
Avaya

P330-ML Version 4.5 Release Notes

1. Introduction

This document contains information related to the Avaya P332G-ML, P332GT-ML and P334T-ML stackable switches that was not included in the User's Guide. This document also describes known issues, and other information required for proper installation and use of the product.

2. Important Notes

• This software version is for P330-ML switches only.

• You cannot stack P330-ML version 4.5 switches with P330 switches.

• When you upgrade from version 3.x to version 4.5, you should first upgrade to version 4.0. Only then upgrade to 4.5. You can obtain firmware version 4.0 from www.avaya.com/support.

• You must perform an NVRAM initialization before downloading module or stack configuration files, except for products that are configured with the factory settings.

• P330-ML 4.5 Embedded Web Manager requires Java plug-in version 1.4.2. You may download this from the Avaya support site: www.avaya.com/support.

— Please refer to the relevant Technical Note on the Avaya Support Site at www.avaya.com/support for managing Avaya products that require different Java plug-in versions.

February 2004

3. What's New

• Remote management access via SNMPv3

— SNMPv3 provides enhanced network management security with user-based authentication (SHA- or MD5-based), communication encryption (DES-based) and access control per MIB item.

• Support for both SNMPv3 and SNMPv2c traps.

• SSH (Secure Shell)

— SSH server functionality in the P330-ML provides enhanced remote session security using 3DES-CBC encryption, up to 2,048-bit DSA key and password-based user authentication.

— Client functionality in the P330-ML supports SCP (Secure Copy Protocol) for secure configuration upload/download.

• System logging to the CLI session, to an NVRAM file or to a syslog server

— System logging records all SNMP and CLI configuration changes and notification events.

• MAC security on 10/100 and GE ports.

— The MAC security function filters incoming frames with an unauthorized source MAC address.

— An authorized MAC can be accepted from more than one physical port.

• CPU utilization monitoring – monitor CPU and memory utilization of the module.

• Telnet client – you can open a Telnet session from the P330-ML CLI.

• Enhanced device access security

— You can enable or disable access to the switch for specific IP protocols: SNMP (v1 and v3), SSH, Telnet, HTTP and ICMP redirect. You can also disable the terminal recovery password and the Telnet client function.

• Module and stack configuration files now contain only configuration information that differs from the default values.

• New and enhanced CLI commands (see Section 6. “CLI Commands”).

• New trap added to indicate an unauthorized access attempt to the CLI via console, Telnet or SSH.

• Additional 802.1x RADIUS attribute to determine whether the addition of a static VLAN to a port will be in “REPLACE” mode (replace existing definitions) or “APPEND” mode (be added to existing definitions).

• Support for GBIC Copper (refer to the documentation shipped with the GBIC Copper transceiver for further information).

• The Self-loop Discovery feature is not supported in the P330-ML switches. SLD functionality is included in the RSTP implementation when working in either common or RSTP version.

4. Problems Fixed

• The ping command no longer accepts zero for the optional count parameter, so the command always terminates normally.

• Port mirroring now functions when the mirror source port is a Gigabit Ethernet port on a P330-ML switch.

• When Spanning Tree and 802.1x are disabled, creating a new LAG no longer results in the LAG being set to blocking state when the first port to be added to the LAG has no link.

• A sustained high rate of VLAN violations no longer causes a reset.

• The “deny and notify” policy action now generates an SNMP trap when a packet is denied.

• Setting the RADIUS server UDP port no longer causes a reset.

• LAG, LAG members and GE ports will be non-edge by default. Changing the configuration via the CLI will be saved after reset.

When the LAG is deleted, its 10/100 Mb ports will become edge ports.

• The SNMP “duplicate IP” trap now contains the correct intruder MAC for a duplicate IP event on a router interface.

• The CAM table is cleared when a port is disconnected or administratively disabled.

• A LAND attack on the P330 agent no longer causes the switch to reset.

A LAND attack consists of a stream of TCP SYN packets that have the source IP address and TCP port number set to the same value as the destination address and port number (i.e., that of the attacked host).

• Immunity to “EtherLeak”.

Short Ethernet frames that the P330-ML agent generates are now padded with zeros when the application PDU is shorter than 46 bytes, so the padding can no longer carry leftover memory contents.

• Enabling Spanning Tree on a port connected to a host (“edge-port” operational state) after Spanning Tree was disabled on that port no longer causes the port to become blocking.

• LAG member ports are now automatically set to 802.1x “force authorize” mode.

Therefore all LAG member ports will always be in forwarding mode. When ports are removed from the LAG, the 802.1x control state is reset to Auto.

• Deleting a router IP when VRRP is enabled on it no longer causes a reset.

• Allowed Managers CLI commands are now uploaded to the configuration file.

• The set queueing scheme CLI command is now uploaded to the configuration file.

• The show snmp CLI command now shows the enable/disable status of sending SNMPv1 authentication failure traps.

• An SNMP “Auto-negotiation failure” trap is no longer sent when auto-negotiation is disabled on a port.

• Setting 802.1x timer parameters (set dot1x commands) to their minimum values no longer causes a reset.


• The clear dot1x config CLI command now works.

• A user with “read-only” privileges can no longer reset the switch.

• You no longer need to remove the set cascading down fault monitoring disable 1 and set cascading up fault monitoring disable 1 commands from the module configuration file before downloading it to a non-stacked switch.
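The two packet-level conditions named in the fixes above, LAND and EtherLeak, are simple to check for in captured traffic. The following Python is an added example, not Avaya code: it builds a few Ethernet/IPv4/TCP frames inline (constructed test input, not P330-ML captures; the MAC and IP addresses are placeholders), parses the headers, flags a SYN whose source address and port equal its destination address and port, and reports a short frame whose Ethernet padding is not all zeros, which is the symptom EtherLeak describes.

```python
"""Detect LAND packets and non-zero Ethernet padding (EtherLeak) in raw frames.

Added example, not Avaya code. The frames are constructed in this file; they
are not captures from a P330-ML, and the MAC/IP addresses are placeholders.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60        # 64-byte Ethernet minimum without the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_SYN = 0x02


def build_syn_frame(src_ip, src_port, dst_ip, dst_port, pad=b""):
    """Build an Ethernet II / IPv4 / TCP SYN frame with no payload (test input).

    IP and TCP checksums are left zero: the checks below read only addresses,
    ports, flags and padding. `pad` seeds the padding bytes: a sender that pads
    with zeros leaves it empty, an EtherLeak-style sender leaves stale data.
    """
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, TCP_FLAG_SYN, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("00e0c9000001" "00e0c9000002") + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + tcp                      # 14 + 20 + 20 = 54 bytes
    fill = MIN_FRAME_LEN - len(frame)           # 6 bytes of padding required
    return frame + (pad + b"\x00" * fill)[:fill]


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 (+ TCP) headers into the fields the checks need."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("bad IPv4 length fields")
    fields = {
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": ip[9],
        # Anything beyond the IP total length is Ethernet padding.
        "padding": ip[total_len:],
    }
    if fields["proto"] == IPPROTO_TCP and total_len - ihl >= 20:
        tcp = ip[ihl:total_len]
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", tcp[:4])
        fields["syn"] = bool(tcp[13] & TCP_FLAG_SYN)
    return fields


def is_land(fields: dict) -> bool:
    """LAND: a TCP SYN whose source IP and port equal its destination IP and port."""
    return (fields.get("syn", False)
            and fields["src_ip"] == fields["dst_ip"]
            and fields["src_port"] == fields["dst_port"])


def leaked_padding(fields: dict) -> bytes:
    """Return the padding if any byte is non-zero (EtherLeak symptom), else b''."""
    pad = fields["padding"]
    return pad if any(pad) else b""


def classify(frame: bytes) -> list:
    """Names of the conditions found in one frame (empty list if clean)."""
    f = parse_frame(frame)
    verdicts = []
    if is_land(f):
        verdicts.append("LAND")
    if leaked_padding(f):
        verdicts.append("EtherLeak padding")
    return verdicts


# Constructed sample frames: a normal Telnet SYN, a LAND SYN aimed at the
# switch's own address and port, and a SYN padded with stale bytes.
SAMPLE_FRAMES = {
    "normal": build_syn_frame("10.1.1.20", 40000, "10.1.1.1", 23),
    "land": build_syn_frame("10.1.1.1", 23, "10.1.1.1", 23),
    "leaky": build_syn_frame("10.1.1.20", 40000, "10.1.1.1", 23, pad=b"\xde\xad\xbe\xef"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify(frame))
```

The padding check only applies to frames that had to be padded up to the 60-byte minimum; a frame whose IP total length already fills the frame has no padding to inspect, and the function returns an empty result for it.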

5. Notes and Known Issues

5.1. Adding a new Switch to a Stack

If the new switch becomes the master after you add it to the stack, the stack IP address (inband interface) is taken from the new master switch; all other parameters are copied from the existing stack.

Configure the IP address of the new switch manually before adding it, or change the stack IP address after adding it.

5.2. Configuration Files

5.2.1. Upload Configuration Files

The following configuration commands are not written to an uploaded configuration file. Most of them carry secrets (community strings, RADIUS and CHAP secrets, user accounts) or device-specific state, so they must be re-entered manually after a configuration file is downloaded to a replacement or re-initialized switch:

• ip telnet-client

• no ip ssh

• set device-mode router

• set interface commands

• set license

• set ppp chap-secret

• set radius authentication secret

• set snmp community

• set terminal recovery password disable

• snmp-server user

• snmp-server remote-user

• username

5.2.2. Configuration File Download

• You cannot start the configuration file name with a number.

• You must download the module configuration files before downloading a stack configuration file that enables 802.1x on the stack. The module configuration file should contain a force-authorize command for the port from which you download the configuration file; otherwise you will lose the connection to the TFTP/SCP server.

• If there are 1,024 secure MAC entries in a module configuration file, the last entry download will fail.

5.3. Layer 2

5.3.1. Intermodule Port Redundancy

When defining an Intermodule Port Redundancy which includes the master module, configure the primary port on the master module.


5.3.2. PPP Session

Executing PPP configuration commands via the CLI or downloading a configuration file with PPP commands will disconnect the current PPP session.

5.3.3. MAC Security

If a reset occurs within three minutes of enabling MAC security on a port, the MAC addresses learned on this port will not be saved as secure MACs.

5.4. Management and Monitoring

5.4.1. Traps and Logging (Syslog)

When you administratively disable a port, all faults on the port are cleared and the appropriate traps are sent.

5.4.2. Trap Hosts

If you configure seven SNMP trap hosts with a notification type other than “all”, hosts 8, 9 and 10 will be configured with notification set to “all”, even if you configure them otherwise.

5.5. PBNAC (Port-Based Network Access Control) – 802.1x

Note: 802.1x is only available on the 10/100BASE-T ports.

5.5.1. 802.1x Clients

Windows XP and Windows 2000 clients do not resend an authentication request after an unsuccessful Windows login. You need to disconnect and reconnect the Ethernet cable between the PC and the network to re-authenticate with the correct password.


5.5.2. Configuring the RADIUS Server to Support PBNAC

You should first configure the RADIUS server on your network to work with 802.1x before enabling PBNAC on the P330-ML. You should also ensure that RADIUS parameters are correctly configured on the P330-ML and that the RADIUS server is accessible from the P330-ML. Due to the complexity of configuring the RADIUS server, we recommend that you refer to the appropriate Technical Notes on the Avaya Support site: http://www.avaya.com/support

5.5.3. Enabling 802.1x

When you enable 802.1x (using the set dot1x system-auth-control command), all 10/100BASE-T ports, except LAG ports, will be set to blocking state.

To force a port to remain in forwarding state (without authentication), set the port to force-authorize mode (using the set port dot1x port-control [module/port] force-authorize command) prior to enabling 802.1x.

5.5.4. set dot1x and show dot1x commands at the read-write level

You can only execute the “set” and “show” dot1x commands at the “read-write” level when the CLI is in “configure” mode.

5.5.5. New RADIUS Attributes

The “REPLACE” and “APPEND” attributes are only applicable if the “STATIC-VLAN” attribute is configured.

5.6. RSTP (Rapid Spanning Tree Protocol) – 802.1w

• After you upgrade to firmware 4.5 or perform an NVRAM initialization, the Spanning Tree version remains “common spanning tree”. You can change the Spanning Tree version to RSTP using the set spantree version CLI command.

• When you change the Spanning Tree version, the port path cost remains unchanged. Use the set port spantree cost auto CLI command in order to change the path cost according to the default of the standard.

• It is highly recommended to configure uplink and backbone ports manually (except LAG logical and GE ports) to be “non-edge” ports, using the CLI command set port edge admin state.

5.7. Secure Copy (SCP)

• P330-ML version 4.5 was tested with the following SCP servers and operates with them:

— UNIX – OpenSSH server

— Microsoft Windows – Bitwise Ltd. WinSSHD SSH server

Note: If you wish to use an SCP server not listed above, test it for interoperability, since not all currently available SCP servers can operate correctly with the P330-ML.

• If you wish to use more than one SCP server at a time, you should use the same host public key on all the servers.

• You need to upload the sub-agent's startup-config over SCP before performing a download over SCP to startup-config on that sub-agent (same host IP address, different file names).

— Specify a different file name for the upload to prevent accidental overwriting of an existing file.

For example:

1. Upload: copy startup-config scp <dummy file name> <ip address>

2. Download: copy scp startup-config <filename> <ip address>

6. CLI Commands

Note: Please refer to the P330 Reference Guide for further information.

6.1. CLI Enhancements

• You can now execute the copy configuration CLI commands from the “admin” level only.

• The output of the following CLI commands has been enhanced:

— show cam mac

— show snmp

6.2. New CLI Commands

6.2.1. Allowed Protocols

• ip telnet enable

• no ip telnet

• ip telnet-client enable

• no ip telnet-client

• ip http enable

• no ip http

• ip icmp redirect

• no ip icmp redirect

6.2.2. CPU Utilization Monitoring

• set utilization cpu

• clear utilization cpu

• show utilization

6.2.3. General

• show cam vlan

• clear rmon statistics

• set terminal recovery password enable

• set terminal recovery password disable

• telnet

6.2.4. MAC Security

• set security mode

• set security violation action

• show security mode

• set port security


• show port security

6.2.5. SNMPv3

• snmp-server enable

• no snmp-server

• [no] snmp-server community

• snmp-server enable notifications

• no snmp-server notifications

• [no] snmp-server engineID

• [no] snmp-server user

• [no] snmp-server remote-user

• [no] snmp-server group

• [no] snmp-server view

• [no] snmp-server host

• snmp-server informs

• show snmp view

• show snmp user

• show snmp group

• show snmp userToGroup

• show snmp engineID
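The user-based security model behind the commands above derives each user's authentication key from the password and the agent's engine ID (RFC 3414, the USM specification), which is why snmp-server engineID, snmp-server user and snmp-server remote-user are separate commands: a key localized to one engine ID does not authenticate on another, and changing the engine ID invalidates every key localized to the old one. The following Python is an added example, not Avaya code; it implements the RFC 3414 password-to-key and key-localization steps and the HMAC-96 authentication parameter, and checks the MD5 result against the RFC's own test vector. The engine IDs, password and message bytes in demo() are constructed for the example.

```python
"""SNMPv3 USM key derivation and HMAC-96 authentication (RFC 3414).

Added example, not Avaya code. Engine IDs, password and message in demo()
are constructed for the example.
"""
import hashlib
import hmac

STRETCH_BYTES = 1048576   # RFC 3414 A.2: hash exactly 1 MiB of the repeated password
AUTH_PARAM_LEN = 12       # HMAC-96 truncation, RFC 3414 sections 6 and 7


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: the password repeated to 1 MiB and hashed once (md5 or sha1)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (STRETCH_BYTES // len(password) + 1))[:STRETCH_BYTES]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 section 2.6."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_auth_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized authentication key for one user on one engine."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_param(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC(Kul, wholeMsg).

    RFC 3414 computes the HMAC over the message with the authentication
    parameter field zeroed; callers pass the message in that form.
    """
    return hmac.new(kul, whole_msg, algo).digest()[:AUTH_PARAM_LEN]


def verify_auth_param(kul: bytes, whole_msg: bytes, received: bytes,
                      algo: str = "md5") -> bool:
    """Constant-time comparison of the received parameter with the expected one."""
    return hmac.compare_digest(auth_param(kul, whole_msg, algo), received)


# RFC 3414 appendix A.3.1 test vector (MD5).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_MD5_KU = "9faf3283884e92834ebc9847d8edd963"
RFC3414_MD5_KUL = "526f5eed9fcce26f8964c2930787d82b"


def demo() -> dict:
    """Constructed exchange: a key localized to engine A authenticates on A only."""
    engine_a = bytes.fromhex("8000000001010203")   # constructed engine IDs, not real ones
    engine_b = bytes.fromhex("8000000001010204")
    password = b"correct horse battery"            # constructed password
    msg = b"\x30\x20constructed-snmpv3-message-bytes"  # stand-in for the encoded message
    kul_agent = usm_auth_key(password, engine_a, "sha1")
    tag = auth_param(kul_agent, msg, "sha1")
    return {
        "same_engine": verify_auth_param(usm_auth_key(password, engine_a, "sha1"), msg, tag, "sha1"),
        "other_engine": verify_auth_param(usm_auth_key(password, engine_b, "sha1"), msg, tag, "sha1"),
        "md5_vector_ok": usm_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "md5").hex() == RFC3414_MD5_KUL,
    }


if __name__ == "__main__":
    print(demo())
```

The same localization applies to the privacy (DES) key, so a manager that stores keys rather than passwords must store them per engine ID. hashlib may refuse "md5" on FIPS-restricted Python builds; the SHA-1 path is unaffected.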

6.2.6. SSH

• crypto key generate dsa

• ip ssh enable

• no ip ssh

• disconnect ssh

• show ip ssh

6.2.7. System Logging

• set logging file enable

• set logging file disable

• set logging file condition

• show logging file condition

• show logging file content

• clear logging file

• set logging server enable

• set logging server disable

• clear logging server

• set logging server condition

• show logging server condition

• set logging server facility


• set logging server access-level

• set logging session enable

• set logging session disable

• set logging session condition

• show logging session condition

• set secure mac

• clear secure mac

• show secure mac

6.2.8. Upload/Download

• show upload status (replaces show tftp upload status)

• show download status (replaces show tftp download status)

• copy scp module-config

• copy scp stack-config

• copy scp startup-config

• copy module-config scp

• copy stack-config scp

• copy running-config scp

• copy startup-config scp

7. Previous Software Versions

Version Changes

3.5

3.8

3.9

3.11

4.0

• First release of P332G-ML and P332GT-ML stackable switch

• Support for the P333T-PWR Power over Ethernet switch

• Set welcome message command

• Reset stack command

• Immunity to SNMP attack (according to the Oulu University SNMP vulnerability test suite) on the router and agent interfaces

• First release of the P334T-ML stackable switch

• Prevents access to the switch agent and router interfaces with unauthorized SNMP read/write communities, providing enhanced management security

• Allowed Managers

• Support for five simultaneous Telnet sessions

• Automatic PSU type detection

• Single software image file for both P332G-ML and P332GT-ML for easier downloading.

• Rapid Spanning Tree (RSTP) – IEEE 802.1w

• Port-based network access control (PBNAC) – IEEE 802.1x

– on P334T-ML 10/100 ports only

• Strict and user-configurable weighted round-robin queuing algorithm

• MAC aging

• Enhanced port redundancy

• New and enhanced CLI commands

• Single software version for all P330-ML switches (P332G-ML, P332GT-ML and P334T-ML) for easier downloading.

• Policy functionality enhancements:

— Increase in number of available policy lists to 20 (of which one is the active list)

— The default policy source is “local”

— Different DSCP mapping can be associated with each access list

— The P334T-ML supports Multilayer policy on its 10/100 Mbps ports.

4.0 (continued)

• Layer 3 functionality enhancements:

— Fragmentation and reassembly of packets to or from the router IP interfaces.

— RIP timers configuration.

— OSPF passive interface

— BOOTP / DHCP relay enhancement

— Each one of the three possible next hop IP addresses of a static route can be added or deleted separately, using the [no] ip route CLI command.

— Rate limiting of ICMP echo reply from the router entity.

8. Downloading Software

Download the 4.5 firmware as follows.

Use the following command in the Avaya P330 CLI:

copy tftp SW_image <image-file> EW_archive <filename> <ip> <mod_num>

where:

image-file: Firmware image file name (full path)

filename: Embedded Web file name (full path), or “dummy” if you do not wish to download the Embedded Web firmware

ip: The IP address of the TFTP server

mod_num: Target module number

Please see the appropriate User’s Guide for related information.

Note: When you upgrade from version 3.x to version 4.5, you should first upgrade to version 4.0. Only then upgrade to 4.5. You can obtain firmware version 4.0 from www.avaya.com/support.

© 2004 Avaya Inc. All rights reserved. All trademarks identified by the ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.

Document number: 10-300092
