AOS-CX 10.10.1030 Release Notes
10000 Switch Series
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett
Packard Enterprise products and services are set forth in the express warranty statements accompanying
such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use,
or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard
Enterprise website.
Acknowledgments
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Chapter 1
AOS-CX 10.10.1030 release notes
Products supported
This release applies to the 10000 Switch Series. The following table lists any applicable minimum software
versions required for that model of switch.
If your product is not listed in the below table, no minimum software version is required.
Product number | Product name | Minimum software version
The Diffie-Hellman algorithm is no longer enabled by default for SSH key exchange. To enable Diffie-Hellman for key exchange, use the command ssh key-exchange-algorithms <KEY-EXCHANGE-ALGORITHM-LIST>.
AOS-CX BGP implementations support resolving a BGP route's nexthop to a default route (0.0.0.0/0). However, this is not generally recommended in network deployments. Because the default route is the route of last resort, resolving a BGP route's nexthop to it can cause routing loops if the network is not properly designed and monitored; route flaps and/or traffic drops may be observed in such cases.
In a future release, AOS-CX will not support resolving a BGP route's nexthop to a default route in the route table. To avoid this problem and to be prepared for the change, Aruba recommends configuring a more specific static route (or host route) for BGP nexthops that are multiple hops away and currently resolve via the default route.
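The resolution check behind this caveat, as an added example that is not part of the release notes or of AOS-CX: a small longest-prefix-match lookup over a constructed routing table that flags BGP next hops which resolve only via 0.0.0.0/0, and shows that adding the recommended more specific (host) static route removes that dependency. All prefixes and next-hop addresses are constructed sample values.

```python
import ipaddress

# Constructed sample routing table (not taken from the release notes): prefix -> route source.
SAMPLE_RIB = {
    "0.0.0.0/0": "static",       # route of last resort
    "10.1.0.0/16": "connected",
    "10.2.2.0/24": "ospf",
}


def longest_prefix_match(rib, address):
    """Return (network, source) of the most specific prefix covering address, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, source in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, source)
    return best


def nexthop_resolution(rib, nexthop):
    """Classify how a BGP next hop resolves: 'unresolved', 'default-route' or 'specific'."""
    match = longest_prefix_match(rib, nexthop)
    if match is None:
        return "unresolved"
    return "default-route" if match[0].prefixlen == 0 else "specific"


def audit_bgp_nexthops(rib, nexthops):
    """Return the next hops whose only resolving route is the default route (sorted)."""
    return sorted(nh for nh in nexthops if nexthop_resolution(rib, nh) == "default-route")


def with_host_routes(rib, nexthops, source="static"):
    """Return a copy of rib with a /32 (or /128) static host route for each next hop."""
    fixed = dict(rib)
    for nh in nexthops:
        addr = ipaddress.ip_address(nh)
        fixed[f"{addr}/{addr.max_prefixlen}"] = source
    return fixed


if __name__ == "__main__":
    peers = ["10.1.5.9", "192.0.2.7", "198.51.100.3"]   # constructed BGP next hops
    flagged = audit_bgp_nexthops(SAMPLE_RIB, peers)
    print("next hops depending on 0.0.0.0/0:", flagged)
    repaired = with_host_routes(SAMPLE_RIB, flagged)
    print("after adding host routes:", audit_bgp_nexthops(repaired, peers))
```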
If using the Web UI, you should clear the browser cache after upgrading to this version of software before logging
into the switch using a Web UI session. This will ensure the Web UI session downloads the latest changes.
Please specify the product and version for which you are requesting source code. You may also request a
copy of this source code free of charge at: https://hpe.com/software/opensource
Version history
All released versions are fully supported by Aruba, unless noted in the table.
Version | Release date | Description
10.10.0002 | 2022-06-21 | Initial release of AOS-CX 10.10. Released, fully supported, and posted on the Web.
Compatibility/interoperability
The switch web agent supports the following web browsers:
Edge (Windows) 41
Firefox (Ubuntu) 56
Safari (MacOS) 12
Recommended versions of network management software for switches found in this release note:
AirWave 8.2.14.1
NetEdit 2.5.0
To upgrade software using NetEdit, make sure to upgrade to the above version of NetEdit first and then execute
the switch software upgrade on devices discovered by this version of NetEdit.
Enhancements
This section lists enhancements added to this branch of the software.
For a list of enhancements in previous releases, refer to the AOS-CX Release Notes Portal.
The number listed with the category is used for tracking purposes.
Link Aggregation 220247
Symptom: An AOS-CX VSX Pair configured with an MC-LAG starts transmitting data on a LAG member while the partner port is still out of sync, causing traffic loss.
Scenario: The two virtual connect modules are connected via an MC-LAG to the VSX Pair. The upgrade process first upgrades one VC module and then the other. The LACP Partner takes roughly four minutes to transition from Out-of-Sync to In-Sync during a disruptive firmware upgrade for a specific module.
Feature caveats
The following are feature caveats that should be taken into consideration when using this version of the
software.
Feature | Description
TFTP | Blocksize greater than 1480 is not supported in 4100i, 6100 and 6000 Switch series.
VRRP | The same virtual link-local address cannot be used across different VRFs.
REST | Boundary values for match vni and set local preference in a route-map system cannot be set via the REST API and must be manually configured on the switch via the CLI.
Stateful L4 firewall | For locally-switched and routed flows on the switch, the traffic from the host is subject to policy processing only once, and only egress policy is enforced on the traffic egressing the workload and entering the switch.
Stateful L4 firewall | Stateful services for VRFs where route leaking is enabled are not supported.
Stateful L4 firewall | TCP state transition validation is not supported with VSX.
EVPN | After an issue with duplicate IPs on two VTEPs is resolved, the EVPN does not advertise the MAC/IP entry. As a workaround, clear the ARP table.
Classifiers | Classifier policies, IPv6 and MAC ACLs are not supported on egress.
Classifiers | Policies containing both MAC and IPv6 classes are not allowed.
Counters | Layer 3 Route-only port counters are not enabled by default. Enabling them will reduce IPv4 route scale to 80K.
ICMP Redirect | The switch may incorrectly duplicate an IP frame that triggers ICMP redirect.
Network Analytics Engine (NAE) | Agents monitoring a resource that has column type enum with a list of strings (as opposed to a single string enum) are not supported.
Network Analytics Engine (NAE) | NAE agents execute Command Line Interface (CLI) actions as the 'admin' user, so they have permission to run any command by default. However, when the authentication, authorization and accounting (AAA) feature is enabled, the same restrictions applied to 'admin' also apply to NAE agents. When using AAA, make sure to give the admin user permission to run all commands needed by enabled NAE agents; otherwise, some CLI commands may be denied and their outputs won't be available. Actions other than CLI won't be affected and will execute normally. Also, NAE agents don't authenticate, so the AAA service configuration must not block authorization for the unauthenticated 'admin' user. ClearPass doesn't support such a configuration, so it cannot be used as a TACACS+ server.
Network Analytics Engine (NAE) | The following tables are not supported for NAE scripts: OSPF_Route, OSPF_LSA, OSPF_Neighbor, BGP_Route.
OSPF | OSPFv2 and OSPFv3 do not support detailed LSA show commands.
REST | REST supports the 'admin' and 'operator' roles but does not work with TACACS+ command authorization.
RPVST+ and MSTP | Spanning Tree can only run in MSTP or RPVST+ mode.
VSX and Static VXLAN | Static VXLAN on VSX configuration is not supported. Use VSX and EVPN or VSX and HSC.
Known issues
The following are known open issues with this branch of the software. The Symptom statement describes
what a user might experience if this is seen on the network. The Scenario statement provides environment
details and trigger summaries. When available, the Workaround statement provides a workaround to the
issue.
Interface Persona 2478
Symptom: Once one switch is updated to the newer 10.10.1010 image, the older switch sometimes reboots with a Critical Service Fault. Following this reboot, the switch may get stuck in a boot loop, requiring the user to isolate the switch from the VSX peer to recover it.
Scenario: This issue can be encountered when performing a live upgrade from AOS-CX 10.09.1040 to 10.10.1010 while data traffic is passing through the VSX peer. This is timing related and is not seen every time.
Workaround: To avoid the boot loop described above, increase the age timeout for both stateless and stateful flows in PSM. Set both timeout values to 3600s (1 hour) before initiating the live upgrade. Once the live upgrade procedure is complete and both VSX peers are running the 10.10.1010 software image, the age timeouts can be restored to their original values. The default age timeout is 60s for stateless flows and 600s for stateful flows.
Physical Interfaces 2160
Symptom: When performing a reload of one member of the VSX pair, there is a lag between the time the reload command is issued and the time at which the MC L-Agg ports go down, instructing peer switches to send traffic to the other switch of the VSX pair. This issue is seen in a VSX switch pair where the switches have a large configuration.
Scenario: The impact is mostly seen in ALG operations. The two VSX switches stop syncing ALG state when the reload is initiated. If the reloading switch updates state before its ports go down, the other VSX member remains unaware of this.
Workaround: Perform VSX member reboots during maintenance windows. If it is essential that no state loss occurs, power-cycle the switch instead of performing a graceful reboot.
Physical Interfaces 2151
Symptom: When one member of the VSX pair reboots and comes back up, it takes a very long time for the VSX pair to get in sync. This issue is seen in a VSX switch pair where the switches have a very large configuration, specifically with a high number of Private VLANs.
Scenario: The MC-LAG legs on the newly rebooted member come up briefly, and traffic sent to the member is then dropped since the DSM does not have state. Once the VSX pair gets in sync, any state seen on the newly booted member is lost.
Workaround: The default vsx inter-switch-link peer-detect interval configuration is 300 seconds. To work around the above issue, set the configured value to a higher duration. The maximum configurable duration is 1800 seconds.
Slot Management 2391
Symptom: This issue occurs when an L2 port on which the switch is sending redirected traffic to a silent host is moved into a Link Aggregation while traffic is being sent.
Impact: Once the port is moved to the L-Agg, traffic to the host is dropped until the host MAC address is learnt. The traffic will not be flooded, and an ARP request will not be sent for the host. This continues until the host initiates communication and causes the MAC to be learned.
Workaround: Flapping the port causes ARP requests to be sent out afresh and triggers a MAC learn, allowing traffic to reach the host. It is recommended to bring down the port before moving it to an L-Agg, and bring the port up once it is part of the L-Agg.
VxLAN 1216
Symptom: A 10000 Series switch cannot be used as a border VTEP with PSM redirection enabled. L3VNI to L3VNI traffic cannot be supported with redirection. All multihop workflows will fail. The switch is not able to support firewalling on hosts directly attached to Borders with this limitation.
Scenario: A 10000 Series switch as a TOR switch and border VTEP.
VxLAN 1225
Symptom: Traffic from a VLAN with a policy to a VLAN without a policy cannot be supported.
Scenario: Firewall inspection cannot be disabled for selected VLANs. It needs to be enabled on all VLANs of a VRF for normal traffic to flow. For VLANs that need no firewall inspection, enable a policy with a permit-all rule.
VxLAN 1226
Symptom: TCP session information is synced locally within a VSX pair (TOR). When hosts/VMs move to new racks, the TCP session is unknown to the new TOR and will be dropped.
Scenario: This issue occurs during vMotion of hosts between TORs.
Workaround: Old sessions will have to be reconnected. New sessions are not impacted.
VxLAN 1244
Symptom: There is no support for application ALG for the firewall.
Scenario: Applications that use multiple ports (UDP/TCP) where the ports are dynamically negotiated will be affected.
VxLAN 1245
Symptom: Local proxy ARP cannot be disabled per VLAN.
Scenario: Deployments that require local proxy ARP.
Workaround: Proxy ARP needs to be disabled per port.
Port 1013
Symptom: A port with an AOC15 SFP might not link up after a link flap.
Scenario: If an AOC15 SFP is used and there are multiple port flaps, there is a chance that the port might not link up.
Workaround: Recover from this issue by issuing the shut and no shut commands on the port.
Stateful L4 firewall 985
Symptom: Glean traffic is not redirected to the Pensando Distributed Services Module (DSM) for policy evaluation.
Scenario: In a VLAN where policy enforcement is enabled, if there is a host which does not have ARP resolved, the first packet of this flow will not be redirected to the DSM for policy enforcement. The flow will not be evaluated, and the flow table will not be programmed based on this first packet. Once ARP is resolved, subsequent packets will be redirected to Elba for evaluation.
Workaround: None.
Core 454
Symptom: The show core-dump all command does not show cores from DSM.
Scenario: Core dumps from DSM are not shown in the output of the show core-dump all command in AOS-CX.
Stateful L4 firewall 343
Symptom: In a VSX deployment, the first packet of a flow of 9140 bytes or more will fail flow sync.
Scenario: This happens in a VSX scenario when flows need to be synchronized across the VSX peers to accommodate asymmetric traffic and firewall high availability. If the first packet of the flow is 9140 bytes or more, the flow will not be synchronized. This can happen for UDP/ICMP packets, as TCP SYN packets are not larger than 9140 bytes. Virtual Machines (VMs) running on ESXi should not encounter this issue since DVS limits the maximum MTU to 9000 bytes.
Workaround: None.
Upgrade information
AOS-CX 10.10.0002 uses ServiceOS DL.01.10.0002.
Each VSX switch in a pair must run the same version of AOS-CX. If a primary VSX switch is upgraded to 10.10.xxxx,
the secondary VSX switch must be immediately upgraded to that same version. If the ISL link is disabled and
enabled on VSX switches that are running different versions of AOS-CX, a VSX secondary switch running an older
version of AOS-CX may be unable to synch information from the VSX primary, which can cause the port state to
become blocked and lead to traffic loss.
1. Use the show checkpoint command to see the saved checkpoints and ensure that you have a checkpoint
that is an exact match of the target software version. (See the Image Version column in the output of the
command, for example, DL.10.10.yyyy)
This checkpoint can be the startup-config-backup automatically created during the initial upgrade or any
other manually created checkpoint for the target software version.
3. Boot the switch to the target version (lower version), making sure to select no when prompted to save the
current configuration.
This version may contain a change of BootROM from the current running version. A BootROM update is a non-
failsafe update. Do not interrupt power to the switch during the update process or the update could permanently
damage the device.
1. Copy the new image into the non-current boot bank on the switch using your preferred method.
2. Depending on the version being updated, there may be device component updates needed. Preview
any devices updates needed using the boot system <BOOT-BANK> command and entering n when
asked to continue.
For example, if you copied the new image to the secondary boot bank and no device component
updates are needed, you will see this:
In this example, three device updates will be made upon reboot, one of which is a non-failsafe device:
3. When ready to update the system, if a non-failsafe device update is needed, make sure the system
will not have any power interruption during the process. Invoke the allow-unsafe-updates
command to allow updates to proceed after a switch reboot. Proceed to step 4 within the configured
time.
switch# config
switch(config)# allow-unsafe-updates 30
Continue (y/n)? y
4. Use the boot system <BOOT-BANK> command to initiate the upgrade. On the switch console port an
output similar to the following will be displayed as various components are being updated:
ServiceOS Information:
Version: <serviceOS_number>
Build Date: yyyy-mm-dd hh:mm:ss PDT
Build ID: ServiceOS:<serviceOS_number>: 6303a2a501ba:202006171659
SHA: 6303a2a501bad91100d9e71780813c59f19c12fe
Boot Profiles:
0. Service OS Console
1. Primary Software Image [xx.10.10.1020]
2. Secondary Software Image [xx.10.10.1030]
Select profile(secondary):
ISP configuration:
Auto updates : enabled
Version comparisons : match (upgrade or downgrade)
Unsafe updates : allowed (less than 29 minute(s) remaining)
Advanced:
Config path : /fs/nos/isp/config [DEFAULT]
Log-file path : /fs/logs/isp [DEFAULT]
Write-protection : disabled [DEFAULT]
Package selection : 0 [DEFAULT]
Starting update...
Writing... Done.
Erasing... Done.
Reading... Done.
Verifying... Done.
Reading... Done.
Verifying... Done.
Multiple components may be updated and several reboots will be triggered during these updates. When all
component updates are completed, the switch console port will arrive at the login prompt with a display
similar to following:
switch login:
Aruba recommends waiting until all upgrades have completed before making any configuration changes.
Other resources
Aruba is committed to ensuring you have the resources you need to be successful. Check out these learning
and documentation resources:
- Fixes for security vulnerabilities are not documented in manuals, release notes, or other forms of product documentation.
- A Security Bulletin is released when all vulnerable products still in support life have publicly available images that contain the fix for the security vulnerability.