Notices

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Release Notes

Description

This release note covers software versions for the ArubaOS-CX 10.00 branch of the software.

NOTE:

If you run the show version command on the 8320, the version number will display TL.10.00.xxxx, where xxxx is the minor version number.

ArubaOS-CX is a new, modern, fully programmable operating system built using a database-centric design that ensures higher availability and dynamic software process changes for reduced downtime. In addition to robust hardware reliability, the ArubaOS-CX operating system includes additional software elements not available with traditional systems, including the features included in the Enhancements section of this release note.

Version 10.00.0006 was the initial build of major version 10.00 software.

Product series supported by this software:

  • Aruba 8320 Switch Series

Important information

To avoid damage to your equipment, do not interrupt power to the switch during a software update.

Version history

All released versions are fully supported by Hewlett Packard Enterprise, unless noted in the table.

Version number  Release date  Based on    Remarks
10.00.0019      2018-07-19    10.00.0018  Released, fully supported, and posted on the web.
10.00.0018      2018-05-18    10.00.0017  Released, fully supported, and posted on the web.
10.00.0017      n/a           10.00.0016  Never released.
10.00.0016      2018-05-01    10.00.0015  Released, fully supported, and posted on the web.
10.00.0015      2018-04-23    10.00.0014  Released, fully supported, and posted on the web.
10.00.0014      2018-04-06    10.00.0013  Released, fully supported, and posted on the web.
10.00.0013      2018-03-28    10.00.0012  Released, fully supported, and posted on the web.
10.00.0012      2018-03-13    10.00.0011  Released, fully supported, and posted on the web.
10.00.0011      n/a           10.00.0010  Never released.
10.00.0010      2018-02-28    10.00.0008  Released, fully supported, and posted on the web.
10.00.0009      n/a                       Never built.
10.00.0008      2018-02-15    10.00.0007  Released, fully supported, and posted on the web.
10.00.0007      2018-01-29    10.00.0006  Released, fully supported, and posted on the web.
10.00.0006      2018-01-10                Initial release of ArubaOS-CX 10.00 for the 8320 switch. Released, fully supported, and posted on the web.

Products supported

This release applies to the following product models:

Product number Description
JL479A Aruba 8320 48p 10G SFP/SFP+ and 6p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle
JL579A Aruba 8320 32p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle
JL581A Aruba 8320 48p 1G/10GBASE-T and 6p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle

Compatibility/interoperability

The switch web agent supports the following web browsers:

Browser                   Minimum supported versions
Edge (Windows)            38
Chrome (Ubuntu)           54 (desktop), 56 (mobile)
Firefox (Ubuntu)          52
Safari (macOS, iOS only)  10

NOTE:

Internet Explorer is not supported.

The following table provides information on compatibility of the switches found in this release note with network management software:

Management software     Supported version(s)
Airwave                 8.2.6
Network Automation      10.10, 10.11, 10.20, 10.21, 10.30, 10.40
Network Node Manager i  10.10, 10.20, 10.21, 10.30, 10.40
IMC                     7.3 (E0506P05)

NOTE:

For more information, see the respective software manuals.

Minimum supported software versions

NOTE:

If your switch or module is not listed in the table below, it runs on all versions of the software.

Product number Product name Minimum software version
JL579A Aruba 8320 32p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle 10.00.0008
JL581A Aruba 8320 48p 1G/10GBASE-T and 6p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle 10.00.0013
Q9G82A Aruba 40G QSFP+ LC ER4 40km SMF XCVR 10.00.0018

Enhancements

This section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

Version 10.00.0019

No enhancements were included in version 10.00.0019.

Version 10.00.0018

Transceivers

Support for the Aruba 40G QSFP+ LC ER4 40km SMF XCVR (Q9G82A) transceiver has been added.

Version 10.00.0017

Version 10.00.0017 was never released.

Version 10.00.0016

No enhancements were included in version 10.00.0016.

Version 10.00.0015

No enhancements were included in version 10.00.0015.

Version 10.00.0014

No enhancements were included in version 10.00.0014.

Version 10.00.0013

Hardware support

Support for the Aruba 8320 48p 1G/10GBASE-T and 6p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle (JL581A) has been added.

PVST convergence

Added support for Access Port-type to send STP IEEE BPDUs to achieve PVST convergence.

PVST interoperability

Added support for interoperability with Cisco PVST.

Version 10.00.0012

No enhancements were included in version 10.00.0012.

Version 10.00.0011

Version 10.00.0011 was never released.

Version 10.00.0010

No enhancements were included in version 10.00.0010.

Version 10.00.0009

Version 10.00.0009 was never built.

Version 10.00.0008

Hardware support

Support for the Aruba 8320 32p 40G QSFP+ with X472 5 Fans 2 Power Supply Switch Bundle (JL579A) has been added.

Version 10.00.0007

VLAN names

Support was added for the space character to be used in VLAN naming.

Web UI and REST certificates

Added Web UI and REST certificates hashed with SHA256 and RSA2048.

Version 10.00.0006

Checkpoint configuration management

Makes it easy to manage and roll back configurations, including automatic rollback in case of network failure. The built-in database acts as a network record, enabling support for multiple configuration checkpoints and the ability to roll back to a previous configuration checkpoint.

Aruba Network Analytics Engine: AI for Networking

The Aruba Network Analytics Engine is a first-of-a-kind built-in framework for network assurance and remediation. Combining the full automation and deep visibility capabilities of the ArubaOS-CX operating system, this unique framework allows monitoring, troubleshooting, and network data collection through simple scripting agents.

ArubaOS-CX REST API

Switches running the ArubaOS-CX software are fully programmable with a REST (Representational State Transfer) API, allowing easy integration with other devices both on premises and in the cloud. This programmability, combined with the Aruba Network Analytics Engine, accelerates a network administrator's understanding of, and response to, network issues. The ArubaOS-CX REST API enables programmatic access to the ArubaOS-CX database at the heart of the switch. Because everything in the switch is modeled in a structured way and is programmable, the switch can be highly automated. Because the model is structured, changes to the content and formatting of the CLI output do not affect the programs you write.

VLAN configuration display on trunk interface

Support was added to display VLAN configurations on a trunk interface. To display the configuration, use the show interface trunk command. For example:

switch# show interface trunk
----------------------------------------------------------------------
Port    Native VLAN   Trunk VLANs                                       
----------------------------------------------------------------------
1/1/17  None          10,20,30,40
1/1/19  20            20,30

VLAN custom description

Added support for a VLAN description string. To create a VLAN description string, in the VLAN context use the command description <string>. For example:

switch(vlan10)# description my custom VLAN description

Other software features

Other software features found in this release include the following:

Category               Features

Layer 2                IEEE 802.3
                       Long frame (1518 to 1536 bytes)
                       Jumbo frame (1536 to 9216 bytes)
                       VLAN
                       IEEE 802.1Q
                       IEEE 802.1p
                       RSTP (802.1w)
                       MSTP (802.1s)
                       LACP (802.3ad)
                       Mirroring
                       RPVST+
                       Loop Protect
                       LLDP
                       MVRP

Layer 3                ARP
                       IP datagram forwarding
                       IP options
                       TCP (RFC 793)
                       UDP (RFC 768)
                       ICMP
                       IPv6 ND
                       IPv6 FIB
                       Layer 3 routing interface
                       VRF Lite

Routing                IPv4 routing:
                         • Static route
                         • OSPF
                         • BGP
                       IPv6 routing:
                         • IPv6 static route
                         • OSPFv3

Multicast              IGMP snooping
                       IGMP v2/v3
                       PIM-SM

ACL & QoS              Remarking 802.1p, DSCP, IP precedence, and local precedence by ACL rule
                       Mapping 802.1p, DSCP, IP precedence, or local precedence to output queue
                       Strict Priority
                       Basic ACL
                       Advanced ACL
                       Rate limiting
                       Deficit Weighted Round Robin (DWRR)
                       Port priority

Management             SNMP v2/v3
                       Public MIBs
                       Private (Enterprise) MIBs
                       Syslog/Debug
                       Airwave
                       IMC
                       CLI
                       Dual-image
                       Console login
                       SSH login
                       Web UI
                       sFlow
                       Control Plane Policing

Application protocols  Ping
                       DNS client
                       DHCP client
                       DHCP relay
                       TFTP client
                       SFTP client
                       NTP client

High Availability      VRRP
                       MCLAG

Security               RADIUS
                       TACACS+

Fixes

This section lists released builds that include fixes found in this branch of the software. Software fixes are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all fixes added in earlier versions.

The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue for customers who decide not to update to this version of software.

NOTE:

The number that precedes the fix description is used for tracking purposes.

Version 10.00.0019

CPU Utilization

CR_35960

Symptom: The switch reports incorrect CPU utilization in the output of the show system command.

Scenario: In certain conditions, the switch may fail to update the true CPU utilization information in the output of the show system command and keep reporting the last recorded value.

Workaround: Change the polling interval of the system resources utilization using the system resource-utilization poll-interval command to get it out of the stuck state.

The default value for poll-interval is 10, so change it to some other value and then revert it to 10. For example:

switch(config)# system resource-utilization poll-interval 15
switch(config)# system resource-utilization poll-interval 10

Version 10.00.0018

MCLAG

CR_30910

Symptom: VLAN interfaces are always up, even when they are not active on any physical port.

Scenario: In a split-brain condition, the VLAN interfaces are not brought down when all the ports associated with them are also down.

Version 10.00.0017

Version 10.00.0017 was never released.

Version 10.00.0016

MCLAG

CR_32753

Symptom: The gateway IP address randomly becomes unreachable.

Scenario: In an Active-Gateway setup, the gateway IP address may randomly become unreachable.

Workaround: Disable the ISL link between the switches, then remove and re-add the active-gateway configuration.

Version 10.00.0015

CPU Utilization

CR_28803

Symptom/Scenario: The switch experiences CPU utilization spikes in a relatively steady environment.

Workaround: These CPU utilization spikes are transient.

DHCP Relay

CR_32077

Symptom: The switch experiences intermittent DHCP forwarding failures.

Scenario: The switch incorrectly sets source port 68 for DHCP Relay packets.

Event Log

CR_31967

Symptom: The switch event log is incorrectly classified as WARN.

Scenario: The switch incorrectly classifies the debug event log "A transaction has failed with error code 5" as a warning (WARN) event.

Workaround: Disregard the WARN classification, as this is really a DEBUG message.

LEDs

CR_31773

Symptom: Port LED shows an incorrect link status.

Scenario: When a 1G port is connected and negotiates a link with a peer device, the port status LED is amber instead of green.

Workaround: Use the show interface command to verify port link status.

CR_31779

Symptom: Port LED shows incorrect activity status for some of the 1G ports.

Scenario: When there is network activity on the 1G port, the port activity LED does not indicate the correct state. When the cable is removed while traffic is running through the port, the activity LED shows an inconsistent state.

Workaround: There is no functional impact on traffic.

Spanning Tree

CR_32336

Symptom: In certain cases, spanning tree fails to converge.

Scenario: When an interface participating in the spanning tree is changed from L2 to L3 and back to L2 interface, spanning tree may fail to converge.

Workaround: Disable and re-enable spanning tree whenever converting an L2 interface to an L3 interface.

Transceivers

CR_29206

Symptom: Switch interface remains stuck in "Waiting for link" state.

Scenario: When using 1G optical transceivers with SX and LX technologies, after a switch reboot or port state toggle, the switch interface may get stuck in "Waiting for link" status:

State information: Waiting for link

Workaround: Remove and re-insert the optical cable or disable and re-enable the interface:

interface <port-list>
  shutdown
  no shutdown

Version 10.00.0014

MCLAG

CR_31769

Symptom: The switch crashes and reboots when configuring MC-LAG.

Scenario: When adding a switch port to a multi-chassis interface, after removing the same port from the inter-switch-link (ISL) interface, the switch may crash and reboot.

Workaround: Add another port to the ISL interface before configuring the previous port to a multi-chassis interface.

CR_31957

Symptom: The switch event logs show frequent additions and deletions of L3 host entries.

Scenario: When a mac-address move notification is received from the peer MC-LAG, the ArubaOS-CX switch may trigger frequent additions and deletions of the L3 host, such as:
|ops-switchd|1710|LOG_INFO|AMM|-|Deleted L3 host entry for ip 10.121.2.20
|ops-switchd|1708|LOG_INFO|AMM|-|Added L3 host entry for ip 10.121.2.20
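
A way to spot the CR_31957 pattern in collected logs, added here as an example and not taken from HPE code: it counts Added/Deleted L3 host events per IP address inside a sliding window. The leading timestamp, the window and threshold values, and the sample lines are assumptions constructed for illustration; only the message text comes from the release note.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text as quoted in CR_31957. The leading ISO timestamp is an
# assumption: the release note shows the lines without their prefix.
EVENT = re.compile(
    r"^(?P<ts>\S+)\s+.*?\|ops-switchd\|\d+\|LOG_INFO\|AMM\|-\|"
    r"(?P<op>Added|Deleted) L3 host entry for ip (?P<ip>\S+)\s*$"
)


def find_flapping(lines, window=timedelta(seconds=60), threshold=4):
    """Return {ip: peak event count} for hosts whose L3 entry was added or
    deleted at least `threshold` times inside any `window`.

    Lines are expected in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue              # unrelated event
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue              # prefix is not a timestamp we understand
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop events that fell out of the window
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


# Constructed sample: 10.121.2.20 flaps six times in under 30 seconds, while
# 10.121.2.31 is learned once and aged out ten minutes later (normal churn).
SAMPLE = """\
2018-04-02T10:00:01 |ops-switchd|1710|LOG_INFO|AMM|-|Deleted L3 host entry for ip 10.121.2.20
2018-04-02T10:00:03 |ops-switchd|1708|LOG_INFO|AMM|-|Added L3 host entry for ip 10.121.2.20
2018-04-02T10:00:09 |ops-switchd|1708|LOG_INFO|AMM|-|Added L3 host entry for ip 10.121.2.31
2018-04-02T10:00:11 |ops-switchd|1710|LOG_INFO|AMM|-|Deleted L3 host entry for ip 10.121.2.20
2018-04-02T10:00:14 |ops-switchd|1708|LOG_INFO|AMM|-|Added L3 host entry for ip 10.121.2.20
2018-04-02T10:00:22 |ops-switchd|1710|LOG_INFO|AMM|-|Deleted L3 host entry for ip 10.121.2.20
2018-04-02T10:00:25 |ops-switchd|1708|LOG_INFO|AMM|-|Added L3 host entry for ip 10.121.2.20
2018-04-02T10:10:40 |ops-switchd|1710|LOG_INFO|AMM|-|Deleted L3 host entry for ip 10.121.2.31
2018-04-02T10:10:41 some unrelated event text
""".splitlines()

if __name__ == "__main__":
    for ip, count in find_flapping(SAMPLE).items():
        print(f"{ip}: {count} add/delete events within 60 s")
```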

Spanning Tree

CR_31376

Symptom: The network experiences spanning-tree instability issues.

Scenario: In a mixed spanning-tree topology with an ArubaOS-CX switch running RPVST on VLAN 1 and interoperating with a peer device running RSTP or RPVST, the spanning-tree may experience instability issues and frequent topology changes (TCN).

Workaround: Disable and re-enable the extended system-id on the ArubaOS-CX switch.

Version 10.00.0013

Event Log

CR_30649

Symptom: The switch event log reports a crash for the 'rsyslogd' process.

Scenario: In certain conditions, the switch may report a crash of the "rsyslogd" process in the event logs, in a message similar to:

rsyslogd crashed due to signal:6

Workaround: The process will automatically restart after the crash and generate a core dump file listed in the show core-dump all command.

Jumbo Frames

CR_30683

Symptom: Switch fails to process some jumbo packets.

Scenario: Packets with a size greater than 9166 are not processed by the switch.

Workaround: Configure the switch MTU size to less than 9166.

Multicast

CR_22901

Symptom/Scenario: When deleting an interface with a PIM-RP configuration, the RP-Candidate configuration remains.

Workaround: Remove the RP configuration prior to deleting the interface.

CR_31167

Symptom: The switch enters a hung state and fails to reboot or fail over to the second management module (if running on a chassis switch with dual management modules).

Scenario: When multiple IGMP reports for well-known multicast group addresses are received, over time the switch may enter a hung state and fail to reboot or fail over to the second management module (if running on a chassis switch with dual management modules).

Workaround: Monitor switch memory utilization and if it is observed to increase over time, manually reboot the entire switch or switch over to the second management module to prevent entering the hung state. If the switch is already in a hung state, reboot the switch to clear the hung state.

Routing

CR_30663

Symptom: The switch fails to fall back to an alternate route.

Scenario: When using the default static route and specific static routes, the switch fails to fall back to an alternate route if the primary path is disabled.

Workaround: Disable and re-enable the default route.

SNMP

CR_31123

Symptom: The SNMP process randomly crashes.

Scenario: When there are simultaneous SNMP queries processed by the switch, such as SNMP walks and show tech collection, the SNMP process may crash and generate a core file listed in the show core-dump all command.

Workaround: The SNMP process will restart immediately after the crash.

Spanning Tree

CR_30621

Symptom: Spanning tree enters an inconsistent state.

Scenario: After a switch reboot, the switch interfaces participating in the spanning tree path may be incorrectly initialized causing the spanning tree topology to enter into an inconsistent state and potentially cause network loops.

Workaround: Disable and re-enable spanning tree from the CLI, forcing a complete spanning tree reconvergence:
switch(config)# no spanning-tree
switch(config)# spanning-tree

Version 10.00.0012

ACLs

CR_28709

Symptom: The switch is not able to apply certain ACLs.

Scenario: When an ACL is configured with VLAN rules (for example, "permit any any any vlan 40"), the switch does not apply the ACL and returns an error message similar to:

configuration does not match active configuration.
run 'access-list all reset' to reset all access-lists to match active configuration.

Workaround: Remove the ACL rule for VLAN. Note that packets will not be filtered on VLAN tags.

DHCP Relay

CR_29443

Symptom: The DHCP-relay debug message displays with an incorrect severity level.

Scenario: The DHCP-relay debug message for a discarded packet received on an interface with no IP address assigned is incorrectly classified as an error message. For example:
hpe-relay[1555]: debug|LOG_ERR|AMM|1/5|DHCPRELAY|DHCPRELAY|Packet discarded on interface ABDC as Interface IP address is 0.

Workaround: This is a debug message indicating the valid reason for the packet discard.

LEDs

CR_29982

Symptom: Switch LEDs incorrectly report the associated event or component state.

Scenario: Incorrect LED states occur
  • after a switch is initialized following a boot. The global status LED on the front panel is lit solid-amber instead of solid-green.

  • when a switch component fails. The global status LED on the front panel does not display as slow-flashing-amber simultaneously with the failing component LED, such as transceiver, power supply, and fan.

  • when a power supply fault is detected. The power supply LED on the front panel shows solid-amber instead of slow-flashing-amber.

Workaround: Use the show environment fan | led | power-supply | temperature command for more details on the operation status of the respective component. The switch component alerts are also reported in the output of the show events command.

MCLAG

CR_30430

Symptom: The switch experiences traffic loss on non-ECMP next-hop routes.

Scenario: After one of the MCLAG nodes is rebooted, the switch may fail to redirect non-ECMP next-hop routes over the MCLAG and the switch may experience traffic loss on these links.

Workaround: Disable the affected non-ECMP links or reboot both MCLAG switches to clear the state.

TACACS

CR_30213

Symptom: The SSH daemon crashes with an error similar to signal - 11.

Scenario: When TACACS authentication is configured without group access and the "priv-lvl" TACACS+ attribute is configured with upper case, the SSH daemon may crash upon login with a TACACS authenticated account. For example:

aaa authentication login default tacacs local

service = exec {
        PRIV-LVL = 15
}

Workaround: Use RADIUS authentication for switch SSH access or configure the "priv-lvl" TACACS+ attribute in lower case.

Version 10.00.0011

Version 10.00.0011 was never released.

Version 10.00.0010

No fixes were included in version 10.00.0010.

Version 10.00.0009

Version 10.00.0009 was never built.

Version 10.00.0008

DHCPv6

CR_29827

Symptom: Network clients are not able to obtain an IPv6 address from some DHCPv6 servers.

Scenario: When the switch is configured as a DHCPv6 relay agent, network clients may not be able to obtain an IPv6 address from some DHCPv6 servers.

Workaround: Do not allow the DHCP server to use the UDP source port from the packet forwarded by the agent.

LAG

CR_27723

Symptom: The switch interface displays a lacp-block state.

Scenario: When using a 1000SX transceiver in an LAG interface, the switch interface may get stuck in lacp-block status in the output of the CLI command show lacp interfaces after a switch reboot. For example:

Actor details of all interfaces:
------------------------------------------------------------------------------
Intf   Aggr   Port    Port   State   System-id         System  Aggr Forwarding
       Name   Id      Pri                              Pri     Key  State     
------------------------------------------------------------------------------
1/1/1  lag1(mc)1029    1     ALFNCD  98:f2:b3:68:01:30 65534   1    up        
1/1/2  lag2(mc)1037    1     ALFOE   98:f2:b3:68:01:30 65534   2    lacp-block
1/1/3  lag3(mc)1012    1     ALFNCD  98:f2:b3:68:01:30 65534   3    up

Workaround: On the peer side where this issue is seen, turn the interface off and then on.

SNMP

CR_29892

Symptom/Scenario: When running multiple and repetitive SNMP queries, the switch memory utilization may increase over time.

Workaround: If switch memory utilization is observed to increase over time, disable the SNMP agent on the switch using the no snmp-service vrf mgmt | default command and then re-enable the agent using the snmp-service vrf mgmt | default command.

Spanning Tree

CR_29754

Symptom: The switch incorrectly places ports in "blocking" state.

Scenario: In an MSTP configuration, if an event (such as disabling or disconnecting a port) is causing a topology change, switch ports may be incorrectly placed in "blocking" state, potentially causing two switches to become root and preventing the spanning-tree topology from properly converging. When this condition happens, the received and sent BPDU counters do not match in the output of the show spanning-tree detail command.

Workaround: Rebooting the switch will clear the incorrect port status and allow the spanning tree topology to properly converge.

Transceivers

CR_27891

Symptom: A link fails to come up.

Scenario: After a hot-swap of one type of 40G transceiver with a different type (for example, DAC with Optical), the switch link may fail to come up.

Workaround: Remove the transceiver and wait at least 15-20 seconds before re-inserting it.

CR_29072

Symptom: The switch is not able to identify 40G transceiver JH231A with part number 1990-4554.

Scenario: When 40G transceiver JH231A with part number 1990-4554 is inserted in the switch port, the transceiver is not properly identified in the output of the show interface transceiver or show interface brief commands and the interface is not linked up.

1/1/32    unknown     ??        ??              ??

Workaround: Use a transceiver with part number 1990-4557 instead of 1990-4554.

Version 10.00.0007

ARP

CR_28891

Symptom: In certain conditions, the switch experiences traffic loss.

Scenario: In a switch configured in an MCLAG topology with VRRP, when there is a MAC or ARP aging event or when the events are cleared using the clear mac-address [ port | vlan ] <PORTNAME | VLAN-ID> or clear arp commands, the switch may experience traffic drops.

Workaround: Reboot the switch.

BGP

CR_22531

Symptom: Unable to remove the password for a BGP neighbor.

Scenario: When attempting to remove the BGP neighbor password using the no neighbor <ip-address> password <password-string> command, the configured password is not removed.

Workaround: Remove the <password-string> from the command, using just no neighbor <ip-address> password.

CR_22993

Symptom: A route that should be denied per the AS path filter list is being permitted.

Scenario: A denied route in the AS path list is selected as best route in the BGP table when the routemap has a permit rule.

Workaround: Add a deny rule to the route map to filter out the route.

Classifier

CR_28867

Symptom: The switch does not properly honor the configured "established" flag on TCP matching criteria.

Scenario: The switch incorrectly applies the "established" flag to TCP synchronizing (SYN) packets matching the criteria.

Workaround: Do not use the established flag in TCP matching criteria.
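
A reference check for the behaviour in CR_28867, added here as an example and not taken from HPE code: it compares verdicts recorded in a lab test against the expected result of a first-match ACL. It assumes the conventional stateless meaning of "established" (ACK or RST set, so a bare SYN never matches); the rule set, helper names and observations are constructed for illustration.

```python
import struct

# TCP flag bits as laid out in RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six RFC 793 flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    offset_flags = struct.unpack_from("!H", segment, 12)[0]
    data_offset = offset_flags >> 12
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("invalid TCP data offset")
    return offset_flags & 0x3F


def matches_established(flags: int) -> bool:
    """Assumed semantics: the segment belongs to an existing connection
    when ACK or RST is set. A bare SYN has neither."""
    return bool(flags & (ACK | RST))


def expected_action(rules, flags: int) -> str:
    """First-match evaluation of (action, require_established) rules,
    ending in the implicit deny."""
    for action, require_established in rules:
        if require_established and not matches_established(flags):
            continue
        return action
    return "deny"


def build_header(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 20-byte TCP header used as test input (checksum zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                       (5 << 12) | flags, 65535, 0, 0)


def audit(rules, observations):
    """Return (label, expected, observed) for each verdict that differs
    from the reference evaluation."""
    mismatches = []
    for label, header, observed in observations:
        expected = expected_action(rules, tcp_flags(header))
        if expected != observed:
            mismatches.append((label, expected, observed))
    return mismatches


# One rule requiring "established", followed by the implicit deny.
RULES = [("permit", True)]

# Constructed observations (not from the release note): the probe segment
# sent in the lab and the verdict recorded on the device under test.
OBSERVATIONS = [
    ("bare SYN", build_header(SYN), "permit"),
    ("SYN+ACK", build_header(SYN | ACK), "permit"),
    ("ACK data", build_header(ACK | PSH), "permit"),
    ("RST", build_header(RST), "permit"),
]

if __name__ == "__main__":
    for label, expected, observed in audit(RULES, OBSERVATIONS):
        print(f"{label}: expected {expected}, device reported {observed}")
```

Any row returned by audit() means the device's handling of the established match differs from the reference, which is the condition to re-test after upgrading.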

VLAN

CR_28993

Symptom/Scenario: The switch fails to display the active-gateway configuration in the output of the show running-config interface <IFNAME> command.

Workaround: Use the show running-config command to display the active-gateway configuration for the VLAN interfaces.

Issues and workarounds

The following are known open issues with this branch of the software.

The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue.

ARP

CR_25306

Symptom: IPv6 neighbor entry is updated with the wrong VLAN.

Scenario: When multiple parallel L3 links exist between the same physical neighbors, the IPv6 neighbor entry is updated with the wrong VLAN.

Workaround: Use L2 LAGs with SVI or L3 LAGs between the same physical neighbors.

CR_25334

Symptom: Total number of neighbors is greater than the configured cache limit.

Scenario: Neighbor addition to the ARP table is not guaranteed when the total number of neighbors is greater than the configured cache limit.

Workaround: Limit the total number of neighbors to be within the configured cache limit of 128K.

Jumbo Frames

CR_25546

Symptom: Traffic larger than configured MTU is dropped.

Scenario: When packet size is bigger than the configured egress interface MTU, packets are not fragmented and thus dropped.

Workaround: Configure the MTU on the egress interface such that fragmentation will not occur.

L3 Addressing

CR_12008

Symptom/Scenario: The switch does not send out RA Packets with lifetime=0 values before rebooting.

Workaround: Do one of the following:
  1. Configure minimum values for lifetime and advertisement intervals.

  2. Have multiple gateway routers and enable IPv6 Neighbor Unreachability Detection (NUD) on hosts.

CR_23936

Symptom: IPv6 RA is not advertised by the device.

Scenario: IPv6 RA is not advertised when configuring more than 120 VLANs with 8 IPv6 prefixes assigned to each VLAN.

Workaround: Limit the number of IPv6 RA-enabled VLANs to below 120.

LAG

CR_24779

Symptom: LAG assignments across multiple VRFs are impacted following configuration replay from a saved checkpoint with port-vrf assignment configurations.

Scenario: LAG assignments across multiple VRFs are retained even though the VRFs were deleted and the startup configuration was copied to the running configuration.

Workaround: Reboot the switch after the configuration from a checkpoint has been restored.

Multicast

CR_23498

Symptom/Scenario: Configuring a default static route for all subnets causes multicast traffic loss.

Workaround: Configure a static route for each subnet. Alternatively, use OSPF/BGP for unicast routing.

NAE

CR_24268

Symptom: Network Analytics Engine (NAE) Agents report missing or inaccurate data.

Scenario: When the client and switch UTC times are mismatched, NAE reports missing or inaccurate data.

Workaround: Make sure the client and the switch translate to the same UTC time.

OSPF

CR_08491

Symptom/Scenario: OSPFv2 and OSPFv3 do not support detailed LSA show commands.

Workaround: Use the diag command instead.

Transceivers

CR_27112

Symptom: The switch does not properly indicate the presence of a bad or unsupported transceiver.

Scenario: When a bad or unsupported transceiver is present in the switch, the switch does not trigger a blinking amber LED and it does not generate the error message indicating the faulty or unsupported transceiver.

Workaround: The link status is down when there is a bad or unsupported transceiver. Use the show interface brief command to confirm the interface is not available. Replace the bad or unsupported transceiver.

VRRP

CR_24910

Symptom: Unable to configure the same IPv6 link-local address as the primary virtual IP address under different VRFs.

Scenario: Unique virtual link local addresses have to be configured for all VRRP IPv6 instances irrespective of VRF.

Workaround: Do not use the same virtual link local address across different VRFs.

Feature caveats

Feature                                  Description
IGMP Snooping and MCLAG                  IGMP Snooping and MCLAG are mutually exclusive within a VLAN.
MVRP and MCLAG                           MVRP is mutually exclusive with MCLAG.
MCLAG and STP (RPVST+ or MSTP)           Spanning Tree (RPVST+ and MSTP) is mutually exclusive with MCLAG.
RPVST+ and MSTP                          Spanning Tree can only run in MSTP or RPVST+ mode.
RPVST+ and MVRP                          RPVST+ is mutually exclusive with MVRP.
VRRP and Proxy ARP                       VRRP is mutually exclusive with Proxy ARP on the same interface.
IGMP/PIM on Loopback and GRE interfaces  PIM and IGMP cannot be enabled on Loopback and GRE interfaces.
Supportability                           Syslog server configuration is supported on the default VRF for access over data ports.
Counters                                 Layer 3 Route-only port counters are not enabled by default. Enabling them will reduce IPv4 route scale to 80K.
UDLD                                     For a UDLD-enabled interface to not lose traffic during a failover operation, the result of multiplying 'interval' and 'retries' should be at least 8 seconds. The default values are 7000 ms (interval) x 4 (retries) = 28 seconds.
Network Analytics Engine (NAE)           Agents monitoring a resource that has column type enum with a list of strings (as opposed to a single string enum) is not supported.
Network Analytics Engine (NAE)           The following tables are not supported for NAE scripts: OSPF_Route, OSPF_LSA, OSPF_Neighbor, BGP_Route.
Network Analytics Engine (NAE)           Network Analytics Engine (NAE) agents execute Command Line Interface (CLI) actions as 'admin' user, so they have permission to run any command by default. However, when the authentication, authorization and accounting (AAA) feature is enabled, the same restrictions applied to 'admin' will also apply to NAE agents. Keep that in mind when configuring the AAA service, e.g. TACACS+, and make sure to give admin user permission to run all commands needed by enabled agents. Otherwise, some CLI commands may be denied and their outputs won't be available. Actions other than CLI won't be affected and will execute normally. Also, NAE agents won't authenticate, thus the AAA service configuration must not block authorization for unauthenticated 'admin' user. ClearPass doesn't support such configuration, so it cannot be used as a TACACS+ server.
Classifiers                              IPv4 egress ACLs can be applied only to route-only ports.
Classifiers                              Classifier policies, IPv6 and MAC ACLs are not supported on egress.
Classifiers                              DSCP remarking is performed only on routed packets.
Classifiers                              For security ACLs, HPE strongly encourages modifications be done as a two-step process: Bring down the port and then modify.
Classifiers                              Policies containing both MAC and IPv6 classes are not allowed.
Classifiers                              Egress ACL logging is not supported.
REST                                     REST supports the 'admin' and 'operator' roles but does not work with TACACS+ command authorization.
REST                                     With the exception of ACLs and VLANs, REST APIs using POST/PUT/DELETE are not validated before performing the function. Therefore, to avoid unintended results or side effects, HPE recommends testing the API write action first.

Upgrade information

Version 10.00.0019 uses ServiceOS TL.01.01.0004.

IMPORTANT:

Do not interrupt power to the switch during this important update.

File transfer methods

The switches support several methods for transferring files to and from a physically connected device or via the network, including TFTP, SFTP, and USB. This section explains how to download and run new switch software.

Enabling the management port

You must be in the config context to enable the management port. If you have reset your switch to factory defaults, enter the config context and then execute the following commands to enable the management port.

Prerequisites

The management port is connected and configured to use DHCP for obtaining the IP address. Both TFTP and SFTP use the management port to download the image onto the switch.

Procedure
  1. Enter the interface mgmt command.
    switch(config)# interface mgmt
  2. Enter the ip dhcp command.
    switch(config-if-mgmt)# ip dhcp
  3. Enter the no shutdown command.
    switch(config-if-mgmt)# no shutdown
  4. Exit the interface mgmt context.
    switch(config-if-mgmt)# exit

File transfer setup

TFTP

Before using TFTP to transfer the software to the switch, make sure:

  • A software version for the switch has been stored on a TFTP server accessible to the switch via management port. (The software file is typically available from the Switch Networking website at http://www.hpe.com/networking/support.)

  • The switch is properly connected to your network via the management port and has already been configured with a compatible IP address and subnet mask.

  • The TFTP server is accessible to the switch via IP. Before you proceed, complete the following:
    • Obtain the IP address of the TFTP server in which the software file has been stored.

    • Determine the name of the software file stored in the TFTP server for the switch (for example, ArubaOS-CX_8320_10_01_0001.swi).

NOTE:

If your TFTP server is a UNIX workstation, ensure that the case (upper or lower) that you specify for the filename is the same case as the characters in the software filenames on the server.

SFTP

In some situations you may want to use a secure method to issue commands or copy files to the switch. By opening a secure, encrypted SSH session and enabling IP SSH file transfer, you can use a third-party software application to take advantage of SFTP. SFTP provides a secure alternative to TFTP for transferring information that may be sensitive (such as switch configuration files) to and from the switch. Essentially, you are creating a secure SSH tunnel through which files are transferred over SFTP channels.

Before using SFTP to transfer the software to the switch, make sure:

  • A software version for the switch has been stored on a computer accessible to the switch via management port. (The software file is typically available from the Switch Networking website at http://www.hpe.com/networking/support.)

  • The switch is properly connected to your network via the management port and has already been configured with a compatible IP address and subnet mask.

  • The computer containing the software image is accessible to the switch via IP. Before you proceed, complete the following:
    • Obtain the IP address of the computer on which the software file has been stored.

    • Determine the name of the software file stored on the computer for the switch (for example, ArubaOS-CX_8320_10_01_0001.swi).

  • Establish a secure encrypted tunnel between the switch and the computer containing the software update file (for more information, see the Fundamentals Guide for your switch).

    NOTE:

    This is a one-time procedure. If you have already set up a secure tunnel, you can skip this step.

  • Enable secure file transfer using the ssh server vrf <VRF-name> command (for more information, see the Command-Line Interface Guide for your switch).

    switch(config)# ssh server vrf mgmt

USB

Before using USB to transfer the software to the switch, make sure to:

  • Store a software version on a USB flash drive.

  • Insert the USB device into the switch's USB port.

  • Determine the name of the software file stored on the USB flash drive.

  • Enable USB on the switch:

    switch(config)# usb 
    switch(config)# do usb mount
    switch(config)# do show usb
    Enabled: Yes
    Mounted: Yes

Copying the software and rebooting the switch

Procedure
  1. Copy the software to the secondary flash on the switch using the copy <remote-URL> {primary | secondary} [vrf <VRF-name>] command (for more information, see the Command-Line Interface Guide for your switch).
    • For TFTP:

      switch# copy tftp://10.0.9.50/ArubaOS-CX_8320_10.01.0001.swi secondary vrf mgmt
      The secondary image will be deleted.
      
      Continue (y/n)? y
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  258M    0  258M    0     0  1829k      0 --:--:--  0:02:24 --:--:-- 1910k
      100  258M    0  258M    0     0  1829k      0 --:--:--  0:02:24 --:--:-- 1829k
      
      Verifying and writing system firmware...
      Success
      
    • For SFTP:

      switch# copy sftp://jdoe@10.0.9.50/ArubaOS-CX_8320_10.01.0001.swi secondary vrf mgmt
      The secondary image will be deleted.
      
      Continue (y/n)? y
      djoe@10.0.9.50’s password: 
      Connected to 10.0.9.50.
      sftp> get ArubaOS-CX_8320_10.00.0005.swi ArubaOS-CX_8320_10.00.0005.swi.dnld
      Fetching /users/djoe/ArubaOS-CX_8320_10.00.0005.swi to ArubaOS-CX_8320_10.00.0005.swi.dnld
      /users/djoe/ArubaOS-CX_8320_10.00.0005.swi  100%  259MB  48.4MB/s   00:05    
      
      Verifying and writing system firmware...
      Success
      
    • For USB:

      switch# copy usb:/ArubaOS-CX_8320_10.01.0001.swi secondary
      The secondary image will be deleted.
      
      Continue (y/n)? y
      
      Verifying and writing system firmware...
      Success
      

    When the switch finishes downloading the software file, it displays this progress message:

    Verifying and writing system firmware…
  2. When the installation finishes, confirm the version and the file saved to disk are what was transferred. Do this using the show images command (for more information, see the Command-Line Interface Guide for your switch).
    switch# show images
    ---------------------------------------------------------------------------
    ArubaOS-CX Primary Image
    ---------------------------------------------------------------------------
    Version : TL.10.01.0001
    Size    : 271 MB
    Date    : 2017-11-20 19:12:29 PST
    SHA-256 : df1b9cb3ddb66ed6b637a35a2f51637fad63baab58dfd32057ceaf1a36c970e2
    
    ---------------------------------------------------------------------------
    ArubaOS-CX Secondary Image
    ---------------------------------------------------------------------------
    Version : TL.10.00.0005
    Size    : 271 MB
    Date    : 2017-11-20 19:12:29 PST
    SHA-256 : df1b9cb3ddb66ed6b637a35a2f51637fad63baab58dfd32057ceaf1a36c970e2
    
    Default Image : primary
    
    ------------------------------------------------------
    Management Module 1/1 (Active)
    ------------------------------------------------------
    Active Image       : primary
    Service OS Version : TL.01.02.0003
    BIOS Version       : TL-01-0006  
  3. You must reboot the switch to implement the newly downloaded software image using the boot system [primary | secondary | serviceos] command (for more information, see the Command-Line Interface Guide for your switch).
    switch# boot system
    Checking for updates needed to programmable devices...
    Done checking for updates.
    
    46 device(s) need to be updated during the boot process.
    The estimated update time is 28 minute(s).
    There may be multiple reboots during the update process.
    
    
    This will reboot the entire switch and render it unavailable
    until the process is complete.
    
    Continue (y/n)? y
    The system is going down for reboot.
  4. Upon successful reboot, execute the show system command and verify the correct firmware revision.
    switch# show system  
    Hostname           : switch                          
    System Description : My switch
    System Contact     : John Doe
    System Location    : ROS-R3-UPR-R10
    Vendor             : Aruba
    Product Name       : 8320
    Chassis Serial Nbr : xxxxxxxxxx
    Base MAC Address   : e0:07:1b:cb:41:3c
    ArubaOS-CX Version : TL.10.00.0005
    Time Zone          : UTC
    Up Time            : up 2 minutes
    CPU Util (%)       : 6
    Memory Usage (%)   : 5 
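
The check in step 2 can be scripted on the workstation that holds the image. The following is an added example, not HPE code: it parses show images output in the layout shown above and compares the reported Version and SHA-256 for one image slot with a digest computed from the local copy of the file. The function names and the sample data are constructed for illustration.

```python
import hashlib
import io
import re

SLOT_RE = re.compile(r"ArubaOS-CX (Primary|Secondary) Image")
FIELD_RE = re.compile(r"^\s*(Version|SHA-256)\s*:\s*(\S+)\s*$")

def sha256_stream(fileobj, chunk=1 << 20):
    """Hash the local image in chunks so a ~270 MB file is never held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def parse_show_images(text):
    """Map 'primary'/'secondary' to their Version and SHA-256 fields."""
    slots, current = {}, None
    for line in text.splitlines():
        slot = SLOT_RE.search(line)
        if slot:
            current = slots.setdefault(slot.group(1).lower(), {})
        elif current is not None and (field := FIELD_RE.match(line)):
            current[field.group(1)] = field.group(2)
    return slots

def verify_slot(show_text, slot, want_version, local_digest):
    """Return a list of mismatches; empty means the slot holds the intended image."""
    info = parse_show_images(show_text).get(slot)
    if not info:
        return [f"no {slot} image section found"]
    problems = []
    if info.get("Version") != want_version:
        problems.append(f"version {info.get('Version')} != {want_version}")
    if info.get("SHA-256", "").lower() != local_digest.lower():
        problems.append("SHA-256 differs from the local file")
    return problems

# Constructed sample (not from a real switch): stand-in image bytes and the
# `show images` text expected after copying that image to secondary.
SAMPLE_IMAGE = b"constructed stand-in for the .swi image bytes"
SAMPLE_DIGEST = sha256_stream(io.BytesIO(SAMPLE_IMAGE))
SAMPLE_OUTPUT = f"""\
ArubaOS-CX Primary Image
Version : TL.10.00.0005
SHA-256 : {'0' * 64}
ArubaOS-CX Secondary Image
Version : TL.10.01.0001
SHA-256 : {SAMPLE_DIGEST}
Default Image : primary
"""
```

In practice, pass a file opened with open(path, "rb") to sha256_stream and the captured show images text to verify_slot. A match confirms the switch stored the same bytes as the local copy; it says nothing about where the local copy came from.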

Hewlett Packard Enterprise security policy

A Security Bulletin is the first published notification of security vulnerabilities and is the only communication vehicle for security vulnerabilities.
  • Fixes for security vulnerabilities are not documented in manuals, release notes, or other forms of product documentation.

  • A Security Bulletin is released when all vulnerable products still in support life have publicly available images that contain the fix for the security vulnerability.

Finding Security Bulletins

Procedure
  1. Go to the HPE Support Center - Hewlett Packard Enterprise at www.hpe.com/support/hpesc.
  2. Enter your product name or number and click Go.
  3. Select your product from the list of results.
  4. Click the Top issues & solutions tab.
  5. Click the Advisories, bulletins & notices link.

Websites

Networking Websites

Hewlett Packard Enterprise Networking Information Library

www.hpe.com/networking/resourcefinder

Hewlett Packard Enterprise Networking Software

www.hpe.com/networking/software

Hewlett Packard Enterprise Networking website

www.hpe.com/info/networking

Hewlett Packard Enterprise My Networking website

www.hpe.com/networking/support

Hewlett Packard Enterprise My Networking Portal

www.hpe.com/networking/mynetworking

Hewlett Packard Enterprise Networking Warranty

www.hpe.com/networking/warranty

General websites

Hewlett Packard Enterprise Information Library

www.hpe.com/info/EIL

For additional websites, see Support and other resources.

Support and other resources

Accessing Hewlett Packard Enterprise Support

Information to collect

  • Technical support registration number (if applicable)

  • Product name, model or version, and serial number

  • Operating system name and version

  • Firmware version

  • Error messages

  • Product-specific reports and logs

  • Add-on products or components

  • Third-party products or components

Accessing updates

IMPORTANT:

Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HPE Passport set up with relevant entitlements.

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.

For more information about CSR, contact your local service provider or go to the CSR website:

http://www.hpe.com/support/selfrepair

Remote support

Remote support is available with supported devices as part of your warranty or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product's service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support.

If your product includes additional remote support details, use search to locate that information.

Remote support and Proactive Care information

HPE Get Connected
www.hpe.com/services/getconnected
HPE Proactive Care services
www.hpe.com/services/proactivecare
HPE Proactive Care service: Supported products list
www.hpe.com/services/proactivecaresupportedproducts
HPE Proactive Care advanced service: Supported products list
www.hpe.com/services/proactivecareadvancedsupportedproducts

Proactive Care customer information

Proactive Care central
www.hpe.com/services/proactivecarecentral
Proactive Care service activation
www.hpe.com/services/proactivecarecentralgetstarted

Regulatory information

To view the regulatory information for your product, view the Safety and Compliance Information for Server, Storage, Power, Networking, and Rack Products, available at the Hewlett Packard Enterprise Support Center:

www.hpe.com/support/Safety-Compliance-EnterpriseProducts

Additional regulatory information

Hewlett Packard Enterprise is committed to providing our customers with information about the chemical substances in our products as needed to comply with legal requirements such as REACH (Regulation EC No 1907/2006 of the European Parliament and the Council). A chemical information report for this product can be found at:

www.hpe.com/info/reach

For Hewlett Packard Enterprise product environmental and safety information and compliance data, including RoHS and REACH, see:

www.hpe.com/info/ecodata

For Hewlett Packard Enterprise environmental information, including company programs, product recycling, and energy efficiency, see:

www.hpe.com/info/environment

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.