Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
Release Notes
Description
This release note covers software versions for the ArubaOS-CX 10.00 branch of the software.
If you run the
show version
command on the 8400, the version number will display XL.10.00.xxxx, where
xxxx is the minor version number.
ArubaOS-CX is a new, modern, fully programmable operating system built using a database-centric design that ensures higher availability and dynamic software process changes for reduced downtime. In addition to robust hardware reliability, the ArubaOS-CX operating system includes additional software elements not available with traditional systems, including the features included in the Enhancements section of this release note.
Version 10.00.0001 was the initial build of major version 10.00 software.
Product series supported by this software:
Aruba 8400 Switch Series
Important information
Version history
All released versions are fully supported by Hewlett Packard Enterprise, unless noted in the table.
Version number | Release date | Based on | Remarks |
---|---|---|---|
10.00.0019 | 2018-07-19 | 10.00.0018 | Released, fully supported, and posted on the web. |
10.00.0018 | 2018-05-18 | 10.00.0017 | Released, fully supported, and posted on the web. |
10.00.0017 | n/a | 10.00.0016 | Never released. |
10.00.0016 | 2018-05-02 | 10.00.0015 | Released, fully supported, and posted on the web. |
10.00.0015 | 2018-04-23 | 10.00.0014 | Released, fully supported, and posted on the web. |
10.00.0014 | 2018-04-06 | 10.00.0013 | Released, fully supported, and posted on the web. |
10.00.0013 | 2018-03-28 | 10.00.0012 | Released, fully supported, and posted on the web. |
10.00.0012 | 2018-03-13 | 10.00.0011 | Released, fully supported, and posted on the web. |
10.00.0011 | n/a | 10.00.0010 | Never released. |
10.00.0010 | 2018-02-28 | 10.00.0008 | Released, fully supported, and posted on the web. |
10.00.0009 | n/a | Never built. | |
10.00.0008 | 2018-02-15 | 10.00.0007 | Released, but never posted on the web. |
10.00.0007 | 2018-01-29 | 10.00.0006 | Released, fully supported, and posted on the web. |
10.00.0006 | 2018-01-10 | 10.00.0005 | Released, fully supported, and posted on the web. |
10.00.0005 | 2017-12-05 | 10.00.0004 | Released, fully supported, and posted on the web. |
10.00.0004 | 2017-11-14 | 10.00.0003 | Released, fully supported, and posted on the web. |
10.00.0003 | 2017-10-27 | 10.00.0002 | Released, fully supported, and posted on the web. |
10.00.0002 | 2017-10-16 | 10.00.0001 | Released, fully supported, and posted on the web. |
10.00.0001 | 2017-10-01 | Initial release of ArubaOS-CX 10.00 for the 8400 switch used by manufacturing for production. Not targeted for web posting. |
Products supported
Compatibility/interoperability
The switch web agent supports the following web browsers:
Browser | Minimum supported versions |
---|---|
Edge (Windows) | 38 |
Chrome (Ubuntu) | 54 (desktop) 56 (mobile) |
Firefox (Ubuntu) | 52 |
Safari (MacOS, IOS Only) | 10 |
Internet Explorer is not supported.
The following table provides information on compatibility of the switches found in this release note with network management software:
Management software | Supported version(s) |
---|---|
Airwave | 8.2.5 |
Network Automation | 10.10, 10.11, 10.20, 10.21, 10.30, 10.40 |
Network Node Manager i | 10.10, 10.20, 10.21, 10.30, 10.40 |
IMC | 7.3 (E0506P03) |
For more information, see the respective software manuals.
Minimum supported software versions
If your switch or module is not listed in the below table, it runs on all versions of the software.
Enhancements
This section lists enhancements added to this branch of the software.
Software enhancements are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.
Version 10.00.0019
No enhancements were included in version 10.00.0019.
Version 10.00.0018
Transceivers
Support for the Aruba 40G QSFP+ LC ER4 40km SMF XCVR (Q9G82A) and Aruba 10GBASE-T SFP+ RJ45 30m Cat6A XCVR (JL563A) transceivers has been added.
JL563A is only allowed for use in ports 1 thru 12 per module. Maximum of 12 transceivers per JL363A Aruba 8400X 32-port 10GbE SFP/SFP+ with MACsec Advanced Module.
Version 10.00.0017
Version 10.00.0017 was never released.
Version 10.00.0016
No enhancements were included in version 10.00.0016.
Version 10.00.0015
No enhancements were included in version 10.00.0015.
Version 10.00.0014
No enhancements were included in version 10.00.0014.
Version 10.00.0013
Hardware support
PVST convergence
PVST interoperability
Version 10.00.0012
No enhancements were included in version 10.00.0012.
Version 10.00.0011
Version 10.00.0011 was never released.
Version 10.00.0010
No enhancements were included in version 10.00.0010.
Version 10.00.0009
Version 10.00.0009 was never built.
Version 10.00.0008
No enhancements were included in version 10.00.0008.
Version 10.00.0007
VLAN names
Web UI and REST certificates
Version 10.00.0006
Hardware support
Loop protection clear statistics
Loop protection SNMP traps
MCLAG
Version 10.00.0005
Logging
OSPF
VLAN configuration display on trunk interface
Support was added to display VLAN configurations on a trunk interface. To display the configuration, use the
show interface trunk
command. For example:
switch# show interface trunk ---------------------------------------------------------------------- Port Native VLAN Trunk VLANs ---------------------------------------------------------------------- 1/1/17 None 10,20,30,40 1/1/19 20 20,30
VLAN custom description
Version 10.00.0004
ACLs
New CLI options ([interface
<ID> [{in|out}]]
) were added to display ACL statistics for a specific interface. If multiple ACLs are applied to an interface, the statistics for each ACL is displayed. The syntax of the
show access-list hitcounts
command is now the following:
show access-list hitcounts {ip|ipv6|mac} <ACL-NAME> [interface <ID> [{in|out}]]
For example:
switch# show access-list hitcounts ip My_ACL interface 1/1/1 Statistics for ACL My_ACL (ipv4): interface 1/1/1* (in): Hit Count Configuration - 10 permit udp any 172.16.1.0/24 - 20 permit tcp 172.16.2.0/16 gt 1023 any - 30 permit tcp 172.26.1.0/24 any syn ack dscp 10 0 40 deny any any any count * access-list statistics are shared among all applied interfaces use 'access-list TYPE NAME copy' to create a uniquely-named access-list
SNMP
Temperature
New event logging messages were added to indicate the line module has exceeded the temperature threshold (Over temperature for sensor
<SENSOR-NAME>,
<TEMP> C
) and when the line module is about to be shut down by the system (Module
<ID> shutdown initiated for sensor
<SENSOR-NAME>,
<TEMP> C
). LED indicators on the front of the chassis have also been modified to flash orange to help indicate the temperature issue exists.
Version 10.00.0003
No enhancements were included in version 10.00.0003.
Version 10.00.0002
Checkpoint configuration management
Aruba Network Analytics Engine: AI for Networking
The Aruba Network Analytics Engine is a first-of-a-kind built-in framework for network assurance and remediation. Combining the full automation and deep visibility capabilities of the ArubaOS-CX operating system, this unique framework allows monitoring, troubleshooting, and network data collection through simple scripting agents.
ArubaOS-CX REST API
Switches running the ArubaOS-CX software are fully programmable with a REST (Representational State Transfer) API, allowing easy integration with other devices both on premises and in the cloud. This programmability, combined with the Aruba Network Analytics Engine, accelerates network administrator's understanding of, and response to, network issues. The ArubaOS-CX REST API enables programmatic access to the ArubaOS-CX database at the heart of the switch. Because everything in the switch is modeled in a structured way, coupled with its programmability, it's capable of being highly automated. By using a structured model, changes to the content and formatting of the CLI output do not affect the programs you write.
Other software features
Other software features found in this release include the following:
Category | Features |
---|---|
Layer 2 | IEEE 802.3 Long frame (1518 to 1536 bytes) Jumbo frame (1536 to 9216 bytes) VLAN IEEE 802.1Q IEEE 802.1p RSTP (802.1w) MSTP (802.1s) LACP (802.3ad) Mirroring RPVST+ Loop Protect LLDP MVRP |
Layer 3 | ARP IP datagram forwarding IP options TCP (RFC 793) UDP (RFC 768) ICMP IPv6 ND IPv6 FIB Layer 3 routing interface VRF Lite |
Routing | IPv4 routing:
IPv6 routing:
|
Multicast | IGMP snooping IGMP v2/v3 PIM-SM |
ACL & QoS | Remarking 802.1p, DSCP, IP precedence, and local precedence by ACL rule Mapping 802.1p, DSCP, IP precedence, or local precedence to output queue Strict Priority Basic ACL Advanced ACL Rate limiting Weighted Fair Queuing Port priority |
Management | SNMP v2/v3 Public MIBs Private (Enterprise) MIBs Syslog/Debug Airwave IMC CLI Dual-image Console login SSH login Web UI sFlow Control Plane Policing |
Application protocols | Ping DNS client DHCP client DHCP relay TFTP client SFTP client NTP client |
High Availability | Redundant management module Hot-swappable line modules, fabric modules, power supplies, and fans VRRP Redundant fabric MCLAG |
Security | RADIUS TACACS+ |
Fixes
This section lists released builds that include fixes found in this branch of the software. Software fixes are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all fixes added in earlier versions.
The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue for customers who decide not to update to this version of software.
The number that precedes the fix description is used for tracking purposes.
Version 10.00.0019
Mirroring
CR_32072
Symptom: Traffic mirroring does not function properly.
Scenario: If a redundancy failover is performed while the line modules are still initializing, after the failover, traffic mirroring for enabled mirroring sessions may not work correctly.
Workaround: Disable and re-enable the mirroring session after the failover is completed and all line modules are fully initialized.
Version 10.00.0018
MCLAG
CR_30910
Version 10.00.0017
Version 10.00.0017 was never released.
Version 10.00.0016
MCLAG
CR_32753
Version 10.00.0015
CPU Utilization
CR_28803
DHCP Relay
CR_32077
Event Log
CR_31967
MCLAG
CR_31662
Symptom: The switch incorrectly forwards ARP requests through the inter-switch link instead of the correct switch LAG interface.
Scenario: After disabling a switch interface followed by removal and addition to a LAG interface, the switch may incorrectly forward the traffic through the ISL link instead of the correct LAG interface.
Workaround: Disable one link on either of the LAG interfaces.
Spanning Tree
CR_32336
Symptom: In certain cases, spanning tree fails to converge.
Scenario: When an interface participating in the spanning tree is changed from L2 to L3 and back to L2 interface, spanning tree may fail to converge.
Workaround: Disable and re-enable spanning tree whenever converting an L2 interface to an L3 interface.
Version 10.00.0014
Spanning Tree
CR_31376
Symptom: The network experiences spanning-tree instability issues.
Scenario: In a mixed spanning-tree topology with an ArubaOS-CX switch running RPVST on VLAN 1 and interoperating with a peer device running RSTP or RPVST, the spanning-tree may experience instability issues and frequent topology changes (TCN).
Workaround: Disable and re-enable the extended system-id on the ArubaOS-CX switch.
Version 10.00.0013
Event Log
CR_30649
Symptom: The switch event log reports a crash for the 'rsyslogd' process.
Scenario: In certain conditions, the switch may report in event logs a crash for "rsyslogd" process in a message similar to:
rsyslogd crashed due to signal:6
Workaround: The process will automatically restart after the crash and generate a core dump file listed in the
show core-dump all
command.
Multicast
CR_22901
CR_31167
Symptom: The switch enters a hung state and fails to reboot or failover to the second management module (if running on a chassis switch with dual management modules).
Scenario: When multiple IGMP reports for well known multicast group addresses are received, over time the switch may enter into a hung state and fail to reboot the switch to the second management module (if running on a chassis switch with dual management modules).
Workaround: Monitor switch memory utilization and if it is observed to increase over time, manually reboot the entire switch or switch over to the second management module to prevent entering the hung state. If the switch is already in a hung state, reboot the switch to clear the hung state.
Routing
CR_30663
SNMP
CR_31123
Symptom: The SNMP process randomly crashes.
Scenario: When there are simultaneous SNMP queries processed by the switch, such as SNMP walks and
show tech
collection, the SNMP process may crash and generate a core file listed in the
show core-dump all
command.
Workaround: The SNMP process will restart immediately after the crash.
Spanning Tree
CR_30621
Symptom: Spanning tree enters an inconsistent state.
Scenario: After a switch reboot, the switch interfaces participating in the spanning tree path may be incorrectly initialized causing the spanning tree topology to enter into an inconsistent state and potentially cause network loops.
switch(config)# no spanning-tree switch(config)# spanning-tree
Version 10.00.0012
DHCP Relay
CR_29443
Symptom: The DHCP-relay debug message displays with an incorrect severity level.
hpe-relay[1555]: debug|LOG_ERR|AMM|1/5|DHCPRELAY|DHCPRELAY|Packet discarded on interface ABDC as Interface IP address is 0.
Workaround: This is a debug message indicating the valid reason for the packet discard.
MCLAG
CR_30430
Symptom: The switch experiences traffic loss on non-ECMP next-hop routes.
Scenario: After one of the MCLAG nodes is rebooted, the switch may fail to redirect non-ECMP next-hop routes over the MCLAG and the switch may experience traffic loss on these links.
Workaround: Disable the affected non-ECMP links or reboot both MCLAG switches to clear the state.
TACACS
CR_30213
Symptom: The SSH daemon crashes with an error similar to
signal - 11
.
aaa authentication login default tacacs local service = exec { PRIV-LVL = 15 }
Workaround: Use RADIUS authentication for switch SSH access or configure the "priv-lvl" TACACS+ attribute in lower case.
Version 10.00.0011
Version 10.00.0011 was never released.
Version 10.00.0010
No fixes were included in version 10.00.0010.
Version 10.00.0009
Version 10.00.0009 was never built.
Version 10.00.0008
Console
CR_27420
Symptom: Unexpected messages are displayed on the switch console.
Scenario: After issuing the
boot system
command, the switch may randomly display unexpected messages on the switch console, similar to
[FAILED] Failed unmounting /run/netns
.
Workaround: None. These messages do not have any impact to the switch or protocol functionality.
DHCPv6
CR_29827
Symptom: Network clients are not able to obtain an IPv6 address from some DHCPv6 servers.
Scenario: When the switch is configured as a DHCPv6 relay agent, network clients may not be able to obtain an IPv6 address from some DHCPv6 servers.
Workaround: Do not allow the DHCP server to use the UDP source port from the packet forwarded by the agent.
SNMP
CR_29892
Symptom/Scenario: When running multiple and repetitive SNMP queries, the switch memory utilization may increase over time.
Workaround: If observed switch memory utilization increasing over time, disable the SNMP agent on the switch using the
no snmp-service vrf mgmt | default
command and then re-enable the agent using the
snmp-service vrf mgmt | default
command.
Spanning Tree
CR_29754
Symptom: The switch incorrectly places ports in "blocking" state.
Scenario: In an MSTP configuration, if an event (such as disabling or disconnecting a port) is causing a topology change, switch ports may be incorrectly placed in "blocking" state, potentially causing two switches to become root and preventing the spanning-tree topology from properly converging. When this condition happens, the received and sent BPDU counters do not match in the output of the
show spanning-tree detail
command.
Workaround: Rebooting the switch will clear the incorrect port status and allow the spanning tree topology to properly converge.
Version 10.00.0007
ARP
CR_28891
Symptom: In certain conditions, the switch experiences traffic loss.
Scenario: In a switch configured in an MCLAG topology with VRRP, when there is a MAC or ARP aging event or when the events are cleared using the
clear mac-address [ port | vlan ]
<PORTNAME | VLAN-ID>
or
clear arp
commands, the switch may experience traffic drops.
Workaround: Reboot the switch.
BGP
CR_22531
Symptom: Unable to remove the password for a BGP neighbor.
Scenario: When attempting to remove the BGP neighbor password using the
no neighbor
<ip-address> password
<password-string>
command, the configured password is not removed.
Workaround: Remove the
<password-string>
from the command, using just
no neighbor
<ip-address> password
.
CR_22993
Classifier
CR_28867
VLAN
CR_28993
Version 10.00.0006
Classifier
CR_28817
Console
CR_29108
LAG
CR_28392
Line module
CR_29090
Link Aggregation
CR_28992
Loop Protection
CR_27347
Symptom: The switch sends the incorrect event severity level for loop detection messages.
Scenario: The switch sends the syslog messages for loop detection as informational instead of warning messages.
Workaround: Consider the loop detection message as having a warning level, rather than an info level.
CR_27387
Symptom: The switch does not correctly display the loop detection.
Scenario: When loop protection action is configured for
do-not-disable
, the switch fails to update the loop detection status in the output of the
show loop-protect
command. For example:
Interface 1/1/1 Loop-protect enabled : Yes Action on loop detection : Do not disable Loop detected count : 0 Loop detected : No Interface status : up
Workaround: Verify the loop detection in the switch event logs:
|hpe-lpd|2803|LOG_INFO|AMM|1/5|Loop detected on port 1/1/1
NTP
CR_29252
Symptom: The switch line cards crash after execution of the
show ntp status
command.
Scenario: When the switch is configured with an NTP server and the switch time is subsequently manually changed using CLI commands, it may cause a software abort error in the dune-agent and the switch line modules entering an endless reboot cycle. The switch will generate event logs similar to
systemd-coredump|1201|LOG_CRIT|LC|1/1|dune_agent_0 crashed due to signal:6
hpe-cardd|3207|LOG_ERR|AMM|1/5|Line module 1/1 has failed: ASIC Error
hpe-cardd|3207|LOG_ERR|AMM|1/5|Line module 1/1 has failed: ASIC Error
Workaround: Perform the following:
- Remove NTP configuration from the switch.
no ntp server <ip_address>
Configure the switch with manual date and time
clock time <time> clock date <date>
Save the switch configuration and reboot the switch.
Do not change the switch time without a reboot.
Web UI
CR_28624
Version 10.00.0005
BGP
CR_22984
CR_25819
Configuration
CR_27983
Symptom: A switch with a configuration file out of the box may fail to correctly apply the added configuration.
forward traffic over the data plane interfaces
ping the IP addresses configured on the switch interfaces
route traffic between the Aruba 8400 switch and a peer device
link up switch interfaces
initialize connected LAG interfaces
Workaround: Zeroize the switch management module before additional configuration is added to the switch using the
erase all zerioze
command in the config context.
LLDP
CR_25313
Loop Protection
CR_27349
Symptom: Switch cannot enable loop protection on some interfaces.
Scenario: Switch cannot enable loop protection on a VLAN when all VLANs are allowed on a trunk interface. For example:
interface 1/1/24 no routing vlan trunk allowed all loop-protect vlan 1000 interface lag1 vlan allowed all loop-protect
Workaround: Have specific VLANs in the allowed list and then enable loop protection.
CR_27376
Symptom: In certain conditions, the switch may not properly detect network loops.
Scenario: When loop protection is enabled on an interface, the switch does not properly detect the network loops generated in the network segment connected on that switch interface.
Workaround: This issue is specific to switches running ArubaOS-Switch as the loop pair. Identify the redundant link and disable the alternate path.
OSPF
CR_25468
CR_17335
Symptom: Virtual link is not functioning as expected.
Scenario: Virtual link may not function as expected if the remote end is initially configured to be area 0 and later changed to a different area.
Workaround: Avoid area ID changes "on the fly". You can reboot the switch to solve the issue, if needed.
sFlow
CR_25865
Symptom: sFlow sampling will not work when line modules are in non-consecutive slots.
Scenario: If there is a gap between line modules, sFlow sampling will only work on the lowest numbered module before the gap. For example, if slots 1, 3, and 4 have line modules installed, but slot 2 does not, sFlow sampling will only work on the ports on line module 1.
Workaround: Install line modules in contiguous order starting at slot 1.
Web UI
CR_26451
Symptom/Scenario: When using the Firefox browser, a dialog box reporting an error on attempt to upload new firmware is displayed.
Workaround: When seeing this dialog, user needs to log out and clear the cache in the browser, then try to log in again and reattempt the upload. To clear cache, enter URL: about:preferences, then type cache in the search. Select Clear Now button to clear cache.
Version 10.00.0004
Classifier
CR_26047
Symptom: Switch does not display the proper error message in the output of
show class
<...>
CLI commands
Scenario: When there is no class configured, the switch does not display the expected
No Class found
message in the output of
show class
<...>
CLI commands.
Workaround: Use CLI command
show running-config
to verify classifier configuration.
Loop Protection
CR_27096
Symptom: Loop protection may not be enabled on all VLANs.
Scenario: Switch fails to enable loop protection on all VLANs using the CLI command
loop-protect vlan all
in the interface context.
The switch also returns an error message similar to
VLAN
<VLAN-ID> is not configured on the interface
when enabling loop-protect on an interface where all VLANs are allowed.
interface <INTF-NAME> no routing vlan trunk allowed all loop-protect vlan <VLAN-ID>
Workaround: Use a VLAN range to enable loop-protect on all VLANs, such as
loop-protect vlan
<1-4094>
.
Loopback
CR_23416
Symptom: An error string is shown in the event log about invalid command
no shutdown
for the loopback interface.
Scenario: The loopback interface displays
no shutdown
in the running configuration; however, the
shutdown
and
no shutdown
commands are not available for the loopback interface. This results in error messages when importing the configuration to the switch. This error can be ignored and will not impede importing the configuration file.
Workaround: This is a display issue only, with no functional impact.
Management
CR_22122
CR_26986
Power Supply
CR_25480
VLAN
CR_26840
Symptom: Line modules are rebooted causing momentary traffic loss until the modules are back in a "Ready" state.
Scenario: When a VLAN which has IGMP snooping enabled gets deleted without removing the IGMP snooping configuration, all the line modules see a fatal error and get rebooted.
Workaround: Before deleting the VLAN, un-configure IGMP snooping on the VLAN.
Web UI
CR_27066
CR_27323
Symptom: The switch fails to update the switch image version.
Scenario: After uploading a new switch image version using the Web UI Firmware Update page, the switch fails to update the information on the Web UI page.
Workaround: Use the browser Refresh button to refresh the information displayed on the Firmware Update page.
Version 10.00.0003
Classifier
CR_25894
Diagnostics
CR_26016
Symptom: Switch may fail to display the diagnostic information for some line modules.
Scenario: Switch may fail to display the diagnostic information such as memory or CPU for some line modules. An error message similar to
System resource utilization data not available
displays when using the
show system resource-utilization module
<MODULE-ID>
command.
Workaround: Use the
show system resource-utilization
command to check memory, CPU, and open FDs.
L3 Addressing
CR_26915
Symptom: A LAG IP address may not be correctly programmed.
Scenario: If the IP address is assigned to a LAG interface before assigning port members to the LAG interface, the LAG IP address may not be correctly programmed when the line module is reloaded or after a system reboot.
Workaround: Remove and re-assign the IP address to the LAG interface.
LAG
CR_26265
Symptom: A LAG interface may enter a blocked state.
Scenario: When all line modules are removed and reinserted, a LAG interface status may show blocked in the output of the
show lacp interfaces
command.
Workaround: Reload the module with the affected LAG interface using the
boot line-module
<MODULE-ID>
command.
LLDP
CR_26559
Loop Protection
CR_26766
Symptom: The switch may fail to re-enable an interface disabled by loop protection.
Scenario: When the loop protection timer is configured on an interface, the switch fails to re-enable the interface after consecutive disable/enable triggers on the interface due to loop detections.
Workaround: Once the loop is removed, manually enable the interface using the
no shutdown
command from the interface context.
NAE
CR_25443
Symptom: Network Analytics Engine (NAE) allows for empty parameter values to be present. The NAE user interface does not correctly display this particular case properly, and you may see red colored error text when editing a parameter that indicates that the value is missing or invalid; however, you can ignore it and continue to save edited parameters. The UI also does not display default values specified in the Python script while editing an agent. Empty parameters display red error text, indicating that the value is missing or invalid when it is in fact valid.
Scenario: When a script with empty parameter values is created and instantiated via REST and then the agent is edited in the UI, NAE displays red error text, indicating a value is missing or invalid, when it really is valid.
Workaround: The issue is visual only, you can save the agent without changing any parameter values, or cancel updating the agent.
OSPFv3
CR_26056
Symptom: Switch may fail to honor OSPF active/passive mode configuration.
Scenario: When OSPF passive mode is configured globally for all interfaces, OSPF interfaces configured individually for active mode may enter passive mode after a switch reboot. Similarly, when OSPF global passive-interface configuration is enabled on another VRF, the OSPF interfaces on the default VRF are set to passive mode after the switch reboot.
Workaround: Avoid creating a global "passive-interface default" configuration and configure the interface individually.
VRRP
CR_25532
Web UI
CR_24166
Symptom: The web UI displays a timeout error if the request takes more than 60 seconds to complete.
Scenario: When using the web UI to perform various operations, a timeout error may be displayed if the request takes more than 60 seconds to complete. One example of this is trying to copy one configuration to another (i.e. copy a configuration to startup-config).
Wait a few minutes and check the status of the operation to see if it was actually successful. For example, when updating the configuration, after a couple of seconds, on refreshing the page, the new startup config (which was requested to be copied over) can be seen with the updated time.
Use the CLI.
Issues and workarounds
The following are known open issues with this branch of the software.
The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue.
ARP
CR_25306
CR_25334
Symptom: Total number of neighbors is greater than the configured cache limit.
Scenario: Neighbor addition to the ARP table is not guaranteed when the amount of total neighbors is greater than the configured cache limit.
Workaround: Limit the total number of neighbors to be within the configured cache limit of 128K.
Jumbo Frames
CR_25546
L3 Addressing
CR_12008
CR_23936
LAG
CR_24779
Symptom: LAG assignments across multiple VRFs are impacted following configuration replay from a saved checkpoint with port-vrf assignment configurations.
Scenario: LAG assignments across multiple VRFs are retained even though the VRFs were deleted and the startup configuration was copied to the running configuration.
Workaround: Reboot the switch after the configuration from a checkpoint has been restored.
Multicast
CR_23498
NAE
CR_24268
OSPF
CR_08491
VRRP
CR_24910
Symptom: Unable to configure same IPv6 link local address as primary virtual IP address under different VRFs.
Scenario: Unique virtual link local addresses have to be configured for all VRRP IPv6 instances irrespective of VRF.
Workaround: Do not use the same virtual link local address across different VRFs.
Feature caveats
Feature | Description |
---|---|
sFlow and Mirroring | sFlow and port mirroring are mutually exclusive per port. A port cannot support both sFlow and mirroring at the same time. |
IGMP Snooping and MCLAG | IGMP Snooping and MCLAG are mutually exclusive within a VLAN. |
MVRP and MCLAG | MVRP is mutually exclusive with MCLAG. |
MCLAG and STP (RPVST+ or MSTP) | Spanning Tree (RPVST+ and MSTP) is mutually exclusive with MCLAG. |
RPVST+ and MSTP | Spanning Tree can only run in MSTP or RPVST+ mode. |
RPVST+ and MVRP | RPVST+ is mutually exclusive with MVRP. |
VRRP and Proxy ARP | VRRP is mutually exclusive with Proxy ARP on the same interface. |
IGMP/PIM on Loopback and GRE interfaces | PIM and IGMP cannot be enabled on Loopback and GRE interfaces. |
Supportability | Syslog server configuration is supported on the default VRF for access over data ports. |
Counters | Layer 3 Route-only port counters are not enabled by default. Enabling them will remove them from the counter resources shared with ACLs. |
Counters | Counters are shared between ACL and Layer 3 ports. The Max number of ACL entries with count action plus Layer 3 counters is: JL363A=24K, JL365A=24K, JL366A=8K. Enabling counters on a Layer 3 port consumes 6 ACL counter entries. |
Counters | Classifier Counters: Max number Classifier entries with count action: JL363A=12.8K, JL365A=12.8K, JL366A=6.4K. |
UDLD | For a UDLD-enabled interface to not lose traffic during a failover operation, the result of multiplying 'interval' and 'retries' should be at least 8 seconds. The default values are 7000 ms (interval) x 4 (retries) = 28 seconds. |
Network Analytics Engine (NAE) | Agents monitoring a resource that has column type enum with a list of strings (as opposed to a single string enum) is not supported. |
Network Analytics Engine (NAE) | After management module failover, up to 5 minutes of alert history could be lost. |
Network Analytics Engine (NAE) | The following tables are not supported for NAE scripts: OSPF_Route, OSPF_LSA, OSPF_Neighbor, BGP_Route. |
Network Analytics Engine (NAE) | Network Analytics Engine (NAE) agents execute Command Line Interface (CLI) actions as 'admin' user, so they have permission to run any command by default. However, when the authentication, authorization and accounting (AAA) feature is enabled, the same restrictions applied to 'admin' will also apply to NAE agents. Keep that in mind when configuring the AAA service, e.g. TACACS+, and make sure to give admin user permission to run all commands needed by enabled agents. Otherwise, some CLI commands may be denied and their outputs won't be available. Actions other than CLI won't be affected and will execute normally. Also, NAE agents won't authenticate, thus the AAA service configuration must not block authorization for unauthenticated 'admin' user. ClearPass doesn't support such configuration, so it cannot be used as a TACACS+ server. |
Classifiers | IPv4 egress ACLs can be applied only to route-only ports. |
Classifiers | Classifier policies, IPv6 and MAC ACLs are not supported on egress. |
Classifiers | DSCP remarking is performed only on routed packets. |
Classifiers | For security ACLs, HPE strongly encourages modifications be done as a two step process: Bring down the port and then modify. |
Classifiers | Policies containing both MAC and IPv6 classes are not allowed. |
REST | REST supports the 'admin' and 'operator' roles but does not work with TACACS+ command authorization. |
REST | With the exception of ACLs and VLANs, REST APIs using POST/PUT/DELETE are not validated before performing the function. Therefore, to avoid unintended results or side effects, HPE recommends testing the API write action first. |
Upgrade information
Version 10.00.0019 uses ServiceOS GT.01.01.0005.
Do not interrupt power to the switch during this important update.
File transfer methods
The switches support several methods for transferring files to and from a physically connected device or via the network, including TFTP, SFTP, and USB. This section explains how to download and run new switch software.
Enabling the management port
You must be in the config context to enable the management port. If you have reset your switch to factory defaults, execute the following commands to enable the management port, after getting into the config context.
The management port is connected and configured to use DHCP for obtaining the IP address. Both TFTP and SFTP use the management port to download the image onto the switch.
File transfer setup
TFTP
Before using TFTP to transfer the software to the switch, make sure:
A software version for the switch has been stored on a TFTP server accessible to the switch via management port. (The software file is typically available from the Switch Networking website at http://www.hpe.com/networking/support.)
The switch is properly connected to your network via the management port and has already been configured with a compatible IP address and subnet mask.
- The TFTP server is accessible to the switch via IP. Before you proceed, complete the following:
Obtain the IP address of the TFTP server in which the software file has been stored.
Determine the name of the software file stored in the TFTP server for the switch (for example, ArubaOS-CX_8400X_10_01_0001.swi.)
If your TFTP server is a UNIX workstation, ensure that the case (upper or lower) that you specify for the filename is the same case as the characters in the software filenames on the server.
SFTP
For some situations you may want to use a secure method to issue commands or copy files to the switch. By opening a secure, encrypted SSH session and enabling IP SSH file transfer, you can then use a third-party software application to take advantage of SFTP. SFTP provide a secure alternative to TFTP for transferring information that may be sensitive (like switch configuration files) to and from the switch. Essentially, you are creating a secure SSH tunnel as a way to transfer files with SFTP channels.
Before using SFTP to transfer the software to the switch, make sure:
A software version for the switch has been stored on a computer accessible to the switch via management port. (The software file is typically available from the Switch Networking website at http://www.hpe.com/networking/support.)
The switch is properly connected to your network via the management port and has already been configured with a compatible IP address and subnet mask.
- The computer containing the software image is accessible to the switch via IP. Before you proceed, complete the following:
Obtain the IP address of the computer on which the software file has been stored.
Determine the name of the software file stored on the computer for the switch (for example, ArubaOS-CX_8400X_10_01_0001.swi.)
Establish a secure encrypted tunnel between the switch and the computer containing the software update file (for more information, see the Fundamentals Guide for your switch).
NOTE:This is a one-time procedure. If you have already setup a secure tunnel, you can skip this step.
Enable secure file transfer using the
ssh server vrf <VRF-name>
command (for more information, see the Command-Line Interface Guide for your switch).switch(config)# ssh server vrf mgmt
USB
Before using USB to transfer the software to the switch, make sure to:
Store a software version on a USB flash drive.
Insert the USB device into the active management module's USB port.
Determine the name of the software file stored on the USB flash drive.
Enable USB on the switch:
switch(config)# usb switch(config)# do usb mount switch(config)# do show usb Enabled: Yes Mounted: Yes
Copying the software and rebooting the switch
Hewlett Packard Enterprise security policy
Fixes for security vulnerabilities are not documented in manuals, release notes, or other forms of product documentation.
A Security Bulletin is released when all vulnerable products still in support life have publicly available images that contain the fix for the security vulnerability.
Finding Security Bulletins
- Go to the HPE Support Center - Hewlett Packard Enterprise at www.hpe.com/support/hpesc.
- Enter your product name or number and click Go.
- Select your product from the list of results.
- Click the Top issues & solutions tab.
- Click the Advisories, bulletins & notices link.
Security Bulletin subscription service
You can sign up at http://www.hpe.com/support/Subscriber_Choice to initiate a subscription to receive future Hewlett Packard Enterprise Security Bulletin alerts via email.
Websites
Networking Websites
- Hewlett Packard Enterprise Networking Information Library
- Hewlett Packard Enterprise Networking Software
- Hewlett Packard Enterprise Networking website
- Hewlett Packard Enterprise My Networking website
- Hewlett Packard Enterprise My Networking Portal
- Hewlett Packard Enterprise Networking Warranty
General websites
- Hewlett Packard Enterprise Information Library
For additional websites, see Support and other resources.
Support and other resources
Accessing Hewlett Packard Enterprise Support
For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website:
Information to collect
Technical support registration number (if applicable)
Product name, model or version, and serial number
Operating system name and version
Firmware version
Error messages
Product-specific reports and logs
Add-on products or components
Third-party products or components
Accessing updates
Some software products provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method.
To download product updates:
- Hewlett Packard Enterprise Support Center
- www.hpe.com/support/hpesc
- Hewlett Packard Enterprise Support Center: Software downloads
- www.hpe.com/support/downloads
- Software Depot
- www.hpe.com/support/softwaredepot
To subscribe to eNewsletters and alerts:
To view and update your entitlements, and to link your contracts and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page:
Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HPE Passport set up with relevant entitlements.
Customer self repair
Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider or go to the CSR website:
Remote support
Remote support is available with supported devices as part of your warranty or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product's service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support.
If your product includes additional remote support details, use search to locate that information.
Remote support and Proactive Care information
- HPE Get Connected
- www.hpe.com/services/getconnected
- HPE Proactive Care services
- www.hpe.com/services/proactivecare
- HPE Proactive Care service: Supported products list
- www.hpe.com/services/proactivecaresupportedproducts
- HPE Proactive Care advanced service: Supported products list
- www.hpe.com/services/proactivecareadvancedsupportedproducts
Proactive Care customer information
- Proactive Care central
- www.hpe.com/services/proactivecarecentral
- Proactive Care service activation
- www.hpe.com/services/proactivecarecentralgetstarted
Warranty information
To view the warranty information for your product, see the links provided below:
- HPE ProLiant and IA-32 Servers and Options
- www.hpe.com/support/ProLiantServers-Warranties
- HPE Enterprise and Cloudline Servers
- www.hpe.com/support/EnterpriseServers-Warranties
- HPE Storage Products
- www.hpe.com/support/Storage-Warranties
- HPE Networking Products
- www.hpe.com/support/Networking-Warranties
Regulatory information
To view the regulatory information for your product, view the Safety and Compliance Information for Server, Storage, Power, Networking, and Rack Products, available at the Hewlett Packard Enterprise Support Center:
Additional regulatory information
Hewlett Packard Enterprise is committed to providing our customers with information about the chemical substances in our products as needed to comply with legal requirements such as REACH (Regulation EC No 1907/2006 of the European Parliament and the Council). A chemical information report for this product can be found at:
For Hewlett Packard Enterprise product environmental and safety information and compliance data, including RoHS and REACH, see:
For Hewlett Packard Enterprise environmental information, including company programs, product recycling, and energy efficiency, see:
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.