall real services, create a static route on the switch for each of the firewalls. In the case where the firewall is the default gateway, a default route for each firewall should be defined. If a firewall real service is disabled or deleted the associated route for the firewall must be deleted as well. (7250/6483927)

FTP

The FTP client on the switch is not accessible through the Web interface. The FTP client must be used within the CLI. (3778/6351865)

Health Checks

If you are using a script for Scripted Health Checks and one of the lines of the script fails, there is a potential for the CLI process to continually restart. This issue could happen for a variety of reasons, including an unresponsive server. If the CLI process is repeatedly restarting, correct the problem by removing the Scripted Health Check and use standard Health Checks. (7210/6471331)

If more than one service group is using the same Scripted Health Check and it is not explicitly defined, the service group fails due to a script failure. To avoid this issue, the path to the Scripted Health Check must be explicit within the Health Check configuration. The following is a correct example of an explicit Health Check:

Sun Secure Application Switch – Release Notes for v3.2.1 21

sun(config-vSwitch-example loadBalance)# healthCheckProfile hc.shrc script scriptFile /ftl0/user/local/shrc.tcl

(7625/6592850)

Load Balancing

Opera Web browsers continue to request TCP data even when receiving a TCP-RST. This can cause the browser to appear hung. (2844/6351904)

UDP load balancing (including RADIUS and DNS) does not support frames with IP options. (4469/6351907)

For two or more FTPBL VirtualServices with the same IP address and different ports, you cannot assign the same or overlapping ftpDataPortRanges. (7552/6505412)

Ports

Auto-negotiation does not work using the NS-83820 Fiber NIC and the Finisar SFF optical GBIC (part number FTRJ-8519-3). The SFF optical GBIC PicoLight, (part numbers: PL-XPL-00-S13-05 & PL-XPL-S23-28) will auto-negotiate with the NS-83820 Fiber NIC. (5682/6351875)

Jumbo frames directed to the switch IP address are dropped. (1665/6351881)

RealService

If you attempt to disable a RealService or host that is used by a Virtual service (VS) with the longRxTimer value set longer than the default (64 seconds), an error message will be displayed. To disable the RealService, you must remove it from the service group, then disable it. (7328/6507197)

FWLB connections are long-lived, thus affecting the session counters for real services. The initial FWLB flow is persistent (long-lived), which counts as one connection. This causes the Cumulative Open Sessions and Current Open Sessions to increment. When more packets go through that same flow, a 90-second session flow is created, which also counts as an opened connection. These flows will also increment the Cumulative Open/Current Open Session counters. New flows with the same source/destination address, protocol and vRouter ID will hit the FWLB persistent entry and immediately create specific 90-second session flows (refreshed by traffic). The Cumulative Open/Current Open Session counters will increment. If traffic subsides, all the 90-second session flows time out, incrementing the Cumulative Closed Session counter, leaving the persistent FWLB flows still as open

22 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

sessions. Then if the FW service is administratively disabled or deleted, those persistent flows are closed too. The Cumulative Open/Current Open Session counters then decrement to 0. (7555/6505413)

Routing

If a static ARP entry is deleted, the switch does not send an ARP request for the given host. To resolve this issue, ping the host from the switch and the ARP will be sent. (7124/6427618)

Directed broadcasts are not forwarded across IP interfaces. (2059/6351885)

The on-board traceroute command fails in an on-board IP interface. The ICMP ping command can be used. (5092/6351887)

The switch does not always respond to ICMP Address Mask requests properly. (3946/6351890)

OSPF type 2 AS external routes always use a metric of 1 regardless of the configured metric. (5693/6351891)

The switch will erroneously add a host route to the route table based on a received RIP update when the switch has already received a RIP update containing a route with a short mask for the same gateway. This compliance problem should have no negative network impact. (2457/6351892)

Traceroute and InterRealm Routing (IRR)

There exists two know issues with traceroute and InterRealm Routing:

■ When traceroute is performed from an external host (PC) and the path uses IRR,

ICMP TTL expired or port unreachable messages (when using UDP traceroute) are not sent back to the external client.

■ When traceroute is performed from the external host to an IRR interface, the

response comes from the destination IP address. This is incorrect since the packet sent had a TTL of 1 and the destination is 3 hops away. Each incremental router hop should send a response to the traceroute request. (6989/6505415)

Web Interface

Most browsers exhibit a security issue regarding the way basic authentication is implemented by continuing to send the old credentials after an error message is received. To avoid this issue, you must close the browser window used to connect to the switch to maintain security and prevent unauthorized access. Mozilla is the only browser that does not exhibit this issue. (1199/6351852)

Sun Secure Application Switch – Release Notes for v3.2.1 23

Displaying statistics using line graphs will preserve all history of graphed data, which will continuously consume memory on your PC if left unattended. (2299/6351855)

Using the Web Interface, the dashboard has a slow memory leak, which is also present after the session times out due to inactivity. If the GUI is left open for long periods of time, such as overnight, this may cause workstation performance to deteriorate until the browser window is closed. (5927/6351858)

Online Help requires that JavaScript

is enabled on your Web browser.

(2104/1351860)

Configuration Scaling

Management

System vSwitch:

■ One management vRouter

■ Four shared vRouters

■ 100 user accounts (used for login access to the switch)

■ 10 concurrent CLI sessions

■ 10 concurrent HTTP management sessions

Virtualization

User-defined vSwitches:

■ One user-defined vSwitch for the N2120, N2040, and N1400

■ Ten user-defined vSwitches, with the optional virtualization key on the N2120,

N2040, and N1400

L2 to L3 Scale

■ Ports per LAG: 16

■ LAGs: 22

■ Ports or LAGs: 44 per VLAN

24 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

■ VLANs: 512 per vSwitch, 4095 total

■ ARP entries: 3000 per vRouter

■ ACL lists: 4 per vRouter

■ ACL rules: 256 per ACL list

■ IP interfaces: 128 per vRouter

■ Static routes: 200 per vRouter

■ MAC entries: 16,000 total

Load Balance Configuration

■ Maximum number of virtual services: 1024 per vSwitch, 2048 total

■ Service groups: 512 per vSwitch, 4096 total

■ Hosts: 1024 per vSwitch

■ Real services: 1024 per vSwitch, 8192 total

■ Maximum number of real services in a service group: 1024

■ Request policies: 1024 per vSwitch, 4096 total

■ Response policies: 1024 per vSwitch

■ Request transforms: 1024 per vSwitch

■ Response transforms: 1024 per vSwitch

■ Object rules: 1000 per vSwitch

■ Configurable health checks: 512 per vSwitch

■ Active health checks: 1024 per vSwitch

■ Keep-alives (1 probe or 1 list of up to 5 HTTP probes): 1 per vSwitch

■ 1024-bit certificates: 512 per vSwitch

Note – The scaling numbers outlined above are individually achievable, but

maximum configurations combining all of the scale factors are not achievable.

Documentation Updates

This section describes updates to the Sun Secure Application Switch documentation. Please refer to the following Sun Web site for the most recent versions of the documentation for this product:

Sun Secure Application Switch – Release Notes for v3.2.1 25

http://www.sun.com/products/networking/switches/

Configuration and Implementation Guide and Getting Started Guides (Translated Versions)

Table P-2 in the Configuration and Implementation Guides and all translated versions of the Getting Started Guide (part numbers 819-3966-12, 819-3967-12, 8193968-12, 819-3969-12, 819-3970-12, 819-3971-12, and 819-3972-12) contain outdated references to related documentation.

The correct references to related documents are shown below.

TABLE P-2 Related Documentation

Title Part Number Format Location

For 3.x, you can also order at no cost a Documentation CD (part number X3796A) that includes these documents. Go to http://www.sun.com/products/networking/switches for information

For 4.x, you can also order at no cost a Documentation CD (part number X3797A) that includes these documents. Go to http://www.sun.com/products/networking/switches for information.

Sun Secure Application Switch - Getting Started Guide

819-3042 Printed

PDF

Ship Kit Online

Sun Secure Application Switch Configuration and Implementation Guide

819-7595 PDF Online

Sun Secure Application Switch - Release Notes for v3.2.1

819-6643 Printed

PDF

(3.x) Ship Kit Online

Sun Secure Application Switch - Release Notes for v4.0

819-7244 Printed

PDF

(4.x) Ship Kit Online

Sun Secure Application Switch - Command Reference for v3.2

819-3047 HTML Online

Sun Secure Application Switch - Command Reference for v4.0

819-7594 HTML Online

Sun Secure Application Switch - Online Help for v3.2

819-3048 HTML Within the

application

Sun Secure Application Switch - Online Help for v4.0

819-7596 HTML Within the

application

26 Sun Secure Application Switch – Release Notes for v3.2.1 • August 2007

Sun Microsystems N1216V, N1216, N1400, N2040, N2120 Release Notes

Specifications and Main Features

Frequently Asked Questions

User Manual