aos-cx 10.08.0001 release notes · 2021. 8. 18. ·...

AOS-CX 10.08.0001 ReleaseNotes

6300, 6400 Switch Series

Published: September 2021Edition: 3

| 2

Copyright Information

©Copyright 2021 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under theGNU General Public License, the GNU Lesser General PublicLicense, and/or certain other open source licenses. A completemachine-readable copy of the source codecorresponding to such code is available upon request. This offer is valid to anyone in receipt of thisinformation and shall expire three years following the date of the final distribution of this product versionby Hewlett Packard Enterprise Company. To obtain such source code, send a check ormoney order in theamount of US $10.00 to:

Hewlett Packard Enterprise Company6280 America Center DriveSan Jose, CA 95002USA

NoticesThe information contained herein is subject to changewithout notice. The only warranties for HewlettPackard Enterprise products and services are set forth in the express warranty statements accompanyingsuch products and services. Nothing herein should be construed as constituting an additional warranty.Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license fromHewlett Packard Enterprise required for possession, use,or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer SoftwareDocumentation, and Technical Data for Commercial Items are licensed to theU.S. Government undervendor's standard commercial license.

Links to third-party websites take you outside theHewlett Packard Enterprise website. Hewlett PackardEnterprise has no control over and is not responsible for information outside theHewlett PackardEnterprise website.

AcknowledgmentsMicrosoft andWindows are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.

Chapter 1AOS-CX 10.08 release notes

AOS-CX 10.08 release notes

DescriptionThis release note covers software versions for the AOS-CX 10.08 branch of the software.

If you run the show version command on the switch, the version number will display FL.10.08.xxxx, where xxxx isthe minor version number.

AOS-CX is a new,modern, fully programmable operating systembuilt using a database-centric design thatensures higher availability and dynamic software process changes for reduced downtime. In addition torobust hardware reliability, the AOS-CX operating system includes additional software elements not availablewith traditional systems, including the features included in the Features section of this release note.

Version 10.08.0001 is the initial build of major version 10.08 software.

Product series supported by this software:

n Aruba 6300 Switch Seriesn Aruba 6400 Switch Series

Important information

Aruba switches covered by this release note use eMMC or SSD storage. This is non-volatile memory for persistentstorage of config, files, databases, scripts, and so forth. Aruba recommends updating to version 10.05.0060 or10.06.0100 or later (including this release) to implement significant improvements to memory usage and prolongthe life of the switch.

To avoid damage to your equipment, do not interrupt power to the switch during a software update.

Switch fans will run at full speed when a fault is detected with the temperature sensors in the switch. This isnormal behavior to ensure overheating does not occur. Should the fans run at full speed at unexpected times,check the output of show environment temperature and show environment fans, then contact support forfurther assistance.

AOS-CX 10.08.0001 Release Notes | for 6300 and 6400 Switches 3

AOS-CX 10.08 release notes | 4

In this and previous releases, AOS-CX BGP implementations support resolving a BGP route's nexthop to a defaultroute (0.0.0.0/0). However, this is not generally recommended in network deployments. Considering the defaultroute to be the last resort route, resolving the BGP route's nexthop to a default route can cause potential routingloops in the network, if they are not properly designed andmonitored. Route flaps and/or traffic drops may beobserved in such cases.

In a future release, AOS-CX will not support the BGP route's nexthop resolving to a default route in the Routetable. To avoid this problem and to be prepared for the update, Aruba recommends configuring a more specificstatic route (or host route) for BGP nexthops that are multihops away that are resolving via the default route.

If using the Web UI, you should clear the browser cache after upgrading to this version of software before logginginto the switch using a Web UI session. This will ensure the Web UI session downloads the latest changes.

If a switch has RPVST enabled and the native VLAN ID configured for a trunk interface is not the default VLAN ID 1,and the native VLAN ID is also used as the management VLAN, the switch may not be accessible over the trunkinterface after upgrading from any 10.04.00xx version of software to 10.08.xxxx.To fix the issue after an upgrade, log into the switch using the OOBM interface or serial port console andconfigure the following:

switch# configure

switch(config)# spanning-tree rpvst-mstp-interconnect-vlan <VLAN_ID>

where <VLAN_ID> is the native VLAN ID configured on the trunk interface.If there are multiple trunk interfaces configured on the switch, each with a different VLAN ID, contact the ArubaSupport Team.

If the switch has the always-on PoE feature enabled, during the upgrade from a version of software prior to10.05.0001 to this version of software, PoE Powered Devices (PDs) will lose power from the switch as the switchwill power cycle during the update. Plan a time for upgrading the switch when loss of power to the PDs attached tothe switch can be mitigated.

When upgrading from software versions before 10.05.0001, if the switch is configured with an entry in a class-map or an Access List that matches AH or ESP traffic, the policy will fail to apply, as these options are no longerpermitted. Remove such entries from the configuration prior to upgrading to 10.08.0001 or remove the respectiveentries from ACLs or Class that failed to apply after the upgrade to 10.08.0001.


When upgrading from a version of software prior to version 10.05.0001, if the switch is configured with IGMP orMLD snooping options such as "forward", "fastleave", "forced-fastleave", or "blocked" at the VLAN context, afterupgrading to this software version, you will need to reconfigure these options for each interface from theinterface configuration context.Example config before 10.05.0001:

vlan 2

ip igmp snooping forward 1/1/1

ip igmp snooping blocked 1/1/2

ip igmp snooping force-fastleave 1/1/3

ip igmp snooping fastleave 1/1/4

Example config to be added after upgrade to this software version:

interface 1/1/1

ip igmp snooping forward vlan 2

interface 1/1/2

ip igmp snooping blocked van 2

interface 1/1/3

ip igmp snooping forced-fastleave vlan 2

interface 1/1/4

ip igmp snooping fastleave vlan 2

To restore a previous configuration when downgrading to a previous version of software, follow these steps:

1. Use the show checkpoint command to see the saved checkpoints and ensure that you have a checkpointthat is an exact match of the target software version (see the Image Version column in the output of thecommand, for example, FL.10.06.0100).

This checkpoint can be the startup-config-backup automatically created during the initial upgrade or anyother manually created checkpoint for the target software version.

2. Copy the backup checkpoint into the startup-config.

3. Boot the switch to the target version (lower version), making sure to select no when prompted to save thecurrent configuration.

Industry and government certificationsRefer to the Approved Product Lists sites for the Common Criteria, FIPS 140-2 and DoDIN APL to obtain theproduct certification details. Products should be used as evaluated and defined in the respectiveconfiguration guides.

n Common Criteria: https://www.niap-ccevs.org/Product/n FIPS 140-2: https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-

https://www.niap-ccevs.org/Product/

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search


Modules/Searchn DoDIN APL: https://aplits.disa.mil/processAPList.action

License written offerThis product includes code licensed under theGNU General Public License, the GNU Lesser General PublicLicense, and/or certain other open-source licenses. A completemachine-readable copy of the source codecorresponding to such code is available upon request. This offer is valid to anyone in receipt of thisinformation and shall expire three years following the date of the final distribution of this product versionby Hewlett Packard Enterprise Company. To obtain such source code, send a check ormoney order in theamount of US $10.00 to:

Hewlett Packard Enterprise CompanyAttn: General Counsel6280 America Center DriveSan Jose, CA 95002U.S.A.

Please specify the product and version for which you are requesting source code. Youmay also request acopy of this source code free of charge at: https://hpe.com/software/opensource

Version historyAll released versions are fully supported by Aruba, unless noted in the table.

Version number Release date Remarks

10.08.0001 2021-08-13 Initial release of AOS-CX 10.08. Released, fully supported, andposted on the web.

Products supportedThis release applies to the following product models:

Product number Description

JL658A Aruba 6300M 24-port SFP+ and 4-port SFP56 Switch

JL659A Aruba 6300M 48-port HPE Smart Rate 1/2.5/5GbE Class 6 PoE and 4-port SFP56 Switch

JL660A Aruba 6300M 24-port HPE Smart Rate 1/2.5/5GbE Class 6 PoE and 4-port SFP56 Switch

JL661A Aruba 6300M 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch

JL662A Aruba 6300M 24-port 1GbE Class 4 PoE and 4-port SFP56 Switch

JL663A Aruba 6300M 48-port 1GbE and 4-port SFP56 Switch

JL664A Aruba 6300M 24-port 1GbE and 4-port SFP56 Switch

JL762A Aruba 6300M 48-port 1GbE and 4-port SFP56 Power-to-Port 2 Fan Trays 1 PSU Bundle

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search

https://aplits.disa.mil/processAPList.action

https://hpe.com/software/opensource


Product number Description

JL665A Aruba 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch

JL666A Aruba 6300F 24-port 1GbE Class 4 PoE and 4-port SFP56 Switch

JL667A Aruba 6300F 48-port 1GbE and 4-port SFP56 Switch

JL668A Aruba 6300F 24-port 1GbE and 4-port SFP56 Switch

R0X26A Aruba 6405 Switch

R0X29A Aruba 6405 96-port 1GbE Class PoE 4 and 4-port SFP56 Switch

R0X30A Aruba 6405 48-port SFP+ and 8-port SFP56 Switch

R0X27A Aruba 6410 Switch

JL741A Aruba 6410 96-port 1GbE Class PoE 4 and 4-port SFP56 Switch

R0X31A Aruba 6400 Management Module

Compatibility/interoperabilityThe switch web agent supports the following web browsers:

Browser Minimum supported versions

Edge (Windows) 41

Chrome (Ubuntu) 76 (desktop)

Firefox (Ubuntu) 56

Safari (MacOS) 12

Safari (iOS) 10 (Version 12 is not supported)

Internet Explorer is not supported.

Recommended versions of network management software for switches found in this release note:

Management software Recommended version(s)

Airwave 8.2.13

NetEdit 2.1.1

Aruba CX Mobile App 2.6.6 (or later)

Aruba Central 2.5.4 (6400 supports only Template group) (6300 supports both Template andUI groups)


Management software Recommended version(s)

Network Automation 10.10, 10.11, 10.20, 10.21, 10.30, 10.40

Network Node Manager 10.10, 10.20, 10.21, 10.30, 10.40

IMC 7.3 (E0705P07)

For more information, see the respective software manuals.

To upgrade software using NetEdit, make sure to upgrade to the above version of NetEdit first and then executethe switch software upgrade on devices discovered by this version of NetEdit.

Minimum supported software versions

If your product is not listed in the below table, it runs on all versions of software.

Product number Product nameMinimumsoftwareversion

R0X26A Aruba 6405 Switch 10.04.1000

R0X31A Aruba 6400 Management Module 10.04.1000

R0X38B Aruba 6400 48-port 1GbE Class 4 PoE Module 10.04.1000

R0X39B Aruba 6400 48-port 1GbE Class 4 PoE and 4-port SFP56 Module 10.04.1000

R0X40B Aruba 6400 48-port 1GbE Class 6 PoE and 4-port SFP56 Module 10.04.1000

R0X41A Aruba 6400 48-port HPE Smart Rate 1/2.5/5GbE Class 6 PoE and4-port SFP56 Module

10.04.1000

R0X42A Aruba 6400 24-port 10Gbase-T and 4-port SFP56 Module 10.04.1000

R0X43A Aruba 6400 24-port SFP+ and 4-port SFP56 Module 10.04.1000

R0X44A Aruba 6400 48-port 10/25GbE SFP28 Module 10.04.2000

R0X45A Aruba 6400 12-port 40/100GbE QSFP28 Module 10.04.2000

JL762A Aruba 6300M 48-port 1GbE and 4-port SFP56 Power-to-Port 2 FanTrays 1 PSU Bundle

10.04.3000

R0X27A Aruba 6410 Switch 10.05.0001

JL741A Aruba 6410 96-port 1GbE Class PoE 4 and 4-port SFP56 Switch 10.05.0001

Transceiver support


Changes to transceiver support with this version of software:

n No new transceiver support

Refer to the Transceiver Guide for complete details on all supported transceivers.

EnhancementsThis section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest on the top of the list.Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

The number listed with the category is used for tracking purposes.

Version 10.08.0001

Category Description

Auto VLAN creation Automates VLAN creation on access switches for authenticated clients.

BGP BGP fast-external-failover is now enabled by default.

Device fingerprinting Support for device fingerprinting collector for CPDI integration, enablesvisibility of hostname, device type and device OS.

DHCP relay Added DHCP relay coexistence with DHCP server for both IPv4 and IPv6.

Inclusive terminology As part of advancing HPE's and Aruba's commitment to racial justice, we aretaking a much-needed step in overhauling engineering terminology to reflectour belief system of diversity and inclusion. Seehttps://blogs.arubanetworks.com/spectrum/our-responsibility-to-stand-up-to-racism-and-inequality/ for Aruba's stand on inclusivity.

IP client tracker Enables IP address visibility of UBT clients for RADIUS accounting.

IP sub-interface Allows multiple IP addresses on a single routed interface.Supports unicast andmulticast routing for both IPv4 and IPv6.Supports OSPF, BGP and PIM for both IPv4 and IPV6.Supported on RoP, L3 lags and split interfaces.

Job Scheduler Added the ability to execute required CLI commands at a specific time anddate. This can be repeated at periodic intervals.

Loopback IP redistribution inOSPF

Allows redistribution of IPv4 and IPv6 addresses of loopback interfaces inOSPFv2 and OSPFv3.

MAC Tables74408

Added an SNMP trap notification if there is a MAC address change.

MAC Tables84378

Added the clear mac command to delete a specific MAC on one or moreVLANs.

Mixed role Added ability to override role attributes with standard or Vendor SecificAttributes (VSAs).Enabled downloadable GW role, captive portal, and VLAN override.

https://support.hpe.com/hpsc/doc/public/display?docId=a00028947en_us

https://blogs.arubanetworks.com/spectrum/our-responsibility-to-stand-up-to-racism-and-inequality/

https://blogs.arubanetworks.com/spectrum/our-responsibility-to-stand-up-to-racism-and-inequality/


Category Description

Multi Domain Authentication Allows port access for a specified number of voice and data devices.

Network Load Balancing (NLB) Provides load balancing technology for server clustering developed onMicrosoft Windows Server.Supports load sharing and redundancy among servers within a cluster.

Precision Time Protocol (PTP) Enables precise clock synchronization across distributed devices, needed fortime critical applications like AVB and financial systems.Support for transparent clock with end-to-end delay mechanism. (Aruba 6300Switch Series only)

Private VLAN Enables traffic isolation for users on the same VLAN.Support for isolated, community, and primary VLANs.

Security Ensures configuration integrity.Limit concurrent users for web access.

Services on the overlay Supports RADIUS server over VXLAN for IPv4 and IPv6.

Transceivers160269

Added display in dBM for DOM thresholds in the output of the showinterface dom detail command.

Troubleshooting on the overlay Supports ping over VXLAN for IPv4 and IPv6.Supports traceroute over VXLAN for IPv4 and IPv6.

VSX162842

NOTE: Applies only to the Aruba 6400 Switch Series.

Updated the warning message displayed when shutting down an SwitchVirtual Interface (SVI) with an active gateway enabled to be more informativeabout the risks of doing such a shutdown.

VXLAN VXLAN GBP and Role-based Policies: Enables micro segmentation and rolebased policies across the VXLAN overlay.Dual VTEP termination and VXLAN GBP relay: Allows stub fabric extenderVTEPs to relay VXLAN GBP between static and dynamic VXLAN tunnels.

FixesThis section lists released builds that include fixes found in this branch of the software. Software fixes arelisted in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, eachsoftware version listed includes all fixes added in earlier versions.

The Symptom statement describes what a usermight experience if this is seen on the network. The Scenariostatement provides additional environment details and trigger summaries. When available, theWorkaroundstatement provides aworkaround to the issue for customers who decide not to update to this version ofsoftware.

The Bug ID is used for tracking purposes.

Version 10.08.0001


Category Bug ID Description

ARP 191536 Symptom/Scenario:When the switch is rebooted with an SVI shutdown, ifthe IP address is changed and the SVI re-enabled, the old VLAN IP addressstill replies to an ARP request received.Workaround:Delete and then add back the SVI.

BSP 95761NOTE: Applies only to the Aruba 6400 Switch Series.

Symptom/Scenario: The line module fails to boot after an FPGA updatehas been interrupted.

ConfigManagement

191612 Symptom: Copying a configuration file to startup either fails or completesbut does not configure everything defined in it.Scenario:When copying a configuration file that uses windows style CRLF(\r\n) to the startup config, it either fails or completes but does notconfigure everything defined in it.Workaround: Change the file line endings to UNIX format (\n)

CredentialManager

94938 Symptom:During boot, the following message is observed, after whichthe features to not function:

---------------------------------------------------------------------

... ...

[OK] Starting HPE Credential Manager.

... ...

[FAILED] Failed to start HPE Credential Manager.

See 'systemctl status hpe-credmgr.service' for details.

[DEPEND] Dependency failed for Halon NTP Helper Daemon.

[DEPEND] Dependency failed for Radius Server TrackingDaemon.

[DEPEND] Dependency failed for Port Access Security Daemon.

[DEPEND] Dependency failed for Captive Portal daemon.

[DEPEND] Dependency failed for TACACS+ Server TrackingDaemon.

[DEPEND] Dependency failed for IPsec Configurator ModuleDaemon.

[DEPEND] Dependency failed for Tunneled Node Daemon.

[OK] Stopped HPE Credential Manager.

Starting HPE Credential Manager.

... ...

-------------------------------------------------------------------------

Scenario: If the startup config is large and takes an extensively long timeto load or in a VSF environment if members must wait an excessively longtime for the conductor to come up or if a hardware failure delays or blocksthe VSF role determination for an excessive amount of time, an errormessage displays during boot and various features do not function afterboot.



Workaround: If there is no hardware defect, a power cycle of the switchor entire VSF stack typically resolves the issue.

Diagnostics 173341 Symptom/Scenario: The IPtraf diagnostic utility does not work.

Interfaces 177432NOTE: Applies only to the Aruba 6300 Switch Series.

Symptom: An interface is set as available for receiving traffic before it isready, causing an issue for internal VLANs used by the ports that belong toa LAG.Scenario: After an event related to system reboot, for example an imageupgrade or switchover, the OSPFv2/v3 sessions do not resume, causingtraffic to not flow through the network.Workaround: Perform the following steps:

1. Remove the LAG from the LAG member ports (physical interfaces).

2. Shut down the physical interfaces.

3. Add the physical interfaces back to the LAG.

4. Enable the physical interfaces using the no shutdown command.

L3 Addressing 164817 Symptom/Scenario: The SNMPMIB OID IP-FORWARD-MIB::inetCidrRouteIfIndex returns an invalid output.

L3 Addressing 174746 Symptom: Packets entering a tunnel trigger an MTU violation; however,the violation does not trigger an ICMP message as expected.Scenario:When large MTU packets enter a tunnel with a smaller MTU, thepackets trigger an MTU violation that does not trigger the expectedICMP message from the switch back to the sender.Workaround:Use statically configured MTU rather than PMTU discoverywhen using tunnels.

L3 Routes 159221NOTE: Applies only to the Aruba 6300 Switch Series.

Symptom: Traffic is not forwarded on some routes or routes experienceslow forwarding with a log message similar to switchd_agent[9044]:debug|LOG_ERR|LC|1/5|L3|L3_ASIC|Hardware Route, createfailed for prefix: ....Scenario: The route forwarding engine has six tables to hold "common"prefixes and a "best match" table to hold all the rest. If the local sitenetwork makes heavy use of prefixes not hard-coded as"common" prefixes, the "best match" table can run out of space. Once thetables are full, additional prefixes in the tables fail to forward or forwardvery slowly.Workaround: Renumber the network to fit into the per-prefix capacities ofthe switch.

L3 Routes 78485NOTE: Applies only to the Aruba 6300 Switch Series.

Symptom: A VXLAN packet is encapsulated in the wrong VLAN.Scenario:When the switch is configured with a VXLAN VNI to VLANmapping for VLAN x and a packet is received for another VLAN (VLAN y),the VXLAN packet is encapsulated in the wrong VLAN.



MAC Tables 86543,154852,159156,190398

NOTE: Applies only to the Aruba 6400 Switch Series.

Symptom: Traffic in a VSX pair is dropped.Scenario:When a VSX pair is in VRRP BACKUP/BACKUP mode, traffic usingVRRP MAC as the destination MAC that hits the VSX pair will be dropped.

Port Access 188042 Symptom: Clients fail to onboard and the error Failed to apply PortAccess Policy is seen in the log.Scenario:When the port-access onboard-method precedentsdevice-profile aaa command is executed and clients logoff andattempt to login again, the clients fail to onboard and an error is logged.Workaround: Reboot the line card where the port-access policy failed toapply.

sFlow 151822 Symptom: The sFlow sampled packets from a LAG contain the ifIndex ofthe member port instead of the LAG itself.Scenario:When sFlow sampling is enabled on a LAG interface, the sFlowsampled packets from the LAG contain the ifIndex of the member portrather than the ifIndex of the LAG.

VSF 91074NOTE: Applies only to the Aruba 6300 Switch Series.

Symptom:Unable to log into the CLI of stack members.Scenario: After a series of continuous reboots lasting about 15 hours of amember of the stack, users are unable to log into the CLI of that memberand logging into the master switch is delayed.Workaround: Power cycle the entire stack.

Issues and workaroundsThe following are known open issues with this branch of the software.

The Symptom statement describes what a usermight experience if this is seen on the network. The Scenariostatement provides additional environment details and trigger summaries. When available, theWorkaroundstatement provides aworkaround to the issue.

Version 10.08.0001


EVPN 173356 Symptom/Scenario: Attribute values on EVPN routes reset todefault after a VxLAN flap.Workaround: Clear BGP using the clear bgp * command.

EVPN 174088 Symptom/Scenario: The configured value for the BGP default localpreference is not carried over EVPN routes.Workaround: Inject the local preference from the non-EVPN fabricneighbor using the route-map command.

OSPF 149301 Symptom: The switch shows unexpected behavior in the OSPFv2/3DLOGs.Scenario:When debug ospfv2 packet or debug ospfv3 packetis enabled with the ip filter, the switch shows unexpected behaviorin the OSPFv2/3 DLOGs.



Workaround:Use debug ospfv2 packet or debug ospfv3packet with the port filter and grep for the required IP (v4 or v6)address.

OSPF 160179 Symptom/Scenario: ARB does not inject the default route in aTotally Stubby Area with loopback in Area 0.0.0.0.Workaround: Assign one or more physical interfaces to Area0.0.0.0.

Port Access 156628 Symptom: The port-access daemon crashes.Scenario:When port security is enabled on a port where the port-security client-limit is configured with a value lower than thenumber of the port-security static clients configured on the port,after a downgrade from 10.07 to 10.05 or 10.06 the port-accessdaemon crashes.Workaround: Prior to the downgrade, set the port-security limitconfiguration to a value equal to or higher than the number of staticport-security clients configured on the port.

Feature Caveats

Feature Description

ACLsNOTE: Applies only to the Aruba 6300 Switch Series.

In a VSF stack, the swtich may fail to log events for the matching access-listentries. ACL functionality is not impacted; access-list entries are appliedproperly and only the logging is incorrectly generated.

Aruba CX Mobile AppNOTE: Applies only to the Aruba 6300 Switch Series.

VSF stack formation is blocked when there are reserved autojoin interfaces(25, 26, 49, 50) in the stack topology.

BGPNOTE: Applies only to the Aruba 6300 Switch Series.

In multi-VRF environments, the use of OSPF routing between VRRP peersshould be used instead of BGP.

Classifiers For Classifier policy modifications to be secure, Aruba strongly encouragesmodifications be done as a three-step process: Bring down the port, modify,and bring the port back up.

Classifiers Policies containing both MAC and IPv6 classes are not allowed.

CMF Automatic downgrade of the startup–config is not supported during asoftware downgrade. To restore a configuration use the proceduredocumented under Manual configuration restore for software downgrade.

CMF No other checkpoint besides "startup-configuration" gets migrated during theupgrade process.

Counters (6400 only) Bytes/errors/drops count in show interface <IF-NAME> and showinterface <IF-NAME> queues can have up to 10% deviation. This willmanifest mainly when running at line rate with small packet sizes and after a


Feature Description

port goes up/down.

Counters (6400 only) The "Bytes" counter is not supported in show interface <IF-NAME> queuesoutput.

DHCP Server, DHCP Relay, andDHCP Snooping

DHCP Relay and DHCP Snooping can co-exist on the same switch.

DHCP Snooping and DHCP Server cannot co-exist on the same switch.

DHCP Snooping, DHCP Relay, and DHCP Server together cannot co-exist onthe same switch.

Dynamic segmentation Dynamic segmentation does not work with RADIUS server group configuredwith FQDN. Use IP address configuration.

EVPN iBGP split-horizon rule is not followed between different address families. Useroute-map to block the routes getting advertised to the iBGP peer.

Flow control (6400 only) Flow control is not supported.

ICMP Redirect The switch may only software forward 100pps IP frame that trigger ICMPredirect.

Line module Hot Swap andReboot (6400 only)

Concurrent physical hot insert/removal or reboot of a line-module is notsupported. Subsequent insert/removal or reboot of a line-module must beinitiated only after preceding attempts have been completely processed bythe system.For hot insert youmust wait until the preceding line-module has reached the"ready" state before inserting subsequent line-modules. For hot removal youmust wait until the line-module is no longer present in the system. See the CLIcommand show module for line-module status information.Aruba recommends line-modules be gracefully shut down before removal.Use the CLI config command module <SLOT-ID> admin-state[diagnostic | down | up] to change the administrative state of the line-module.Line module reboot and hot removal is not a hitless operation. Up to 2seconds of traffic loss may be expected when any module is rebooted orremoved from the system. Hot insert does not result in any traffic loss.

Multicast and VXLAN ROP extension for VSX border leaf for clients is not supported.VXLAN must be configured prior to configuring VSX.Distributed Anycast Gateway is not supported (same IP address for SVI andAG).IPv6 multicast is not supported for VXLAN overlay.Multicast support for static VXLAN in the overlay has limited support. ContactAruba Support for details.Multicast traffic with a Null Source IP (0.0.0.0) gets flooded.

Priority queues (6400 only) A maximum of four (4) priority queues is supported.

RADIUS Authorization by means of HPE VSAs is not supported.

Reduction in TCAM entries(6400 only)

On some line cards, a small number (~200) of TCAM entries are used forinternal purposes.

REST REST supports the 'admin' and 'operator' roles but does not work withTACACS+ command authorization.


Feature Description

RIP/RIPng Redistribute RIP/RIPng is not supported in BGP/BGP+.

RIP/RIPng RIP/RIPng metric configuration support is not available.

SFTP When the path to the SFTP server crosses segments with different MTU framesizes, file transfers will fail. Configure the same MTU on all nework segmentson the path to the SFTP server to use SFTP to transfer files.

Sub-interface BFD is not supported on a sub-interface.For multicast support on a sub-interface:

1. When ROP/Sub-interface as uplink is used towards multicast source, aPIM enabled point-to-point Transit VLAN over ISL between VSX devicesshould be added to ensure an alternate path to reach upstreammulticastsource. This Transit VLAN is not carried on VSX LAGs. (A dedicated point-to-point link between VSX primary and secondary can also be used.)

2. PIM Active/Active configuration is recommended for multicast clientsconnected to downstream VSX LAGs. PIM active/active does not provideDR redundancy for upstream receivers connected over ROP or sub-interfaces (i.e. multicast traffic impact when DR fails)

3. Anycast RP with MSDP is recommended. For BSR/C-RP, a PIM peeringover point-to-point Transit VLAN between VSX devices is needed. In caseof BSR/C-RP, convergence time is higher than Anycast RP configurationwhen active RP fails.

4. If KA is used for the P2P sub-interface link, KA has to be in a different VRF.

Tunnels When configuring tunnels (VXLAN/IP tunnels) with the underlay as a staticroute, the next-hop IP should be an SVI or ROP IP and not configured as theActive-Gateway.

VRF VRF names are limited to 31 characters.

VRRP-MD5 authenticationinterop

Not supported with Comware-based switches

VRRP VRRP Preemption Delay Timer (preempt delay minimum) may be ignoredafter a switch reboot or power cycle.

VRRP and VXLAN VRRP and VXLAN are mutually exclusive.

VSX and Static VXLAN (6400only)

Static VXLAN on VSX configuration is not supported. Use VSX and EVPN or VSXand HSC.

Upgrade informationVersion 10.08.0001 uses ServiceOS FL.01.09.0002.


If a switch has RPVST enabled and the native VLAN ID configured for a trunk interface is not the default VLAN ID 1,and the native VLAN ID is also used as the management VLAN, the switch may not be accessible over the trunkinterface after upgrading from any 10.04.00xx version of software to 10.08.xxxx.To fix the issue after an upgrade, log into the switch using the OOBM interface or serial port console andconfigure the following:

switch# configure

switch(config)# spanning-tree rpvst-mstp-interconnect-vlan <VLAN_ID>

where <VLAN_ID> is the native VLAN ID configured on the trunk interface.If there are multiple trunk interfaces configured on the switch, each with a different VLAN ID, contact the ArubaSupport Team.

Do not interrupt power to the switch during this important update.

When upgrading from software versions before 10.05.0001, if the switch is configured with an entry in a class-map or an Access List that matches AH or ESP traffic, the policy will fail to apply, as these options are no longerpermitted. Remove such entries from the configuration prior to upgrading to 10.08.0001 or remove the respectiveentries from ACLs or Class that failed to apply after the upgrade to 10.08.0001.


When upgrading from a version of software prior to version 10.05.0001, if the switch is configured with IGMP orMLD snooping options such as "forward", "fastleave", "forced-fastleave", or "blocked" at the VLAN context, afterupgrading to this software version, you will need to reconfigure these options for each interface from theinterface configuration context.Example config before 10.05.0001:

vlan 2

ip igmp snooping forward 1/1/1

ip igmp snooping blocked 1/1/2

ip igmp snooping force-fastleave 1/1/3

ip igmp snooping fastleave 1/1/4

Example config to be added after upgrade to this software version:

interface 1/1/1

ip igmp snooping forward vlan 2

interface 1/1/2

ip igmp snooping blocked van 2

interface 1/1/3

ip igmp snooping forced-fastleave vlan 2

interface 1/1/4

ip igmp snooping fastleave vlan 2

Some Network Analytics Engine (NAE) scripts may not function properly after an upgrade. Aruba recommendsdeleting existing NAE scripts before an upgrade and then reinstalling the scripts after the upgrade. For moreinformation, see the Network Analytics Engine Guide.

Manual configuration restore for software downgrade

To restore a previous configuration when downgrading to a previous version of software, follow these steps:

1. Use the show checkpoint command to see the saved checkpoints and ensure that you have a checkpointthat is an exact match of the target software version (see the Image Version column in the output of thecommand, for example, FL.10.06.0100).

This checkpoint can be the startup-config-backup automatically created during the initial upgrade or anyother manually created checkpoint for the target software version.

2. Copy the backup checkpoint into the startup-config.

3. Boot the switch to the target version (lower version), making sure to select no when prompted to save thecurrent configuration.

Performing the upgrade


This versionmay contain a change of BootROM from the current running version. A BootROM update is a non-failsafe update. Do not interrupt power to the switch during the update process or the update could permanentlydamage the device.

1. Copy the new image into the non-current boot bank on the switch using your preferredmethod.2. Depending on the version being updated, theremay be device component updates needed. Preview

any devices updates needed using the boot system <BOOT-BANK> command and entering nwhenasked to continue.For example, if you copied the new image to the secondary boot bank and no device componentupdates are needed, you will see this:

switch# boot system secondaryDefault boot image set to secondary.Checking if the configuration needs to be saved...

Checking for updates needed to programmable devices...Done checking for updates.

This will reboot the entire switch and render it unavailableuntil the process is complete.Continue (y/n)? n

In this example, 3 device updates will bemade upon reboot, one of which is a non-failsafe device:



2 device(s) need to be updated during the boot process.The estimated update time is between 2 and 3 minute(s).There may be multiple reboots during the update process.

1 non-failsafe device(s) also need to be updated.Please run the 'allow-unsafe-updates' command to enable these updates.

This will reboot the entire switch and render it unavailableuntil the process is complete.Continue (y/n)? n

3. When ready to update the system, if a non-failsafe device update is needed, make sure the systemwill not have any power interruption during the process. Invoke the allow unsafe updates

command to allow updates to proceed after a switch reboot. Proceed to step 4 within the configuredtime.

switch# configswitch(config)# allow-unsafe-updates 30

This command will enable non-failsafe updates of programmable devices for


the next 30 minutes. You will first need to wait for all line and fabricmodules to reach the ready state, and then reboot the switch to beginapplying any needed updates. Ensure that the switch will not lose power,be rebooted again, or have any modules removed until all updates havefinished and all line and fabric modules have returned to the ready state.

WARNING: Interrupting these updates may make the product unusable!

Continue (y/n)? y

Unsafe updates : allowed (less than 30 minute(s) remaining)

4. Use the boot system <BOOT-BANK> command to initiate the upgrade. On the switch console port anoutput similar to the following will be displayed as various components are being updated:



3 device(s) need to be updated during the boot process.The estimated update time is between 2 and 3 minute(s).There may be multiple reboots during the update process.

This will reboot the entire switch and render it unavailableuntil the process is complete.Continue (y/n)? yThe system is going down for reboot.

Looking for SVOS.

Primary SVOS: Checking...Loading...Finding...Verifying...Booting...

ServiceOS Information:Version: <serviceOS_number>Build Date: yyyy-mm-dd hh:mm:ss PDTBuild ID: ServiceOS:<serviceOS_number>:6303a2a501ba:202006171659SHA: 6303a2a501bad91100d9e71780813c59f19c12fe

Boot Profiles:

0. Service OS Console1. Primary Software Image [xx.10.07.0010]2. Secondary Software Image [xx.10.08.0001]

Select profile(secondary):

ISP configuration:Auto updates : enabledVersion comparisons : match (upgrade or downgrade)Unsafe updates : allowed (less than 29 minute(s) remaining)

Advanced:Config path : /fs/nos/isp/config [DEFAULT]Log-file path : /fs/logs/isp [DEFAULT]Write-protection : disabled [DEFAULT]


Package selection : 0 [DEFAULT]

3 device(s) need to be updated by the ServiceOS during the boot process.The estimated update time by the ServiceOS is 2 minute(s).There may be multiple reboots during the update process.

MODULE 'mc' DEVICE 'svos_primary' :Current version : '<serviceOS_number>'Write-protected : NOPackaged version : '<version>'Package name : '<svos_package_name>'Image filename : '<filename>.svos'Image timestamp : 'Day Mon dd hh:mm:ss yyyy'Image size : 22248723Version upgrade needed

Starting update...

Writing... Done.Erasing... Done.Reading... Done.Verifying... Done.Reading... Done.Verifying... Done.

Update successful (0.5 seconds).

reboot: Restarting system

Multiple componentsmay be updated and several reboots will be triggered during these updates. When allcomponent updates are completed, the switch console port will arrive at the login prompt with a displaysimilar to following:

(C) Copyright 2017-2021 Hewlett Packard Enterprise Development LP

RESTRICTED RIGHTS LEGENDConfidential computer software. Valid license from Hewlett Packard EnterpriseDevelopment LP required for possession, use or copying. Consistent with FAR12.211 and 12.212, Commercial Computer Software, Computer SoftwareDocumentation, and Technical Data for Commercial Items are licensed to theU.S. Government under vendor's standard commercial license.

We'd like to keep you up to date about:* Software feature updates* New product announcements* Special events

Please register your products now at: https://asp.arubanetworks.com

switch login:

Aruba recommends waiting until all upgrades have completed before making any configuration changes.

Chapter 2Aruba security policy

Aruba security policyA Security Bulletin is the first published notification of security vulnerabilities and is the only communicationvehicle for security vulnerabilities.

n Fixes for security vulnerabilities are not documented inmanuals, release notes, or other forms of productdocumentation.

n A Security Bulletin is released when all vulnerable products still in support life have publicly availableimages that contain the fix for the security vulnerability.

The Aruba security policy can be found at https://www.arubanetworks.com/en-au/support-services/sirt/.Security bulletins can be found at https://www.arubanetworks.com/en-au/support-services/security-bulletins/.

Security bulletin subscription serviceYou can sign up at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.comto initiate a subscription to receive future Aruba Security Bulletin alerts via email.


https://www.arubanetworks.com/en-au/support-services/sirt/

https://www.arubanetworks.com/en-au/support-services/security-bulletins/

https://www.arubanetworks.com/en-au/support-services/security-bulletins/

https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com

aos-cx 10.08.0001 release notes · 2021. 8. 18. ·...

Documents