FIRMWARE CHANGE HISTORY
-----------------------

IBM RackSwitch G8264CS Version 7.8.10.0 (Released March 2015)

** Changes since the 7.8.8.0 release **

Enhancements: none

Changes:
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3572, CVE-2015-0204, CVE-2014-8275, CVE-2014-3570.
- Fixed security vulnerabilities as reported in CVE Advisories CVE-2014-0191 (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2), CVE-2013-2566 (RC4 algorithm, TLS protocol).

Fixes: none

================================================================================

IBM RackSwitch G8264CS Version 7.8.8.0 (Released November 2014)

** Changes since the 7.8.7.0 release **

Enhancements:

LACP Individual Mode
--------------------
When this feature is enabled on an LACP port-channel, if a member port of the port-channel does not receive any LACPDU over a period of time, it will be treated as a normal port which may forward data traffic according to its STP state.

Changes: none

Fixes:
- FCoE sessions could flap due to high CPU utilization caused by the software flooding of Clear Virtual Links packets with an unknown destination MAC in the FCoE VLAN. (LV296464)
- Configuration changes could be denied with the error "Error: STP cannot be enabled on FC port ." if any VLAN assigned to a Fibre Channel port is a member of an MSTP instance. (X294677)

================================================================================

IBM RackSwitch G8264CS Version 7.8.7.0 (Released September 2014)

** Changes since the 7.8.6.0 release **

Enhancements:

EasyConnect
-----------
Easy Connect is a feature which allows the user to easily apply a series of customizable and canned configurations based on common deployment scenarios requiring little network administration or additional network design.
Changes: none

Fixes:
- FCoE sessions would flap at random and the message "Could not read FC module temperature" would be logged, due to a deadlock on the I2C bus shared between the Ethernet and Fibre Channel modules. (XB281638)
- All FCoE FIP solicitation messages were tied to the lowest numbered port in the NPV VLAN, even when no FCF ports were online in the NPV VLAN. (XB290563)
- A crash would occur after multiple failed attempts to log in via SSH or BBI, if secure-backdoor is enabled and the configured remote RADIUS/TACACS authentication servers can be reached. (XB293746, XB292790)
- Secure-backdoor access to the switch fails via SSH when the configured remote RADIUS/TACACS authentication servers can be reached. (XB293743, XB294261)
- Secure-backdoor and backdoor access to the switch via SSH fails to prompt for a username. (XB292116, XB293076)
- Changes to configuration are denied with the error "Error: Ports x and y have the same LACP admin key but different link settings (speed/duplex/flowcontrol)." when links x and y with dissimilar cables (i.e. DAC and SFP+) are aggregated. (XB282364)
- Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511. (XB293143)
- Changes to configuration are denied with the error "Error Ports ... have the same LACP admin key but different STP edge settings" after a non-existing VLAN is added to a port, if LACP and STP edge/portfast are both enabled on the port. (XB282083)
- Executing the "copy tech-support" family of commands could result in instability in the stack and cause FCoE sessions to flap. (XB274963)

================================================================================

IBM RackSwitch G8264CS Version 7.8.6.0 (Released July 2014)

** Changes since the 7.8.5.0 release **

Enhancements: None

Changes:
- Internal debug usernames have been removed from the firmware to prevent potential backdoor access.
  (XB282666)

Fixes: None

================================================================================

IBM RackSwitch G8264CS Version 7.8.5.0 (Released June 2014)

** Changes since the 7.8.4.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in the OpenSSL library that is used in IBM System Networking Ethernet Switches. (CVE-2014-0224)

Fixes: None

========================================================================================

IBM RackSwitch G8264CS Version 7.8.4.0 (Released June 2014)

New and Updated Features:
-------------------------

Virtual Link Aggregation Group (VLAG):
--------------------------------------
Typically, Spanning Tree Protocol (STP) is used to prevent broadcast loops, blocking redundant uplink paths. This has the unwanted consequence of reducing the available bandwidth between the layers by as much as 50%. In addition, STP may be slow to resolve topology changes that occur during a link failure, and can result in considerable MAC address flooding.

Using VLAGs, the redundant uplinks remain active, utilizing all available bandwidth. Two switches are paired into VLAG peers, and act as a single virtual entity for the purpose of establishing a multi-port trunk. Ports from both peers can be grouped into a VLAG and connected to the same LAG-capable target device. From the perspective of the target device, the ports connected to the VLAG peers appear to be a single trunk connecting to a single logical device. The target device uses the configured Tier ID to identify the VLAG peers as this single logical device. It is important that you use a unique Tier ID for each VLAG pair you configure.

The VLAG-capable switches synchronize their logical view of the access layer port structure and internally prevent implicit loops. The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding.
VLAGs are also useful in multi-layer environments for both uplink and downlink redundancy to any regular LAG-capable device.

Full Private VLAN:
------------------
This feature supports Private VLAN configurations as described in RFC 5517.

QoS Monitoring:
---------------
This feature enhances the QoS statistics by presenting the COS statistics per port and per COS queue used.

Enhanced Number of FCoE Sessions:
---------------------------------
The number of FCoE sessions has been increased to 2000.

SNMP support for management via IBM Systems Director:
-----------------------------------------------------
This feature adds SNMP support for configuration and management of FC features to enable management of the switch via IBM Systems Director.

Decoupling active VLANs from MSTP configuration:
------------------------------------------------
This feature decouples the VLAN configuration from the MSTP configuration and simplifies the MSTP configuration menu. Specifying a mapping between VLANs and an MSTI no longer creates any VLANs, and the participation of the VLANs in MSTP no longer depends on the VLANs having been created.

NIST SP 800-131A Compliance:
----------------------------
Added a mode of operation that forces the device to operate and secure network operations in a manner that is fully compliant with the NIST SP 800-131A security standard. Removed support for the obsolete cryptographic algorithms DES and MD5, as well as protocols such as SSLv3, even in the non-compliant mode.

Use SHA-256 as default:
-----------------------
Set SHA-256 as the default and preferred hashing algorithm for all secured network operations where applicable. This includes TLS certificates and cipher suites with HMAC SHA-256 in TLS.

Switch Login display:
---------------------
When the "system notice" attribute is configured, the information which identifies the Switch Product Name is no longer displayed in the login banner.
https support for IBM Flex System Manager (FSM) to download the Qbg Virtual Service Interface (VSI) Database:
----------------------------------------------------------------------------------------------------------
FSM provides the VSIDB service and requires an SSL connection to communicate with the VSIDB client for enhanced security. This feature provides SSL support for the VSIDB client to retrieve the VSIDB from FSM.

ACL6 Metering:
--------------
Added metering support for IPv6 ACLs similar to the IPv4 ACLs.

Increase Local Users:
---------------------
Added support for up to 20 local user accounts with different privilege levels.

syslog console and buffer severity:
-----------------------------------
This feature provides a mechanism to configure the severity level for log messages displayed on the console as well as for the syslog messages stored locally on the switch.

BGP DSCP Marking:
-----------------
This feature allows users to configure the DSCP value to be used in the IP header of outgoing BGP packets.

BGP next hop self:
------------------
BGP routing updates sent to a neighbor contain the next hop IP address used to reach a destination. In eBGP, the edge router, by default, sends its own IP address as the next hop address. However, this can sometimes cause routing path failures in Non-Broadcast Multiaccess (NBMA) networks and when the edge router sends iBGP updates. To avoid routing failures, you can manually configure the next hop IP address. In the case of NBMA networks, you can configure the external BGP speaker to advertise its own IP address as the next hop. In the case of iBGP updates, you can configure the edge iBGP router to send its IP address as the next hop.

BGP Multihop TTL Security:
--------------------------
This feature protects BGP peering sessions against CPU-exhaustion attacks by validating the TTL in incoming BGP packets.

LLDP MIB:
---------
This feature supports the LLDP MIB per the IEEE 802.1AB standard.
LLDP vendor information display:
--------------------------------
In prior releases, LLDP was disabled by default. This feature enables LLDP by default, disables the optional TLVs, corrects the vendor information and adds three new commands that show more detailed LLDP information.

SNMP and BBI for OSPFv3:
------------------------
BBI and SNMP support for OSPFv3 over IPsec has been added.

4K VLAN Support:
----------------
Up to 4095 VLANs per switch are supported.

Fibre Channel ISL E_Port support:
---------------------------------
FC E_Port support has been added. E_Ports (expansion ports) connect two full fabric switches to form an inter-switch link (ISL).

Fixes:
- A security vulnerability existed in TLS protocol versions TLS 1.0 and earlier, in that an attacker could potentially discover the TLS session key. Added a configurable CLI option to restrict the minimum allowable protocol version of TLS, from TLS 1.0 through TLS 1.2, so that the user can avoid the vulnerability described in CVE-2011-3389 by selecting a higher protocol version that is not vulnerable to the attack (TLS 1.1 and above).

========================================================================================

IBM RackSwitch G8264CS Version 7.7.8.0 (Released December 2013)

** Changes since the 7.7.5.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in TLS protocol versions TLS 1.0 and earlier, in that an attacker could potentially discover the TLS session key. To prevent this, a configurable CLI option was added to restrict the minimum allowable protocol version of TLS, from SSLv3 through TLS 1.2. (CVE-2011-3389)

Fixes:
- A crash would occur when routing packets to an unreachable IPv6 gateway. (68081)
- A crash would occur during TACACS+ authentication when receiving optional attributes (during the authorization stage).
  (68473)
- With Layer-2 Failover configured, data traffic would momentarily be interrupted while transitioning from the active port to the standby port during a failover. (XB172186, XB222079)
- The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108)
- Valid LLC frames received would erroneously be reported as ingress errors if they included an 802.1Q VLAN tag. (XB208414, XB227573)
- A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions. (XB209257)
- A crash would occur if the traceroute command was executed with an IPv6 address specified and no IPv6 management interfaces were configured. (XB215717)
- Connecting to a Secure FTP server using a human-readable hostname would fail (it would only work when an IP address was explicitly specified). (XB216488)
- A crash would occur if a ping was issued to a random host name and an IPv6 DNS server was unreachable or non-existent. (XB216882)
- A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. (XB217674)
- In a VRRP topology, when the Nessus security-scanning tool performed the "failed login" test via SSH, the VRRP process on the backup switch could fail to receive advertisement packets from the VRRP master within the specified threshold, leading to an oscillation between master and backup states. (XB217716)
- A crash would occur if a TFTP upload or download was attempted and no IPv6 interfaces were configured. (XB218041)
- The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795)
- FCoE connections could be lost when receiving FLOGI packets in rapid succession from servers hosting a large number of FCoE-enabled Virtual Machines.
  (XB220347)
- Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985)
- A crash would occur when performing an SNMP Get operation upon index 128 of the stpInfoPortTable object. (XB249428)
- An over-temperature condition could occur, leading to a loss of FCoE connections and traffic. (XB255903)

========================================================================================

IBM RackSwitch G8264CS Version 7.7.5.0 (Released August 2013)

** Changes since the 7.7.3.0 release **

Enhancements: None

Changes:
- Dynamic link aggregation (LACP) ports that are not able to converge with peer ports will now result in a link-down state. This will occur when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBM NOS products using LACP ports, it is recommended to install complementary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior.
- Added support for new front-to-back airflow power supplies (part numbers 94Y8104 and 94Y8105).

Fixes:
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649)
- User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484)
- A prolonged period of high CPU utilization could lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the breakdown of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network, and the inevitable network loop.
  (70887)
- A hang of the switch's I2C bus could occur, leading to a reset of the switch by the hardware watchdog. (71721)
- The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP walks being stuck indefinitely at that point. (71785)
- Disabling LACP (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port would be in the BLOCKING state (as designed). (71805, 71822)
- Inefficiencies in the periodic polling of I2C devices would result in a persistent high CPU-utilization condition. (71814)
- Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841)
- With STP in PVRST mode and with a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source IP address of 0.0.0.0. (71749)
- Receiving multicast packets on server-facing ports at a high rate could cause FCoE sessions to go down momentarily. (XB148188)
- Attempting to set port speed via the CMM would fail. (XB171317)
- If the CMMs had "Failover on Physical Network Link" enabled (default), and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285)
- An IP address could not simultaneously be configured as a global DHCP server address and a broadcast-domain DHCP server address. (XB172381)
- A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets.
  (XB199890)
- NTPv3 authentication information was being added to outgoing NTP client requests, even when authentication was disabled on the switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e., not respond to the client requests). (XB204541)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895)
- If the switch's hostname was used to access the switch via the BBI (i.e., relying on DNS instead of entering the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876)

======================================================================

IBM RackSwitch G8264CS 7.7.3.0 (Released June 2013)

Enhancements:

VMReady coexistence with QBG
----------------------------
In previous releases, VMready and QBG could not be enabled at the same time on the switch due to conflicting behavior. In this release, the user is allowed to run both VMready and QBG at the same time on the same switch.

Debug enhancements
------------------
Added debug commands to provide more detail than shown in the current counters. New commands were added for LACP packets and spanning tree BPDU packets.

Diff flash support in iSCLI
---------------------------
Provided a command in iSCLI to display the differences between the running configuration and the saved configuration. This functionality was already available in the IBMNOS CLI and is now added to the iSCLI.

VMcheck
-------
Provides a MAC checking mechanism to prevent untrusted devices from spoofing the MAC of a trusted device and gaining access to the VM network. When VMcheck is enabled on an ESX server port, virtual machines are only allowed to use their assigned MAC address.
VMcheck can be configured to disable the port, drop packets only from the intruding MAC, or only send a log if MAC checking detects a VM transmitting with a different MAC address than what is listed in VMware's vCenter.

Host Resources MIB (RFC-1514)
-----------------------------
Provided support for the standards-based HOST-RESOURCES-MIB defined in RFC 2790, allowing the switches to be managed by standard object IDs. The Host Resources MIB defines a uniform set of objects to manage host devices that are independent of the vendor, software or network capabilities. Implementation of the system and interface groups is mandatory.

Terminal-length 0 persistent
----------------------------
Provided isCLI commands for configuring the terminal length for CLI sessions. The commands are saved in flash for persistence across resets. A runtime option changes the terminal length for the current session without affecting the saved configuration.

Manual Reflective Relay mode for SRIOV/VEPA NICs
------------------------------------------------
Reflective relay is a basic feature of the switch. Manual reflective relay means the user configures reflective relay manually. Previously, reflective relay was enabled by Qbg automatically when an EVB profile was enabled on a port and the peer server requested it via LLDP, and there was no interface for the user to configure it. In this release we added the option for the user to configure reflective relay manually, especially when Qbg is disabled.

IPv6 Address support with VSIDB
-------------------------------
The servers on FSM use IPv6 addresses by default and support an IPv6 HTTP server, but an IPv6 HTTP client had not been supported by VSIDB so far. In this release, we added IPv6 HTTP client support to communicate with VSIDB.

Duplicate IP Detection
----------------------
The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address.
If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address.

DHCP Option 7 and Option 12
---------------------------
These features enhance the DHCP client support on the switch to support Option 12, which defines the configuration of the hostname, and Option 7, which is used to get the syslog server address from the DHCP server.

Enhanced Password security
--------------------------
This feature provides stronger login enforcement for user IDs and passwords by forcing local user passwords to be case sensitive and an 8-64 character mix of uppercase letters, lowercase letters, numbers, and special characters, including at least one of each.

Configurable port for SFTP
--------------------------
This enhancement provides an option to perform SFTP operations on the switch using port numbers that can be configured explicitly (different from the standard port 22).

BGP multipath relax
-------------------
This functionality allows load balancing across different autonomous system paths that have equal AS path length.

SMIS IPv6 support
-----------------
The Storage Management Initiative - Specification (SMIS) protocol was introduced in the last release to provide management of storage devices within the Fibre Channel fabric. In this release we introduced support to configure IPv6 switch management addresses.

LACP Suspend Port
-----------------
This feature provides the capability to allocate an assigned trunk to LACP ports by LACP key, which avoids a potential traffic loop caused by mis-connection or configuration error.

Static ARP entry with mcast address
-----------------------------------
Provides a solution to allow static unicast ARPs with multicast MAC entries to support networks using Microsoft NLB. IBM NOS now allows two enhancements: a multicast address can now be configured as a static ARP entry, and the static ARP entry does not require the port to be defined.
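The Duplicate IP Detection mechanism described in this release (a gratuitous ARP request for the switch's own address, and a syslog message if a reply arrives from another host) can be modelled end to end in a few lines. The following is an added example written for this page, not the switch's firmware; it builds standard IPv4-over-Ethernet ARP frames, parses them, and applies the conflict rule to constructed sample replies. Addresses and MACs are made up.

```python
"""Added example: duplicate IPv4 address detection via gratuitous ARP, modelled on
the release note (probe for own IP; a reply from another MAC means a conflict).
Constructed frames only; nothing is sent on the wire."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def fmt_ip(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def build_arp_frame(opcode: int, src_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes, dst_mac: bytes) -> bytes:
    """Ethernet II header followed by the 28-byte ARP body (IPv4 over Ethernet)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + src_mac + sender_ip + target_mac + target_ip


def build_gratuitous_request(own_mac: bytes, own_ip: bytes) -> bytes:
    """The probe the switch broadcasts: sender IP and target IP are both its own."""
    return build_arp_frame(ARP_REQUEST, own_mac, own_ip, b"\x00" * 6, own_ip, BROADCAST)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP fields, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(opcode, body[0:6], body[6:10], body[10:16], body[16:20])


def check_for_duplicate(own_mac: bytes, own_ip: bytes, frame: bytes) -> Optional[str]:
    """Return a syslog-style message when an ARP reply claims our IP from another MAC.

    Only replies count, as in the release note; replies about other addresses
    and our own (looped-back) replies are ignored."""
    pkt = parse_arp_frame(frame)
    if pkt is None or pkt.opcode != ARP_REPLY:
        return None
    if pkt.sender_ip != own_ip or pkt.sender_mac == own_mac:
        return None
    return (f"Duplicate IP address {fmt_ip(own_ip)} detected: "
            f"host {fmt_mac(pkt.sender_mac)} is using this switch's address")


# Constructed sample: the switch, a benign neighbour, and a host that replies
# with the switch's own IP address (the conflict case).
OWN_MAC, OWN_IP = bytes.fromhex("001122334455"), bytes([192, 168, 10, 2])
OTHER_MAC, OTHER_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 10, 7])

BENIGN_REPLY = build_arp_frame(ARP_REPLY, OTHER_MAC, OTHER_IP, OWN_MAC, OWN_IP, OWN_MAC)
CONFLICT_REPLY = build_arp_frame(ARP_REPLY, OTHER_MAC, OWN_IP, OWN_MAC, OWN_IP, OWN_MAC)

if __name__ == "__main__":
    print(len(build_gratuitous_request(OWN_MAC, OWN_IP)), "byte probe")
    for name, frame in (("benign", BENIGN_REPLY), ("conflict", CONFLICT_REPLY)):
        print(name, "->", check_for_duplicate(OWN_MAC, OWN_IP, frame))
```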
NTP Client Display Improvements:
--------------------------------
The Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet. With the NTP service enabled, the switch can accurately update its internal clock to be consistent with other devices on the network. The "show ntp" command has been updated with details such as clock offset, stratum, reference clock, etc. NTP enhancements have been provided to minimize the number of syslogs sent when NTP sync fails and when the system clock is updated.

SNMP and BBI Support for OSPFv3 and MLDv2
-----------------------------------------
The IPsec feature was provided in the 6.7 release but only in the command line interfaces. This release added configuration and monitoring support for MLDv2 via the BBI and SNMP interfaces.

SNMP trap for power failure
---------------------------
The IBM RackSwitch has hot-swappable redundant power supplies that can be monitored. When one power supply fails or is removed, the switch will send a failure notification SNMP trap. When the power supply returns to normal operation the switch will send another notification SNMP trap.

RFC5340 Support (OSPFv3 IPv6)
-----------------------------
Modifications to OSPF for IPv6 in order to update it from the currently supported RFC 2740 to the newer RFC 5340.

Distributed vSwitch and vSphere 5.0
-----------------------------------
A distributed vSwitch (dvSwitch) spans multiple hypervisors in a data center and simplifies virtual machine networking by enabling the administrator to set up virtual machine networking for the entire datacenter from a centralized interface.

SNMP: need 8 RO & RW communities
--------------------------------
Updated switch SNMP incoming packet processing to support 8 read community strings and 8 write community strings.

BGP Route Reflector
-------------------
Route reflector (RFC 4456) is a technique to avoid the large number of sessions between IBGP peers.
Typically BGP requires that IBGP peers be in a full mesh topology. For a large number of peers, scaling problems may appear. A route reflector (RR) is basically a router which distributes routes received from an IBGP peer to another IBGP peer.

Qbg/Vepa phase 2
----------------
Enable 802.1Qbg support with Virtual Ethernet Port Aggregator (VEPA) mode (also called reflective relay) per port.

BGP Debug
---------
This feature allows the administrator to turn on logging for BGP update messages sent to or received from a particular neighbor.

======================================================================

IBM RackSwitch G8264CS Version 7.1.6.0 (Released October 2013)

** Changes since the 7.1.5.0 release **

Enhancements: None

Changes: None

Fixes:
- User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484)
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649)
- A crash would occur when routing packets to an unreachable IPv6 gateway. (68081)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source IP address of 0.0.0.0. (71749)
- BGP neighborship sessions would flap when receiving BGP route messages that contained community attributes. (XB194426)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895)
- The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108)
- A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions.
  (XB209257)
- A crash would occur if the traceroute command was executed with an IPv6 address specified and no IPv6 management interfaces were configured. (XB215717)
- A crash would occur if a ping was issued to a random host name and an IPv6 DNS server was unreachable or non-existent. (XB216882)
- A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. (XB217674)
- A crash would occur if a TFTP upload or download was attempted and no IPv6 interfaces were configured. (XB218041)
- The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795)
- A crash would occur when receiving a random sequence of IGMPv3 reports that were interleaved from different multicast receivers. (XB219263)
- Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985)

=======================================================================

IBM RackSwitch G8264CS Version 7.1.5.0 (Released June 2013)

** Changes since the 7.1.3.0 release **

Enhancements: None

Changes:
- Added support for new front-to-back airflow power supplies (part numbers 94Y8104 and 94Y8105).

Fixes:
- A security vulnerability existed in the OSPFv2 routing protocol implementation that is used in IBM System Networking Ethernet Switches. (CVE-2013-0149)

=======================================================================

IBM RackSwitch G8264CS Version 7.1.3.0 (Released June 2013)

** Changes since the 7.1.2.0 release **

Enhancements: None

Changes: None

Fixes:
- Firmware upgrades could fail if a transceiver was removed or inserted during the process. The failure would be accompanied by the error message "CRC Error in KERNEL region".
- A security vulnerability existed in IBM switches which support Fibre Channel over Ethernet (FCoE), in that data frames were being flooded out of every port if the destination address was not in the MAC table. (CVE-2013-0570)

=======================================================================

IBM RackSwitch G8264CS Version 7.1.2.0 (Released June 2013)

Initial release.
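Fix XB220985 (listed under 7.7.8.0 and 7.1.6.0 above) concerns TCP segments with illegal flag combinations such as SYN+FIN that the switch's stack previously accepted rather than discarded. The following is an added example written for this page, not the switch's firmware: it parses the flags word of a standard 20-byte TCP header and applies the discard rule, generalising slightly beyond the note's single SYN+FIN case to other combinations that never occur in a conforming exchange. The sample segments are constructed.

```python
"""Added example: validation of TCP flag combinations, as in fix XB220985
(SYN+FIN segments must be dropped). Constructed headers only."""
import struct
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HEADER_LEN = 20


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """Minimal 20-byte header: data offset 5, checksum and urgent pointer zero."""
    offset_and_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_flags(segment: bytes) -> int:
    """Low 9 bits of the offset/flags word (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", segment[12:14])[0] & 0x1FF


def invalid_flag_reason(flags: int) -> Optional[str]:
    """Why a segment should be discarded, or None if the combination is legal.

    SYN+FIN is the case from the release note; the remaining checks are
    combinations that never occur in a conforming TCP exchange and that
    stateless filters commonly drop."""
    if flags & SYN and flags & FIN:
        return "SYN and FIN both set"
    if flags & SYN and flags & RST:
        return "SYN and RST both set"
    if flags & (FIN | SYN | RST | PSH | ACK | URG) == 0:
        return "no flags set (null segment)"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


def audit_segments(segments: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every segment the stack should discard."""
    dropped = []
    for i, seg in enumerate(segments):
        reason = invalid_flag_reason(parse_tcp_flags(seg))
        if reason is not None:
            dropped.append((i, reason))
    return dropped


# Constructed samples destined for the switch's SSH port (22): a normal
# handshake start, the SYN+FIN case from the fix, a normal FIN/ACK close,
# and a segment with no flags at all.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 22, SYN, seq=1000),
    build_tcp_header(40001, 22, SYN | FIN, seq=1000),
    build_tcp_header(40002, 22, FIN | ACK, seq=2000, ack=5000),
    build_tcp_header(40003, 22, 0),
]

if __name__ == "__main__":
    for idx, reason in audit_segments(SAMPLE_SEGMENTS):
        print(f"segment {idx}: drop ({reason})")
```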