FIRMWARE CHANGE HISTORY
-----------------------

IBM RackSwitch G8264T Version 7.9.24.0 (Released March 2019)

** Changes since the 7.9.23.0 release **

Enhancements: none

Changes: none

Fixes:
- Fixed vulnerabilities in the OpenSSL library as reported in the CVE Advisory CVE-2018-0732. (147029)

================================================================================

IBM RackSwitch G8264T Version 7.9.23.0 (Released October 2018)

** Changes since the 7.9.22.0 release **

Enhancements: none

Changes: none

Fixes:
- A crash could occur when the switch was scanned for vulnerabilities by the Rapid7 security tool or a Nessus scan, or when the CLI commands "no ssh enable" or "no access netconf ssh enable" were executed after the scan. (133904/138760)
- Fixed vulnerabilities in the TLS protocol as reported in the CVE Advisory CVE-2014-8730. (80866)
- The switch no longer supports the Diffie-Hellman key exchange algorithm in strict security mode. (143643)
- Enhanced the BBI session default-user password reset framework. (135949/135951)

================================================================================

IBM RackSwitch G8264T Version 7.9.22.0 (Released June 2018)

** Changes since the 7.9.21.0 release **

Enhancements: none

Changes: none

Fixes:
- Fixed libxml2 vulnerabilities as reported in the Advisories CVE-2016-5131, CVE-2017-15412, CVE-2017-16932 and CVE-2017-5130. (124059)

================================================================================

IBM RackSwitch G8264T Version 7.9.21.0 (Released November 2017)

** Changes since the 7.9.20.0 release **

Enhancements: none

Changes: none

Fixes:
- The switch would crash when adding or deleting port member(s) of an OpenFlow instance if there was an NEC vendor-specific flow with a drop (PFP_DROP) action in the OpenFlow table. (96981)
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2017-8872, CVE-2017-9049 and CVE-2017-9050. (104768)
- Addressed an issue in the login credential mechanism. (107614)
- Support for the weak ciphers TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA has been removed. (109956/111620)
- Fixed TCP vulnerabilities as reported in the CVE Advisory CVE-2017-6214. (113078)
- Addressed an issue with non-configured community strings. (115054)
- The switch's browser based interface (BBI) was susceptible to cross-site scripting (XSS) and stored cross-site scripting vulnerabilities, as reported by the IBM security tool AppScan. (116507)
- The switch would crash when the command "show mp thread" was executed before any syslogs had been logged by the switch, or when logging was completely disabled on the switch. (117304)

================================================================================

IBM RackSwitch G8264T Version 7.9.20.0 (Released May 2017)

** Changes since the 7.9.19.0 release **

Enhancements: none

Changes:
- Support for TLS versions 1.1 and 1.0 has been deprecated. TLS version 1.2 is now supported by default. (PSIRT ALIRT 10820) (72679)

Fixes:
- The MTU value for a port in the output of the "show lldp info" command was incorrectly reported as 1522 instead of 9216. (73928)
- The switch failed to add all output ports received in a FlowMod message with the modify-strict option when the message had more than 31 output ports. (80146)
- The switch's browser based interface (BBI) was reported to be missing the "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection" headers in the HTTP response when scanned by the web security tool IBM AppScan. (68381/75827)
- In a multicast environment, a switch acting simultaneously as a "Last Hop Router" (LHR) and an "Intermediate Router" (IR) could become unable to send traffic to LHR clients for a specific group. This happened when the switch had already received IR PIM joins for the same group, started forwarding traffic towards the IR clients, and then received LHR IGMP joins for that group. (78192)
- A crash would occur when the switch was scanned by the web security tool IBM AppScan while running a Recorded Login option. (90107)
- HTTP requests sent by LXCA with a "/" URL would erroneously be rejected, causing the switch's GUI to fail to launch in LXCA. (92267)
- Fixed zlib vulnerabilities as reported in the CVE Advisories CVE-2016-9840, CVE-2016-9841, CVE-2016-9842 and CVE-2016-9843. (86800)
- Fixed libxml2 vulnerabilities as reported in the CVE Advisories CVE-2016-4658 and CVE-2016-9318. (86808)
- A switch receiving a rogue OSPF LSA containing its own router ID with the maximum sequence number (0x7fffffff) would incorrectly respond with a fight-back LSA of its own database, as opposed to the rogue's LSA database. (92346)

================================================================================

IBM RackSwitch G8264T Version 7.9.19.0 (Released January 2017)

** Changes since the 7.9.18.0 release **

Enhancements: none

Changes: none

Fixes:
- The switch's browser based interface (BBI) was reported to be susceptible to the security vulnerability CSRF (cross-site request forgery) when scanned by the web security tool IBM AppScan. (68381)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2016-2183 (SWEET32) and CVE-2016-6329. The ciphers DES, 3DES and Blowfish are no longer supported. (66395)

================================================================================

IBM RackSwitch G8264T Version 7.9.18.0 (Released September 2016)

** Changes since the 7.9.17.0 release **

Enhancements: none

Changes: none

Fixes:
- The switch could crash when processing SSL traffic received on the management interface. (50705)
- Passwords for TACACS users could not be changed from the switch using the "primary-password" command when the "tacacs-server password-change" feature was enabled. (63530)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2016-2108 (ALIRT LEN-7502). (55174)
- Fixed security vulnerabilities as reported in the CVE Advisories CVE-2016-3705, CVE-2016-3627, CVE-2015-8806, CVE-2016-4447, CVE-2016-4449 and CVE-2016-4448 (libxml2). (57176, 55781, 58942, 58943)

================================================================================

IBM RackSwitch G8264T Version 7.9.17.0 (Released June 2016)

** Changes since the 7.9.16.0 release **

Enhancements: none

Changes: none

Fixes:
- Fixed security vulnerabilities as reported in the CVE Advisory CVE-2015-8710 (libxml2). (49214)
- The switch's browser based interface (BBI) was susceptible to XSS (stored cross-site scripting) and CSRF (cross-site request forgery) vulnerabilities. The web security policy mechanism HSTS (HTTP Strict Transport Security) has been implemented on the BBI. (49409, 49427, 49471)
- The switch's browser based interface (BBI) would fail to honor the "cache-control=no-cache" directive and still cache the pages. The value of the "cache-control" directive has been changed from "no-cache" to "no-store". (49475)
- The switch could crash when enabling the HTTPS protocol while it was trying to connect to the VSI Manager. (50435)

================================================================================

IBM RackSwitch G8264T Version 7.9.16.0 (Released February 2016)

** Changes since the 7.9.15.0 release **

Enhancements: none

Changes:
- The output of "show tech-support" now includes the isCLI commands as headers before their respective output. (38125)

Fixes:
- Using Cisco ACS version 5.3 and above to authenticate users with the TACACS protocol could cause a User Interface thread (SSHD, AGR, TNET, CONS) to be suspended forever, thereby denying any further authentication with the TACACS protocol. (LV307694/7383)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2015-7575 (SLOTH). (47856)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2015-3194 and CVE-2015-3195. (46801)

================================================================================

IBM RackSwitch G8264T Version 7.9.15.0 (Released October 2015)

** Changes since the 7.9.14.0 release **

Enhancements: none

Changes:
- The command "show flash-dump-uuencode" in the isCLI menu and its equivalent "/maint/uudmp" in the IBMNOS-CLI menu have been deprecated. The reference to these commands has been removed from the help tip that is shown upon user login when a flash dump exists on the switch. (XB282980)
- Added the ability for users to enable or disable SNMP login/logout traps through the "[no] snmp-server loginout-trap" command. (38040)

Fixes:
- The switch would fail to send ICMP TTL Exceeded messages back to the source when the incoming ICMP packet had a TTL of 1 and a destination address of the VRRP IP of the switch. As a side effect, traceroute between devices would fail if the VRRP IP of the switch was one of the hops in the path. (LV311922)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2015-1788 (BN_GF2m_mod_inv), CVE-2015-1789 (X509_cmp_time) and CVE-2015-1792 (do_free_upto). (39415)

================================================================================

IBM RackSwitch G8264T Version 7.9.14.0 (Released July 2015)

** Changes since the 7.9.13.0 release **

Enhancements: none

Changes:
- Additional debugs have been added to get more information about system queues and threads under maintenance mode. The output of "show mp thread" now includes information about the last command processed by each STEM thread. (LV311825)

Fixes:
- A vLAG failover caused by the primary switch being reloaded could incorrectly cause the secondary switch to error-disable its vLAG ports. This could happen when the health-check interface port number was higher than the ISL interface port number. (LV308603)
- High CPU utilization could occur during topology changes when running the MSTP protocol in a multi-tier vLAG setup. (LV310542)
- The switch could hang after deleting an IP interface that was associated with OSPF. (LV311901)
- An SNMP MIB walk on both peers of a vLAG domain could result in a flap of the VRRP protocol. (XB251897/XB253845)
- Fixed GLIBC vulnerabilities as reported in the CVE Advisory CVE-2013-7424 (getaddrinfo()).
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisory CVE-2015-0286 (ASN1_TYPE_cmp).

================================================================================

IBM RackSwitch G8264T Version 7.9.13.0 (Released April 2015)

** Changes since the 7.9.11.0 release **

Enhancements: none

Fixes:
- FCoE sessions could flap due to high CPU utilization caused by software flooding of Clear Virtual Links packets with an unknown destination MAC in the FCoE VLAN. (LV296464)
- All packets received with a certain MAC address were flooded after an IGMP Join/Leave with the same MAC address as source MAC was received on the stack member. (XB271036)
- A crash would occur when uploading a configuration to the switch if the configuration file had been edited to remove the leading Tab from the commands under the "vlan dot1q" menu. (LV299681)
- Syslog messages would be lost after a reboot when the facility was set to an odd number using "logging host <1/2> facility". (LV299860)
- The switch could fail to install an ARP entry for the static route or gateway, leading to ARP packets being flooded in the network. (LV301211)
- Fixed OpenSSL vulnerabilities as reported in the CVE Advisories CVE-2014-3572, CVE-2015-0204, CVE-2014-8275, CVE-2014-3570, CVE-2015-2808 (Bar Mitzvah), CVE-2014-3505, CVE-2014-3506 (openssl), CVE-2014-3507 (same as 3506, d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb), CVE-2014-3508 (openssl), CVE-2014-3509 (race condition in t1_lib.c), CVE-2014-3510 (openssl) and CVE-2014-3511 (openssl). (LV304231, LV308279, XB293143)
- Fixed security vulnerabilities as reported in the CVE Advisories CVE-2014-0191 (libxml2), CVE-2013-2877 (libxml2), CVE-2014-3660 (libxml2), CVE-2013-2566 (RC4 algorithm, TLS protocol) and CVE-2015-0235 (GHOST/glibc).

Changes:
- In a vLAG setup with VRRP, ICMP replies now use the physical switch's MAC as source MAC, as opposed to the VRRP MAC. (XB292827)
- Extended the command "[no] snmp-server link-trap port enable" to enable or disable link traps for multiple interfaces. (LV302420)

================================================================================

IBM RackSwitch G8264T Version 7.9.11.0 (Released October 2014)

** Changes since the 7.9.10.0 release **

Enhancements: None

Changes:
- A security vulnerability existed in the OpenSSL protocol used in IBM System Networking Ethernet Switches. (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510)

Fixes: None

================================================================================

IBM RackSwitch G8264T Version 7.9.10.0 (Released July 2014)

** Changes since the 7.9.1.0 release **

Enhancements: None

Changes:
- Internal debug usernames have been removed from the firmware to prevent potential backdoor access. (XB282666)

Fixes: None

================================================================================

IBM RackSwitch G8264T Version 7.9.1.0 (Released June 2014)
----------------------------------------------------------

VLAG-PIM with multicast sources
-------------------------------
PIM is a multicast routing protocol that routes multicast traffic from a multicast source to the receivers. vLAG PIM defines how the PIM protocol should work over the vLAG topology. This enhancement adds support for vLAG PIM with the multicast source connected in the L2 domain behind the vLAG ports. It defines the vLAG PIM protocol behavior and traffic routing across different multicast sources and receivers. With this enhancement, multicast sources and receivers can be connected anywhere in the vLAG PIM environment. It also enables vLAG PIM support in a multi-tier tenant environment with L2 vLAG on the bottom tier and L3 vLAG on the top tier.

Full Private VLAN:
------------------
This release supports Private VLAN configurations as described in RFC 5517.

Service Location Protocol
-------------------------
The Service Location Protocol provides a dynamic configuration mechanism for applications in local area networks. Applications are modeled as clients that need to find servers attached to any of the available networks within an enterprise.

LACP Individual Mode
--------------------
When this feature is enabled on an LACP port-channel, a member port of the port-channel that does not receive any LACPDU over a period of time is treated as a normal port, which may forward data traffic according to its STP state.

Layer 3 ARP Table full
----------------------
When the L3 ARP table is full, the switch generates a new trap message in addition to the existing syslog message.

Auto VLAN Tagging on Trunk ports
--------------------------------
This enhancement simplifies adding trunk ports to VLANs by automatically adding them to all VLANs in their allowed ranges. By default, all VLANs are allowed on each port. When a port is configured as a trunk port, it is automatically added to all VLANs in its allowed range. Also, when a new VLAN is created, all trunk ports that have that VLAN in their allowed ranges are automatically added to it.

Password Fix-Up Mode
--------------------
Password Fix-Up Mode enables admin user account recovery if administrator access is lost. This release adds the option to disable the password fix-up functionality, so that the administrator of the switch can decide whether Fix-Up mode should be enabled, to address security concerns.
STP Range enhancement
---------------------
This feature enhances the existing STP commands to support configuration of a range of STP groups at a time.

VLAG-MSTP Enhancement
---------------------
This enhancement removes STP configuration restrictions, such as changing the MSTP instance and VLAN associations, that were enforced in previous releases when vLAG and MSTP are both enabled. The vLAG interswitch link ports are no longer error-disabled when there is an MSTP region mismatch between the vLAG switches; instead, a recurring warning message is generated for the duration of the configuration mismatch.

BGP Community Lite
------------------
This feature provides support for BGP community strings to be advertised in updates to neighbors. The switch can be configured to attach a community string to the route updates it sends to peers. In this release, the IBM switch does not make any routing changes or alterations to the community string when receiving updates with a community string attached.

Display BGP Routes
------------------
This feature provides an option to display the BGP routes that have been advertised to a specific neighbor.

IPv6 Counter enhancement
------------------------
This feature adds CLI commands and corresponding SNMP MIB objects for IPv6 counters. It provides support for IPv6 neighbor cache table statistics such as:
- Current number of installed entries
- Maximum number of entries supported by the router
- High water mark of the IPv6 neighbor cache table
- Clear statistics

OpenFlow 1.3.1 Support:
-----------------------
Added support for OpenFlow Switch Specification Version 1.3.1, including but not limited to the following key features:
* L3 MPLS
* Static LAG
* MAC/IP masking
* Flexible Table Miss and Fail Secure
* 40Gb support
* Static CLI for Flow Programming
* OpenFlow 1.0 backward compatibility

OpenFlow 1.3.1 Group support
----------------------------
In this release, support for OpenFlow groups in accordance with OpenFlow 1.3.1 has been added. Actions associated with flow entries can direct packets to a group.

OpenFlow Support for LAG over Edge Ports
----------------------------------------
This feature allows the user to configure an OpenFlow static LAG port as an edge port on the switch. A user can configure multiple OpenFlow LAG ports and physical ports as edge ports as required.

sFlow support in OpenFlow ports
-------------------------------
This release adds sampling support for packets received on OpenFlow ports configured for this feature. An sFlow server should be configured to be reachable via a non-OpenFlow data port or the management port for this functionality to work.

RMON Support (RFC1757, RFC2819)
-------------------------------
Remote network monitoring devices, often called monitors or probes, are instruments that exist for the purpose of managing a network. This release supports RMON for the Ethernet Statistics and Ethernet History groups as well as the Alarm and Event groups.

NetConf
-------
The NETCONF (RFC4741) protocol defines a simple mechanism through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated.

Secure FTP
----------
This release adds support for Secure FTP (sFTP).

SNMP ACL
--------
This feature adds access control for SNMP requests.

SNMP Trap Host
--------------
This feature implements the SNMP interface for getting and setting the SNMP host configuration for traps.
ESN to SNMP
-----------
This feature enables SNMP access to the Electronic Serial Number of the switch.

IPSec over Virtual links
------------------------
OSPFv3 over IPsec on virtual links is needed to complete NIST IPsec certification for OSPFv3 traffic. IPsec is needed to secure IPv6 traffic. The feature uses the IPv6 Authentication Header (AH) to provide authentication, and the IPv6 Encapsulating Security Payload (ESP) to provide authentication and confidentiality, for virtual link packets.

IBM-NOS CLI removal
-------------------
The IBM-NOS CLI is no longer supported as of this release. All switches boot up with the ISCLI. An existing NOS CLI configuration is still recognized and correctly converted, to provide a smooth migration for customers who have a NOS CLI configuration.

Use SSH public keys for up to 20 local switch users/admins
----------------------------------------------------------
This feature allows users to log in to the switch via SSH using public key authentication instead of password authentication. When SSH is enabled, the switch supports both password and public key authentication. The switch supports up to 20 SSH public key users.

================================================================================

IBM RackSwitch G8264T Version 7.8.1.0 (Released Dec 2013)
----------------------------------------------------------

Decoupling active VLANs from MSTP configuration:
------------------------------------------------
This feature decouples the VLAN configuration from the MSTP configuration and changes the MSTP configuration menu to a more simplified one. As a result, specifying a mapping between VLANs and an MSTI does not create any VLANs, and the participation of VLANs in MSTP does not depend on the VLANs having been created.

NIST SP 800-131A Compliance:
----------------------------
Added a mode of operation that forces the device to operate and secure network operations in a manner that is fully compliant with the NIST SP 800-131A security standard. Removed support for the obsolete cryptographic algorithms DES and MD5, as well as protocols such as SSLv3, even in the non-compliant mode.

Use SHA-256 as default:
-----------------------
Set SHA-256 as the default and preferred hashing algorithm for all secured network operations where applicable. This includes TLS certificates and cipher suites with HMAC-SHA-256 in TLS.

Security Enhancements:
----------------------
Updated the default protocols used for configuration to be secure. Devices use secure protocols by default for configuration, for example SSH, HTTPS and SNMPv3. Insecure protocols are disabled by default for configuration, for example Telnet, HTTP and SNMPv1/v2. Also added a default user whose password must be changed after the initial login.

Remove Switch Type from login display:
--------------------------------------
Removed the Switch Type from the login display.

ACL6 Metering:
--------------
Added metering support for IPv6 ACLs, similar to IPv4 ACLs.

Increase Local Users:
---------------------
Added support for up to 20 local user accounts with different privilege levels.

QoS Monitoring:
---------------
This feature enhances the QoS statistics by presenting the COS statistics per port and per COS queue used.

BGP DSCP Marking:
-----------------
This feature allows users to configure the DSCP value used in the IP header of outgoing BGP packets.

CPU-MIB - Improved Process and CPU monitoring (local switch info only):
-----------------------------------------------------------------------
Added SNMP MIBs to read system-wide and per-thread CPU utilization information of the switch.

BGP Multihop TTL Security:
--------------------------
This feature provides a protection mechanism for BGP peering sessions against CPU-utilization-based attacks by validating the TTL in incoming BGP packets.

LLDP MIB:
---------
This feature supports the LLDP MIB per the IEEE 802.1AB standard.
LLDP vendor information display:
--------------------------------
In prior releases, LLDP was disabled by default. This feature enables LLDP by default, disables optional TLVs, corrects the vendor information and adds three new commands that show more detailed LLDP information.

Fixes:
- A security vulnerability existed in the TLS protocol versions TLS 1.0 and earlier, in that an attacker could potentially discover the TLS session key. Added a configurable CLI option to restrict the minimum allowable TLS protocol version, from TLS 1.0 through TLS 1.2, so that the user can avoid the vulnerability described in CVE-2011-3389 by selecting a higher protocol version that is not vulnerable to the attack (TLS 1.1 and above).

================================================================================

IBM RackSwitch G8264T Firmware version 7.7.5.0 (Released August 2013)

** Changes since the 7.7.3.0 release **

Enhancements: None

Changes:
- Dynamic link aggregation (LACP) ports that are not able to converge with their peer ports now result in a link-down state. This occurs when ports configured as members of an LACP trunk are connected to non-LACP ports. This is expected behavior. When connecting different IBMNOS products using LACP ports, it is recommended to install complementary firmware versions (e.g., 7.7.5) on each device to ensure matching LACP behavior.

Fixes:
- Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the hardware watchdog. (66769, 70649)
- User-configured ACL Deny rules were not being respected for packets with a Layer-4 (TCP) port of 22 or 23 (i.e., SSH and Telnet, respectively). (69126 / XB202484)
- A prolonged period of high CPU utilization could lead to protocol-thread starvation. In one such case, LACP PDUs were not being sent by the CPU, leading to the breakdown of the LACP trunk forming the ISL in a vLAG topology. The ISL trunk ports that had previously been in the STP Discarding state would then errantly go into the Forwarding state, resulting in flooding of STP BPDUs into the network and the inevitable network loop. (70887)
- A hang of the switch's I2C bus could occur, leading to a reset of the switch by the hardware watchdog. (71721)
- The SNMP dot1qVlanCurrentEntry OID was not being populated, resulting in SNMP walks being stuck indefinitely at that point. (71785)
- Disabling LACP (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port being errantly displayed as FORWARDING in the output of the "show spanning-tree stp" command (and via the BBI), when in fact the port was in the BLOCKING state (as designed). (71805, 71822)
- Deleting the LACP key (from the peer device) on a member port of an LACP trunk that also has STP disabled would result in the port errantly going into the FORWARDING state. (71841)
- With STP in PVRST mode and a high active-port/STG product, a memory leak could occur while processing BPDUs (this was demonstrable with 47 ports active and more than 127 STGs configured per port). Over time, the memory leak could lead to a reset of the switch by the Memory Monitor. (71844)
- A crash would occur when issuing the "show ufp info vport" command without explicitly specifying a vport number. (71951)
- A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source IP address 0.0.0.0. (71749)
- Attempting to set the port speed via the CMM would fail. (XB171317)
- If the CMMs had "Failover on Physical Network Link" enabled (the default) and the network link of the active CMM went down, ports INTB1 and INTB2 could get disabled when the standby CMM became active. (XB172285)
- An IP address could not simultaneously be configured as a global DHCP server address and a broadcast-domain DHCP server address. (XB172381)
- A crash would occur while handling an SNMP "Get" request for the object that contains UFP information pertaining to the switch (OID 1.0.8802.1.1.2.1.4.1.1.12.2700.65.4). (XB194463, XB202919)
- A crash could occur if an FCoE-related CLI command was issued while the external management port was being flooded with packets. (XB199890)
- In Stacking mode, the switch would no longer receive time-sync updates from NTP servers over IPv6 interfaces after a CMM failover. (XB200147)
- NTPv3 authentication information was being added to outgoing NTP client requests even when authentication was disabled on the switch. The consequence was that NTP servers that do not support authentication would discard the requests (i.e., not respond to the client requests). (XB204541)
- A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated during the transaction. (XB205895)
- If the switch's hostname was used to access the switch via the BBI (i.e., relying on DNS instead of entering the raw IP address), attempting to perform an image upgrade would result in redirection to a blank page. (XB206876)

================================================================================

IBM RackSwitch G8264T Firmware version 7.7.3.0 (Released June 2013)

Enhancements:

Enhanced Password security
--------------------------
This feature provides stronger login enforcement for user IDs and passwords by forcing local user passwords to be case sensitive and an 8-64 character mix of uppercase letters, lowercase letters, numbers and special characters, including at least one of each.

DHCP Option 7 and Option 12
---------------------------
These features enhance the DHCP client support on the switch with Option 12, which defines the configuration of the hostname, and Option 7, which is used to get the syslog server address from the DHCP server.
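The local-user password rules stated under Enhanced Password security above, as an added example that is not firmware code from the G8264T: a policy checker that reports which of the stated rules a candidate password violates. The page does not say which characters count as "special"; the example assumes ASCII punctuation, and rejects characters outside the four named classes rather than silently accepting them.

```python
"""Policy check for the local-user password rules in the 7.7.3.0 notes.

Added example, not code from the G8264T firmware. Rules implemented are the
ones the release notes state: 8 to 64 characters, with at least one uppercase
letter, one lowercase letter, one digit and one special character, compared
case-sensitively. "Special character" is not defined on the page; this example
assumes ASCII punctuation.
"""
import string

MIN_LEN = 8
MAX_LEN = 64
SPECIAL = frozenset(string.punctuation)          # assumption: ASCII punctuation
ALLOWED = frozenset(string.ascii_letters + string.digits) | SPECIAL


def check_password(password: str) -> list[str]:
    """Return the rules a candidate violates; an empty list means it is accepted."""
    violations = []
    n = len(password)
    if n < MIN_LEN:
        violations.append(f"too short ({n} < {MIN_LEN})")
    elif n > MAX_LEN:
        violations.append(f"too long ({n} > {MAX_LEN})")
    # Classes are tested on ASCII ranges only, so 'A' and 'a' satisfy different
    # rules and no locale-dependent case folding can blur the distinction.
    if not any(c in string.ascii_uppercase for c in password):
        violations.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        violations.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        violations.append("no digit")
    if not any(c in SPECIAL for c in password):
        violations.append("no special character")
    # Spaces, control characters and non-ASCII text fall outside the four classes
    # the notes list; this example rejects them instead of guessing a class (assumption).
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        violations.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return violations


def is_compliant(password: str) -> bool:
    """True when the candidate satisfies every stated rule."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample candidates, not values taken from the page.
    for candidate in ("Sw1tch!Admin", "sw1tch!admin", "Sw1tch!", "Switch!Admin", "Sw1tch Admin!"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```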
Duplicate IP Detection ---------------------- The switch uses a simple mechanism to detect if two hosts on the same subnetwork are using the same IPv4 address at the same time. The switch sends a gratuitous ARP request for its own IP address. If it receives an ARP response, it sends a syslog message with the IP address and MAC address of the host that is using its IP address. BGP multipath relax ------------------- This functionality allows load balancing across different autonomous system paths that have equal AS path length. vLAG+PIM Dense Mode ------------------- Enable the PIM protocol over the vLAG topology in dense mode for efficient multicast forwarding. BGP Debug --------- This feature will allow administrator to turn on log for BGP update message sent/received from/to a particular neighbor. Fixes: - A Security vulnerability existed in the OSPFv2 Routing Protocol that is used in IBM System Networking Ethernet Switches (CVE-2013-0149). - A Security vulnerability existed in IBM Switches which support Fibre Channel over Ethernet (FCoE), in that data frames were being flooded out of every port if the destination address was not in the MAC table. (CVE-2013-0570). =================================================================================== IBM Rackswitch G8264T Firmware version 7.6.3.20 (released October 2013) ** Changes since the 7.6.3.10 release ** Enhancements: None. Changes: None. Fixes: - Inefficiencies in the SNMP-processing code could result in high CPU utilization, SNMP client time-outs, protocol flaps, or a switch reset by the Hardware Watchdog. (66769, 70649) - A crash would occur when routing packets to an unreachable IPv6 gateway. (68081) - A watchdog timeout could occur if an IGMPv3 Report packet was received with the invalid source-IP address of 0.0.0.0. 
(71749) - BGP neighborship sessions would flap when receiving BGP route messages that contained community attributes (XB194426) - A crash could occur while handling an HTTPS request if the connection to the client was suddenly terminated while handling the transaction. (XB205895) - The ACL logging feature would not report incoming packets that matched an ACL qualified by a TCP or UDP destination port. (XB208108) - A crash would occur if a data port was used to upload a file to an FTP server, if the file already existed on the server and had read-only access permissions. (XB209257) - A crash would occur if the traceroute command was executed with an IPv6 address specified, and no IPv6 management interfaces were configured. (XB215717) - A crash would occur if a ping was issued to a random host name, and an IPv6 DNS server was unreachable or non-existent (XB216882) - A crash would occur during a second attempt to authenticate a user via an unreachable or non-existent LDAP server. (XB217674) - A crash would occur if a TFTP upload or download was attempted, and no IPv6 interfaces were configured. (XB218041) - The switch's Browser-based Interface (BBI) was vulnerable to attacks by Web scanning tools, potentially resulting in crashes. (XB218795) - A crash would occur when receiving a random sequence of IGMPv3 reports that were interleaved from different Multicast receivers. (XB219263) - Invalid TCP packets (e.g., having both SYN and FIN flags set) received by the switch would not be discarded, resulting in a potential security vulnerability. (XB220985) =================================================================================== IBM Rackswitch G8264T Firmware version 7.6.3.10 (released July 2013) ** Changes since the 7.6.3.0 release ** Enhancements: None. Changes: None. 
Fixes:
- A security vulnerability existed in the OSPFv2 routing protocol used in IBM System Networking Ethernet Switches. (CVE-2013-0149)
- A security vulnerability existed in IBM switches which support Fibre Channel over Ethernet (FCoE), in that data frames were being flooded out of every port if the destination address was not in the MAC table. (CVE-2013-0570)

===================================================================================
IBM Rackswitch G8264T Firmware version 7.6.3.0 (released May 2013)

** Changes since the 7.6.2.0 release **

Enhancements: None.
Changes: None.
Fixes:
- Random discards of transmitted frames could occur when sending frames of varying odd-numbered lengths, starting at 6749 bytes. (69933)

===================================================================================
IBM Rackswitch G8264T Firmware version 7.6.2.0 (released January 2013)

** Changes since the 7.6.1.0 release **

Enhancements: None.
Changes:
- Added support for China-certified power supplies 94Y8070 (front-to-rear fan direction) and 94Y8088 (rear-to-front fan direction). (67088)
Fixes: None.

===================================================================================
IBM Rackswitch G8264T Firmware version 7.6.1.0 (released December 2012)

New and Updated Features
========================

BGP Route Reflection:
---------------------
Route reflection is a technique to avoid a large number of sessions between IBGP peers. In this release, support for RFC 4456 (BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)) has been added.

SNMP: Support for 8 Read-Only and Read-Write communities:
---------------------------------------------------------
This release adds support for 8 read community names (Read-Only) and 8 write community names (Read-Write) with SNMPv1 and SNMPv2.

RFC5340: OSPF For IPv6:
-----------------------
The switch was previously compliant with RFC 2740. Starting with this release, the switch is compliant with RFC 5340, which supersedes RFC 2740.

VLAG and PIM Support:
---------------------
Previous releases supported IP multicast routing through the PIM protocol, and also the VLAG (Virtual Link Aggregation) protocol. This release adds support for PIM over a vLAG topology, so that the most efficient multicast routing can be achieved in a vLAG topology.

NTP Client Display Improvements:
--------------------------------
The Network Time Protocol (NTP) is widely used to synchronize computer clocks on the Internet. With the NTP service enabled, the switch can accurately update its internal clock to be consistent with other devices on the network. In this release, the "show ntp" command has been updated with details such as clock offset, stratum, and reference clock. Also in this release, the number of syslog messages generated when the system clock is updated or when NTP synchronization fails has been dampened.

Cisco-like CLI:
---------------
Some existing ISCLI commands have been modified to look more like those in Cisco's IOS. The commands chosen for modification in this release are ones frequently used for VLAN, port, and STP configuration. With these changes, those familiar with the Cisco IOS CLI can more readily configure the IBM NOS VLAN, port, and STP modules.

Support for 4K VLANs:
---------------------
Increased the scalability of VLANs from 2K to 4K.

Openflow support:
-----------------
OpenFlow support has been added.

Debug enhancement
-----------------
Added debug commands to provide more detail than shown in the current counters. New commands are added for LACP packets and spanning tree BPDU packets.

Diff flash in ISCLI
-------------------
Provided a command in the ISCLI to display the differences between the running configuration and the saved configuration. This functionality was previously available only in the IBM NOS CLI and is now also provided in the ISCLI.
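The Duplicate IP Detection mechanism described in the enhancements above (a gratuitous ARP request for the switch's own address, and a syslog line naming whoever answers) is worked through below as an added example. This is not firmware code from the RackSwitch; it builds the probe frame and the conflict check over raw Ethernet/ARP bytes so it runs offline, and the MAC addresses, IP address and the "reply" frame are constructed for the demonstration.

```python
"""Duplicate IPv4 address detection with gratuitous ARP.

Added example, not code from the IBM RackSwitch firmware: it builds the
gratuitous ARP request the feature description says the switch sends for its
own address, and turns a reply into the syslog-style line that names the
conflicting host. Frames are raw bytes; the sample reply is constructed.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST_MAC) -> bytes:
    """Ethernet II frame carrying an IPv4 ARP packet (RFC 826 layout, 42 bytes)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def build_gratuitous_arp_request(own_mac: str, own_ip: str) -> bytes:
    """Gratuitous ARP request: sender IP == target IP == our own address,
    broadcast on the subnet. Only a host already using own_ip will answer."""
    return build_arp(ARP_REQUEST, own_mac, own_ip, "00:00:00:00:00:00", own_ip)


def parse_arp(frame: bytes):
    """Return the ARP fields, or None if the frame is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def check_duplicate(frame: bytes, own_mac: str, own_ip: str):
    """Inspect one received ARP frame. Returns a syslog-style string when
    another host claims our IP address, otherwise None.

    A reply to our gratuitous request carries the offender's MAC with our IP as
    sender. A gratuitous request *from* the offender (sender IP == our IP) is
    caught by the same test, since that is the other common way a conflict shows up.
    Our own frame looped back (same MAC) is ignored."""
    arp = parse_arp(frame)
    if arp is None:
        return None
    if arp["sender_ip"] != own_ip or arp["sender_mac"].lower() == own_mac.lower():
        return None
    return (f"DUPLICATE IP: {own_ip} is also in use by MAC {arp['sender_mac']}"
            f" (ARP op {arp['op']})")


if __name__ == "__main__":
    SWITCH_MAC, SWITCH_IP = "00:1a:2b:3c:4d:5e", "10.0.0.1"      # constructed values
    probe = build_gratuitous_arp_request(SWITCH_MAC, SWITCH_IP)
    # Constructed reply from a host that has also been configured with 10.0.0.1.
    reply = build_arp(ARP_REPLY, "00:50:56:aa:bb:cc", SWITCH_IP, SWITCH_MAC, SWITCH_IP,
                      dst_mac=SWITCH_MAC)
    print(check_duplicate(reply, SWITCH_MAC, SWITCH_IP))
```

Two practical caveats the release note does not spell out: the probe only finds a conflict if the other host answers ARP (a host that drops gratuitous requests stays invisible until its own traffic is seen), and because the check keys on the sender IP field it also reports a conflicting host's own gratuitous ARP, which is why the frame's opcode is included in the log line.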
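Fix XB220985 in the 7.6.3.20 list above says the switch previously accepted TCP segments with impossible flag combinations such as SYN+FIN. The following added example (not switch firmware code) shows the ingress check that fix implies, applied to a raw TCP header, and extends it to the other flag combinations that cannot occur in a legitimate connection (null segments, RST combined with SYN or FIN, and non-SYN segments without ACK). The segments it examines are constructed inline.

```python
"""Discarding TCP segments with illegal flag combinations.

Added example, not code from the IBM RackSwitch firmware: an ingress sanity
check of the kind fix XB220985 describes, over a raw TCP header. Test
segments are constructed with make_segment().
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_str(flags: int) -> str:
    return "+".join(n for b, n in FLAG_NAMES.items() if flags & b) or "none"


def parse_tcp_header(segment: bytes):
    """Minimal TCP header parse: (src_port, dst_port, data_offset_bytes, flags),
    or None when the header is truncated or its data offset is impossible."""
    if len(segment) < 20:
        return None
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x3F        # low six bits; ECN bits (NS/CWR/ECE) are not judged here
    if data_offset < 20 or data_offset > len(segment):
        return None
    return src, dst, data_offset, flags


def invalid_flag_reason(flags: int):
    """Return why this flag combination is illegal, or None if it is acceptable.

    RFC 793 semantics: SYN and FIN never coexist; RST is never combined with SYN
    or FIN; a segment with no flags at all is meaningless (a 'null scan'); and
    every segment other than an initial SYN or a bare RST must carry ACK."""
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if flags & RST and flags & (SYN | FIN):
        return "RST combined with SYN or FIN"
    if flags == 0:
        return "no flags set"
    if not flags & ACK and flags != SYN and not flags & RST:
        return "non-SYN segment without ACK"
    return None


def should_discard(segment: bytes):
    """Ingress decision for one TCP segment: (discard?, reason_or_None)."""
    hdr = parse_tcp_header(segment)
    if hdr is None:
        return True, "malformed TCP header"
    src, dst, _, flags = hdr
    reason = invalid_flag_reason(flags)
    if reason:
        return True, f"{reason} ({flag_str(flags)}) from port {src} to {dst}"
    return False, None


def make_segment(src: int, dst: int, flags: int, data_offset: int = 20) -> bytes:
    """Constructed 20-byte TCP header with the given flags (checksum left zero)."""
    off_flags = ((data_offset // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, off_flags, 65535, 0, 0)


if __name__ == "__main__":
    samples = {
        "SYN+FIN probe": make_segment(40000, 22, SYN | FIN),
        "null scan": make_segment(40001, 22, 0),
        "Xmas scan": make_segment(40002, 22, FIN | PSH | URG),
        "normal SYN": make_segment(40003, 22, SYN),
        "normal data": make_segment(40004, 22, PSH | ACK),
    }
    for name, seg in samples.items():
        discard, reason = should_discard(seg)
        print(f"{name:14s} discard={discard} {reason or ''}")
```

The data-offset check matters as much as the flag check on a management-plane stack: a header that claims fewer than 20 bytes, or more than the segment carries, is rejected before any option parsing touches it.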
VMReady Distributed vSwitch Support:
------------------------------------
VMReady support for distributed vSwitches has been added, along with support for vSphere 5.0.

Syslog Enhancement:
-------------------
Support for different configurable severity levels for syslog on IBM switches.

SNMP Trap for Power Failure:
----------------------------
Support for SNMP trap generation on power failure.

Host Resources MIB (RFC 1514)
-----------------------------
Provided support for the standards-based HOST-RESOURCES-MIB defined in RFC 2790 (which obsoletes RFC 1514), allowing the switches to be managed through standard object IDs. The Host Resources MIB defines a uniform set of objects to manage host devices that is independent of the vendor, software, or network capabilities. Implementation of the system and interface groups is mandatory.

Next Hop Self
-------------
The BGP next-hop-self feature is supported: it sets the IP address used as the next hop in advertised routes, overriding the default behavior used to select the next hop.

Precision Time Protocol
-----------------------
Provided support for hardware-assisted PTP synchronization to improve time accuracy between systems in the network. PTP keeps the system time of nodes in a network closely synchronized. Its accuracy is sub-microsecond, compared with the millisecond accuracy provided by NTP. The improved accuracy between systems is needed in low-latency networks and in networks with increased virtualization.

SNMP and BBI Support for OSPFv3 and MLDv2
-----------------------------------------
The IPsec feature was provided in the 6.7 release, but only in the command-line interfaces. This release adds configuration and monitoring support for MLDv2 via the BBI and SNMP interfaces.

Terminal-length 0 persistent
----------------------------
Provided Cisco-like commands for configuring the terminal length for CLI sessions. The commands are saved in flash for persistence across resets. A runtime option changes the terminal length for the current session without affecting the saved configuration.
vLAG scaling
------------
Increased the number of vLAG groups to 50.

VMCheck:
--------
The switch primarily identifies virtual machines by their MAC addresses. An untrusted server or a VM could identify itself by a trusted MAC address, leading to MAC spoofing attacks. Sometimes MAC addresses get transferred to another VM, or they get duplicated. The VMCheck solution addresses these security concerns by validating the MAC addresses assigned to VMs. The switch periodically sends hello messages on server ports. These messages include the switch identifier and port number. The hypervisor listens to these messages on physical NICs and stores the information, which can be retrieved using the VMware Infrastructure Application Programming Interface (VI API). This information is used to validate the VM.
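The VMCheck exchange above is modelled below as an added example; it is not IBM switch or VMware code. The switch object sends a hello carrying (switch identifier, port) on each server port, each hypervisor records which hello arrived on which physical NIC (the data the description says is later read back through the VI API), and a validator compares every VM's claimed MAC with the port on which the switch actually learned that MAC. The hypervisor and VM records, the port numbers, the MAC addresses and the "rogue" VM are constructed for the demonstration, and the record layouts are an assumption about how such data would be held, not the VI API's real schema.

```python
"""VMCheck-style validation of VM MAC addresses against switch port knowledge.

Added example, not code from IBM NOS or VMware: models the hello exchange in
the VMCheck feature description and the validation it enables. The record
structures below are assumptions for the demonstration; all sample data is
constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Hello:
    """What the switch puts in each hello: its identifier and the sending port."""
    switch_id: str
    port: int


@dataclass
class Hypervisor:
    name: str
    nic_uplink: dict = field(default_factory=dict)   # physical NIC -> last Hello seen on it
    vms: dict = field(default_factory=dict)          # VM name -> (MAC, physical NIC its vSwitch uses)

    def receive_hello(self, nic: str, hello: Hello) -> None:
        self.nic_uplink[nic] = hello


class Switch:
    def __init__(self, switch_id: str):
        self.switch_id = switch_id
        self.mac_table: dict = {}   # learned MAC -> port
        self.links: dict = {}       # port -> (Hypervisor, NIC) cabled to it

    def send_hellos(self) -> None:
        """Periodic hello on every server port, as the feature description states."""
        for port, (hv, nic) in self.links.items():
            hv.receive_hello(nic, Hello(self.switch_id, port))

    def learn(self, mac: str, port: int) -> None:
        self.mac_table[mac.lower()] = port


def vmcheck(switch: Switch, hypervisors) -> list:
    """Return findings as (severity, message). A VM's MAC is trusted only when
    the switch learned it on exactly the port its host NIC received the hello on;
    a MAC claimed by more than one VM is reported as a duplicate."""
    findings = []
    claims = {}   # MAC -> [(hypervisor, vm), ...] that claim it
    for hv in hypervisors:
        for vm, (mac, nic) in hv.vms.items():
            mac = mac.lower()
            claims.setdefault(mac, []).append((hv.name, vm))
            hello = hv.nic_uplink.get(nic)
            if hello is None or hello.switch_id != switch.switch_id:
                findings.append(("warn", f"{hv.name}/{vm}: NIC {nic} has no hello from {switch.switch_id}"))
                continue
            learned = switch.mac_table.get(mac)
            if learned is None:
                findings.append(("info", f"{hv.name}/{vm}: MAC {mac} not yet seen by the switch"))
            elif learned != hello.port:
                findings.append(("alert", f"{hv.name}/{vm}: MAC {mac} claimed behind port {hello.port} "
                                          f"but learned on port {learned} (possible spoof)"))
    for mac, owners in claims.items():
        if len(owners) > 1:
            names = ", ".join(f"{h}/{v}" for h, v in owners)
            findings.append(("alert", f"MAC {mac} duplicated across VMs: {names}"))
    return findings


def build_demo():
    """Constructed topology: two hosts on ports 17 and 18; 'rogue' reuses web01's MAC."""
    sw = Switch("G8264T-1")
    esx1, esx2 = Hypervisor("esx1"), Hypervisor("esx2")
    sw.links = {17: (esx1, "vmnic0"), 18: (esx2, "vmnic0")}
    sw.send_hellos()
    esx1.vms = {"web01": ("00:50:56:00:00:01", "vmnic0"),
                "db01": ("00:50:56:00:00:02", "vmnic0")}
    esx2.vms = {"rogue": ("00:50:56:00:00:01", "vmnic0"),
                "app01": ("00:50:56:00:00:03", "vmnic0")}
    # What the switch has actually learned from frames arriving on its ports.
    sw.learn("00:50:56:00:00:01", 17)
    sw.learn("00:50:56:00:00:03", 18)
    return sw, [esx1, esx2]


if __name__ == "__main__":
    for sev, msg in vmcheck(*build_demo()):
        print(f"[{sev}] {msg}")
```

The check is only as trustworthy as the hello binding: a hypervisor that is not listening on its physical NICs produces no (switch, port) record, so its VMs cannot be validated at all, which the validator reports separately from a mismatch rather than silently trusting them.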