Sun Microsystems N1216V, N1216, N1400, N2040, N2120 Release Notes

...
Sun Microsystems, Inc. www.sun.com
Submit comments about this document at: http://www.sun.com/hwdocs/feedback
Sun™ Secure Application Switch – Release Notes for v3.2.1
Copyright 2007 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
This distribution may include materials developed by third parties. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England - ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems and the Sun logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Contents
Product Web Page
Related Documentation
How to Obtain Updates From Sun
Contacting Sun Technical Support
Sun Welcomes Your Comments
New Features in This Release
Configuration Synchronization
Behavior Change: Show runningConfig saveToFile Command
Behavior Change: Show switchservices chassis cpuLoad Command
Behavior Change: Default vRouter for Virtual Services
Long-Lived Sessions
SNAT Active Standby Behavior in Redundant Configuration
Outgoing DNAT IP Address Is the Same as Virtual Service IP Address
Auto Dump
Supported Hardware
Transceivers
Software Information
Migrating From Software Version 2.0 to Version 3.2.1
Archiving a Version 2.0 Configuration
Installing Version 3.2.1 Software
Importing a Version 2.0 Configuration
Migrating From Software Version 3.0 or 3.1 to Version 3.2.1
Configuration Modification
Installing Version 3.2.1 Software
Importing a Version 3.0 or 3.1 Configuration
System Management
Command-line Interface (CLI)
Web Interface
SNMP
Supported Operating Systems and Web Browsers
Operating Systems and Web Browsers
Flash Software
Known Issues With This Release
ACLs
ARP
Configuration
Firewall Load Balancing
FTP
Health Checks
Load Balancing
Ports
RealService
Routing
Traceroute and InterRealm Routing (IRR)
Web Interface
Configuration Scaling
Management
Virtualization
L2 to L3 Scale
Load Balance Configuration
Documentation Updates
Configuration and Implementation Guide and Getting Started Guides (Translated Versions)
Regulatory Compliance Statements
Your Sun product is marked to indicate its compliance class:
Federal Communications Commission (FCC) — USA
Industry Canada Equipment Standard for Digital Equipment (ICES-003) — Canada
Voluntary Control Council for Interference (VCCI) — Japan
Bureau of Standards Metrology and Inspection (BSMI) — Taiwan
Please read the appropriate section that corresponds to the marking on your Sun product before attempting to install the product.
FCC Class A Notice
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operation.
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if it is not installed and used in accordance with the instruction manual, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
Modifications: Any modifications made to this device that are not approved by Sun Microsystems, Inc. may void the authority granted to the user by the FCC to operate this equipment.
ICES-003 Class A Notice - Avis NMB-003, Classe A
This Class A digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
BSMI Class A Notice
The following statement is applicable to products shipped to Taiwan and marked as Class A on the product compliance label.
GOST-R Certification Mark
Declaration of Conformity
Compliance Model Number: N1216 and N1400
Product Name: Sun Secure Application Switch
N1216 (N1216, N1216V) N1400 (N1000, N1400V)
EMC
USA—FCC Class A
This equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This equipment may not cause harmful interference.
2. This equipment must accept any interference that may cause undesired operation.
European Union
This equipment complies with the following requirements of the EMC Directive 89/336/EEC:
As Telecommunication Network Equipment (TNE) in both Telecom Centers and Other Than Telecom Centers per (as applicable):
EN300-386 V.1.3.2 (2003-2005) Required Limits:
EN55022:1994+A1:1995+A2:1997 | Class A
EN61000-3-2:2000 | Pass
EN61000-3-3:1995+A1:2000 | Pass
IEC61000-4-2 | 6 kV (Direct), 8 kV (Air)
IEC61000-4-3 | 3 V/m 80-1000 MHz, 10 V/m 800-960 MHz and 1400-2000 MHz
IEC61000-4-4 | 1 kV AC and DC Power Lines, 0.5 kV Signal Lines
IEC61000-4-5 | 2 kV AC Line-Gnd, 1 kV AC Line-Line and Outdoor Signal Lines, 0.5 kV Indoor Signal Lines > 10m
IEC61000-4-6 | 3 V
IEC61000-4-11 | Pass
As Information Technology Equipment (ITE) Class A per (as applicable):
EN55022:1994+A1:1995+A2:1997 | Class A
ENG6100-3-2:2000 | Pass
ENG61000-3-3:1995+A1:2000 | Pass
EN55024:1998+A1:2001+A2:2003 Required Limits:
IEC61000-4-2 | 4 kV (Direct), 8 kV (Air)
IEC61000-4-3 | 3 V/m
IEC61000-4-4 | 1 kV AC Power Lines, 0.5 kV Signal and DC Power Lines
IEC61000-4-5 | 1 kV AC Line-Line and Outdoor Signal Lines, 2 kV AC Line-Gnd, 0.5 kV DC Power Lines
IEC61000-4-6 | 3 V
IEC61000-4-8 | 1 A/m
IEC61000-4-11 | Pass
Safety
This equipment complies with the following requirements of the Low Voltage Directive 73/23/EEC:
EC Type Examination Certificates:
EN60950:2001 1st Edition | TÜV Rheinland Certificate No. S72051919
EN60950:2001, 1st Edition | CB Scheme Certificate No. US-TÜVR-2479
Evaluated to all CB Countries
UL 60950:1st Edition 2001, CSA C22.2 No 60950-01-03 | File: CO 72051920 01
Supplementary Information: This product was tested and complies with all the requirements for the CE Mark.
/S/ /S/
Dennis P. Symanski DATE Manager, Compliance Engineering Sun Microsystems, Inc. 4150 Network Circle, MPK15-102 Santa Clara, CA 95054 USA Tel: 650-786-3255 Fax: 650-786-3723
Donald Cameron DATE Program Manager/Quality Systems Sun Microsystems Scotland, Limited Blackness Road, Phase I, Main Bldg Springfield, EH49 7LR Scotland, United Kingdom Tel: +44 1 506 672 539 Fax: +44 1 506 670 011
Declaration of Conformity
Compliance Model Number: N2040; N2120
Product Name: Sun Secure Application Switch - N2000 Series
EMC
USA—FCC Class A
This equipment complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This equipment may not cause harmful interference.
2. This equipment must accept any interference that may cause undesired operation.
European Union
This equipment complies with the following requirements of the EMC Directive 89/336/EEC:
As Telecommunication Network Equipment (TNE) in both Telecom Centers and Other Than Telecom Centers per (as applicable):
EN300-386 V.1.3.2 (2003-2005) Required Limits:
EN55022:1994+A1:1995+A2:1997 | Class A
EN61000-3-2:2000 | Pass
EN61000-3-3:1995+A1:2000 | Pass
IEC61000-4-2 | 6 kV (Direct), 8 kV (Air)
IEC61000-4-3 | 3 V/m 80-1000 MHz, 10 V/m 800-960 MHz and 1400-2000 MHz
IEC61000-4-4 | 1 kV AC and DC Power Lines, 0.5 kV Signal Lines
IEC61000-4-5 | 2 kV AC Line-Gnd, 1 kV AC Line-Line and Outdoor Signal Lines, 0.5 kV Indoor Signal Lines > 10m
IEC61000-4-6 | 3 V
IEC61000-4-11 | Pass
As Information Technology Equipment (ITE) Class A per (as applicable):
EN55022:1994+A1:1995+A2:1997 | Class A
ENG6100-3-2:2000 | Pass
ENG61000-3-3:1995+A1:2000 | Pass
EN55024:1998+A1:2001+A2:2003 Required Limits:
IEC61000-4-2 | 4 kV (Direct), 8 kV (Air)
IEC61000-4-3 | 3 V/m
IEC61000-4-4 | 1 kV AC Power Lines, 0.5 kV Signal and DC Power Lines
IEC61000-4-5 | 1 kV AC Line-Line and Outdoor Signal Lines, 2 kV AC Line-Gnd, 0.5 kV DC Power Lines
IEC61000-4-6 | 3 V
IEC61000-4-8 | 1 A/m
IEC61000-4-11 | Pass
Safety
This equipment complies with the following requirements of the Low Voltage Directive 73/23/EEC:
EC Type Examination Certificates:
EN60950:2000 3rd Edition | TÜV Rheinland Certificate No. S 72042727
EN60950:1999 3rd Edition | CB Scheme Certificate No. US-TÜVR-2047
Evaluated to all CB Countries
UL 60950:2000 1st Edition, CSA C22.2 No 60950-00-00 | File: E 234800-A1-UL-1
Supplementary Information: This product was tested and complies with all the requirements for the CE Mark.
/S/ /S/
Dennis P. Symanski DATE Manager, Compliance Engineering Sun Microsystems, Inc. 4150 Network Circle, MPK15-102 Santa Clara, CA 95054 USA Tel: 650-786-3255 Fax: 650-786-3723
Donald Cameron DATE Program Manager/Quality Systems Sun Microsystems Scotland, Limited Blackness Road, Phase I, Main Bldg Springfield, EH49 7LR Scotland, United Kingdom Tel: +44 1 506 672 539 Fax: +44 1 506 670 011
Sun Secure Application Switch – Release Notes for v3.2.1
These Release Notes support the N1000 and N2000 Series. The Sun Secure Application Switch – Release Notes for v3.2.1 contains the latest information and known issues for the Sun Secure Application Switch for version 3.2.1 software.
The Sun Secure Application Switch is an intelligent application switch that provides advanced Layer 3 to Layer 7 (L3 to L7) load balancing and advanced Secure Sockets Layer (SSL) acceleration with reencryption. The switch provides these services on a flexible, virtualized basis, within the convenience of a single enclosure, and with industry-leading speed, security, and availability.
The Sun Secure Application Switch includes the N1000 Series and the N2000 Series. The N1000 Series includes the N1216 and the N1400 switch. The N2000 Series includes the N2040 switch and the N2120 switch. When it is necessary to differentiate between the switches, the model numbers are used in this document.
Product Web Page
You can access updated product information, updated documentation, MIB information, and other relevant information about the Sun Secure Application Switch at the following URL:
http://www.sun.com/products/networking/switches/
Related Documentation
The Sun Secure Application Switch documentation listed here is available online at:
http://www.sun.com/products/networking/switches/
TABLE P-1 Related Documentation
Title | Part Number | Format | Location*
Sun Secure Application Switch – Getting Started Guide | 819-3042 | Printed, PDF | Ship Kit, Online
Sun Secure Application Switch – Configuration and Implementation Guide | 819-7595 | PDF | Online
Sun Secure Application Switch - Release Notes for v3.2.1 (This Document) | 819-6643 | Printed, PDF | (3.x) Ship Kit, Online
Sun Secure Application Switch - Command Reference for v3.2 | 819-3047 | HTML | Online
Sun Secure Application Switch - Online Help for v3.2 | 819-3048 | HTML | Within the application
* You can also order at no cost a Documentation CD (part number X3796A) that includes these documents. Go to http://www.sun.com/products/networking/switches for additional information.
How to Obtain Updates From Sun
You can obtain updates and patches from your Sun authorized sales representative, service provider, or by downloading them from the SunSolve Online℠ Web site at the following URL:
http://sunsolve.sun.com/
For patch information instructions, see the README file that accompanies each patch.
For downloads of released software, visit the Sun Download Center at the following URL:
http://www.sun.com/downloads
Contacting Sun Technical Support
If you have technical questions about this product that are not answered in this document, go to:
http://www.sun.com/service/contacting
Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:
http://www.sun.com/hwdocs/feedback
Please include the title and part number of your document with your feedback:
Sun Secure Application Switch – Release Notes for v3.2.1, part number 819-6643
New Features in This Release
The 3.2.1 release includes the following new software features:
Configuration Synchronization
Behavior Change: Show runningConfig saveToFile Command
Behavior Change: Show switchservices chassis cpuLoad Command
Behavior Change: Default vRouter for Virtual Services
Long-Lived Sessions
SNAT Active Standby Behavior in Redundant Configuration
Outgoing DNAT IP Address Is the Same as Virtual Service IP Address
Auto Dump
Configuration Synchronization
For information about Configuration Synchronization, refer to the Sun Secure Application Switch - Configuration and Implementation Guide, part number 819-7595.
Behavior Change: Show runningConfig saveToFile Command
In version 3.2.1, the defaultValues and nameValuePairs are included by default when a show runningConfig saveToFile command is executed. In previous versions of the software, you had to manually set defaultValues and nameValuePairs to true to include this information.
Behavior Change: Show switchservices chassis cpuLoad Command
In version 3.2.1, the show switchservices chassis cpuLoad command no longer exists. Use the show switchservices chassis module command instead to perform similar actions.
Behavior Change: Default vRouter for Virtual Services
When creating a virtual service, the default vRouter has changed from system:shared to the user defined vRouter that is associated with the vSwitch.
Long-Lived Sessions
If long-lived session is enabled, up to 30,000 of a media module network processor’s 500,000 active flow sessions can be reserved for long-lived usage. As new flows are required, the oldest inactive sessions are purged first. Long-lived sessions apply to L4SLB and L3SLB Virtual services. The default setting for long-lived sessions is disabled. When the feature is disabled, flow sessions will exist for 90 seconds with no activity. FWLB sessions are long-lived by default.
SNAT Active Standby Behavior in Redundant Configuration
In redundant configuration applications, the back-up switch now implements SNAT in standby mode so all SNAT traffic received at the back-up switch will be redirected to the master switch. The SNAT IP addresses must be the same between both switches.
Outgoing DNAT IP Address Is the Same as Virtual Service IP Address
A DNAT entry can have the same IP address as a virtual service.
Auto Dump
When an error occurs on a function card, the relevant log files are automatically created and generated.
Supported Hardware
The Sun Secure Application Switch consists of two hardware platforms.
Sun N1000 Series includes the N1216 and the N1400 models.
The N1216 provides two pluggable Gigabit Ethernet (copper or fiber) ports, sixteen 10/100-Mbps ports, and a full complement of system and port status LEDs.
The N1400 provides 4 Gigabit Ethernet (copper or fiber) ports and a full complement of system and port status LEDs. The N1400 is rackmountable and operates on standard AC voltages (115 or 230 VAC) using a single power supply.
Sun N2000 Series includes the N2120 and N2040 models.
The Sun N2120 provides 12 small form-factor pluggable (SFP) Gigabit Ethernet (copper or fiber) ports.
The Sun N2040 provides 40 10/100-Mbps ports and 4 SFP Gigabit Ethernet (copper or fiber) ports.
Both systems are rackmountable and operate on standard AC voltages (115 or 230 VAC) in either redundant or non-redundant power configurations.
For a review of the Sun Secure Application Switch hardware, refer to the Sun Secure Application Switch – Getting Started Guide.
Transceivers
Sun has tested the ports on the front of the system with the following transceivers, which are listed by type, vendor, vendor part number, and Sun X Option number.
Fiber
FINSAR, FTRJ-8519P1 BNL, X2001A
FINSAR, FTLF-8519P2BCL, X2001AZ
FIBERXON, FTM-8012C-SLG, X2001AZ
Copper
FINSAR, FCMJ-8521-3, X2002A
FINSAR, FCLF8521-3, X2002AZ
FIBERXON, FTM-C012R-LMG, X2002AZ
You can use other transceivers, but only the ones listed above have been fully tested. If required, you can purchase these transceivers from Sun or directly from approved vendors.
Software Information
This software release (V3_2R1) works with both the N1000 Series and N2000 Series.
If you currently have 2.0 software on your switch, refer to the section, “Migrating From Software Version 2.0 to Version 3.2.1”, for upgrade information.
If you currently have 3.0 or 3.1 software on your switch, refer to the section, “Migrating From Software Version 3.0 or 3.1 to Version 3.2.1” for upgrade information.
Migrating From Software Version 2.0 to Version 3.2.1
This section is relevant only if you are upgrading an N2000 Series from version 2.0 software to version 3.2.1 software.
Note – The software version command allows you to specify the version of software used on the switch. In software version 2.x, this command automatically loaded the latest patch for the version of software specified. In version 3.2.1, the software version command explicitly loads the software version specified; it does not automatically include the latest patch.
Archiving a Version 2.0 Configuration
You can copy your configuration file for backup or archive purposes. You have two options:
Make a copy of the cdb.dat file. Note that this file is machine-specific and can only be restored to the original machine on which it was used.
1. Telnet to the Sun Secure Application Switch.
2. Access the directory containing the cdb.dat file.
sun(config)# cd /ftl0/config
3. Copy the cdb.dat file to a local destination.
sun(config)# cp cdb.dat <cdbFileName.dat>
4. Make a “portable” configuration file using the show runningConfig command.
Be sure to enable the nameValuePairs option, similar to the following:
sun(config)# show runningConfig saveToFile <myConfig.txt> password <myPassword> nameValuePairs true
Note – The cdb.dat file is copied into the /config directory but the text file is saved in the /ftl0/user/home directory.
Installing Version 3.2.1 Software
If you have version 2.0 software installed on your Sun Secure Application Switch and you want to upgrade to version 3.2.1 software, do the following:
Note – If you have software version V2_0R4 or later, you can bypass Step 1 and proceed to Step 2.
1. If you have software version V2_0R3 or earlier, you must obtain and install the compression utility patch from SunSolve Online (119731) before upgrading to version 3.2.1.
You can access the SunSolve Online Web site at the following URL:
http://sunsolve.sun.com
2. Obtain and install the V3_2R1 software release from the Sun Download Center.
You can access the Sun Download Center Web site at the following URL:
http://www.sun.com/downloads
After the page loads, click Networking and scroll down to Network Connectivity, to access the software link.
3. Reboot the switch.
After installing the version 3.2.1 software, the configuration database will automatically be upgraded to the 3.x format.
Note – The .cdb file name will remain the same after the upgrade.
Importing a Version 2.0 Configuration
If you have installed version 3.2.1 onto a switch that was already equipped with version 2.0, the configuration database is automatically upgraded.
If you need to import a “portable” version 2.0 configuration into a version 3.x system, you can choose either of the following options:
Verify that the Interactive feature is turned off.
At the switch prompt, type the following text then press the Enter key:
sun(config)# interactive off
Import the running configuration with stopOnError set to false, similar to the following:
sun(config)# import runningConfig FromFile <myConfig.txt> password <myPassword> stopOnError false
Perform the following manual edits detailed below.
1. Update any filterProfile rules that perform vSwitch or vRouter filtering.
The vSwitchName and vRouterName fields have been combined into a single field vSwitchAndVRouter. The old value format looks similar to the following:
#
# Profiles to cause event filtering
#
rule position 1 action drop vSwitchName IDS vRouterName default
The new value "vSwitch:vRouter" looks similar to the following:
rule position 1 action drop vSwitchAndVRouter IDS:default
2. Update any objectRules that use the HTTP_VERSION predicate variable.
The HTTP_VERSION variable has been removed and replaced with more refined variables.
For objectRules used in requestPolicies, use REQUEST_VERSION.
For objectRules used in responsePolicies, use RESPONSE_VERSION.
The old value is similar to the following:
#
# Expressions used to classify the application data stream
#
loadBalance objectRule name orVersion predicate {HTTP_VERSION eq "1.0"}
The new value is similar to the following:
loadBalance objectRule name orVersion predicate {REQUEST_VERSION eq "1.0"}
3. Update any realServices that perform clientAddressTranslation.
In this step, you have to change the following commands:
a. Change the clientAddressTranslation enabled command to clientAddressTranslationMask 0.0.0.0
b. Change the clientAddressTranslation disabled command to clientAddressTranslationMask 255.255.255.255
The old value format looks similar to the following:
#
# Real service parameters
#
loadBalance realService name rs-lnx1 hostName lnx1 clientAddressTranslation enabled proxyIpPool pipHR
The new value format looks similar to the following:
loadBalance realService name rs-lnx1 hostName lnx1 clientAddressTranslationMask 0.0.0.0 proxyIpPool pipHR
4. Remove any lines for the loadBalance vsGroup.
These lines might appear multiple times, since this action happens once for each vSwitch. The following is an example of what requires deletion:
#
# Virtual Service Group Configuration
#
loadBalance vsGroup name default virtualServices {vs1;vs2}
5. Update the command for any advanced virtual service settings.
In this step, you have to change the following commands:
a. If disableSynCookies is present, reverse the value (change true to false or false to true). These lines might appear multiple times, up to once per virtual service.
The old value format looks similar to the following:
# Virtual service advanced settings
#
advanced ... disableSynCookies false ...
The new value format looks similar to the following:
advanced ... disableSynCookies true ...
b. If clientFirstProtocol is present, reverse the value (change true to false or false to true). These lines might appear multiple times, up to once per virtual service.
The old value format looks similar to the following:
# Virtual service advanced settings
#
advanced ... clientFirstProtocol true ...
The new value format looks similar to the following:
advanced ... clientFirstProtocol false ...
6. Remove any lines for TCP connections.
These lines might appear multiple times, since this action happens once for each vRouter. The following is an example of what requires deletion:
#
# TCP Connections
#
tcp connections localAddress 0.0.0.0 localPort 22 remoteAddress 0.0.0.0 remotePort 0 state listen
tcp connections localAddress 0.0.0.0 localPort 23 remoteAddress 0.0.0.0 remotePort 0 state listen
tcp connections localAddress 0.0.0.0 localPort 80 remoteAddress 0.0.0.0 remotePort 0 state listen
tcp connections localAddress 0.0.0.0 localPort 443 remoteAddress 0.0.0.0 remotePort 0 state listen
tcp connections localAddress 10.8.170.123 localPort 23 remoteAddress 129.148.185.228 remotePort 1516 state established
7. Update the command for the OSPF advertisements.
In this step, you have to change the following commands:
a. Change the advertise-ase command to advertise ase.
The old value format looks similar to the following:
#
#OSPF advertise ASE routes
#
ospf advertise-ase staticRt enabled
#
The new value format looks similar to the following:
ospf advertise ase staticRt enabled
b. Change the advertise-nssa command to advertise nssa.
The old value format looks similar to the following:
#
#OSPF advertise NSSA routes
#
ospf advertise-nssa staticRt enabled
#
The new value format looks similar to the following:
ospf advertise nssa staticRt enabled
8. Remove any lines for SSHd sessions.
The following is an example of what requires deletion:
#
# SSH sessions
#
sessions clientIp 129.148.30.128 clientPort 33127 sesStatus active
sessions clientIp 129.148.30.128 clientPort 33127
exit;
sessions clientIp 129.148.30.165 clientPort 41440 sesStatus active
sessions clientIp 129.148.30.165 clientPort 41440
exit;
9. Verify that the configuration file was imported correctly.
sun(config)# show runningConfig password <MyPassword>
10. Remove advanced options for non-terminated virtualServices: L4SLB and TDLB.
In this example:
Incorrect:
#
# Virtual Service configuration
#
loadBalance virtualService name L4SLB_VS appServiceType L4SLB \
ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \
enabled disableDelay 0 protocol TCP port 80 vRouter \
LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \
synRateLimit unlimited
loadBalance virtualService name L4SLB_VS
#
# Virtual service advanced settings
#
advanced tcbTemplateKey 0 ipTos Normal xmtRetryLimit 4 estRetryLimit 4 \
shortRxTimer 32_seconds longRxTimer 64_seconds rcvWnd 20480 xmtRTT \
1500_msec smmStreamLimit 1xRcvWnd estShortTimeout ExpRetr \
rcvWndDisabled false rcvMss 1460 xmtMss 1460 enableHttpMode false \
initParseWithData false rxUseLongTime false disableSynCookies false \
clientFirstProtocol true
exit; exit;
Correct:
#
# Virtual Service configuration
#
loadBalance virtualService name L4SLB_VS appServiceType L4SLB \
ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \
enabled disableDelay 0 protocol TCP port 80 vRouter \
LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \
synRateLimit unlimited
loadBalance virtualService name L4SLB_VS
#
# Virtual service advanced settings
#
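The edits in steps 1 and 3 through 8 are mechanical, so they can be applied to the saved text file before it is imported. The following Python script is an added example, not Sun tooling; the function name migrate_v20_config and the sample configuration are constructed from the fragments quoted above. It only reports HTTP_VERSION predicates (step 2), because the replacement depends on whether the rule is used in a request or a response policy, and it leaves step 10 to be done by hand.

```python
import re

# Constructed sample: a "portable" v2.0 export assembled from the fragments
# quoted in the steps above (not taken from a real switch).
SAMPLE_V20 = """\
rule position 1 action drop vSwitchName IDS vRouterName default
loadBalance objectRule name orVersion predicate {HTTP_VERSION eq "1.0"}
loadBalance realService name rs-lnx1 hostName lnx1 clientAddressTranslation enabled proxyIpPool pipHR
loadBalance vsGroup name default virtualServices {vs1;vs2}
advanced tcbTemplateKey 0 disableSynCookies false \\
clientFirstProtocol true
tcp connections localAddress 0.0.0.0 localPort 22 remoteAddress 0.0.0.0 remotePort 0 state listen
ospf advertise-ase staticRt enabled
ospf advertise-nssa staticRt enabled
sessions clientIp 129.148.30.128 clientPort 33127 sesStatus active
sessions clientIp 129.148.30.128 clientPort 33127
exit;
"""

FLIP = {"true": "false", "false": "true"}
CAT_MASK = {"enabled": "0.0.0.0", "disabled": "255.255.255.255"}
DROP_PREFIXES = ("loadBalance vsGroup ", "tcp connections ")  # steps 4 and 6
SESSION_PREFIX = "sessions clientIp "                         # step 8


def migrate_v20_config(text):
    """Apply steps 1 and 3-8 to a portable v2.0 config.

    Returns (migrated_text, notes). Comment lines pass through untouched;
    anything that needs a human decision is reported in notes.
    """
    out, notes = [], []
    skipping = False       # inside continuation lines of a removed command
    after_session = False  # the next "exit;" closes a removed session entry
    for num, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if skipping:
            skipping = s.endswith("\\")
            continue
        if not s or s.startswith("#"):
            out.append(line)
            continue
        if s.startswith(DROP_PREFIXES) or s.startswith(SESSION_PREFIX):
            after_session = s.startswith(SESSION_PREFIX)
            skipping = s.endswith("\\")
            notes.append(f"line {num}: removed '{s[:40]}'")
            continue
        if after_session and s == "exit;":
            after_session = False
            continue
        after_session = False
        # Step 1: the two filter fields become one "vSwitch:vRouter" field.
        line = re.sub(r"\bvSwitchName\s+(\S+)\s+vRouterName\s+(\S+)",
                      r"vSwitchAndVRouter \1:\2", line)
        # Step 3: enabled/disabled becomes an address mask.
        line = re.sub(r"\bclientAddressTranslation\s+(enabled|disabled)\b",
                      lambda m: "clientAddressTranslationMask " + CAT_MASK[m.group(1)],
                      line)
        # Step 5: invert both flags in a single pass so nothing flips twice.
        line = re.sub(r"\b(disableSynCookies|clientFirstProtocol)\s+(true|false)\b",
                      lambda m: m.group(1) + " " + FLIP[m.group(2)], line)
        # Step 7: advertise-ase / advertise-nssa lose the hyphen.
        line = re.sub(r"\bospf\s+advertise-(ase|nssa)\b", r"ospf advertise \1", line)
        # Cases the script will not decide on its own.
        if "HTTP_VERSION" in line:
            notes.append(f"line {num}: HTTP_VERSION must become REQUEST_VERSION "
                         "or RESPONSE_VERSION (step 2)")
        if re.search(r"\bv(Switch|Router)Name\b", line):
            notes.append(f"line {num}: unpaired vSwitchName/vRouterName, edit by hand")
        if re.search(r"\b(disableSynCookies|clientFirstProtocol)\s*\\$", s):
            notes.append(f"line {num}: flag value is on the next line, flip by hand")
        out.append(line)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    migrated, report = migrate_v20_config(SAMPLE_V20)
    print(migrated)
    print("\n".join(report))
```

Run it on a copy of the exported file and review the notes before importing; step 9 still applies afterwards.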
Migrating From Software Version 3.0 or 3.1 to Version 3.2.1
Configuration Modification
The functionality of the URI Path field used in object rules has changed in software version 3.2.1. If you are upgrading from software version 3.0 or 3.1 to 3.2.1 and object rules contain the URI_PATH you must change the object rule expressions before upgrading.
In version 3.0 and 3.1, the URI_PATH includes the path and filename. For example, if a file is archived as http://Host/Directory/File.html, the URI_PATH is /Directory/File.html and the URI_BASENAME is File.
In contrast, the URI_PATH in software version 3.2.1 contains the characters after the host (or port number) and up to the file name, including the slash separator. For example, if your file is archived as http://Host/Directory/File.html, the URI_PATH is /Directory/ and the URI_BASENAME is File.
Note – The behavior of the URI Path as it pertains to object rules is the same in software versions 2.x and 3.2. Therefore, if you are upgrading from 2.x to 3.2.1, object rule expression changes are not required.
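The following added example (not part of the Sun release notes) applies both URI_PATH definitions to sample request URLs and lists the comparisons whose result flips after the upgrade, which is the set of object rules to rewrite first. The function names, the exact-equality comparison (a stand-in for the switch's rule expression syntax), the exclusion of the query string, and the basename handling beyond the `File.html` case are assumptions.

```python
from urllib.parse import urlsplit

OLD_VERSIONS = ("3.0", "3.1")

def uri_fields(url, version):
    """Return (URI_PATH, URI_BASENAME) as the release notes define them."""
    path = urlsplit(url).path or "/"           # assumption: query string excluded
    directory, _, filename = path.rpartition("/")
    directory += "/"                           # text up to and including the last slash
    basename = filename.rsplit(".", 1)[0]      # assumption: only the last extension is dropped
    if version in OLD_VERSIONS:
        return directory + filename, basename  # 3.0/3.1: path and file name
    if version == "3.2.1":
        return directory, basename             # 3.2.1: stops before the file name
    raise ValueError("unsupported version: " + version)

def changed_matches(rule_paths, sample_urls):
    """List (literal, url, old_result, new_result) where the upgrade flips the match."""
    changed = []
    for literal in rule_paths:
        for url in sample_urls:
            old = uri_fields(url, "3.1")[0] == literal
            new = uri_fields(url, "3.2.1")[0] == literal
            if old != new:
                changed.append((literal, url, old, new))
    return changed

# Constructed inputs: literals an object rule might compare URI_PATH against,
# and representative request URLs for the protected application.
RULE_PATHS = ["/Directory/File.html", "/Directory/"]
SAMPLE_URLS = ["http://Host/Directory/File.html", "http://Host:8080/Directory/"]

if __name__ == "__main__":
    for literal, url, old, new in changed_matches(RULE_PATHS, SAMPLE_URLS):
        print(f"{literal!r} vs {url}: 3.0/3.1 match={old}, 3.2.1 match={new}")
```

A rule that flips from match to no-match stops applying to that request after the upgrade, and one that flips the other way starts applying to every file in the directory.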
Installing Version 3.2.1 Software
1. Obtain and install the V3_2R1 software release from the Sun Download Center.
You can access the Sun Download Center Web site at the following URL:
http://www.sun.com/downloads
After the page loads, click Networking and scroll down to Network Connectivity to access the software link.
2. Reboot the switch.
After installing the version 3.2.1 software, the configuration database will automatically be upgraded to the 3.0 format.
3. Remove advanced options for non-terminated virtual services: L3SLB, L4SLB, FWLB, and TDLB.
Incorrect:
# # Virtual Service configuration #
loadBalance virtualService name L4SLB_VS appServiceType L4SLB \
ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \
enabled disableDelay 0 protocol TCP port 80 vRouter \
LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \
synRateLimit unlimited
loadBalance virtualService name L4SLB_VS
# # Virtual service advanced settings #
advanced tcbTemplateKey 0 ipTos Normal xmtRetryLimit 4 estRetryLimit 4 \
shortRxTimer 32_seconds longRxTimer 64_seconds rcvWnd 20480 xmtRTT \
1500_msec smmStreamLimit 1xRcvWnd estShortTimeout ExpRetr \
rcvWndDisabled false rcvMss 1460 xmtMss 1460 enableHttpMode false \
initParseWithData false rxUseLongTime false disableSynCookies false \
clientFirstProtocol true
exit; exit;
Correct:
# # Virtual Service configuration #
loadBalance virtualService name L4SLB_VS appServiceType L4SLB \
ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \
enabled disableDelay 0 protocol TCP port 80 vRouter \
LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \
synRateLimit unlimited
loadBalance virtualService name L4SLB_VS
# # Virtual service advanced settings #
Note – The .cdb file name will remain the same after the upgrade.
Importing a Version 3.0 or 3.1 Configuration
If you have installed version 3.2.1 onto a switch that was already equipped with version 3.0 or 3.1, the configuration database is automatically upgraded.
If you need to import a “portable” version 3.x configuration into a version 3.2.1 system, you can choose either of the following options:
Verify that the Interactive feature is turned off.
At the switch prompt, type the following text, then press the Enter key:
sun(config)# interactive off
Import the running configuration with stopOnError set to false, similar to the following:
sun(config)# import runningConfig FromFile <myConfig.txt> password <myPassword> stopOnError false
Perform the following manual edits: remove the advanced options on any non-terminated virtualServices: L3SLB, L4SLB, TDLB, FWLB
In this example:
# # Virtual Service configuration #
loadBalance virtualService name WMA-STREAM-HTTP_213 appServiceType L4SLB \
ipAddress 10.49.0.213 serviceGroupName WMA-STREAM-HTTP adminState \
enabled disableDelay 0 protocol TCP port 80 vRouter \
LB_ServiceLan:default clientSrcIPRange 0.0.0.0-255.255.255.255 \
synRateLimit unlimited
loadBalance virtualService name WMA-STREAM-HTTP_213
# # Virtual service advanced settings #
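The manual edit described in installation step 3 and in the import option above can be scripted against an exported text configuration. This is an added example, not Sun's tooling: the function names are hypothetical, it removes an `advanced` statement only when it directly follows the line that selects a non-terminated virtual service, and it assumes every other line, including `exit; exit;`, should be left as exported.

```python
import re

# Non-terminated service types named in the release notes.
NON_TERMINATED = {"L3SLB", "L4SLB", "FWLB", "TDLB"}
VS_LINE = re.compile(r"loadBalance virtualService name (\S+)")
VS_TYPE = re.compile(r"\bappServiceType (\S+)")

def logical_lines(text):
    """Yield (statement, physical_lines), joining backslash continuations."""
    group, lines = [], text.splitlines()
    for i, raw in enumerate(lines):
        group.append(raw)
        if not raw.rstrip().endswith("\\") or i == len(lines) - 1:
            yield " ".join(p.rstrip().rstrip("\\").strip() for p in group), group
            group = []

def strip_advanced(text):
    """Return (cleaned_text, names) with 'advanced' removed from non-terminated services."""
    types, current, kept, removed = {}, None, [], []
    for stmt, physical in logical_lines(text):
        vs = VS_LINE.match(stmt)
        if vs:
            current = vs.group(1)
            found = VS_TYPE.search(stmt)
            if found:
                types[current] = found.group(1)
        elif stmt.startswith("advanced ") and types.get(current) in NON_TERMINATED:
            removed.append(current)
            current = None
            continue  # drop the statement and all of its continuation lines
        elif stmt and not stmt.startswith("#"):
            current = None  # any other statement ends the "just selected" state
        kept.extend(physical)
    return "\n".join(kept) + "\n", removed

# Constructed sample in the layout shown in the release notes. EXAMPLE_TERMINATED
# is a placeholder type, not a real appServiceType value.
SAMPLE = r"""loadBalance virtualService name L4SLB_VS appServiceType L4SLB \
ipAddress 10.1.0.213 serviceGroupName L4SLB_VS adminState \
enabled disableDelay 0 protocol TCP port 80
loadBalance virtualService name L4SLB_VS
# # Virtual service advanced settings #
advanced tcbTemplateKey 0 ipTos Normal xmtRetryLimit 4 \
rcvMss 1460 xmtMss 1460 clientFirstProtocol true
exit; exit;
loadBalance virtualService name WEB_VS appServiceType EXAMPLE_TERMINATED \
ipAddress 10.1.0.214 protocol TCP port 80
loadBalance virtualService name WEB_VS
advanced tcbTemplateKey 0 rcvMss 1460
exit; exit;
"""

if __name__ == "__main__":
    cleaned, names = strip_advanced(SAMPLE)
    print(cleaned, end="")
    print("advanced removed from:", names)
```

Diff the cleaned text against the export before importing it, so that each removed statement can be confirmed to belong to an L3SLB, L4SLB, FWLB, or TDLB service.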
System Management
Administrators can use multiple management tools to support the Sun Secure Application Switch in a network. These tools include:
Command-Line Interface (CLI)
Web interface
SNMP applications
Command-line Interface (CLI)
The command-line interface (CLI) uses an industry-standard design that enables you to configure and manage the Sun Secure Application Switch by typing keyboard commands. You access the CLI over a direct console connection to the RS-232 port on the front of the system, or over a Telnet or SSH connection. A connection to the CLI is indicated by the sun> prompt on your screen.
The CLI uses a hierarchical design that enables you to move deeper into the command hierarchy as you build the configuration. The CLI uses the command prompt to display your current location within the hierarchy. Simple commands enable you to navigate to the appropriate context. See the Sun Secure Application Switch – Command Reference for information about the CLI and the Sun Secure Application Switch commands.
Web Interface
The Sun Secure Application Switch Manager Web interface is a graphical user interface (GUI) that enables you to configure and manage the Sun Secure Application Switch using a browser. The Web interface supports all management capabilities provided by the CLI. Instead of entering information on a command line, you navigate menus and supply information in data entry fields. See the Sun Secure Application Switch – Online Help for more information about the Web interface.
SNMP
The Simple Network Management Protocol (SNMP) enables you to communicate with the SNMP agent on the Sun Secure Application Switch system from a remote management station. This enables you to retrieve information about managed objects on the system as well as change configuration settings.
The Sun Secure Application Switch supports the following SNMP versions:
SNMPv1
SNMPv2c
SNMPv3
The Sun Secure Application Switch supports the standard SNMP commands: GET, GETNEXT, GETBULK, SET. It does not, however, support any of the INFORM commands.
Supported Operating Systems and Web Browsers
The following operating systems and Web browsers have been tested and work with the Sun Secure Application Switch for version 3.2.1 software.
Operating Systems and Web Browsers
Microsoft Windows (98, 2000, XP, Vista)
  Internet Explorer 5.5, 6.x, and 7.x
  Netscape™ 6.2, 7.x
  Mozilla™ 1.x
  Firefox 1.x and 2.x
  Opera 6.x, 7.x, 8.x, and 9.x
Macintosh (OSX v10.1)
  Internet Explorer 5.2
  Netscape 7.x
  Mozilla 1.x
  Firefox 1.x
Red Hat Linux
  Netscape 7.1
  Mozilla 1.x
  Opera 6.x
Solaris (9 and 10)
  Mozilla 1.4 and 1.7
  Firefox 1.x
Flash Software
The minimum Macromedia Flash version required is version 6.0.65.0. Newer versions of Flash (such as 7.x, 8.x, and 9.x) also work.
Known Issues With This Release
This section describes the known problems, restrictions, and limitations in Release 3.2 (V3_2R1) on the Sun Secure Application Switch. For tracking purposes, an internal Sun reference number is included at the end of each item in this section.
ACLs
ACLs will not block traffic that is generated internally within the Sun Secure Application Switch, such as RIP advertisements, outgoing Spanning Tree BPDUs, etc. (2225/6351897)
The number of ACLs that can be applied to interfaces across the switch will vary with the complexity of the rules that are applied. If the internal table limits are exceeded, an error will be generated and reported through the syslog facility. (4226/156609)
Routed traffic on a single vRouter hits only the ingress (inbound) rule or the egress (outbound) rule when it should hit both. The first rule loaded (either ingress or egress) will match the incoming packet flow. (6614/6351901)
ARP
ARP responses with multicast MAC addresses are not automatically installed. To resolve this issue, manually enter the static ARP. For example, firewall clusters can be configured to send multicast ARPs.
If using VLANs, also manually add the multicast address to the VLAN by using the vlan address command, similar to the following examples:
sun(config-vswitch-backend-vRouter-default)# ip arp static 1.1.1.1 mac 01:00:00:00:00:01
sun(config-vswitch-backend vRouter-default)# vlan 10 address static 01:00:00:00:00:01 eth.11
sun(config-vswitch-backend vRouter-default)# vlan 10 address static 01:00:00:00:00:01 lag.server
(7274/6506711)
Configuration
When modifying load balance configurations on the target switch, wildcards cannot be used. The desired parameter(s) need to be modified individually.
sun(config)# vswitch testing loadBalance realService rs2|rs3 adminState disabled
(7561/6505411)
Before using configuration synchronization in manual mode, you must disable autodump. Once the manual synchronizations are complete, autodump can be enabled. Failure to disable autodump prior to a manual synchronization results in false autodump occurrences. Do the following to disable autodump:
sun(config)# switchServices chassis debug autoDump adminState disabled
(7626)
Firewall Load Balancing
When defining firewall real services, create a static route on the switch for each of the firewalls. In the case where the firewall is the default gateway, a default route for each firewall should be defined. If a firewall real service is disabled or deleted, the associated route for the firewall must be deleted as well. (7250/6483927)
FTP
The FTP client on the switch is not accessible through the Web interface. The FTP client must be used within the CLI. (3778/6351865)
Health Checks
If you are using a script for Scripted Health Checks and one of the lines of the script fails, there is a potential for the CLI process to continually restart. This issue could happen for a variety of reasons, including an unresponsive server. If the CLI process is repeatedly restarting, correct the problem by removing the Scripted Health Check and use standard Health Checks. (7210/6471331)
If more than one service group is using the same Scripted Health Check and it is not explicitly defined, the service group fails due to a script failure. To avoid this issue, the path to the Scripted Health Check must be explicit within the Health Check configuration. The following is a correct example of an explicit Health Check:
sun(config-vSwitch-example loadBalance)# healthCheckProfile hc.shrc script scriptFile /ftl0/user/local/shrc.tcl
(7625/6592850)
Load Balancing
Opera Web browsers continue to request TCP data even when receiving a TCP-RST. This can cause the browser to appear hung. (2844/6351904)
UDP load balancing (including RADIUS and DNS) does not support frames with IP options. (4469/6351907)
For two or more FTPBL VirtualServices with the same IP address and different ports, you cannot assign the same or overlapping ftpDataPortRanges. (7552/6505412)
Ports
Auto-negotiation does not work using the NS-83820 Fiber NIC and the Finisar SFF optical GBIC (part number FTRJ-8519-3). The PicoLight SFF optical GBIC (part numbers PL-XPL-00-S13-05 and PL-XPL-S23-28) will auto-negotiate with the NS-83820 Fiber NIC. (5682/6351875)
Jumbo frames directed to the switch IP address are dropped. (1665/6351881)
RealService
If you attempt to disable a RealService or host that is used by a Virtual service (VS) with the longRxTimer value set longer than the default (64 seconds), an error message will be displayed. To disable the RealService, you must remove it from the service group, then disable it. (7328/6507197)
FWLB connections are long-lived, thus affecting the session counters for real services. The initial FWLB flow is persistent (long-lived), which counts as one connection. This causes the Cumulative Open Sessions and Current Open Sessions to increment. When more packets go through that same flow, a 90-second session flow is created, which also counts as an opened connection. These flows will also increment the Cumulative Open/Current Open Session counters. New flows with the same source/destination address, protocol and vRouter ID will hit the FWLB persistent entry and immediately create specific 90-second session flows (refreshed by traffic). The Cumulative Open/Current Open Session counters will increment. If traffic subsides, all the 90-second session flows time out, incrementing the Cumulative Closed Session counter, leaving the persistent FWLB flows still as open
sessions. Then if the FW service is administratively disabled or deleted, those persistent flows are closed too. The Cumulative Open/Current Open Session counters then decrement to 0. (7555/6505413)
Routing
If a static ARP entry is deleted, the switch does not send an ARP request for the given host. To resolve this issue, ping the host from the switch and the ARP will be sent. (7124/6427618)
Directed broadcasts are not forwarded across IP interfaces. (2059/6351885)
The on-board traceroute command fails in an on-board IP interface. The ICMP ping command can be used. (5092/6351887)
The switch does not always respond to ICMP Address Mask requests properly. (3946/6351890)
OSPF type 2 AS external routes always use a metric of 1 regardless of the configured metric. (5693/6351891)
The switch will erroneously add a host route to the route table based on a received RIP update when the switch has already received a RIP update containing a route with a short mask for the same gateway. This compliance problem should have no negative network impact. (2457/6351892)
Traceroute and InterRealm Routing (IRR)
There are two known issues with traceroute and InterRealm Routing:
When traceroute is performed from an external host (PC) and the path uses IRR, ICMP TTL expired or port unreachable messages (when using UDP traceroute) are not sent back to the external client.
When traceroute is performed from the external host to an IRR interface, the response comes from the destination IP address. This is incorrect since the packet sent had a TTL of 1 and the destination is 3 hops away. Each incremental router hop should send a response to the traceroute request. (6989/6505415)
Web Interface
Most browsers exhibit a security issue regarding the way basic authentication is implemented by continuing to send the old credentials after an error message is received. To avoid this issue, you must close the browser window used to connect to the switch to maintain security and prevent unauthorized access. Mozilla is the only browser that does not exhibit this issue. (1199/6351852)
Displaying statistics using line graphs will preserve all history of graphed data, which will continuously consume memory on your PC if left unattended. (2299/6351855)
Using the Web Interface, the dashboard has a slow memory leak, which is also present after the session times out due to inactivity. If the GUI is left open for long periods of time, such as overnight, this may cause workstation performance to deteriorate until the browser window is closed. (5927/6351858)
Online Help requires that JavaScript™ is enabled on your Web browser. (2104/1351860)
Configuration Scaling
Management
System vSwitch:
One management vRouter
Four shared vRouters
100 user accounts (used for login access to the switch)
10 concurrent CLI sessions
10 concurrent HTTP management sessions
Virtualization
User-defined vSwitches:
One user-defined vSwitch for the N2120, N2040, and N1400
Ten user-defined vSwitches, with the optional virtualization key on the N2120, N2040, and N1400
L2 to L3 Scale
Ports per LAG: 16
LAGs: 22
Ports or LAGs: 44 per VLAN
VLANs: 512 per vSwitch, 4095 total
ARP entries: 3000 per vRouter
ACL lists: 4 per vRouter
ACL rules: 256 per ACL list
IP interfaces: 128 per vRouter
Static routes: 200 per vRouter
MAC entries: 16,000 total
Load Balance Configuration
Maximum number of virtual services: 1024 per vSwitch, 2048 total
Service groups: 512 per vSwitch, 4096 total
Hosts: 1024 per vSwitch
Real services: 1024 per vSwitch, 8192 total
Maximum number of real services in a service group: 1024
Request policies: 1024 per vSwitch, 4096 total
Response policies: 1024 per vSwitch
Request transforms: 1024 per vSwitch
Response transforms: 1024 per vSwitch
Object rules: 1000 per vSwitch
Configurable health checks: 512 per vSwitch
Active health checks: 1024 per vSwitch
Keep-alives (1 probe or 1 list of up to 5 HTTP probes): 1 per vSwitch
1024-bit certificates: 512 per vSwitch
Note – The scaling numbers outlined above are individually achievable, but maximum configurations combining all of the scale factors are not achievable.
Documentation Updates
This section describes updates to the Sun Secure Application Switch documentation. Please refer to the following Sun Web site for the most recent versions of the documentation for this product:
http://www.sun.com/products/networking/switches/
Configuration and Implementation Guide and Getting Started Guides (Translated Versions)
Table P-2 in the Configuration and Implementation Guides and all translated versions of the Getting Started Guide (part numbers 819-3966-12, 819-3967-12, 819-3968-12, 819-3969-12, 819-3970-12, 819-3971-12, and 819-3972-12) contain outdated references to related documentation.
The correct references to related documents are shown below.
TABLE P-2 Related Documentation
Title                                                                   Part Number  Format        Location
Sun Secure Application Switch - Getting Started Guide                   819-3042     Printed, PDF  Ship Kit, Online
Sun Secure Application Switch - Configuration and Implementation Guide  819-7595     PDF           Online
Sun Secure Application Switch - Release Notes for v3.2.1                819-6643     Printed, PDF  (3.x) Ship Kit, Online
Sun Secure Application Switch - Release Notes for v4.0                  819-7244     Printed, PDF  (4.x) Ship Kit, Online
Sun Secure Application Switch - Command Reference for v3.2              819-3047     HTML          Online
Sun Secure Application Switch - Command Reference for v4.0              819-7594     HTML          Online
Sun Secure Application Switch - Online Help for v3.2                    819-3048     HTML          Within the application
Sun Secure Application Switch - Online Help for v4.0                    819-7596     HTML          Within the application
* For 3.x, you can also order at no cost a Documentation CD (part number X3796A) that includes these documents. Go to http://www.sun.com/products/networking/switches for information.
* For 4.x, you can also order at no cost a Documentation CD (part number X3797A) that includes these documents. Go to http://www.sun.com/products/networking/switches for information.