FIRMWARE CHANGE HISTORY ----------------------- IBM RackSwitch G8124/G8124E Version 7.11.5.0 (Released October 2015) ** Changes since the 7.11.4.0 release ** Enhancements: none Changes: - The command "show flash-dump-uuencode" in the isCLI menu and its equivalent "/maint/uudmp" from the IBMNOS-CLI menu have been deprecated. The reference to use these commands has been removed from the help tip that is posted upon user login if a flash-dump exists on the switch. (XB282980) - Added the ability for users to enable/disable SNMP login/logout traps through the "[no] snmp-server loginout-trap" command. (38040) Fixes: - When configuring “qos bandwidth min” on an UFP port, the switch would incorrectly allow the sum of the minimum bandwidth to be less than 100%. (40181,40295) - Switch would incorrectly permit users to configure more than 4 vNIC functions per port, which could cause the switch to crash. Users are now restricted to configure beyond the supported 4 vNIC functions per port. (40296) - Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-1788 (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792 (do_free_upto). (39415) ================================================================================ IBM RackSwitch G8124/G8124E Version 7.11.4.0 (Released July 2015) ** Changes since the 7.11.3.0 release ** Enhancements: none Changes: - Added the ability to delete SNMP read and write community strings with the introduction of two new commands "no snmp-server read-community" and "no snmp-server write-community" respectively. (LV308180) - Addiitonal Debugs have been added to the get more information about system queues and threads under maitenace mode.The output of the "show mp thread" now includes information about the last command processed by each STEM thread. (LV311825) Fixes: - The mapping between local and remote ports is incorrect when using standard LLDP MIBs. The same is not true for private LLDP mibs (lldpInfoRemoteDevicesTable). (XB299432) - A high CPU utilization could occur during Topology Changes when running MSTP protocol in a multi tier VLAG setup. (LV310542) - Vlag failover due to primary switch being reloaded may incorrectly cause the secondary switch to error disable its vlag ports. This may happen when the healthcheck interface port number is higher than that of the ISL interface port number. (LV308603) - Switch could hang after deleting an IP interface that is associated with OSPF. (LV311901) - An SNMP MIB walk on both the peers of a VLAG domain could result in the flap of VRRP Protocol. (XB251897/XB253845) - Fixed GLIBC vulnerabilities as reported in CVE Advisories CVE-2013-7424 (getaddrinfo()) - Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2015-0286 (ASN1_TYPE_cmp). ================================================================================ IBM RackSwitch G8124/G8124E Version 7.11.3.0 (Released April 2015) Enhancements: none Fixes: - FCoE sessions could flap due to the High CPU Utilization caused by the software flooding of Clear Virtual Links packets with an unknown destination MAC in the FCoE VLAN. (LV296464) - Missing space after Objects DHCPSnoopingCurCfgPortTableEntry , DHCPSnoopingNewCfgPortTableEntry , DHCPSnoopingCurCfgVlanTableEntry and MldNewInterfaceEntry in the Enterprise MIB would cause compile errors when using certain MIB compilers. (XB280147) - A crash would occur when uploading a configuration to the switch, where the configuration file was edited to remove the leading Tab from the commands under "vlan dot1q" menu. (LV299681) - Switch could fail to install an ARP Entry for the static route or gateway leading to ARP packets getting flooded in the network. (LV301211) - Syslog messages would be lost after a reboot, when setting the facility using “logging host <1/2> facility “ to an odd number (LV299860) - Fixed OpenSSL vulnerabilities as reported in CVE Advisories CVE-2014-3572, CVE-2015-0204, CVE-2014-8275,CVE-2014-3570, CVE-2015-2808 (BarMitzvah), CVE-2014-3505, CVE-2014-3506 (openssl), CVE-2014-3507(same as 3506, d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb), CVE-2014-3508 (openssl), CVE-2014-3509 (race condition in t1_lib.c) ,CVE-2014-3510 (openssl), CVE-2014-3511 (openssl). (LV304231, LV308279,XB293143) - Fixed security vulnerabilities as reported in CVE Advisories CVE-2014-0191 (libxml2) ,CVE-2013-2877(libxml2) ,CVE-2014-3660 (libxml2) , CVE-2013-2566(RC4 algo, TLS protocol),CVE-2015-0235 (GHOST/glibc) Changes: - Extend the ability of the command "[no] snmp-server link-trap port enable" to disable/enable link-trap for multiple interfaces. (LV302420) - source MAC address of protocol packets from LLDP, LACP , STP, PVRST and 802.1x are not learned by the switch. (LV301284) ===================================================================== IBM RackSwitch G8124/G8124E Version 7.11.1.0 (Released November 2014) New and Updated Features: ------------------------- IGMPv3 on vLAG support ---------------------- IGMPv3 protocol can now be configured when the unit is part of a vLAG topology. Display ARP entries for VLAN 4095 --------------------------------- This enhancement extends the display of ARP table to include the ARPs learnt on the dedicated management port. TACACs ------ For remote authentication with SSH using bypass username, both local username and password will be prompted. BGP Preappend AS Path ---------------------- This enhancement allows route-map to specify up to 32 AS numbers to prepend to a matched route. Fixes: None ===================================================================== IBM RackSwitch G8124/G8124E Version 7.9.1.0 (Released June 2014) New and Updated Features: ------------------------- VLAG-PIM with multicast sources ------------------------------- PIM is a multicast routing protocol to route the multicast traffic from multicast source to the receiver. vLAG PIM defines how PIM protocol should work over the vLAG topology. This new enhancement enables support for vLAG PIM with multicast source connected in the L2 domain behind the vLAG ports. It defines the vLAG PIM protocol behavior and traffic routing across different multicast source and receivers. With this new enhancement, multicast source and receiver can be connected anywhere in the vLAG PIM environment.This also enables vLAG PIM support in a multi tier tenant environment with L2 VLAG on the bottom tier and L3 VLAG on the top tier. Decoupling active VLANs from MSTP configuration: ------------------------------------------------ This feature enables the decoupling of the VLAN(s) configuration from MSTP configuration and changes the MSTP configuration menu to a more simplified one. By doing so, specifying a mapping between VLAN(s) and MSTI will not create any VLAN(s) and the participation of the VLAN(s) in MSTP will not depend on the VLAN(s) creation. LACP Individual Mode -------------------- When this feature is enabled on an LACP port-channel, if a member port of the port-channel does not receive any LACPDU over a period of time, it will be treated as a normal port which may forward data traffic according to its STP state. VLAG-MSTP Enhancement --------------------- This enhancement removes STP configuration restrictions, such as changing the MSTP instance and VLAN associations, that were enforced in previous releases when vLAG and MSTP are both enabled. The vLAG interswitch link ports are no longer error-disabled when there's an MSTP region mismatch between the vLAG switches, instead a recurring warning message is generated during the duration of the configuration mismatch. STP Range enhancement --------------------- This feature is an enhancement for existing STP commands to support configuration of a range of STP groups at a time. IBM-NOS CLI removal ------------------- The IBM-NOS CLI will not be supported as of this release. All switches will boot up with ISCLI. The existing NOS CLI configuration still can be recognized and correctly converted to provide smooth migration for customers who have NOS CLI configuration. IPv6 Counter enhancement ------------------------ This release adds CLI and corresponding SNMP MIB objects for IPv6 counters. The feature provides support for IPv6 neighbor cache table statistics like: Current number of installed entries. Maximum number of entries supported by router. High Water of the ipv6 neighbor cache table. Clear statistics BGP Community Lite ------------------ This feature provides support for BGP community strings to be advertised in updates to neighbors.The switch will be configured to attach a community string to the route updates it sends to peers.In this release, the IBM switch will not make any routing changes or alterations to the community string when receiving updates with a community string attached. Display BGP Routes ------------------- This feature provides an option to display BGP advertised routes that have been advertised to a specific neighbor. Host-Resources MIB (RFC1514) ---------------------------- The Host Resources MIB (RFC 2790) defines objects which are common across many computer system architectures. SNMP ACL --------- This feature is an enhancement to add access control for SNMP requests. SNMP Trap Host --------------- This feature implements the SNMP interface for getting and setting SNMP host configuration for traps. ESN to SNMP ------------ This feature enables SNMP access to Electronic Serial Number of the switch. Compliance to NIST-800 131A ---------------------------- This release enables compliance to NIST SP800-131a. PSIRT - SSL Vulnerability [CVE-2011-3389] ----------------------------------------- This release addresses the SSL vulnerability as described in CVE-2011-3389. It allows the customer to configure the switch to explicitly restrict negotiated versions to a “minimum version” of ssl to force the switch to ensure that only “safe” versions are negotiated. Security vulnerability: Remove switch type from login display ------------------------------------------------------------- Removed the switch type prompt since this is a security vulnerability. Secure FTP ---------- This release adds support for Secure FTP (sFTP). Use SHA-256 as default: ----------------------- Set SHA-256 as the default and preferred hashing algorithm for all secured network operations where applicable. This includes TLS certificates and cipher suites with HMAC SHA-256 in TLS. IPSec over Virtual links ------------------------ OSPFv3 over IPSec on Virtual Links is needed to complete NIST IPSec certification for OSPFv3 traffic. IPSec is needed to secure IPv6 traffic. The feature will use IPv6 Authentication Header (AH) to provide authentication and IPv6 Encapsulating Security Payload (ESP) to provide authentication and confidentiality to virtual link packets. Password Fix-Up Mode --------------------- Password Fix-Up Mode enables admin user account recovery if administrator access is lost. This release adds the option to disable password fix-up functionality to let the administrator of the switch decide whether the Fix-Up mode should be enabled or not to cover security concerns. IPv6 Health Check ----------------- The release supports the use of IPv6 address for vLAG health check. RMON Support (RFC1757,RFC2819) --------------------------------- Remote network monitoring devices, often called monitors or probes, are instruments that exist for the purpose of managing a network. This release supports RMON for Ethernet statistics, Ethernet History as well as Alarm and Event groups. Layer 3 ARP Table full ----------------------- When the L3 ARP table is full, the switch will generate a new trap message in addition to the existing syslog message. Use SSH public keys for up to 20 local switch users/admins ----------------------------------------------------------- The feature allows users to login to switch via SSH using public key authentication instead of password authentication.When SSH is enabled the switch should support both password and public key authentication. The switch shall support up to 20 SSH public key users. Fixes: - SNMP MIB walk could result in the flap of protocols such as VRRP, STP, LACP. (XB251897/XB253845) - Executing "show interface transceiver" command could result in the flap of protocols such as VRRP, STP, LACP. (XB253893) ================================================================================ IBM RackSwitch G8124 Version 7.7.5.0 (Released August 2013) ** Changes since the 7.7.3.0 release ** Enhancements: None Changes: SNMP ports that are not able to converge with peer ports will now result in a link-down state. This will occur when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBMNOS products using LACP ports, it is recommended to install complimentary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior. Fixes: - Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649) - User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484) - A prolonged period of high CPU utilization can lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the break down of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network, and the inevitable network loop. (70887) - The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP Walks being stuck indefinitely at that point. (71785) - Disabling LACP (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port would be in the BLOCKING state (as designed). (71805, 71822) - Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841) - With STP in PVRST mode and with a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844) - A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. (71749) - Attempting to set port speed via the CMM would fail. (XB171317) - If the CMMs had "Failover on Physical Network Link" enabled (default), and the network link of the Active CMM went down, ports INTB1 and INTB2 could get disabled when the Standby CMM became active. (XB172285) - An IP address could not simultaneously be configured as a global DHCP server address, and a broadcast-domain DHCP server address. (XB172381) - A crash would occur while handling an SNMP ?Get? Request for the Object that contains UFP information pertaining the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919) - A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets. (XB199890) - NTPv3 authentication information was being added to outgoing NTP Client Requests, even when authentication was disabled on the Switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e,, not respond to the Client Requests). (XB204541) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895) - If the switch's Hostname was used to access the switch via BBI (i.e., relying on DNS instead of inputting the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876) =========================================================================== IBM RackSwitch G8124E 7.7.3.0 (Released, June 2013) --------------------------------------------------- Enhancements: LACP Suspend Port ----------------- This feature provides the capability to allocate an assigned trunk to LACP ports by LACP key, which avoids a potential traffic loop caused by mis-connection or error configuration. FCoE with LAG support in standalone mode solution ------------------------------------------------- Link Aggregration Group (LAG) also know as trunk, allows multiple ports on a switch to be combined together as a single link. To support the increasing demand of higher bandwidth to the uplink FCF in an FCoE environment, we added LAG support for our FCoE solution in this release. Duplicate IP Detection ---------------------- The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address. Hotlinks + STP -------------- In prior releases, STP needs to be disabled globally when Hotlinks feature is configured. This feature removed this limitation of having to globally disable STP. BGP multipath relax ------------------- This functionality allows load balancing across different autonomous system paths that have equal AS path length. vLAG+PIM Dense Mode ------------------- Enable the PIM protocol over the vLAG topology in dense mode for efficient multicast forwarding.