FIRMWARE CHANGE HISTORY
-----------------------

IBM RackSwitch G8052 Version 7.7.5.0 (Released August 2013)

** Changes since the 7.7.3.0 release **

Enhancements: None.

Changes:
- Dynamic link aggregation (LACP) ports that are not able to converge with peer ports will now result in a link-down state. This will occur when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBM NOS products using LACP ports, it is recommended to install complementary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior.

Fixes:
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649)
- User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484)
- A prolonged period of high CPU utilization can lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the breakdown of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network, and the inevitable network loop. (70887)
- The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP walks being stuck indefinitely at that point. (71785)
- Disabling LACP (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port would be in the BLOCKING state (as designed). (71805, 71822)
- Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841)
- With STP in PVRST mode and with a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844)
- A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749)
- Attempting to set port speed via the CMM would fail. (XB171317)
- If the CMMs had "Failover on Physical Network Link" enabled (default), and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285)
- An IP address could not simultaneously be configured as a global DHCP server address and a broadcast-domain DHCP server address. (XB172381)
- A crash would occur while handling an SNMP "Get" Request for the Object that contains UFP information pertaining to the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919)
- A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets. (XB199890)
- NTPv3 authentication information was being added to outgoing NTP Client Requests, even when authentication was disabled on the switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e., not respond to the Client Requests). (XB204541)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895)
- If the switch's hostname was used to access the switch via BBI (i.e., relying on DNS instead of entering the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876)

===============================================================================

IBM RackSwitch G8052 Version 7.7.3.0 (Released June 2013)

Enhancements:

Enhanced Password Security
--------------------------
This feature provides stronger login enforcement for user IDs and passwords by requiring local user passwords to be case sensitive and to consist of 8-64 characters mixing uppercase letters, lowercase letters, numbers, and special characters, with at least one of each.

DHCP Option 7 and Option 12
---------------------------
These features enhance the DHCP client support on the switch with Option 12, which configures the hostname, and Option 7, which obtains the syslog server address from the DHCP server.

Duplicate IP Detection
----------------------
The switch uses a simple mechanism to detect whether two hosts on the same subnet are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address.

OpenFlow 1.0
------------
OpenFlow support has been added in this release, with an increase in ACL support from 1K to 2K.

Hotlinks + STP
--------------
In prior releases, STP had to be disabled globally when the Hotlinks feature was configured. This release removes that limitation.

BGP multipath relax
-------------------
This functionality allows load balancing across different autonomous system paths that have equal AS path length.

TAGIPVID
--------
Enables outer VLAN tag insertion in the port ingress direction. With this capability, handling of the outer tag becomes symmetric for both directions (ingress and egress) and for both untagged and single-tagged packets (inside the switch, these become single-tagged and double-tagged, respectively).

Fixes:
- A security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149).

===================================================================================

RackSwitch G8052 Firmware version 7.6.3.20 (released October 2013)

** Changes since the 7.6.3.10 release **

Enhancements: None.

Changes: None.

Fixes:
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649)
- A crash would occur when routing packets to an unreachable IPv6 gateway. (68081)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749)
- BGP neighborship sessions would flap when receiving BGP route messages that contained community attributes. (XB194426)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895)
- The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108)
- A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions. (XB209257)
- A crash would occur if the traceroute command was executed with an IPv6 address specified, and no IPv6 management interfaces were configured. (XB215717)
- A crash would occur if a ping was issued to a random host name, and an IPv6 DNS server was unreachable or non-existent. (XB216882)
- A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. (XB217674)
- A crash would occur if a TFTP upload or download was attempted, and no IPv6 interfaces were configured. (XB218041)
- The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795)
- A crash would occur when receiving a random sequence of IGMPv3 reports that were interleaved from different Multicast receivers. (XB219263)
- Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985)

======================================================================

RackSwitch G8052 Firmware version 7.6.3.10 (released July 2013)

** Changes since the 7.6.3.0 release **

Enhancements: None.

Changes: None.

Fixes:
- A security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149).

===================================================================================

RackSwitch G8052 Firmware version 7.6.3.0 (released February 2013)

** Changes since the 7.6.1.0 release **

Enhancements: None.

Changes:
- Added support for power supplies that meet the new China Compulsory Certificate (CCC) requirements for altitude and humidity. (68354)

Fixes: None.

===================================================================================

RackSwitch G8052 Firmware version 7.6.1.0 (released December 2012)

New and Updated Features
========================

BGP Route Reflection:
---------------------
Route Reflection is a technique to avoid a large number of sessions between IBGP peers. In this release, support for RFC 4456 (BGP Route Reflection - An Alternative to Full Mesh Internal BGP (IBGP)) has been added.
SNMP: Support for 8 Read-Only and Read-Write communities:
---------------------------------------------------------
This release adds support for 8 read-community names (Read-Only) and 8 write-community names (Read-Write) with SNMPv1 and SNMPv2.

RFC 5340: OSPF for IPv6:
------------------------
The switch was previously compliant with RFC 2740. Starting with this release, the switch is compliant with RFC 5340, which supersedes RFC 2740.

NTP Client Display Improvements:
--------------------------------
The Network Time Protocol (NTP) is widely used to synchronize computer clocks on the Internet. With the NTP service enabled, the switch can accurately update its internal clock to be consistent with other devices on the network. In this release, the "show ntp" command has been updated with such details as clock offset, stratum, and reference clock. Also in this release is a dampening of the number of syslog messages generated when the system clock is updated or if NTP synchronization fails.

Cisco-like CLI:
---------------
As part of this change, some existing ISCLI commands have been modified to look more like those in Cisco's IOS. The commands chosen for modification in this release are ones frequently used for VLAN, Port, and STP configuration. With these changes, those familiar with the Cisco IOS CLI can more readily configure the IBM NOS VLAN, Port, and STP modules.

===============================================================================

RackSwitch G8052 Version 7.2.4.0 (Released June 2012)

** Changes since the 7.2.3.0 release **

Enhancements:
- Added the ability to monitor, per port and per QoS queue, the number and rate of packets and octets transmitted and discarded. (57359)

Changes: None.

Fixes:
- MAC synchronization would not complete successfully after reloading any of the switches in a multi-tier vLAG topology. (56939, 59727)
- VLANs could not be added or deleted on vLAG ports without first disabling vLAG. This has been fixed in this release for PVRST mode only. This will be fixed for MSTP in a future release. (57336)
- Early implementations of vLAG used TCP port 13000 to represent vLAG health-check packets. This would cause other applications that used this port (e.g., Traceroute) to fail, even in a non-vLAG topology. (57885)
- False "L3 table is full" messages could be displayed when the Switch ASIC is adding ARP entries. (58480, 60362, 60481)
- The 'intfInfoAddr' and 'intfInfoNetMask' SNMP MIB objects contained invalid data for IPv6 interfaces. (59132)
- VM Association ACLs would become invalid if the "copy active-config running-config" command was run. (59328)
- An "HTTP 405" error would occur when attempting to enable Layer-2 failover via the BBI. (59898)
- QSFP+ transceivers would not be recognized after removal and reinsertion. (60067)
- A CIST topology change could occur when uploading a tech-support file when over 2000 MSTP instances were configured. (60076)
- SNMP traps were not being sent for NTP "clock updated", NTP "server unreachable", and 802.1x events. (60203)
- On a forwarding LACP-member port for which CIST is disabled, the STP state in hardware would remain Blocking after recovering from a link flap. (60375)
- With static ECMP routes configured, disabling any of the associated IP interfaces would cause its routes to be removed from all other interfaces for which those routes were configured. (60430)
- Performing an SNMP Walk on the IPv6 Routing table could lead to a corruption of the CPU's packet-buffer pool, leading to an inability of the CPU to further receive IPv6 packets. (60486)
- vLAG switches would errantly forward IGMP messages (Reports, Leaves, and Joins) across the ISL on VLANs for which IGMP snooping was disabled. (60545)
- Reserved IP Multicast packets would not be forwarded if flooding and IP routing were disabled. (60563)
- The sequence of disabling then enabling vLAG (globally or per-instance) could lead to the swapping of the Trunk IDs of LACP trunks, but with the hardware FDB still reflecting the previous IDs. This could lead to the flooding of vLAG traffic to non-vLAG ports. (60673)
- When a vLAG instance was removed from an underlying static trunk, all of the ports in the trunk would go into the STP Discarding state. (60736)
- In a vLAG topology with the vLAG switches running in MSTP mode, and the corresponding Access switch running in PVRST mode, the sequence of disabling then enabling vLAG on the Primary switch would cause the vLAG ports of the Secondary switch to go into the STP Discarding state. (60837)
- The NTP primary server IP address would be replaced with the word 'key' if the invalid command 'ntp primary-server key [x]' was invoked from ISCLI. (60900)
- If two LLDP PDUs were received from the same source on two different ports within the time specified by the TTL TLV of the first PDU to arrive, 4KB of CPU memory would be lost (i.e., not returned to the global memory pool) while processing the second PDU. Over time, this condition could lead to CPU memory exhaustion, and a reset by the switch's Memory Monitor. (61108)
- MAC synchronization would not complete successfully after a topology change occurred in a vLAG configuration. (61305)
- Repetitive use of the ISCLI "pipe" option would result in a memory leak. Over time, this could lead to CPU memory exhaustion, and a reset by the switch's Memory Monitor. (61623)
- The "terminal-length 0" setting would not be respected when using the ISCLI "pipe" option. (61751)
- A crash could occur when receiving IP packets with the TCP port 11000. (61786)

===================================================================================

RackSwitch G8052 Version 7.2.3.0 (Released May 2012)

** Changes since the 7.2.2.0 release **

Enhancements: None.

Changes: None.
Fixes:
- In a vLAG pair, if the vLAG port on the Primary switch was down while the Secondary switch was rebooted, the vLAG port on the Secondary switch would remain in the DISC/DESG state after boot-up. (59735)

===================================================================================

RackSwitch G8052 Version 7.2.2.0 (Released April 2012)

** Changes since the 7.2.1.0 release **

Enhancements: None.

Changes: None.

Fixes:
- Stack traces produced by Memory-Monitor resets were inaccurate. (59210)

===================================================================================
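The Duplicate IP Detection mechanism described under 7.7.3.0 above (gratuitous ARP request for the switch's own address, syslog message on any reply), shown as an added, stand-alone example that is not IBM's firmware code. The frame builders, the MAC/IP values and the message wording are constructed for illustration; the on-wire layout follows the standard Ethernet/IPv4 ARP format.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def ip_str(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)

def gratuitous_arp_request(my_mac: bytes, my_ip: bytes) -> bytes:
    """Frame the switch broadcasts: an ARP request for its own address.
    Sender and target protocol address are both my_ip, so only a host that
    also claims that address has a reason to answer."""
    eth = struct.pack("!6s6sH", BROADCAST_MAC, my_mac, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      my_mac, my_ip, b"\x00" * 6, my_ip)
    return eth + arp

def arp_reply(sender_mac: bytes, sender_ip: bytes,
              target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed reply frame, used here only to simulate a conflicting host."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def check_duplicate_ip(frame: bytes, my_mac: bytes, my_ip: bytes):
    """Return a syslog-style message if frame is an ARP reply in which another
    MAC claims my_ip; None for non-ARP frames, requests, replies about other
    addresses, or our own address echoed back from our own MAC."""
    if len(frame) < 14 + 28:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    if spa == my_ip and sha != my_mac:
        return f"Duplicate IP address {ip_str(spa)} detected, also in use by {mac_str(sha)}"
    return None
```

Feeding captured ARP replies to `check_duplicate_ip` reproduces the switch's decision: only a reply whose sender protocol address is ours and whose sender hardware address is not ours yields a message.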