FIRMWARE CHANGE HISTORY ----------------------- Lenovo RackSwitch G8124E Version 8.3.2.0 (Released July 2015) New and Updated Features: ------------------------- SNSC - No terminal prompting (aka Add 'terminal don’t-ask' for SNSC) -------------------------------------------------------------------- This feature implements a new CLI command “[no] terminal dont-ask” to turn off prompting for all CLI commands that would ask for user confirmation to proceed. This command will help SNSC to implement their “user command snippet” feature where they want no prompting but default behavior for CLI commands. STP range enhancement (STP range show running enhancement): ------------------------------------------------------------ The STP related configuration can be shown under STG range in show running output. BGP preappend AS Path ------------------------ Prepending AS path allows the switch to add its own AS number multiple times to the outbound routes to influence the BGP route selection of routers in other AS. With this feature, the switch can influence the BGP route selection so that one path is preferred over another. This is especially useful when customers are dual home to two different Internet Service Providers (ISPs) and they want to have a primary path to one ISP and use the other ISP as a backup path. OpenSSL RC4 Vulnerability ---------------------------- Disable the usage of the RC4 cipher in the VMWare vi client in order to avoid security vulnerabilities. Advisory 2291 – OpenSSL PSIRT Advisory 2309 – OpenSSL PSIRT Upgrade the OpenSSL library in order to avoid security vulnerabilities. Dynamic ARP Inspection ----------------------- Dynamic ARP Inspection is a security feature that enables the device to intercept and examine all ARP request and response packets in a subnet and discard those packets with invalid IP to MAC address bindings. This capability protects the network from some man-in-the-middle attacks. Fixes: XB217293 Display ARP entries for VLAN 4095 Enhancement to display the ARP table for MGMT VLAN 4095. ********************************************************************** ********************************************************************** ***** The release numbers listed below can only be installed ***** ***** on the IBM G8124 ***** ***** ***** ***** The enhancements, changes and fixes listed below are ***** ***** included for historical reference as they are applicable ***** ***** to the Lenovo G8124 ***** ********************************************************************** ********************************************************************** ********************************************************************** IBM RackSwitch G8124E Version 7.11.1.0 (Released November 2014) New and Updated Features: ------------------------- IGMPv3 on vLAG support ---------------------- IGMPv3 protocol can now be configured when the unit is part of a vLAG topology. Display ARP entries for VLAN 4095 ---------------------------------- This enhancement extends the display of ARP table to include the ARPs learnt on the dedicated management port. The details are covered in XB217293. TACACs --------- For remote authentication with SSH using bypass username, both local username and password will be prompted. BGP Preappend AS Path ---------------------- This enhancement allows route-map to specify up to 32 AS numbers to prepend to a matched route. Fixes: None ===================================================================== IBM RackSwitch G8124E Version 7.9.1.0 (Released June 2014) VLAG-PIM with multicast sources ------------------------------- PIM is a multicast routing protocol to route the multicast traffic from multicast source to the receiver. vLAG PIM defines how PIM protocol should work over the vLAG topology. This new enhancement enables support for vLAG PIM with multicast source connected in the L2 domain behind the vLAG ports. It defines the vLAG PIM protocol behavior and traffic routing across different multicast source and receivers. With this new enhancement, multicast source and receiver can be connected anywhere in the vLAG PIM environment.This also enables vLAG PIM support in a multi tier tenant environment with L2 VLAG on the bottom tier and L3 VLAG on the top tier. Decoupling active VLANs from MSTP configuration: ------------------------------------------------ This feature enables the decoupling of the VLAN(s) configuration from MSTP configuration and changes the MSTP configuration menu to a more simplified one. By doing so, specifying a mapping between VLAN(s) and MSTI will not create any VLAN(s) and the participation of the VLAN(s) in MSTP will not depend on the VLAN(s) creation. LACP Individual Mode -------------------- When this feature is enabled on an LACP port-channel, if a member port of the port-channel does not receive any LACPDU over a period of time, it will be treated as a normal port which may forward data traffic according to its STP state. VLAG-MSTP Enhancement --------------------- This enhancement removes STP configuration restrictions, such as changing the MSTP instance and VLAN associations, that were enforced in previous releases when vLAG and MSTP are both enabled. The vLAG interswitch link ports are no longer error-disabled when there's an MSTP region mismatch between the vLAG switches, instead a recurring warning message is generated during the duration of the configuration mismatch. STP Range enhancement --------------------- This feature is an enhancement for existing STP commands to support configuration of a range of STP groups at a time. IBM-NOS CLI removal ------------------- The IBM-NOS CLI will not be supported as of this release. All switches will boot up with ISCLI. The existing NOS CLI configuration still can be recognized and correctly converted to provide smooth migration for customers who have NOS CLI configuration. IPv6 Counter enhancement ------------------------ This release adds CLI and corresponding SNMP MIB objects for IPv6 counters. The feature provides support for IPv6 neighbor cache table statistics like: Current number of installed entries. Maximum number of entries supported by router. High Water of the ipv6 neighbor cache table. Clear statistics BGP Community Lite ------------------ This feature provides support for BGP community strings to be advertised in updates to neighbors.The switch will be configured to attach a community string to the route updates it sends to peers.In this release, the IBM switch will not make any routing changes or alterations to the community string when receiving updates with a community string attached. Display BGP Routes ------------------- This feature provides an option to display BGP advertised routes that have been advertised to a specific neighbor. Host-Resources MIB (RFC1514) ------------------------------------------- The Host Resources MIB (RFC 2790) defines objects which are common across many computer system architectures. SNMP ACL --------- This feature is an enhancement to add access control for SNMP requests. SNMP Trap Host --------------- This feature implements the SNMP interface for getting and setting SNMP host configuration for traps. ESN to SNMP ------------ This feature enables SNMP access to Electronic Serial Number of the switch. Compliance to NIST-800 131A ---------------------------- This release enables compliance to NIST SP800-131a. PSIRT - SSL Vulnerability [CVE-2011-3389] ----------------------------------------- This release addresses the SSL vulnerability as described in CVE-2011-3389. It allows the customer to configure the switch to explicitly restrict negotiated versions to a “minimum version” of ssl to force the switch to ensure that only “safe” versions are negotiated. Security vulnerability: Remove switch type from login display ------------------------------------------------------------- Removed the switch type prompt since this is a security vulnerability. Secure FTP ---------- This release adds support for Secure FTP (sFTP). Use SHA-256 as default: ----------------------- Set SHA-256 as the default and preferred hashing algorithm for all secured network operations where applicable. This includes TLS certificates and cipher suites with HMAC SHA-256 in TLS. IPSec over Virtual links ------------------------ OSPFv3 over IPSec on Virtual Links is needed to complete NIST IPSec certification for OSPFv3 traffic. IPSec is needed to secure IPv6 traffic. The feature will use IPv6 Authentication Header (AH) to provide authentication and IPv6 Encapsulating Security Payload (ESP) to provide authentication and confidentiality to virtual link packets. Password Fix-Up Mode --------------------- Password Fix-Up Mode enables admin user account recovery if administrator access is lost. This release adds the option to disable password fix-up functionality to let the administrator of the switch decide whether the Fix-Up mode should be enabled or not to cover security concerns. IPv6 Health Check ----------------- The release supports the use of IPv6 address for vLAG health check. RMON Support (RFC1757,RFC2819) --------------------------------- Remote network monitoring devices, often called monitors or probes, are instruments that exist for the purpose of managing a network. This release supports RMON for Ethernet statistics, Ethernet History as well as Alarm and Event groups. Layer 3 ARP Table full ----------------------- When the L3 ARP table is full, the switch will generate a new trap message in addition to the existing syslog message. Use SSH public keys for up to 20 local switch users/admins ----------------------------------------------------------- The feature allows users to login to switch via SSH using public key authentication instead of password authentication.When SSH is enabled the switch should support both password and public key authentication. The switch shall support up to 20 SSH public key users.  Fixes: - SNMP MIB walk could result in the flap of protocols such as VRRP, STP, LACP. (XB251897/XB253845) - Executing "show interface transceiver" command could result in the flap of protocols such as VRRP, STP, LACP. (XB253893) ================================================================================ IBM RackSwitch G8124 Version 7.7.5.0 (Released August 2013) ** Changes since the 7.7.3.0 release ** Enhancements: None Changes: SNMP ports that are not able to converge with peer ports will now result in a link-down state. This will occur when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBMNOS products using LACP ports, it is recommended to install complimentary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior. Fixes: - Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649) - User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484) - A prolonged period of high CPU utilization can lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the break down of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network, and the inevitable network loop. (70887) - The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP Walks being stuck indefinitely at that point. (71785) - Disabling LACP (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port would be in the BLOCKING state (as designed). (71805, 71822) - Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841) - With STP in PVRST mode and with a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844) - A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749) - Attempting to set port speed via the CMM would fail. (XB171317) - If the CMMs had "Failover on Physical Network Link" enabled (default), and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285) - An IP address could not simultaneously be configured as a global DHCP server address, and a broadcast-domain DHCP server address. (XB172381) - A crash would occur while handling an SNMP ?Get? Request for the Object that contains UFP information pertaining the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919) - A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets. (XB199890) - NTPv3 authentication information was being added to outgoing NTP Client Requests, even when authentication was disabled on the Switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e,, not respond to the Client Requests). (XB204541) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895) - If the switch's Hostname was used to access the switch via BBI (i.e., relying on DNS instead of inputting the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876) =========================================================================== IBM RackSwitch G8124E 7.7.3.0 (Released, June 2013) ------- Enhancements: LACP Suspend Port ----------------- This feature provides the capability to allocate an assigned trunk to LACP ports by LACP key, which avoids a potential traffic loop caused by mis-connection or error configuration. FCoE with LAG support in standalone mode solution ------------------------------------------------- Link Aggregration Group (LAG) also know as trunk, allows multiple ports on a switch to be combined together as a single link. To support the increasing demand of higher bandwidth to the uplink FCF in an FCoE environment, we added LAG support for our FCoE solution in this release. Duplicate IP Detection ---------------------- The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address. Hotlinks + STP -------------- In prior releases, STP needs to be disabled globally when Hotlinks feature is configured. This feature removed this limitation of having to globally disable STP. BGP multipath relax ------------------- This functionality allows load balancing across different autonomous system paths that have equal AS path length. vLAG+PIM Dense Mode ------------------- Enable the PIM protocol over the vLAG topology in dense mode for efficient multicast forwarding.