HPE 5130EI-CMW710-R3207 and R3207-US
Release Notes
The information in this document is subject to change without notice.
© Copyright 2016, 2017 Hewlett Packard Enterprise Development LP
Contents
Version information
Hardware feature updates
Software feature and command updates
MIB updates
Operation changes
Restrictions and cautions
Open problems and workarounds
List of resolved problems
Support and other resources
Appendix A Feature list
Appendix B Upgrading software
Introduction
This document describes the features, restrictions and guidelines, open problems, and workarounds for version HPE 5130EI-CMW710-R3207 and R3207-US. For the sake of brevity, it can be assumed that all fixes and features of R3207 also apply to R3207-US. Before you use this version on a live network, back up the configuration and test the version so that the software upgrade does not affect your live network.
Use this document in conjunction with HPE 5130EI-CMW710-R3207 Release Notes (Software Feature Changes) and the documents listed in "Related documents."
Version information
Version number
HPE Comware Software, Version 7.1.070, Release 3207
Note: You can see the version number with the command display version in any view. Please see Note①.
Version history
IMPORTANT:
The software feature changes listed in the version history table for each version are not complete. To obtain complete information about all software feature changes in each version, see the Software Feature Changes document for this release notes.
Table 1 Version history
| Version number | Last version | Release date | Release type | Remarks |
|---|---|---|---|---|
| 5130EI-CMW710-R3207 | R3115P08 | 2017-04-27 | Release version | This version fixed bugs and introduced feature changes. New features include: Fundamentals features; IRF features; Layer 2-LAN switching features. There are also modified features. Fixed bugs. |
| 5130EI-CMW710-R3115P08 | R3115P07 | 2017-03-20 | Release version | This version fixed bugs and introduced feature changes. New features include: ISP domain for users assigned to nonexistent domains. Fixed bugs. |
| 5130EI-CMW710-R3115P07 | R3115P06 | 2017-02-16 | Release version | Modified feature: The login success message for 802.1X users; The login failure message for 802.1X users. Fixed bugs. |
| 5130EI-CMW710-R3115P06 | R3115P05 | 2016-12-22 | Release version | New feature: 802.1X MAC address binding. Modified feature: Password configuration for MAC authentication MAC-based user accounts; Setting the fixed-area ratio for a queue; Setting the maximum shared-area ratio for a queue; Setting the total shared-area ratio; Burst feature. Fixed bugs. |
| 5130EI-CMW710-R3115P05 | R3115P03 | 2016-10-24 | Release version | Modified feature: Operating information collection; Maximum length of jumbo frames allowed by an Ethernet interface; Controlling SSH client access to the SSH server; Debugging switches. Fixed bugs. |
| 5130EI-CMW710-R3115P03 | R3115P01 | 2016-09-27 | Release version | Modified feature: Configuring a test profile for RADIUS server status detection; NTP support for ACL. Fixed bugs. |
| 5130EI-CMW710-R3115P01 | R3115 | 2016-08-16 | Release version | New feature: Configuring traffic policing for all incoming traffic by using the non-MQC approach; Bandwidth guaranteeing group; Ignoring the ingress ports of ARP packets during user validity check. Modified feature. Fixed bugs. |
| 5130EI-CMW710-R3115 | R3113P05 | 2016-07-15 | Release version | New features: Including user IP addresses in realtime accounting packets for MAC authentication users with dynamic IP addresses; Configuring periodic MAC reauthentication. Modified feature: Kernel thread deadloop detection. Fixed bugs. |
| 5130EI-CMW710-R3113P05 | R3113P03 | 2016-06-15 | Release version | New features: PD detection mode. Fixed bugs. |
| 5130EI-CMW710-R3113P03 | R3113P02 | 2016-05-27 | Release version | Fixed bugs. |
| 5130EI-CMW710-R3113P02 | R3112 | 2016-05-06 | Release version | New features: Automatic negotiation for speed downgrading; RADIUS stop-accounting packet buffering; HWTACACS stop-accounting packet buffering; Support of 802.1X for redirect URL assignment; Support of MAC authentication for redirect URL assignment; Support of port security for redirect URL assignment in specific modes; SAVI. Modified feature: CDP compatibility for LLDP. Fixed bugs. |
| 5130EI-CMW710-R3112 | R3111P07 | 2016-03-18 | Release version | Modified feature: Displaying the number of online 802.1X users; Displaying the number of online MAC authentication users; Displaying the number of online Web authentication users. Fixed bugs. |
| 5130EI-CMW710-R3111P07 | R3111P03 | 2016-02-03 | Release version | New feature: Enabling bridging on an Ethernet interface; Sending EAP-Success packets to 802.1X users in critical VLAN; Triple authentication; Enabling SNMP notifications for port security; Enabling SNMP notifications for RRPP. Modified feature: Configuring the HTTPS listening port number for the local portal Web server; Specifying ECDSA algorithms with different public key lengths. Fixed bugs. |
| 5130EI-CMW710-R3111P03 | R3111P02 | 2015-12-31 | Release version | New feature: Web authentication; Allowing link aggregation member ports to be in the deployed flow tables; Transceiver module alarm suppression. Modified feature: 802.1X guest VLAN assignment delay. Fixed bugs. |
| 5130EI-CMW710-R3111P02 | R3111P01 | 2015-12-28 | Release version | Fixed bugs. |
| 5130EI-CMW710-R3111P01 | R3110 | 2015-12-18 | Release version | Fixed bugs. |
| 5130EI-CMW710-R3110 | R3109P16 | 2015-11-30 | Release version | New features: Enabling SNMP notifications for new-root election and topology change events; IP address pool authorization by AAA; Port-specific 802.1X periodic reauthentication timer; Manual reauthentication for all online 802.1X users on a port; IPsec support for Suite B; SSH support for Suite B; Public key management support for Suite B; PKI support for Suite B; SSL support for Suite B. Modified feature: FIPS self-tests; Configuring the CDP-compatible operating mode for LLDP. Fixed bugs. |
| 5130EI-CMW710-R3109P16 | R3109P14 | 2015-11-17 | Release version | New features: Packet Capture. Fixed bugs. |
| 5130EI-CMW710-R3109P14 | R3109P09 | 2015-10-31 | Release version | New features: Including client IP addresses in realtime accounting packets for 802.1X clients with dynamic IP addresses; Enabling MAC authentication multi-VLAN mode on a port; RADIUS DAE server; RADIUS server status detection; RADIUS server load sharing; 802.1X guest VLAN assignment delay; Sending 802.1X protocol packets without VLAN tags; 802.1X critical voice VLAN; MAC authentication critical voice VLAN; Parallel processing of MAC authentication and 802.1X authentication; RA guard logging feature; Displaying RA guard statistics; Clearing RA guard statistics; Configuring log suppression for a module. Modified features: 802.1X command output; MAC authentication command output; Displaying interface information; Configuring the types of advertisable LLDP TLVs on a port; Specifying RADIUS servers; Configuring SSH access control. Removed features: Enabling PoE for a PSE. Fixed bugs. HPE rebranding. |
| 5130EI-CMW710-R3109P09 | R3109P07 | 2015-9-14 | Release version | New features: L2PT. Fixed bugs. |
| 5130EI-CMW710-R3109P07 | R3109P05 | 2015-7-31 | Release version | New features: MAC authentication offline detection. Fixed bugs. |
| 5130EI-CMW710-R3109P05 | R3109P04 | 2015-6-16 | Release version | Fixed bugs. |
| 5130EI-CMW710-R3109P04 | R3109P03 | 2015-5-28 | Release version | Fixed bugs. |
| 5130EI-CMW710-R3109P03 | R3109P01 | 2015-5-15 | Release version | New features: RA Guard. Modified feature: Configuring the TCP maximum segment size (MSS). Fixed bugs. |
| 5130EI-CMW710-R3109P01 | R3108P03 | 2015-4-2 | Release version | New features: RADIUS voice VLAN attribute for 802.1X and MAC authentication; 802.1X online user handshake reply. Modified feature: Specifying startup images. Fixed bugs. |
| 5130EI-CMW710-R3108P03 | R3108P01 | 2015-2-13 | Release version | New features: Disabling SSL 3.0; Login delay; ND Snooping. Fixed bugs. |
| 5130EI-CMW710-R3108P01 | R3106 | 2014-12-12 | Release version | Fixed bugs. |
| 5130EI-CMW710-R3106P01 | R3106 | 2014-8-9 | Release version | Add new hardware support |
| 5130EI-CMW710-R3106 | First release | 2014-7-28 | Release version | First release |
Hardware and software compatibility matrix
CAUTION:
To avoid an upgrade failure, use Table 2 to verify the hardware and software compatibility before
performing an upgrade.
Table 2 Hardware and software compatibility matrix
| Item | Specifications |
|---|---|
| Product family | 5130 EI Series |
| Hardware platform | HPE 5130-24G-4SFP+ EI Switch JG932A |
| | HPE 5130-24G-SFP-4SFP+ EI Switch JG933A |
| | HPE 5130-48G-4SFP+ EI Switch JG934A |
| | HPE 5130-24G-PoE+-4SFP+ (370W) EI Switch JG936A |
| | HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch JG937A |
| | HPE 5130-24G-2SFP+-2XGT EI Switch JG938A |
| | HPE 5130-48G-2SFP+-2XGT EI Switch JG939A |
| | HPE 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch JG940A |
| | HPE 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch JG941A |
| | HPE 5130-24G-4SFP+ EI Brazil Switch JG975A |
| | HPE 5130-48G-4SFP+ EI Brazil Switch JG976A |
| | HPE 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch JG977A |
| | HPE 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch JG978A |
| Minimum memory requirements | 1 GB |
| Minimum Flash requirements | 512 M |
| Boot ROM version | Version 145 or higher (Note: Use the display version command in any view to view the version information. Please see Note) |
| Host software & SHA256 checksum | 5130EI-CMW710-R3207.ipe |
| | 5130EI-CMW710-R3207-US.ipe |
| | 99ECAA20F5D410DBF011DCA79BD8F60811F1926F1E412FEC9DF5653D575A439F |
| | 5130ei-cmw710-packet-capture-r3207-US.bin |
| | C897B96446C888184613F4ADEDB2656EC89EF9978EDB7C4AE00A30F75EC4B70D |
| iMC version | iMC BIMS 7.2 (E0402) |
| | iMC EAD 7.2 (E0402) |
| | iMC EIA(TAM) 7.2 (E0402) |
| | iMC EIA(UAM) 7.2 (E0402) |
| | iMC PLAT 7.2 (E0403P04) |
| | iMC QoSM 7.2 (E0403) |
| | iMC RAM 7.2 (E0402) |
| | iMC SHM 7.2 (E0402) |
| iNode version | iNode PC 7.2 (E0401) |
| Web version | None |
| Remarks | None |
Display the system software and Boot ROM versions of 5130EI:
<Sysname> display version
HPE Comware Software, Version 7.1.070, Release 3207 ------ Note
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch uptime is 0 weeks, 0 days, 0 hours, 5 minutes
Last reboot reason : User reboot
Boot image: flash:/5130ei-cmw710-boot-r3207.bin
Boot image version: 7.1.070, Release 3207
Compiled Apr 14 2017 16:00:00
System image: flash:/5130ei-cmw710-system-r3207.bin
System image version: 7.1.070, Release 3207
Compiled Apr 14 2017 16:00:00
Slot 2:
Uptime is 0 weeks,0 days,0 hours,5 minutes
5130-48G-PoE+-4SFP+ (370W) EI JG937A with 1 Processor
BOARD TYPE: 5130-48G-PoE+-4SFP+ (370W) EI JG937A
DRAM: 1024M bytes
FLASH: 512M bytes
PCB 1 Version: VER.A
Bootrom Version: 145 ------ Note
CPLD 1 Version: 002
Release Version: HPE 5130-48G-PoE+-4SFP+ (370W) EI JG937A-3207
Patch Version : None
Reboot Cause : UserReboot
[SubSlot 0] 48GE+4SFP Plus
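An added example, not part of HPE's release notes: a Python check that parses display version output like the sample above and compares every slot against the Table 2 minimums (Boot ROM 145, 1 GB memory, 512 M flash) and the expected Release 3207. The function names and the second IRF member (Slot 3) in the sample are constructed for illustration; the check is per slot because an IRF fabric prints one Slot section per member.

```python
import re

# Expected release and minimums, taken from Table 2 of these release notes.
EXPECTED_RELEASE = "3207"
MINIMUMS = {"bootrom": 145, "dram": 1024, "flash": 512}  # version, MB, MB

# Constructed sample: trimmed from the display version output above, plus a
# hypothetical second IRF member (Slot 3) that still has an older Boot ROM.
SAMPLE = """\
HPE Comware Software, Version 7.1.070, Release 3207
Boot image: flash:/5130ei-cmw710-boot-r3207.bin
Boot image version: 7.1.070, Release 3207
System image: flash:/5130ei-cmw710-system-r3207.bin
System image version: 7.1.070, Release 3207
Slot 2:
DRAM:                1024M bytes
FLASH:               512M bytes
Bootrom Version:     145
Slot 3:
DRAM:                1024M bytes
FLASH:               512M bytes
Bootrom Version:     134
"""


def parse_display_version(text):
    """Extract release strings and per-slot hardware facts from the output."""
    info = {"release": None, "images": {}, "slots": {}}
    slot = None  # dict of the Slot section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"HPE Comware Software, Version \S+, Release (\S+)", line)
        if m:
            info["release"] = m.group(1)
            continue
        m = re.match(r"(Boot|System) image version:\s*\S+, Release (\S+)", line)
        if m:
            info["images"][m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"Slot (\d+):", line)
        if m:
            slot = info["slots"].setdefault(int(m.group(1)), {})
            continue
        if slot is None:
            continue  # hardware lines only count inside a Slot section
        m = re.match(r"(DRAM|FLASH):\s*(\d+)M bytes", line)
        if m:
            slot[m.group(1).lower()] = int(m.group(2))
            continue
        m = re.match(r"Bootrom Version:\s*(\d+)", line)
        if m:
            slot["bootrom"] = int(m.group(1))
    return info


def check_against_table2(info, expected_release=EXPECTED_RELEASE):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if info["release"] != expected_release:
        findings.append(
            f"running release {info['release']} is not {expected_release}")
    for name in ("boot", "system"):
        rel = info["images"].get(name)
        if rel != expected_release:
            findings.append(
                f"{name} image release {rel} is not {expected_release}")
    if not info["slots"]:
        findings.append("no Slot section found; output is incomplete")
    for num, facts in sorted(info["slots"].items()):
        for key, minimum in MINIMUMS.items():
            value = facts.get(key)
            if value is None:
                findings.append(f"slot {num}: {key} not reported")
            elif value < minimum:
                findings.append(
                    f"slot {num}: {key} {value} is below the Table 2 "
                    f"minimum {minimum}")
    return findings


if __name__ == "__main__":
    for finding in check_against_table2(parse_display_version(SAMPLE)):
        print(finding)
```
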
Upgrade restrictions and guidelines
Before performing a software upgrade, it is important to refer to the Software Feature Changes document for any feature changes in the new version. Also check the most recent version of the related documents (see "Related documents") available on the HPE website for more information about feature configuration and commands.
Hardware feature updates
Hardware feature updates in R3207
None
Hardware feature updates in R3115P08
None
Hardware feature updates in R3115P07
None
Hardware feature updates in R3115P06
None
Hardware feature updates in R3115P05
None
Hardware feature updates in R3115P03
None
Hardware feature updates in R3115P01
None
Hardware feature updates in R3115
None
Hardware feature updates in R3113P05
R3113P05 supports the following new hardware:
•
Flashes that support 4-bit ECC check:
MICRON: MT29F4G08ABADAWP:D
SPANSION: S34ML01G200TFI003
•
Flashes that support 8-bit ECC check:
MXIC: MX30LF4G28AB
Hardware feature updates in R3113P03
None
Hardware feature updates in R3113P02
None
Hardware feature updates in R3112
None
Hardware feature updates in R3111P07
None
Hardware feature updates in R3111P03
None
Hardware feature updates in R3111P02
None
Hardware feature updates in R3111P01
None
Hardware feature updates in R3110
None
Hardware feature updates in R3109P16
None
Hardware feature updates in R3109P14
None
Hardware feature updates in R3109P09
None
Hardware feature updates in R3109P07
None
Hardware feature updates in R3109P05
None
Hardware feature updates in R3109P04
None
Hardware feature updates in R3109P03
None
Hardware feature updates in R3109P01
None
Hardware feature updates in R3108P03
None
Hardware feature updates in R3108P01
Added support for HP 5130-24G-2SFP+-2XGT EI Switch JG938A, HP 5130-48G-2SFP+-2XGT EI Switch JG939A, HP 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch JG940A, HP 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch JG941A.
Hardware feature updates in R3106P01
Added support for HP 5130-24G-4SFP+ EI Brazil Switch JG975A, HP 5130-48G-4SFP+ EI Brazil Switch JG976A, HP 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch JG977A, HP 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch JG978A.
Hardware feature updates in R3106
•
First release.
Software feature and command updates
For more information about the software feature and command update history, see HPE
5130EI-CMW710-R3207 Release Notes (Software Feature Changes).
MIB updates
Table 3 MIB updates
| Version | Item | MIB file | Module | Description |
|---|---|---|---|---|
| 5130EI-CMW710-R3207 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115P08 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115P07 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115P06 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115P05 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115P03 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115P01 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3115 | None | None | None | None |
| | None | None | None | None |
| 5130EI-CMW710-R3113P05 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3113P03 | New | New | New | New |
| | Modified | Modified | Modified | Modified |
| 5130EI-CMW710-R3113P02 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3112 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3111P07 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3111P03 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3111P02 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3111P01 | New | hh3c-port-security.mib | HH3C-PORT-SECURITY-MIB | Added descriptions and support for the following Trap: hh3cSecureAddressLearned, hh3cSecureViolation, hh3cSecureLoginFailure, hh3cSecureLogon, hh3cSecureLogoff, hh3cSecureRalmLoginFailure, hh3cSecureRalmLogon, hh3cSecureRalmLogoff |
| | Modified | None | None | None |
| 5130EI-CMW710-R3110 | New | hh3c-splat-inf-new.mib | HH3C-LswINF-MIB | Added descriptions and support for the following MIBs: hh3cifPktBufTable |
| | | hh3c-lsw-dev-adm.mib | HH3C-LSW-DEV-ADM-MIB | Added descriptions and support for the following MIBs: hh3cLswSlotPktBufFree, hh3cLswSlotPktBufInit, hh3cLswSlotPktBufMin, hh3cLswSlotPktBufMiss |
| | Modified | None | None | None |
| 5130EI-CMW710-R3109P16 | New | New | New | New |
| | Modified | Modified | Modified | Modified |
| 5130EI-CMW710-R3109P14 | New | New | New | New |
| | Modified | Modified | Modified | Modified |
| 5130EI-CMW710-R3109P09 | New | New | New | New |
| | Modified | Modified | Modified | Modified |
| 5130EI-CMW710-R3109P07 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3109P05 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3109P04 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3109P03 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3109P01 | New | None | None | None |
| | Modified | rfc1213-mib.docx | IP-MIB | ipForwarding (1.3.6.1.2.1.4.1): Only support read operation. ipDefaultTTL (1.3.6.1.2.1.4.2): Only support read operation. |
| 5130EI-CMW710-R3108P03 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3108P01 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3106P01 | New | None | None | None |
| | Modified | None | None | None |
| 5130EI-CMW710-R3106 | New | First release | First release | First release |
| | Modified | First release | First release | First release |
Operation changes
Operation changes in R3207
None
Operation changes in R3115P08
•
The bpdu-drop any command in Layer 2 Ethernet interface view added support for dropping PVST and PVST+ packets.
Operation changes in R3115P07
None
Operation changes in R3115P06
None
Operation changes in R3115P05
None
Operation changes in R3115P03
None
Operation changes in R3115P01
None
Operation changes in R3115
None
Operation changes in R3113P05
None
Operation changes in R3113P03
None
Operation changes in R3113P02
None
Operation changes in R3112
None
Operation changes in R3111P07
None
Operation changes in R3111P03
Added support on Port Security logging.
Operation changes in R3111P02
None
Operation changes in R3111P01
None
Operation changes in R3110
None
Operation changes in R3109P16
None
Operation changes in R3109P14
None
Operation changes in R3109P09
Changed the OpenFlow packet-in rate limit from 200 PPS to 1000 PPS.
Operation changes in R3109P07
The priorities of ACL resources were modified to save ACL resources.
Added support for issuing commands to an SSH server.
•
Before modification, an SSH user cannot issue commands to a switch acting as an SSH server through SSH parameters.
•
After modification, an SSH user can issue commands in batches to an SSH server through SSH parameters.
Operation changes in R3109P05
None
Operation changes in R3109P04
None
Operation changes in R3109P03
Added support for portal configuration in the Web interface
•
Before modification, portal configuration is not supported in the Web interface.
•
After modification, portal configuration is supported in the Web interface.
Operation changes in R3109P01
None
Operation changes in R3108P03
None
Operation changes in R3108P01
None
Operation changes in R3106P01
None
Operation changes in R3106
First release.
Restrictions and cautions
1.
If the authorization VLAN does not exist, the access device first creates the VLAN and then assigns the user access interface as an untagged member to the VLAN. If the authorization
VLAN already exists, the access device directly assigns the user access interface as an untagged member to the VLAN.
2.
To deploy Web authentication on a trunk or hybrid port, make sure the port PVID, the authorization VLAN ID, and the user VLAN ID are the same.
3.
The offline detect timer for MAC authentication and the aging timer for dynamic MAC address entries must be set to the same value.
4.
When you downgrade a software package with the BootROM version 142 or a later version to a software package with the BootROM version earlier than 142, the BootROM version 122, 130, 132, or 134 is not downgraded together with the software package version.
Open problems and workarounds
None
List of resolved problems
Resolved problems in R3207
None
Resolved problems in R3115P08
201703060242
•
Symptom: Packet loss occurs on an edge aggregate interface if the interface has not received
LACPDUs within the LACP timeout interval.
•
Condition: This symptom might occur if an edge aggregate interface has not received
LACPDUs within the LACP timeout interval.
201703060053
•
Symptom: The switch is connected to a Cisco IP phone installed with a key expansion module.
When PoE is enabled on the interface connected to the phone, the phone can be powered on, but the key expansion module cannot start.
•
Condition: This symptom might occur if the following operations are performed:
a. Connect the switch to a Cisco IP phone installed with a key expansion module.
b. Enable PoE on the interface connected to the phone.
c. Set the maximum power for the PoE-enabled interface.
201508120317
•
Symptom: The switch uses a software version earlier than R3109P09, and PoE and LLDP are enabled on an interface. When the interface flaps, the switch irregularly generates the CFGMAN_CFGCHANGED message to report configuration changes.
•
Condition: This symptom might occur if the following conditions exist:
The switch uses a software version earlier than R3109P09.
PoE and LLDP are enabled on an interface, and the interface flaps.
201607280306
•
Symptom: SSH connections cannot be established if no Suite B cryptographic suite is specified for SSH.
•
Condition: This symptom might occur if no Suite B cryptographic suite is specified for SSH.
201606130301
•
Symptom: An authentication server cannot be removed from a TACACS scheme in the Web interface.
•
Condition: This symptom might occur if an authentication server is removed from a TACACS scheme in the Web interface.
201606080536
•
Symptom: An AudioCodes IP phone sending CDP packets cannot be assigned to the critical voice VLAN.
•
Condition: This symptom might occur if an AudioCodes IP phone sends CDP packets.
Resolved problems in R3115P07
201701170366
•
Symptom: The user VLAN information in user event logs is inconsistent with the authorization
VLAN information that the server issues to users.
•
Condition: This symptom might occur if the server issues authorization VLAN information to users that pass authentication.
201701040586
•
Symptom: The display vlan brief command cannot display information about VLANs whose IDs are multiples of 41.
•
Condition: This symptom might occur if the number of VLANs on the switch reaches the upper limit.
201611220420
•
Symptom: The console port of an IRF master might be inaccessible.
•
Condition: This symptom might occur if the tty and comsh processes run on different CPU cores.
201611110196
•
Symptom: In certain conditions, the display stp brief command displays incorrect status information for a port.
•
Condition: This symptom might occur if the following operations are performed:
a. Enable STP on the switch and its peer device.
b. Enable loop detection on the port connected to the peer device, and disable STP on the peer device.
c. Execute the display stp brief command for the port.
201702060403
•
Symptom: The 5130-24G-2SFP+-2XGT EI JG938A/5130-48G-2SFP+-2XGT EI JG939A/5130-24G-PoE+-2SFP+-2XGT (370W) EI JG940A/5130-48G-PoE+-2SFP+-2XGT (370W) EI JG941A switch might lose software image files and configuration files.
•
Condition: None.
201702130126
•
Symptom: In certain conditions, an IRF fabric cannot be pinged after it reboots.
•
Condition: This symptom might occur if port security is enabled on the IRF fabric, and the maximum number of secure MAC addresses allowed on a port is set to 1.
201701190157
•
Symptom: In certain conditions, users cannot come online after the IRF fabric that the users access is rebooted.
•
Condition: This symptom might occur if the following conditions exist:
Port security is enabled on the IRF fabric, and port security in userlogin-secure mode is enabled on the port that the users access.
The IRF fabric is rebooted.
201702090546/201701100036
•
Symptom: After an IRF fabric is rebooted, some subordinate switches fail to respond, and the
CLI of these switches is inaccessible. Output from the display device command shows that these switches are in Fault state.
•
Condition: This symptom might occur if the following conditions exist:
a. The IRF fabric contains dual-chip switches.
b. The IRF fabric is rebooted.
201701180065
•
Symptom: Multicast traffic fails to be forwarded out of an aggregate interface.
•
Condition: This symptom occurs if the status of one member port in the aggregation group changes from Unselected to Selected after the device learns multicast routes. The aggregate interface is an outgoing interface of one of the multicast routes.
201701170120
•
Symptom: A memory leakage occurs on the device.
•
Condition: This symptom occurs if MFF in the automatic mode is enabled and then disabled repeatedly.
201701060282
•
Symptom: The device generates the log message "RESEND_RADIUS:Failed to allocate
PktID".
•
Condition: This symptom occurs if a large number of users come online and go offline frequently when the primary RADIUS accounting server and secondary RADIUS accounting servers are unreachable.
Resolved problems in R3115P06
201611090264
•
Symptom: An SFTP user assigned the network-operator user role has access to some commands that are supposed to be inaccessible to the user role.
•
Condition: This symptom occurs if the SFTP user passes either publickey or password-publickey authentication to log in to the device and is assigned the network-operator user role.
201611070270
•
Symptom: CVE-2016-8858
•
Condition: A remote user can send specially crafted data during the key exchange process to trigger a flaw in kex_input_kexinit() and consume excessive memory on the target system. This can be exploited to consume up to 384 MB per connection.
201609300342
•
Symptom: A memory leakage occurs in the stpd process.
•
Condition: This symptom occurs if the spanning tree feature is enabled on the device and the spanning tree operating mode is changed.
201611080056
•
Symptom: CVE-2016-5195
•
Condition: Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.
201611220390
•
Symptom: Authentication for new portal users fails when a large number of online portal users are logging out.
•
Condition: This symptom might occur if the following conditions exist:
The RADIUS server provides accounting services for portal users.
A large number of online portal users log out.
201611220420
•
Symptom: An IRF fabric cannot be accessed through the console port of the master.
•
Condition: This symptom might occur if an IRF fabric is accessed through the console port of the master.
201611220435
•
Symptom: After a two-chassis IRF fabric is rebooted, interface indexes change and Smart Link settings are lost.
•
Condition: This symptom might occur if the following operations are performed:
a. Delete the startup.mdb and ifindex.dat files on the IRF member switches.
b. Save the configuration and reboot the IRF fabric.
c. When the IRF member switches are rebooting, press Ctrl+B to access the Boot ROM menu of one IRF member switch. The other member switch is successfully rebooted.
201612080146
•
Symptom: The switch stops responding when the scripts are executed to repeatedly display memory information about the ipoe and ifmgr processes.
•
Condition: This symptom might occur if the scripts are executed to repeatedly display memory information about the ipoe and ifmgr processes.
201611220280
•
Symptom: After an IRF fabric is rebooted, the VPN instance information on the master is incorrect.
•
Condition: This symptom might occur if the following operations are performed on an IRF fabric:
a. Create tunnel interfaces.
b. Reboot the IRF fabric.
201612070648
•
Symptom: 802.1X users fail 802.1X authentication.
•
Condition: This symptom occurs if the primary RADIUS server frequently becomes unreachable and a large number of 802.1X users frequently come online and go offline.
201609120255
•
Symptom: A large number of RXLOS interruptions occur on a transceiver module, which causes a high CPU usage and then causes the device to reboot.
•
Condition: This symptom occurs if the device is connected to a port of a test device through the transceiver module.
201612090524
•
Symptom: In log messages, the VLAN ID of a user is not the authorization VLAN ID assigned to the user.
•
Condition: This symptom might occur if a user passes access authentication and is assigned to the authorization VLAN issued by the server.
201612080309
•
Symptom: The NTP server sends the switch NTP packets that have the leap flag set to 01, but the local leap indicator of the switch is 00, and the leap flag of NTP packets sent by the switch is 00.
•
Condition: This symptom might occur if the following conditions exist:
a. A PC is directly connected to the switch's management interface and is configured as an
NTP client.
b. An NTP server sends the switch NTP packets with the leap flag set to 01.
201612060351
•
Symptom: The dynamic MAC count is always displayed as 0.
•
Condition: This symptom might occur if the display openflow instance command is used to display detailed information of an OpenFlow instance.
201612050429
•
Symptom: Port isolation does not take effect. Traffic statistics exist on other aggregation group member ports.
•
Condition: This symptom might occur if the following operations are performed:
a. Configure an aggregation group and configure port isolation on its member ports.
b. Shut down all member ports by using the shutdown command or unplugging network cables.
c. Restore the member ports to the up state.
d. Send traffic to an aggregation group member port.
201611250474
•
Symptom: The device adds two layers of VLAN tags to an untagged packet.
•
Condition: This symptom might occur if the following conditions exist:
a. Switch A and Switch B are directly connected through trunk ports. The trunk ports permit a
VLAN.
b. Configure an access port on Switch A and Switch B, and assign the access ports to the
VLAN. Configure QinQ and L2PT on the access ports.
c. Send untagged L2PT protocol packets to the access ports.
201611180294
•
Symptom: A port goes down.
•
Condition: This symptom might occur if the following operations are performed:
a. Enable port security on the port and configure the limit on the number of secure MAC addresses.
b. Send packets according to the configured limit on the number of secure MAC addresses.
201611090199
•
Symptom: The debugging information has extra spaces.
•
Condition: This symptom might occur if the following operations are performed:
a. A user logs in to the device by using SSH.
b. The user enters an incorrect password three times.
c. The user fails to log in and is added to the blacklist.
d. The debugging information of the server is viewed.
201610150081
•
Symptom: Some users pass the authentication, but the MAC addresses of these users are not learned.
•
Condition: This symptom might occur if the following conditions exist:
Five devices form an IRF fabric, including four S5130-52S-EI switches and one
S5130-28S-EI switch.
Import the user configuration and enable MAC authentication on all ports.
Use an auxiliary device to bring up all the devices and perform authentication. The authentication users on each device are the same. As a result, these users are frequently moved among different devices.
Send authentication traffic for a period of time. Then, stop authentication traffic on four devices, and leave authentication traffic on only one device.
201610260405
•
Symptom: A user fails to log in to the device.
•
Condition: This symptom might occur if the following conditions exist:
a. The tcp syn-cookies enable command is executed.
b. The Telnet client is not directly connected to the device.
c. The user uses an IPv6 address to log in to the device by using SSH or Telnet.
201609230450
•
Symptom: When a large number of IPv6 ND messages are learned and aged, traffic forwarding might fail because ARP/ND entries fail to be issued.
•
Condition: This symptom might occur if a large number of IPv6 ND messages are learned and aged.
201607180428
•
Symptom: IS-IS neighborship can be established. However, routing information cannot be obtained.
•
Condition: This symptom might occur if the NX9000 device sends protocol packets with the MT IS TLV whose length is 2 bytes. HPE devices consider the length as invalid. As a result, the LSPs are considered as incorrect and dropped.
201603140259
•
Symptom: The device operates improperly because the fast forwarding entries and sessions generated after tunnel encapsulation are incorrectly associated.
•
Condition: This symptom might occur if the byte sequence is not converted for some fields in IP headers when fast forwarding entries and sessions are generated before tunnel encapsulation.
201610260040
•
Symptom: The logbuffer cannot continue to record more logs.
•
Condition: This symptom might occur if the following conditions exist:
The info-center syslog min-age command is not configured.
Adjust the system running time to be earlier than the system time.
The logbuffer is full.
201610260323
•
Symptom: The system prompts that the characters fail to be input.
•
Condition: This symptom might occur if you enter special characters when configuring a description on a client running the Windows 10 operating system.
201610260451
•
Symptom: A user cannot use the correct username and password to log in to the device through the management interface or console interface.
•
Condition: This symptom might occur if the password-control enable command is used to enable password control on the device and a large number of users use incorrect usernames and passwords to log in to the device.
TB201610140261
•
Symptom: CVE-2016-6304
•
Condition: Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
TB201610140261
•
Symptom: CVE-2016-6306
•
Condition: The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
201607280524
•
Symptom: CVE-2016-2177
•
Condition: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
201605090045
•
Symptom: The unsupported QCN and DCBX options are configurable on the LLDP TLV configuration page of the Web interface.
•
Condition: This symptom might occur if the following operations are performed:
a. Access the device through the Web interface.
b. On the Network > LLDP > LLDP-TLV page, select an interface, select 802.1TLVs QCN and DCBX, and apply the settings.
Resolved problems in R3115P05
201608170166
•
Symptom: After the IMC server issues the class attribute to the NAS, the RADIUS accounting requests that the NAS sends to the server do not carry the class attribute.
•
Condition: This symptom might occur if the IMC server issues the class attribute to the NAS after users pass RADIUS authentication.
201610090108
•
Symptom: Two users who use the same MAC address exist on the switch when certain conditions exist.
•
Condition: This symptom might occur if the following conditions exist:
a. Both MAC authentication and 802.1X authentication are performed for the users, and MAC authentication is successful.
b. MAC move is enabled on interfaces.
201609300434
•
Symptom: On an IRF fabric, OUI addresses are lost after a master/subordinate switchover.
•
Condition: This symptom might occur if the following conditions exist:
a. The number of OUI addresses reaches the upper limit on the IRF fabric.
b. A master/subordinate switchover occurs after the configuration is saved.
201609200500
•
Symptom: The following symptoms might occur when a PBR policy is configured through the Web interface:
On the PBR configuration page, select Match IPv4 ACL to enter the ACL configuration page. A user stays on the ACL configuration page after the user adds an ACL successfully.
A user is redirected to the Web interface home page after the user adds a PBR policy that only has next hop information because the system does not check for empty fields for PBR policy configuration.
•
Condition: This symptom might occur if a PBR policy is configured through the Web interface.
201609220002
•
Symptom: In the help information of the jumboframe enable command, the maximum frame length is not 12000.
•
Condition: This symptom might occur if the help information is displayed for the jumboframe enable command.
201609020107
•
Symptom: When the EAD assistant redirect URL is configured through the Web interface, the system displays the "configuration already exists" message even if the configuration does not exist or take effect.
•
Condition: This symptom might occur if the EAD assistant redirect URL is configured through the Web interface.
201607040335
•
Symptom: A user cannot join the critical VLAN of MAC authentication when certain conditions exist.
•
Condition: This symptom might occur if the following conditions exist:
a. The user fails MAC authentication and is assigned to the guest VLAN.
b. The authentication server becomes unavailable.
c. The reset mac-authentication guest-vlan command is executed.
201606270081
•
Symptom: The switch does not process EAPOL v3 packets of 802.1X authentication and displays the "Invalid protocol version ID" message.
•
Condition: This symptom might occur if the switch receives EAPOL v3 packets of 802.1X authentication.
201603140511
•
Symptom: When LLDP is disabled globally, the CPU usage of the LLDP process immediately increases to 20%-30%.
•
Condition: This symptom might occur if LLDP is disabled globally.
201610150081
•
Symptom: When certain conditions exist, an IRF fabric does not have MAC address entries for users who pass MAC authentication. As a result, the users cannot access the network.
•
Condition: This symptom might occur if the following conditions exist:
MAC authentication is enabled on all ports of the IRF fabric.
A large number of users move frequently, or ports go down and come up frequently.
Resolved problems in R3115P03
201607280521
•
Symptom: CVE-2012-0036
•
Condition: Fixed vulnerability in curl and libcurl 7.2x before 7.24.0 that allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
201606280241
•
Symptom: CVE-2016-4953
•
Condition: Fixed vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending a spoofed packet with incorrect authentication data at a certain time.
201606280241
•
Symptom: CVE-2016-4954
•
Condition: Fixed vulnerability in ntpd in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending spoofed packets from source IP addresses in a certain scenario.
201606280241
•
Symptom: CVE-2016-4956
•
Condition: Fixed vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service via a spoofed broadcast packet.
201608290241
•
Symptom: CVE-2009-3238
•
Condition: The get_random_int function in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms.
201609060439
•
Symptom: The operating status of BFD MAD for IRF is Faulty.
•
Condition: This symptom occurs if BFD MAD is enabled for both the IRF fabric and the peer device and the IRF fabric receives BFD MAD packets from the peer device.
201607010063
•
Symptom: Prompt messages occur in wrong order when the device decompresses a software image. The message that prompts users whether to delete the .ipe file appears before the message that prompts users to verify the legitimacy of the software image.
•
Condition: This symptom occurs if the software of a member device is upgraded at the CLI by using the boot-loader command.
201609070269
•
Symptom: PD detection and classification on a port are affected after PoE performs power negotiation on the port.
•
Condition: None.
201608310495
•
Symptom: The error message "Scanning is interrupted" occurs during ARP scanning.
•
Condition: This symptom occurs if ARP scanning for secondary address ranges is configured after the device software is upgraded to R3109P03 or a later software version.
201608250027
•
Symptom: The configuration of voice VLANs fails.
•
Condition: This symptom occurs if voice VLANs are configured in batch in the Web interface.
201507220217
•
Symptom: Maximum PI power negotiation fails on an interface configured with PoE.
•
Condition: This symptom occurs if the maximum PI power is automatically deployed on the interface and the device is rebooted after the configuration is saved.
Resolved problems in R3115P01
201605050154
•
First found-in version: 5130EI-CMW710-R3113P02
•
Symptom: After the COA issues an authorization ACL, the session-timeout timer and the offline function do not operate correctly for the authentication users.
•
Condition: This symptom occurs if the switch has MAC authentication or 802.1X authentication enabled.
201607190589
•
Symptom: When a port enabled with 802.1X authentication is repeatedly shut down and brought up, the 802.1X client directly connected to the port is logged off for authorization failure.
•
Condition: This symptom might occur if a port enabled with 802.1X authentication is repeatedly shut down and brought up, and an 802.1X client is directly connected to the port.
201605180172
•
Symptom: The undo speed auto downgrade and speed auto downgrade commands are executed on all ports of the device, and the running configuration is saved. After a reboot, automatic negotiation for speed downgrading is not enabled on all ports.
•
Condition: This symptom might occur if the following operations are performed:
•
Execute the undo speed auto downgrade and speed auto downgrade commands on all ports.
•
Save the running configuration and reboot the switch.
201604260394
•
Symptom: The short LACP timeout interval (3 seconds) is set on member ports of an aggregate interface. When the aggregate interface is down, traffic interruption lasts for 3 seconds instead of 6 seconds.
•
Condition: This symptom might occur if the short LACP timeout interval (3 seconds) is set on member ports of an aggregate interface.
201605090525
•
Symptom: CVE-2015-8138
•
Condition: Fixed vulnerability in ntpd with which attackers may be able to disable time synchronization by sending a crafted NTP packet to the NTP client.
201605090525
•
Symptom: CVE-2015-7979
•
Condition: Fixed vulnerability in ntpd that allows attackers to send specially crafted broadcast packets to broadcast clients, which may cause the affected NTP clients to become out of sync over a longer period of time.
201605090525
•
Symptom: CVE-2015-7974
•
Condition: Fixed vulnerability in NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.
201605090525
•
Symptom: CVE-2015-7973
•
Condition: Fixed vulnerability when NTP is configured in broadcast mode: a man-in-the-middle attacker or a malicious client could replay packets received from the broadcast server to all (other) clients, which causes the time on affected clients to become out of sync over a longer period of time.
201605170547
•
Symptom: CVE-2016-1550
•
Condition: Fixed vulnerability in an ntpd function that allows an attacker to conduct a timing attack to compute the value of the valid authentication digest, causing forged packets to be accepted by ntpd.
201605170547
•
Symptom: CVE-2016-1551
•
Condition: Fixed vulnerability in ntpd that allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.
201605170547
•
Symptom: CVE-2016-2519
•
Condition: Fixed vulnerability in which ntpd will abort if an attempt is made to read an oversized value.
201605170547
•
Symptom: CVE-2016-1547
•
Condition: Fixed vulnerability where an off-path attacker can deny service to ntpd clients by demobilizing preemptable associations using spoofed crypto-NAK packets.
201605170547
•
Symptom: CVE-2016-1548
•
Condition: Fixed vulnerability where an attacker can change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.
201605170547
•
Symptom: CVE-2015-7704
•
Condition: Fixed vulnerability in ntpd that a remote attacker could use to send a packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server.
Resolved problems in R3115
201605250614
•
Symptom: The speed auto a b or speed auto a b c command is configured for an interface. After a reboot, only the speed auto b or speed auto c setting takes effect.
•
Condition: This symptom might occur if the following operations are performed:
•
Configure the speed auto a b or speed auto a b c command on the interface.
a. Save the configuration.
b. Reboot the device and use the .cfg configuration file to restore the configuration.
201606070566
•
Symptom: CVE-2016-2105
•
Condition: Fixed vulnerability in “EVP Encode” in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h that allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
201606070566
•
Symptom: CVE-2016-2106
•
Condition: Fixed vulnerability in “EVP Encrypt” in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h that allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
201606070566
•
Symptom: CVE-2016-2107
•
Condition: Fixed vulnerability in OpenSSL before 1.0.1t and 1.02h that allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session.
201606070566
•
Symptom: CVE-2016-2108
•
Condition: Fixed vulnerability in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c that allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption).
201606070566
•
Symptom: CVE-2016-2109
•
Condition: Fixed vulnerability in “asn” before 1.0.1t and 1.0.2 before 1.0.2h that allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
201606070566
•
Symptom: CVE-2016-2176
•
Condition: Fixed vulnerability in “X509” in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from memory or cause a denial of service
Resolved problems in R3113P05
201605030246
•
Symptom: When a PC is quickly plugged and unplugged, the switch considers the PC as online.
•
Condition: This symptom occurs if the following conditions exist:
The switch has both MAC authentication and 802.1X authentication enabled.
The PC performs MAC authentication.
The interface connecting to the PC has the unicast trigger or MAC authentication delay function configured.
201606010228
•
Symptom: An interface cannot correctly forward multicast packets.
•
Condition: This symptom occurs if both 802.1X authentication and MAC authentication are enabled on the interface and a user successfully passes MAC authentication.
201605060393
•
Symptom: After a master/subordinate switchover, the VLAN configurations of interfaces are lost.
•
Condition: This symptom occurs if the IRF subordinate member switch is rebooted and a master/subordinate switchover is performed.
201605170504
•
Symptom: In a three-chassis IRF fabric, after the master member is powered off and subordinate member 1 becomes the new master member, the VLAN configurations of interfaces on subordinate member 2 are lost.
•
Condition: This symptom occurs if the following operations are performed:
a. Use three switches to build an IRF fabric in a daisy-chain topology.
b. Power on the master member.
c. Power on subordinate member 1 and then subordinate member 2.
d. Save the configuration after the IRF fabric is formed.
201601090054
•
Symptom: When TCP port X is enabled, TCP port X + 2048*N is also enabled (N is an arbitrary integer).
•
Condition: This symptom occurs if TCP port X is enabled, for example, TCP port 23 is enabled by using the telnet server enable command.
201603100197
•
Symptom: On an inactivity aging-enabled interface, sticky MAC addresses age out before the secure MAC aging timer set by using the port-security timer autolearn aging command expires.
•
Condition: This symptom might occur if the following operations are performed on an interface:
Enable port security and inactivity aging.
Use the port-security timer autolearn aging command to set the secure MAC aging timer.
Resolved problems in R3113P03
201604091715
•
Symptom: When a 10G Base-T port is connected to a specific device model, speed autonegotiation takes 20 to 30 seconds and the negotiation result can only be 1 Gbps.
•
Condition: This symptom might occur if a 10G Base-T port is connected to a specific device model.
Resolved problems in R3113P02
201604110101
•
Symptom: After a period of time, PCs cannot join the 802.1X guest VLAN.
•
Condition: This symptom occurs if the following conditions exist:
The switch has both 802.1X authentication and MAC authentication enabled.
The switch connects to multiple PCs through a hub.
The PCs fail to pass the MAC authentication.
201605180172
•
Symptom: After the switch is rebooted, the speed downgrading autonegotiation configuration is undo speed auto downgrade on an interface that is configured with the speed auto downgrade command.
•
Condition: This symptom occurs if the following operations are performed
201602010060
•
Symptom: After the configuration of an IRF fabric is restored by using .cfg files, RIP route filtering configuration is lost.
•
Condition: This symptom might occur if the following operations are performed:
a. Enable RIP on an IRF fabric.
b. Configure the filter-policy import or filter-policy export command for an interface on a subordinate switch.
c. Restore the configuration of the IRF fabric by using .cfg files.
201603010580
•
Symptom: The VLAN dropdown list is unavailable on the Network > IPv6 > ND > New Neighbor Entry page of the Web interface.
•
Condition: This symptom might occur if IPv6 neighbor entries are configured on the Network > IPv6 > ND > New Neighbor Entry page of the Web interface.
201508190171
•
Symptom: After the MAC address entry and ARP entry of a MAC authentication user age out, the switch cannot generate new MAC address entry and ARP entry for the user.
•
Condition: This symptom might occur if the following conditions exist:
MAC authentication is enabled, and MAC authentication offline detection is disabled.
The MAC address entry and ARP entry of a MAC authentication user age out.
201507300295
•
Symptom: When DHCP snooping is enabled on an IRF fabric using the ring topology, IRF member switches reboot repeatedly.
•
Condition: This symptom might occur if DHCP snooping is enabled on an IRF fabric using the ring topology.
201604140100
•
Symptom: MAC authentication users cannot come online if the server issues the Cisco-AVPair attribute to the switch.
•
Condition: This symptom might occur if the server issues the Cisco-AVPair attribute to the switch.
201603120042
•
Symptom: The switch does not respond to the security commands input by a console user.
•
Condition: This symptom might occur if the following conditions exist:
LLDP and access authentication are enabled on the switch.
The intrusion protection action is set to disable on an interface, and intrusion protection is triggered because the phone connected to the interface fails authentication.
201603230420
•
Symptom: CVE-2016-0705
•
Condition: Fixed vulnerability that occurs when OpenSSL parses malformed DSA private keys and that could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources.
201603230420
•
Symptom: CVE-2016-0798
•
Condition: Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt.
201603230420
•
Symptom: CVE-2016-0797
•
Condition: Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference).
201603230420
•
Symptom: CVE-2016-0799
•
Condition: Fixed vulnerability in which OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service which could lead to memory allocation failure or memory leaks.
201603230420
•
Symptom: CVE-2016-0702
•
Condition: Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g which makes it easier for local users to discover RSA keys by leveraging cache-bank conflicts, aka a "CacheBleed" attack.
201603230420
•
Symptom: CVE-2016-2842
•
Condition: Fixed vulnerability in the doapr_outch function in crypto/bio/b_print.c, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string.
201603170138
•
Symptom: CVE-2016-0701
•
Condition: Fixed vulnerability in the DH_check_pub_key function which makes it easier for remote attackers to discover a private DH (Diffie-Hellman) exponent by making multiple handshakes with a peer that chose an inappropriate number. This issue affects OpenSSL version 1.0.2 and is addressed in 1.0.2f. OpenSSL 1.0.1 is not affected by this CVE.
201603170138
•
Symptom: CVE-2015-3197
•
Condition: Fixed vulnerability when using SSLv2 which can be exploited in a man-in-the-middle attack, if device has disabled ciphers.
201512280388
•
Symptom: 802.1X users are reauthenticated.
•
Condition: This symptom occurs if the following conditions exist:
The keep-online feature is enabled for 802.1X users.
Online 802.1X users receive EAPOL-Start packets.
201602040568
•
Symptom: An IP phone is reauthenticated every 30 seconds when the Web authentication server is unreachable.
•
Condition: This symptom occurs if the IP phone is connected to a port enabled with 802.1X authentication and Web authentication.
201602160644
•
Symptom: The ARP packets received from a peer device are not broadcasted in a VLAN.
•
Condition: This symptom occurs if ARP snooping is enabled in the VLAN.
201510150328
•
Symptom: The undo ssl version { tls1.0 | tls1.1 } disable command configuration does not take effect.
•
Condition: This symptom occurs if the switch is operating in FIPS mode or non-FIPS mode.
201512290192
•
Symptom: CVE-2015-3194
•
Condition: Fixed vulnerability which can be exploited in a DoS attack, if device is presented with a specific ASN.1 signature using the RSA.
201512290192
•
Symptom: CVE-2015-3195
•
Condition: Fixed vulnerability with malformed OpenSSL X509_ATTRIBUTE structure used by the PKCS#7 and CMS routines which may cause memory leak.
201512290192
•
Symptom: CVE-2015-3196
•
Condition: Fixed vulnerability where a race condition can occur when specific PSK identity hints are received.
201512290192
•
Symptom: CVE-2015-1794
•
Condition: Fixed vulnerability if a client receives a ServerKeyExchange for an anonymous Diffie-Hellman (DH) ciphersuite which can cause possible Denial of Service (DoS) attack.
Resolved problems in R3112
201602040025
•
Symptom: After the lldp notification med-topology-change enable command is executed on a PoE-capable switch, the LLDP process exits unexpectedly and the IP phones connected to the PIs of the switch cannot operate correctly.
•
Condition: This symptom might occur if the command is executed on a PoE-capable switch and IP phones are connected to the PIs of the switch.
201601110412
•
Symptom: The CPU usage of an IRF fabric is high if LLDP is enabled on a large number of up interfaces.
•
Condition: This symptom might occur if LLDP is enabled for a large number of up interfaces on an IRF fabric.
201602170470
•
Symptom: The add or remove DNS server IP operation fails on the Network > DNS page of the Web interface.
•
Condition: This symptom might occur if a DNS server IP address is added or removed on the Network > DNS page of the Web interface.
201601270478
•
Symptom: The Resources > PKI page of the Web interface stays in the loading status.
•
Condition: This symptom might occur if the Resources > PKI page of the Web interface is accessed.
201603100197
•
Symptom: On an inactivity aging-enabled interface, sticky MAC addresses age out before the secure MAC aging timer set by using the port-security timer autolearn aging command expires.
•
Condition: This symptom might occur if the following operations are performed on an interface:
Enable port security and inactivity aging.
Use the port-security timer autolearn aging command to set the secure MAC aging timer.
201601280398
•
Symptom: When the Firefox browser is used to access the Web interface, the dropdown lists on some pages are unavailable.
•
Condition: This symptom might occur if the Firefox browser is used to perform one of the following operations:
Add IPv4 static routes on the Network > Static Routing page.
Create a rate limit for an interface on the QoS > Rate Limit page.
Configure IRF port bindings on the Device > IRF page.
Resolved problems in R3111P07
201512130013
•
Symptom: An interface in a VLAN mapped to an MSTI fails to be assigned to the MSTI.
•
Condition: This symptom might occur if the link type of the interface is changed between trunk and access repeatedly.
201601130674
•
Symptom: After a user exits the console login page, the user cannot log in to the switch again through the console port.
•
Condition: This symptom occurs if the restore factory-default command is executed to restore factory default configuration.
201601180281
•
Symptom: A Web page is incorrectly displayed. To display the correct page, you must refresh the page.
•
Condition: This symptom occurs if you access the Device, Network, or QoS page first through Web and then access other pages.
201512230197
•
Symptom: The PoE status is incorrectly displayed for an interface.
•
Condition: This symptom occurs if you access the PoE configuration page of a PoE switch through Web.
201511160443
•
Symptom: During 802.1X authentication that uses the EAP method, the RADIUS packets exchanged in one user authentication process might be sent to different servers.
•
Condition: This symptom occurs if RADIUS server load sharing is enabled on the switch.
201507310169
•
Symptom: The subordinate IRF member switch might reboot unexpectedly.
•
Condition: This symptom might occur if patches are repeatedly installed and removed in an IRF fabric.
Resolved problems in R3111P03
201511300121
•
Symptom: The switch acting as an NTP client cannot be synchronized to an NTP server.
•
Condition: This symptom occurs if the NTP server is a Cisco device.
201510300354
•
Symptom: A user goes offline immediately after the user comes online through 802.1X authentication.
•
Condition: This symptom occurs if the following conditions exist:
Another user comes online through MAC authentication before the 802.1X user.
The 802.1X user is assigned the same VLAN as the MAC-authenticated user.
201512090334
•
Symptom: The operation of backing up the configuration file fails.
•
Condition: This symptom occurs if the following conditions exist:
The MIB node hh3cCfgOperateServerAddress is configured to specify the file backup server.
The IP address of the file backup server is in the range of x.x.x.224 to x.x.x.255.
201511180177
•
Symptom: A port cannot exit the guest VLAN.
•
Condition: This symptom occurs if the following conditions exist:
The switch is enabled with 802.1X.
The port joins the 802.1X guest VLAN.
The MAC address of the MAC-VLAN entry has been learned by another port.
201511190408
•
Symptom: CVE-2015-7871
•
Condition: Cause ntpd to accept time from unauthenticated peers.
201511190408
•
Symptom: CVE-2015-7704
•
Condition: An ntpd client forged by a DDoS attacker located anywhere on the Internet, that can exploit NTP's to disable NTP at a victim client or it may also trigger a firewall block for packets from the target machine.
201511190408
•
Symptom: CVE-2015-7705
•
Condition: The DDoS attacker can send a device a high volume of ntpd queries that are spoofed to look like they come from the client. The servers then start rate-limiting the client.
201511190408
•
Symptom: CVE-2015-7855
•
Condition: An ntpd mode 6 or mode 7 packet containing an unusually long data value could possibly cause NTP to crash, resulting in a denial of service.
201501160412
•
Symptom: The switch cannot send trap messages if it is rebooted after SNMP is configured. The switch can send trap messages correctly if it is rebooted again.
•
Condition: This symptom might occur if the following operations have been performed:
Configure SNMP.
Save the configuration and reboot the switch.
Enter the CLI and do not execute any commands.
201511230171
•
Symptom: The CPU occupied by the aclmgrd process is not released. As a result, the CPU usage of the switch is high.
•
Condition: This symptom occurs if master/subordinate switchover occurs in an IRF fabric.
Resolved problems in R3111P02
201512200032
•
Symptom: On an IRF fabric enabled with 802.1X or MAC authentication, the CPU usage is high on the member switches that do not reboot after an active/standby MPU switchover occurs.
•
Condition: This symptom might occur if 802.1X or MAC authentication is configured on the IRF fabric, and an active/standby MPU switchover occurs.
Resolved problems in R3111P01
201512040456
•
Symptom: A subordinate switch in an IRF fabric reboots repeatedly.
•
Condition: This symptom occurs if the .mdb file is deleted and the IRF fabric is power cycled.
201505150471
•
Symptom: A subordinate switch in an IRF fabric cannot discover neighbors because it cannot forward LLDP frames.
•
Condition: This symptom occurs if the l2protocol lldp tunnel dot1q command is configured on an interface on the subordinate switch.
201511190389
•
Symptom: The CPU usage of an IRF fabric is high.
•
Condition: This symptom occurs if the following conditions exist:
A VLAN interface on the IRF fabric is configured with an IP address.
A member switch in the IRF fabric is configured as a DHCP server.
Resolved problems in R3110
201511190084
•
Symptom: The switch treats an Apply-Actions instruction in an OpenFlow flow entry as a Write-Actions instruction.
•
Condition: This symptom occurs if the controller deploys a flow entry with an Apply-Actions instruction.
201510280475
•
Symptom: A user goes offline immediately after the user comes online through 802.1X authentication.
•
Condition: This symptom occurs if the switch uses a RADIUS scheme and local accounting for 802.1X authentication.
201511180069
•
Symptom: The first 24 ports on a 52-port switch cannot communicate with the last 24 ports on the switch.
•
Condition: This symptom might occur if the switch is rebooted repeatedly.
201508170320
•
Symptom: The value of the entPhysicalVendorType node for a transceiver module cannot be obtained through a MIB tool.
•
Condition: This symptom occurs if the following operations have been performed:
Use the combo enable fiber command on a combo interface to activate its fiber combo port.
Install the transceiver module into the fiber combo port.
201511170067
•
Symptom: OpenFlow flow entries fail to be deployed.
•
Condition: This symptom occurs if the controller deploys flow entries without actions to a flow table other than the first flow table of the multiple flow tables.
Resolved problems in R3109P16
201507160220
•
Symptom: CVE-2014-8176
•
Condition: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, this may result in a segmentation fault or, potentially, memory corruption.
201507160220
•
Symptom: CVE-2015-1788
•
Condition: When processing an ECParameters structure OpenSSL enters an infinite loop. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates.
201507160220
•
Symptom: CVE-2015-1789
•
Condition: X509_cmp_time does not properly check the length of the ASN1_TIME string and/or accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs.
201507160220
•
Symptom: CVE-2015-1790
•
Condition: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
201507160220
•
Symptom: CVE-2015-1791
•
Condition: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
201507160220
•
Symptom: CVE-2015-1792
•
Condition: When verifying a signedData message the CMS code can enter an infinite loop. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.
Resolved problems in R3109P14
201504130201
•
Symptom: After successful 802.1X authentication, a port sets the tagging status to untagged for packets of a voice VLAN. As a result, IP phones receive untagged packets.
•
Condition: This symptom might occur if the following conditions exist:
802.1X authentication and voice VLAN are configured on the port.
The device-traffic-class=voice attribute is configured on the authentication server.
201509020039
•
Symptom: User authentication fails.
•
Condition: This symptom occurs if the switch uses an ACS 5.6 server to perform AAA authentication.
201509160335
•
Symptom: User authentication fails.
•
Conditions: This symptom occurs if the PEAP authentication method is used to perform 802.1X authentication.
201509100463
•
Symptom: The OpenFlow process restarts when the switch is receiving flow entries from the controller.
•
Condition: This symptom might occur if the switch is receiving flow entries from the controller.
201509110280
•
Symptom: The switch performs 802.1X reauthentication when it receives an EAPOL-Start message from a Windows client. After several reauthentication failures, the Windows client is put in silent state, and its NIC becomes unavailable.
•
Condition: This symptom might occur if the following conditions exist:
802.1X authentication and voice VLAN are configured on the switch.
The authentication server is unreachable, and the Windows client is in the 802.1X critical VLAN.
201509260060
•
Symptom: The Web interface is slow in refreshing webpages or does not respond when PoE is configured for an IRF fabric.
•
Condition: This symptom might occur if the Web interface is used to configure PoE for an IRF fabric.
201510130396
•
Symptom: Some services might operate incorrectly or the switch might reboot unexpectedly.
•
Condition: This symptom occurs when a MIB management tool is used to obtain the power supply information of the switch.
Resolved problems in R3109P09
201509010289
•
Symptom: The switch logs out a MAC-authenticated user that sends packets to the switch before the offline detect timer expires.
•
Condition: This symptom might occur if MAC authentication is configured.
201508080233
•
Symptom: The switch cannot start up.
•
Condition: This symptom occurs if the switch's flash memory is corrupted.
201508310155
•
Symptom: An interface advertises an Auto-negotiation TLV with an incorrect value and fails to negotiate with the peer interface.
•
Condition: This symptom occurs when LLDP is enabled globally and on the interface.
201508120317
•
Symptom: The poe max power configuration is automatically generated for an interface after the connected IP phone sends an LLDP frame to request power.
•
Condition: This symptom might occur if the connected IP phone sends an LLDP frame to request power from the interface.
201509010156
Symptom: The following switch models support the power design daughter card:
•
HP 5130-24G-PoE+-4SFP+ (370W) EI Switch JG936A.
•
HP 5130-48G-PoE+-4SFP+ (370W) EI Switch JG937A.
•
HP 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch JG977A.
•
HP 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch JG978A.
Condition: None.
201506180249
•
Symptom: CVE-2015-3143
•
Condition: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request.
201506180249
•
Symptom: CVE-2015-3148
•
Condition: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
Resolved problems in R3109P07
201506100324
•
Symptom: Software upgrade fails for an IRF fabric from the Web interface.
•
Conditions: This symptom might occur when you upgrade software for the IRF fabric from the Web interface.
201503050138
•
Symptom: The flash memory of an IRF subordinate device is not available after the device reboots to rejoin the IRF fabric.
•
Conditions: This symptom might occur if you have saved running configuration only for this subordinate device in the IRF fabric before you reboot the device.
201504090194
•
Symptoms: CVE-2015-0209
•
Condition: A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use-after-free condition. This could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources.
201504090194
•
Symptoms: CVE-2015-0286
•
Condition: DoS vulnerability in certificate verification operation. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.
201504090194
•
Symptoms: CVE-2015-0287
•
Condition: Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected.
201504090194
•
Symptoms: CVE-2015-0288
•
Condition: The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid.
201504090194
•
Symptoms: CVE-2015-0289
•
Condition: The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
201505150249
•
Symptom: TCP processing errors occur during an NQA operation. The operation fails, and services are interrupted on the switch.
•
Condition: This symptom might occur if an NQA operation is performed on the switch.
201505150245
•
Symptom: The switch cannot correctly send ARP packets to the controller.
•
Condition: This symptom might occur if a .mdb binary configuration file is used to restore OpenFlow configuration.
201504200256
•
Symptom: The switch cannot provide DHCP services correctly as a DHCP server.
•
Condition: This symptom might occur if the following conditions exist:
A DHCP client has obtained an IP address from the DHCP server, and its address lease expires.
The client is configured as a BOOTP client.
201505240024
•
Symptom: Some PoE registers restore the default values after the PoE firmware is updated online.
•
Condition: This symptom might occur if a PoE firmware online update is performed.
201506170069
•
Symptom: An 802.1X client is forced to log off soon after it logs in.
•
Condition: This symptom occurs if the 802.1X authentication server assigns security policies such as ACL and user profile to the client after the client passes the 802.1X authentication.
Resolved problems in R3109P05
201505150457
•
Symptom: A PoE switch cannot supply power over PoE to IP phones of some vendors.
•
Condition: This symptom occurs when you connect the IP phones to the switch and supply power over PoE.
201506130010
•
Symptom: A port is brought up and can forward packets when the MDIX mode negotiation fails.
•
Condition: This symptom occurs if the following operations have been performed:
Use a straight-through cable to connect the port and its peer port.
Configure the same MDI (or MDIX) mode at both ends of the cable.
201504020079
•
Symptom: The Web interface is stuck at the Please wait… window when you upgrade system software in the Web interface.
•
Condition: This symptom occurs after you select the upgrade file and click Apply in the Web interface.
201502110444
•
Symptom: The switch reconnects to the SDN controller immediately after an unexpected disconnection from the controller.
•
Condition: This symptom might occur if an active/standby MPU switchover occurs when the controller is issuing a large number of flow table entries to the switch.
201506100226
•
Symptom: The port connected to an IP phone is removed from the voice VLAN after both the LLDP aging timer and the voice VLAN aging timer expire.
•
Condition: This symptom might occur if the switch establishes a neighbor relationship with the IP phone and advertises voice VLAN information to the IP phone through LLDP.
201504210120
•
Symptom: The PSE status setting of an IRF fabric is missing after a subordinate switch is rebooted.
•
Condition: This symptom might occur if the following conditions exist:
The IRF fabric contains multiple members.
The poe enable pse command is configured on the IRF fabric.
The subordinate switch is a PoE switch.
201505110287
•
Symptom: A user passes MAC authentication, but the authentication server fails to assign the authorization VLAN to the user.
•
Condition: This symptom occurs if the VLAN attribute issued by the authentication server in the Access-Accept packet ends with \0x00.
201504150187
•
Symptom: CVE-2015-1799
•
Condition: Authentication doesn’t protect symmetric associations against DoS attacks.
201505270138
•
Symptom: The switch cannot use IP subnet-based VLANs to match and forward untagged packets.
•
Condition: This symptom might occur if IP subnet-based VLANs are configured on the switch.
201412120103
•
Symptom: After a reboot, the IDs of some members in an IRF fabric are changed to the default number 1. The affected members cannot rejoin the IRF fabric.
•
Condition: This symptom might occur if operations are frequently performed on the NOR flash memory, for example, if the configuration file is saved frequently.
201505110140
•
Symptom: The switch reboots unexpectedly or cannot provide services correctly when a MAC address move occurs.
•
Condition: This symptom might occur if one of the following conditions exists on the switch:
100 or more ARP entries in a VLAN have the same MAC address, and the MAC address moves between ports.
The MAC address of an ARP entry moves between ports five times per second or more frequently.
Resolved problems in R3109P04
201505240023
•
Symptom: A PoE switch fails to supply power over PoE to all PDs after the switch is power cycled.
•
Condition: This symptom might occur after the switch is power cycled.
201510130155
•
Symptom: The switch fails to obtain an IP address across VLANs.
•
Condition: This symptom might occur if the following conditions exist:
A Layer 3 firewall is not deployed between the switch and the DHCP server.
DHCP relay is enabled on the Layer 3 firewall, and DHCP snooping is enabled on the switch.
Resolved problems in R3109P03
201503310150
•
Symptom: A PC cannot obtain an IP address from the DHCP server.
•
Condition: This symptom occurs if the following conditions exist:
DHCP snooping is enabled by using the dhcp snooping enable command on the switch.
The private VLAN feature is configured on the switch.
An interface in a primary VLAN is connected to the DHCP server.
An interface in an associated secondary VLAN is connected to the PC.
201504080340
•
Symptom: A RADIUS server fails to identify Access-Request packets from the switch, and users fail the authentication.
•
Condition: This symptom occurs if Access-Request packets include invalid attribute values, for example, attribute values that end with \0.
Resolved problems in R3109P01
201501290379
•
Symptom: 802.1X users fail to log in.
•
Condition: This symptom occurs if the authorization VLANs assigned by the authentication server use a format incompatible with the switch.
201412180459
•
Symptom: Traffic is not forwarded based on an OpenFlow group entry as expected.
•
Condition: This symptom occurs if the following operations have been performed:
Configure a group entry.
Deploy a flow entry and configure the flow entry to use the group entry for forwarding.
Modify the output port of the group entry.
201412150089
•
Symptom: Portal users log out unexpectedly.
•
Condition: This symptom occurs if the following conditions exist:
DHCP and portal roaming are enabled.
The portal users roam between APs by using mobile devices.
201503020204
•
Symptom: A PoE switch cannot supply power correctly.
•
Condition: This symptom occurs if the PoE module receives incorrect instructions.
201412190083
•
Symptom: The voice-vlan qos command does not take effect on an interface.
•
Condition: This symptom occurs if CDP-compatible LLDP is configured to advertise voice VLAN information on the interface.
201501210272
•
Symptom: CVE-2014-3569
•
Condition: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling.
201501210272
•
Symptom: CVE-2014-3571
•
Condition: A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack.
201501210272
•
Symptom: CVE-2015-0206
•
Condition: A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.
201501210272
•
Symptom: CVE-2015-0205
•
Condition: An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys.
201501210272
•
Symptom: CVE-2014-3570
•
Condition: Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way.
201501210272
•
Symptom: CVE-2015-0204
•
Condition: An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.
201501210272
•
Symptom: CVE-2014-3572
•
Condition: An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite.
201501210272
•
Symptom: CVE-2014-8275
•
Condition: By modifying the contents of the signature algorithm or the encoding of the signature, it is possible to change the certificate's fingerprint. Only custom applications that rely on the uniqueness of the fingerprint may be affected.
Resolved problems in R3108P03
201412150184
•
Symptom: The MAC address entry for a user successfully passing MAC authentication is aged before the offline detect timer expires.
•
Condition: This symptom occurs when MAC authentication is enabled and the mac-authentication timer offline-detect command is used to set the offline detect timer for MAC authentication.
201501140409
•
Symptom: A user passing MAC authentication must wait 60 seconds before triggering new MAC authentication.
•
Condition: This symptom occurs when the following conditions exist:
MAC authentication is enabled on an interface.
A user that accesses the interface passes MAC authentication.
The shutdown and then undo shutdown commands are executed on the interface.
201412150398
•
Symptom: After the shutdown command is executed on an interface through which a user fails the 802.1X authentication, the interface is still in the 802.1X Auth-Fail VLAN configured for the interface.
•
Condition: This symptom occurs when the following conditions exist:
The dot1x quiet-period command is used in system view to enable the quiet timer.
802.1X is enabled on the interface.
An 802.1X Auth-Fail VLAN is configured on the interface.
201412040514
•
Symptom: The switch first replies with a barrier reply and then prompts an error.
•
Condition: This symptom occurs when OpenFlow continues to deploy flow entries and sends barrier request messages after the deployed flow entries reach the specifications.
201412310374
•
Symptom: CVE-2014-9295.
•
Condition: Stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet.
201410230226
•
Symptom: SSL 3.0 Fallback protection.
•
Condition: OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).
201410230226
•
Symptom: CVE-2014-3567
•
Condition: When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial of Service attack.
201501150467
•
Symptom: PoE cannot supply power correctly.
•
Condition: This symptom can be seen when the PoE chip becomes abnormal because of PoE communication errors.
201501070257
•
Symptom: The switch cannot communicate with a Cisco IP phone.
•
Condition: This symptom can be seen when the following conditions exist:
The switch is directly connected to the Cisco IP phone.
CDP-compatible LLDP is enabled on the switch.
The sent LLDP protocol packets and CDP protocol packets carry voice VLAN TLVs.
201407310086
•
Symptom: The function of configuring the voice VLAN information that LLDP/CDP advertises does not take effect.
•
Condition: This symptom can be seen when the lldp tlv-enable med-tlv network-policy vlan-id command is configured on an interface to specify the voice VLAN information that LLDP/CDP will advertise to IP phones.
Resolved problems in R3108P01
201410140175
•
Symptom: The system displays configuration errors though the configuration has been issued to an interface.
•
Condition: This symptom can be seen when you log in to the switch through the Web interface and shut down an IRF physical interface.
201410210187
•
Symptom: When a user performs MAC authentication, the system does not transmit information about the MAC authentication-enabled interface to the authentication server. As a result, the user fails to pass the authentication.
•
Condition: This symptom can be seen after you log in to the switch through the Web interface and enable MAC authentication on the interface.
201410200402
•
Symptom: The number of 802.1X online users collected in the Web interface is different from the actual number of 802.1X online users.
•
Condition: This symptom can be seen when 2000 users pass 802.1X authentication and come online.
201408290076
•
Symptom: PoE cannot be successfully enabled on a port.
•
Condition: This symptom can be seen when you log in to the switch through the Web interface and enable PoE on the port.
201410200322
•
Symptom: The maximum power of a PSE cannot be restored to the original value.
•
Condition: This symptom can be seen when the following procedure is performed:
Log in to the switch through the Web interface.
Input an incorrect value for the maximum PSE power.
Click Cancel.
201410100091
•
Symptom: A black screen appears on the Web login page for the switch.
•
Condition: This symptom can be seen when you log in to the switch through the Web interface and test the cable connections for Ethernet interfaces of the switch multiple times.
201312030126
•
Symptom: Addressed SSRT101324. A security bulletin for SSRT101324 should be published in January 2014. Please see the security bulletin for additional details.
•
Condition: Addressed SSRT101324. A security bulletin for SSRT101324 should be published in January 2014. Please see the security bulletin for additional details.
201410210004
•
Symptom: The device tears down a TCP connection in established state when it receives a wrong TCP packet.
•
Condition: This symptom applies only to TCP connections in established state. When such a connection receives a TCP SYN packet that carries a sequence number falling within the connection's receive window, an RST packet is sent and the connection is dropped immediately.
201406190088
•
Symptom: CVE-2014-0224.
•
Condition: This symptom can be seen when OpenSSL Server is used.
201408220480
•
Symptom: CVE-2014-3508
•
Condition: A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker.
201406270104
•
Symptom: The MAC address entries of an STP edge port are deleted if the network topology changes.
•
Condition: This symptom might occur if a port is configured as an STP edge port, and network topology changes occur.
Resolved problems in R3106P01
None
Resolved problems in R3106
First release
Support and other resources
Accessing Hewlett Packard Enterprise Support
•
For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
•
To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
Information to collect:
•
Technical support registration number (if applicable).
•
Product name, model or version, and serial number.
•
Operating system name and version.
•
Firmware version.
•
Error messages.
•
Product-specific reports and logs.
•
Add-on products or components.
•
Third-party products or components.
Documents
To find related documents, see the Hewlett Packard Enterprise Support Center website at http://www.hpe.com/support/hpesc.
•
Enter your product name or number and click Go. If necessary, select your product from the resulting list.
•
For a complete list of acronyms and their definitions, see HPE FlexNetwork technology acronyms.
Related documents
The following documents provide related information:
•
HPE 5130 EI Switch Series Installation Guide
•
HPE PSR150-A & PSR150-D Power Supplies User Guide
•
HPE 5130 EI Switch Series Configuration Guides-Release 311x
•
HPE 5130 EI Switch Series Command References-Release 311x
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Appendix A Feature list
Hardware features
Table 4 5130 EI series hardware features for non-PoE switch models

| Item | HPE 5130-24G-4SFP+ EI | HPE 5130-48G-4SFP+ EI | HPE 5130-24G-SFP-4SFP+ EI |
|---|---|---|---|
| Dimensions (H × W × D) | 43.6 × 440 × 160 mm (1.72 × 17.32 × 6.30 in) | 43.6 × 440 × 260 mm (1.72 × 17.32 × 10.24 in) | 43.6 × 440 × 360 mm (1.72 × 17.32 × 14.17 in) |
| Weight | ≤ 5 kg (11.02 lb) | ≤ 5 kg (11.02 lb) | ≤ 8 kg (17.64 lb) |
| Console ports | 1 | 1 | 1 |
| 10/100/1000Base-T Ethernet ports | 24 | 48 | 8 (Each and its corresponding SFP port form a combo interface.) |
| 100/1000Base-X SFP ports | N/A | N/A | 24 (The rightmost eight SFP ports and their corresponding 10/100/1000Base-T Ethernet ports form combo interfaces.) |
| SFP+ ports | 4 | 4 | 4 |
| Power supply slots | N/A | N/A | 2, on the rear panel |
| Input voltage | Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: –48 V DC power source in the equipment room or RPS (recommended HP RPS models: A-RPS800 or A-RPS1600); Rated voltage: –48 VDC to –60 VDC; Max voltage: –36 VDC to –72 VDC | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: –48 V DC power source in the equipment room or RPS (recommended HP RPS models: A-RPS800 or A-RPS1600); Rated voltage: –48 VDC to –60 VDC; Max voltage: –36 VDC to –72 VDC |
| Minimum power consumption | 19 W | AC: 38 W; DC: 38 W | AC: 30 W; DC: 38 W |
| Maximum power consumption | 26 W | AC: 45 W; DC: 50 W | AC: 60 W; DC: 68 W |
| Chassis leakage current compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
| Melting current of power supply fuse | AC-input: 2 A/250 V | AC-input: 10 A/250 V; DC-input: 5 A/250 V | AC-input: 5 A/250 V; DC-input: 8 A/250 V |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Operating humidity | 5% to 95%, noncondensing | 5% to 95%, noncondensing | 5% to 95%, noncondensing |
| Fire resistance compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
Table 5 5130 EI series hardware features for PoE switch models

| Item | HPE 5130-24G-PoE+-4SFP+ (370W) EI Switch | HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch |
|---|---|---|
| Dimensions (H × W × D) | 43.6 × 440 × 300 mm (1.72 × 17.32 × 11.81 in) | 43.6 × 440 × 360 mm (1.72 × 17.32 × 14.17 in) |
| Weight | ≤ 8 kg (17.64 lb) | ≤ 8 kg (17.64 lb) |
| Console ports | 1 | 1 |
| 10/100/1000Base-T Ethernet ports | 24 | 48 |
| SFP+ ports | 4 | 4 |
| Input voltage | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: HP A-RPS1600; Rated voltage: –54 VDC to –57 VDC; Max voltage: –44 VDC to –60 VDC for single DC input and –54 VDC to –57 VDC for AC+DC dual inputs | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: HP A-RPS1600; Rated voltage: –54 VDC to –57 VDC; Max voltage: –44 VDC to –60 VDC for single DC input and –54 VDC to –57 VDC for AC+DC dual inputs |
| Maximum PoE per port | 30 W | 30 W |
| Total PoE | AC: 370 W; DC: 740 W | AC: 370 W; DC: 800 W |
| Minimum power consumption | AC: 30 W; DC: 25 W | AC: 47 W; DC: 43 W |
| Maximum power consumption (including PoE consumption) | AC: 460 W (including 370 W PoE consumption); DC: 790 W (including 740 W PoE consumption) | AC: 490 W (including 370 W PoE consumption); DC: 890 W (including 800 W PoE consumption) |
| Chassis leakage current compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
| Melting current of power supply fuse | AC-input: 10 A/250 V; DC-input: 25 A/250 V | AC-input: 10 A/250 V; DC-input: 25 A/250 V |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Operating humidity | 5% to 95%, noncondensing | 5% to 95%, noncondensing |
| Fire resistance compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
Table 6 5130 EI series hardware features for more switch models
Item
Dimensions
(H × W × D)
Weight
HPE
5130-24G-2SFP+-
2XGT EI Switch
HPE
5130-48G-2SFP+
-2XGT EI Switch
43.6 × 440 × 160 mm
(1.72 × 17.32 ×6.3 in)
≤ 3 kg (6.61 lb)
43.6 × 440 × 270 mm (1.72 × 17.32 ×
9.55in)
≤ 5 kg (11.02 lb)
HPE
5130-24G-PoE+-
2SFP+-2XGT
(370W) Switch
43.6 × 440 × 360 mm (1.72 × 17.32 ×
14.17 in)
≤ 6 kg (13.23 lb)
HPE
5130-48G-PoE+-
2SFP+-2XGT
(370W) Switch
43.6 × 440 × 420 mm (1.72 × 17.32 ×
16.53 in)
≤ 7 kg (15.43 lb)
Console ports
10/100/1000
Base-T
Ethernet ports
1
24
1
24
1
48
1
48
SFP+ ports
Input voltage
2
•
Rated voltage:
100 VAC to 240
VAC @ 50 or 60
Hz
•
Max voltage: 90
VAC to 264 VAC
@ 47 to 63 Hz
2 2 2
•
AC power source
Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz
Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz
•
DC power source
Rated voltage:
S5130-28TP-EI: N/A
S5130-52TP-EI: 36 VDC to –72 VDC
S5130-28TP-PWR-EI: 54 VDC to –57 VDC
S5130-52TP-PWR-EI: 54 VDC to –57 VDC
Maximum
PoE per port
Total PoE
N/A
N/A
N/A
N/A
30 W
•
AC: 370 W
•
DC: 720 W
30 W
•
AC: 370 W
•
DC: 800 W
Minimum power consumption
20 W
•
AC: 36
W
•
DC: 36
W
•
AC: 31 W
•
DC: 20 W
•
AC: 43 W
•
DC: 30 W
Maximum power consumption
34 W
•
AC: 54
W
•
DC: 54
W
•
AC: 425 W
(including 370 W
PoE consumption)
•
DC: 750 W
(including 720 W
PoE consumption)
•
AC: 470 W
(including 370 W
PoE consumption)
•
DC: 910 W
(including 800 W
PoE consumption)
Item
Chassis leakage current compliance
HPE
5130-24G-2SFP+-
2XGT EI Switch
•
UL60950-1
•
EN60950-1
•
IEC60950-1
•
GB4943.1
Melting current of power module fuse
AC-input: 2
A/250 V
HPE
5130-48G-2SFP+
-2XGT EI Switch
•
AC-input: 3.15
A/250 V
HPE
5130-24G-PoE+-
2SFP+-2XGT
(370W) Switch
HPE
5130-48G-PoE+-
2SFP+-2XGT
(370W) Switch
•
AC-input: 10 A/250
V
•
DC-input: 25 A/250
V
•
AC-input: 10
A/250 V
•
DC-input: 25
A/250 V
Operating temperature
Operating humidity
0°C to 45°C (32°F to 113°F)
Fire resistance compliance
5% to 95%, noncondensing
•
UL60950-1
•
EN60950-1
•
IEC60950-1
•
GB4943.1
Table 7 5130 EI series hardware features for Brazil non-PoE switch models

| Item | HPE 5130-24G-4SFP+ EI Brazil Switch | HPE 5130-48G-4SFP+ EI Brazil Switch |
|---|---|---|
| Dimensions (H × W × D) | 43.6 × 440 × 160 mm (1.72 × 17.32 × 6.30 in) | 43.6 × 440 × 260 mm (1.72 × 17.32 × 10.24 in) |
| Weight | ≤ 5 kg (11.02 lb) | ≤ 5 kg (11.02 lb) |
| Console ports | 1 | 1 |
| 10/100/1000Base-T Ethernet ports | 24 | 48 |
| 100/1000Base-X SFP ports | N/A | N/A |
| SFP+ ports | 4 | 4 |
| Power supply slots | N/A | N/A |
| Input voltage | Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: –48 V DC power source in the equipment room or RPS (recommended HP RPS models: A-RPS800 or A-RPS1600); Rated voltage: –48 VDC to –60 VDC; Max voltage: –36 VDC to –72 VDC |
| Minimum power consumption | 19 W | AC: 38 W; DC: 38 W |
| Maximum power consumption | 26 W | AC: 45 W; DC: 50 W |
| Chassis leakage current compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
| Melting current of power supply fuse | AC-input: 2 A/250 V | AC-input: 10 A/250 V; DC-input: 5 A/250 V |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Operating humidity | 5% to 95%, noncondensing | 5% to 95%, noncondensing |
| Fire resistance compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
Table 8 5130 EI series hardware features for Brazil PoE switch models

| Item | HPE 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch | HPE 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch |
|---|---|---|
| Dimensions (H × W × D) | 43.6 × 440 × 300 mm (1.72 × 17.32 × 11.81 in) | 43.6 × 440 × 360 mm (1.72 × 17.32 × 14.17 in) |
| Weight | ≤ 8 kg (17.64 lb) | ≤ 8 kg (17.64 lb) |
| Console ports | 1 | 1 |
| 10/100/1000Base-T Ethernet ports | 24 | 48 |
| SFP+ ports | 4 | 4 |
| Input voltage | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: HP A-RPS1600; Rated voltage: –54 VDC to –57 VDC; Max voltage: –44 VDC to –60 VDC for single DC input and –54 VDC to –57 VDC for AC+DC dual inputs | AC power source: Rated voltage: 100 VAC to 240 VAC @ 50 or 60 Hz; Max voltage: 90 VAC to 264 VAC @ 47 to 63 Hz. DC power source: HP A-RPS1600; Rated voltage: –54 VDC to –57 VDC; Max voltage: –44 VDC to –60 VDC for single DC input and –54 VDC to –57 VDC for AC+DC dual inputs |
| Maximum PoE per port | 30 W | 30 W |
| Total PoE | AC: 370 W; DC: 740 W | AC: 370 W; DC: 800 W |
| Minimum power consumption | AC: 30 W; DC: 25 W | AC: 47 W; DC: 43 W |
| Maximum power consumption (including PoE consumption) | AC: 460 W (including 370 W PoE consumption); DC: 790 W (including 740 W PoE consumption) | AC: 490 W (including 370 W PoE consumption); DC: 890 W (including 800 W PoE consumption) |
| Chassis leakage current compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |
| Melting current of power supply fuse | AC-input: 10 A/250 V; DC-input: 25 A/250 V | AC-input: 10 A/250 V; DC-input: 25 A/250 V |
| Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) |
| Operating humidity | 5% to 95%, noncondensing | 5% to 95%, noncondensing |
| Fire resistance compliance | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 | UL60950-1; EN60950-1; IEC60950-1; GB4943.1 |

Software features
Table 9 Software features of the 5130 EI series
Model-specific features:
Models | Full duplex wire speed L2 switching capacity | Whole system wire speed L2 switching packet forwarding rate
HPE 5130-24G-4SFP+ EI Switch / HPE 5130-24G-2SFP+-2XGT EI Switch / HPE 5130-24G-4SFP+ EI Brazil Switch | 128 Gbps | 95.232 Mpps
HPE 5130-48G-4SFP+ EI Switch / HPE 5130-48G-2SFP+-2XGT EI Switch / HPE 5130-48G-4SFP+ EI Brazil Switch | 176 Gbps | 130.952 Mpps
HPE 5130-24G-PoE+-4SFP+ (370W) EI Switch / HPE 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch / HPE 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch | 128 Gbps | 95.232 Mpps
HPE 5130-24G-SFP-4SFP+ EI Switch | 128 Gbps | 95.232 Mpps
HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch / HPE 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch / HPE 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch | 176 Gbps | 130.952 Mpps
Features common to all models:
Forwarding mode
• Store-forward
IRF
• Ring topology
• Daisy chain topology
• LACP MAD
• ARP MAD
• ND MAD
• BFD MAD
• IRF comprised of different models
Link aggregation
• Aggregation of 10-GE ports
• Aggregation of GE ports
• Static link aggregation
• Dynamic link aggregation
• Inter-device aggregation
• A maximum of 14 aggregation groups on a device
• A maximum of 128 inter-device aggregation groups
• A maximum of 8 ports for each aggregation group
Flow control
• IEEE 802.3x flow control
• Back pressure
Jumbo Frame
• Supports maximum frame size of 9000
MAC address table
• 16K MAC addresses
• 1K static MAC addresses
• Blackhole MAC addresses
• MAC address learning limit on a port
VLAN
• Port-based VLANs (4094 VLANs)
• QinQ and selective QinQ
VLAN mapping
• One-to-one VLAN mapping
• Many-to-one VLAN mapping
• Two-to-two VLAN mapping
ARP
• 1K entries
• 512 static entries
• Gratuitous ARP
• Common proxy ARP and local proxy ARP
• ARP source suppression
• ARP black hole
• ARP detection (based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings)
• Multiport ARP
ND
• 512 entries
• 256 static entries
VLAN virtual interface
• 32
DHCP
• DHCP client
• DHCP snooping
• DHCP relay agent
• DHCP server
• DHCPv6 server
• DHCPv6 relay agent
• DHCPv6 snooping
UDP helper
• UDP helper
DNS
• Static DNS
• Dynamic DNS
• IPv4 and IPv6 DNS
IPv4 unicast route
• 512 static routes
• RIP
• Routing policies
• Policy-based routing
IPv6 unicast route
• 256 static routes
• RIPng
• Routing policies
• Policy-based routing
BFD
• Static route
• MAD
Multicast
• IGMP snooping
• MLD snooping
• IPv4 and IPv6 multicast VLAN
• IPv4 and IPv6 PIM snooping
Broadcast/multicast/unicast storm control
• Storm control based on port rate percentage
• PPS-based storm control
• Bps-based storm control
MSTP
• STP/RSTP/MSTP protocol
• STP Root Guard
• BPDU Guard
• 128 PVST instances
QoS/ACL
• Remarking of 802.1p and DSCP priorities
• Packet filtering at L2 (Layer 2) through L4 (Layer 4)
• Eight output queues for each port
• SP/WRR/SP+WRR queue scheduling algorithms
• Port-based rate limiting
• Flow-based redirection
• Time range
Mirroring
• Stream mirroring
• Port mirroring
• Multiple mirror observing port
Remote mirroring
• Port remote mirroring (RSPAN)
Security
• Hierarchical management and password protection of users
• AAA authentication
• RADIUS authentication
• HWTACACS
• SSH 2.0
• Port isolation
• 802.1X
• Port security
• MAC-address-based authentication
• IP Source Guard
• HTTPS
• PKI
• EAD
802.1X
• Up to 2,048 users
• Port-based and MAC address-based authentication
• Trunk port authentication
• Dynamic 802.1X-based QoS/ACL/VLAN assignment
Loading and upgrading
• Loading and upgrading through XModem protocol
• Loading and upgrading through FTP
• Loading and upgrading through the trivial file transfer protocol (TFTP)
Management
• Configuration at the command line interface
• Remote configuration through Telnet
• Configuration through Console port
• Simple network management protocol (SNMP)
• IMC NMS
• System log
• Hierarchical alarms
• NTP
• Power supply alarm function
• Fan and temperature alarms
Maintenance
• Debugging information output
• Ping and Tracert
• NQA
• Track
• Remote maintenance through Telnet
• 802.1ag
• 802.3ah
• DLDP
Appendix B Upgrading software
This chapter describes types of software used on the switch and how to upgrade software while the switch is operating normally or when the switch cannot correctly start up.
System software file types
Software required for starting up the switch includes:
• Boot ROM image—A .bin file that comprises a basic section and an extended section. The basic section is the minimum code that bootstraps the system. The extended section enables hardware initialization and provides system management menus. You can use these menus to load software and the startup configuration file or manage files when the switch cannot correctly start up.
• Software images—Includes boot images and system images.
  Boot image—A .bin file that contains the operating system kernel. It provides process management, memory management, file system management, and the emergency shell.
  System image—A .bin file that contains the minimum modules required for device operation and some basic features, including device management, interface management, configuration management, and routing management.
The software images that have been loaded are called “current software images.” The software images specified to load at next startup are called “startup software images.”
These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system automatically decompresses the file, loads the .bin boot and system images in the file and sets them as startup software images. Typically, the Boot ROM and software images for this switch series are released in an .ipe file named main.ipe.
System startup process
Upon power-on, the Boot ROM image runs to initialize hardware and then the software images run to start up the entire system, as shown in Figure 1.
Figure 1 System startup process
[Flowchart: Start > Boot ROM runs > Press Ctrl+B promptly? If No: Startup software images run > System starts up and CLI appears > Finish. If Yes: Enter Boot menu to upgrade Boot ROM or startup software images.]
Upgrade methods
You can upgrade system software by using one of the following methods:
Upgrading method | Software types | Remarks
Upgrading from the CLI | Boot ROM image; Software images | You must reboot the switch to complete the upgrade. This method can interrupt ongoing network services.
Upgrading from the Boot menu | Boot ROM image; Software images | Use this method when the switch cannot correctly start up.
CAUTION:
Upgrade an IRF fabric from the CLI instead of the Boot menu.
The Boot menu method increases the service downtime, because it requires that you upgrade the member switches one by one.
The output in this document is for illustration only and might vary with software releases. This document uses boot.bin and system.bin to represent boot and system image names. The actual software image name format is chassis-model_Comware-version_image-type_release, for example, 5130EI-CMW710-BOOT-R3115P01.bin and 5130EI-CMW710-SYSTEM-R3115P01.bin.
Upgrading from the CLI
This section uses a two-member IRF fabric as an example to describe how to upgrade software from the CLI. If you have more than two subordinate switches, repeat the steps for the subordinate switch to upgrade their software. If you are upgrading a standalone switch, ignore the steps for upgrading the subordinate switch. For more information about setting up and configuring an IRF fabric, see the installation guide and IRF configuration guide for the HPE 5130 EI switch series.
Preparing for the upgrade
Before you upgrade software, complete the following tasks:
1. Log in to the IRF fabric through Telnet or the console port. (Details not shown.)
2. Identify the number of IRF members, each member switch's role, and IRF member ID.
<Sysname> display irf
MemberID Role Priority CPU-Mac Description
*+1 Master 5 0023-8927-afdc ---
2 Standby 1 0023-8927-af43 ---
--------------------------------------------------
* indicates the device is the master.
+ indicates the device through which the user logs in.
The Bridge MAC of the IRF is: 0023-8927-afdb
Auto upgrade : no
Mac persistent : 6 min
Domain ID : 0
3. Verify that each IRF member switch has sufficient storage space for the upgrade images.
IMPORTANT:
Each IRF member switch must have free storage space that is at least two times the size of the upgrade image file.
# Identify the free flash space of the master switch.
<Sysname> dir
Directory of flash:
0 -rw- 41424 Aug 23 2013 02:23:44 startup.mdb
1 -rw- 3792 Aug 23 2013 02:23:44 startup.cfg
2 -rw- 53555200 Aug 23 2013 09:53:48 system.bin
3 drw- - Aug 23 2013 00:00:07 seclog
4 drw- - Aug 23 2013 00:00:07 diagfile
5 drw- - Aug 23 2013 00:00:07 logfile
6 -rw- 9959424 Aug 23 2013 09:53:48 boot.bin
7 -rw- 9012224 Aug 23 2013 09:53:48 backup.bin
524288 KB total (453416 KB free)
# Identify the free flash space of each subordinate switch, for example, switch 2.
<Sysname> dir slot2#flash:/
Directory of slot2#flash:/
0 -rw- 41424 Jan 01 2011 02:23:44 startup.mdb
1 -rw- 3792 Jan 01 2011 02:23:44 startup.cfg
2 -rw- 93871104 Aug 23 2013 16:00:08 system.bin
3 drw- - Jan 01 2011 00:00:07 seclog
4 drw- - Jan 01 2011 00:00:07 diagfile
5 drw- - Jan 02 2011 00:00:07 logfile
6 -rw- 13611008 Aug 23 2013 15:59:00 boot.bin
7 -rw- 9012224 Nov 25 2011 09:53:48 backup.bin
524288 KB total (453416 KB free)
4. Compare the free flash space of each member switch with the size of the software file to load. If the space is sufficient, start the upgrade process. If not, go to the next step.
5. Delete unused files in the flash memory to free space:
CAUTION:
• To avoid data loss, do not delete the current configuration file. For information about the current configuration file, use the display startup command.
• The delete /unreserved file-url command deletes a file permanently and the action cannot be undone.
• The delete file-url command moves a file to the recycle bin and the file still occupies storage space. To free the storage space, first execute the undelete command to restore the file, and then execute the delete /unreserved file-url command.
# Delete unused files from the flash memory of the master switch.
<Sysname> delete /unreserved flash:/backup.bin
The file cannot be restored. Delete flash:/backup.bin?[Y/N]:y
Deleting the file permanently will take a long time. Please wait...
Deleting file flash:/backup.bin...Done.
# Delete unused files from the flash memory of the subordinate switch.
<Sysname> delete /unreserved slot2#flash:/backup.bin
The file cannot be restored. Delete slot2#flash:/backup.bin?[Y/N]:y
Deleting the file permanently will take a long time. Please wait...
Deleting file slot2#flash:/backup.bin...Done.
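Steps 3 to 5 can be checked mechanically from captured dir output. The following is an added example, not part of the HPE release notes: it parses the listing format shown in step 3, applies the "two times the size of the upgrade image file" rule, and lists files outside an operator-supplied keep list that would cover any shortfall. The keep list, the function names, and the second (nearly full) listing are assumptions of this example; the image size is the newest.ipe byte count shown in the FTP transcript on this page.

```python
import math
import re
from dataclasses import dataclass

# Sample 1: the master-switch listing shown in step 3 of this procedure.
MASTER_DIR = """\
Directory of flash:
0 -rw- 41424 Aug 23 2013 02:23:44 startup.mdb
1 -rw- 3792 Aug 23 2013 02:23:44 startup.cfg
2 -rw- 53555200 Aug 23 2013 09:53:48 system.bin
3 drw- - Aug 23 2013 00:00:07 seclog
4 drw- - Aug 23 2013 00:00:07 diagfile
5 drw- - Aug 23 2013 00:00:07 logfile
6 -rw- 9959424 Aug 23 2013 09:53:48 boot.bin
7 -rw- 9012224 Aug 23 2013 09:53:48 backup.bin
524288 KB total (453416 KB free)
"""
# Sample 2 (constructed): the same files on a nearly full flash.
LOW_DIR = MASTER_DIR.replace("453416 KB free", "60000 KB free")

IMAGE_BYTES = 32133120  # size of newest.ipe in the FTP transcript on this page
# Assumption: files the operator has confirmed are in use (for example with
# "display startup"); they are never proposed for deletion.
KEEP = {"startup.cfg", "startup.mdb", "boot.bin", "system.bin"}

FILE_RE = re.compile(
    r"^\s*\d+\s+(?P<attr>[d-]\S{3})\s+(?P<size>\d+|-)\s+"
    r"\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(?P<name>\S+)\s*$"
)
SUMMARY_RE = re.compile(r"(?P<total>\d+)\s+KB total\s+\((?P<free>\d+)\s+KB free\)")


@dataclass
class Listing:
    files: dict      # file name -> size in bytes (directories are skipped)
    total_kb: int
    free_kb: int


def parse_dir(text):
    """Parse one dir listing into file sizes and the total/free summary."""
    files, total_kb, free_kb = {}, None, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            if not m["attr"].startswith("d") and m["size"] != "-":
                files[m["name"]] = int(m["size"])
            continue
        m = SUMMARY_RE.search(line)
        if m:
            total_kb, free_kb = int(m["total"]), int(m["free"])
    if free_kb is None:
        raise ValueError("no 'KB total (... KB free)' summary line found")
    return Listing(files, total_kb, free_kb)


def required_kb(image_bytes, factor=2):
    """Free space needed: at least two times the upgrade image size."""
    return math.ceil(image_bytes * factor / 1024)


def check_member(listing, image_bytes, keep):
    """Apply the 2x rule; if short, pick deletion candidates largest first."""
    need = required_kb(image_bytes)
    shortfall = max(0, need - listing.free_kb)
    candidates = sorted(
        ((name, size) for name, size in listing.files.items() if name not in keep),
        key=lambda item: item[1], reverse=True)
    to_delete, reclaimed_kb = [], 0
    for name, size in candidates:
        if reclaimed_kb >= shortfall:
            break
        to_delete.append(name)
        reclaimed_kb += size // 1024   # round down to stay conservative
    return {
        "required_kb": need,
        "free_kb": listing.free_kb,
        "sufficient": shortfall == 0,
        "delete": to_delete,
        "sufficient_after_delete": listing.free_kb + reclaimed_kb >= need,
    }


if __name__ == "__main__":
    for label, text in (("master", MASTER_DIR), ("low-space", LOW_DIR)):
        print(label, check_member(parse_dir(text), IMAGE_BYTES, KEEP))
```

The candidate list is a proposal for the operator to review against the CAUTION above before running delete /unreserved; run the check once per member, using the dir slotN#flash:/ output for subordinate switches.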
Downloading software images to the master switch
Before you start upgrading software image packages, make sure you have downloaded the upgrade software files to the root directory in flash memory. This section describes downloading an .ipe software file as an example.
The following are ways to download, upload, or copy files to the master switch:
• FTP download from a server
• FTP upload from a client
• TFTP download from a server
Prerequisites
If FTP or TFTP is used, make sure the IRF fabric and the PC working as the FTP/TFTP server or FTP client can reach each other.
Prepare the FTP server or TFTP server program yourself for the PC. The switch series does not come with these software programs.
FTP download from a server
You can use the switch as an FTP client to download files from an FTP server.
To download a file from an FTP server, for example, the server at 10.10.110.1:
1. Run an FTP server program on the server, configure an FTP username and password, specify the working directory and copy the file, for example, newest.ipe, to the directory.
2. Execute the ftp command in user view on the IRF fabric to access the FTP server.
<Sysname> ftp 10.10.110.1
Trying 10.10.110.1...
Press CTRL+C to abort
Connected to 10.10.110.1(10.10.110.1).
220 FTP service ready.
User (10.10.110.1:(none)):username
331 Password required for username.
Password:
230 User logged in.
3. Enable the binary transfer mode.
ftp> binary
200 Type set to I.
4. Execute the get command in FTP client view to download the file from the FTP server.
ftp> get newest.ipe
227 Entering Passive Mode (10,10,110,1,17,97).
125 BINARY mode data connection already open, transfer starting for /newest.ipe
226 Transfer complete.
32133120 bytes received in 35 seconds (896.0 kbyte/s)
ftp> bye
221 Server closing.
FTP upload from a client
You can use the IRF fabric as an FTP server and upload files from a client to the IRF fabric.
To FTP upload a file from a client:
On the IRF fabric:
1. Enable FTP server.
<Sysname> system-view
[Sysname] ftp server enable
2. Configure a local FTP user account:
# Create the user account.
[Sysname] local-user abc
# Set its password and specify the FTP service.
[Sysname-luser-manage-abc] password simple pwd
[Sysname-luser-manage-abc] service-type ftp
# Assign the network-admin user role to the user account so that it can upload files to the working directory of the server.
[Sysname-luser-manage-abc] authorization-attribute user-role network-admin
[Sysname-luser-manage-abc] quit
[Sysname] quit
On the PC:
3. Log in to the IRF fabric (the FTP server) in FTP mode.
c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
4. Enable the binary file transfer mode.
ftp> binary
200 TYPE is now 8-bit binary.
5. Upload the file (for example, newest.ipe) to the root directory of the flash memory on the master switch.
ftp> put newest.ipe
200 PORT command successful
150 Connecting to port 10002
226 File successfully transferred
ftp: 32133120 bytes sent in 64.58 secs (497.60 Kbytes/sec).
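The upload steps above enable the FTP server and create a network-admin account, and the later "Save the current configuration" step writes the running configuration to startup.cfg, so whatever was enabled for the transfer persists across the reboot unless it is removed first. The following is an added audit example, not HPE code: it runs over either the typed session or a saved configuration and reports transfer settings that are still in place. The rule names, the constructed saved-configuration sample, and the use of an "undo ftp server enable" line as the cleanup marker are assumptions of this example.

```python
import re

# Sample 1: the FTP-upload session exactly as typed on this page.
SESSION = """\
<Sysname> system-view
[Sysname] ftp server enable
# Create the user account.
[Sysname] local-user abc
# Set its password and specify the FTP service.
[Sysname-luser-manage-abc] password simple pwd
[Sysname-luser-manage-abc] service-type ftp
# Assign the network-admin user role to the user account.
[Sysname-luser-manage-abc] authorization-attribute user-role network-admin
[Sysname-luser-manage-abc] quit
[Sysname] quit
"""

# Sample 2 (constructed): what a saved configuration could look like if the
# upgrade is completed without removing the transfer settings.
SAVED_CONFIG = """\
#
 sysname Sysname
#
 ftp server enable
#
local-user abc class manage
 password hash <constructed-placeholder>
 service-type ftp
 authorization-attribute user-role network-admin
#
local-user admin class manage
 password hash <constructed-placeholder>
 service-type ssh terminal
 authorization-attribute user-role network-admin
#
return
"""

# Strips a leading CLI prompt such as <Sysname> or [Sysname-luser-manage-abc].
PROMPT_RE = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")


def audit(text):
    """Return (rule, subject) findings for leftover file-transfer settings."""
    findings = []
    ftp_enabled = False
    user, services, roles = None, set(), set()

    def close_user():
        nonlocal user, services, roles
        if user and "ftp" in services and "network-admin" in roles:
            findings.append(("ftp-account-with-network-admin", user))
        user, services, roles = None, set(), set()

    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        if not line or line.startswith("# "):      # blank line or comment
            continue
        if line in ("#", "quit", "return"):        # end of a config block/view
            close_user()
            continue
        words = line.split()
        if words[0] == "local-user" and len(words) > 1:
            close_user()
            user = words[1]
        elif words[:3] == ["ftp", "server", "enable"]:
            ftp_enabled = True
        elif words[:4] == ["undo", "ftp", "server", "enable"]:
            ftp_enabled = False                    # assumed cleanup command
        elif user and words[:2] == ["password", "simple"]:
            # The password is readable by anyone who sees the script or log.
            findings.append(("cleartext-password-in-script", user))
        elif user and words[0] == "service-type":
            services.update(words[1:])
        elif user and words[:2] == ["authorization-attribute", "user-role"]:
            roles.update(words[2:])
    close_user()
    if ftp_enabled:
        findings.append(("ftp-server-enabled", "global"))
    return findings


if __name__ == "__main__":
    for label, text in (("session", SESSION), ("saved config", SAVED_CONFIG)):
        print(label, audit(text))
```

An empty result for the configuration that is about to be saved means the FTP server is off and no FTP-capable account holds the network-admin role.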
TFTP download from a server
To download a file from a TFTP server, for example, the server at 10.10.110.1:
1. Run a TFTP server program on the server, specify the working directory, and copy the file, for example, newest.ipe, to the directory.
2. On the IRF fabric, execute the tftp command in user view to download the file to the root directory of the flash memory on the master switch.
<Sysname> tftp 10.10.110.1 get newest.ipe
Press CTRL+C to abort.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 30.6M 0 30.6M 0 0 143k 0 --:--:-- 0:03:38 --:--:-- 142k
Upgrading the software images
To upgrade the software images:
1. Specify the upgrade image file (newest.ipe in this example) used at the next startup for the master switch, and assign the M attribute to the boot and system images in the file.
<Sysname> boot-loader file flash:/newest.ipe slot 1 main
Verifying image file..........Done.
Images in IPE:
boot.bin
system.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to target slot.
Decompressing file boot.bin to flash:/boot.bin....................Done.
Decompressing file system.bin to flash:/system.bin................Done.
The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 1.
2. Specify the upgrade image file as the main startup image file for each subordinate switch. This example uses IRF member 2. (The subordinate switches will automatically copy the file to the root directory of their flash memories.)
<Sysname> boot-loader file flash:/newest.ipe slot 2 main
Verifying image file..........Done.
Images in IPE:
boot.bin
system.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to target slot.
Decompressing file boot.bin to flash:/boot.bin....................Done.
Decompressing file system.bin to flash:/system.bin................Done.
The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 2.
3. Enable the software auto-update function.
<Sysname> system-view
[Sysname] irf auto-update enable
[Sysname] quit
This function checks the software versions of member switches for inconsistency with the master switch. If a subordinate switch is using a different software version than the master, the function propagates the current software images of the master to the subordinate as main startup images. The function prevents software version inconsistency from causing the IRF setup failure.
4. Save the current configuration in any view to prevent data loss.
<Sysname> save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait.................
Saved the current configuration to mainboard device successfully.
Slot 2:
Save next configuration file successfully.
5. Reboot the IRF fabric to complete the upgrade.
<Sysname> reboot
Start to check configuration with next startup configuration file, please wait.
........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
The system automatically loads the .bin boot and system images in the .ipe file and sets them as the startup software images.
6. Execute the display version command in any view to verify that the current main software images have been updated (details not shown).
NOTE:
The system automatically checks the compatibility of the Boot ROM image and the boot and system images during the reboot. If you are prompted that the Boot ROM image in the upgrade image file is different than the current Boot ROM image, upgrade both the basic and extended sections of the Boot ROM image for compatibility. If you choose to not upgrade the Boot ROM image, the system will ask for an upgrade at the next reboot performed by powering on the switch or rebooting from the CLI (promptly or as scheduled). If you fail to make any choice in the required time, the system upgrades the entire Boot ROM image.
Upgrading from the Boot menu
In this approach, you must access the Boot menu of each member switch to upgrade their software one by one. If you are upgrading software images for an IRF fabric, using the CLI is a better choice.
TIP:
Upgrading through the Ethernet port is faster than through the console port.
Prerequisites
Make sure the prerequisites are met before you start upgrading software from the Boot menu.
Setting up the upgrade environment
1. Use a console cable to connect the console terminal (for example, a PC) to the console port on the switch.
2. Connect the Ethernet port on the switch to the file server.
NOTE:
The file server and the configuration terminal can be co-located.
3. Run a terminal emulator program on the console terminal and set the following terminal settings:
Bits per second—9,600
Data bits—8
Parity—None
Stop bits—1
Flow control—None
Emulation—VT100
Preparing for the TFTP or FTP transfer
To use TFTP or FTP:
• Run a TFTP or FTP server program on the file server or the console terminal.
• Copy the upgrade file to the file server.
• Correctly set the working directory on the TFTP or FTP server.
• Make sure the file server and the switch can reach each other.
Verifying that sufficient storage space is available
IMPORTANT:
For the switch to start up correctly, do not delete the main startup software images when you free storage space before upgrading Boot ROM. On the Boot menu, the main startup software images are marked with an asterisk (*).
When you upgrade software, make sure each member switch has sufficient free storage space for the upgrade file, as shown in Table 8.
Table 10 Minimum free storage space requirements
Upgraded images | Minimum free storage space requirements
Comware images | Two times the size of the Comware upgrade package file.
Boot ROM | Same size as the Boot ROM upgrade image file.
Scheduling the upgrade time
During the upgrade, the switch cannot provide any services. You must make sure the upgrade has a minimal impact on the network services.
Accessing the Boot menu
Starting......
Press Ctrl+D to access BASIC BOOT MENU
********************************************************************************
* *
* HPE 5130-48G-4SFP+ EI Switch BOOTROM, Version 112 *
* *
********************************************************************************
Copyright (c) 2010-2015 Hewlett-Packard Development Company, L.P.
Creation Date : Apr 13 2015, 14:45:33
CPU Clock Speed : 1000MHz
Memory Size : 1024MB
Flash Size : 512MB
CPLD Version : 001
PCB Version : Ver.B
Mac Address : 443192f992f1
PEX mode is disabled.
Press Ctrl+B to access EXTENDED BOOT MENU...0
Press one of the shortcut key combinations at prompt.
Table 11 Shortcut keys
Shortcut keys | Prompt message | Function | Remarks
Ctrl+B | Press Ctrl+B to enter Extended Boot menu... | Accesses the extended Boot menu. | Press the keys within 1 second (in fast startup mode) or 5 seconds (in full startup mode) after the message appears. You can upgrade and manage system software and Boot ROM from this menu.
Ctrl+D | Press Ctrl+D to access BASIC BOOT MENU | Accesses the basic Boot menu. | Press the keys within 1 second after the message appears. You can upgrade Boot ROM or access the extended Boot ROM segment from this menu.
Accessing the basic Boot menu
If the extended Boot ROM segment is corrupted, you can repair or upgrade it from the basic Boot menu.
Press Ctrl+D within 1 second after the "Press Ctrl+D to access BASIC BOOT MENU" prompt message appears. If you fail to do this within the time limit, the system starts to run the extended Boot ROM segment.
********************************************************************************
* *
* BASIC BOOTROM, Version 112 *
* *
********************************************************************************
BASIC BOOT MENU
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
4. Boot extended BootRom
0. Reboot
Ctrl+U: Access BASIC ASSISTANT MENU
Enter your choice(0-4):
Table 12 Basic Boot ROM menu options
Option | Task
1. Update full BootRom | Update the entire Boot ROM, including the basic segment and the extended segment. To do so, you must use XMODEM and the console port. For more information, see Using XMODEM to upgrade Boot ROM through the console port.
2. Update extended BootRom | Update the extended Boot ROM segment. To do so, you must use XMODEM and the console port. For more information, see Using XMODEM to upgrade Boot ROM through the console port.
3. Update basic BootRom | Update the basic Boot ROM segment. To do so, you must use XMODEM and the console port. For more information, see Using XMODEM to upgrade Boot ROM through the console port.
4. Boot extended BootRom | Access the extended Boot ROM segment. For more information, see Accessing the extended Boot menu.
0. Reboot | Reboot the switch.
Ctrl+U: Access BASIC ASSISTANT MENU | Press Ctrl+U to access the BASIC ASSISTANT menu.
Table 13 BASIC ASSISTANT menu options
Option | Task
1. RAM Test | Perform a RAM self-test.
0. Return to boot menu | Return to the basic Boot menu.
Accessing the extended Boot menu
Press Ctrl+B within 1 second (in fast startup mode) or 5 seconds (in full startup mode) after the "Press Ctrl-B to enter Extended Boot menu..." prompt message appears. If you fail to do this, the system starts decompressing the system software.
Alternatively, you can enter 4 in the basic Boot menu to access the extended Boot menu.
The "Password recovery capability is enabled." or "Password recovery capability is disabled." message appears, followed by the extended Boot menu. Availability of some menu options depends on the state of password recovery capability (see Table 11). For more information about password recovery capability, see Fundamentals Configuration Guide in HPE 5130 EI Switch Series Configuration Guides.
Password recovery capability is enabled.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+Y: Change Work Mode
Ctrl+C: Display Copyright
Enter your choice(0-8):
Table 14 Extended Boot ROM menu options
Option | Tasks
1. Download image to flash | Download a software image file to the flash.
2. Select image to boot | Specify the main and backup software image file for the next startup. Specify the main and backup configuration files for the next startup. This task can be performed only if password recovery capability is enabled.
3. Display all files in flash | Display files on the flash.
4. Delete file from flash | Delete files to free storage space.
5. Restore to factory default configuration | Delete the current next-startup configuration files and restore the factory-default configuration. This option is available only if password recovery capability is disabled.
6. Enter BootRom upgrade menu | Access the Boot ROM upgrade menu.
7. Skip current system configuration | Start the switch without loading any configuration file. This is a one-time operation and takes effect only for the first system boot or reboot after you choose this option. This option is available only if password recovery capability is enabled.
8. Set switch startup mode | Set the startup mode to fast startup mode or full startup mode.
0. Reboot | Reboot the switch.
Ctrl+F: Format file system | Format the current storage medium.
Ctrl+P: Change authentication for console login | Skip the authentication for console login. This is a one-time operation and takes effect only for the first system boot or reboot after you choose this option. This option is available only if password recovery capability is enabled.
Ctrl+R: Download image to SDRAM and run | Download a system software image and start the switch with the image. This option is available only if password recovery capability is enabled.
Ctrl+Z: Access EXTENDED ASSISTANT MENU | Access the EXTENDED ASSISTANT MENU. For options in the menu, see Table 13.
Ctrl+Y: Change Work Mode | Change Work Mode.
Ctrl+C: Display Copyright | Display the copyright statement.
Table 15 EXTENDED ASSISTANT menu options
Option | Task
1. Display Memory | Display data in the memory.
2. Search Memory | Search the memory for a specific data segment.
0. Return to boot menu | Return to the extended Boot ROM menu.
Upgrading Comware images from the Boot menu
You can use the following methods to upgrade Comware images:
• Using TFTP to upgrade software images through the Ethernet port
• Using FTP to upgrade software images through the Ethernet port
• Using XMODEM to upgrade software through the console port
Using TFTP to upgrade software images through the Ethernet port
1. Enter 1 in the Boot menu to access the file transfer protocol submenu.
1. Set TFTP protocol parameters
2. Set FTP protocol parameters
3. Set XMODEM protocol parameters
0. Return to boot menu
Enter your choice(0-3):
2. Enter 1 to set the TFTP parameters.
Load File Name :update.ipe
Server IP Address :192.168.0.3
Local IP Address :192.168.0.2
Subnet Mask :255.255.255.0
Gateway IP Address :0.0.0.0
Table 16 TFTP parameter description
Item | Description
Load File Name | Name of the file to download (for example, update.ipe).
Server IP Address | IP address of the TFTP server (for example, 192.168.0.3).
Local IP Address | IP address of the switch (for example, 192.168.0.2).
Subnet Mask | Subnet mask of the switch (for example, 255.255.255.0).
Gateway IP Address | IP address of the gateway (in this example, no gateway is required because the server and the switch are on the same subnet).
NOTE:
• To use the default setting for a field, press Enter without entering any value.
• If the switch and the server are on different subnets, you must specify a gateway address for the switch.
3. Enter all required parameters, and enter Y to confirm the settings. The following prompt appears:
Are you sure to download file to flash? Yes or No (Y/N):Y
4. Enter Y to start downloading the image file. To return to the Boot menu without downloading the upgrade file, enter N.
Loading.........................................................................
................................................................................
................................................................................
................................................................Done!
5. Enter the M (main), B (backup), or N (none) attribute for the images. In this example, assign the main attribute to the images.
Please input the file attribute (Main/Backup/None) M
Image file boot.bin is self-decompressing...
Free space: 534980608 bytes
Writing flash...................................................................
................................................................................
...................................................................Done!
Image file system.bin is self-decompressing...
Free space: 525981696 bytes
Writing flash...................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
.......................................................................Done!
NOTE:
• The switch always attempts to boot with the main images first. If the attempt fails, for example, because the main images are not available, the switch tries to boot with the backup images. An image with the none attribute is only stored in flash memory for backup. To use it at reboot, you must change its attribute to main or backup.
• If an image with the same attribute as the image you are loading is already in the flash memory, the attribute of the old image changes to none after the new image becomes valid.
6. Enter 0 in the Boot menu to reboot the switch with the new software images.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+Y: Change Work Mode
Ctrl+C: Display Copyright
Enter your choice(0-8): 0
Using FTP to upgrade software images through the Ethernet port
1. Enter 1 in the Boot menu to access the file transfer protocol submenu.
1. Set TFTP protocol parameters
2. Set FTP protocol parameters
3. Set XMODEM protocol parameters
0. Return to boot menu
Enter your choice(0-3):
2. Enter 2 to set the FTP parameters.
Load File Name :update.ipe
Server IP Address :192.168.0.3
Local IP Address :192.168.0.2
Subnet Mask :255.255.255.0
Gateway IP Address :0.0.0.0
FTP User Name :switch
FTP User Password :***
Table 17 FTP parameter description
Item | Description
Load File Name | Name of the file to download (for example, update.ipe).
Server IP Address | IP address of the FTP server (for example, 192.168.0.3).
Local IP Address | IP address of the switch (for example, 192.168.0.2).
Subnet Mask | Subnet mask of the switch (for example, 255.255.255.0).
Gateway IP Address | IP address of the gateway (in this example, no gateway is required because the server and the switch are on the same subnet).
FTP User Name | Username for accessing the FTP server, which must be the same as configured on the FTP server.
FTP User Password | Password for accessing the FTP server, which must be the same as configured on the FTP server.
NOTE:
• To use the default setting for a field, press Enter without entering any value.
• If the switch and the server are on different subnets, you must specify a gateway address for the switch.
3. Enter all required parameters, and enter Y to confirm the settings. The following prompt appears:
Are you sure to download file to flash? Yes or No (Y/N):Y
4. Enter Y to start downloading the image file. To return to the Boot menu without downloading the upgrade file, enter N.
Loading.........................................................................
................................................................................
................................................................................
................................................................Done!
5. Enter the M (main), B (backup), or N (none) attribute for the images. In this example, assign the main attribute to the images.
Please input the file attribute (Main/Backup/None) M
Image file boot.bin is self-decompressing...
Free space: 534980608 bytes
Writing flash...................................................................
................................................................................
...................................................................Done!
Image file system.bin is self-decompressing...
Free space: 525981696 bytes
Writing flash...................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
.......................................................................Done!
NOTE:
• The switch always attempts to boot with the main images first. If the attempt fails, for example, because the main images are not available, the switch tries to boot with the backup images. An image with the none attribute is only stored in flash memory for backup. To use it at reboot, you must change its attribute to main or backup.
• If an image with the same attribute as the image you are loading is already in the flash memory, the attribute of the old image changes to none after the new image becomes valid.
6. Enter 0 in the Boot menu to reboot the switch with the new software images.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+Y: Change Work Mode
Ctrl+C: Display Copyright
Enter your choice(0-8):0
Using XMODEM to upgrade software through the console port
XMODEM download through the console port is slower than TFTP or FTP download through the Ethernet port. To save time, use the Ethernet port whenever possible.
1. Enter 1 in the Boot menu to access the file transfer protocol submenu.
1. Set TFTP protocol parameters
2. Set FTP protocol parameters
3. Set XMODEM protocol parameters
0. Return to boot menu
Enter your choice(0-3):
2. Enter 3 to set the XMODEM download baud rate.
Please select your download baudrate:
1.* 9600
2. 19200
3. 38400
4. 57600
5. 115200
0. Return to boot menu
Enter your choice(0-5):5
3. Select an appropriate download rate, for example, enter 5 to select 115200 bps.
Download baudrate is 115200 bps
Please change the terminal's baudrate to 115200 bps and select XMODEM protocol
Press enter key when ready
4. Set the serial port on the terminal to use the same baud rate and protocol as the console port. If you select 9600 bps as the download rate for the console port, skip this task.
a. Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the switch.
Figure 2 Disconnecting the terminal from the switch
b. Select File > Properties, and in the Properties dialog box, click Configure.
Figure 3 Properties dialog box
c. Select 115200 from the Bits per second list and click OK.
Figure 4 Modifying the baud rate
d. Select Call > Call to reestablish the connection.
Figure 5 Reestablishing the connection
5. Press Enter. The following prompt appears:
Are you sure to download file to flash? Yes or No (Y/N):Y
6. Enter Y to start downloading the file. (To return to the Boot menu, enter N.)
Now please start transfer file with XMODEM protocol
If you want to exit, Press <Ctrl+X>
Loading ...CCCCCCCCCCCCCCCCCCCCCCCCC
7. Select Transfer > Send File in the HyperTerminal window.
Transfer menu
8. In the dialog box that appears, click Browse to select the source file, and select Xmodem from the Protocol list.
File transmission dialog box
9. Click Send. The following dialog box appears:
File transfer progress
10. Enter the M (main), B (backup), or N (none) attribute for the images. In this example, assign the main attribute to the images.
Please input the file attribute (Main/Backup/None) m
The boot.bin image is self-decompressing...
# At the Load File name prompt, enter a name for the boot image to be saved to flash memory.
Load File name : default_file boot-update.bin
Free space: 470519808 bytes
Writing flash...................................................................
.............Done!
The system-update.bin image is self-decompressing...
# At the Load File name prompt, enter a name for the system image to be saved to flash memory.
Load File name : default_file system-update.bin
Free space: 461522944 bytes
Writing flash...................................................................
.............Done!
Your baudrate should be set to 9600 bps again!
Press enter key when ready
NOTE:
• The switch always attempts to boot with the main images first. If the attempt fails, for example, because the main images are not available, the switch tries to boot with the backup images. An image with the none attribute is only stored in the flash memory for backup. To use it at reboot, you must change its attribute to main or backup.
• If an image with the same attribute as the image you are loading is already in flash memory, the attribute of the old image changes to none after the new image becomes valid.
11. If the baud rate of the HyperTerminal is not 9600 bps, restore it to 9600 bps as described in step
. If the baud rate is 9600 bps, skip this step.
NOTE:
The console port rate reverts to 9600 bps at a reboot. If you have changed the baud rate, you must perform this step so you can access the switch through the console port after a reboot.
12. Enter 0 in the Boot menu to reboot the system with the new software images.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+Y: Change Work Mode
Ctrl+C: Display Copyright
Enter your choice(0-8): 0
Upgrading Boot ROM from the Boot menu
You can use the following methods to upgrade the Boot ROM image:
• Using TFTP to upgrade Boot ROM through the Ethernet port
• Using FTP to upgrade Boot ROM through the Ethernet port
• Using XMODEM to upgrade Boot ROM through the console port
Using TFTP to upgrade Boot ROM through the Ethernet port
1. Enter 6 in the Boot menu to access the Boot ROM update menu.
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
0. Return to boot menu
Enter your choice(0-3):
2. Enter 1 in the Boot ROM update menu to upgrade the full Boot ROM.
The file transfer protocol submenu appears:
1. Set TFTP protocol parameters
2. Set FTP protocol parameters
3. Set XMODEM protocol parameters
0. Return to boot menu
Enter your choice(0-3):
3. Enter 1 to set the TFTP parameters.
Load File Name :update.btm
Server IP Address :192.168.0.3
Local IP Address :192.168.0.2
Subnet Mask :255.255.255.0
Gateway IP Address :0.0.0.0
Table 18 TFTP parameter description
Item | Description
Load File Name | Name of the file to download (for example, update.btm).
Server IP Address | IP address of the TFTP server (for example, 192.168.0.3).
Local IP Address | IP address of the switch (for example, 192.168.0.2).
Subnet Mask | Subnet mask of the switch (for example, 255.255.255.0).
Gateway IP Address | IP address of the gateway (in this example, no gateway is required because the server and the switch are on the same subnet).
NOTE:
• To use the default setting for a field, press Enter without entering any value.
• If the switch and the server are on different subnets, you must specify a gateway address for the switch.
4. Enter all required parameters and press Enter to start downloading the file.
Loading.................................................Done!
5. Enter Y at the prompt to upgrade the basic Boot ROM section.
Will you Update Basic BootRom? (Y/N):Y
Updating Basic BootRom...........Done.
6. Enter Y at the prompt to upgrade the extended Boot ROM section.
Updating extended BootRom? (Y/N):Y
Updating extended BootRom.........Done.
7. Enter 0 in the Boot ROM update menu to return to the Boot menu.
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
0. Return to boot menu
Enter your choice(0-3):
8. Enter 0 in the Boot menu to reboot the switch with the new Boot ROM image.
Using FTP to upgrade Boot ROM through the Ethernet port
1. Enter 6 in the Boot menu to access the Boot ROM update menu.
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
0. Return to boot menu
Enter your choice(0-3):
2. Enter 1 in the Boot ROM update menu to upgrade the full Boot ROM.
The file transfer protocol submenu appears:
1. Set TFTP protocol parameters
2. Set FTP protocol parameters
3. Set XMODEM protocol parameters
0. Return to boot menu
Enter your choice(0-3):
3. Enter 2 to set the FTP parameters.
Load File Name :update.btm
Server IP Address :192.168.0.3
Local IP Address :192.168.0.2
Subnet Mask :255.255.255.0
Gateway IP Address :0.0.0.0
FTP User Name :switch
FTP User Password :123
Table 19 FTP parameter description
Item | Description
Load File Name | Name of the file to download (for example, update.btm).
Server IP Address | IP address of the FTP server (for example, 192.168.0.3).
Local IP Address | IP address of the switch (for example, 192.168.0.2).
Subnet Mask | Subnet mask of the switch (for example, 255.255.255.0).
Gateway IP Address | IP address of the gateway (in this example, no gateway is required because the server and the switch are on the same subnet).
FTP User Name | Username for accessing the FTP server, which must be the same as configured on the FTP server.
FTP User Password | Password for accessing the FTP server, which must be the same as configured on the FTP server.
NOTE:
• To use the default setting for a field, press Enter without entering any value.
• If the switch and the server are on different subnets, you must specify a gateway address for the switch.
4. Enter all required parameters and press Enter to start downloading the file.
Loading.................................................Done!
5. Enter Y at the prompt to upgrade the basic Boot ROM section.
Will you Update Basic BootRom? (Y/N):Y
Updating Basic BootRom...........Done.
6. Enter Y at the prompt to upgrade the extended Boot ROM section.
Updating extended BootRom? (Y/N):Y
Updating extended BootRom.........Done.
7. Enter 0 in the Boot ROM update menu to return to the Boot menu.
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
0. Return to boot menu
Enter your choice(0-3):
8. Enter 0 in the Boot menu to reboot the switch with the new Boot ROM image.
Using XMODEM to upgrade Boot ROM through the console port
XMODEM download through the console port is slower than TFTP or FTP download through the Ethernet port. To save time, use the Ethernet port whenever possible.
1. Enter 6 in the Boot menu to access the Boot ROM update menu.
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
0. Return to boot menu
Enter your choice(0-3):
2. Enter 1 in the Boot ROM update menu to upgrade the full Boot ROM.
The file transfer protocol submenu appears:
1. Set TFTP protocol parameters
2. Set FTP protocol parameters
3. Set XMODEM protocol parameters
0. Return to boot menu
Enter your choice(0-3):
3. Enter 3 to set the XMODEM download baud rate.
Please select your download baudrate:
1.* 9600
2. 19200
3. 38400
4. 57600
5. 115200
0. Return to boot menu
Enter your choice(0-5):5
4. Select an appropriate download rate, for example, enter 5 to select 115200 bps.
Download baudrate is 115200 bps
Please change the terminal's baudrate to 115200 bps and select XMODEM protocol
Press enter key when ready
5. Set the serial port on the terminal to use the same baud rate and protocol as the console port. If you select 9600 bps as the download rate for the console port, skip this task.
a. Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the switch.
Figure 6 Disconnecting the terminal from the switch
b. Select File > Properties, and in the Properties dialog box, click Configure.
Figure 7 Properties dialog box
c. Select 115200 from the Bits per second list and click OK.
Figure 8 Modifying the baud rate
d. Select Call > Call to reestablish the connection.
Figure 9 Reestablishing the connection
6. Press Enter to start downloading the file.
Now please start transfer file with XMODEM protocol
If you want to exit, Press <Ctrl+X>
Loading ...CCCCCCCCCCCCCCCCCCCCCCCCC
7. Select Transfer > Send File in the HyperTerminal window.
Transfer menu
8. In the dialog box that appears, click Browse to select the source file, and select Xmodem from the Protocol list.
File transmission dialog box
9. Click Send. The following dialog box appears:
File transfer progress
10. Enter Y at the prompt to upgrade the basic Boot ROM section.
Loading ...CCCCCCCCCCCCCC ...Done!
Will you Update Basic BootRom? (Y/N):Y
Updating Basic BootRom...........Done.
11. Enter Y at the prompt to upgrade the extended Boot ROM section.
Updating extended BootRom? (Y/N):Y
Updating extended BootRom.........Done.
12. If the baud rate of the HyperTerminal is not 9600 bps, restore it to 9600 bps at the prompt, as
. If the baud rate is 9600 bps, skip this step.
Please change the terminal's baudrate to 9600 bps, press ENTER when ready.
NOTE:
The console port rate reverts to 9600 bps at a reboot. If you have changed the baud rate, you must perform this step so you can access the switch through the console port after a reboot.
13. Press Enter to access the Boot ROM update menu.
14. Enter 0 in the Boot ROM update menu to return to the Boot menu.
1. Update full BootRom
2. Update extended BootRom
3. Update basic BootRom
0. Return to boot menu
Enter your choice(0-3):
15. Enter 0 in the Boot menu to reboot the switch with the new Boot ROM image.
Managing files from the Boot menu
From the Boot menu, you can display files in flash memory to check for obsolete files, incorrect files, or space insufficiency, delete files to release storage space, or change the attributes of software images.
Displaying all files
Enter 3 in the Boot menu to display all files in flash memory and identify the free space size.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+Y: Change Work Mode
Ctrl+C: Display Copyright
Enter your choice(0-8): 3
The following is a sample output:
Display all file(s) in flash:
File Number File Size(bytes) File Name
================================================================================
1 8177 flash:/testbackup.cfg
2(*) 53555200 flash:/system.bin
3(*) 9959424 flash:/boot.bin
4 3678 flash:/startup.cfg_backup
5 30033 flash:/default.mdb
6 42424 flash:/startup.mdb
7 18 flash:/.pathfile
8 232311 flash:/logfile/logfile.log
9 5981 flash:/startup.cfg_back
10(*) 6098 flash:/startup.cfg
11 20 flash:/.snmpboots
Free space: 464298848 bytes
The current image is boot.bin
(*)-with main attribute
(b)-with backup attribute
(*b)-with both main and backup attribute
Deleting files
If storage space is insufficient, delete obsolete files to free up storage space.
To delete files:
1. Enter 4 in the Boot menu:
Deleting the file in flash:
File Number File Size(bytes) File Name
================================================================================
1 8177 flash:/testbackup.cfg
2(*) 53555200 flash:/system.bin
3(*) 9959424 flash:/boot.bin
4 3678 flash:/startup.cfg_backup
5 30033 flash:/default.mdb
6 42424 flash:/startup.mdb
7 18 flash:/.pathfile
8 232311 flash:/logfile/logfile.log
9 5981 flash:/startup.cfg_back
10(*) 6098 flash:/startup.cfg
11 20 flash:/.snmpboots
Free space: 464298848 bytes
The current image is boot.bin
(*)-with main attribute
(b)-with backup attribute
(*b)-with both main and backup attribute
2. Enter the number of the file to delete. For example, enter 1 to select the file testbackup.cfg.
Please input the file number to change: 1
3. Enter Y at the confirmation prompt.
The file you selected is testbackup.cfg,Delete it? (Y/N):Y
Deleting....................................Done!
Changing the attribute of software images
Software image attributes include main (M), backup (B), and none (N). System software and boot software can each have multiple none-attribute images but only one main image and one backup image on the switch. You can assign both the M and B attributes to one image. If the M or B attribute you are assigning has been assigned to another image, the assignment removes the attribute from that image. If the removed attribute is the sole attribute of the image, its attribute changes to N.
For example, the system image system.bin has the M attribute and the system image system-update.bin has the B attribute. After you assign the M attribute to system-update.bin, the attribute of system-update.bin changes to M+B and the attribute of system.bin changes to N.
To change the attribute of a system or boot image:
1. Enter 2 in the Boot menu.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+Y: Change Work Mode
Ctrl+C: Display Copyright
Enter your choice(0-8): 2
2. Enter 1 or 2 at the prompt to set the attribute of a software image. (The following output is based on option 2. To set the attribute of a configuration file, enter 3.)
1. Set image file
2. Set bin file
3. Set configuration file
0. Return to boot menu
Enter your choice(0-3): 2
File Number File Size(bytes) File Name
================================================================================
1(*) 53555200 flash:/system.bin
2(*) 9959424 flash:/boot.bin
3 13105152 flash:/boot-update.bin
4 91273216 flash:/system-update.bin
Free space: 417177920 bytes
(*)-with main attribute
(b)-with backup attribute
(*b)-with both main and backup attribute
Note:Select .bin files. One but only one boot image and system image must be included.
3. Enter the number of the file you are working with. For example, enter 3 to select the boot image boot-update.bin, and enter 4 to select the system image system-update.bin.
Enter file No.(Allows multiple selection):3
Enter another file No.(0-Finish choice):4
4. Enter 0 to finish the selection.
Enter another file No.(0-Finish choice):0
You have selected: flash:/boot-update.bin flash:/system-update.bin
5. Enter M or B to change its attribute to main or backup. If you change its attribute to M, the attribute of boot.bin changes to none.
Please input the file attribute (Main/Backup) M
This operation may take several minutes. Please wait....
Next time, boot-update.bin will become default boot file!
Next time, system-update.bin will become default boot file!
Set the file attribute success!
Handling software upgrade failures
If a software upgrade fails, the system runs the old software version.
To handle a software upgrade failure:
1. Verify that the software release is compatible with the switch model and the correct file is used.
2. Verify that the software release and the Boot ROM release are compatible. For software and Boot ROM compatibility, see the hardware and software compatibility matrix in the correct release notes.
3. Check the physical ports for a loose or incorrect connection.
4. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any wrong setting.
5. Check the file transfer settings:
• If XMODEM is used, you must set the same baud rate for the terminal as for the console port.
• If TFTP is used, you must enter the same server IP addresses, file name, and working directory as set on the TFTP server.
• If FTP is used, you must enter the same FTP server IP address, source file name, working directory, and FTP username and password as set on the FTP server.
6. Check the FTP or TFTP server for any incorrect setting.
7. Check that the storage device has sufficient space for the upgrade file.
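One way to run the free-space check in step 7 offline from a captured "Display all files in flash" listing, as an added Python example that is not part of the HPE procedure. The listing is constructed in the format shown earlier, the function names are hypothetical, and the required size used in the demo is the sum of the boot-update.bin and system-update.bin sizes from the listing on this page; limiting deletion candidates to .bin files with the none attribute is a choice made for this example.

```python
import re

# Constructed sample in the Boot menu listing format (not captured from a device).
SAMPLE = """\
Display all file(s) in flash:
File Number File Size(bytes) File Name
================================================================================
1 8177 flash:/testbackup.cfg
2(*) 53555200 flash:/system.bin
3(*) 9959424 flash:/boot.bin
4 50331648 flash:/system-old.bin
5 9437184 flash:/boot-old.bin
6(*b) 6098 flash:/startup.cfg
Free space: 60000000 bytes
(*)-with main attribute
(b)-with backup attribute
(*b)-with both main and backup attribute
"""

# "2(*) 53555200 flash:/system.bin": number, optional (*), (b) or (*b), size, name.
ENTRY = re.compile(r"^\s*(\d+)(?:\((\*?b?)\))?\s+(\d+)\s+(flash:/\S+)\s*$")
FREE = re.compile(r"^Free space:\s*(\d+)\s+bytes")


def parse_flash_listing(text):
    """Return (files, free_bytes) parsed from a Boot menu file listing."""
    files, free = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            marker = m.group(2) or ""
            files.append({
                "number": int(m.group(1)),
                "size": int(m.group(3)),
                "name": m.group(4),
                "main": "*" in marker,
                "backup": "b" in marker,
            })
            continue
        m = FREE.match(line)
        if m:
            free = int(m.group(1))
    if free is None:
        raise ValueError("no 'Free space' line found in listing")
    return files, free


def space_check(text, required_bytes):
    """Report whether required_bytes fit and which unattributed images to review."""
    files, free = parse_flash_listing(text)
    shortfall = max(0, required_bytes - free)
    # Only .bin images with the none attribute are proposed; the switch never
    # boots from them, but the operator still decides what is obsolete.
    unattributed = sorted(
        (f for f in files
         if f["name"].endswith(".bin") and not (f["main"] or f["backup"])),
        key=lambda f: f["size"], reverse=True)
    review, reclaimed = [], 0
    for f in unattributed:
        if reclaimed >= shortfall:
            break
        review.append(f["name"])
        reclaimed += f["size"]
    return {
        "free": free,
        "fits": shortfall == 0,
        "shortfall": shortfall,
        "review_for_deletion": review,
        "enough_after_cleanup": reclaimed >= shortfall,
    }


if __name__ == "__main__":
    # 13105152 + 91273216: boot-update.bin and system-update.bin sizes from the page.
    print(space_check(SAMPLE, 13105152 + 91273216))
```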
HPE 5130EI-CMW710-R3207 & R3207-US
Release Notes
Software Feature Changes
The information in this document is subject to change without notice.
© Copyright 2016,2017 Hewlett Packard Enterprise Development LP
Contents
Release 3207/3207-US
New features: Fundamentals features
New features: IRF features
New features: Layer 2—LAN switching features
New features: Layer 3—IP services features
New features: Layer 3—IP routing features
New features: IP multicast features
New features: ACL and QoS features
New features: Security features
New features: High availability features
New features: Network management and monitoring features
New features: OpenFlow features
Modified feature: Configuring a command alias
Modified feature: Displaying command aliases
Modified feature: Configuring a hotkey
Modified feature: Maximum length for a configuration file name
Modified feature: BFD MAD collision handling process
Modified feature: Support for commands on IRF physical interfaces
Modified feature: Displaying information about packets dropped on an interface
Modified feature: Displaying MAC address move records
Modified feature: MAC address move notifications
Modified feature: Setting the voice VLAN aging timer
Modified feature: Creating a VLAN
Modified feature: Setting the LLDP frame transmission interval
Modified feature: Displaying ARP entries
Modified feature: Displaying the aging time of dynamic ARP entries
Modified feature: Specifying gateways on the DHCP server for DHCP clients
Modified feature: Displaying information for DHCP snooping trusted ports
Modified feature: Setting the MTU of IPv4 packets sent over an interface
Modified feature: Setting the TCP buffer size
Modified feature: Configuring prefix to be advertised in RA messages
Modified feature: Setting the MTU of IPv6 packets sent over an interface
Modified feature: Displaying PBR configuration
Modified feature: Displaying IPv6 PBR configuration
Modified feature: Creating an ACL
Modified feature: Copying an ACL to create a new ACL
Modified feature: Displaying ACL configuration and match statistics
Modified feature: Displaying packet filtering statistics
Modified feature: Displaying accumulated packet filtering statistics for an ACL
Modified feature: Displaying ACL application details for packet filtering
Modified feature: Applying an ACL to an interface for packet filtering
Modified feature: Clearing statistics for ACLs
Modified feature: Specifying an ACL match criterion
Modified feature: Displaying predefined control plane QoS policies of cards
Modified feature: Length range for an ISP domain
Modified feature: Displaying local user configuration
Modified feature: Displaying user group configuration
Modified feature: Enabling the RADIUS server load sharing feature
Modified feature: Setting the real-time accounting interval
Modified feature: Displaying 802.1X information
Modified feature: Port-specific mandatory 802.1X authentication domain
Modified feature: Predefined user roles for SSH and FTP client commands
Modified feature: Displaying information about SNMP groups
Modified feature: Displaying SNMPv3 user information
Modified feature: Configuring an SNMPv1 or SNMPv2c community
Modified feature: Creating an SNMP group
Modified feature: Creating an SNMPv1 or SNMPv2c user
Modified feature: Creating an SNMPv3 user
Modified feature: Configuration locking BY NETCONF
Removed features
Related documentation
Release 3207
This release has the following changes:
• New features: Fundamentals features
• New features: Layer 2—LAN switching features
• New features: Layer 3—IP services features
• New features: Layer 3—IP routing features
• New features: IP multicast features
• New features: ACL and QoS features
• New features: Security features
• New features: High availability features
• New features: Network management and monitoring features
• New features: OpenFlow features
• Modified feature: Configuring a command alias
• Modified feature: Displaying command aliases
• Modified feature: Configuring a hotkey
• Modified feature: Maximum length for a configuration file name
• Modified feature: BFD MAD collision handling process
• Modified feature: Support for commands on IRF physical interfaces
• Modified feature: Excluding a service interface from the IRF MAD shutdown action by the system
• Modified feature: Displaying information about packets dropped on an interface
• Modified feature: Displaying MAC address move records
• Modified feature: MAC address move notifications
• Modified feature: Setting the voice VLAN aging timer
• Modified feature: Creating a VLAN
• Modified feature: Setting the LLDP frame transmission interval
• Modified feature: Displaying ARP entries
• Modified feature: Displaying the aging time of dynamic ARP entries
• Modified feature: Specifying gateways on the DHCP server for DHCP clients
• Modified feature: Displaying information for DHCP snooping trusted ports
• Modified feature: Setting the MTU of IPv4 packets sent over an interface
• Modified feature: Setting the TCP buffer size
• Modified feature: Configuring prefix to be advertised in RA messages
• Modified feature: Setting the MTU of IPv6 packets sent over an interface
• Modified feature: Displaying PBR configuration
• Modified feature: Displaying IPv6 PBR configuration
• Modified feature: Creating an ACL
• Modified feature: Copying an ACL to create a new ACL
• Modified feature: Displaying ACL configuration and match statistics
• Modified feature: Displaying packet filtering statistics
• Modified feature: Displaying accumulated packet filtering statistics for an ACL
• Modified feature: Displaying ACL application details for packet filtering
• Modified feature: Applying an ACL to an interface for packet filtering
• Modified feature: Specify the applicable scope of packet filtering on a VLAN interface
• Modified feature: Clearing statistics for ACLs
• Modified feature: Clearing the packet filtering statistics and accumulated statistics for an ACL
• Modified feature: Specifying an ACL match criterion
• Modified feature: Displaying predefined control plane QoS policies of cards
• Modified feature: Length range for an ISP domain
• Modified feature: Displaying local user configuration
• Modified feature: Displaying user group configuration
• Modified feature: Enabling the RADIUS server load sharing feature
• Modified feature: Setting the real-time accounting interval
• Modified feature: Displaying 802.1X information
• Modified feature: Port-specific mandatory 802.1X authentication domain
• Modified feature: Removing users from the MAC authentication critical VLAN on a port
• Modified feature: Port security's limit on the number of secure MAC addresses on a port
• Modified feature: Creating an SSH user and specifying the service type and authentication method
• Modified feature: Predefined user roles for SSH and FTP client commands
• Modified feature: Setting the number of ARP blackhole route probes for each unresolved IP address
• Modified feature: Displaying information about SNMPv1 or SNMPv2c communities
• Modified feature: Displaying information about SNMP groups
• Modified feature: Displaying SNMPv3 user information
• Modified feature: Configuring an SNMPv1 or SNMPv2c community
• Modified feature: Creating an SNMP group
• Modified feature: Creating an SNMPv1 or SNMPv2c user
• Modified feature: Creating an SNMPv3 user
• Modified feature: Configuration locking BY NETCONF
• Modified feature: Value range for the interval for an OpenFlow instance to reconnect to a controller
New features: Fundamentals features
Table 1 describes the fundamental features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series Fundamentals Configuration Guide-R3207 and HPE 5130 EI Switch Series Fundamentals Command Reference-R3207.
Table 1 Fundamentals features added in version R3207

| Feature | Command changes |
| --- | --- |
| CLI: Repeating commands in the command history buffer for the current CLI session | The repeat [ number ] [ count times ] [ delay seconds ] command was added. |
| Login management: Associating a Telnet redirect listening port with an IP address | The ip alias command was added. |
| Login management: Specifying an ACL by its name to apply the ACL to the HTTP or HTTPS service | The name acl-name option was added to the following commands: ip http acl; ip https acl |
| Login management: Enabling RESTful access | The following commands were added: restful http enable; restful https enable |
| Login management: Setting the user line locking key | The lock-key key-string command was added. |
| Login management: Locking the current user line and enabling unlocking authentication | The lock reauthentication command was added. |
| Login management: Specifying a source IPv6 address or source interface for outgoing Telnet packets | The source { interface interface-type interface-number \| ipv6 ipv6-address } option was added to the telnet ipv6 command. |
| Login management: Enabling logging for Telnet login attempts that are denied by the Telnet login control ACL | The telnet server acl-deny-log enable command was added. |
| Login management: Applying a Layer 2 ACL to filter Telnet logins | The mac keyword was added to the following commands: telnet server ipv6 acl; telnet server acl |
| Login management: Enabling Web operation logging | The webui log enable command was added. |
| FTP: Associating an SSL server policy with the FTP server | The ftp server ssl-server-policy command was added. |
| FTP: Enabling logging for FTP login attempts that are denied by the FTP login control ACL | The ftp server acl-deny-log enable command was added. |
| Configuration file management: Committing the settings configured after the configuration commit delay timer was set | The configuration commit command was added. |
| Configuration file management: Starting the configuration commit delay timer | The configuration commit delay delay-time command was added. |
| Configuration file management: Main next-startup configuration file backup to an IPv6 TFTP server or download from an IPv6 TFTP server | The ipv6 ipv6-server option was added to the following commands: backup startup-configuration; restore startup-configuration |
| Configuration file management: Displaying all running configuration or the running configuration for an IRF member device | The all and slot slot-number options were added to the display current-configuration command. |
| Configuration file management: Displaying all running configuration in the current view | The all keyword was added to the display this command. |
| Configuration file management: Overwriting the target configuration file with the running configuration if an inconsistency is detected between the settings | The changed keyword was added to the save command. |
| Software upgrade: Installing or uninstalling feature or patch images | The following commands were added: display install active; display install committed; install activate; install commit; install deactivate |
| Device management: Displaying CPU usage statistics in table form | The summary keyword was added to the display cpu-usage command. |
| Device management: Displaying flash memory information | The flash keyword was added to the display device command. |
| Device management: Displaying brief memory usage information | The summary keyword was added to the display memory command. |
| Device management: Displaying system stability and status information | The display system stable state command was added. |
| Device management: Setting free-memory thresholds in percentage, and setting and displaying free-memory early-warning thresholds and sufficient-memory thresholds | The early-warning, secure, and ratio options were added to the memory-threshold command. The display memory-threshold command also displays early warning thresholds. |

New features: IRF features
Table 2 describes the IRF features added in this software version. For more information about the
features and commands, see HPE 5130 EI Switch Series IRF Configuration Guide-R3207 and HPE
5130 EI Switch Series IRF Command Reference-R3207.
Table 2 IRF features added in version R3207

| Feature | Command changes |
| --- | --- |
| Bulk-configuring basic IRF settings | The easy-irf command was added. |

New features: Layer 2—LAN switching features
Table 3 describes the Layer 2—LAN switching features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series Layer 2—LAN Switching Configuration Guide-R3207 and HPE 5130 EI Switch Series Layer 2—LAN Switching Command Reference-R3207.
Table 3 Layer 2—LAN switching features added in version R3207

| Feature | Command changes |
| --- | --- |
| Ethernet link aggregation: Configuring an aggregate interface as an edge aggregate interface | The lacp edge-port command was added. |
| Ethernet link aggregation: Configuring LACP to operate in passive mode on a port | The lacp mode passive command was added. |
| Ethernet link aggregation: Using the port speeds as the preferential criteria for selecting a reference port for a dynamic aggregation group | The lacp select speed command was added. |
| Ethernet link aggregation: Enabling the current interface to synchronize the attribute configurations from the aggregate interface when the interface was assigned to the aggregate interface | The force keyword was added to the port link-aggregation group command. |
| Spanning tree: Enabling SNMP notifications for new-root election events or spanning tree topology changes | The new-root and tc keywords were added to the snmp-agent trap enable stp command. |
| Spanning tree: Enabling dispute guard | The stp dispute-protection command was added. |
| Spanning tree: Disabling inconsistent PVID protection | The stp ignore-pvid-inconsistency command was added. |
| Spanning tree: Configuring BPDU guard on an interface | The stp port bpdu-protection { enable \| disable } command was added. |
| Spanning tree: Disabling the device from reactivating edge ports shut down by BPDU guard | The stp port shutdown permanent command was added. |
| Spanning tree: Enabling PVST BPDU guard | The stp pvst-bpdu-protection command was added. |
| VLAN: Clearing statistics on a VLAN interface | The reset counters interface vlan-interface |
| VLAN: Associating a VLAN with the specified protocol template | The raw keyword was added to the protocol-vlan command. |
| L2PT: Enabling L2PT for UDLD | The udld keyword was added to the l2protocol tunnel dot1q command. |
| LLDP: Enabling advertisement of the management address TLV globally and setting the management address to be advertised | The lldp [ agent { nearest-customer \| nearest-nontpmr } ] global tlv-enable basic-tlv management-address-tlv [ ipv6 ] { ip-address \| interface loopback interface-number \| interface vlan-interface interface-number } command was added. |

New features: Layer 3—IP services features
Table 4 describes the Layer 3—IP services features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series Layer 3—IP Services Configuration Guide-R3207 and HPE 5130 EI Switch Series Layer 3—IP Services Command Reference-R3207.
Table 4 Layer 3—IP services features added in version R3207

| Feature | Command changes |
| --- | --- |
| Displaying the maximum number of ARP entries that a device supports | The display arp entry-limit command was added. |
| Setting the aging timer for dynamic ARP entries | The second aging-seconds option was added to the arp timer aging command. |
| Setting the times and the interval for retransmitting a gratuitous ARP packet for the device MAC address change | The gratuitous-arp mac-change retransmit times interval seconds command was added. |
| IP addressing: Displaying brief IP configuration for Layer 3 interfaces | The description keyword was added to the display ip interface brief command. |
| Enabling client offline detection on the DHCP server or relay agent | The dhcp client-detect command was added. |
| Enabling DHCP logging on the DHCP server | The dhcp log enable command was added. |
| Enabling the DHCP server proxy on the relay agent | The proxy keyword was added to the dhcp select command. |
| DHCP server: Specifying a DHCP address pool for a DHCP user class | The class ip-pool command was added. |
| DHCP server: Specifying a DHCP option group for a DHCP user class in a DHCP address pool | The class option-group command was added. |
| DHCP server: Specifying the default DHCP address pool | The default ip-pool command was added. |
| DHCP server: Applying a DHCP policy to an interface | The dhcp apply-policy command was added. |
| DHCP server: Creating a DHCP option group and entering its view | The dhcp option-group command was added. |
| DHCP server: Creating a DHCP policy | The dhcp policy command was added. |
| DHCP server: Enabling MAC address check on the DHCP server | The dhcp server check mac-address command was added. |
| DHCP server: Configuring the DHCP server to back up the bindings to a file | The following commands were added: dhcp server database filename; dhcp server database update interval; dhcp server database update now; dhcp server database update stop; display dhcp server database |
| DHCP server: Configuring a match rule for a DHCP user class | The following parameters were added to the if-match command: hardware-address hardware-address mask hardware-address-mask; ascii ascii-string offset offset partial; relay-agent gateway-address |
| DHCP server: Setting the DHCP address pool usage threshold | The ip-in-use threshold command was added. |
| DHCP server: Customizing a DHCP option | The option command was added in DHCP option group view. |
| DHCP server: Configuring the DHCP server in DHCP policy view | The following commands were added in DHCP policy view: class ip-pool; default ip-pool |
| DHCP server: Adding DHCP user classes to the whitelist | The valid class command was added. |
| DHCP server: Enabling the DHCP user class whitelist | The verify class command was added. |
| DHCP relay agent: Enabling the switchback to the master DHCP server and setting the delay time | The following commands were added: dhcp relay master-server switch-delay; master-server switch-delay |
| DHCP relay agent: Specifying the DHCP server selecting algorithm | The following commands were added: dhcp relay server-address algorithm; remote-server algorithm |
| DHCP relay agent: Setting the DHCP server response timeout time for DHCP server switchover | The dhcp relay dhcp-server timeout command was added. |
| DHCP relay agent: Specifying the DHCP relay agent address to be inserted in DHCP requests | The dhcp relay gateway command was added. |
| DHCP relay agent: Configuring the padding mode and padding format for the Circuit ID sub-option | The following keywords were added to the dhcp relay information circuit-id command: bas; interface |
| DHCP relay agent: Specifying the source IP address for relayed DHCP requests | The dhcp relay source-address command was added. |
| DHCP relay agent: Enabling the DHCP smart relay feature | dhcp smart-relay enable |
| DHCP relay agent: Setting the DHCP server response timeout time for DHCP server switchover | The dhcp-server timeout command was added. |
| DHCP relay agent: Specifying DHCP servers for a DHCP address pool | The remote-server command was added. |
| DHCP snooping: Enabling the recording of DHCP snooping entries for a VLAN | The dhcp snooping binding record command was added in VLAN view. |
| DHCP snooping: Disabling DHCP snooping on an interface | The dhcp snooping disable command was added. |
| DHCP snooping: Enabling DHCP snooping for VLANs | The dhcp snooping enable vlan command was added. |
| DHCP snooping: Configuring an interface in a VLAN as a trusted port | The dhcp snooping trust interface command was added. |
| DHCP snooping: Displaying DHCP snooping entries | The verbose keyword was added to the display dhcp snooping binding command. |
| IP forwarding basics: Saving the IP forwarding entries to a file | The ip forwarding-table save filename filename command was added. |
| IP performance optimization: Enabling an interface to forward directed broadcasts destined for the directly connected network | The acl acl-number option was added to the ip forward-broadcast command. |
| IPv6 basics: Displaying the maximum number of ND entries that a device supports | The display ipv6 neighbors entry-limit command was added. |
| IPv6 basics: Specifying an IPv6 prefix for an interface to automatically generate an IPv6 global unicast address and advertising the prefix | The ipv6 address prefix-number command was added. |
| IPv6 basics: Configuring the default settings for prefixes advertised in RA messages | The ipv6 nd ra prefix default command was added. |
| IPv6 basics: Setting the interval for retransmitting an NS message for DAD | The ipv6 nd snooping dad retrans-timer interval command was added. |
| IPv6 basics: Setting timeout timers for ND snooping entries | The ipv6 nd snooping lifetime { invalid invalid-lifetime \| valid valid-lifetime } command was added. |
| IPv6 basics: Configuring the port as an ND snooping uplink port which cannot learn ND snooping entries | The ipv6 nd snooping uplink command was added. |
| IPv6 basics: Enabling IPv6 local fragment reassembly | The ipv6 reassemble local enable command was added. |
| Enabling the DHCPv6 server or relay agent to advertise IPv6 prefixes | The ipv6 dhcp advertise pd-route command was added. |
| Enabling DHCPv6 logging on the DHCPv6 server | The ipv6 dhcp log enable command was added. |
| DHCPv6 server: Specifying a DHCPv6 address pool for a DHCPv6 user class | The class pool command was added. |
| DHCPv6 server: Specifying the default DHCPv6 address pool | The default pool command was added. |
| DHCPv6 server: Displaying information about a DHCPv6 option group | The display ipv6 dhcp option-group command was added. |
| DHCPv6 server: Configuring the DHCPv6 server in DHCPv6 option group view | The following commands were added in DHCPv6 option group view: dns-server; domain-name |
| DHCPv6 server: Configuring a match rule for a DHCPv6 user class | The if-match command was added. |
| DHCPv6 server: Applying a DHCPv6 policy to an interface | The ipv6 dhcp apply-policy command was added. |
| DHCPv6 server: Creating a DHCPv6 user class and entering DHCPv6 user class view | The ipv6 dhcp class command was added. |
| DHCPv6 server: Creating a static DHCPv6 option group | The ipv6 dhcp option-group command was added. |
| DHCPv6 server: Creating a DHCPv6 policy | The ipv6 dhcp policy command was added. |
| DHCPv6 server: Specifying a prefix for a DHCPv6 address pool | The prefix prefix-number option was added to the ipv6 dhcp prefix-pool command. |
| DHCPv6 server: Configuring the DHCPv6 server to back up the bindings to a file | The following commands were added: ipv6 dhcp server database filename; ipv6 dhcp server database update interval; ipv6 dhcp server database update now; ipv6 dhcp server database update stop; display ipv6 dhcp server database |
| DHCPv6 server: Specifying an IPv6 subnet for dynamic allocation in a DHCPv6 address pool | The following options were added to the network command: prefix prefix-number; sub-prefix/sub-prefix-length |
| DHCPv6 server: Configuring the DHCPv6 server in DHCPv6 option group view | The following commands were added in DHCPv6 option group view: option; sip-server |
| DHCPv6 server: Specifying a DHCPv6 option group for a DHCPv6 address pool | The option-group command was added. |
| DHCPv6 relay agent: Displaying DHCPv6 relay entries that record clients' IPv6 address information | The display ipv6 dhcp relay client-information address command was added. |
| DHCPv6 relay agent: Displaying DHCPv6 relay entries that record clients' IPv6 prefix information | The display ipv6 dhcp relay client-information pd command was added. |
| DHCPv6 relay agent: Specifying gateway addresses for DHCPv6 clients in a DHCPv6 address pool | The gateway-list command was added. |
| DHCPv6 relay agent: Enabling client offline detection | The ipv6 dhcp client-detect command was added. |
| DHCPv6 relay agent: Enabling the DHCPv6 relay agent to record relay entries | The ipv6 dhcp relay client-information record command was added. |
| DHCPv6 relay agent: Specifying a gateway address for DHCPv6 clients | The ipv6 dhcp relay gateway command was added. |
| DHCPv6 relay agent: Specifying a padding mode for the Interface-ID option | The ipv6 dhcp relay interface-id command was added. |
| DHCPv6 relay agent: Enabling IPv6 release notification | The ipv6 dhcp relay release-agent command was added. |
| DHCPv6 relay agent: Specifying DHCPv6 servers for the DHCPv6 address pool | The remote-server command was added. |
| DHCPv6 relay agent: Clearing DHCPv6 relay entries that record clients' IPv6 address information | The reset ipv6 dhcp relay client-information address command was added. |
| DHCPv6 relay agent: Clearing DHCPv6 relay entries that record clients' IPv6 prefix information | The reset ipv6 dhcp relay client-information pd command was added. |
| DHCPv6 client: Configuring the interface to use DHCPv6 to obtain an IPv6 address and other configuration parameters | The option-group option-group-number option was added to the following commands: ipv6 dhcp client pd; ipv6 address dhcp-alloc |
| DHCPv6 client: Configuring the DHCPv6 client DUID | The ipv6 dhcp client duid command was added. |
| DHCPv6 client: Configuring the interface to use DHCPv6 to obtain an IPv6 address, an IPv6 prefix, and other configuration parameters | The ipv6 dhcp client stateful command was added. |

New features: Layer 3—IP routing features
Table 5 describes the Layer 3—IP routing features added in this software version. For more
information about the features and commands, see HPE 5130 EI Switch Series Layer 3—IP Routing
Configuration Guide-R3207 and HPE 5130 EI Switch Series Layer 3—IP Routing Command
Reference-R3207.
Table 5 Layer 3—IP routing features added in version R3207

| Feature | Command changes |
| --- | --- |
| RIP: Displaying the GR status for a RIP process | The display rip graceful-restart command was added. |
| RIP: Displaying the NSR status for a RIP process | The display rip non-stop-routing command was added. |
| RIP: Setting the GR interval | The graceful-restart interval command was added. |
| RIP: Enabling RIP NSR | The non-stop-routing command was added. |
| RIP: Configuring RIP FRR | The fast-reroute command was added. |
| RIPng: Displaying the GR status for a RIPng process | The display ripng graceful-restart command was added. |
| RIPng: Displaying the NSR status for a RIPng process | The display ripng non-stop-routing command was added. |
| RIPng: Enabling RIPng FRR | The fast-reroute command was added. |
| RIPng: Setting the GR interval | The graceful-restart interval command was added. |
| RIPng: Enabling RIPng NSR | The non-stop-routing command was added. |
| RIPng: Enabling BFD single-hop echo detection for RIPng FRR | The ripng primary-path-detect bfd echo command was added. |

New features: IP multicast features
Table 6 describes the IP multicast features added in this software version. For more information
about the features and commands, see HPE 5130 EI Switch Series IP Multicast Configuration
Guide-R3207 and HPE 5130 EI Switch Series IP Multicast Command Reference-R3207.
Table 6 IP multicast features added in version R3207

| Feature | Command changes |
| --- | --- |
| IGMP snooping: Displaying information about dynamic IGMP snooping group entries for an interface | The interface interface-type interface-number option was added to the display igmp-snooping group command. |
| IGMP snooping: Displaying detailed information about dynamic router ports | The verbose keyword was added to the display igmp-snooping router-port command. |
| IGMP snooping: Displaying detailed information about static router ports | The verbose keyword was added to the display igmp-snooping static-router-port command. |
| IGMP snooping: Enabling IGMP snooping globally | The global-enable command was added. |
| IGMP snooping: Disabling IGMP snooping for a VLAN | The igmp-snooping disable command was added. |
| PIM snooping: Displaying detailed information about PIM snooping router ports | The verbose keyword was added to the display pim-snooping router-port command. |
| MLD snooping: Displaying information about dynamic MLD snooping group entries for an interface | The interface interface-type interface-number option was added to the display mld-snooping group command. |
| MLD snooping: Displaying detailed information about dynamic router ports | The verbose keyword was added to the display mld-snooping router-port command. |
| MLD snooping: Displaying detailed information about static router ports | The verbose keyword was added to the display mld-snooping static-router-port command. |
| MLD snooping: Enabling MLD snooping globally | The global-enable command was added. |
| MLD snooping: Disabling MLD snooping for a VLAN | The mld-snooping disable command was added. |
| IPv6 PIM snooping: Displaying detailed information about IPv6 PIM snooping router ports | The verbose keyword was added to the display ipv6 pim-snooping router-port command. |

New features: ACL and QoS features
Table 7 describes the ACL and QoS features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series ACL and QoS Configuration Guide-R3207 and HPE 5130 EI Switch Series ACL and QoS Command Reference-R3207.
Table 7 ACL and QoS features added in version R3207

| Feature | Command changes |
| --- | --- |
| ACL: Enabling SNMP notifications for packet filtering and setting the interval | The acl trap interval command was added. |
| ACL: Setting a rule numbering step for an ACL | The start start-value option was added to the step command. |
| QoS: Configuring a description for a traffic class | The description command was added. |
| QoS: Associating a traffic behavior with a traffic class in a QoS policy | The insert-before before-classifier-name option was added to the classifier behavior command. |
| QoS: Displaying QoS policies applied to user profiles | display qos policy user-profile |
| QoS: Configuring queue scheduling profiles | The following commands were added: display qos qmprofile configuration; display qos qmprofile interface; qos qmprofile; bandwidth queue; queue; qos apply qmprofile |
| Data buffer: Configuring data buffer monitoring | The following commands were added: display buffer usage interface; buffer usage threshold |

New features: Security features
Table 8 describes the security features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series Security Configuration Guide-R3207 and HPE 5130 EI Switch Series Security Command Reference-R3207.
Table 8 Security features added in version R3207
Feature
AAA: New authorization attributes for users
Command changes
The following parameters were added in the
authorization-attribute
command in ISP domain view:
•
acl
•
car
•
igmp
12
Feature
AAA: Configuring a description for a network access user
•
•
Command changes
•
mld url user-group
The following parameters were added in the
authorization-attribute
command in local user view or user group view:
•
idle-cut
•
session-timeout
AAA: Configuring the device to include the idle cut period in the user online duration sent to the server
The
session-time include-idle-time
command was added.
The
description
command was added in local user view.
The
local-user auto-delete enable
command was added.
AAA: Configuring the auto-delete feature of local users
AAA: Configuring the validity period for a network access user
AAA: Configuring the device ID
The
The
validity-datetime
command was added.
aaa device-id
command was added.
AAA: Enabling the extended accounting-on feature
The
accounting-on extended
command was added.
AAA: Configuring the device to interpret the
RADIUS class attribute (attribute 25) as CAR parameters
The
attribute 25 car
command was added.
AAA: Configuring the MAC address format for
RADIUS attribute 31
The
attribute 31 mac-format
command was added.
AAA: Setting the data measurement unit for the
Remanent_Volume attribute
The
attribute remanent-volume
command was added.
AAA: Configuring the RADIUS attribute translation feature
•
•
•
The following commands were added:
•
attribute convert
(RADIUS DAS view)
•
attribute convert
(RADIUS scheme view)
attribute reject attribute reject
(RADIUS DAS view)
(RADIUS scheme view)
attribute translate
•
radius attribute extended
AAA: Configuring the DSCP priority of RADIUS packets
AAA: Support for CoA messages to shut down or reboot the access port of users or reauthenticate users
The
N/A
radius dscp
command was added.
AAA: Specifying a RADIUS session-control client
AAA: Configuring an LDAP attribute map
The
radius session-control client
command was added.
The following commands were added:
•
attribute-map
•
•
ldap attribute-map map
13
Feature
AAA: Specifying the LDAP authorization server
AAA: Broadcasting RADIUS accounting requests
Command changes
The
authorization-server
command was added.
The
broadcast
keyword was added to the following commands:
•
accounting lan-access
•
accounting portal
AAA: Displaying the HWTACACS service statistics
The
display hwtacacs scheme
[
hwtacacs-scheme-name
statistics
] command was added.
AAA: Configuring the RADIUS server feature
•
•
The following commands were added:
•
display radius-server active-client
•
display radius-server active-user radius-server activate radius-server client
802.1X: Redirect URL assignment
802.1X: Displaying information about online
802.1X open users
N/A
The
open
keyword was added to the
display dot1x connection
command.
802.1X: Displaying MAC address information of
802.1X users in specific VLANs
802.1X: Enabling logging for 802.1X users
The
display dot1x mac-address
command was added.
The
dot1x access-user log enable
command was added.
802.1X: Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
The
dot1x after-mac-auth max-attempt
command was added.
802.1X: Specifying supported domain name delimiters
MAC authentication: Redirect URL assignment
The
dot1x domain-delimiter
command was added.
N/A
MAC authentication: Displaying information about online MAC authentication open users
MAC authentication: Enabling logging for MAC authentication users
The
open
keyword was added to the
display mac-authentication connection
command.
MAC authentication: Displaying MAC address information of MAC authentication users in specific
VLANs
The
display mac-authentication mac-address
command was added.
The
mac-authentication access-user log enable
command was added.
MAC authentication: Enabling the authorization
VLAN auto-tag feature
MAC authentication: Including user IP addresses in MAC authentication requests
Port security: Redirect URL assignment for specific port security modes
The
mac-authentication auto-tag
[
ignore-config
]
command was added.
The
mac-authentication carry user-ip
command was added.
N/A
Port security: Enabling open authentication mode
The following commands were added:
•
port-security authentication
14
Feature Command changes open
•
port-security authentication open global
Port security: Setting the secure MAC aging timer in seconds
Port security: Enabling logging for port security users
Port security: Enabling the quiet timer function for the authorization-fail-offline feature
The
second
keyword was added to the
port-security timer autolearn aging
command.
The
port-security access-user log enable
command was added.
The
quiet-period
keyword was added to the
port-security authorization-fail offline
command.
Port security: Setting port security's limit on the number of MAC addresses for specific VLANs on a port
The
port-security mac-limit
command was added.
Port security: Setting port security's limit on the number of secure MAC addresses for specific
VLANs on a port
Portal support for EAP
Portal: Displaying information about portal users
The
vlan
[ vlan-id-list ]
option was added to the
port-security max-mac-count
command.
N/A
•
•
•
The following parameters were added in the
display portal user
command:
•
ip ipv6 pre-auth verbose
Portal: Displaying information about Web redirect rules
Portal: Configuring a match rule for URL redirection
The
display web-redirect rule interface
interface-type
interface-number [ slot
slot-number
] command was added.
The
if-match
{
original-url
url-string
redirect-url
url-string
[
url-param-encryption
{
aes
|
des
}
key
{
cipher
|
simple
} string ] |
user-agent
string
redirect-url
url-string
}
command was added.
Portal: Setting the maximum number of portal users on an interface
Portal: Enabling strict checking on portal authorization information
Portal: Specifying the Layer 3 interface on which an IP-based portal-free rule takes effect
The
portal
{
ipv4-max-user
|
ipv6-max-user
}
max-number
command was added.
The
portal authorization
{
acl
|
user-profile
}
strict-checking
command was added.
The
interface
interface-type interface-number
option was added to the
portal free-rule
command.
Portal: Configuring a destination-based portal-free rule
The
portal free-rule
rule-number
destination
host-name
command was added.
15
Feature
Portal: Enabling logging for portal logins and logouts
Command changes
The
portal log enable
command was added.
Portal: Specifying the format for the NAS-Port-Id attribute
Portal: Specifying a portal preauthentication domain
Portal: Specifying the type of a portal authentication server or portal Web server
Portal: Configuring the device to carry the user
MAC address in encrypted form in the redirect
URL
Portal: Configuring Web redirect
The
portal nas-port-id format
{
1
|
2
|
3
|
4
}
command was added.
The
portal
[
ipv6
]
pre-auth domain
domain-name
command was added.
Portal: Enabling the Rule ARP or ND entry feature for portal clients
The
portal refresh
{ arp | nd }
enable
command was added.
Portal: Allowing only users with DHCP-assigned IP addresses to pass portal authentication
The
portal [ ipv6 ] user-dhcp-only command was added.
Portal: Specifying the port number of a Web proxy server
The
portal web-proxy port port-number command was added.
Portal: Configuring the device to periodically register with the portal authentication server
The
server-register
[
interval
interval-value
]
command was added.
The
server-type { cmcc |
imc
}
command was added.
The
[
encryption
{
aes
|
des
}
key
{
cipher
|
simple
}
string
]
parameter was added to the
url-parameter
command.
The
web-redirect
[
ipv6
]
url
url-string
[
interval
interval ] command was added.
Web authentication: Setting the redirection wait time
Web authentication: Adding parameters to the redirection URL of the Web authentication server
The
redirect-wait-time period
command was added.
The
url-parameter parameter-name
{ original-url | source-address |
source-mac | value expression } command was added.
PKI: Specifying an ECDSA key pair for certificate request
The
public-key ecdsa name
key-name
[
secp256r1
|
secp384r1
|
secp521r1
] command was added in FIPS mode.
IKE: Configuring a description for an IKE proposal The
description
text
command was added.
IKE: Displaying IKE statistics
IKEv2: Displaying IKEv2 statistics
IKEv2: Clearing IKEv2 statistics
SSL: SSL server support for optional SSL client authentication
The
display ike statistics
command was added.
The
display ikev2 statistics
command was added.
The
reset ikev2 statistics
command was added.
The
optional
keyword was added to the
client-verify
command.
SSL: Setting the timeout time for cached sessions
The
timeout
time
option was added to the
session
command.
SSH: Releasing SSH connections
The free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] | user-pid pid-number | username username } command was added.
SSH: Enabling logging for SSH login attempts that are denied by the SSH login control ACL
The ssh server acl-deny-log enable command was added.
SSH: Specifying the SSH service port
The ssh server port port-number command was added.
SSH: Deleting server public keys saved in the public key file on the SSH client
The delete ssh client server-public-key [ server-ip ip-address ] command was added.
SSH: Displaying server public key information saved in the public key file of the SSH client
The display ssh client server-public-key [ server-ip ip-address ] command was added.
802.1X client
All 802.1X client commands were newly added.
IP source guard: Displaying IPv4SG bindings dynamically generated based on ARP snooping or 802.1X
The arp-snooping and dot1x keywords were added to the display ip source binding command.
IP source guard: Displaying IPv6SG bindings dynamically generated based on DHCPv6 relay agent, 802.1X, or ND snooping
The following keywords were added to the display ipv6 source binding command:
• dhcpv6-relay
• dot1x
• nd-snooping
ARP attack protection: Converting valid static ARP entries to dynamic ARP entries and deleting invalid static ARP entries
The undo arp fixup command was added.
ARP attack protection: Specifying the sender IP address range for ARP packet checking
The arp sender-ip-range command was added.
SAVI
All SAVI commands were newly added.
New features: High availability features
about the features and commands, see HPE 5130 EI Switch Series High Availability Configuration Guide-R3207 and HPE 5130 EI Switch Series High Availability Command Reference-R3207.
Table 9 High availability features added in version R3207
Feature
Command changes
CFD: Enabling two-way DM
The dot1p dot1p-value and interval interval options were added to the cfd dm two-way command.
CFD: Enabling loss measurement
The dot1p dot1p-value and interval interval options were added to the cfd slm command.
DLDP: Setting the port shutdown mode
The hybrid keyword was added to the dldp unidirectional-shutdown command.
BFD: Creating a BFD session for detecting the local interface state
The bfd detect-interface source-ip command was added.
BFD: Enabling the echo packet mode
The receive and send keywords were added to the bfd echo enable command.
BFD: Enabling SNMP notifications for BFD
The snmp-agent trap enable bfd command was added.
Monitor Link: Configuring the uplink interface threshold for triggering monitor link group state switchover
The uplink up-port-threshold command was added.
Process placement
All process placement commands were newly added.
Track: Displaying track entry information
The negative, positive, and brief keywords were added to the display track command.
Track: Creating a track entry and associating it with the physical state of an interface
The track interface physical command was added.
Track: Creating a track entry and associating it with a route entry
The track ip route reachability command was added.
Track: Creating a track entry and associating it with the neighbor availability status of an LLDP interface
The track lldp neighbor command was added.
New features: Network management and monitoring features
Table 10 describes the network management and monitoring features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series Network Management and Monitoring Configuration Guide-R3207 and HPE 5130 EI Switch Series Network Management and Monitoring Command Reference-R3207.
Table 10 Network management and monitoring features added in version R3207
Feature
Command changes
NQA: Specifying a community name for the SNMP operation
The community read command was added.
NQA: Specifying a destination device by its host name for the UDP tracert operation
The destination host command was added.
NQA: Configuring the RADIUS template
The key command was added.
NQA: Specifying the next hop IP address for ICMP echo requests
The next-hop command was added.
NQA: Configuring the TCP half open template
N/A
NQA: Configuring the SSL template
The ssl-client-policy command was added.
NQA: Configuring the HTTPS template
N/A
NTP: Configuring NTP authentication
The hmac-sha-1, hmac-sha-256, hmac-sha-384, and hmac-sha-512 keywords were added to the ntp-service authentication-keyid command.
NETCONF: Specifying a mandatory authentication domain for NETCONF users
The netconf soap domain command was added.
NETCONF: Applying an ACL to NETCONF over SOAP traffic
The netconf soap acl command was added.
NETCONF: Setting the DSCP value for outgoing NETCONF over SOAP packets
The netconf soap dscp command was added.
NETCONF: Specifying a specific name space
The netconf capability specific-namespace command was added.
NETCONF: Setting the NETCONF session idle timeout time
The netconf idle-timeout command was added.
NETCONF: Support for the OverWrite attribute for saving the running configuration
N/A
NETCONF: Subscribing to monitoring events and module report events
N/A
NETCONF: Retrieving NETCONF information
N/A
NETCONF: Retrieving YANG file content
N/A
NETCONF: No support for the <edit-config> operation while the device is rolling back configuration
N/A
VCF fabric
All VCF fabric commands were newly added.
SNMP: Calculating the encrypted form for a key in plaintext form
• In non-FIPS mode: The aes192md5, aes192sha, aes256md5, and aes256sha keywords were added to the snmp-agent calculate-password command.
• In FIPS mode: The aes192sha and aes256sha keywords were added to the snmp-agent calculate-password command.
EAA: Configuring a member device join or leave event
The insert and remove keywords were added to the event hotplug command.
EAA: Configuring a track event for a CLI-defined monitor policy
The event track command was added.
EAA: Setting the size for the EAA-monitored log buffer
The rtm event syslog buffer-size command was added.
Process monitoring and maintenance: Specifying the action to be taken in response to a kernel thread deadloop
The monitor kernel deadloop action command was added.
Process monitoring and maintenance: Enabling kernel thread deadloop detection for a CPU core
The core keyword was added to the monitor kernel deadloop enable command.
Information center: Setting the maximum number of log traps that can be stored in the log trap buffer
The info-center syslog trap command was added.
Information center: Enabling SNMP notifications for log messages
The snmp-agent trap enable syslog command was added.
New features: OpenFlow features
Table 11 describes the OpenFlow features added in this software version. For more information about the features and commands, see HPE 5130 EI Switch Series OpenFlow Configuration Guide-R3207 and HPE 5130 EI Switch Series OpenFlow Command Reference-R3207.
Table 11 OpenFlow features added in version R3207
Feature
Command changes
Displaying information of the client that connects to the server that is enabled for an OpenFlow instance in the controller information
The listened keyword was added to the display openflow command.
Adding the VLAN tagging and untagging flow tables
The ingress-vlan ingress-table-id and egress-vlan egress-table-id options were added to the flow-table command.
Clearing statistics on packets that a controller sends and receives for an OpenFlow instance
The reset openflow instance statistics command was added.
Adding the smart interruption mode
The smart keyword was added to the fail-open mode command.
Modified feature: Configuring a command alias
Feature change description
The syntax of the command for configuring a command alias changed from command-alias mapping to alias.
Command changes
Modified command: command-alias mapping
Old syntax
command-alias mapping
New syntax
alias
Views
Any view
Change description
Before modification: The command syntax is command-alias mapping.
After modification: The command syntax is alias.
Modified feature: Displaying command aliases
Feature change description
The syntax of the command for displaying command aliases changed from display command-alias to display alias.
Command changes
Modified command: display command-alias
Old syntax
display command-alias
New syntax
display alias
Views
Any view
Change description
Before modification: The command syntax is display command-alias.
After modification: The command syntax is display alias.
Modified feature: Configuring a hotkey
Feature change description
More hotkeys can be modified.
Command changes
Modified command: hotkey
Old syntax
hotkey { ctrl_g | ctrl_l | ctrl_o | ctrl_t | ctrl_u } command
New syntax
hotkey hotkey { command | function function | none }
Views
System view
Change description
Before modification: The command allows you to configure only five hotkeys.
After modification: The command allows you to configure all hotkeys.
Modified feature: Maximum length for a configuration file name
Feature change description
The maximum length was increased for a configuration file name.
Command changes
Modified command: configuration replace file
Syntax
configuration replace file filename
Views
System view
Change description
Before modification: The maximum length cannot exceed 191 characters for a configuration file name. The file name can include the file path.
After modification: The maximum length cannot exceed 255 characters for a configuration file name. The file name can include the file path.
Modified command: restore startup-configuration
Syntax
restore startup-configuration from tftp-server src-filename
Views
User view
Change description
Before modification: The maximum length cannot exceed 191 characters for a configuration file name. The file name can include the file path.
After modification: The maximum length cannot exceed 255 characters for a configuration file name. The file name can include the file path.
Modified command: save
Syntax
save file-url [ all | slot slot-number ]
Views
Any view
Change description
Before modification: The maximum length cannot exceed 191 characters for a configuration file name. The file name can include the file path.
After modification: The maximum length cannot exceed 255 characters for a configuration file name. The file name can include the file path.
Modified command: startup saved-configuration
Syntax
startup saved-configuration cfgfile [ backup | main ]
Views
User view
Change description
Before modification: The maximum length cannot exceed 191 characters for a configuration file name. The file name can include the file path.
After modification: The maximum length cannot exceed 255 characters for a configuration file name. The file name can include the file path.
Modified feature: BFD MAD collision handling process
Feature change description
Before modification, BFD MAD uses the following process to handle a multi-active collision:
1. Compares the member IDs of the masters in the split IRF fabrics.
2. Sets all fabrics to the Recovery state except the one that has the lowest numbered master.
BFD MAD cannot be configured together with LACP MAD, because they handle collisions differently.
After modification, BFD MAD uses the following process to handle a multi-active collision:
1. Compares the number of members in each split IRF fabric.
2. Sets all fabrics to the Recovery state except the one that has the most members.
3. Compares the member IDs of the masters if all IRF fabrics have the same number of members.
4. Sets all fabrics to the Recovery state except the one that has the lowest numbered master.
BFD MAD can be configured together with LACP MAD.
Command changes
None.
Modified feature: Support for commands on IRF physical interfaces
Feature change description
The following commands were added on IRF physical interfaces:
• MAC address table configuration commands, including the mac-address static source-check enable command. For information about this command, see HPE 5130 EI Switch Series Layer 2—LAN Switching Command Reference-R3207.
• The mirroring-group reflector-port command. Use this command to configure the reflector port for a remote source group. When you execute this command on an IRF physical interface, the binding between the physical interface and IRF port is removed. To avoid IRF split, do not configure a physical interface as a reflector port if that interface is the only member interface of an IRF port. For more information about the mirroring-group reflector-port command, see HPE 5130 EI Switch Series Network Management and Monitoring Command Reference-R3207.
• LLDP commands, including:
  lldp admin-status
  lldp check-change-interval
  lldp enable
  lldp encapsulation snap
  lldp notification remote-change enable
  lldp tlv-enable
  Use these commands to view the connectivity and status of IRF links. For more information about LLDP commands, see HPE 5130 EI Switch Series Layer 2—LAN Switching Command Reference-R3207.
Command changes
The following commands were added in IRF physical interface view:
• lldp admin-status
• lldp check-change-interval
• lldp enable
• lldp encapsulation snap
• lldp notification remote-change enable
• lldp tlv-enable
• mac-address static source-check enable
• mirroring-group reflector-port
Modified feature: Excluding a service interface from the IRF MAD shutdown action by the system
Feature change description
When the IRF fabric transits to the Recovery state, the system automatically excludes the following service interfaces from being shut down:
• Before modification:
  • IRF physical interfaces.
  • Member interfaces of an aggregate interface if the aggregate interface is excluded from being shut down.
• After modification:
  • IRF physical interfaces.
  • Interfaces used for BFD MAD.
  • Member interfaces of an aggregate interface if the aggregate interface is excluded from being shut down.
Command changes
None.
Modified feature: Displaying information about packets dropped on an interface
Feature change description
Statistics about packets dropped due to insufficient data buffer were displayed.
Command changes
Modified command: display packet-drop
Syntax
display packet-drop { interface [ interface-type [ interface-number ] ] | summary }
Views
Any view
Change description
Before modification: The command cannot display statistics about packets dropped due to insufficient data buffer.
After modification: The command can display statistics about packets dropped due to insufficient data buffer as follows:
Packets dropped due to insufficient data buffer. Input dropped: 0 Output dropped:0
Modified feature: Displaying MAC address move records
Feature change description
The maximum number of MAC address move records the device can display changed from 20 to 200.
Command changes
None.
Modified feature: MAC address move notifications
Feature change description
Before modification: Within a detection interval, an IRF member device can record MAC address move information for a maximum of 20 MAC addresses. The most recent record will override the oldest one.
After modification:
Within a detection interval, an IRF member device can record MAC address move information for a maximum of 20 MAC addresses. The records are ranked in descending order of MAC move counts.
When the MAC move count of a new record is higher than the MAC move count of any existing record, the device performs the following operations:
• Discards the record that has the lowest MAC move count.
• Ranks the MAC address move records in descending order of MAC move count.
Then, in the next detection interval, the device discards all MAC address move records generated in the previous detection interval and starts another round of MAC move record generation.
Command changes
None.
Modified feature: Setting the voice VLAN aging timer
Feature change description
You can configure voice VLANs not to age out in this version and later.
Command changes
Modified command: voice-vlan aging
Syntax
voice-vlan aging minutes
undo voice-vlan aging
Views
System view
Change description
Before modification: The value of voice VLAN aging timer is in the range of 5 to 43200 minutes.
After modification: The value of voice VLAN aging timer can be 0 minutes or in the range of 5 to 43200 minutes. If you set the voice VLAN aging timer to 0 minutes, the voice VLAN does not age out.
Modified feature: Creating a VLAN
Feature change description
When you create a VLAN, you can specify a space-separated list of up to 32 VLAN items in this version and later.
Command changes
Modified command: vlan
Old syntax
vlan { vlan-id1 [ to vlan-id2 ] | all }
undo vlan { vlan-id1 [ to vlan-id2 ] | all }
New syntax
vlan { vlan-id-list | all }
undo vlan { vlan-id-list | all }
Views
System view
Change description
Before modification: The vlan-id1 to vlan-id2 option specifies a VLAN range. This option can be specified only once.
After modification: The vlan-id-list argument specifies a space-separated list of up to 32 VLAN items.
Modified feature: Displaying history about ports that are blocked by spanning tree protection features
Feature change description
You can use the display stp abnormal-port command to display history about ports that are blocked by spanning tree protection features.
Command changes
Modified command: display stp abnormal-port
Syntax
display stp abnormal-port
Views
Any view
Change description
Before modification:
<Sysname> display stp abnormal-port
MST ID Blocked Port Reason
1 GigabitEthernet1/0/1 Root-Protected
2 GigabitEthernet1/0/2 Loop-Protected
12 GigabitEthernet1/0/3 Loopback-Protected
After modification:
<Sysname> display stp abnormal-port
 ---[GigabitEthernet1/0/1]---
MST ID BlockReason Time
0 Loopback-Protected 07:56:44 05/01/2017
0 Disputed 07:56:37 05/01/2017
0 Loop-Protected 06:56:13 05/01/2017
 ---[GigabitEthernet1/0/2]---
MST ID BlockReason Time
0 Loopback-Protected 07:55:51 05/01/2017
Modification:
• In an MSTI or VLAN, this command can display a maximum of three history records for a port that is blocked by spanning tree protection features.
• The following fields were added to the output from the display stp abnormal-port command:
  BlockReason—Reason that the port was blocked.
  Time—Protection feature trigger time.
Modified feature: Setting the LLDP frame transmission interval
Feature change description
The minimum LLDP frame transmission interval was changed from 5 seconds to 1 second.
Command changes
Modified command: lldp timer tx-interval
Syntax
lldp timer tx-interval interval
undo lldp timer tx-interval
Views
System view
Change description
Before modification: The value range for the interval argument was 5 to 32768 seconds.
After modification: The value range for the interval argument is 1 to 32768 seconds.
Modified feature: Displaying ARP entries
Feature change description
The unit of the displayed aging time for ARP entries was changed from minute to second, and Rule ARP entries were added to the output.
Command changes
Modified command: display arp
Syntax
display arp [ [ all | dynamic | multiport | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]
Views
Any view
Change description
Before modification:
# Display brief information about all ARP entries.
<Sysname> display arp all
Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid
IP Address MAC Address VLAN Interface Aging Type
20.1.1.1 00e0-fc00-0001 N/A N/A N/A S
193.1.1.70 00e0-fe50-6503 100 GE1/0/1 N/A IS
192.168.0.115 000d-88f7-9f7d 1 GE1/0/2 18 D
192.168.0.39 0012-a990-2241 1 GE1/0/3 20 D
22.1.1.1 010c-299d-c041 10 N/A N/A M
# Display detailed information about all ARP entries.
<Sysname> display arp all verbose
Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid
IP Address MAC Address VLAN Interface Aging Type
Vpn Instance
20.1.1.1 00e0-fc00-0001 N/A N/A N/A S
[No Vrf]
193.1.1.70 00e0-fe50-6503 100 GE1/0/1 N/A IS
[No Vrf]
192.168.0.115 000d-88f7-9f7d 1 GE1/0/2 18 D
[No Vrf]
192.168.0.39 0012-a990-2241 1 GE1/0/3 20 D
[No Vrf]
22.1.1.1 010c-299d-c041 10 N/A N/A M
[No Vrf]
After modification:
# Display brief information about all ARP entries.
<Sysname> display arp all
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP Address MAC Address VID Interface/Link ID Aging Type
1.1.1.1 02e0-f102-0023 1 GE1/0/1 N/A S
1.1.1.2 00e0-fc00-0001 12 GE1/0/2 960 D
1.1.1.3 00e0-fe50-6503 12 Tunnel1 960 D
1.1.1.4 000d-88f7-9f7d 12 0x1 960 D
# Display detailed information about all ARP entries.
<Sysname> display arp all verbose
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP Address : 1.1.1.1 VID : 1 Aging : N/A
MAC Address : 02e0-f102-0023 Type: S Nickname: 0x0000
Interface/Link ID: GE1/0/1
VPN Instance : [No Vrf]
VXLAN ID : N/A
VSI Name : N/A
VSI Interface : N/A
IP Address : 1.1.1.2 VID : 12 Aging : 960 sec
MAC Address : 0015-e944-adc5 Type: D Nickname: 0x0000
Interface/Link ID: GE1/0/2
VPN Instance : [No Vrf]
VXLAN ID : N/A
VSI Name : N/A
VSI Interface : N/A
IP Address : 1.1.1.3 VID : 12 Aging : 960 sec
MAC Address : 0013-1234-0001 Type: D Nickname: 0x0000
Interface/Link ID: Tunnel1
VPN Instance : [No Vrf]
VXLAN ID : N/A
VSI Name : N/A
VSI Interface : N/A
IP Address : 1.1.1.4 VID : 12 Aging : 960 sec
MAC Address : 0012-1234-0002 Type: D Nickname: 0x0000
Interface/Link ID: 0x1
VPN Instance : [No Vrf]
VXLAN ID : N/A
VSI Name : N/A
VSI Interface : N/A
The following changes were added to the command output:
• The R-Rule field was added.
• The unit of the displayed aging time for ARP entries was changed from minute to second.
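Monitoring scripts that scrape display arp all (for example, to watch IP-to-MAC bindings) have to handle both layouts, because the Aging column changes unit without changing its header. The following Python parser is an added example, not HPE code: it reads the brief listings shown above and normalizes the aging time to seconds. Choosing the unit from the presence of R-Rule in the legend line is an assumption drawn from these two samples, and the names parse_display_arp and with_aging_at_most are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Brief-format listings copied from the "before" and "after" samples above.
BEFORE = """\
Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid
IP Address MAC Address VLAN Interface Aging Type
20.1.1.1 00e0-fc00-0001 N/A N/A N/A S
193.1.1.70 00e0-fe50-6503 100 GE1/0/1 N/A IS
192.168.0.115 000d-88f7-9f7d 1 GE1/0/2 18 D
192.168.0.39 0012-a990-2241 1 GE1/0/3 20 D
22.1.1.1 010c-299d-c041 10 N/A N/A M
"""

AFTER = """\
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP Address MAC Address VID Interface/Link ID Aging Type
1.1.1.1 02e0-f102-0023 1 GE1/0/1 N/A S
1.1.1.2 00e0-fc00-0001 12 GE1/0/2 960 D
1.1.1.3 00e0-fe50-6503 12 Tunnel1 960 D
1.1.1.4 000d-88f7-9f7d 12 0x1 960 D
"""

# One data row: IP, MAC, VLAN/VID, interface or link ID, aging, type flags.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\S+)\s+(?P<intf>\S+)\s+(?P<aging>\S+)\s+"
    r"(?P<type>[SDORMI]+)$",
    re.IGNORECASE,
)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan: Optional[int]
    interface: Optional[str]
    aging_seconds: Optional[int]  # None for entries shown as N/A
    flags: str                    # letters from the Type legend, e.g. "D" or "IS"


def _int_or_none(token: str) -> Optional[int]:
    """Return the integer value of a column, or None for N/A and similar."""
    return int(token) if token.isdigit() else None


def parse_display_arp(text: str,
                      aging_unit_seconds: Optional[int] = None) -> List[ArpEntry]:
    """Parse brief 'display arp' output and normalize aging to seconds.

    If aging_unit_seconds is not given, the unit is inferred from the legend:
    output that lists R-Rule is treated as seconds, older output as minutes
    (an assumption based on the two samples in the release notes).
    """
    lines = [line.strip() for line in text.splitlines()]
    if aging_unit_seconds is None:
        legend = next((l for l in lines if l.startswith("Type:")), "")
        aging_unit_seconds = 1 if "R-Rule" in legend else 60

    entries = []
    for line in lines:
        m = ROW.match(line)
        if m is None:
            continue  # legend, column header, prompt, or blank line
        aging = _int_or_none(m["aging"])
        entries.append(ArpEntry(
            ip=m["ip"],
            mac=m["mac"].lower(),
            vlan=_int_or_none(m["vlan"]),
            interface=None if m["intf"].upper() == "N/A" else m["intf"],
            aging_seconds=None if aging is None else aging * aging_unit_seconds,
            flags=m["type"].upper(),
        ))
    return entries


def with_aging_at_most(entries: List[ArpEntry], seconds: int) -> List[str]:
    """IPs of entries whose displayed aging time is at most `seconds`."""
    return [e.ip for e in entries
            if e.aging_seconds is not None and e.aging_seconds <= seconds]


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        for entry in parse_display_arp(sample):
            print(label, entry)
```

A script that keeps reading the column as minutes after the upgrade would treat 960 as 16 hours rather than 16 minutes, so any threshold on aging time needs the normalized value.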
Modified feature: Displaying the aging time of dynamic ARP entries
Feature change description
The unit of the displayed aging time of dynamic ARP entries was changed from minute to second.
Command changes
Modified command: display arp timer aging
Syntax
display arp timer aging
Views
Any view
Change description
Before modification: The unit of the displayed aging time of dynamic ARP entries was minute.
# Display the aging time of dynamic ARP entries.
<Sysname> display arp timer aging
Current ARP aging time is 20 minute(s)
After modification: The unit of the displayed aging time of dynamic ARP entries was changed from minute to second.
# Display the aging time of dynamic ARP entries.
<Sysname> display arp timer aging
Current ARP aging time is 1200 seconds
Modified feature: Specifying gateways on the DHCP server for DHCP clients
Feature change description
The maximum number of gateways that can be specified on the DHCP server for DHCP clients was changed from 8 to 64.
Command changes
Modified command: gateway-list
Syntax
gateway-list ip-address&<1-64>
undo gateway-list [ ip-address&<1-64> ]
Views
DHCP address pool view
DHCP secondary subnet view
Change description
Before modification: A maximum of eight gateways can be specified on the DHCP server for DHCP clients.
After modification: A maximum of 64 gateways can be specified on the DHCP server for DHCP clients.
Modified feature: Displaying information for DHCP snooping trusted ports
Feature change description
From this version, you can display VLAN information for DHCP snooping trusted ports.
Command changes
Modified command: display dhcp snooping trust
Syntax
display dhcp snooping trust
Views
Any view
Change description
Before modification:
# Display information about trusted ports.
<Sysname> display dhcp snooping trust
DHCP snooping is enabled.
Interface Trusted
========================= ============
GigabitEthernet1/0/1 Trusted
After modification:
# Display information about trusted ports.
<Sysname> display dhcp snooping trust
DHCP snooping is enabled.
Interface Trusted VLAN
========================= ============ =======
GigabitEthernet1/0/1 Trusted
GigabitEthernet1/0/2 - 100
GigabitEthernet1/0/3 - 100, 200
The following changes were added to the command output:
• Trusted—For a DHCP snooping trusted port configured in system view, this field displays Trusted. For a trusted port configured in VLAN view, this field displays a hyphen (-).
• VLAN—VLANs in which the port is configured as trusted. If a trusted port is configured after DHCP snooping is enabled globally, this field is empty.
Modified feature: Setting the MTU of IPv4 packets sent over an interface
Feature change description
The value range for the MTU of IPv4 packets sent over an interface was changed.
Command changes
Modified command: ip mtu
Syntax
ip mtu mtu-size
undo ip mtu
Views
Interface view
Change description
Before modification: The value range for the mtu-size argument is 128 to 2000 bytes.
After modification: The value range for the mtu-size argument is 128 to 1500 bytes.
Modified feature: Setting the TCP buffer size
Feature change description
The default size of the TCP receive/send buffer was changed from 64 KB to 63 KB.
Command changes
Modified command: tcp window
Syntax
tcp window window-size
undo tcp window
Views
System view
Change description
Before modification: The default size of the TCP receive/send buffer is 64 KB.
After modification: The default size of the TCP receive/send buffer is 63 KB.
Modified feature: Configuring prefix to be advertised in RA messages
Feature change description
The following changes were added to the ipv6 nd ra prefix command:
• The no-advertise keyword was added.
• The valid-lifetime, preferred-lifetime, and no-advertise parameters in this command were changed from required to optional.
Command changes
Modified command: ipv6 nd ra prefix
Old syntax
ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *
New syntax
ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } [ valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] * | no-advertise ]
Views
Interface view
Change description
Before modification:
• The device always advertises the prefix in RA messages.
• When configuring the ipv6 nd ra prefix command, you must specify the valid-lifetime and preferred-lifetime parameters.
After modification:
• The no-advertise keyword was added to disable the device from advertising the prefix specified in the ipv6 nd ra prefix command.
• The valid-lifetime and preferred-lifetime parameters become optional. If you do not configure optional parameters for this command, the prefix uses the default settings configured by the ipv6 nd ra prefix default command.
Modified feature: Setting the MTU of IPv6 packets sent over an interface
Feature change description
The value range for the MTU of IPv6 packets sent over an interface was changed.
Command changes
Syntax
ipv6 mtu size
undo ipv6 mtu
Views
Interface view
Change description
Before modification: The value range for the size argument is 1280 to 10240 bytes.
After modification: The value range for the size argument is 1280 to 1500 bytes.
Modified feature: Displaying PBR configuration
Feature change description
In this release, the display ip policy-based-route setup command can display the type of the policies.
Command changes
Modified command: display ip policy-based-route setup
Syntax
display ip policy-based-route setup
Views
Any view
Change description
Before modification: The command displays applied policies and interfaces to which the policies are applied.
<Sysname> display ip policy-based-route setup
Policy Name    Interface Name
pr01           Vlan-interface 1
After modification: The command displays applied policies, interfaces to which the policies are applied, and type of the policies.
<Sysname> display ip policy-based-route setup
Policy name    Type       Interface
pr01           Forward    Vlan-interface2
aaa            Local      N/A
Table 12 Command output
Field
Description
Type
Type of the PBR:
• Forward—Interface PBR.
• Local—Local PBR.
Modified feature: Displaying IPv6 PBR configuration
Feature change description
In this release, the display ipv6 policy-based-route setup command can display the type of the policies.
Command changes
Modified command: display ipv6 policy-based-route setup
Syntax
display ipv6 policy-based-route setup
Views
Any view
Change description
Before modification: The command displays applied IPv6 policies and interfaces to which the IPv6 policies are applied.
<Sysname> display ipv6 policy-based-route setup
Policy Name    Interface Name
pr01           Vlan-interface 1
After modification: The command displays applied IPv6 policies, interfaces to which the IPv6 policies are applied, and type of the IPv6 policies.
<Sysname> display ipv6 policy-based-route setup
Policy name    Type       Interface
pr01           Forward    Vlan-interface 2
pr02           Local      N/A
Table 13 Command output
Field
Description
Type
Type of the IPv6 PBR:
• Forward—Interface IPv6 PBR.
• Local—Local IPv6 PBR.
Modified feature: Creating an ACL
Feature change description
The syntax of the acl command was changed.
Command changes
Modified command: acl
Old syntax
acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl [ ipv6 ] { all | name acl-name | number acl-number }
New syntax
acl [ ipv6 ] { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]
acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
acl [ ipv6 ] number acl-number [ match-order { auto | config } ]
undo acl [ ipv6 ] { all | { advanced | basic } { acl-number | name acl-name } }
undo acl mac { all | acl-number | name acl-name }
undo acl [ ipv6 ] number acl-number
Views
System view
Change description
After modification:
• You can use the acl [ ipv6 ] number acl-number command to create an ACL or enter the view of an existing ACL.
• If an ACL is created by using the name acl-name option, you can use only the acl [ ipv6 | mac ] name acl-name command to enter the ACL view.
Modified feature: Copying an ACL to create a new ACL
Feature change description
The syntax of the acl copy command was changed.
Command changes
Modified command: acl copy
Old syntax
acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
New syntax
acl [ ipv6 | mac ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Displaying ACL configuration and match statistics
Feature change description
The syntax of the display acl command was changed.
Command changes
Modified command: display acl
Old syntax
display acl [ ipv6 ] { acl-number | all | name acl-name }
New syntax
display acl [ ipv6 | mac ] { acl-number | all | name acl-name }
Views
Any view
Change description
After modification:
• The mac keyword was available to specify a Layer 2 ACL.
• The start rule ID was added in the command output.
Modified feature: Displaying packet filtering statistics
Feature change description
The syntax of the display packet-filter statistics command was changed.
Command changes
Modified command: display packet-filter statistics
Old syntax
display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ brief ]
New syntax
display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ brief ]
Views
Any view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Displaying accumulated packet filtering statistics for an ACL
Feature change description
The syntax of the display packet-filter statistics sum command was changed.
Command changes
Modified command: display packet-filter statistics sum
Old syntax
display packet-filter statistics sum { inbound | outbound } [ ipv6 ] { acl-number | name acl-name } [ brief ]
New syntax
display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac ] { acl-number | name acl-name } [ brief ]
Views
Any view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Displaying ACL application details for packet filtering
Feature change description
The syntax of the display packet-filter verbose command was changed.
Command changes
Modified command: display packet-filter verbose
Old syntax
display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]
New syntax
display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ slot slot-number ]
Views
Any view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Applying an ACL to an interface for packet filtering
Feature change description
The syntax of the packet-filter command was changed.
Command changes
Modified command: packet-filter
Old syntax
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
New syntax
packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }
Views
Layer 2 Ethernet interface view
VLAN interface view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Specify the applicable scope of packet filtering on a VLAN interface
Feature change description
The syntax of the packet-filter filter command was changed.
Command changes
Modified command: packet-filter filter
Old syntax
packet-filter filter [ route | all ]
New syntax
packet-filter filter { route | all }
Views
VLAN interface view
Change description
After modification, you must specify the application scope for packet filtering on a VLAN interface.
Modified feature: Clearing statistics for ACLs
Feature change description
The syntax of the reset acl counter command was changed.
Command changes
Modified command: reset acl counter
Old syntax
reset acl [ ipv6 ] counter { acl-number | all | name acl-name }
New syntax
reset acl [ ipv6 | mac ] counter { acl-number | all | name acl-name }
Views
User view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Clearing the packet filtering statistics and accumulated statistics for an ACL
Feature change description
The syntax of the reset packet-filter statistics command was changed.
Command changes
Modified command: reset packet-filter statistics
Old syntax
reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ]
New syntax
reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ]
Views
User view
Change description
After modification, the mac keyword was available to specify a Layer 2 ACL.
Modified feature: Specifying an ACL match criterion
Feature change description
The syntax for specifying an ACL match criterion was changed.
Command changes
Modified command: if-match acl
Old syntax
if-match acl [ ipv6 ] { acl-number | name acl-name }
New syntax
if-match acl [ ipv6 | mac ] { acl-number | name acl-name }
Views
Traffic class view
Change description
The mac keyword was added to the if-match acl command for specifying a Layer 2 ACL.
Modified feature: Displaying predefined control plane QoS policies of cards
Feature change description
The display qos policy control-plane pre-defined command output was changed.
Command changes
Modified command: display qos policy control-plane pre-defined
Syntax
display qos policy control-plane pre-defined [ slot slot-number ]
Views
Any view
Change description
Command output before modification:
<Sysname> display qos policy control-plane pre-defined slot 1
Pre-defined policy information slot 1
Protocol Priority Bandwidth (kbps) Group
IS-IS 4 512 critical
VRRP 5 768 important
IGMP 3 256 important
VRRPv6 3 768 important
ARP 1 256 normal
DHCP Snooping 3 256 redirect
DHCP 3 256 normal
802.1x 1 128 important
STP 6 256 critical
LACP 5 64 critical
MVRP 3 256 critical
BGP 3 256 critical
ICMP 1 640 monitor
IPOPTION 2 64 normal
BGPv6 3 256 critical
IPOPTIONv6 2 64 normal
LLDP 3 128 important
DLDP 3 64 critical
TELNET 1 512 management
SSH 1 512 management
HTTP 1 64 management
HTTPS 1 64 management
ARP Snooping 1 256 redirect
ICMPv6 1 512 monitor
DHCPv6 3 256 normal
Command output after modification:
<Sysname> display qos policy control-plane pre-defined slot 1
Pre-defined policy information slot 1
Protocol Priority Bandwidth Group
Default N/A 0 (kbps) N/A
IS-IS 4 512 (kbps) critical
VRRP 35 768 (kbps) important
IGMP 3 256 (kbps) important
VRRPv6 35 768 (kbps) important
ARP 1 128 (kbps) normal
DHCP Snooping 3 256 (kbps) redirect
DHCP 3 256 (kbps) normal
802.1x 1 128 (kbps) important
STP 6 256 (kbps) critical
LACP 5 64 (kbps) critical
MVRP 3 256 (kbps) critical
BGP 3 256 (kbps) critical
ICMP 1 640 (kbps) monitor
IPOPTION 2 64 (kbps) normal
BGPv6 3 256 (kbps) critical
IPOPTIONv6 2 64 (kbps) normal
LLDP 3 128 (kbps) important
DLDP 3 64 (kbps) critical
TELNET 1 512 (kbps) management
SSH 1 512 (kbps) management
TACACS 1 512 (kbps) management
RADIUS 1 512 (kbps) management
HTTP 1 64 (kbps) management
HTTPS 1 64 (kbps) management
ARP Snooping 1 256 (kbps) redirect
ICMPv6 1 512 (kbps) monitor
DHCPv6 3 256 (kbps) normal
Modified feature: Length range for an ISP domain
Feature change description
The length range for an ISP domain name was changed.
Command changes
Modified commands: display domain, domain, domain default enable, domain if-unknown
Syntax
Any view:
display domain [ isp-name ]
System view:
domain isp-name
domain default enable isp-name
domain if-unknown isp-name
Views
Any view
System view
Change description
Before modification: The isp-name argument is a string of 1 to 24 characters.
After modification: The isp-name argument is a string of 1 to 255 characters.
Modified feature: Displaying local user configuration
Feature change description
Syntax was changed for the display local-user command to display local user configuration.
Command changes
Modified command: display local-user
Old syntax
display local-user [ class { manage | network } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
New syntax
display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network } | vlan vlan-id ]
Views
Any view
Change description
Before modification:
• You cannot specify local users by the status of the idle cut feature.
• The user-name user-name option specifies all local users that have the specified username.
After modification:
• The idle-cut { disable | enable } option was added. This option specifies local users by the status of the idle cut feature.
• The class { manage | network } option was added before the user-name user-name option to specify device management users or network access users that have the specified username.
Modified feature: Displaying user group configuration
Feature change description
Syntax was changed for the display user-group command to display user group configuration.
Command changes
Modified command: display user-group
Old syntax
display user-group [ group-name ]
New syntax
display user-group { all | name group-name }
Views
Any view
Change description
Before modification: The group-name argument is optional. If you do not specify a user group, this command displays configuration for all user groups.
After modification:
• The all keyword was added. This keyword specifies all user groups.
• The name keyword was added before the group-name argument to specify a user group.
• You must specify either all or name group-name.
Modified feature: Enabling the RADIUS server load sharing feature
Feature change description
Syntax was changed for the command that enables the RADIUS server load sharing feature.
Command changes
Modified command: server-load-sharing enable
Old syntax
algorithm loading-share enable
undo algorithm loading-share enable
New syntax
server-load-sharing enable
undo server-load-sharing enable
Views
RADIUS scheme view
Change description
The syntax of this command was changed from algorithm loading-share enable to server-load-sharing enable.
Modified feature: Setting the real-time accounting interval
Feature change description
Syntax was changed for the command that sets the real-time accounting interval, and the value range for the argument in this command was also changed.
Command changes
Modified command: timer realtime-accounting
Old syntax
timer realtime-accounting minutes
New syntax
timer realtime-accounting interval [ second ]
Views
RADIUS scheme view
Change description
Before modification:
• The value range for the minutes argument is 0 to 60.
• The real-time accounting interval is in minutes.
After modification:
• The value range for the interval argument is 0 to 71582.
• The second keyword was added. This keyword specifies the real-time accounting interval, in seconds. If you do not specify this keyword, the real-time accounting interval is in minutes.
Modified feature: Displaying 802.1X information
Feature change description
The Max 802.1X users field was removed from the output of the display dot1x command.
Command changes
Modified command: display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]
Views
Any view
Change description
Before modification: The Max 802.1X users field in the command output indicates the maximum number of online 802.1X users each device supports.
After modification: The Max 802.1X users field is removed from the command output. The output does not include the information about the maximum number of online 802.1X users each device supports.
Modified feature: Port-specific mandatory 802.1X authentication domain
Feature change description
The length range was changed for the ISP domain name string when you specify a mandatory 802.1X authentication domain on a port.
Command changes
Modified command: dot1x mandatory-domain
Syntax
dot1x mandatory-domain domain-name
Views
Layer 2 Ethernet interface view
Change description
Before modification: The value range for the domain-name argument is 1 to 24 characters.
After modification: The value range for the domain-name argument is 1 to 255 characters.
Modified feature: Removing users from the MAC authentication critical VLAN on a port
Feature change description
The syntax was changed for the command that removes users from the MAC authentication critical VLAN on a port.
Command changes
Modified command: reset mac-authentication critical vlan
Old syntax
reset mac-authentication critical-vlan interface interface-type interface-number [ mac-address mac-address ]
New syntax
reset mac-authentication critical vlan interface interface-type interface-number [ mac-address mac-address ]
Views
User view
Change description
The critical-vlan keyword was changed to critical vlan.
Modified feature: Port security's limit on the number of secure MAC addresses on a port
Feature change description
The value range was changed for setting the maximum number of secure MAC addresses that port security allows on a port.
Command changes
Modified command: port-security max-mac-count
Syntax
port-security max-mac-count max-count
Views
Layer 2 Ethernet interface view
Change description
Before modification: The value range for the max-count argument is 1 to 4294967295.
After modification: The value range for the max-count argument is 1 to 2147483647.
Modified feature: Creating an SSH user and specifying the service type and authentication method
Feature change description
Support for specifying multiple SSH client public keys was added for an SSH user.
Command changes
Modified command: ssh user
Old syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] }
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname } ] }
New syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname&<1-6> } ] }
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname&<1-6> } ] }
Views
System view
Change description
After modification, you can specify multiple SSH client public keys for client verification.
Modified feature: Predefined user roles for SSH and FTP client commands
Feature change description
The predefined user roles for the following SSH and FTP client commands were changed:
• bye
• exit
• help
• quit
Command changes
Modified command: bye
Syntax bye
Views
SFTP client view
FTP client view
Change description
Before modification, the predefined user role for this command is network-admin.
After modification, the predefined user roles for this command are network-admin and network-operator.
Modified command: exit
Syntax exit
Views
SFTP client view
Change description
Before modification, the predefined user role for this command is network-admin.
After modification, the predefined user roles for this command are network-admin and network-operator.
Modified command: help
Syntax help
Views
SFTP client view
FTP client view
Change description
Before modification, the predefined user role for this command is network-admin.
After modification, the predefined user roles for this command are network-admin and network-operator.
Modified command: quit
Syntax quit
Views
SFTP client view
FTP client view
Change description
Before modification, the predefined user role for this command is network-admin.
After modification, the predefined user roles for this command are network-admin and network-operator.
Modified feature: Setting the number of ARP blackhole route probes for each unresolved IP address
Feature change description
The default value of ARP blackhole route probes for each unresolved IP address was changed from one to three.
Command changes
Modified command: arp resolving-route probe-count
Syntax
arp resolving-route probe-count count
undo arp resolving-route probe-count
Views
System view
Change description
Before modification: The device performs one ARP blackhole route probe for each unresolved IP address by default.
After modification: The device performs three ARP blackhole route probes for each unresolved IP address by default.
Modified feature: Displaying information about SNMPv1 or SNMPv2c communities
Feature change description
The ACL name field was added to the output from the display snmp-agent community command.
Command changes
Modified command: display snmp-agent community
Syntax
display snmp-agent community [ read | write ]
Views
Any view
Change description
Before modification:
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
ACL:2001
Storage-type: nonVolatile
Context name: con1
After modification:
<Sysname> display snmp-agent community
Community name: aa
Group name: aa
ACL:2001
Storage-type: nonVolatile
Context name: con1
Community name: cc
Group name: cc
ACL name: testacl
Storage-type: nonVolatile
The ACL name field appears only when an ACL name is specified for the SNMPv1 or SNMPv2c community. It is exclusive with the ACL field.
Modified feature: Displaying information about SNMP groups
Feature change description
The ACL name field was added to the output from the display snmp-agent group command.
Command changes
Modified command: display snmp-agent group
Syntax
display snmp-agent group [ group-name ]
Views
Any view
Change description
Before modification:
<Sysname> display snmp-agent group
Group name: groupv3
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
After modification:
<Sysname> display snmp-agent group
Group name: groupv3
Security model: v3 noAuthnoPriv
Readview: ViewDefault
Writeview: <no specified>
Notifyview: <no specified>
Storage-type: nonVolatile
ACL name: testacl
The ACL name field appears only when an ACL name is specified for the SNMP group. It is exclusive with the ACL field.
Modified feature: Displaying SNMPv3 user information
Feature change description
The ACL name field was added to the output from the display snmp-agent usm-user command.
Command changes
Modified command: display snmp-agent usm-user
Syntax
display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ] *
Views
Any view
Change description
Before modification:
<Sysname> display snmp-agent usm-user
Username: userv3
Group name: mygroupv3
Engine ID: 800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active
After modification:
<Sysname> display snmp-agent usm-user
Username: userv3
Group name: mygroupv3
Engine ID: 800063A203000FE240A1A6
Storage-type: nonVolatile
UserStatus: active
ACL: 2000
Username: userv3
Group name: mygroupv3
Engine ID: 8000259503000BB3100A508
Storage-type: nonVolatile
UserStatus: active
ACL name: testacl
The ACL name field appears only when an ACL name is specified for the SNMPv3 user. It is exclusive with the ACL field.
Modified feature: Configuring an SNMPv1 or SNMPv2c community
Feature change description
The name ipv4-acl-name and name ipv6-acl-name options and advanced ACLs were supported for configuring an SNMP community.
Command changes
Modified command: snmp-agent community
Old syntax
In VACM mode:
snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
In RBAC mode:
snmp-agent community [ simple | cipher ] community-name user-role role-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
New syntax
In VACM mode:
snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
In RBAC mode:
snmp-agent community [ simple | cipher ] community-name user-role role-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
Views
System view
Change description
Before modification: You can specify a basic IPv4/IPv6 ACL by its number for an SNMP community.
After modification:
• You can specify a basic or advanced IPv4/IPv6 ACL by its number for an SNMP community.
• You can specify a basic or advanced IPv4/IPv6 ACL by its name for an SNMP community.
Modified feature: Creating an SNMP group
Feature change description
The name ipv4-acl-name and name ipv6-acl-name options and advanced ACLs were supported for creating an SNMP group.
Command changes
Modified command: snmp-agent group
Old syntax
SNMPv1 and SNMPv2c:
snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
SNMPv3 (in non-FIPS mode):
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
SNMPv3 (in FIPS mode):
snmp-agent group v3 group-name { authentication | privacy } [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
New syntax
SNMPv1 and SNMPv2c:
snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
SNMPv3 (in non-FIPS mode):
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
SNMPv3 (in FIPS mode):
snmp-agent group v3 group-name { authentication | privacy } [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
Views
System view
Change description
Before modification: You can specify a basic IPv4/IPv6 ACL by its number for an SNMP group.
After modification:
• You can specify a basic or advanced IPv4/IPv6 ACL by its number for an SNMP group.
• You can specify a basic or advanced IPv4/IPv6 ACL by its name for an SNMP group.
Modified feature: Creating an SNMPv1 or SNMPv2c user
Feature change description
The name ipv4-acl-name and name ipv6-acl-name options and advanced ACLs were supported for creating an SNMPv1/SNMPv2c user.
Command changes
Modified command: snmp-agent usm-user { v1 | v2c }
Old syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
New syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
Views
System view
Change description
Before modification: You can specify a basic IPv4/IPv6 ACL by its number for an SNMPv1/SNMPv2c user.
After modification:
• You can specify a basic or advanced IPv4/IPv6 ACL by its number for an SNMPv1/SNMPv2c user.
• You can specify a basic or advanced IPv4/IPv6 ACL by its name for an SNMPv1/SNMPv2c user.
Modified feature: Creating an SNMPv3 user
Feature change description
The name ipv4-acl-name and name ipv6-acl-name options and advanced ACLs were supported for creating an SNMPv3 user.
The following encryption algorithms were added for creating an SNMPv3 user:
• In FIPS mode—aes192 and aes256 encryption algorithms.
• In non-FIPS mode—3des, aes192, and aes256 encryption algorithms in VACM mode and aes192 and aes256 encryption algorithms in RBAC mode.
Command changes
Modified command: snmp-agent usm-user v3
Old syntax
In non-FIPS mode (in VACM mode):
snmp-agent usm-user v3 user-name group-name [ remote { ip-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
In non-FIPS mode (in RBAC mode):
snmp-agent usm-user v3 user-name user-role role-name [ remote { ip-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
In FIPS mode (in VACM mode):
snmp-agent usm-user v3 user-name group-name [ remote { ip-address | ipv6 ipv6-address } ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode aes128 priv-password ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
In FIPS mode (in RBAC mode):
snmp-agent usm-user v3 user-name user-role role-name [ remote { ip-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode sha auth-password [ privacy-mode aes128 priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
New syntax
In non-FIPS mode (in VACM mode):
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
In non-FIPS mode (in RBAC mode):
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
In FIPS mode (in VACM mode):
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } ] { cipher | simple } authentication-mode sha auth-password [ privacy-mode { aes128 | aes192 | aes256 } priv-password ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
In FIPS mode (in RBAC mode):
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode sha auth-password [ privacy-mode { aes128 | aes192 | aes256 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *
Views
System view
Change description
Before modification: You can specify a basic IPv4/IPv6 ACL by its number for an SNMPv3 user.
After modification:
• You can specify a basic or advanced IPv4/IPv6 ACL by its number for an SNMPv3 user.
• You can specify a basic or advanced IPv4/IPv6 ACL by its name for an SNMPv3 user.
The following parameters were added to the command:
• In FIPS mode—The name ipv4-acl-name and name ipv6-acl-name options and the aes192 and aes256 keywords.
• In non-FIPS mode—The name ipv4-acl-name and name ipv6-acl-name options and the 3des, aes192, and aes256 keywords in VACM mode and aes192 and aes256 keywords in RBAC mode.
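As an added example (not part of the release notes and not HPE code), the Python below reads snmp-agent usm-user v3 and snmp-agent community lines written in the new syntax and reports authentication and privacy algorithms outside the FIPS-mode set listed above, plus users and communities that have no ACL bound by number or by name. The configuration lines, user names, keys and ACL names are constructed sample values.

```python
import re

# Algorithms the new syntax above permits in FIPS mode.
FIPS_AUTH = {"sha"}
FIPS_PRIV = {"aes128", "aes192", "aes256"}

_AUTH = re.compile(r"(?<!\S)authentication-mode (md5|sha)(?!\S)")
_PRIV = re.compile(r"(?<!\S)privacy-mode (3des|aes128|aes192|aes256|des56)(?!\S)")
# acl { number | name NAME }  and  acl ipv6 { number | name NAME }
_ACL = re.compile(r"(?<!\S)acl (ipv6 )?(?:name (\S+)|(\d+))(?!\S)")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
snmp-agent usm-user v3 monitor grp1 simple authentication-mode sha EXAMPLE-AUTH-KEY privacy-mode aes256 EXAMPLE-PRIV-KEY acl name mgmt-v4 acl ipv6 name mgmt-v6
snmp-agent usm-user v3 legacy grp1 simple authentication-mode md5 EXAMPLE-AUTH-KEY privacy-mode des56 EXAMPLE-PRIV-KEY
snmp-agent usm-user v3 probe user-role network-operator
snmp-agent community read simple EXAMPLE-RO acl 2001
snmp-agent community write simple EXAMPLE-RW
"""


def acl_bindings(line):
    """Return the ACLs bound on one command line, keyed by 'ipv4' / 'ipv6'."""
    out = {}
    for v6, name, number in _ACL.findall(line):
        out["ipv6" if v6 else "ipv4"] = f"name {name}" if name else number
    return out


def audit_line(line):
    """Return (kind, name, issues) for an SNMP user or community line, else None."""
    tok = line.split()
    issues = []
    if tok[:3] == ["snmp-agent", "usm-user", "v3"] and len(tok) > 3:
        kind, name = "v3-user", tok[3]
        auth, priv = _AUTH.search(line), _PRIV.search(line)
        if auth is None:
            # Non-FIPS syntax makes the whole authentication block optional.
            issues.append("no authentication-mode")
        else:
            if auth.group(1) not in FIPS_AUTH:
                issues.append(f"authentication-mode {auth.group(1)} not in FIPS-mode syntax")
            if priv is None:
                issues.append("no privacy-mode")
            elif priv.group(1) not in FIPS_PRIV:
                issues.append(f"privacy-mode {priv.group(1)} not in FIPS-mode syntax")
    elif tok[:2] == ["snmp-agent", "community"]:
        # Skip the optional keywords that precede the community name.
        rest = [t for t in tok[2:] if t not in ("read", "write", "simple", "cipher")]
        if not rest:
            return None
        kind, name = "community", rest[0]
    else:
        return None
    if not acl_bindings(line):
        # Without an ACL the device does not restrict which NMS addresses may use it.
        issues.append("no ACL bound")
    return kind, name, issues


def audit(config):
    """Audit every SNMP user/community line in a configuration text."""
    results = []
    for line in config.splitlines():
        result = audit_line(line)
        if result is not None:
            results.append(result)
    return results


if __name__ == "__main__":
    for kind, name, issues in audit(SAMPLE):
        print(f"{kind:10} {name:12} {'; '.join(issues) or 'ok'}")
```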
Modified feature: Configuration locking by NETCONF
Feature change description
Before modification: After a user uses NETCONF to lock the configuration, other users cannot use NETCONF to configure the device but can use other configuration methods, such as CLI and SNMP.
After modification: After a user uses NETCONF to lock the configuration, other users cannot use NETCONF or any other methods to configure the device.
Command changes
None.
Modified feature: Value range for the interval for an OpenFlow instance to reconnect to a controller
Feature change description
The value range changed for the interval for an OpenFlow instance to reconnect to a controller.
Command changes
Modified command: controller connect interval
Syntax
controller connect interval interval
undo controller connect interval
Views
OpenFlow instance view
Change description
Before modification: The value range for the interval argument is 10 to 120 seconds.
After modification: The value range for the interval argument is 1 to 120 seconds.
Removed features
Table 14 Removed features in version R3207
Feature: IPv6 basics: Enabling a device to discard IPv6 packets that contain extension headers
Removed commands:
The ipv6 option drop enable command was removed from system view.
Feature: QoS: Configuring traffic policing for all traffic on inbound interface by using the non-MQC approach
Removed commands:
• The following commands were removed from Layer 2 Ethernet interface view:
qos car inbound any cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ]
qos car inbound any cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ green action | red action | yellow action ]
• The display qos car interface [ interface-type interface-number ] command was removed from any view.
Feature: QoS: Configuring the bandwidth guaranteeing group
Removed commands:
• The qos nni bandwidth bandwidth-value command was removed from system view.
• The qos uni enable command was removed from Layer 2 Ethernet interface view.
• The following commands were removed from any view:
display qos nni bandwidth
display qos uni interface [ interface-type interface-number ]
Feature: AAA: Specifying a security policy server for a RADIUS scheme
Removed commands:
The security-policy-server { ipv4-address | ipv6 ipv6-address } command was removed from RADIUS scheme view.
Feature: IKE: Specifying a DH group for key negotiation in phase 1
Removed commands:
In FIPS mode, the group24 keyword was removed from the dh command in IKE proposal view.
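As an added example (not part of the release notes and not HPE code), the Python below checks a saved configuration or command script for lines affected by the renamed, newly mandatory, range-reduced and removed commands listed in the modified-feature entries and Table 14 above, so they can be reviewed before an upgrade to R3207. The sample configuration is constructed; its view-entering lines (radius scheme, interface, ike proposal) are context only and are not checked.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str      # "renamed", "now-required", "removed" or "out-of-range"
    command: str
    advice: str


# (kind, pattern, advice, fips_only). Patterns are applied with fullmatch()
# to one whitespace-normalised line; every entry comes from the release notes.
_RULES = [
    ("renamed", r"(undo )?algorithm loading-share enable",
     "use 'server-load-sharing enable'", False),
    ("renamed", r"reset mac-authentication critical-vlan( .*)?",
     "keyword is now 'critical vlan'", False),
    ("now-required", r"packet-filter filter",
     "specify 'route' or 'all'", False),
    ("now-required", r"display user-group(?! all$| name \S+$)( .*)?",
     "specify 'all' or 'name group-name'", False),
    ("removed", r"ipv6 option drop enable", "removed from system view", False),
    ("removed", r"qos car inbound any cir .*",
     "removed from Layer 2 Ethernet interface view", False),
    ("removed", r"display qos car interface( .*)?", "removed from any view", False),
    ("removed", r"qos nni bandwidth .*", "removed from system view", False),
    ("removed", r"qos uni enable",
     "removed from Layer 2 Ethernet interface view", False),
    ("removed", r"display qos (nni bandwidth|uni interface( .*)?)",
     "removed from any view", False),
    ("removed", r"security-policy-server .*",
     "removed from RADIUS scheme view", False),
    ("removed", r"dh group24", "group24 removed from 'dh' in FIPS mode", True),
]
_COMPILED = [(k, re.compile(p), a, f) for k, p, a, f in _RULES]
_MAX_MAC = re.compile(r"port-security max-mac-count (\d+)")
MAX_MAC_LIMIT = 2147483647  # new upper bound for max-count

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
#
radius scheme rs1
 algorithm loading-share enable
 security-policy-server 192.0.2.10
 timer realtime-accounting 12
#
interface Vlan-interface10
 packet-filter filter
 packet-filter 3000 inbound
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 4294967295
 qos car inbound any cir 1024
 qos uni enable
#
 ipv6 option drop enable
#
ike proposal 1
 dh group24
"""


def lint(text, fips=False):
    """Return a Finding for every line affected by the R3207 changes."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # drop indentation and repeated spaces
        if not line or line == "#":
            continue
        for kind, rx, advice, fips_only in _COMPILED:
            if (fips or not fips_only) and rx.fullmatch(line):
                findings.append(Finding(no, kind, line, advice))
        m = _MAX_MAC.fullmatch(line)
        if m and not 1 <= int(m.group(1)) <= MAX_MAC_LIMIT:
            findings.append(Finding(no, "out-of-range", line,
                                    f"max-count must be 1 to {MAX_MAC_LIMIT}"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE, fips=True):
        print(f"line {f.line_no}: [{f.kind}] {f.command} -> {f.advice}")
```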
Related documentation
This document introduces software feature changes between HPE 5130EI-CMW710-R3207 and later versions. For information about software feature changes between software versions earlier than HPE 5130EI-CMW710-R3207, see HPE 5130EI-CMW710-R3115P08 Release Notes (Software Feature Changes).