FIRMWARE CHANGE HISTORY ----------------------- IBM RackSwitch G8316 Version 7.8.15.0 (Released July 2014) ** Changes since the 7.8.10.0 release ** Enhancements: None Changes: - Internal debug usernames have been removed from the firmware to prevent potential backdoor access. (XB282666) Fixes: None ================================================================================ IBM RackSwitch G8316 Version 7.8.10.0 (Released June 2014) ** Changes since the 7.8.1.0 release ** Enhancements: None Changes: - Added the Machine Type Model 7120-16E to identify Lenovo as a distribution channel. (XB275997) - A security vulnerability existed in the OpenSSL Protocol that is used in IBM System Networking Ethernet Switches. (CVE-2014-0224) Fixes: None ======================================================================================== IBM RackSwitch G8316 Version 7.8.1.0 (Released December 2013) New and Updated Features: ------------------------- OpenFlow 1.3.1 Support: ----------------------- Added support for OpenFlow Switch Specification Version 1.3.1; including but not limited to the following key features: * L3 MPLS * Static LAG * MAC/IP masking * Flexible Table Miss and Fail Secure * 40Gb support * Static CLI for Flow Programming * OpenFlow 1.0 backward compatability Full Private VLAN: ------------------ This feature supports Private VLAN configurations as described in RFC 5517. Enhanced Number of FCoE Sessions: --------------------------------- Number of FCoE sessions increased to 2000. Decoupling active VLANs from MSTP configuration: ------------------------------------------------ This feature enables the decoupling of the VLAN(s) configuration from MSTP configuration and changes the MSTP configuration menu to a more simplified one. By doing so, specifying a mapping between VLAN(s) and MSTI will not create any VLAN(s) and the participation of the VLAN(s) in MSTP will not depend on the VLAN(s) creation. NIST SP 800-131A Compliance: ---------------------------- Added a mode of operation that forces the device to operate and secure network operations in a manner that is fully compliant to the NIST SP 800-131A security standard. Removed support for obsolete cryptographic algorithms DES and MD5, as well as protocols like SSLv3, even in the non-compliant mode. Use SHA-256 as default: ----------------------- Set SHA-256 as the default and preferred hashing algorithm for all secured network operations where applicable. This includes TLS certificates and cipher suites with HMAC SHA-256 in TLS. Security Enhancements: ---------------------- Updated default protocols used for configuration to be secure. Devices will use secure protocols by default for configuration; for example: SSH, HTTPS, and SNMPv3. Insecure protocols are disabled by default for configuration; for example: Telnet, HTTP, and SNMPv1/v2. Also added a default user whose password must be changed after initial login. Remove Switch Type from login display: -------------------------------------- Removed Switch Type from login display. ACL6 Metering: -------------- Added metering support for IPv6 ACLs similar to the IPv4 ACLs. QoS Monitoring: --------------- This feature enhances the QoS statistics by presenting the COS statistics per port and per COS queue used. OSPF 20 Areas: -------------- Added support for upto 20 OSPF Areas. Increase Local Users: --------------------- Added support for up to 20 local user accounts with different privilege levels. syslog console and buffer severity: ----------------------------------- This feature provides a mechanism to configure severity level for log messages displayed on the console as well as for the syslog messages stored locally on the switch. Fixes: - A Security vulnerability existed in the TLS protocol versions TLS1.0 and earlier, in that an attacker could potentially discover the TLS session key. Added a configurable CLI option to restrict the minimum allowable protocol version of TLS, from TLS1.0 through TLS1.2. This is so that the user can avoid this vulnerability described in CVE-2011-3389, by selecting a higher protocol version that is not vulnerable to attack (TLS1.1 and above) ======================================================================================== IBM RackSwitch G8316 Version 7.7.5.0 (Released August 2013) ** Changes since the 7.7.3.0 release ** Enhancements: None Changes: - Dynamic link aggregation (LACP) ports that are not able to converge with peer ports will now result in a link-down state. This will occur when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBMNOS products using LACP ports, it is recommended to install complimentary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior. Fixes: - Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649) - User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484) - A prolonged period of high CPU utilization can lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the break down of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network, and the inevitable network loop. (70887) - A hang of the Switch's I2C bus could occur, leading to a reset of the Switch by the hardware watchdog. (71721) - The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP Walks being stuck indefinitely at that point. (71785) - Disabling LACP (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port would be in the BLOCKING state (as designed). (71805, 71822) - Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841) - With STP in PVRST mode and with a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844) - A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749) - Attempting to set port speed via the CMM would fail. (XB171317) - If the CMMs had "Failover on Physical Network Link" enabled (default), and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285) - An IP address could not simultaneously be configured as a global DHCP server address, and a broadcast-domain DHCP server address. (XB172381) - A crash would occur while handling an SNMP “Get” Request for the Object that contains UFP information pertaining the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919) - A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets. (XB199890) - If in Stacking mode, the switch would no longer receive time-sync updates from NTP servers over IPv6 interfaces after a CMM failover. (XB200147) - NTPv3 authentication information was being added to outgoing NTP Client Requests, even when authentication was disabled on the Switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e,, not respond to the Client Requests). (XB204541) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895) - If the switch's Hostname was used to access the switch via BBI (i.e., relying on DNS instead of inputting the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876) =============================================================================== IBM RackSwitch G8316 Version 7.7.3.0 (Released, June 2013) Enhancements: Enhanced Password security -------------------------- This feature provides stronger login enforcements for userIDs and password by forcing the local user passwords to be case sensitive, 8-64 character mix of uppercase letters, lowercase letters, numbers, and special characters, including at least one of each. Configurable port for SFTP -------------------------- This enhancement provides an option to perform SFTP operations on the switch using port numbers that can be configured explicitly (different from standard port 22) Microburst Detection -------------------- Microburst or congestion detection and control per port basis from ingress point of view based on shared memory usage and statistics logs per port per queue basis from egress point of view. DHCP Option 7 and option 12 --------------------------- These features enhance the DHCP client support on the switch to support Option 12 which defines the configuration of hostname and Option 7 which is used to get the syslog server address from DHCP server. Duplicate IP Detection ---------------------- The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address. OpenFlow 1.0 ------------ OpenFlow support has been added in this release. Hotlinks + STP -------------- In prior releases, STP needs to be disabled globally when Hotlinks feature is configured. This feature removed this limitation of having to globally disable STP. BGP multipath relax ------------------- This functionality allows load balancing across different autonomous system paths that have equal AS path length. vLAG+PIM Dense Mode ------------------- Enable the PIM protocol over the vLAG topology in dense mode for efficient multicast forwarding. Fixes: - A Security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149). - A Security vulnerability existed in IBM Switches which support Fibre Channel over Ethernet (FCoE), in that data frames were being flooded out of every port if the destination address was not in the MAC table. (CVE-2013-0570). ====================================================================== RackSwitch G8316 Firmware Release Version 7.6.7.0 (Released October 2013) ** Changes since the 7.6.6.0 release ** Enhancements: None. Changes: None. Fixes: - Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649) - A crash would occur when routing packets to an unreachable IPv6 gateway. (68081) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749) - BGP neighborship sessions would flap when receiving BGP route messages that contained community attributes (XB194426) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895) - The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108) - A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions. (XB209257) - A crash would occur if the traceroute command was executed with an IPv6 address specified, and no IPv6 management interfaces were configured. (XB215717) - A crash would occur if a ping was issued to a random host name, and an IPv6 DNS server was unreachable or non-existent (XB216882) - A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. (XB217674) - A crash would occur if a TFTP upload or download was attempted, and no IPv6 interfaces were configured. (XB218041) - The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795) - A crash would occur when receiving a random sequence of IGMPv3 reports that were interleaved from different Multicast receivers. (XB219263) - Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985) ====================================================================== RackSwitch G8316 Firmware Release Version 7.6.6.0 (Released July 2013) ** Changes since the 7.6.5.0 release ** Enhancements: None. Changes: None. Fixes: - A Security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149) - A Security vulnerability existed in IBM Switches which support Fibre Channel over Ethernet (FCoE), in that data frames were being flooded out of every port if the destination address was not in the MAC table. (CVE-2013-0570) ======================================================================= RackSwitch G8316 Firmware Release Version 7.6.5.0 (Released April 2013) ** Changes since the 7.6.3.0 release ** Enhancements: None. Changes: - Added the ability in Hotlinks configurations to enable STP on non-Hotlinks ports, thus removing the previous restriction that STP be globally disabled whenever the Hotlinks feature was enabled. (67161) Fixes: - With Putty SSH client version v0.61 or later, if the amount of data being transferred is larger than the Putty Channel Window (16KB), the client will send an SSH channel request to the server. The issue was that the switch would misinterpret this request and erroneously close the session, and display the "ERROR in processing the SSH message(payload too large)" message at the terminal. (65974) - Polling the Forwarding Database via SNMP would result in prolonged high CPU utilization if the same MAC addresses were learned in multiple VLANs. This would make it difficult for the CPU to process BPDUs in a timely manner, possibly resulting in an STP topology change. (66621) - A crash would occur when booting if the "logging synchronous" command was in the startup configuration. (66885) - FTP sessions establisehed over an IPv6 interface could close unexpectedly during data transfer. (67076) - A crash would occur during reboot if the "no tacacs-server enable-bypass" command was present the start-up configuration, but the "tacacas-server enable" command was not. (67376) - A crash could occur when polling the Forwarding Database via SNMP. (67410) - With Hotlinks configured, the STP configuration would be lost when the mode was changed from RSTP to MSTP. (67522) - After disabling the Virtual Router group, the "show running" command would erroneously display the factory default information for the group. (67667) - If the LACP member port for which the PBR next-hop ARP entry was associated went down, traffic destined for the next-hop router would temporarily be lost. (68150) - After a VRRP fail-over (i.e., the Master switch goes down), the route to the PBR next-hop Router would not always be reestablished after the Backup switch became the Master, and traffic would not resume. (68352) - In a Hotlinks topology, copying either the active or backup configuration to the running configuration could lead to the HotLinks standby interface being put into the forwarding state, resulting in a network loop. (68596) - When uploading a configuration file via a Microsoft Windows SCP client, and/or if the file had been previously saved in the Windows file format, the error message "Warning : Switch type not specified. Configuration may not load properly" would be displayed. This was actually a benign error, since the upload would actually complete successfully. (69045) - Removing a VLAN from a Spanning Tree Group (STG) other than the Default STG (STG 1) would inadvertently trigger a topology change in the Default STG. (69303) - After a failover in a Hotlinks topology with more than 500 VLANs, some MAC entries would not be re-programmed in the new Master switch's Forwarding Database (FDB), resulting in flooding within the associated VLANs. (69413) - With STP disabled, MAC entries associated with a physical port would not be removed from the Forwarding Database (FDB) after adding the port to portchannel. (69571) - After changing the LACP key using the "lacp key xxx" command, the peer switch would generate a syslog recording the change, but the trunk number referenced in the syslog message would be invalid. (69590) - After a failover in a Hotlinks topology the with uplinks configured as portchannels, some MAC entries would not removed from the new Backup switch's Forwarding Database (FDB), resulting in flooding within the associated VLANs. (69917) - A crash would occur when sequentially executing the "interface [port | portchannel] shut" and "interface [port | portchannel] no shut" commands, after sFlow packets had previously been received. (70199) =============================================================================== Version 7.6.3.0 (Released February 2013) ** Changes since the 7.6.1.0 release ** Enhancements: None. Changes: - Added support for power supplies that meet the new China Compulsory Certificate (CCC) requirements for altitude and humidity. (68356) Fixes: None =============================================================================== Version 7.6.1.0 (Released December 2012) New and Updated Features ======================== BGP Route-reflector support: -------------------- Route Reflection is a technique to avoid a large number of sessions between IBGP peers. In this release, support for RFC4456 (BGP Route Reflection - An Alternative to Full Mesh Internal BGP (IBGP)) has been added. SNMP: Support for 8 Read-Only and Read-Write communities: --------------------------------------------------------- This release adds support for 8 read-community names(Read-Only), and 8 write-community names(Read-Write) with SNMPv1 and SNMPv2. RFC5340: OSPF For IPv6: ----------------------- The switch was previously compliant with RFC2740. Starting with this release, the switch is compliant with RFC5340, which supersedes RFC2740. VLAG and PIM Support: --------------------- Previous releases supported IP Multicast routing through the PIM protocol. Also previously supported was the VLAG (Virtual Link Aggregation) protocol. This release adds support for PIM over a vLAG topology, so that the most efficient multicast routing can be achieved in a vLAG topology. NTP Client Display Improvements: --------------------------------- The Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet. With the NTP service enabled, the switch can accurately update its internal clock to be consistent with other devices on the network. In this release, the "show ntp" command has been updated with such details as clock offset, stratum, and reference clock. Also in this release is a dampening of the number of syslog messages generated when the system clock is updated or if NTP synchronization fails. Cisco like CLI: --------------- As part of this change, some existing ISCLI commands have been modified to look more like those in Cisco's IOS. The commands chosen for modification in this release are ones frequently used for VLAN, Port, and STP configuration. With these changes, those familiar with Cisco-IOS CLI can more readily configure the IBM-NOS VLAN, Port, and STP modules. Support for 4K VLANS: ----------------- Increased the scalability of VLANS from 2K to 4K