145 Rio Robles
San Jose, CA 95134
+1 877-801-7082
Customer Release Notes
Matrix® DFE-Diamond, DFE-Platinum, NAC and N Standalone Series
Firmware Version 7.63.05.0002
September 2015
INTRODUCTION:
This document provides specific information for version 7.63.05.0002 of firmware for the Matrix Distributed
Forwarding Engine (DFE) Diamond, Platinum, and NAC modules, and for the Matrix N Standalone (NSA) Series
chassis. The DFE modules may be installed in the Matrix N7, Matrix N5, Matrix N3, Matrix N1, or the Matrix E7
chassis. This version of firmware supports the following DFE and NSA modules:
Diamond Modules
7GR4202-30 7GR4270-12 7GR4280-19 7KR4290-02
7KR4297-02 7KR4297-04
Platinum Modules
2G4082-25 7G4270-09 7G4285-49 7H4383-49
2G4072-52 7G4270-10 7H4202-72 7H4385-49
7G4202-30 7G4270-12 7H4203-72 7K4290-02
7G4202-60 7G4280-19 7H4284-49 7K4297-02
7G4205-72 7G4202-72 7H4382-25 7K4297-04
7G4282-49 7G4282-41 7H4382-49
Network Expansion Modules
7G-6MGBIC, 7G-6MGBIC-A/B 7S-DSNSA7-01 7S-NSTAG-01 7S-CUSTOM
7K-2XFP-6MGBIC 7S-DSNSA7-01NPS 7S-NSTAG-01NPS 7S-CUSTOM-NPS
NAC Modules
2S4082-25-NAC 7S4280-19-NAC
Extreme Networks recommends that you thoroughly review this document prior to
installing or upgrading this product.
For the latest firmware versions, visit: http://support.extremenetworks.com/
9/18/2015 P/N: 9038823-04 Subject to Change Without Notice Page: 1 of 117
F0615-O
DFE-Diamond/Platinum, NAC and N Standalone Customer Release Notes
PRODUCT FIRMWARE SUPPORT:
Status Firmware Version Product Type Release Date
Current Version 7.63.05.0002 Customer Release September 2015
Previous Version 7.63.04.0002 Customer Release May 2015
Previous Version 7.63.03.0001 Customer Release December 2014
Previous Version 7.63.02.0002 Customer Release November 2014
Previous Version 7.63.01.0006 Customer Release November 2014
Previous Version 7.62.10.0001 Customer Release July 2014
Previous Version 7.62.09.0001 Customer Release June 2014
Previous Version 7.62.08.0002 Customer Release May 2014
Previous Version 7.62.07.0002 Customer Release December 2013
Previous Version 7.62.06.0004 Customer Release August 2013
Previous Version 7.62.04.0002 Customer Release February 2013
Previous Version 7.62.03.0004 Customer Release December 2012
Previous Version 7.62.02.0004 Customer Release August 2012
Previous Version 7.62.01.0007 Customer Release March 2012
Previous Version 7.42.02.0002 Customer Release March 2012
Previous Version 7.41.03.0009 Customer Release February 2012
Previous Version 7.41.02.0014 Customer Release December 2011
Previous Version 7.31.04.0002 Customer Release October 2011
Previous Version 7.31.03.0010 Customer Release September 2011
Previous Version 7.21.03.0003 Customer Release September 2011
Previous Version 7.21.02.0002 Customer Release June 2011
Previous Version 7.21.01.0015 Customer Release February 2011
Previous Version 7.11.03.0001 Customer Release February 2011
Previous Version 7.11.02.0003 Customer Release January 2011
Previous Version 7.11.01.0025 Customer Release November 2010
HIGH AVAILABILITY UPGRADE (HAU) FW COMPATIBILITY:
This version is HAU compatible with future releases whose HAU compatibility key is:
‘fc5dd48c98b28adc6c6876528986191d093ad043’
(The HAU key is reported using the CLI command ‘dir images’).
HARDWARE COMPATIBILITY:
This version of firmware is supported on all hardware revisions.
BOOT PROM COMPATIBILITY:
This version of firmware is compatible with all boot prom versions.
INSTALLATION INFORMATION:
Important Upgrade Information for Upgrades to 7.XX Firmware:
It is critical that you read and understand the “Transitioning to Firmware v7.0” document before upgrading an
N‐Series platform from firmware release 6.01 or later to v7.11. Visit:
http://support.extremenetworks.com/
Minimum Memory Requirement
Release 7.11 requires that all N‐Series modules have a minimum of 256MB of memory installed. Use the show
system utilization storage command to determine the memory installed in each slot of your release 6.x system.
The amount of installed memory is specified in the output for each slot in the RAM information row.
show system utilization storage
Storage Utilization:
Slot: 1
Type Description Size (Kb) Available (Kb)
-------------------------------------------------------------------
RAM RAM device 1 262144 69130
(A 256 MB memory upgrade, part number: DFE-256MB-UGK is available from Extreme Networks.)
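A pre-upgrade check for the memory requirement above, as an added example that is not part of the original release notes: it parses captured output of the show system utilization storage command and lists the slots reporting less than 256 MB of RAM. It assumes the Size (Kb) value is the second-to-last field of each RAM row and that several RAM rows in one slot are summed; slots 2 and 3 in the sample are constructed.

```python
import re

# 256 MB minimum stated in the release notes, in Kb as reported by the CLI
MIN_RAM_KB = 256 * 1024

# Slot 1 copies the output shown in the release notes.
# Slots 2 and 3 are constructed for illustration: one undersized module and
# one slot whose RAM row is missing from the capture.
SAMPLE_OUTPUT = """\
Storage Utilization:
Slot: 1
Type Description Size (Kb) Available (Kb)
-------------------------------------------------------------------
RAM RAM device 1 262144 69130
Slot: 2
Type Description Size (Kb) Available (Kb)
-------------------------------------------------------------------
RAM RAM device 1 131072 40211
Slot: 3
Type Description Size (Kb) Available (Kb)
-------------------------------------------------------------------
"""

SLOT_RE = re.compile(r"^\s*Slot:\s*(\d+)\s*$")


def parse_ram_by_slot(output):
    """Return {slot: total RAM in Kb} from captured CLI output.

    A slot that appears without any RAM row is recorded with 0 Kb so that
    it is flagged for manual review instead of being silently skipped.
    """
    ram = {}
    slot = None
    for line in output.splitlines():
        match = SLOT_RE.match(line)
        if match:
            slot = int(match.group(1))
            ram.setdefault(slot, 0)
            continue
        fields = line.split()
        # Assumption: a RAM row starts with "RAM" and ends with two integer
        # columns, Size (Kb) then Available (Kb), as in the sample above.
        if (slot is not None and len(fields) >= 3 and fields[0] == "RAM"
                and fields[-2].isdigit() and fields[-1].isdigit()):
            ram[slot] += int(fields[-2])
    return ram


def slots_below_minimum(output, min_kb=MIN_RAM_KB):
    """Return sorted (slot, ram_kb) pairs that do not meet the minimum."""
    return sorted(
        (slot, kb) for slot, kb in parse_ram_by_slot(output).items()
        if kb < min_kb
    )


if __name__ == "__main__":
    failing = slots_below_minimum(SAMPLE_OUTPUT)
    if failing:
        for slot, kb in failing:
            print(f"Slot {slot}: {kb} Kb RAM reported, below {MIN_RAM_KB} Kb")
    else:
        print("All slots meet the 256 MB minimum")
```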
Minimum Firmware Release Requirement
Release 7.11 requires a minimum firmware release of 6.01 or later be installed on your N‐Series system before
upgrading to Release 7.11. If you need to upgrade to 6.01, see Extreme Networks Support Knowledgebase article
5040: How to Firmware Upgrade a Matrix N‐Series Switch for upgrade details, including links to other articles
pertaining to firmware upgrades. To view article 5040, go to: http://support.extremenetworks.com/, click the
Search Knowledgebase link, and then enter 5040 as the search criteria.
IMPORTANT: Possible Actions Required Prior to Upgrade
Default Interface Modification
If you have configured a management IP address (“set ip address”) and a router IP interface is configured for the
same VLAN as the host port, the router interface must be configured to proxy ARP. With “no ip proxy”
configured, the system does not respond to ARPs for the management IP address and the address is
unreachable.
Example Problem Configuration:
The management IP address is 100.1.1.1 and the host port VPID is configured to VLAN 200.
There is a router interface with IP address 100.1.1.2/24 also on VLAN 200 with the setting ‘no ip proxy’.
The strategy used to convert 6.x to 7.x configuration is intended to minimize any operational differences between
versions. Prior to the upgrade, several management applications running on the device used the management IP
address (100.1.1.1) as the source of the packets that were sent from those applications. When the system is
upgraded, this configuration is automatically converted such that 100.1.1.1/32 is configured on a loopback
interface. The user had changed the default setting on the router interface VLAN 200 to “no ip proxy”. This
prevents the system from responding to ARPs for 100.1.1.1, and therefore the address becomes unreachable
after the upgrade.
In this example, we recommend enabling proxy ARP on router interface VLAN 200 prior to upgrading.
RIP Configuration Loss:
Additional care is required when upgrading configurations with RIP. The “network” commands under “router rip”
are missing after the upgrade, making RIP non-operational on desired interfaces. This problem, discovered after
this firmware was released, will be resolved in a future revision of firmware. For additional details, see the “Known
Restrictions” section of this document.
Static LAG Behavior:
In N‐Series releases prior to 7.x, existing static LAGs became operational even when LACP was globally
disabled. In 7.x and later, globally disabling LACP prevents the processing of any other LACP configuration.
This change in static LAG behavior affects N‐Series installations upgrading from releases earlier
than 7.x, when static LAGs are configured and the global state of LACP has been disabled in the
switch configuration using the ‘set lacp disable’ command.
‘set port ratelimit’ Command Removed
For release 7.0 and later, the set port ratelimit command is deprecated. Inbound and outbound port rate limiting is
now only configurable within a QoS Class of Service (CoS) using the IRL (inbound rate limiter) and TxQ
(outbound rate shaper) or ORL (outbound rate limiter) resources.
If you currently have ‘set port ratelimit’ command configuration in your 6.x firmware, see the “Transitioning to
Firmware v7.0” document for conversion instructions before upgrading.
NOTE:
Prior to any firmware upgrade, save the existing working configuration of the system by using the ‘show config
outfile <filename>’ command. You can use this file if needed to revert back to the original firmware and
configuration.
Caution! Activating a saved configuration file can result in loss of password/secret data. Prior to using the
'configure' command, please review the possibilities and safeguards discussed in Knowledgebase Article 5335.
Installing a New DFE Module
When installing a new DFE type module to an existing system, the system’s operating firmware image needs to
be compatible with the new DFE. It is recommended that the system be upgraded prior to installing the new DFE.
If the system is not upgraded prior to the installation, the new DFE does not complete initialization and join the
rest of the chassis. It remains in a halted state until the running chassis is upgraded to a compatible firmware
version.
Minimum DFE Firmware Image Required:
Model Number FW Version Model Number FW Version Model Number FW Version
7H4382-25 3.11.04 7G4270-09 3.11.04 7GR4270-12 5.36.03
7H4382-49 1.07.19 7G4270-10 3.11.04 7GR4280-19 5.36.03
7H4383-49 2.00.13 7G4270-12 1.07.19 7GR4202-30 5.36.03
7H4284-49 3.00.33 7G4280-19 5.14.01 7KR4290-02 5.36.03
7H4385-49 4.21.16 7G4202-30 1.07.23 7KR4297-02 6.02.01.0006
7H4202-72 3.11.04 7G4282-41 3.11.04 7KR4297-04 6.02.01.0006
7H4203-72 2.00.13 7G4202-60 3.11.04
7G4285-49 5.26.04 7K4290-02 4.05.05
7G-6MGBIC-B 5.41.25 7G4282-49 5.27.01 7K4297-02 6.02.01.0006
7G-6MGBIC-A 4.05.07 7G4202-72 5.27.01 7K4297-04 6.02.01.0006
7G-6MGBIC 1.07.23 7G4205-72 5.26.04
2G4082-25 5.36.03
7S4280-19-NAC 6.02.03.0002
7K-2XFP-6MGBIC 5.41.25
2S4082-25-NAC 6.02.03.0002
Matrix N Standalone Series (NSA) Modules Minimum Firmware Image Required:
Model Number FW Version
2G4072-52 4.21.04
In addition, a minimum FW revision is required for each type of Matrix N-Series chassis. They are detailed below:
Model Number FW Version
6C107 1.07.19
7C107 1.07.19
7C103 1.07.19
7C105-P 4.21.16
7C111 5.13.04
System Behavior
The Matrix DFEs, when combined in a chassis, select a master module to control the overall management of the
system. All information that the master module controls is distributed to all modules in the chassis. In the event
that the master module is unable to continue the management task, another module automatically assumes
responsibility for answering management queries and distributing system information.
If a new DFE is inserted into the system, the new DFE inherits all system parameters and all firmware files stored
on each module in the system. Any firmware files stored on the new device, which are not common to the system,
are automatically removed. If the new DFE does not have a copy of the current system’s boot image, it is
automatically upgraded, and then the module re-initializes and joins the system.
NOTE: If the new DFE requires a newer firmware image than the image running in the chassis, the master
module MUST be upgraded to the newer firmware before inserting the new DFE. If the system is not upgraded
prior to the installation, the new DFE does not complete initialization and join the rest of the chassis. It remains in
a halted state until the running chassis is upgraded to a compatible firmware version.
The system treats the following conditions as if a new module has been installed:
• Module changes slots
• Network Interface Module is added to a module
• Network Interface Module is removed from a module
If a module needs to be replaced, it inherits all the configuration settings of the previous module as long as the
new module is an exact replacement of model number, slot number, and optional interface module (if one was
previously installed). Any configuration files that were stored in the file system of the newly inserted module are
not deleted and are available to reconfigure the system.
NAC User Capacities
All Diamond modules default to 256 authenticated users per port with a maximum value of 2,048 users per port.
This includes modules 2S4082-25-NAC and 7S4280-19-NAC. 802.3 LAG ports support 256 users by default with
a maximum of 2,048 users per port.
DFE-Diamond Multi-User Capacities
All Diamond modules default to 256 authenticated users per port with a maximum value of 1,024 users per port.
This includes modules 7GR4202-30, 7GR4270-12, 7GR4280-19, 7KR4290-02, 7KR4297-02, and 7KR4297-04.
802.3 LAG ports support 256 users by default with a maximum of 1,024 users per port.
DFE-Platinum Multi-User Capacities
Access modules, defined as fixed high density copper ports (10/100 or 10/100/1000), support up to 8
authenticated users per port. This includes modules 2G4082-25, 7G4282-41, 7G4282-49, 7G4202-60,
7G4202-72, 7G4285-49, 7G4205-72, 7H4202-72, 7H4203-72, 7H4382-25, 7H4382-49, 7H4383-49, and
7H4385-49.
Uplink modules, defined as modular SFP, 10 Gbps and 100 FX ports, support up to 128 authenticated users per
port. This includes modules 7K-2XFP-6MGBIC, 7G-6MGBIC-(A/B), 7G4202-30, 7G4270-12, 7G4280-19,
7H4284-49, 7K4290-02, 7K4297-02, and 7K4297-04. 802.3 LAG ports support 128 users.
The standalone device 2G4072-52, supports up to 8 authenticated users per port on the fixed 10/100/1000 ports
and 128 authenticated users on the MGBIC ports.
NOTE: By default, a module supports up to 1,024 authenticated users and the system (chassis) supports up to
1,024 authenticated users.
Multi-User Capacities Licensing
Two optional licenses that increase multi-user capacities are available.
The N-EOS-PPC license increases user port capacity from the default capacity, to the maximum allowable
system value. The N-EOS-PPC license is applied to a module and is required if default port user capacities are to
be exceeded. (The system value can be increased with the addition of the N-EOS-PUC. For more details, see
below.)
N-EOS-PPC - Port Capacities License
• Requires a license for each DFE module requiring additional user capacity
• Removes the per port restriction of 8 or 128 users per port for a specified module
• Increases the users per port to a maximum value of 1,024, with a default value of 256 users/port
• Increases the users per module up to maximum allowable system value
When present, the PPC license defaults the user capacity at 256 users per port. You can override this value using
the command ‘set multiauth port numusers’ and increase it to the maximum allowable by the system.
The N-EOS-PUC license increases the total number of users in a chassis to 2,048 users. The license can be
used in any multi-slot, N1 or 2G chassis.
N-EOS-PUC - Extra Chassis User Capacities License
• Adds users to the default 1,024 system capacity
• Increases the total number of users per chassis to 2,048 users
• Increases individual capacity, when present, not to exceed 2,048 users
When a module has both the N-EOS-PPC and the N-EOS-PUC licenses installed, the maximum port
user capacity can be increased to a maximum of 2,048 users/port, allowing the entire system capacity
to be consumed on a single port.
Summary: Authenticated Users Per Port
                      No PPC License    PPC License
No PUC License        8/128             1024
PUC License           8/128             2048
Port Mirroring
The Matrix device provides support for 16 mirroring destination ports in most chassis. DFE-Platinum modules in
the Matrix N1 chassis support 64 mirrors. The mirrors can be a mix of port, VLAN, and IDS. An IDS mirror
accounts for 8 destination ports (8 being the number of physical ports supported in an IDS mirror). One-to-many
(1-to-many) mirrors, where a VLAN or port can be mirrored to multiple destination ports, are supported. In
addition, many-to-one (many-to-1) mirrors, where multiple ports or VLANs can be mirrored to a single destination
port, are also supported. A many-to-1 or 1-to-many port or VLAN mirror counts as one destination port.
Example configurations for a DFE-Platinum in a Matrix N7 chassis:
− 16 port mirrors (any or all of which can be many-to-1 or 1-to-many)
− 16 VLAN mirrors (any or all of which can be many-to-1 or 1-to-many)
− 8 port and 8 VLAN mirrors (any or all of which can be many-to-1 or 1-to-many)
− 12 port and 4 VLAN mirrors (any or all of which can be many-to-1 or 1-to-many)
− 8 port and 1 IDS mirror (any or all of which can be many-to-1 or 1-to-many)
− 8 VLAN and 1 IDS mirror (any or all of which can be many-to-1 or 1-to-many)
− 4 port and 4 VLAN and 1 IDS mirror (any or all of which can be many-to-1 or 1-to-many)
Note that the examples above are provided to illustrate the number and types of mirrors we support, as well as
how they can be used concurrently. The mirror configurations are not limited to these examples.
The Port and VLAN mirror function does not mirror error frames.
Type of Service (ToS) Re-Write
The ability to re-write the ToS field is supported. This includes the ability to re-write the ToS byte based on policy
classification or inbound port rules in conjunction with the CoS Table.
Preservation of Quality of Service (QoS) through the router
• Routed frames may contain the original .1p priority or have the priority modified using Policy
Policy CoS
• Provide ToS rewrite, rate limiter and 16 TX queues selection controls
• Policy Manager includes performance enhancements to allow automated rate limiter configuration
and CoS Marking in transmitted frames
• L2 Policy ToS marking
• Rate Limiter violation notification (and optional disabling of violating ports)
Capacities
• Support for 256 CoS entries
• 4 TX queues per port—(16 TX queues supported on 7GR4270-12, 7G4270-12, 7G4270-09, &
7G4270-10)
• 8 RX rate limiters—(32 RX rate limiters supported on 7GR4270-12, 7G4270-12, 7G4270-09 &
7G4270-10)
• Support for TXQ rate shapers
o No Support for TX rate limiters
• System wide unicast limit of 64K unique, 802.1p/ToS/VLAN/ARP translations (MAC header)
Management
• Support for Enterasys CoS MIB
Link Aggregation (LAG)
The N-Series DFE-Platinum and Diamond modules installed in NSA/N1/N3/N5/N7 support a total of 62 LAGs per
chassis. There is a limit of 64 ports/LAG.
Multi-User 802.1X
Authentication of multiple 802.1X clients on a single port is supported. This is an extension of the existing multi
authentication mechanism. It will replace the existing single user 802.1X code and supplement the existing
Multiple MAC and PWA+ authentication methods.
This feature will only operate correctly when the intermediate switch forwards EAP frames, regardless of
destination MAC address (addressed to either unicast or reserved multicast MAC).
To be standards compliant, a switch is required to filter frames with the reserved multicast DA. To be fully
multi-user 802.1X compatible, the intermediary switch must either violate the standard by default or offer a
configuration option to enable the non-standard behavior. Some switches may require the Spanning Tree Protocol
to be disabled to activate pass-through.
Use of a non-compatible intermediary switch will result in the 802.1X authenticator missing multicast destined
users’ logoff and login messages. Systems used by multiple consecutive users will remain authenticated as the
original user, until the re-authentication period has expired.
The multi-user 802.1X authenticator must respond to EAP frames with directed (unicast) responses. It must also
challenge new user MAC addresses discovered by the multi-user authentication/policy implementation.
Compatible supplicants include Microsoft Windows XP/2000/Vista, Symantec Sygate Security Agent, and Check
Point Integrity Client. Other supplicants may be compatible.
The enterasys-8021x-extensions-mib and associated CLI will be required to display and manage multiple users
(stations) on a single port.
Matrix E7 Firmware Compatibility
If you are installing these modules in the Matrix E7 chassis, the minimum versions of firmware for the other
compatible modules are:
6x1xx-xx 4.11.15
6x2xx-xx 4.08.50 or 5.05.05
6x3xx-xx 4.08.50 or 5.05.05
DFE Shutdown Procedure
Before removing a DFE from the chassis, the user is required to “shutdown” the module. This can be
accomplished by using the OFFLINE/RESET switch on the front panel of the module. The management LED will
change from solid green to a green/amber combination to notify the user that the device is shutting down. When
shutdown is complete, the management LED will change to an off/amber combination indicating it is safe to pull
the device out of the chassis and will not cause network disruption. Pulling any DFE out of the chassis before it
has been shut down is discouraged and will result in ~ 30 seconds of down time. The only safe time to pull a
device out of the chassis and avoid potential downtime is after a shutdown and the management LED is blinking
in the off/amber combination.
The OFFLINE/RESET switch has the following operation:
• Tap (press for less than 1 second) shuts the DFE down.
• Press and hold (press for 6 seconds) resets the device without a shutdown.
The halt after a shutdown is timed at 60 seconds. Once the time has expired the device will automatically
initialize. This is the suggested mechanism to reset the device. It is safe to press and hold the OFFLINE/RESET
switch after the shutdown has completed in order to reboot the device in a more timely fashion. As the chassis is
a single distributed system (hardware, databases, and persistent storage), an indication to the device that a piece
of the system is about to be removed is necessary to minimize the effect on the rest of the network.
Power over Ethernet Control Code Upgrade
Each release of DFE firmware contains within it a copy of PoE microcontroller code. This code is installed in the
microcontroller’s flash memory system any time the DFE boots and discovers the installed code is not the
appropriate version. When up or downgrading DFE firmware, you may experience an additional delay in PoE
delivery of a few minutes while this step completes.
Matrix E7 Proxy Function
The DFE modules provide a function called “proxy” when installed in the Matrix E7 chassis. This function provides
1st and 2nd generation modules (which have only 4 backplane ports that connect to slots 1–5) with the ability to
communicate with modules installed in slots 6 and 7, by way of an intermediate (proxy) module installed in one of
the first 5 slots.
A packet entering a port on a 1st or 2nd generation module in one of the first 5 slots is transmitted to the FTM1
backplane connection of the “proxy” module in one of the first five slots. This proxy module can then forward that
packet to either slot 6 or 7.
The lowest numbered slot containing a module capable of providing the proxy function will always be the proxy
module.
Prioritized and Tagged Traffic
In the version 4.00.xx release and beyond, policy rules which explicitly DROP (not just assign a VLAN), will drop
the traffic, even if a VLAN_ID is present in the TCI field. This behavior differs from earlier releases and may have
an unexpected impact on tagged network traffic.
Router Capacities
The following table defines the router capacities:
ARP Entries (per router / per chassis) 32,000
Static ARP Entries 1,024
Route Table Entries 25,000
OSPF Areas 6
OSPF LSA Type 1 – Router Links 512
OSPF LSA Type 2 – Networks Links 512
OSPF LSA Type 3 – Summary Networks 8,000
OSPF LSA Type 4 – Summary ASBRs 3,000
OSPF LSA Type 5 – AS External Links 10,000
OSPF LSA Type 7 – NSSA External Links 4,000
OSPF LSA Type 9 – Opaque Subnet-only 512
OSPF LSA Type 10 – Opaque Area 512
OSPF LSA Type 11 – Opaque AS 512
OSPF Neighbors 60
Static Routes 1,024
RIP Routes 3,000
Configured RIP Nets 300
VRRP Interfaces 256
Routed Interfaces 256
Access Rules 5,000
Access Rules – Per ACL 5000
Policy Based Routing Entries 100
RIP ECMP Paths 8
Router Links in Area 100
Secondaries per Interface 128
Secondary Interfaces per Router 2,000
IP Helper addresses (per router/ per interface) 5,120 / 20
IGMP Entries 64
OSPF ECMP Links 8
VRF 8
Multicast Capacities
IGMP Static Entries 64
IGMP *,G and S,G Groups (1) 16K/16K (3)
IGMP Snooping Flow Capacity 4K/16K (3)
Multicast Routing (PIM/DVMRP flows) 4K
IGMP Clients (2) 16K
(1) Group entries may be consumed for each egress VLAN of a routed flow.
(2) A client is defined as a reporter subscribing to a *,G or S,G group, or a source of a multicast flow.
(3) Using the optional command “set igmp number-flows maximum.”
DHCP Capacities
DHCP Server Leases 1,024
DHCP Pools 100
Some of these limits may not be enforced by the firmware and may cause unknown results if exceeded.
Advanced License Keys
• N-EOS-L3 - An advanced license key is required for VRF, LSNAT, PIM, OSPF, DVMRP and Extended
ACLs. However, ‘show’ commands for these features are available in the base image.
• N-EOS-PPC - Port user capacity licensing to increase user port capacities from the default capacity to
256 users. The maximum value for users/port is the maximum allowed by the system.
• N-EOS-PUC - Chassis user capacity licensing is used to increase user capacity from the default to 2048
users per system (Now supported in the N1 Chassis and 2G4072-52).
N-EOS-L3 and N-EOS-PPC functionality is included in Diamond modules without the need for additional
licenses.
Memory Upgrade
All DFE Platinum and Diamond modules ship with the 256MB DRAM installed by default.
These features are available by default:
• Protocol Independent Multicast (PIM),
• Extended routing capacities (see table above),
• Load Share Network Address Translation (LSNAT),
• Network Address Translation (NAT),
• Transparent Web Cache Balancing (TWCB),
• Radius Snooping,
• NetFlow
NETWORK MANAGEMENT SOFTWARE:
NMS Version No.
NetSight Suite 5.0
*ACL management has been migrated into NetSight Console.
NOTE: If you install this image, you may not have control of all the latest features of this product until the next
version(s) of network management software. Please review the software release notes for your specific network.
PLUGGABLE PORTS SUPPORTED:
MGBICs Description
MGBIC-LC01 1 Gb, 1000Base-SX, IEEE 802.3 MM, 850 nm Short Wave Length, 220/550 M, LC SFP
MGBIC-LC03 1 Gb, 1000Base-SX-LX/LH, MM, 1310 nm Long Wave Length, 2 Km, LC SFP
MGBIC-LC07 1 Gb, 1000Base-EZX, IEEE 802.3 SM, 1550 nm Long Wave Length, 110 KM, LC SFP (Extended Long Reach)
MGBIC-LC09 1 Gb, 1000Base-LX, IEEE 802.3 SM, 1310 nm Long Wave Length, 10 Km, LC SFP
MGBIC-MT01 1 Gb, 1000Base-SX, IEEE 802.3 MM, 850 nm Short Wave Length, 220/550 M, MTRJ SFP
MGBIC-02 1 Gb, 1000Base-T, IEEE 802.3 Cat5, Copper Twisted Pair, 100 M, RJ 45 SFP
MGBIC-08 1 Gb, 1000Base-LX/LH, IEEE 802.3 SM, 1550 nm Long Wave Length, 80 KM, LC SFP
MGBIC-BX10-U 1 Gb, 1000Base-BX10-U Single Fiber SM, Bidirectional 1310nm Tx / 1490nm Rx, 10 Km, Simplex LC SFP (must be paired with MGBIC-BX10-D)
MGBIC-BX10-D 1 Gb, 1000Base-BX10-D Single Fiber SM, Bidirectional, 1490nm Tx / 1310nm Rx, 10 Km, Simplex LC SFP (must be paired with MGBIC-BX10-U)
MGBIC-BX40-U 1 Gb, 1000Base-BX40-U Single Fiber SM, Bidirectional, 1310nm Tx / 1490nm Rx, 40 Km, Simplex LC SFP (must be paired with MGBIC-BX40-D)
MGBIC-BX40-D 1 Gb, 1000Base-BX40-D Single Fiber SM, Bidirectional, 1490nm Tx / 1310nm Rx, 40 Km, Simplex LC SFP (must be paired with MGBIC-BX40-U)
MGBIC-BX120-U 1 Gb, 1000Base-BX120-U Single Fiber SM, Bidirectional, 1490nm Tx / 1590nm Rx, 120 Km, Simplex LC SFP (must be paired with MGBIC-BX120-D)
MGBIC-BX120-D 1 Gb, 1000Base-BX120-D Single Fiber SM, Bidirectional, 1590nm Tx / 1490nm Rx, 120 Km, Simplex LC SFP (must be paired with MGBIC-BX120-U)
MGBIC-N-LC04 100 Mb, 100Base-FX, IEEE 802.3 MM, 1310 nm Long Wave Length, 2 KM, LC SFP
MGBIC-LC04 100 Mb, 100Base-FX, IEEE 802.3 MM, 1310 nm Long Wave Length, 2 KM, LC SFP
MGBIC-LC05 100 Mb, 100Base-LX10, IEEE 802.3 SM, 1310 nm Long Wave Length, 10 KM, LC SFP
Xenpaks Description
10GBASE-ER 10 Gb, 10GBASE-ER, IEEE 802.3 SM, 1550 nm Long Wave Length, 40 Km, SC Xenpak
10GBASE-LR 10 Gb, 10GBASE-LR, IEEE 802.3 SM, 1310 nm Long Wave Length, 10 Km, SC Xenpak
10GBASE-SR 10 Gb, 10GBASE-SR, IEEE 802.3 MM, 850 nm Short Wave Length, 33/82 M, SC Xenpak
10GBASE-LX4 10 Gb, 10GBASE-LX4, IEEE 802.3 MM/SM, 1310 nm Long Wave Length, 300/240 M / 10 Km, SC Xenpak
10GBASE-ZR 10 Gb, 10GBASE-ZR, IEEE 802.3 SM, 1550 nm Long Wave Length, 80 KM, SC Xenpak
XFPs Description
10GBASE-ER-XFP 10 Gb, 10GBASE-ER, IEEE 802.3 SM, 1550 nm Long Wave Length, 40 Km, LC XFP
10GBASE-LR-XFP 10 Gb, 10GBASE-LR, IEEE 802.3 SM, 1310 nm Long Wave Length, 10 Km, LC XFP
10GBASE-SR-XFP 10 Gb, 10GBASE-SR, IEEE 802.3 MM, 850 nm Short Wave Length, 33/82 M, LC XFP
10GBASE-CX4-XFP 10 Gb, 10GBASE-CX4, IEEE 802.3 TwinAxial, Copper SFF-8470, 15 M, LC XFP
10GBASE-ZR-XFP 10 Gb, 10GBASE-ZR, SM, 1550 nm Long Wave Length, 80 Km, LC XFP
NOTE: Installing third party or unknown pluggable ports may cause the device to malfunction and display MGBIC
description, type, speed and duplex setting errors.
SUPPORTED FUNCTIONALITY:
Features
• Multiple Authentication Types Per Port - 802.1X, PWA+, MAC
• Layer 2 through 4 VLAN Classification
• Entity MIB
• Multiple Authenticated Users Per Port - 802.1X, PWA+, MAC
• Layer 2 through 4 Priority Classification
• IP Routing
• DVMRP
• Dynamic VLAN/Port Egress Configuration
• Static Routes
• SNTP
• Ingress VLAN Tag Re-write
• RIP v2
• Web-based configuration (WebView)
• VLAN-to-Policy Mapping
• OSPF
• Multiple local user account management
• RMON – Statistic, History, Alarms, Host, HostTopN
• OSPF ECMP
• Denial of Service (DoS) Detection
• RMON Matrix groups, Host, HostTopN, Events, Capture and Filter
• OSPF Alternate ABR
• Passive OSPF support
• SMON – VLAN and Priority Statistics
• RIP ECMP, CIDR configuration
• 802.1X – Authentication
• Distributed Chassis Management (Single IP Address)
• Virtual Router Redundancy Protocol (VRRP)
• 802.1D – 1998
• SNMP v1/v2c/v3
• ICMP
• 802.1Q – Virtual Bridged Local Area Networking
• Port Mirroring
• Protocol Independent Multicast - Sparse Mode (PIM-SM)
• GARP VLAN Registration Protocol (GVRP)
• Flow Setup Throttling
• Proxy ARP
• 802.1p – Traffic Class Expediting
• MAC locking (Static/Dynamic)
• Basic Access Control Lists
• 802.1w – Rapid Reconfiguration of Spanning Tree
• Node/Alias table
• Extended ACLs
• 802.1s – Multiple Spanning Trees
• Policy-Based Routing
• Auto MDI-X Media Dependent Interface Crossover Detect (Enhanced for non auto negotiating ports)
• 802.1t – Path Cost Amendment to 802.1D
• SSH v2
• DHCP Server
• 802.3 – 2002
• OSPF NSSA, equal cost multi-path
• DHCP Relay
• 802.3ad – Link Aggregation (128 users)
• Audit trail logging
• Jumbo Frame support
• 802.3x – Flow Control
• RADIUS Client
• Directed Broadcast
• Load Share Network Address Translation (LSNAT)
• FTP/TFTP Client
• 7K-2XFP-6MGBIC, 7G-6MGBIC-(A/B) support
• Static Multicast Configuration
• Telnet – Inbound/Outbound
• Cisco CDP v1/2
• Broadcast Suppression
• Configuration File Upload/Download
• CLI Management
• Inbound and Outbound Rate Limiting
• Text-based Configuration Files
• DFE CPU and task Debugging
• Strict and Weighted Round Robin Queuing
• Syslog
• RADIUS (Accounting, Snooping)
• IGMP v1/v2/v3 and Querier support
• Split RADIUS management and authentication
• Span Guard
• SMON Port and VLAN Redirect
• RAD (Remote Address Discovery)
• Link Flap detection
• FTM1 Proxy Bridge
• Cabletron Discovery Protocol (CDP)
• Daylight Savings Time
• TACACS+
• NetFlow v5/v9
• RFC 3580 with Policy support
• Type of Service (ToS) Re-write
• LLDP and LLDP-MED
• Spanning Tree Loop Protection
• TWCB (Transparent Web Cache Balancing)
• NAT (Network Address Translation)
• VRF-Aware LSNAT
• Multi-VRF (IPv4)
• VRF-Aware NAT
• VRF Static Route Leaking
• VRF-Aware TWCB
• VRF-Aware Policy Based Routing
• 802.1Qaz ETS, (Data Center Bridging – Enhanced Transmission Selection)
• PIM-SSM
FIRMWARE CHANGES AND ENHANCEMENTS:
Problems Corrected in 7.63.05.0002
RADIUS Problems Corrected in 7.63.05.0002 Introduced In:
RADIUS accounting requests may be sent for management sessions that have been
terminated if incorrect authorization attributes are returned from the RADIUS server. 4.00.50
Enabling or disabling the RADIUS accounting state over time may cause terminated
network sessions (macauthentication, 802.1x, PWA, etc.) to continue to trigger the
transmission of RADIUS accounting requests after their termination. 4.00.50
QoS Problems Corrected in 7.63.05.0002 Introduced In:
CoS Flood control is applied to protocol packets. 7.00.01
Problems Corrected in 7.63.04.0002
Management Problems Corrected in 7.63.04.0002 Introduced In:
When Syslog servers are configured using any of the following commands, switches lose
(leak) 144 bytes of memory:
show support
show config
show config logging
If commands are issued frequently enough, switches reset, logging a message similar to:
Message 3/30
EDR Record 07.62.05.0001H 07/27/2014 19:55:11
Severity/Facility: FATAL/KERNEL
Task: tCLI0
Injection Point: memPartLib.c:2498
Address: 0x00000000
memPartAlloc: block too big 84624 bytes (0x10 aligned) in partition 0x2234548
Introduced In: 7.11.01
PoE Problems Corrected in 7.63.04.0002 Introduced In:
When a chassis has no PoE-capable modules, switches lose (leak) memory if any of the
following commands are issued:
show support
show config
show config inlinepower
If commands are issued frequently enough, switches reset, logging a message similar to:
Message 3/30
EDR Record 07.62.05.0001H 07/27/2014 19:55:11
Severity/Facility: FATAL/KERNEL
Task: tCLI0
Injection Point: memPartLib.c:2498
Address: 0x00000000
memPartAlloc: block too big 84624 bytes (0x10 aligned) in partition 0x2234548
Introduced In: 7.00.01
SNTP Problems Corrected in 7.63.04.0002 Introduced In:
With SNTP unicast client configured, after 497 days, SNTP time requests may stop being sent. 4.05.08
Syslog Problems Corrected in 7.63.04.0002 Introduced In:
When performing the "set logging server" command, the service may not be created
properly when the server IP address is modified. 7.41.02
Problems Corrected in 7.63.03.0001
Spanning Tree Problems Corrected in 7.63.03.0001 Introduced In:
A temporary loop may be created when the root bridge relinquishes its root status and the
direction of root in the network reverses (for example: designated ports become
root/alternate ports and root/alternate ports become designated). 7.00.01
Feature Enhancements in 7.63.02.0002
Spanning Tree Enhancements in 7.63.02.0002
LoopProtect is enhanced to coordinate more closely with changes in point-to-point status, mainly through the
MultiSource function. LoopProtect does not allow a non–point-to-point port to forward. The MultiSource
function detects the reception of BPDUs from multiple sources on a given port. If this occurs and the
AdminPointToPoint value indicates that auto-detection is used to determine the operational point-to-point
value (which is the default administrative value), it sets the operational point-to-point value to false.
Previously, LoopProtect used an operational point-to-point value of false to prevent the refresh of
the LoopProtect BPDU reception timer for a designated port. On expiry, a LoopProtect event would be
indicated and the port state would become discarding. The new behavior is to force timer expiry immediately
for a port on transition to non–point-to-point status, for both designated and root port roles. Rather than
waiting seconds for the port to become discarding, it discards immediately.
The MultiSource function has also been updated to use the MAC address of the transmitting bridge
embedded in the BPDU rather than the BPDU packet header source MAC address for source address
comparison. This removes any delays in MultiSource detection allowed for LAG ports due to the fact that a
LAG may change its port MAC address based on changes to port membership. Also, a change in point-to-point
status due to port duplex change would result in the same quicker response.
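The behaviour described above, modelled as an added example (not Extreme Networks firmware code): a toy port applies MultiSource detection to constructed RST BPDU frames, keyed either on the bridge MAC inside the BPDU or on the frame header source MAC, with immediate or timer-based discard. The class and function names, the 6-second window and timer, and the sample MAC addresses are assumptions made for illustration; recovery back to forwarding is not modelled.

```python
import struct

STP_GROUP = bytes.fromhex("0180c2000000")   # bridge group address
LLC_STP = b"\x42\x42\x03"                   # DSAP, SSAP, control for spanning tree

# Constructed sample addresses (not from the release notes).
BRIDGE_A = bytes.fromhex("020000aa0000")
BRIDGE_B = bytes.fromhex("020000bb0000")
PORT_MAC_1 = bytes.fromhex("020000aa0001")
PORT_MAC_2 = bytes.fromhex("020000aa0002")


def build_frame(src_mac, bridge_mac):
    """Constructed sample input: an 802.3 frame carrying an RST BPDU."""
    bridge_id = struct.pack("!H", 0x8000) + bridge_mac       # priority + bridge MAC
    bpdu = struct.pack("!HBBB", 0, 2, 0x02, 0x3C)            # protocol, version, type, flags
    bpdu += bridge_id + struct.pack("!I", 0) + bridge_id     # root id, path cost, bridge id
    bpdu += struct.pack("!HHHHHB", 0x8001, 0, 20 << 8, 2 << 8, 15 << 8, 0)
    payload = LLC_STP + bpdu
    return STP_GROUP + src_mac + struct.pack("!H", len(payload)) + payload


def parse_frame(frame):
    """Return (header source MAC, transmitting bridge MAC) from a Config/RST BPDU."""
    if len(frame) < 14 + 3 + 35:
        raise ValueError("too short for a Config/RST BPDU")
    if frame[:6] != STP_GROUP or frame[14:17] != LLC_STP:
        raise ValueError("not a spanning tree frame")
    bpdu = frame[17:]
    proto, _version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a Config or RST BPDU")
    # The bridge identifier starts at BPDU offset 17: 2-byte priority, then 6-byte MAC.
    return frame[6:12], bpdu[19:25]


class LoopProtectPort:
    """Toy model of one port; the 6 s window and timer are assumed values."""

    def __init__(self, key="bridge", immediate=True, window=6.0, lp_timeout=6.0):
        self.key = key                  # "bridge": MAC inside the BPDU; "frame": header source
        self.immediate = immediate      # True: 7.63.02.0002 behaviour; False: prior behaviour
        self.window = window
        self.lp_timeout = lp_timeout
        self.admin_p2p = "auto"         # default administrative value per the text
        self.oper_p2p = True
        self.state = "forwarding"
        self.seen = {}                  # source -> time of last BPDU
        self.expiry = lp_timeout        # LoopProtect BPDU reception timer

    def tick(self, now):
        """Expire the LoopProtect timer: the port goes to discarding."""
        if now >= self.expiry:
            self.state = "discarding"
        return self.state

    def receive(self, now, frame):
        src_mac, bridge_mac = parse_frame(frame)
        source = bridge_mac if self.key == "bridge" else src_mac
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.window}
        self.seen[source] = now
        if len(self.seen) > 1 and self.admin_p2p == "auto":
            self.oper_p2p = False       # MultiSource: more than one sender on this port
        if self.oper_p2p:
            self.expiry = now + self.lp_timeout   # normal refresh on BPDU reception
        elif self.immediate:
            self.expiry = now           # new behaviour: force expiry on the transition
        # prior behaviour: the timer is simply not refreshed and runs out later
        return self.tick(now)


def shared_segment(immediate):
    """Two different bridges heard on one port, one second apart."""
    port = LoopProtectPort(immediate=immediate)
    port.receive(0.0, build_frame(PORT_MAC_1, BRIDGE_A))
    port.receive(1.0, build_frame(BRIDGE_B, BRIDGE_B))
    return port


def lag_mac_change(key):
    """One neighbour whose LAG port MAC changes between two BPDUs."""
    port = LoopProtectPort(key=key)
    port.receive(0.0, build_frame(PORT_MAC_1, BRIDGE_A))
    port.receive(1.0, build_frame(PORT_MAC_2, BRIDGE_A))
    return port


if __name__ == "__main__":
    print("two bridges, new behaviour:", shared_segment(True).state)
    print("two bridges, prior behaviour at t=1:", shared_segment(False).state)
    print("LAG MAC change, bridge-MAC key:", lag_mac_change("bridge").state)
    print("LAG MAC change, header-MAC key:", lag_mac_change("frame").state)
```

Keying on the header source MAC sees two senders when a single LAG neighbour changes its port MAC, which is the ambiguity the bridge-MAC comparison removes.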
Problems Corrected in 7.63.02.0002
Spanning Tree Problems Corrected in 7.63.02.0002 Introduced In:
A port on the root bridge may select a backup role instead of a designated role, if:
• It receives a BPDU from another bridge where the role in the flags field indicates a designated role
• The root identifier is the ID of the receiving bridge
• The transmitting port ID is lower than the receiving port ID
Introduced In: 7.00.01
Feature Enhancements in 7.63.01.0006
Cryptography Enhancements in 7.63.01.0006
Three new ciphers have been added to SSH:
aes128-ctr AES in Counter mode, with 128-bit key
aes192-ctr AES in Counter mode, with 192-bit key
aes256-ctr AES in Counter mode, with 256-bit key
Five new Encrypt-then-MAC (ETM) MACs have been added to SSH:
[email protected] SHA-1 with 20-byte digest and key length, encrypt-then-mac
[email protected] MD5 with 16-byte digest and key length, encrypt-then-mac
[email protected] RIPEMD-160 algorithm with 20-byte digest length, encrypt-then-mac
[email protected] SHA-1 with 20-byte key length and 12-byte digest length, encrypt-then-mac
[email protected] MD5 with 16-byte key length and 12-byte digest length, encrypt-then-mac
The allowed cipher list and allowed MAC list used by the SSH Client and SSH Server are now configurable
using the CLI:
set ssh ciphers <cipher-list> (list is in order of precedence from high to low)
set ssh macs <macs-list> (list is in order of precedence from high to low)
clear ssh ciphers (that is, revert to default ciphers list)
clear ssh macs (that is, revert to default MACs list)
The default values for these lists contain all possible ciphers or MACs. (Names with an asterisk are not
supported in FIPS mode):
Allowed Ciphers List (default):
aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc,
aes256-cbc, 3des-cbc, blowfish-cbc*, cast128-cbc*,
[email protected]*
Allowed MACs List (default):
[email protected],
[email protected]*,
[email protected]*,
[email protected],
[email protected]*, hmac-sha1, hmac-md5*, hmac-ripemd160*,
[email protected]*, hmac-sha1-96, hmac-md5-96*
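An added example (not part of the release notes or the firmware) showing why the order and contents of these lists matter: it parses the default lists printed above, applies an assumed audit policy, and simulates the RFC 4253 rule that the first algorithm on the client's list that the server also allows is selected. The policy in review() and the sample client preferences are assumptions; entries whose names are obscured in this copy of the page are left out.

```python
"""Audit SSH cipher/MAC lists and simulate RFC 4253 algorithm selection."""

# Default lists as printed in the release notes; "*" marks "not supported in FIPS mode".
# Entries whose names are obscured in this copy of the page are omitted.
DEFAULT_CIPHERS = ("aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, "
                   "aes256-cbc, 3des-cbc, blowfish-cbc*, cast128-cbc*")
DEFAULT_MACS = "hmac-sha1, hmac-md5*, hmac-ripemd160*, hmac-sha1-96, hmac-md5-96*"


def parse_list(text):
    """Return [(name, fips_ok), ...] in precedence order (high to low)."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if item:
            entries.append((item.rstrip("*"), not item.endswith("*")))
    return entries


def review(name):
    """Reasons an auditor might drop `name` (assumed policy, not from the page)."""
    reasons = []
    if name.endswith("-cbc"):
        reasons.append("CBC mode")
    if name.startswith(("3des", "blowfish", "cast128")):
        reasons.append("64-bit block cipher")
    if "md5" in name:
        reasons.append("MD5-based MAC")
    if name.endswith("-96"):
        reasons.append("tag truncated to 96 bits")
    return reasons


def restrict(entries, fips_only=False):
    """Keep precedence order; drop flagged names and, optionally, non-FIPS names."""
    return [name for name, fips_ok in entries
            if not review(name) and (fips_ok or not fips_only)]


def negotiate(client_prefs, server_allowed):
    """RFC 4253 section 7.1: first name on the client's list that the server also lists."""
    for name in client_prefs:
        if name in server_allowed:
            return name
    return None   # no common algorithm: the connection attempt fails


def report(entries):
    """Return {name: [reasons]} for every flagged entry, for a human-readable audit."""
    return {name: review(name) for name, _ in entries if review(name)}


if __name__ == "__main__":
    ciphers = parse_list(DEFAULT_CIPHERS)
    default_names = [name for name, _ in ciphers]
    legacy_client = ["aes128-cbc", "3des-cbc", "aes128-ctr"]   # constructed client list
    print("flagged:", report(ciphers))
    print("default list selects:", negotiate(legacy_client, default_names))
    print("restricted list selects:", negotiate(legacy_client, restrict(ciphers)))
    print("CBC-only client:", negotiate(["aes128-cbc", "3des-cbc"], restrict(ciphers)))
```

A client that offers only removed algorithms gets no match, so check what the management stations offer before trimming the lists on the switch.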
Problems Corrected in 7.63.01.0006
Host Problems Corrected in 7.63.01.0006 Introduced In:
If the chassis is configured in a way that forces building of hardware flows at Layer 4 level,
Precision Time Protocol frames (UDP port 319) received on a 10G port will frequently be sent
(looped) back out the 10G port. 7.62.09
Module might reset with messages similar to: "DSI exception" and “Thread Name: tDSrecv4”. 7.00.01
N7 chassis segments when clearing bonding config on neighbor router. 2.00.13
Platform Tree Problems Corrected in 7.63.01.0006 Introduced In:
System instability might be experienced with messages similar to "Interhost Unit 1 no rx
space in Net Pool". 6.00.02
Module might reset with messages similar to: "Chassis coherency timeout exceeded". 6.11.01
Spanning Tree Problems Corrected in 7.63.01.0006 Introduced In:
A root or alternate port may get stuck in a state where it will not respond to a proposal
BPDU with an agreement BPDU. This will cause port forwarding for the connected
designated port to use timers rather than the rapid forwarding mechanism. Additionally, if
the designated port is configured for lp (Loop Protect), it will detect a loop protect event and
remain in the listening state. 7.60.01
If spanning tree is configured to have autoedge detection disabled and a linked port is
configured to have portadmin disabled, the root port and the alternate ports may not be
able to send response BPDUs to a proposal by an attached bridge. 7.60.01
Link Aggregation Problems Corrected in 7.63.01.0006 Introduced In:
When a port is added to a LAG, there may be a delay of up to 5 seconds before a port will
transition from collecting to distributing. This may result in a loss of traffic sent over that
new LAG link from the peer for that time. 1.07.19
Problems Corrected in 7.62.10.0001
Spanning Tree Problems Corrected in 7.62.10.0001 Introduced In:
BPDUs are not processed when marked for discard by Policy. The port role and state will be
designated forwarding. When the port is an inter-switch link and the attached port is
designated forwarding, a loop will form if there is redundancy. 4.00.50
STP/RSTP/MSTP Problems Corrected in 7.62.10.0001 Introduced In:
When a port has link loss, a new port role is not immediately calculated. If this is a root port, it
will remain root port until some other event causes a root election. 7.62.05
Problems Corrected in 7.62.09.0001
Platform Problems Corrected in 7.62.09.0001 Introduced In:
When exposed to high rates of certain types of ICMP traffic, a DFE chassis may become
unstable. Individual blades may reset and cause the generation of log messages similar to:
<1>System[1]Chassis coherency timeout exceeded, resetting
or
<1>DistServ[1.tDSserv5]peerStatus.5 this server has been invalidated
Introduced In: 7.00.01
Problems Corrected in 7.62.08.0002
Platform Problems Corrected in 7.62.08.0002 Introduced In:
Doing a set on a large range of data could cause a board reset.
Example: cfm vlan-table primary 99 selector 1-98,100-4094
The syslog will show an error similar to below:
<1>NonVol[1.tNVolCUp]cleanup:Remove() on store=0, fileIndex=2863311530 majorId=140 failed retval=8, write_file_num=50 ( 0x00d12590 0x00a79af4 0x00a81504 0x01686324 0x00000000 )
and a core file will be generated.
Introduced In: 8.11.04
RMON Problems Corrected in 7.62.08.0002 Introduced In:
RMON alarm is not generating further rthresh events after a first one when using type
absolute. 5.01.58
SNMP Problems Corrected in 7.62.08.0002 Introduced In:
Continuous poll of TCP or UDP MIBs may result in the exhaustion of memory resulting in an
out of memory reset action on a specific slot. 7.40.00
Problems Corrected in 7.62.07.0002
LLDP Problems Corrected in 7.62.07.0002 Introduced In:
The MAC address used by LLDP on the N1 and NSA systems is 00-00-00-00-00-00. 7.60.01
NONVOL Problems Corrected in 7.62.07.0002 Introduced In:
The NONVOL cleanup task can write incomplete files out to the NONVOL store that will not be
detected until a reboot or the next time cleanup runs for that store and component:
<3>NonVol[8.tNVolCUp]nvFilePtrMgr::verify(3) calcCsum() failed. store=5, fileIdx=10.51, udpSum=0x77e366a, sumCount=65534
Introduced In: 3.00.33
The NONVOL cleanup task can write incomplete files to the NONVOL store that will not be
detected until a reboot:
NonVol[1.tusrAppInit]nvFilePtrMgr::verify(0) checksum failure. store=4, fileIdx=0.37, udpSum=0x8f8dd5a, sumCount=65527
Introduced In: 3.00.33
The NONVOL cleanup task can cause a DSI reset:
Exc Vector: DSI exception(0x00000300)
Thread Name: tNVolCUp
Introduced In: 3.00.33
The NONVOL cleanup task can become stuck causing high system utilization:
debug utilization show -i
NAME TID PRI STATUS 5sec 1min 5min
Got tid = 1 from successful call to getNextTaskId()
tNVolCUp 240412704 195 READY 99.37 99.28 99.27
Introduced In: 3.00.33
Platform Problems Corrected in 7.62.07.0002 Introduced In:
Reading a file from another blade (Ex: show file or configure) could cause a DSI/reset, usually
if remote file is being updated, or remote connection goes away (other blade resets or
bonding goes away). 7.00.01
At boot time the following errors may be seen in the log:
<163>Sep 19 14:46:02 0.0.0.0 NonVol[1.tusrAppInit]validate_files: Unknown record type;store=1,offset=4105,file=0.80, type=0,rawMaj=0,rawMin=0,rawLen=0
<163>Sep 19 14:46:02 0.0.0.0 NonVol[1.tusrAppInit]validate_files: file=1/0.80 rewinding over incomplete record. Truncating to size 4105
<163>Sep 19 14:46:02 0.0.0.0 NonVol[1.tusrAppInit]nvFilePtrMgr::fFlush(5) fflush(0x72b03b0) retval=-1, errno=9
Configuration could have been lost due to file corruption and should be verified.
Introduced In: 3.00.33
Configuration files saved on the system can get corrupted during uncontrolled resets (power
loss, DSI, pulled blade). 7.00.01
Running "chkdsk repair" could cause a reset. This command is only available from debug, or
during boot if filesystem corruption is detected. 7.00.01
Switching Problems Corrected in 7.62.07.0002 Introduced In:
Precision Time Protocol (PTPv1) UDP broadcast port 139, when being forwarded through
switch, may not function reliably. 1.07.19
Problems Corrected in 7.62.06.0004
CLI Problems Corrected in 7.62.06.0004 Introduced In:
‘show port operstatuscause’ command does not display port information. 7.62.05
Neighbor Discovery (Layer 1) Problems Corrected in 7.62.06.0004 Introduced In:
CLI output for the "show neighbors" command will infrequently exclude one or more
neighbors from one or more modules. 7.31.02
Routing Problems Corrected in 7.62.06.0004 Introduced In:
When a board is removed from the chassis, all new routing flows requiring a reframer
resource will be soft forwarded and not have a hardware resource built for them, until a chassis
sync occurs (via a board insertion or master re-sync). 7.22.02
Secure Copy (SCP) Problems Corrected in 7.62.06.0004 Introduced In:
Secure Copy (scp) file transfers do not work (i.e., "copy
scp://<user>@<host>//<path>/<source-file> slot1/<destination-file>"). A workaround is to
use ftp rather than scp. 7.62.05
SNMP Problems Corrected in 7.62.06.0004 Introduced In:
The ifOutQLen object in IF-MIB returns the depth of the transmit queue instead of the
number of packets on that queue. 1.07.19
SSH Problems Corrected in 7.62.06.0004 Introduced In:
The SSH Client, which allows users to SSH from the switch to another device, will not work if
the '-q' (quiet) option is specified on the command line. A workaround is to not use the '-q'
option (i.e., use "ssh [email protected]" instead of "ssh -q [email protected]"). 7.62.05
If a new SSH connection request is received within ~30ms of a "set ssh hostkey reinit"
command, then the host master slot will log a DSI exception in Thread Name: tSshC.
Although the window of vulnerability is brief, SSH Clients which have an auto-reconnect
feature will be susceptible to this defect. If your SSH Client has auto-reconnect, either
disable the option or do not issue the "set ssh hostkey reinit" command from that SSH Client. 7.00.01
When upgrading from pre-7.40 to post-7.40 releases the SSH Server's hostkey will be
reinitialized. Following the upgrade SSH Clients will issue some kind of warning regarding
the hostkey change. In order to connect via SSH, the old hostkey will have to be deleted
from the SSH Client's host key cache. Here is an example message from OpenSSL's SSH
Client:
[host]> ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
59:0f:05:7c:e7:ce:2b:23:ac:0b:b5:4e:77:ae:80:ef.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending key in ~/.ssh/known_hosts:45
DSA host key for 10.4.99.4 has changed and you have requested strict checking.
Host key verification failed.
Introduced In: 7.40.01
VRRP Problems Corrected in 7.62.06.0004 Introduced In:
A large number of active VRRP instances on the device may cause some of the instances to
transition out of backup state. 7.00.01
Problems Corrected in 7.62.04.0002
HAU Problems Corrected in 7.62.04.0002 Introduced In:
A small amount of memory is leaked every time a High Availability Upgrade Group is
configured or cleared and every time there is a distribution SYNC. 7.60.01
IGMP Problems Corrected in 7.62.04.0002 Introduced In:
IGMP can misprogram egress ports when receiving multicast on a 10G port. 7.00.01
SSH Problems Corrected in 7.62.04.0002 Introduced In:
After running the Codenomicon test suite, test #9874 followed by test #9875, CLI access is
lost. This is true for both remote and console CLI sessions. 7.00.01
Executing a command from an SSH session that displays a large amount of data and scrolling
back to display output that has scrolled off the window will cause the SSH keep-alive to
time out. When this happens, the SSH session will not exit properly, stranding the session. 7.00.01
The settings for SSH client keep-alive were found to be too short (15 seconds). They have
been reverted back to the original values of 150 seconds. 7.41.02
VRRP Problems Corrected in 7.62.04.0002 Introduced In:
The VRRP instance does not restart when a Virtual IP is removed. 7.60.01
Problems Corrected in 7.62.03.0004
CLI Problems Corrected in 7.62.03.0004 Introduced In:
The DFE adds a carriage return character (\r) at the end of syslog messages. These are
unexpected by some syslog servers. 7.70.01
IGMP-Snooping Problems Corrected in 7.62.03.0004 Introduced In:
IGMP may reset with a core with multicast traffic running. 7.31.02
LACP Problems Corrected in 7.62.03.0004 Introduced In:
A blade may log the following message and reset: "DistServ[12.tDsBrdOk]serverWatchDog.2,
client 17(LAG) in recv for 6463 tics". This happens when ports are detaching and/or attaching
to a LAG. This has been seen at chassis startup and with blade pulls, typically in a bonded
chassis with some LAG ports in standby. 7.60.01
OSPF Problems Corrected in 7.62.03.0004 Introduced In:
When running OSPF, if route ranges are configured for advertise and do-not-advertise, they
will take effect depending on order of configuration. 7.20.01
If an OSPF network type is configured for a loopback interface, packets are looped back into
the process and DUPLICATE_ROUTER_ID messages are logged every hello interval seconds. 7.20.01
When running OSPF, an assert may occur in tRtrPtcls thread, with the following in the log
message, "SMS assert in qodmrt2.c at line 232 : (null) INVALID BRANCH 0 (null) 0". 7.11.01
While running OSPF, an assert could occur in tRtrPtcls with the following log "SMS assert in
qodmmnt.c at line 249 : (null) INVALID BRANCH 0 (null) 0". 7.20.01
When running OSPF, a DSI can occur in thread tRtrPtcls with the following message displayed
"SMS assert in qorcfnd3.c at line 125 : (null) external_route_cb != NULL 0 (null) 0". 7.20.01
If an LSA is received with an invalid mask, the invalid destination will be installed into the
route table. 7.00.01
When running OSPF, if a summary route changes, and it is the destination of an external LSA's
forwarding address, the external route may disappear from the route table. 7.20.01
When running OSPF as an ABR, subnets from a non-backbone area may not be
summarized, causing incorrect routing tables. 7.20.01
When using the range command in OSPF, an assert may occur in thread tRtrPtcls with the
following log, "SMS assert in qorcagg.c at line 78 : == agg_cb->previous_active 1 agg_cb->active 0". 7.20.01
When an OSPF router is the translator for an NSSA area and the command "spf lsa-thresholds
4294967295 4294967295 0 0" is configured, if a type 7 LSA is flushed from the database, the
type 5 LSA will remain in the database. 7.20.01
When a backup NSSA ABR takes over as translator, it does not translate the type 7 LSAs until a
change occurs in the NSSA database to trigger the routing calculation. 7.20.01
It is possible to calculate a path through a stub area for an external destination in OSPF,
instead of through the backbone. 7.00.01
When OSPF acts as an ABR it will inject type 4 LSAs into an area for ASBRs which are reachable
in that area, though this is unnecessary. 7.20.01
When resetting the system, OSPF will come up without any interfaces or neighbors even
though the network command is configured. 7.30.01
When running OSPF, if a summary route changes and it is the destination of an external LSA's
forwarding address, the external route may disappear from the route table. 7.20.01
Platform Problems Corrected in 7.62.03.0004 Introduced In:
"show system" displays incorrect power supply type of 6C207-1 when a 6C207-3 power supply
is installed. 7.00.01
Policy based Routing Problems Corrected in 7.62.03.0004 Introduced In:
Policy Based Routing is applied to packets destined to router's IP address. 7.00.01
Feature Enhancements in 7.62.02.0004
Netflow Enhancements in 7.62.02.0004
Netflow was changed to allow control over the type of in and out interface ifIndexes that are exported in
Netflow records. In versions prior to 7.21, the system always exported interface ifIndex numbers associated with
fe.x.y, ge.x.y, tg.x.y or lag.0.y ports in Netflow export data. Starting with 7.21, the system exported IP interface
ifIndexes (vlan.0.y) if the flow was routed and the lower-level interface ifIndexes if the frame was switched.
Starting with this release, the CLI command “set netflow export-data [enable/disable] higher-layer” may be
used to control this behavior. The default behavior is disabled and is consistent with versions prior to 7.21.
Systems upgraded to this release will require configuration of this CLI command if export of higher-level
interfaces is desired.
Jumbo Enhancements in 7.62.02.0004
Jumbo frames are now forwarded when the destination is not a learned unicast MAC address.
Problems Corrected in 7.62.02.0004
802.1X Problems Corrected in 7.62.02.0004 Introduced In:
EAPOL version 2 frames are not processed by the switch software when received from an
802.1X supplicant. 5.42.04
CDP Problems Corrected in 7.62.02.0004 Introduced In:
Some Cabletron Discovery Protocol neighbors do not return chassis data and the Device IP/ID
should be displayed instead. This would allow 1st and 2nd gen products to be properly
identified. 5.42.xx
CONFIG Problems Corrected in 7.62.02.0004 Introduced In:
Enabling C2 or FIPS security mode, when loaded from a configuration file, will always log the
following unsupported command error messages, even though the settings are successfully
applied.
<163>Feb 10 12:58:08 0.0.0.0 CLI[2]restoreCmdsFromTmpCfg():No support for "set security fips mode enable"
<163>Feb 10 12:58:08 0.0.0.0 CLI[2]restoreCmdsFromTmpCfg():No support for "set security profile c2"
Introduced In: 7.62.00
COS Problems Corrected in 7.62.02.0004 Introduced In:
The port based priority to queue (set port priority-queue) settings override the COS priority to
queue mappings when COS is globally enabled after system reset. 7.30.01
Removing COS port-config groups may not reset ports from the group back to the default COS
port-config group. 5.01.58
DHCP Problems Corrected in 7.62.02.0004 Introduced In:
The CLI option command found under 'ip dhcp pool', displays incorrect characters when the
hex keyword is used. Display in 'show running-config': option 43 instance 0 hex
01075369656d656e73031773646c703a2f2f3137322e32302e302e333a3138343Í033
^ should be 3 (in place of Í)
Introduced In: 7.00.01
LAG Problems Corrected in 7.62.02.0004 Introduced In:
Multicast over LAG is hashing to a single port with outport algorithm set to dip-sip or da-sa
regardless of the source or destination of the flow. 7.60.01
NETFLOW Problems Corrected in 7.62.02.0004 Introduced In:
Netflow records for flows egressing a LAG port are not exported. 7.30.01
When generating Netflow records for routed flows, the interfaces in the records are always
routed (VLAN) interfaces. 7.20.01
OSPF Problems Corrected in 7.62.02.0004 Introduced In:
Loopback interfaces accept the OSPF interface command, ‘ip ospf cost’ but only use 0 in LSA
updates.
Introduced In: Unknown
OSPF trap configuration lost after a system reset. 7.21.01
When a system has two ABRs between area A and area B, and both are configured with the
same aggregate to summarize routes from area A into area B, then it is possible for one ABR
to install an aggregate route pointing to the other router instead of the reject route for that
aggregate. 7.20.01
OSPF stub networks will not be filtered from the route table using a distribute-list filter
route-map that matches on route-src. Display will indicate route-src is 0.0.0.0 for OSPF stub routes. 7.20.01
The OSPF command, ‘passive-interface’, accepts any port string, but can only process VLAN
interfaces. Entering a physical port may improperly convert it to a VLAN interface. This may
allow a VLAN router interface to become passive when it should be active or not part of the
OSPF domain. 7.20.01
Routing Problems Corrected in 7.62.02.0004 Introduced In:
Subnet broadcast packets are processed by 'ip helper-address' and directed broadcast
features forwarding two packets out of the router. 7.00.01
DHCP requests destined to the router's MAC with a limited broadcast IP are not processed by
the 'ip helper-address' feature. 7.00.01
SNTP Problems Corrected in 7.62.02.0004 Introduced In:
SNTP does not update the time when the client is configured in broadcast mode. 7.30.01
Spanning Tree Problems Corrected in 7.62.02.0004 Introduced In:
The CLI command ‘show spantree stats’ for non-zero SIDs displays a NULL root ID. 7.61.02
Tracked Objects Problems Corrected in 7.62.02.0004 Introduced In:
Upgrading to version 7.6x and higher from a previous version causes a portion of the probe
configuration to disappear. The probe reverts to the default values for these attributes.
The following probe sub-mode command data is lost during the upgrade.
description: Configure the description of this tracked object
faildetect: The failure detection objects
inservice: Set the inservice state
open: Time to wait for TCP 3-way handshake to complete
passdetect: The pass detection objects
receive: Wait time for server to respond to a probe
The ACV configuration data is not lost during the upgrade.
Introduced In: 7.62.00
The router will reset if the Tracked Object Manager (responsible for the management of
probes) generates the following SYSLOG:
<160>May 22 15:22:41 10.21.130.55 DeltaLst[1.tEmanate10]Add error(entry) CTrackObjMgr ( ... <traceback omitted> ... )
The reset occurs when the 'inservice' command is entered for a probe when the following
conditions apply:
1. The probe did not have the 'inservice' command configured.
2. The probe must have associated sessions.
The 'session' column in the 'show probe <name>' command is not zero.
3. The Tracked Object Manager's scheduler must not have started.
The following SYSLOG is generated at level 6 when the scheduler starts:
<166>Jul 1 10:15:13 1.1.1.1 Trackobj[4]Router global: Tracked Object Manger: Scheduler Started
Introduced In: 7.20.01
Feature Enhancements in 7.62.01.0007
HA Upgrades Enhancements in 7.62.01.0007
High Availability Upgrades (HAU) are supported in the N-Series multislot chassis (N3/N5/N7) when the target
firmware version is HAU compatible.
This feature provides a sequenced upgrade where one module or group of modules is rebooted to new
firmware while the others remain operational. When the first module(s) are upgraded and then become
operational the remaining modules in the system are then upgraded. A system utilizing LAG ports comprised of
physical ports spanning multiple modules in the chassis can be upgraded without loss of connectivity or
topology disruption.
Fabric Routing Feature Enhancements in 7.62.01.0007
Fabric Routing is an Extreme Networks extension to VRRP for the coreflow(2) based switch/routers K/N/S.
The function allows the use of standby routers to function as active standby routers. The fabric route mode
allows a VRRP instance in the backup state to forward IPv4 and IPv6 packets destined for the VRRP MAC
address. This feature provides for sharing of the traffic load across VRRP routers. This feature is discussed in
detail in the VRRP chapter of the N-Series Configuration Guide found here:
http://support.extremenetworks.com/.
Problems Corrected in 7.62.01.0007
ARP Problems Corrected in 7.62.01.0007 Introduced In:
When an ARP packet sent to the broadcast MAC address (ff:ff:ff:ff:ff:ff) is received on an
interface it is forwarded to all the remaining ports on the VLAN. This is normal and expected
except when "ip proxy-arp local" is enabled. When "ip proxy-arp local" is configured on the
interface the packet should not be forwarded to the other ports in the VLAN but the packets
are currently forwarded. 7.00.01
CLI Problems Corrected in 7.62.01.0007 Introduced In:
There is a small memory leak in the "show config" command. Issuing this command
repeatedly for 90+ minutes will result in a DSI. 7.61.02
FDB Problems Corrected in 7.62.01.0007 Introduced In:
Static MAC unicast and multicast addresses may not restore correctly upon reboot. 7.60.01
IP Stack Problems Corrected in 7.62.01.0007 Introduced In:
Enabling PIM on an interface could result in the following message and a slot reset: "Unknown
DSI in tNet0 Exc Vector: DSI exception (0x00000300) Thread Name: tNet0" 7.00.01
LLDP Problems Corrected in 7.62.01.0007 Introduced In:
The SNMP MIB lldpV2DestMacAddress returns the incorrect value when requested. 7.30.01
MSTP Problems Corrected in 7.62.01.0007 Introduced In:
Board may reset at startup due to an invalid memory access through a null pointer. Reset
requires multiple spanning tree configuration. 7.00.01
Neighbor Discovery Problems Corrected in 7.62.01.0007 Introduced In:
Some Cisco IP phones may not accept the advertised voice VLAN. Problem observed with Cisco
6941 and 6945 models. Root Cause: CiscoDp packets are transmitted without the switch and
router capabilities bit set. 7.30.01
Netflow Problems Corrected in 7.62.01.0007 Introduced In:
Infrequently, when Netflow is enabled, after a reboot or IP address configuration, the chassis
will fail to generate Netflow records. Also the chassis could suffer degradation in
communications with its IP stack. 7.11.02
Platform Problems Corrected in 7.62.01.0007 Introduced In:
When upgrading from 06.12.XX to 07.0X.XX, the default interface is set to the first interface
configured, not the interface for the vlan configured for host.0.1 under 06.12.xx as shown by
the statement: "set port vlan host.0.1 <vlan>". 7.00.01
Message similar to this one might get generated and board will reset while system is trying to
halt the board: "Message 16/47 Exception PPC750 Info 07.11.01.0025 02/02/2011
05:35:39 Exc Vector: ISI exception(0x00000400) Thread Name: tTsPol" 7.00.01
System resets scheduled via CLI or SNMP will not persist following a power cycle or the
occurrence of another system reset. Following the power cycle the "show reset" command
will display all scheduled resets, but when the scheduled time(s) arrive the system will not be
reset. 7.40.00
Debug syslog messages generated when an option module is replaced with an option module
of a different media type. "ERROR - 43104(tg.4.104) overwriting 42104(ge.4.104)" 7.30.01
PIM Problems Corrected in 7.62.01.0007 Introduced In:
Enabling PIM on an interface could result in the following, along with a slot reset: "Unknown
DSI in tNet0 Exc Vector: DSI exception (0x00000300) Thread Name: tNet0" 7.00.01
PIM Anycast RP may not replicate PIM Register messages to the other peers in the set if any
one of the peers is not reachable. 7.11.01
Routing Protocols Problems Corrected in 7.62.01.0007 Introduced In:
Pinging an interface address of a VRRP router that does not match the subnet of the client can
result in packet loss while ping is in progress. If the destination IP address is a virtual IP
"non-owner" address, the router erroneously responds using the same VMAC on the local subnet
for which it is the backup router. 7.01.02
VRRP non-owner addresses are allowed access to Telnet and SNMP. Only ICMP is permitted. 7.41.02
SNMP Problems Corrected in 7.62.01.0007 Introduced In:
If both IPv4 and IPv6 management addresses are configured and interface for either of these
addresses goes down, then the SNMPagent may stop functioning due to an "invalid file
descriptor" and the board will reset. 7.30.01
Configuration command 'set snmp user' requires better help and error messages for password
support. 7.40.00
There is a small memory leak in the "show config" command. Issuing this command
repeatedly for 90+ minutes will result in a DSI. 7.40.00
SSH Problems Corrected in 7.62.01.0007 Introduced In:
If an SSH host key is generated while in FIPS mode, that key will not work in firmware versions
prior to 7.41 which do not support FIPS mode. 7.40.00
STP Problems Corrected in 7.62.01.0007 Introduced In:
A watchdog timeout reset may occur when configuring Spanning Tree multiple instances. 7.00.01
VRRP Problems Corrected in 7.62.01.0007 Introduced In:
VRRP non-owner addresses are allowed access to Telnet and SNMP. Only ICMP is permitted. 7.41.02
Pinging an interface address of a VRRP router that does not match the subnet of the client can
result in packet loss while ping is in progress. If the destination IP address is a virtual IP
"non-owner" address, the router erroneously responds using the same VMAC on the local subnet
for which it is the backup router. 7.01.02
Problems Corrected in 7.42.02.0002
OSPF Problems Corrected in 7.42.02.0002 Introduced In:
When removing an OSPF process from the Global Router Context, the OSPF interface
configured parameters will be removed from a VRF whose ID is the same numerical value as
the ID of the OSPF process being removed. 7.30.01
When removing a configured OSPF md5 authentication from an interface using "no ip ospf
message-digest-key X", all other configured OSPF interface options, i.e. hello-interval etc, are
also removed. 7.40.01
Platform Problems Corrected in 7.42.02.0002 Introduced In:
System resets scheduled via CLI or SNMP will not persist following a power cycle or the
occurrence of another system reset. Following the power cycle the "show reset" command will
display all scheduled resets, but when the scheduled time(s) arrive the system will not be
reset. 7.40.00
VRF Problems Corrected in 7.42.02.0002 Introduced In:
When removing an interface from a VRF, an assert may occur in tRtrPtcls with the following
message logged "SMS assert in qcrprs.c at line 358 : || ((grp_target_cb->gtrg_current_operation
== QCRP_GROUP_TRG_OP_QUERY) && (grp_target_cb->gtrg_base.trg_distptr == route_cb)) 0
(((grp_target_cb->gtrg_current_operation == QCRP_GROUP_TRG_OP_QUERY_DFLT_1) ||
(grp_target_cb->gtrg_current_operation == QCRP_GROUP_TRG_OP_QUERY_DFLT_2)) &&
(grp_target_cb->gtrg_base.trg_distptr == NULL) && (route_cb == &LOCAL.fib_pat_default_route)) 0" 7.20.01
VRRP Problems Corrected in 7.42.02.0002 Introduced In:
Non-owner virtual IP address is pingable when accept-mode is disabled. 7.41.03
Problems Corrected in 7.41.03.0009
ARP/ND Problems Corrected in 7.41.03.0009 Introduced In:
The router will respond to ARPs and Neighbor Solicitations even if the associated VLAN
interface is down. 7.00.01
It is possible to enter an invalid VLAN interface when entering the router configuration
command "ipv6 neighbor" or "arp" to create static ND or ARP entries. 7.20.01
IPv6 Neighbor Cache entries for the Neighbor Discovery Protocol will not be updated by
received Neighbor Solicitations when the cache entry is not in the "Reachable" state. 7.30.01
The maximum number of ARP packets that can be processed for each blade has been
increased from 1000 to 2200. ARP packets are no longer limited to 100 packets per second per
port. UNTARGETED
When a blade boots up it may cause some IPv6 interfaces to enter a "stalled" state where the
IPv6 link-local address does not complete DAD. 7.30.01
IPv6 Neighbor Discovery packets are limited to 100 packets per second per port. UNTARGETED
The host neighbor table (used by the host stack for Neighbor Discovery) will keep entries for
ten minutes even if the entry has been deleted from the Router Neighbor Table. 7.41.03
VRRP configurations require the same addresses on two different interfaces. Even though only
one of the interfaces can be master at a time both interfaces may try to be master at the
same time. When this occurs DAD will fail and one of the two interfaces will be stalled until
the interface is bounced. 7.30.01
CoS Problems Corrected in 7.41.03.0009 Introduced In:
When using the "all" option with "show config", CoS may not display all "cos port-configuration"
settings and print the error: "ProcessCfgCosPortCfgVarBinds Error".
When using the "all" option with "show config", CoS may not display all "cos port-resource"
settings and print the error: "cliCfgCllBkcos_port_resource Error".
When using the "all" option with "show config", CoS may not display all "cos settings" and
print the error: "processCfgCosSettings Error". 5.42.xx
Clearing the CoS resource flood control configuration may fail ("Clear failed" returned in CLI) if
the resource has already detected a violation. 7.30.01
DAD Problems Corrected in 7.41.03.0009 Introduced In:
The box may crash when a link-local address passes or fails DAD. Whether or not the box
crashes depends on the state of various other tasks in the box. For example if the IP stack is
trying to send a packet at the time the link-local address passes or fails DAD then the box will
crash.
Here is an example of the message that resets the box:
Message 145/325 Exception PPC750 Info 07.41.02.0011 10/06/2011 16:53:59
Exc Vector: System Reset - Watchdog Timeout exception (0x00000100)
Thread Name: tNet0
Exc Addr: 0x011956b0
Thread Stack: 0x0bf9f000..0x0bf9c000
Stack Pointer: 0x0bf9e9d0
7.41.02
ICMP Problems Corrected in 7.41.03.0009 Introduced In:
Pinging a remote virtual IP that uses the same VRID as local virtual IP and also default gateway
for ping client, can result in unexpected L2 thrashing in the network and potential outage
during the ping session. The destination IP address of ping must also be a virtual IP
"non-owner" address.
Non-owner is a VRRP term where participating routers use same virtual IP address. 7.01.02
When the router receives a "Packet too big" IPv6 ICMP message, it should store the new Path
MTU for at least 5 minutes, but the Path MTU is immediately removed and the router will
fragment only one packet. 7.41.03
IGMP Problems Corrected in 7.41.03.0009 Introduced In:
Multicast flows will not be properly aged out resulting in mismatched tables across slots. 7.20.01
When doing a "set igmp disable" or "set igmp delete", IGMP may not clean up all multicast
groups, and traffic may still be sent to the original clients. 7.30.01
LAG ports can be removed from multicast flows when modules are removed from the system. 7.00.01
IPsec/IKE Problems Corrected in 7.41.03.0009 Introduced In:
When a large IKE configuration is provisioned, there is a possibility that IPSecurity USE flows
and security associations will remain in the configuration. These flows and security
associations in question are in fact removed from the stack, and will have no effect on the
system. Once the security association times out, it will be removed from the view of the
administrator. 7.40.01
When removing a programmed IKE map from the default IPsec instance, when multiple IKE
maps are provisioned, it is possible to crash the box. The chance of the crash increases when
the system is busy and when you have a full IKE configuration. 7.40.01
When configuring IKE, the ipiked daemon was being restarted to resolve timing issues related
to configuration. A side effect of this was a memory leak. 7.41.02
Ipsecurity could significantly slow down the system during IKE configuration. 7.40.00
OSPF encryption could not be removed from a VLAN interface once applied. The only
workaround is to reset the system. 7.61.02
After failure of the master blade with an active IKE configuration, the new master will not be
notified of the primary IP addresses and will not be able to set up the IKE connection. 7.61.02
When adding or removing IPsec encryption from an OSPF connection, you may see
'ipsecurity unlock when lock' messages. When this occurs there is a small window where data
is unprotected, which could result in unpredictable behavior. 7.61.02
LSNAT Problems Corrected in 7.41.03.0009 Introduced In:
When an LSNAT VIP is active and is on an interface that is VRRP backup, an ICMP request to
the VIP will not respond. 7.00.01
Mirroring Problems Corrected in 7.41.03.0009 Introduced In:
When there are 2 or more mirrors active, if a blade resets, is reset, or is removed, the mirrors
may not function correctly afterwards. 7.31.03
MLD Problems Corrected in 7.41.03.0009 Introduced In:
Multicast ICMPv6 echo requests are not delivered to remote networks by the router. 7.30.01
NAT Problems Corrected in 7.41.03.0009 Introduced In:
Bindings may not age out on slave slots causing NAT temp bindings to be exhausted, causing
high distribution CPU utilization. 7.30.01
NDS Problems Corrected in 7.41.03.0009 Introduced In:
The command "show neighbor" could cause the system to reboot. 7.30.01
NetFlow Problems Corrected in 7.41.03.0009 Introduced In:
It is possible when NetFlow is enabled, after a reboot or IP address configuration, the chassis
will fail to generate NetFlow records. Also, the chassis could suffer degradation in
communications with its IP stack. 7.11.02
OSPF Problems Corrected in 7.41.03.0009 Introduced In:
When running OSPF with a large number of ECMP routes, an assert in tRtrPtcls can occur with
the following message: "SMS assert in qodmrts.c at line 1023 : > table_update->num_routes 0
0 0". 7.21.03
Configuring many VLAN interfaces with "ip ospf message-digest-key 7 md5 secret" can cause a
reset after issuing either "show config" or "show running-config" or any variant of those
commands. Inventory Manager via SNMP request can indirectly invoke "show config" which
can cause the reset. The number of interfaces depends on the length of the secret. For
example, a 10 character secret can cause a reset when 32 or more interfaces use the same
md5 authentication command. 7.31.03
PIM-SM Problems Corrected in 7.41.03.0009 Introduced In:
A DSI exception followed by a reset in thread name tDSsync5 may occur after booting a
system that has PIM RP configuration using the "access-list" method. Message with header
similar to this will be logged at the time of reset:
Exc Vector: DSI exception (0x00000300)
Thread Name: tDSsync5
7.30.01
Enabling PIM on an interface could result in the following, along with a slot reset: Unknown
DSI in tNet0 Exc Vector: DSI exception (0x00000300) Thread Name: tNet0 7.00.01
PIM Anycast RP may not replicate PIM Register messages to the other peers in the set if any
one of the peers is not reachable. 7.11.01
The following PIM configuration using 'access lists' is not restored on reboot or failover:
ip pim rp-address <A.B.C.D> group-list xxx
ip pim rp-candidate <A.B.C.D> group-list xxx
<interface-mode> ip pim neighbor-filter xxx
7.30.01
PIM static-rp-override configuration is not restored on reboot or failover. 7.30.01
Platform Problems Corrected in 7.41.03.0009 Introduced In:
Slot in chassis may reset with the following showing in the persistent message log: "Exc
Vector: DSI exception (0x00000300)Thread Name: tDSsync3 Exc Addr: 0x00000000". 7.11.01
PoE Problems Corrected in 7.41.03.0009 Introduced In:
PoE might stop providing power and will not recover until board or 48V power is reset. 4.21.09
RADIUS Problems Corrected in 7.41.03.0009 Introduced In:
Creating a RADIUS authentication or accounting server through Policy Manager fails. 7.41.02
Route Map Problems Corrected in 7.41.03.0009 Introduced In:
A Reset can occur if a large route-map is suspended during display via “show running config”
or “show route-map”. This is often seen in conjunction with an error message similar to the
following:
DistServ[1.tDsBrdOk]serverWatchDog.5, client 53(RtrRmap) in recv for 6003 tics (
0x008a068c 0x0049119c 0x00482034 0x00b5f5b4 0xeeeeeeee )
7.11.01
Route-Map probe state may not match route-map next-hop state after a sync. 7.01.02
SNMP Problems Corrected in 7.41.03.0009 Introduced In:
If both IPv4 and IPv6 management addresses are configured and the interface for either of
these addresses goes down, then the SNMPagent may core due to an "invalid file descriptor",
and the board will reset. 7.30.01
VRRP Problems Corrected in 7.41.03.0009 Introduced In:
VRRP non-owner addresses are allowed access to Telnet and SNMP. Only ICMP is permitted. 7.41.02
Unable to ping virtual IP address from a module that has been reset or newly inserted in a
chassis. 7.21.02
Feature Enhancements in 7.41.02.0014
Host Enhancements in 7.41.02.0014
If user authentication fails during SSH login, the switch now delays 4 seconds before re-prompting the user for
his/her username and password. This delay only applies to SSH user authentication method "password". No
delay has been added to the SSH authentication method "none" (used by the SSH client to detect which
authentication methods the server supports).
The existing delays for TELNET and Console login were increased by 4 seconds. These 2 login methods used to
delay 1 second after the first failure, 2 seconds after the second failure, and so on. The delays are now 5
seconds after the first failure, 6 seconds after the second, 7 after the third, and so on.
MAC Locking Enhancements in 7.41.02.0014
Options to disable port if first arrival threshold is reached and to retain first arrival entries upon port disable.
MSCHAP Enhancements in 7.41.02.0014
MSCHAP supports RADIUS authentications for host access. This allows the system to receive password age
indications and prompt access users to update their passwords.
RADIUS Enhancements in 7.41.02.0014
RADIUS over IPv6 and new IPv6 RADIUS attributes are supported.
Security Enhancements in 7.41.02.0014
Support for a FIPS 140-2 compliant cryptography module. The feature is enabled by the
“set security fips mode enable” command.
Limited support for Internet Key Exchange (IKE) when using IPSEC with RADIUS server communications.
SYSLOG Enhancements in 7.41.02.0014
SYSLOG applications are now grouped as non-secure or secure. Secure log entries are written to a separate file
directory “secure/logs” and are only accessible by users with SuperUser access. These log files cannot be deleted by
any user class. The oldest log files are automatically overwritten when more than 10 log files (approx 2.5MB)
exist.
User access and command execution related syslog messages are now associated with the new “security”
syslog application.
Syslogging for DHCP assignments.
Added syslog messages to report that the syslog local file has been compressed and a new current .log file is active. A
number of traps were added to mirror data previously reported only in syslog, and a number of syslogs were
added to mirror data previously reported only in traps.
System Enhancements in 7.41.02.0014
Support for an additional persistent security log.
Support for Secure Copy (SCP).
IPSec for Host to RADIUS server sessions.
Added new security profile “Command and Control” configured with the “set security profile c2” CLI command.
This profile alters default values for various features required for JITC (US Military Joint Interoperability Test
Command) compliance and also alters the required access level (from RW to SU) for certain commands to
comply with security groupings required for JITC compliance.
Problems Corrected in 7.41.02.0014
ACL Problems Corrected in 7.41.02.0014 Introduced In:
A blade may log the following message and reset: "DistServ[2.tDsBrdOk]serverWatchDog.5,
client 39(RtrACL)in recv for 6531 tics" when there is a lot of traffic along with a big access list
configuration attempting to count hits on access list rules. 7.00.01
ARP/ND Problems Corrected in 7.41.02.0014 Introduced In:
Each time the router synchronizes ARP or ND entries to other blades the resources in use
count will increment by the number of ARP/ND entries involved in the synchronization. This
causes the router to believe more ARP/ND resources are being consumed than actually are
and may cause the router to run out of resources. The counter only affects the Global VRF
(Virtual Router); other VRFs are not affected. 7.00.01
The router will not respond to Router Solicitations received on some blades. 7.31.03
When the master blade fails over to another blade existing ARP and ND entries will no longer
time out at the expected times. This may cause entries to remain in the same state until all
entries are cleared via the "clear arp" and "clear ipv6 neighbors" commands. Unknown
Auth Problems Corrected in 7.41.02.0014 Introduced In:
If the system authentication login type is set to either RADIUS or TACACS the local database
will still be attempted if either of those remote protocols are not able to authenticate a
management session. 5.42.xx
CLI Problems Corrected in 7.41.02.0014 Introduced In:
The CLI command "set system password history" does not return an error when an out of
range value is entered. UNTARGETED
The CLI commands for "set system password <options>" do not return an error when invalid
parameters are entered. UNTARGETED
When the reset command is being audited, if the user answers incorrectly to the question “Do
you want to continue” which should be y or n, the status is still OK. 5.42.xx
Executing the "configure <filename>" command does not check to ensure the <filename> is a
file that exists. 1.07.19
Certain terminal programs may default to outputting the DEL character when the Backspace
key is pressed. This will cause a user to not be able to backspace properly over their answer to
a confirmation question in the CLI. 1.07.19
The following configuration settings would get reset to defaults if they were set to non-default
values on a 07.40+ code version and then the image was set back to a 07.30 revision:
set system lockout attempts 3
set system lockout time 15
set system lockout inactive 0
set system password aging disabled
set system password history 0
set system password length 8
set system password min-required-chars uppercase 0 lowercase 0 numeric 0 special 0
7.00.01
Entering '?' at end of 'set banner login/motd <banner>' command does not display <cr>
signifying the command is complete. 1.07.19
The syslog message "unexpected error(time out)" may be observed if a session is closed while
issuing a "show port status" command. 5.42.04
Executing the command "show interface" may cause the router to reset. 7.00.01
CoS Problems Corrected in 7.41.02.0014 Introduced In:
"clear cos port-config txq all" does not remove the arb-slice settings. 7.00.01
CTRL-C during a Class of Service command may result in a SYSLOG message (level error)
stating that the command failed. 5.42.xx
Disabling options under the Class of Service command port-resource flood-ctrl will not remove
the entry, if all values have been removed. 7.00.01
The Class of Service settings command tos-value does not correctly read all values. 5.01.58
DAD Problems Corrected in 7.41.02.0014 Introduced In:
The Duplicate Address Detection (DAD) status of IPv6 addresses will remain tentative on
non-master blades when the master blade has already completed DAD and a new blade is added
to the system. This problem does not occur if all blades boot at the same time. 7.31.03
DHCP Problems Corrected in 7.41.02.0014 Introduced In:
DHCP request with option 51 (lease time) in the packet will allocate a lease with the time
specified in the packet and ignore the configured lease time for the pool if the time is greater
than 60 seconds and less than 100 days. 7.00.01
Static host lease using the same MAC address cannot be configured in multiple dhcp pools. 5.42.04
Unable to clear active lease with the 'clear ip dhcp binding'. This is due to a DHCP Discovery
packet being sent to an active lease that matches the MAC or the client ID. 7.00.01
The 'clear ip dhcp binding' may not clear out the active lease. This will occur when a DHCP
Discovery packet is received that matches the MAC or client ID of the active lease. 7.00.01
A DHCP discover message to active lease will cause the lease to ageout in 10 seconds which is
the offer ageout time instead of the active lease ageout time. 7.30.01
Entity-MIB Problems Corrected in 7.41.02.0014 Introduced In:
Linecards do not fully reflect the appropriate values for the entStateEntry in the ENTITY-MIB
when halted for hardware or firmware reasons. 7.30.01
The entStateAlarm leaf of the ENTITY-MIB does not correctly reflect the alarm bits that have
been set for a particular entity. 7.30.01
Host Problems Corrected in 7.41.02.0014 Introduced In:
The IPv6 packet reassembly timeout period has been increased from 5 seconds to 60 seconds
in order to comply with RFC2460 (see section 4.5). 7.03.01
When attempting to traceroute to an unreachable host, traceroute prints bogus rtt values
instead of asterisks. 7.00.01
HostDos Problems Corrected in 7.41.02.0014 Introduced In:
'hostDoS badSIP' and 'hostDoS spoof' will flag IPv6 neighbor advertisements received with
source IPv6 address equal to a configured address on the received interface seen during
duplicate address detection. In this case, duplicate address detection does not function
properly resulting in duplicate addresses on the network. 7.11.01
If 'hostDoS badSIP' is configured and the router, acting as a DHCP relay agent, forwards any
BOOTP reply packet with the broadcast bit set, then hostDoS will flag the packet as a 'badSIP'
attack. The packet is still transmitted correctly. 7.00.01
Enabling HostDos portscan will prevent telnet sessions to host addresses. 7.40.01
ICMPv6 Problems Corrected in 7.41.02.0014 Introduced In:
ICMPv6 packets with bad next headers are silently dropped. The host should respond to the
sender with an ICMPv6 "Parameter Problem" message. 7.21.01
ICMPv6 error messages are not sent if destination IPv6 address is a link-local address and is
not present in the neighbor cache. 7.20.01
If the result of an IPv6 route lookup yields an egress interface equal to the ingress interface
and the nexthop from the route lookup is an IPv6 link-local address, no ICMPv6 redirect
message was sent to source of packet. 7.20.01
IGMP Problems Corrected in 7.41.02.0014 Introduced In:
"show config all igmp" or "show config all mld" may not display all igmp (or mld)
configuration. 7.40.01
Incorrect syslog for invalid source IP may be displayed when an adjacent router is reset. 7.30.01
IGMP groups may not be removed after the last member leaves the group. 7.30.01
IGMPv3 group records may incorrectly remain in the INCLUDE state. 7.30.01
IKE Problems Corrected in 7.41.02.0014 Introduced In:
A memory leak occurs when removing a provisioned IKE map from a default instance when
multiple IKE maps are provisioned. 7.40.01
A small memory leak may occur when the crypto configuration is displayed via the CLI. 7.40.01
After an IKE QUICK MODE negotiation, the IKE SA (created by the MAIN MODE negotiation)
would occasionally disappear causing all QUICK MODE and INFORMATIONAL messages related
to that IKE SA to be ignored. Subsequent QUICK MODE negotiations would require another
MAIN MODE to be negotiated before the provisioned timeout. 7.40.01
Using a config delimiting character ('}', '{', "'", "\"", '#') in the pre-shared key breaks the IKE
daemon linux-style config. The PSK should be converted to ascii-encoded hex when
programming IKE. 7.40.01
Using an IKE map with require flows enabled (request flag _not_ set), with a src/dst network
range would result in the 'show ipsec flow' command displaying not programmed. This is only
a display issue and would not cause any issues with an active IKE connection. 7.40.01
IKE configurations that are only applicable to the default VRF would appear in all non-default
VRF's show running. VRF validation should be performed for all IKE show running commands. 7.40.01
No restrictions were put on the lifetimes for IKE main/quick mode negotiations. Setting these
values to zero would set the IKE daemon into a constant negotiation loop. Limits should be
implemented to match that of the IKE implementation in the Microsoft Windows Server 2008.
Main mode is limited to 1-2879 minutes. Quick mode is limited to 5-2879 minutes /
20480-2147483647 KB. Any IKE maps/policies configured outside of these ranges will be invalid on
upgrade. 7.40.01
When configuring multiple IKE connections that are using policies with the same SA/DA, IKE
maps are internally linked to the wrong policy. This could potentially cause a crash, which was
more likely if the system was under load. 7.40.01
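Added example for the pre-shared key entry above (not Extreme Networks code and not the ipiked file format): a constructed brace-delimited config grammar showing why a PSK written verbatim breaks on the listed delimiter characters and why ASCII-encoded hex does not. The grammar and the names tokenize, parse, render_naive, render_hex and outcome are assumptions made for illustration.

```python
# Added example. The grammar below is a constructed model of a brace-delimited
# daemon config; it is NOT the ipiked file format, and every name is hypothetical.

class ConfigError(ValueError):
    """Raised when the constructed config text cannot be parsed."""

def tokenize(text):
    """Split text into ("word", s) and ("sym", c) tokens; '#' starts a comment."""
    tokens, word, i = [], "", 0

    def flush():
        nonlocal word
        if word:
            tokens.append(("word", word))
            word = ""

    while i < len(text):
        ch = text[i]
        if ch == "#":                       # comment: skip to end of line
            flush()
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        if ch in "\"'":                     # quoted string, no escape support
            flush()
            end = text.find(ch, i + 1)
            if end < 0:
                raise ConfigError("unterminated quoted string")
            tokens.append(("word", text[i + 1:end]))
            i = end + 1
            continue
        if ch in "{};":
            flush()
            tokens.append(("sym", ch))
        elif ch.isspace():
            flush()
        else:
            word += ch
        i += 1
    flush()
    return tokens

def decode_value(value):
    """Values written as 0x... are ASCII-encoded hex; anything else is literal."""
    if value.startswith("0x"):
        try:
            return bytes.fromhex(value[2:]).decode("ascii")
        except ValueError as exc:
            raise ConfigError("bad hex value") from exc
    return value

def parse(text):
    """Parse 'peer NAME { KEY VALUE; ... }' blocks into {name: {key: value}}."""
    toks, peers, pos = tokenize(text), {}, 0
    while pos < len(toks):
        head = toks[pos:pos + 3]
        if (len(head) < 3 or head[0] != ("word", "peer")
                or head[1][0] != "word" or head[2] != ("sym", "{")):
            raise ConfigError("expected 'peer NAME {'")
        name, settings, pos = head[1][1], {}, pos + 3
        while True:
            if pos >= len(toks):
                raise ConfigError("missing closing brace")
            if toks[pos] == ("sym", "}"):
                pos += 1
                break
            stmt = toks[pos:pos + 3]
            if (len(stmt) < 3 or stmt[0][0] != "word"
                    or stmt[1][0] != "word" or stmt[2] != ("sym", ";")):
                raise ConfigError("expected 'KEY VALUE;'")
            settings[stmt[0][1]] = decode_value(stmt[1][1])
            pos += 3
        peers[name] = settings
    return peers

def render_naive(peer, psk):
    """Paste the PSK into the file verbatim (the behaviour the note describes)."""
    return f"peer {peer} {{\n    psk {psk};\n    mode main;\n}}\n"

def render_hex(peer, psk):
    """Write the PSK as ASCII-encoded hex so no key byte reaches the tokenizer."""
    return f"peer {peer} {{\n    psk 0x{psk.encode('ascii').hex()};\n    mode main;\n}}\n"

def outcome(render, psk, peer="192.0.2.10"):
    """Return 'ok', 'changed' (parsed key differs) or 'rejected' (parse error)."""
    try:
        parsed = parse(render(peer, psk))[peer].get("psk")
    except ConfigError:
        return "rejected"
    return "ok" if parsed == psk else "changed"

# Constructed sample keys: one plain, one per delimiter from the note, one quoted.
SAMPLES = ["PlainKey123", "Str0ng}Secret", "Str0ng{Secret", "Str0ng'Secret",
           'Str0ng"Secret', "Str0ng#Secret", '"Secret"']

if __name__ == "__main__":
    for key in SAMPLES:
        print(f"{key!r:18} naive={outcome(render_naive, key):9} "
              f"hex={outcome(render_hex, key)}")
```

The "changed" outcome is the one to watch for in practice: the file still loads, but the daemon negotiates with a different key than the one the operator entered.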
IPsec Problems Corrected in 7.41.02.0014 Introduced In:
Removing a virtual link with encryption from the running-config will generate an unrelated
error message: "Error: Each 64 bit block of a 3des key must differ". 7.31.03
It was possible for the displayed IPSec security associations to reflect an inaccurate
representation of the system configuration. Security Associations now have an expiration
timer associated with them, and will be cleaned up in this situation. 7.40.01
When negating IPSecurity "authentication" and "encryption" commands, the obscured
password will only be deleted if the negated command type (authentication or encryption)
matches the command used for configuring IPSecurity. 7.40.01
IPv4 Forwarding Problems Corrected in 7.41.02.0014 Introduced In:
IPv4 default route configured as 'reject' or 'blackhole' is not displayed in output of commands
'show running-config' or 'show ip route' even though the route is configured. 7.20.01
LAG Problems Corrected in 7.41.02.0014 Introduced In:
Inserting a new blade into a chassis may cause all filter database entries on a LAG port to be
flushed. 7.00.01
LinkFlap Problems Corrected in 7.41.02.0014 Introduced In:
Continuous linkflap violation is observed after disabling ports. 4.00.50
LLDP/CDP/CiscoDP Problems Corrected in 7.41.02.0014 Introduced In:
If a neighbor is formed with LLDP or CDP along with CiscoDP, the Device ID found in the "show
neighbor" command for CiscoDP may not match the Device ID shown in "show neighbor
-verbose". 7.30.01
LSNAT Problems Corrected in 7.41.02.0014 Introduced In:
It is possible when an FTP binding is allowed to age out that when the FTP connection ages,
traffic will be dropped due to unauthorized access to/from a real server, causing additional
traffic being generated from the server. 7.00.01
MACAuth Problems Corrected in 7.41.02.0014 Introduced In:
"Show Macauthentication" followed by an invalid port string incorrectly displays the CLI
header. 4.05.07
SNMP queries to the etsysMACAuthenticationSessionTable may take long periods of time if
many inactive policy sessions have accrued over time. 5.42.xx
The command "set macauth authallocated" would return "OK" rather than "FAILED" when
invalid data was entered. 6.12.01
The command 'clear macauthentication significant-bits' would not clear the significant bits
and instead state an error message. 7.31.02
MAC locking first arrival entries persist after disabling MAC locking on a given port or
disabling MAC locking globally. 5.42.xx
Mirroring Problems Corrected in 7.41.02.0014 Introduced In:
If a LAG port is the source port of a port mirror and a Line Card that contains at least one
underlying port in that LAG is reset, or removed and replaced, the mirror may not function
correctly thereafter. In addition, error messages similar to following may be logged:
Dune[7.dTcmTask]Petra[0] Received Interrupt PETRA_IRE_FAP_PORT_ERR instance 0, count
30, value= 0x1
7.30.01
When needing to decide which mirrors to apply for a given flow, a Vlan mirror would
incorrectly take precedence over a Policy Mirror or Port Mirror. 7.11.01
MultiAuth Problems Corrected in 7.41.02.0014 Introduced In:
Failed authentication attempt entries would not be cleared or reused. 7.31.03
Multicast Problems Corrected in 7.41.02.0014 Introduced In:
In chassis with large amounts of L3 Multicast flows, some flows may not be removed from
hardware when they should be. This can lead to flows not being re-established correctly. 7.30.01
NetFlow Problems Corrected in 7.41.02.0014 Introduced In:
When a "set netflow port [port-string] disable" command is issued with the optional direction (rx, tx or both) included, the direction should be ignored and the port(s) set to disable. However, instead, the port(s) are enabled for the direction in the cli command. 7.03.01
OSPF Problems Corrected in 7.41.02.0014 Introduced In:
The code descriptions in output of 'show ip route' and 'show ipv6 route' spell OSPF with a 0 (zero) in one instance. 7.00.01
The command "show ip ospf interface" does not display tunnel interfaces. 7.40.01
Configuration of an out-of-range value for ospf graceful-restart restart-interval will cause OSPF to restart. 7.20.01
Loopback networks matching a configured OSPF range will not be summarized by the area border router. 7.20.01
The "redistribute bgp" CLI option appears in OSPFv3 configuration mode on platforms which do not support BGP. 7.30.01
Tunnel interfaces default to type BROADCAST in OSPF. They can be configured to be POINT-TO-POINT. 7.40.01
Unrecognized OSPF encrypted virtual-link configuration is now ignored and will no longer cause a DSI exception. 7.31.02
Display of OSPFv3 network and link advertisements use dotted decimal notation for the link id which makes it difficult to determine what interface index the link id represents when the ID is greater than 255. 7.30.01
When running OSPF with duplicate router-ID's and a virtual link configured between these routers, an assertion failure and system reset can occur in thread, tRtrPtcls. The message log will display "SMS assert in ntlavll.c at line 231 : != AVL3_IN_TREE(*node) 0 0 0 ". 7.00.01
PIM Problems Corrected in 7.41.02.0014 Introduced In:
The commands "show ip pim rp" and "show ip pim rp-hash" show RP information for groups configured for SSM. 7.30.01
Platform Problems Corrected in 7.41.02.0014 Introduced In:
Changing or creating a password would fail even if all requirements were met, with the following message:
Please enter old password:
Please enter new password:
Error: Password does not meet the minimum change requirement.
This happens when "set system password substring-match-len" is set larger than the new password entered. 6.00.02
Non-default console configuration of USB console ports is lost after a reset following a 'configure' of the device. 7.00.01
"set system password aging disable" has no effect. 7.40.01
A Machine Check Exception may occasionally occur at bootup causing an extra reboot. 7.30.01
Clearing a linecard that is still in the process of initializing may cause the chassis to reboot. 7.31.02
During the execution of a "clear config all" command, the following syslogs may be seen on blades with large configurations:
Message 12/65 Syslog Message 07.41.02.0001 07/27/2011 11:33:18
<1>DistServ[7.tDsBrdOk]serverWatchDog.5, client 43(FileMgr) in recv for 6557 tics
Message 15/65 Syslog Message 07.41.02.0001 07/27/2011 11:33:09
<3>NonVol[7.tDSrecv5]Error: nonVolStoreClear(6) timed out.
Message 16/65 Syslog Message 07.41.02.0001 07/27/2011 11:32:13
<3>System[7]Starting to clear all persistent data on this module.
7.30.01
The message logged will not provide detail for the customer to evaluate the situation if the system's last operational time is ahead of the current time found in the Real Time Clock at boot time by more than one half hour. 7.01.04
The output of 'show support' can pause for durations of 30 seconds with output such as "Timed out waiting for response from device 2" displayed after these pauses. 5.21.25
"set port mdix <port> mdi" results in hardware being configured for "mdix" (crossover) mode and "set port mdix <port> mdix" results in hardware being configured for "mdi" (straight-through) mode; reversed from what would be expected. 7.00.01
Setting port speed on a phantom port changes other ports speed/duplex. 7.30.01
Default speed and duplex is inconsistent for ports of unknown type. 6.00.02
PoE Problems Corrected in 7.41.02.0014 Introduced In:
Using manual module power assignments might incorrectly allocate power to the modules. 7.30.01
RADIUS Problems Corrected in 7.41.02.0014 Introduced In:
An inactive and incomplete RADIUS authentication server could be configured through the CLI using the "set radius realm" command. 7.00.01
Configuring an IPv4 radius server with the NAC utility will fail. 7.40.01
Entries in the deprecated radiusAuthServerTable and radiusAccServerTable do not return any values. 7.40.01
If configured via SNMP a radius server may be in the active state when it is not fully configured. 7.30.01
Inactive RADIUS servers are persistently stored across reboots. 7.40.01
Route-Map Problems Corrected in 7.41.02.0014 Introduced In:
The connection level may not be appropriately set for Route-Maps in Non-Global VRF's. 7.20.01
The numeric range accepted via the CLI for the route-map match metric commands is greater than the range of values that can possibly be matched. 7.21.01
A redistribution route-map clause that matches a tunnel interface will not redistribute routes into the protocols. 7.40.01
In rare cases, after a sync event, negating a route-map may fail to work properly. 7.21.01
Routing Problems Corrected in 7.41.02.0014 Introduced In:
During router failover, the new router blade may reset during IPv6 route updates. 7.21.01
Given a chassis with static routes configured, inserting a card with a different set of static routes in nonvol such that the sum total of static routes configured in the chassis plus the new slot exceeds the maximum allowed causes the new slot to reset during boot. 7.00.01
Help text for the Route-Map med and local-preference commands lacks the accepted range of values. 7.30.01
SNMP Problems Corrected in 7.41.02.0014 Introduced In:
SNMP user cleartext passwords show up in CLI audit records. 6.01.01
SNMPv3 traps use the on-link IPv6 address instead of the management IPv6 address as their source. 7.20.01
SNMP user privacy password configuration is not configured when the "configure" command, along with a configuration file, is used to restore SNMP user configuration, resulting in loss of SNMP v3 access. 7.40.01
A failure to open an IPv4 or IPv6 trap transport may result in a system reset. 7.40.01
SSH Problems Corrected in 7.41.02.0014 Introduced In:
If a user enters "set ssh hostkey ?", <cr> is listed as an option; it should not be. 6.11.01
Ungracefully disconnected SSH sessions can become hung and cannot be cleared using the 'disconnect' command. 2.00.13
Ungracefully disconnected SSH sessions can hang indefinitely. If four sessions become hung the SSH server will not allow any new connections. 7.00.01
CLI sessions can become hung when attempting to disconnect a session which is running the SSH client. 7.21.01
The maximum number of failed login attempts for SSH sessions does not match the value set with the "set system lockout attempts" command; it is hardcoded to 7 attempts. 7.00.01
If the user doesn't enter their password within a minute they are disconnected without a proper error message. 7.11.01
If a user attempts to disconnect the console session while it is running the SSH client, the console session will hang indefinitely. 7.21.01
The maximum number of login attempts for SSH is six and is not affected by the 'set system lockout attempts' command. 7.00.01
Secure Copy uses on-link IP instead of the management IP as its source address. 7.30.01
CLI help for the host option does not show the "user@" syntax. 7.20.01
SSH child tasks sometimes do not clean up and exit properly, eventually making it so no new SSH sessions can be established. 7.00.01
When attempting to disconnect an SSH session which the server has lost contact with, the session will remain established. 7.00.01
Switching Problems Corrected in 7.41.02.0014 Introduced In:
Frames of Ethertype 0x0800 that did not have a valid Version 4 IP header, and frames of Ethertype 0x86dd that did not have a valid Version 6 IP header, were correctly prevented from being routed, but were also prevented from being switched. 7.00.01
SYSLOG Problems Corrected in 7.41.02.0014 Introduced In:
In code versions prior to 7.40.01, plaintext password strings may still appear in the syslog and security log messages. They should be obscured. 7.00.01
Invalid syslog messages logging that the account has been locked are issued when a user exceeds the failed login attempts while lockout time is configured to 0 (disabled):
<165>Jun 2 15:51:32 110.1.198.8 CLI[7]User: admin has been disabled
<165>Jun 2 15:51:32 110.1.198.8 CLI[7]User: admin failed login from 10.1.5.50(ssh)
1.07.19
Performing the command "set logging application <mneumonic> level <level> servers <servers>" with an invalid value entered for the application <mneumonic> results in the server list defined as <servers> being applied to all logging applications. 3.00.33
"set logging local file" option configuration is lost when reverting to firmware versions prior to 7.41.01. 7.40.01
Configuration of logging server defaults utilizing "set logging default [facility] [severity] [port]" incorrectly overrides individual logging server configuration of those same parameters if the logging server parameters are configured the same as defaults (i.e. facility(local4), severity(8), or port(514)). 1.07.19
Logging server configuration indexes decrement by one or disappear when upgrading from versions prior to 7.41.01. 7.40.01
The source string in a CLI command audit syslog message is not large enough to hold an IPv6 source address string. 7.00.01
Obscure passwords in syslog and security log messages. In code versions prior to 7.40.01, plaintext password strings may still appear in the syslog and security log messages. 7.00.01
System Problems Corrected in 7.41.02.0014 Introduced In:
Fabric Queue credit messages may get dropped resulting in lower than expected forwarding rates. This is most noticeable on some systems moving 78 byte packets. 7.0
When a blade is reset (or a new blade is inserted into a running chassis), routed interfaces will bounce link during the initialization process. 7.41.01
VLAN Problems Corrected in 7.41.02.0014 Introduced In:
"set port vlan <port-string> <pvid>" CLI command could cause a system reboot if an internal SNMP request times out. 7.30.01B
VRF Problems Corrected in 7.41.02.0014 Introduced In:
It is possible to delete an interface from a VRF other than the VRF on which the interface was created. 7.20.01
VRRP Problems Corrected in 7.41.02.0014 Introduced In:
Static routes using vrrp associated ip address as a nexthop will generate this message "RtrVRRP[1.tVrrpEvt]Failed: IP <virtual IP Addres> adding to vlan <ID>" when the vrrp instance becomes master on boot up. This will prevent ARP from responding to requests directed to the virtual gateway. 7.01.03
The Master priority value displayed in 'show ip vrrp verbose' may not reflect the correct priority when the instance is in the master state and when critical ip is configured. 7.01.02
Unable to ping virtual IP address when it is received on an interface other than the interface on which vrrp is configured. 7.30.01
The following commands require the vrrp instance to be disabled before they can take effect:
vrrp accept-mode
vrrp address
vrrp advertise-interval
vrrp preempt
vrrp primary-address
vrrp priority
7.00.01
Webview Problems Corrected in 7.41.02.0014 Introduced In:
Changing the webview port with the command line interface command "set webview port" while actively logged in through the http application webview could result in slot instability and a message similar to "<1>DistServ[1.tDsBrdOk]serverWatchDog.1, client 8 in recv for 6725 tics". 5.42.04
With a configuration of "set logging application Webview level X" where X is either 7 (information) or 8 (debugging) the following message is seen at startup: "Webview[11]wbmHelperTask(): Receive message: Webview status changed to enabled, value 65616(0x10050)". 7.40.01
Problems Corrected in 7.31.04.0002
ACL Problems Corrected in 7.31.04.0002 Introduced In:
A blade may log the following message and reset: "DistServ[2.tDsBrdOk]serverWatchDog.5, client 39(RtrACL)in recv for 6531 tics" under high traffic loads and large access list configurations. 7.00.01
CLI Problems Corrected in 7.31.04.0002 Introduced In:
A reset caused by a DSI exception occurs when executing a CLI script file that contains the 'show config outfile' command. The CLI task executing the command will be listed in the exception message. 5.35.16
The "set port vlan <port-string> <pvid>" CLI command could cause a DSI exception and reset if an internal SNMP request times out. The CLI task executing the command will be listed in the exception message. 7.30.01
The audit log for a CLI script which contains the 'show config outfile' command displays NULL information. 5.35.16
A buffer overrun could occur while generating CLI syslog when executing CLI through an IPv6 telnet or SSH session. 7.00.01
Config Problems Corrected in 7.31.04.0002 Introduced In:
The following configuration settings would get reset to defaults if they were set to non-default values on a 07.40+ code version and then the image was set back to a 07.30 revision:
set system lockout attempts 3
set system lockout time 15
set system lockout inactive 0
set system password aging disabled
set system password history 0
set system password length 8
set system password min-required-chars uppercase 0 lowercase 0 numeric 0 special 0
7.00.01
IGMP Problems Corrected in 7.31.04.0002 Introduced In:
An invalid source IP may be inappropriately syslogged when an adjacent router is reset. 7.30.01
L2 Forwarding Problems Corrected in 7.31.04.0002 Introduced In:
Frames of Ethertype 0x0800 that do not have valid Version 4 IP header are correctly prevented from being routed, but are also prevented from being switched. 7.00.01
MultiAuth Problems Corrected in 7.31.04.0002 Introduced In:
Failed authentication attempts count toward multiauth capacities. 7.31.03
PoE Problems Corrected in 7.31.04.0002 Introduced In:
Using manual module power assignments might incorrectly allocate power to the modules. 7.30.01
VRRP Problems Corrected in 7.31.04.0002 Introduced In:
Unable to ping a VRRP virtual IP address on an interface that doesn't have VRRP enabled. 7.30.01
Feature Enhancements in 7.31.03.0010
Multicast Enhancements in 7.31.03.0010
IGMPv3 and Source Specific Multicast (PIM-SSM).
Routing Enhancements in 7.31.03.0010
User defined descriptions for router interfaces.
DCB Enhancements in 7.31.03.0010
Support added for 802.1Qaz ETS, (Data Center Bridging – Enhanced Transmission Selection).
PIM Enhancements in 7.31.03.0010
The ability to change the internal priority of a Static RP lower than a Candidate RP via the "[no] ip pim static-rp-override" command was added.
NDS Enhancements in 7.31.03.0010
New TLV’s, extensions and syslog additions - LLDP - 802.3AB 2009, added show neighbor verbose option to CLI,
and added show neighbor information to ‘ShowSupport’ output.
Spanning Tree Enhancements in 7.31.03.0010
802.1Q-2005 restrictedRole and restrictedTCN functionality.
SNTP Enhancements in 7.31.03.0010
Simple Network Time Protocol support for MD5 authentication.
LACP Enhancements in 7.31.03.0010
Addition of standby ports for LAG ports; ‘show lacp’ and portStandbyReason for ports within a LAG ‘show port
lacp’.
CLI Enhancements in 7.31.03.0010
The reset scheduled via CLI (i.e., "reset in|at hh:mm reason") as well as all SNMP initiated timed operations
(i.e., resetHardware, imageDownload, configurationUpload, etc.) are now redundant (all entries will persist
following reset or failure of the master slot) and persistent (pending entries will persist following reset or
failure of the chassis).
Problems Corrected in 7.31.03.0010
802.1x Problems Corrected in 7.31.03.0010 Introduced In:
Directed EAPOL identity requests are not sent in response to non-EAPOL traffic. 7.00.01
802.1x sessions re-authenticating with an active VLAN ID do not clear the VLAN if no VLAN ID is present in the RADIUS authentication transaction. 7.00.01
802.1x authentications do not allow for the appropriate number of RADIUS transmissions for each RADIUS transaction. The number of retransmissions configured is used as a maximum for the entire 802.1x authentication process. 5.42.xx
ACL Problems Corrected in 7.31.03.0010 Introduced In:
When issuing the command "show router limits <VRF-name>", the in use information displayed is for all ACLs configured across all VRFs rather than just the VRF specified in the command. 7.11.02
The CLI configuration of an extended ACL for IPV4 using the AH keyword should be deprecated. The command should be removed from the CLI and existing AH rules should be changed to remarks in access lists. The protocol for AH (Authentication Header) was allowed previously but was never implemented in packet filtering. 7.00.01
When an IPv6 access list is removed from host access by the "no ipv6 host-access <acl-name>" command, kill connections established by deny rules being hit fail to be reaped. 7.20.01
A host-access list applied in the global router controls access for host-directed frames received on VLANs in other VRFs. 7.21.01
The command "show limits" should show the chassis limits, but for ACLs the in-use column was not including contributions from VRFs other than the global VRF. 7.03.02
The VRF name has been added to the syslog output for ACL rule logging. 7.03.02
ARP/ND Problems Corrected in 7.31.03.0010 Introduced In:
The 'pub' option on the 'set arp' command is ignored, but should cause an error message when used. 7.00.01
The router does not have a method to configure timeout values for Neighbor Discovery (ND) cache entries. 7.20.01
Configured link-local addresses on loopback interfaces will not display the interface identifier along with the IPv6 address. For example if you configure a loopback link-local address of fe80::6 the address will be displayed as fe80::6 instead of fe80::6%loop.0.x as it should be displayed. 7.20.02
Neighbor Solicitations and Neighbor Advertisements sent to the router may change the physical address of the Neighbor Cache entry even if the Neighbor Cache entry is not dynamic. 7.21.01
When performing Neighbor Discovery for packets that are forwarded through the router, the router will send up to ten (10) Neighbor Solicitations before sending an ICMP Destination Unreachable packet. The router should only send three (3) Neighbor Solicitations. 7.21.01
The host stack and router maintain separate ND caches. Locally generated traffic and routed traffic may require multiple Neighbor Discovery processes. 7.21.01
Under a very heavy load ARP entries may fail to resolve. 7.00.01
The interval between Neighbor Solicitations is based on the "ipv6 nd retransmit-time" configuration command instead of the "ipv6 nd ns-interval" interface command. The actual interval used may come from a number of sources but the value used should first come from the interface command, then the configuration command, then any NS interval that has been received from router advertisements. 7.21.01
Sending a large number of ARPs using multiple ports on multiple blades may cause the system to temporarily run out of packet buffers needed to keep all blades up to date. 7.01.02
The router does not restrict the number of ARP or ND entries that can be associated with a specific interface. Unknown
The following message may incorrectly get generated for VRRP addresses: “<165>Jun 23 07:20:00 11.0.0.1 RtrArpProc[1]11.0.0.4 responds to ARP requests using a Sender Hardware Address [00-00-11-fa-00-00] that does not match the L2 source address [00-00-11-ff-00-00].” Additionally the Sender Hardware Address does not exist in the Filter Database. This is often caused by Network Load Balanced Servers without a corresponding switch configuration. Please create a static Filter Database Entry for: 00-00-11-fa-00-00 (see release notes or configuration guide) Unknown
CDP Problems Corrected in 7.31.03.0010 Introduced In:
A ctCDPNeighborCapabilities MIB request will return an invalid value. It should return the bits value in the format defined in the MIB. 7.00.01
The command "show neighbor" will not display all neighbor protocols. If a neighbor is received by multiple protocols, only one protocol is displayed. 7.00.01
Occasionally the mibs ctCDPNeighborLastChange and ctCDPNeighborLastDelete will reset to a value of zero when no change or delete was made. 5.42.xx
CEP Problems Corrected in 7.31.03.0010 Introduced In:
Customer configured CEP detection entries are ignored after reboot of standalone devices or a single module in a chassis by itself. 5.25.16
CiscoDP Problems Corrected in 7.31.03.0010 Introduced In:
The capabilities field in the Cisco discovery protocol packet is generated incorrectly. It uses the Cabletron discovery protocol bit format instead. This causes other devices to misunderstand our capabilities when Cisco discovery protocol is used. 5.42.xx
Changing the CiscoDp holdtime value will not take effect in packets transmitted directly after configured. 5.42.xx
CLI Problems Corrected in 7.31.03.0010 Introduced In:
The command "set port alias" accepts VLAN interfaces but fails to set the alias for VLAN. 7.00.01
CLI help text for set/show/clear authentication command displays the help text for set/show/clear arp. Unknown
CLI error messaging for invalid range vlan-list argument is inconsistent. 6.12.01
The 'clear console' command would not clear the console config for all slots. 1.07.19
In the CLI, the "dir" output may not display which image is marked for "Boot". 4.21.11
In router mode, the interface command shows "tunnel" as a valid interface type. 7.21.01
The command "configure slot<x>/" is accepted as a valid command. 7.00.01
CLI scripts executed via the script command can end before the entire script has executed if the script contains blank lines. 5.35.16
Cannot <ctl-c> out of 'show support' once it is running. 5.31.17
A CLI session timeout from a console VRF CLI context results in the prompt displaying that previous VRF on the next console login when the user enters 'config' mode. 7.03.06
Show command options for BGP and IS-IS are displayed on hardware platforms that do not support these features. If these commands are entered on these platforms no output will be displayed. 7.20.01
Pasting a large amount of CLI commands into a SSH or Telnet CLI session results in the loss of input characters and thus commands will fail. 7.00.01
CoS Problems Corrected in 7.31.03.0010 Introduced In:
Some COS CLI commands could fail but still return an OK status. 5.01.58
The CLI command "clear cos violations [irl/orl] all" command does not clear violation counters. 4.05.08
The etsysCosFloodCtrlResourceAction does not return correct values. 7.00.01
Setting the etsysCosFloodCtrlViolationClearTable MIB does not result in Flood Control Violation counters being cleared. 7.00.01
Setting etsysCosFloodCtrlResourceClearCounters MIB does not lead to Flood Control Counters being cleared. 7.00.01
N-Series Diamond DFE modules do not support COS ORL settings, but they are available via CLI. 7.11.01
The command options of "set cos port-resource" will clear current options when a new option is configured. 1.07.19
"show cos port-config flood-ctrl...append" displays incorrect error message when attempting to add a port to a non-existent port group. 1.07.19
Execution of "show cos port-config" cli command leads to loss of available memory (memory leak). 7.00.01
The command "clear cos syslog" does not clear configuration back to default values. 5.42.xx
The Class of Service port-resource command only accepts one resource value per line. 5.01.58
The command "set cos port-resource syslog" contains a misleading description of command. 7.00.01
The command "set cos settings <cos-list> flood-ctrl" contains a misleading description of command. 7.00.01
The command "set cos port-resource flood-ctrl" contains an invalid unit type of tbps. 7.00.01
The mibs etsysCosTxqReference, etsysCosIrlReference and etsysCosOrlReference allow configuration of an invalid reference number. 7.00.01
Changes to COS reference mappings will not take effect on established flows that are programmed in the hardware. 5.42.xx
When clearing Class of Service violations, the violations are not removed. If configured to disable a port when a violation is hit, the port will be disabled from the violation that should have been removed. 7.00.01
COS syslog flood control violation messages are not including the packet detail when the extended syslog setting is enabled. 7.01.02
CLI command "show config cos" fails to display COS port-resource flood-ctrl information. 7.21.01
CLI command "clear cos all-entries" fails to clear COS syslog portion. 7.00.01
Flood-ctrl violated port is displayed as Not-violated in the "show cos violation flood-ctrl -i" CLI command for group-index 0.0. 6.12.03
Additional options following the all keyword in the command "clear cos port-resource <resource type> all [additional options]" will result in the resource not being fully removed. 5.42.xx
"show cos settings <cos-list>" does not display values for valid COS indexes if the list contains a COS index not configured. 5.42.xx
Maximum supported port type value in error messages for cos commands are not always correct. 5.42.xx
COS violation SNMP TRAP oid is missing the last digit which scopes the violation to the correct notification leaf for IRL, ORL and flood control. 5.42.xx
"show config" may not include all COS IRL configuration settings in the output. 5.42.xx
SNMP get for etsysCosFloodCtrlPortTypeCapabilities does not return anything. 5.42.xx
Flood-ctrl rate limiters are not being applied on lag ports. 7.01.03
CLI command "clear cos port-resource <irl | orl | flood-ctrl | txq> <group-type-index>" fails to remove the port resource for types other than 0. 7.01.02
COS SYSLOG rate limiter violation messages are logged at INFO instead of NOTICE. 5.42.04
DHCP Problems Corrected in 7.31.03.0010 Introduced In:
The CLI command 'show router limits application dhcp' will not display the number of reserved entries for DHCP server. Unknown
The CLI command 'show ip local pool' does not show the total number of in use entries. 7.00.01
Issuing the 'show ip dhcp binding <IP address>' command will cause other CLI sessions to hang permanently. 7.00.01
All leases are blocked when the nexthop in route lookup for lease IP does not match interface that the DHCP server is configured on. 7.00.01
Issuing the command 'no ip dhcp pool <pool name>' can cause a reset when lease is being allocated. 7.00.01
FDB Problems Corrected in 7.31.03.0010 Introduced In:
Learned entry discards (dot1dTpLearnedEntryDiscards) may not have been reported correctly. The number reported may be less than the true number. 1.07.19
If an out of range mac age time was entered via the cli command "set mac age", the valid range was not displayed in the error message. 1.07.19
Help string for "set mac unicast-as-multicast" command is misleading. The help string indicated that the command affected behavior of static mac unicast entries. Command actually just treated unicast mac addresses as their multicast equivalent with regards to static multicast addresses. 1.07.19
Host Problems Corrected in 7.31.03.0010 Introduced In:
SNMP set of the read-only ifAdminStatus for host.0.1 causes a syslog message to be generated: "<163>Mar 26 13:42:54 0.0.0.0 ifMIB[1.tEmanate10]setIfMibVal ifindex:9998 leaf:6 pret:4. 1 set errors". 6.00.02
The error message: "Error in creating IP address" will appear when adding more than the maximum number of IP addresses to an interface. The error message should indicate the table is full. 7.00.01
Packets denied by access list filtering do not cause an ICMP "admin prohibited" error message to be generated back to the source. 7.03.02
ifLastChange (1.3.6.1.2.1.2.2.1.9) may report an incorrect value on startup which could be greater than the value of sysUpTime (1.3.6.1.2.1.1.3.0). 1.07.19
If the number of available sockets is dangerously low (0-3 available sockets) prior to a TFTP, the file transfer will fail (as expected). fileMgr was not handling this failure gracefully, as it would try to read and/or close closed file descriptors. This improper handling of closed file descriptors following a TFTP failure has been fixed. 1.07.19
Ping to an unbound local address will stop receiving inbound packets if another ping is started which explicitly binds to the same local address. Other applications which allow outbound address binding (i.e., traceroute, ssh, telnet) are not susceptible to this bug. 7.00.01
TCP packets with flags field set to 0 are sent to the host. 7.00.01
The router may display the following message when generating output for the "show ip interface brief" command: "Unable to get ip address string for ip address <ipAddress>". 7.21.02
Duplicate Address Detection is not performed on IPv6 link-local addresses whether it is enabled or not. 7.20.01
A manually configured IPv6 address will be removed from the configuration if Duplicate Address Detection (DAD) fails for the address. 7.21.01
The IPv6 source address is not consistent and cannot be configured as it can for IPv4. 7.20.01
When upgrading/downgrading the system firmware version, the default ip interface config is sometimes lost after a subsequent reset. 7.21.02
If an interface has a unique MAC address configured, then an IPv6 packet destined to that interface and received on a different interface will be dropped by the host. 7.20.01
The command 'show ipv6 route <prefix/prefix-length> longer-prefixes' will only show the route matching the given prefix and prefix-length. Routes with longer prefixes are not shown. 7.20.01
If the user changes the default interface within 1 or 2 minutes of a system reboot the system may crash due to EMANATE task accessing a bad File Descriptor while trying to send a trap. 2.00.13
Loopback interfaces will not become operational after resetting if before resetting the state is administratively down and the loopback interface is re-enabled using the "set port enable" command instead of using the "no shutdown" command in configuration mode. Unknown
When an "ipv6 nd prefix" command exists in the router configuration the "show ipv6 interface" command will display the prefix twice in the "Advertising Prefixes" section with slightly different data. The first display contains the correct information. 7.21.01
Host Problems Corrected in 7.31.03.0010 Introduced In:
If the target address of a 'ping' or 'traceroute' command was an IP address,
and if a DNS server was configured, then a reverse DNS lookup would be
attempted prior to sending any 'ping' or 'traceroute' packets.
In the case where the DNS server was down or misconfigured, ping and
traceroute would wait for a DNS response (which never came) before
proceeding with the IP address which they were given to begin with.
To avoid this potential delay, ping and traceroute will no longer initiate
a reverse DNS lookup if the target is specified as an IP address (i.e.,
"134.141.3.150"). Ping and traceroute will continue to issue a DNS
lookup if the target is specified as a hostname (i.e., "extremenetworks.com"). 7.00.01
Manually changing the link-local address for an interface may cause the router to have two
link-local addresses on the interface, but the router will report only one. 7.20.01
If a link-local address is changed from the default value (via the "ipv6 address fe80::xx
link-local" command), changed again, then removed (via the "no ipv6 address" command) the
interface will end up with a link-local address of "::". 7.20.01
If the system's default IP address is deleted, there is a chance the SNMPagent process will
enter a loop which consumes a large amount of CPU cycles. The problem resolves itself when a
default IP address is added back in. 2.00.13
IPv6 fragmentation reassembly may time out prematurely if fragments are
received out-of-order. 7.00.01
Host packets sent to a loopback interface may corrupt adjacent packet
buffers, which in turn results in an "Exc Vector: DSI exception (0x00000300), Thread Name:
tNet0" message and reset. Outbound packet sizes most
susceptible to this corruption include (but are not limited to) 61-64,
125-128, and 253-256 bytes. 7.00.01
HostDos Problems Corrected in 7.31.03.0010 Introduced In:
The HostDoS-portScan feature is supposed to filter inbound packets which are addressed to
"closed" TCP/UDP ports. However, HostDoS's list of "open" ports was not being updated when
the SSH, TELNET or Webview services were disabled, nor when the Webview port was
reconfigured to a non-default value. As a result, the switch would not filter DoS attacks on
ports 22, 23 and/or 80, even though the corresponding services (SSH, TELNET and
Webview/HTTP, respectively) were disabled. In addition, if the Webview port was
reconfigured to anything other than its default port (80), HostDoS would continue to allow
packets sent to port 80 and would filter packets sent to the configured Webview port. Also as
part of this fix, ports 7(ECHO) and 443(SSL) were moved from the "open" list to the "closed"
list, as these services are not supported by the switch. 7.00.01
The hostDoS vector 'lanD' can now be disabled. 7.00.01
A packet with a broadcast destination MAC address and source IP equal to destination IP will
generate two hostDoS syslog messages and increase the hostDoS lanD statistics by 2. 7.20.01
Processing performed by hostDoS 'smurf' or 'fraggle' could cause a board to deadlock and
reset. 7.01.02
IGMP Problems Corrected in 7.31.03.0010 Introduced In:
If the IGMP VLAN group membership interval is lengthened sufficiently, reporters age out
before the next membership query. Data delivery will cease until the next general query and
group membership is restored. 6.12.01
Router module resets with message "serverWatchDog.2, client 9 in recv for 6322 tics" if more
than 2048 IGMP leaves are processed in a very short time. 7.00.01
When running IGMP it is possible to see the following message in the syslog when a
connected chassis is rebooted.
“CIgmp::GroupTableAdd Error: have flow @ index 26132, but no base entry”. 7.00.01
It is possible when a blade is inserted into the chassis or a blade is reset that multicast
flow/flows may be momentarily flooded then re-learned again. 7.00.01
It is possible for IGMP to flood multicast data flows to incorrect ports due to mis-programmed
hardware. 7.11.01
It is possible when doing a config append for IGMP to reset with the following message:
“CIgmp::PortTableDel GrpIdx:12412 bad IP type:2!!!!” 7.11.01
After many iterations of the CLI command "set igmp disable <VLAN>" for the same VLAN, it is
possible for IGMP to lose track of its hardware resources resulting in the inability to continue
routing new flows. 7.11.01
A device running IGMP with multicast data flows and reporters may experience a reset with
the following message in the log:
“CIgmp::GroupTableAddPortToGroupEntry Src port mismatch” 7.11.01
It is possible for IGMP to lose its static configuration when removing or resetting a blade
where static ports are set. This results in data not flowing to the correct destination after the
slot has rebooted. It may be necessary to save config, clear config, and re-apply config to fully
fix this situation, but this is not necessary in all cases. 7.11.01
With IGMP enabled the following messages may be in the message log upon boot:
“Message 2/57 Syslog Message
<3>System[7]Finished receiving a copy of slot ???'s store”
“Message 3/57 Syslog Message
<3>NonVol[7.tDSrecv7]bulkMoveRecv_dd:failed to get copy of store ??, retry later” 7.11.01
It is possible to see the message below when a slot is reset:
“100.10.10.2 IGMP[4.tIgmpInp]CIgmpEtsc::EventProcessor verify failed - please run 'debug
igmp verify 1'”. 7.21.01
IGMP running with multicast traffic may reset with the following message:
“Exc Vector: DSI exception (0x00000300)
Thread Name: tDSrecv2”. 7.21.01
When there are more than 128 IGMP VLANS enabled, it is possible for the "show igmp
enable" command to not display all enabled VLANS correctly. 7.03.02
If 'show igmp config <vid>' is entered with a value outside the valid VLAN range, the command
will display all enabled VLANS. 7.00.01
It is possible when routing multicast using IGMP, if a blade is reset, that IGMP group tables
may be out of sync, resulting in flows not reaching destinations. 6.12.01
IGMP may not deliver MCAST data to all ports set in a static entry. 7.11.01
IGMP show reporters CLI command keyword "portlist" should have been "port-list". 7.00.01
IGMP will accept and act upon multicast flows that have a bad IP hardware checksum. 6.00.02
When the etsysMgmdExtMib etsysMgmdExtDiscoveredRouterTable is walked it will stop after
the first entry is displayed, even though there is further data that should be displayed. 7.11.01
When running DVMRP, the command "show ip igmp groups interface <ifName>" may show
IGMP group memberships for interfaces other than the requested interface. 7.00.01
If the etSysMgmdExtMib is queried for the etsysMgmdExtStatsCntrsTable, the
etsysMgmdExtStatsCntrsGroupFull leaf may display zero(0), which is not a valid value. This
causes no functional issues. 7.00.01
IGMP query max response time values from 1-9 deciseconds set via the MIB will display as 0
using the "show igmp vlan" or "show igmp config" CLI commands. 7.00.01
IGMP/MLD Problems Corrected in 7.31.03.0010 Introduced In:
IGMP will display all reporters if a bad port is entered in the port-list. 7.11.01
IGMPv3 Problems Corrected in 7.31.03.0010 Introduced In:
Multicast flows may not be routed correctly when IGMPv3 (or MLDv2) include/exclude-source
reports are present on both the source VLAN and destination VLAN before the actual data
flow is started. 7.30.01
IPv4 Forwarding Problems Corrected in 7.31.03.0010 Introduced In:
The addition of a primary address will inadvertently delete an existing static
route if the following 4 criteria are met:
1) Natural mask of the new primary address matches the static route's mask.
   For example, 10.x.x.x is considered a class-A address so the natural
   mask will be 255.0.0.0.
2) Static route and primary address have the same network address
   (as defined by the natural mask, not the configured mask).
3) Static route and primary address are on the same interface.
4) The interface is up.
Example Route and Address which meet these conditions:
Static Route: 10.0.0.0/8 10.21.64.1 vlan.0.1
Primary Address: 10.21.64.21 255.255.192.0 vlan.0.1
7.00.01
ICMP error messages are generated for packets containing ICMP error messages. 7.00.01
ICMP error messages are generated for IPv4 packets which were not the first fragment of a
fragmented IP datagram. 7.00.01
ICMP error message incorrectly sent for offending packets containing link-layer multicast
destination MAC address. 7.00.01
A packet received on an interface with an egress ACL configured is checked against that ACL if
the route lookup for the destination IP address of the packet results in a route not found. 7.21.01
ICMP error datagrams only included the IP header and first 8 bytes of the original IP
datagram. It will now include as much of the original IP datagram as will fit in a 576 byte
packet. 7.00.01
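The four criteria listed above for the static-route deletion problem can be applied to a configuration inventory to find route and address pairs that match them. The following is an added example, not code from these release notes or from Extreme Networks; the StaticRoute and PrimaryAddress record types, the function names, and every sample entry other than the release note's own 10.0.0.0/8 route and 10.21.64.21 address are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple


class StaticRoute(NamedTuple):       # hypothetical record type
    prefix: str                      # e.g. "10.0.0.0/8"
    next_hop: str
    interface: str


class PrimaryAddress(NamedTuple):    # hypothetical record type
    address: str
    mask: str                        # configured mask; the criteria do not use it
    interface: str


def natural_prefix_len(address: str) -> Optional[int]:
    """Classful ("natural") prefix length, or None for class D/E."""
    first_octet = ipaddress.IPv4Address(address).packed[0]
    if first_octet < 128:
        return 8                     # class A, natural mask 255.0.0.0
    if first_octet < 192:
        return 16                    # class B, natural mask 255.255.0.0
    if first_octet < 224:
        return 24                    # class C, natural mask 255.255.255.0
    return None


def route_at_risk(route: StaticRoute, addr: PrimaryAddress,
                  interface_up: bool) -> bool:
    """True when the pair meets all four criteria from the release note."""
    plen = natural_prefix_len(addr.address)
    if plen is None:
        return False
    route_net = ipaddress.ip_network(route.prefix, strict=False)
    # Criterion 1: the route's mask equals the address's natural mask.
    if route_net.prefixlen != plen:
        return False
    # Criterion 2: same network under the natural mask (not the configured one).
    addr_natural = ipaddress.ip_network(f"{addr.address}/{plen}", strict=False)
    route_natural = ipaddress.ip_network(
        f"{route_net.network_address}/{plen}", strict=False)
    if addr_natural != route_natural:
        return False
    # Criteria 3 and 4: same interface, and that interface is up.
    return route.interface == addr.interface and interface_up


def audit(routes: List[StaticRoute], addresses: List[PrimaryAddress],
          up_interfaces: Set[str]) -> List[Tuple[StaticRoute, PrimaryAddress]]:
    """Return every (route, address) pair that meets the four criteria."""
    hits = []
    for addr in addresses:
        for route in routes:
            if route_at_risk(route, addr, addr.interface in up_interfaces):
                hits.append((route, addr))
    return hits


ROUTES = [
    StaticRoute("10.0.0.0/8", "10.21.64.1", "vlan.0.1"),      # from the release note
    StaticRoute("172.16.0.0/16", "172.16.5.254", "vlan.0.2"),  # constructed
    StaticRoute("10.0.0.0/16", "10.21.64.1", "vlan.0.1"),      # constructed: mask is not natural
    StaticRoute("192.168.1.0/24", "192.168.1.1", "vlan.0.4"),  # constructed
]
ADDRESSES = [
    PrimaryAddress("10.21.64.21", "255.255.192.0", "vlan.0.1"),     # from the release note
    PrimaryAddress("172.16.5.1", "255.255.255.0", "vlan.0.3"),      # constructed: other interface
    PrimaryAddress("192.168.1.10", "255.255.255.128", "vlan.0.4"),  # constructed: interface down
]
UP_INTERFACES = {"vlan.0.1", "vlan.0.3"}                            # constructed

if __name__ == "__main__":
    for route, addr in audit(ROUTES, ADDRESSES, UP_INTERFACES):
        print(f"{route.prefix} via {route.next_hop} on {route.interface} "
              f"matches primary address {addr.address} {addr.mask}")
```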
LAG Problems Corrected in 7.31.03.0010 Introduced In:
Cannot abbreviate status or counter in the command "show port lacp port <port>
status/counter". 1.07.19
When more than one port's padminsyspri setting is configured with the "set port lacp port"
command, a subsequent "show configuration" does not show all the configured ports for
padminsyspri. The values are available from an SNMP get. 1.07.19
Entering of control-c while the command "show port lacp port *.*.* status detail sort lag" is
running occasionally results in an SNMP error message to the console. 1.07.19
Error messages seen upon entering out of range data for "set lacp" commands do not display
the out of range value. 1.07.19
After a blade reset, when the blade is back in service it may not have a LAG MAC address
consistent with the other blades for configured LAGs. 1.07.19
The command "show port lacp port counters" does not show an error message when an
unsupported port is input. 1.07.19
The LACP MIB dot3adAggAggregateOrIndividual incorrectly returns 1 for lags with a single
port. 1.07.19
LACP edit for receiving marker PDU's, MarkerPDUsRx, does not increment upon receipt of
marker PDU's. Unknown
If an N-Series receives non-LACP IEEE Slow Protocol frames, the ports that those frames are
received on may not be able to join a LAG. Non-LACP IEEE Slow Protocol frames are frames
with a MAC DA of 01-80-c2-00-00-02, an EtherType of 0x8809, and a Slow Protocol Sub-Type
that is not 1 or 2. An example of this would be an Ethernet OAM protocol frame. 7.00.01
When a physical port joins a LAG, existing hardware flows on the original underlying ports of
the LAG may be unnecessarily removed and re-established. This could lead to brief disruption
in network traffic. 6.00.02
LLDP Problems Corrected in 7.31.03.0010 Introduced In:
A lldpXMedRemXPoEPDTable MIB request will return both PoE PD and PSE neighbors. It
should only return PD neighbors. 7.00.01
If Ctrl-C command is issued while running the "clear lldp all" command, the device will
occasionally reboot. 5.42.xx
Occasionally when running the command "show config", lldp network-policy configuration is
displayed for an invalid port. 5.42.xx
The command "show lldp port local-info" will cause the device to reboot, if the configured
system name exceeds 180 characters. 7.00.01
LLDP/CiscoDP Problems Corrected in 7.31.03.0010 Introduced In:
LLDP will not transmit an IPv6 address in a LLDP packet when the management interface is
only configured with an IPv6 address.
Cisco CDP will not read the address, from a Cisco CDP packet, if the address is an IPv6 address.
Cisco CDP will not transmit an IPv6 address in Cisco CDP packets. If no IPv4 address is
configured, Cisco CDP packets will transmit IPv4 address of 0.0.0.0. 7.11.01
LSNAT Problems Corrected in 7.31.03.0010 Introduced In:
A non-descriptive error "Error: command failed: Generic error" may result from some invalid
configuration commands with LSNAT, NAT and TWCB. 7.20.01
'show support' displays debug statistics for appsvc applications (LSNAT, NAT & TWCB) when
the applications are not configured. 7.01.02
MAC Authentication Problems Corrected in 7.31.03.0010 Introduced In:
"set macauth authallocated" with a value outside of the valid range would improperly display
"<port> failed to be set." 4.00.50
Failed MAC authentication sessions are not cleared from a port on interface down/up events. 7.00.01
Failed authentication sessions are unable to be cleared via the
etsysMultiAuthStationClearUsers or etsysMultiAuthPortClearUsers MIB entries. 7.00.01
MACLock Problems Corrected in 7.31.03.0010 Introduced In:
MacLocking and the MAC Address table get out of sync when enabling or disabling
MacLocking on individual ports. 7.01.04
"show config all maclock" would improperly not display those settings for ports which are set
to disabled. 5.01.58
Mirroring Problems Corrected in 7.31.03.0010 Introduced In:
Cannot configure a PC.X.Y port as a mirror port. 7.00.01
Excessively high CPU utilization by the SNMP process may result if attempting to clear all port
mirrors for a module by executing a 'clear port mirror' command without specifying an upper
port boundary value.
Example: "clear port mirror ge.1.1- ge.1.1-" could take 30 minutes to finish. While the
command is running the SNMP process was using ~87% of the CPU. 6.00.02
When a frame destined for the chassis (ex, Spanning Tree, Management Frames, etc), needed
to be mirrored because ingress port or VLAN was being mirrored, a small percentage of those
frames would not be mirrored successfully. 7.00.01
A partial, benign CLI command - "set port mirroring" is generated by show config. 7.11.01
On N chassis, not all underlying ports in a IDS mirror are used for flow distribution. 7.00.01
When a port is configured for enhanced mirror mode, frames ingressing that port may not
have egress port mirrors applied correctly. 7.11.01
MultiAuth Problems Corrected in 7.31.03.0010 Introduced In:
MultiAuth module trap is not able to be configured to non-default settings. 7.11.01
'clear multiauth station' command would fail to clear the multiauth station(s). 7.11.01
When a particular slot or entire chassis is reset, the multiAuth system trap configuration is
reset to default value (disabled). 7.11.01
NAT Problems Corrected in 7.31.03.0010 Introduced In:
The help display for "ip nat translations" refers to 'napt' or 'natpt' instead of 'nat'. 7.01.02
NetFlow Problems Corrected in 7.31.03.0010 Introduced In:
Netflow may continue reporting records for flows ingressing ports, even if Netflow reporting
for that port is disabled, if the destination of the flow is the internal IP stack. 4.00.50
If Netflow is unable to send packets to Netflow server, it may generate excessive syslog
messages similar to:
netflow[4.tNetflow]netflow_rebind_socket(): Failed getIpV4Primary()
7.30.01
OSPF Problems Corrected in 7.31.03.0010 Introduced In:
When OSPF is configured with passive interfaces and "no router ospf " is executed, when
OSPF is re-added, the passive interface configuration will return. 7.00.01
A reset and error message: "memPartAlloc: to big", is recorded in the log. This issue is possible
in network topologies using OSPF under severe conditions like continuous interface thrashing
(DOWN then UP) or continuous resetting of neighboring routers. 7.00.01
Clearing the global VRF, will remove all OSPFv2 interface configured parameters in all
non-global VRFs. 7.20.01
If the OSPF area authentication command is configured in a prior release, an upgrade will
cause the loss of related area commands, stub or NSSA. 7.20.01
For some configurations using OSPF, changing the revision back to 7.11 or earlier may place
the system in continuous reset. This can be remedied by clearing the OSPF configuration
before booting the older image and then restoring the OSPF configuration. 7.11.01
OSPFv2 network command entered with a valid network with mask 255.255.255.255, matches
all interfaces, as mask is treated as a wildcard mask instead of subnet mask. 7.00.01
The negation of the OSPF area virtual link keychain command, "no area 0.0.0.140 virtual-link
130.1.1.1 keychain ospf" can cause an assert in thread tRtrPtcls, message log is "SMS assert in
asemib.c at line 526 : >= amb_test->ips_hdr.ctrl_size 368 (amb_test->oid_offset + (2 *
sizeof(NBB_ULONG)))". 7.20.01
If an OSPF area range is configured in a VRF, and that same area is active in the global router
or another VRF, that range will be applied to those VRFs. 7.20.01
After a router failover, OSPF can fail to redistribute rip routes. 7.21.01
After a router failover, OSPF can fail to redistribute static routes. 7.21.01
PIM Problems Corrected in 7.31.03.0010 Introduced In:
The ability to configure a PIM Candidate RP using an access-list to define the group ranges was
added. 1.07.19
“Show ip mcache” lists incorrect outgoing interfaces for a given S,G mroute entry. 7.00.01
The implementation of the etsysPimExtIfTable contained an object that was not defined in the
MIB. Thus, the values returned are incorrect because the defined objects are offset by the
undefined object. The user should also see that some of the returned types do not match the
object's defined type. 7.00.01
The management master blade may log a message similar to "SMS assert in qptmuti2.c at line
230 : <= lower_bound 1920000 upper_bound 90000 " and reset. 7.00.01
The management module may log a message similar to "SMS assert in ntlcltim.c at line 547 : <
duration -5001" and then reset. 7.00.01
Mcache entries may not time out correctly after starting and stopping a quick burst of IP
multicast traffic. 7.00.01
Excessive errors of the following are found in message log when a limit has been exceeded for
routing protocols (RIP,OSPF,BGP,PIM, and DVMRP) –
“<3>rtrUtils[1.tRtrPtcls]TrackAllocMemory failed to alloc control block. “ 7.03.01
"show ip mcache" may show a very long age for entries if the system time is set back to
before the cache entries were created. 7.00.01
PIM Assert detection and processing can consume excessive CPU resources. 7.00.01
PIM/DVMRP Problems Corrected in 7.31.03.0010 Introduced In:
PIM or DVMRP is limited to 255 IP interfaces (not the supported 256). 7.00.01
Platform Problems Corrected in 7.31.03.0010 Introduced In:
Large configuration settings may cause a board to reset. Syslog messages similar to below
should be in the log:
<1>NonVol[2.tNvProcQ]processProcWriteQ:openWrSet() failed on store=0, fileIndex=0
majorId=99 token=4294967295 retval=7
<3>NonVol[2.tNvProcQ]nvFilePtrMgr::fopen_ab(5,0,0,99, 5)
fopen(/flash1/nonvol/0/b0000000.063,ab+) filePtr==NULL errno=3997698
7.00.01
While processing the unexpected shutdown of another blade in the system backplane,
hardware may be left in an inoperative state, requiring all blades in the system to reset. 7.00.01
"show system hardware" does not display overall chassis power supply redundancy status. 7.11.01
File corruption may be detected at boot-up. The following error will be in the message log and
on the console (the store and file index will vary):
<0>NonVol[5.tusrAppInit]validate_files: The persistent store 5 has been corrupted at file 0.9.
This data has been erased and the board will reset. 7.00.01
SNMP requests and/or CLI requests may return incorrect values for etsysJumboEnetFrameMIB
while modules / blades are being removed or reset. 6.01.01
A message, similar to "System[1]The board in slot 5 of the chassis is not operational.", is seen
during normal operation. 1.07.19
The error "Error: Ambiguous" will occur using the 'set physical alias' and 'set physical assetid'
commands if the keywords for those commands are not fully typed out. Unknown
A blade will log the following message and reset: “<1>DistServ[1.tDsBrdOk]serverWatchDog.7,
client 41(nvClient) in recv for 6896 tic”
This condition happens when soft forwarding a lot of traffic (unlearned) along with many
writes to nonvol such as the creation of dynamic policy profiles. 7.00.01
If a large amount of data is being written to nonvolatile memory by a high priority task, the
cleanup task may be kept from running and cause us to exceed our maximum file index which
will cause settings to not be saved. The following messages will be in the log:
“<1>NonVol[6.tNvProcQ]processProcWriteQ:openWrSet() failed on store=6, fileIndex=4100
majorId=9 token=4294967295 retval=8”
“<3>NonVol[6.tNvProcQ]fopen_ab: invalid fileIdx 4100, storeNum 6, major 9” 7.21.01
A link trap for interfaces will be sent when an interface goes up or down even if it is
configured not to send the trap. 7.01.02
The real-time clock will lose time between resets in the range of 1 microsecond up to a
potential of 2 seconds with each reset. 7.00.01
The following error may be reported when a lot of multicast flows are changed. "Switch Fabric
soft memory error." 7.00.01
When a blade is reset (or a new blade is inserted into a running chassis), routed interfaces will
bounce link during the initialization process. 7.00.01
PoE Problems Corrected in 7.31.03.0010 Introduced In:
PoE trap with unknown port state might be generated when PD device is connected to the
port and it requests power. 7.00.01
When pethMainPowerUsageOnNotification or pethMainPowerUsageOffNotification traps are
generated they will contain current usage threshold instead of current power consumption
information. 4.21.09
Messages indicating status of the PoE power supplies will not be displayed if PoE capable line
cards are not present or not configured. 7.00.01
PoE power supplies status information will be unavailable in a chassis which does not contain
at least one PoE capable module. 7.00.01
Policy Problems Corrected in 7.31.03.0010 Introduced In:
Only the first option changes when multiple options were given for 'set / clear policy syslog'. 4.00.50
"set policy rule icmptype" would accept values greater than 255 (0xFF). 4.00.50
"set policy profile/rule cos" would accept values up to 4095, while the max allowed is 255. 5.01.58
"show policy rule ipdest / ipsource" were available for non DFE-GOLD devices. 6.00.02
"show policy rule syslog / trap / tci-overwrite / disable-port" now includes the "prohibit"
option. 7.00.01
"set policy rule udpdestportip, udpsourceportip, tcpdestportip, and tcpsourceportip" would
accept values for the port outside of the valid range (0-65535). 7.00.01
"set policy dynamic syslog-default prohibit" and "set policy dynamic trap-default prohibit"
would result in an error message. 7.00.01
Policy global admin rule created when port-string specifies an invalid port. 7.00.01
Policy llcDsapSsap rule mask will default to an invalid mask value (40) regardless of the
llcDsapSsap rule type entered (LLC, SNAP, 802.3 IPX). 6.12.07
User applied policy profile precedence configuration persists after profile rule is deleted. 7.01.03
Policy Ethertype and VLAN rules may be entered with a mask such that, after being masked
the rules would appear to be invalid in the config. ex. "set policy rule 1 vlantag 2 mask 3"
would show up in the config as "set policy rule 1 vlantag 0 mask 3". 7.00.01
Attempting to configure more than the maximum allowed policy rules would not result in an
error message. 6.00.02
The etsysPolicyRuleResult1 leaf of the ENTERASYS-POLICY-PROFILE-MIB sometimes returns an
incorrect value. In this case the Policy Manager application will not allow the Policy rule to be
removed. 7.00.01
Policy traps would not be sent the first time a trap condition was met, instead transmitting
every time other than the first. 7.00.01
Policy admin-rules for port <x>.<y>.1 may be lost upon reset. 7.00.01
Policy may lose syslog / trap message queues, which will cause it to stop sending syslog and
trap messages, resulting in the message
"Policy[x.tDispatch]assertActions():msgQxRecv(notifyQ) failed". 7.00.01
Policy traps are sent every time a rule hit occurred if "syslog every-time" was set. 7.00.01
'show policy syslog' would ignore CLI options; 'clear policy syslog' would return an error if no
options were entered. 4.00.50
Valid policy commands fail after an invalid value is entered with a set policy rule command. It
may take a few valid ‘set policy rule’ commands to clear the command fail condition. 6.00.02
Modifying "policy invalid action" will not affect behavior while multiauth mode is set to strict. 7.00.01
Policy admin-pid rules could occasionally be lost upon reset. 7.00.01
Creating a policy admin rule with an invalid bridge port creates a rule that cannot be deleted. 7.00.01
When entering a policy name, if it was greater than sixty-four characters long it would be
truncated down to sixty-four characters without indicating that was the case. 6.00.02
RFC3580 VLAN Tunnel assignment may be lost for port <x>.<y>.1 upon blade reset. 7.00.01
PTOPO Problems Corrected in 7.31.03.0010 Introduced In:
When the network address is not received from LLDP, CtronDp, or CiscoDp, the network
address viewed in the "show neighbor" command will incorrectly display an address. 5.42.xx
Occasionally, the mib ctCDPNeighborPortName will return a value different than what was
received from the neighbor. 7.00.01
PWA Problems Corrected in 7.31.03.0010 Introduced In:
The error message when attempting to enter a PWA banner of greater than 255 characters
indicates that the maximum number of characters allowed is 256 characters. 4.00.50
RADIUS Problems Corrected in 7.31.03.0010 Introduced In:
Authentication failure will occur for multiauth clients due to RADIUS response frames that
have errors and have not yet been validated as from a configured RADIUS server. 5.42.xx
AAA authorization information level logging may indicate a 0 for tunnel group ID when a valid
tunnel group ID has been received from the RADIUS server and successfully processed. 7.00.01
Inserting a new blade into the system may result in RADIUS error messages "Trying to get local
aggregate counters for unknown core server x" if the configuration storage of the new blade
contains server configuration that is not present on the running system configuration. 7.11.01
The RADIUS client will send more than the configured number of retransmissions per server
for each transaction if server timeouts occur. 7.00.01
AAA log message reports inaccurate number of retries when output:
“AAA[2]RADIUS Attempted the configured number of retries (21) to all authentication servers
without a server response for (username 'deepak') on port com.2.1”
It is outputting the total number of transmissions as opposed to the number of
retransmissions. 6.12.01
The RADIUS client software sends the standard RADIUS Calling_Station_Id attribute with
upper case hexadecimal for authentication requests but with lower case hexadecimal for
accounting requests. 6.11.01
RADIUS Snooping Problems Corrected in 7.31.03.0010 Introduced In:
etsysRadiusSnoopingPortAuthenticationsAllocated would accept a set of 0. 6.00.02
"radSnoopEtsc::radSnoopPolicyCallback() - NULL mac address received" log event is output
under certain undetermined conditions. This message and the condition it is describing can
occur under normal operating conditions and is harmless. 7.11.01
When queried etsysRadiusSnoopingSessionInitialize would return "0" (undefined) rather than
"2" (false). 6.12.01
Radius-Snooping timeout is not distributed correctly between blades. 6.12.03
RIP Problems Corrected in 7.31.03.0010 Introduced In:
The loopback interface address is now being propagated to neighboring routers when using
the network command. 7.00.01
show limits displays RIP limits greater than the chassis limit when aggregating over all VRFs
configured. 7.00.01
If a customer applies a redistribution route-map to a RIP router in a VRF, and the ACL
associated with the route map is modified, the changes are not applied until the ‘redistribute’
command is reconfigured. 7.21.02
Static routes are not redistributed into RIP after a chassis reset. 7.21.01
RMON Problems Corrected in 7.31.03.0010 Introduced In:
An attempt to modify an RMON etherStatsOwner name results in the owner name being set
to the default value. 1.07.19
RMON Matrix statistics are not updating correctly. 5.42.xx
The command "show rmon stats" provides a counter value for 1024-1518 octets that rolls
over at 32 bits instead of the expected 64 bits. 5.01.58
RMON filter and channel entries may not sync when a new module is installed in the chassis
that was previously in the chassis. 5.42.xx
RMON capture may not include received multicast packets such as LLDP, CDP, CISCODP, LAG,
and GVRP. 7.00.01
The ‘set rmon capture’ command allows offset values greater than that allowed (655535). 5.01.58
The ‘set rmon capture’ command allows input of values less than that allowed (-1). 5.01.58
RMON events are no longer logged if the host master blade is reset. 5.01.58
RMON topN will use a duration value of 60 seconds regardless of the value input. 4.00.50
A DSI exception, similar to DSI exception (0x00000300) Thread Name: tRmonRecv, may occur
when using RMON capture in the presence of jumbo packets. 5.01.58
At the CLI, setting rmon topn hindex in a separate command after setting rmon Topn duration
will reset the duration value to the default. 4.00.50
Entering an RMON topn size value for number of entries that is greater than 2147483647 is
displayed as negative in a subsequent show config. 5.01.58
Clearing of RMON stats counters a large number of times or performing a large number of
deletions and creations of RMON stats or history indices may result in a loss of RMON stats at
the CLI or a loss of response at the CLI. Entering the command(s): "clear rmon stats
to-defaults" / "clear rmon history to-defaults" may alleviate the problem if it has occurred. 7.00.01
Entering an RMON capture slice or loadsize value of the max UINT32 will
result in a -1 value shown in a subsequent mibwalk of the associated MIB value. 5.01.58
Setting the RMON capture loadsize value too large, such as to 2147483647, when working
with jumbo frames, may result in an SNMP error such as CloneVarBind: Unable to clone
vb->value.os_value. 5.01.58
RMON capture settings with mismatched slice and loadsize values
may display part of a subsequent packet at the end of the captured frame. 5.01.58
Entering multiple RMON capture configurations, though only one is active, as can be done via
netsight, along with modification of RMON control asksize/loadsize values, can cause blade
reset and log a message such as DistServ[1.tRmonStat]checkGuardBand.1.sendMsg(pre) for
30 (buffer 8). 5.01.58
Entering the command "clear rmon filter channel" at the CLI will return an error message
similar to "CLI[7]User:admin; Source:console; Action:"clear rmon filter channel 2 "; Status:Fail"
whether the command fails or not. 5.01.58
The asksize option of the RMON capture command may not take effect
when entered separately from the other RMON capture options. This
may result in an unexpected output size when reviewing an RMON capture. 5.01.58
Use of RMON capture may reduce throughput of multicast traffic that is ingressing or
egressing on a port that is configured for RMON capture. VLAN flooded traffic is unaffected. 7.00.01
Router Problems Corrected in 7.31.03.0010 Introduced In:
The Router does not send a gratuitous ARP when an IPv4 interface becomes operational. 1.07.19
An IPv6 static route could be added which specified the loopback address as the destination prefix. 7.20.01
Routing Problems Corrected in 7.31.03.0010 Introduced In:
If you attempt to delete a static route that does not exist, two extraneous syslog messages may be displayed similar to these: "StaticRt[1.tConsole]model vrf 0 ip route 78.1.1.0/24 10.1.1.7 vlan.0.10 1", "StaticRt[1.tConsole]route vrf 0 ip route 78.1.1.0/24 10.1.1.7 recursive 1" 7.21.01
SMON Problems Corrected in 7.31.03.0010 Introduced In:
The order of help strings for the set/show/clear smon commands is inconsistent. TBD
The SMON Statistics creation command does not change the owner-string of an existing statistics collection. 7.00.01
At time of SMON priority or VLAN stats deletion, very infrequently, one or more blades in the chassis may reset. A message that starts similar to the following will be left in the log:
“Message 11/244 Exception PPC750 Info 07.31.01.0007T 04/25/2011 16:24:34
Exc Vector: DSI exception (0x00000300)
Thread Name: tMcnxCnt” 1.07.19
SNMP Problems Corrected in 7.31.03.0010 Introduced In:
System loses SNMP connectivity with possible message output to the console similar to “Emanate[1.SNMPSubAgt]Connection to 127.0.2.2 failed!” 6.00.02
Message similar to "Emanate[1.SNMPagent]Master agent select encountered invalid file seen" encountered just after boot up. 7.00.01
Traps with an IPv6 source address would not be updated with the correct address when the default IPv6 interface was deleted or changed. 7.11.01
SNTP Problems Corrected in 7.31.03.0010 Introduced In:
Change in behavior: SNTP will now use the default interface for the source address of client requests if configured. 7.00.01
SSH Problems Corrected in 7.31.03.0010 Introduced In:
Disconnecting an SSH session is incorrectly reported as a telnet session disconnect.
STP Problems Corrected in 7.31.03.0010 Introduced In:
When setting adminedge and adminpathcost, and applying the setting to multiple ports, if there is a failure for any port the processing will stop and the remaining ports will not be set. 4.00.50
If the request is for a single SID and that SID is not enabled for backuproot, a message is displayed stating that no SIDs have backuproot enabled. This may or may not be true. 5.11.21
Incorrect values are returned when querying the MIB objects etsysMstpPortDesignatedRoot and etsysMstpPortDesignatedBridge. 5.41.25
A query for etsysMstpTopologyChangeInProgress returns 0 rather than 2 to indicate false. 4.00.50
‘clear mac address’ cli operations may falsely display failure messages. 1.07.19
The "show config all" command output shows set commands for FTM1 backplane ports for adminedge and adminpathcost. These are not allowed for backplane ports. If a configuration file created with this command is used in a "configure" command, the "set" commands for the backplane ports will fail. 4.00.50
Spanning tree will not unlock a port that has been locked by Spanguard when the port configuration for portadmin is changed from enabled to disabled. The port will be unlocked when spanguardlocktime expires. 7.00.01
A port enabled for loop protect, configured with a non-loop protect capable partner, does not transition to listening state when it stops receiving BPDUs and the receive timer expires. It may make that transition at some indeterminate time later. 7.00.01
When decoding a badly formed MST BPDU, such that it should be treated as a RST BPDU in accordance with clause 14 of the 802.1Q specification, the PVI is not marked as RST. This causes the MST packet counters to increment rather than the RST counters. Since it is otherwise decoded as RST there will be no other adverse effects. 7.00.01
A value is returned for the deprecated MIB leaf etsysStpDiagMstiPortTopChanges. 7.00.01
etsysStpDiagRootHistoryStpID Table MIB should be populated at the time the Spanning Tree instance is created. 5.35.16
Restoring an invalid Spanning Tree instance index value from persistent memory causes a continual reset following a firmware downgrade. 7.00.01
"set spantree lpthreshold" command help text enhanced to supply value range. 5.41.25
The "set spantree mstmap" command failed silently when attempting to map FID 4095 to a SID. 5.35.16
Enhance "set spantree spanguardtimeout" help text by giving a value range. 5.42.04
Enhance help text for "set spantree disputedbpduthreshold" by adding value range. 5.41.25
SYSLOG Problems Corrected in 7.31.03.0010 Introduced In:
For IPv6 interface configurations, the syslog message header displays 0.0.0.0 instead of the appropriate IPv6 address. 7.20.02
When configuring logging server index 8, the following error may occur "Entry for index 8 does not exist on the system logging server table." or the following warning may occur "ParseSubIdOctal, bad digit: 8". 7.00.01
Once a management IPv4/IPv6 address is programmed, and removed, and then the system name is configured, and removed, the source field in the syslog message will revert to an empty field, when it should revert to 0.0.0.0. 7.20.01
After issuing the command "set logging here enable", expected log messages seen at the console are not seen on the telnet/ssh session. 7.21.01
When performing a "show logging server" command, the "Description" field contents are truncated to 17 characters. 1.07.19
Telnet Problems Corrected in 7.31.03.0010 Introduced In:
A telnet login attempt that was allowed to timeout would, in some cases, not close down properly. When this happens, the resources for that telnet session are not freed properly. When this occurs 4 times, the user is not able to login remotely. 1.07.19
A processor exception can occur when a user exits a telnet session. 1.07.19
TWCB Problems Corrected in 7.31.03.0010 Introduced In:
Multiple 'ip twcb webcache redirect out' entries are not allowed within one interface configuration. 7.02.02
VLAN Problems Corrected in 7.31.03.0010 Introduced In:
The set/clear vlan egress CLI commands are slow. For example, to configure 4K VLANs it will take several minutes for the command to complete. 5.13.04
Modifying VLAN egress through the "set port vlan" CLI may generate the following CLI error: “Static VLAN xxxx egress configuration failed”. 5.01.58
Traffic sourced from the Host IP stack should have 802.1p priority of 7, instead of zero. It should be possible for policy to override this value. 7.00.01
VRF Problems Corrected in 7.31.03.0010 Introduced In:
No error message generated when a router limit is set for a non-configurable application. 7.20.01
A crash may occur if a configuration exists such that a packet would be delivered from a loopback interface. For example if a route is configured to use a loopback interface. Unknown
The 'script' command does not allow for VRF context awareness. 7.21.01
VRRP Problems Corrected in 7.31.03.0010 Introduced In:
Nexthop address from a static route that matches a VRRP associative address will prevent the associative address from being used as a virtual gateway address. The following syslog message will appear when VRRP state becomes master.
RtrVRRP[1.tVrrpEvt]Failed: IP <associative address> adding to <interface>. 7.00.01
‘vrrp critical-ip’ will not accept disable keyword. 7.21.02
Removing an IP address from an interface that matches VRRP IP address will cause the instance to enter intfdown state even if another IP address on the interface exists that matches the VRRP IP address. 7.00.01
WebView Problems Corrected in 7.31.03.0010 Introduced In:
A system name with a length of 255 characters won't be displayed correctly in webview. 7.11.01
Feature Enhancements in 7.21.03.0003
GBIC Enhancements in 7.21.03.0003
MGBIC-BX120-U and MGBIC-BX120-D are now supported.
Problems Corrected in 7.21.03.0003
DVMRP Problems Corrected in 7.21.03.0003 Introduced In:
DVMRP may not advertise routes to some neighbors if the number of DVMRP interfaces in a router exceeds 32. 7.00.01
Host Problems Corrected in 7.21.03.0003 Introduced In:
For packets originating from the host destined to a given IPv6 address, the source address chosen is inconsistent between reboots or IPv6 address configuration. 7.11.01
MAC Authentication Problems Corrected in 7.21.03.0003 Introduced In:
Disabling LACP on a device which has MAC Authentication enabled and ports set to authentication-optional will cause authentication failures for routed packets received on those ports. A workaround is to disable LACP on all ports in the system "set port lacp port *.*.* disable" and set the LACP global state to enabled "set lacp enable". 7.00.01
OSPF Problems Corrected in 7.21.03.0003 Introduced In:
When running OSPF a DSI can occur in thread tRtrPtcls, message displayed is "SMS assert in qodmint3.c at line 1449 : (null) avll_rc 0 (null) 0". 7.20.01
When running OSPF a DSI can occur in thread tRtrPtcls, message displayed is "SMS assert in ntlavll.c at line 644 : != AVL3_IN_TREE(*node) 0 0 0". 7.00.01
Routing Problems Corrected in 7.21.03.0003 Introduced In:
Hardware connections for flows destined to multicast MAC addresses are not aged out when route changes occur that yield a better path for those flows. 7.00.01
SSH Problems Corrected in 7.21.03.0003 Introduced In:
When a user uses an SSH client to access a device and then uses the 'ssh' command to SSH to another device or machine, closing the originating remote SSH client session will strand the device's SSH client session and accompanying resources. This will result in a loss of remote management connectivity when this process is repeated using up the 4 available remote connections. 7.00.01
When a user telnets into the device from a telnet client and then uses the SSH command to SSH to another device or machine, closing the originating telnet client session will strand the SSH client session and accompanying resources. This will result in a loss of remote management connectivity when this process is repeated using up the 4 available remote connections. 7.00.01
Feature Enhancements in 7.21.02.0002
GBICs Enhancements in 7.21.02.0002
MGBIC-BX40-U and MGBIC-BX40-D are now supported.
Load Balancing Enhancements in 7.21.02.0002
The router is able to detect when a routed frame’s destination MAC Address is not found in the L2 filter
database. It periodically attempts to resolve this condition by forcing an ARP request. This action assumes the
Response packet will be sourced from the desired MAC address. If the ARP response received is sourced from
a different MAC address, the router assumes the associated system is a Network Load Balancer or similar
system comprised of multiple physical machines responding to a single “virtual” IP address. These server
systems expect that the switch will flood their traffic to all ports on the destination VLAN.
Starting with 7.21.02.0002, a message is periodically displayed when this condition is detected similar to the
following:
"1.2.3.4 responds to ARP requests using a Sender Hardware Address that does not match the L2 source
address. Additionally the Sender Hardware Address does not exist in the Filter Database. This is often caused
by Network Load Balanced Servers without a corresponding switch configuration. Please create a static Filter
Database (FDB) Entry for: 00:12:33:44:55:66 (see release notes or configuration guide)"
In this example “1.2.3.4” is the IP address of the suspected virtual server and “00:12:34:56:78:9A” is the MAC
address found in the returned ARP response packet.
Extreme Networks switch routers that report these messages are probably not optimally configured. The
flooded traffic will be subjected to the soft forwarding path’s rate limiters. This traffic will also compete for the
slow path resources and the first packets from other new flows.
To force the virtual server packets to take a hardware switch path you must configure an entry in the FDB. If
the destination MAC is multicast (Group bit is set) then you must issue:
“set mac multicast <vlan-id> <mac-address> <port-string>”, where port-string is a list of ports that further
scope the flooding.
For example, for VLAN 123, virtual server MAC address 01-AA-BB-CD-EF-11, with physical servers on ports
ge.1.2, ge.1.3, and ge.1.4, you would issue:
“set mac multicast 123 01-AA-BB-CD-EF-11 ge.1.2-4”.
You can use “*.*.*” for a port string if all ports in the VLAN should receive the frames.
In the case where the virtual server is using a unicast MAC address you must issue two commands:
The first command is “set mac unicast-as-multicast enable” which causes the system to search static multicast
entries for a unicast MAC that does not have a unicast entry in the filter database. For the second command,
you will also need to program a static multicast entry using the multicast version of the desired unicast MAC
address, i.e., enter the unicast MAC with the group bit set. Using the sample message output above and the
vlan/port string from the previous example the command would be “set mac multicast 123 01-12-34-56-78-9A
ge.1.2-4”.
Occasionally the message will be displayed with a VRRP MAC address. These messages should be ignored and
will not be displayed by future versions of firmware.
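The FDB procedure above, worked as an added example (not Extreme Networks code): a Python helper that reads the logged message and returns the "set mac" lines the notes prescribe for a multicast or a unicast virtual-server MAC. The regular expression, the function names and the VRRP check (00-00-5E-00-01-xx, the IPv4 VRRP virtual MAC prefix from RFC 5798) are assumptions of this example; the VLAN and port string are not in the message and must be supplied by the operator.

```python
import re

# Pattern modelled on the message text quoted in the release notes above.
ARP_MISMATCH = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) responds to ARP requests\b.*?"
    r"\(FDB\) Entry for: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})",
    re.S,
)

# Assumption of this example: IPv4 VRRP virtual MACs are 00-00-5E-00-01-{VRID}.
VRRP_PREFIX = bytes.fromhex("00005e0001")


def parse_mac(text):
    """Accept aa:bb:.. or AA-BB-.. notation and return the 6 raw octets."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac):
    """Dash-separated upper-case form, as used in the CLI examples above."""
    return "-".join(f"{b:02X}" for b in mac)


def is_group(mac):
    """True when the Group (multicast) bit, the LSB of the first octet, is set."""
    return bool(mac[0] & 0x01)


def fdb_commands(vlan_id, mac_text, port_string):
    """Return the CLI lines the release notes prescribe for this MAC.

    Returns [] for a VRRP virtual MAC, which the notes say to ignore.
    """
    mac = parse_mac(mac_text)
    if mac.startswith(VRRP_PREFIX):
        return []
    commands = []
    if not is_group(mac):
        # Unicast virtual-server MAC: enable the static-multicast fallback,
        # then program the same address with the Group bit set.
        commands.append("set mac unicast-as-multicast enable")
        mac = bytes([mac[0] | 0x01]) + mac[1:]
    commands.append(f"set mac multicast {vlan_id} {format_mac(mac)} {port_string}")
    return commands


def commands_from_log(line, vlan_id, port_string):
    """Return (ip, commands) for one logged message, or None if it is unrelated."""
    m = ARP_MISMATCH.search(line)
    if m is None:
        return None
    return m.group("ip"), fdb_commands(vlan_id, m.group("mac"), port_string)


# Constructed sample: worded like the message above, with the MAC address
# used in the notes' explanation of it.
SAMPLE = (
    "1.2.3.4 responds to ARP requests using a Sender Hardware Address that "
    "does not match the L2 source address. Additionally the Sender Hardware "
    "Address does not exist in the Filter Database. Please create a static "
    "Filter Database (FDB) Entry for: 00:12:34:56:78:9A "
    "(see release notes or configuration guide)"
)

if __name__ == "__main__":
    ip, cmds = commands_from_log(SAMPLE, 123, "ge.1.2-4")
    print(f"virtual server {ip}:")
    for cmd in cmds:
        print("  " + cmd)
```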
Problems Corrected in 7.21.02.0002
ARP Problems Corrected in 7.21.02.0002 Introduced In:
ARPs performed in an attempt to refresh the L2 Filter Database are not rate limited and will result in unexpectedly high levels of CPU utilized by the ARP and related router distribution tasks. 7.21.01
Rate limiters used to protect the system from excessive ARP and IPv6 Neighbor Discovery packets are not properly configured to allow brief bursts of packets. This causes packets to be dropped unnecessarily. 7.11.01
CEP Problems Corrected in 7.21.02.0002 Introduced In:
Active CEP end stations do not show up in the "show cep connection" CLI command output or the etsysConvEndPointConnPortMacAddress leaf of ENTERASYS-CONVERGENCE-END-POINT-MIB. 5.35.16
Host Problems Corrected in 7.21.02.0002 Introduced In:
UDP frames destined for the switch’s host IP address with a length field of zero cause the system to log a tNet0 DSI exception (0x00000300) error message and reset. 7.00.01
The device IP stack will stop processing packets after receiving many ICMPv6 echo requests to the all-nodes address (ff02::1) on an interface which has IPv6 disabled. This affects management, routing protocols and any other feature requiring IP. A workaround is to enable IPv6 on all interfaces with the command "ipv6 enable". 7.20.01
The configuration of "router config IPv6 host-access" is deleted on reboot or reset of the management master slot. 7.03.01
The system will log a "DSI exception" for task "tnet0" message and reset if a malformed IPv6 packet is received which meets all of the following criteria: Packet's Destination MAC is addressed to the switch's link-local port, the IPv6 Header's "Next Header" field is set to 0x3a (ICMPv6), and the IPv6 Header's "Payload Length" field is set to 0 (this is the malformation). 7.00.01
ICMP Problems Corrected in 7.21.02.0002 Introduced In:
A packet with a layer 2 non-unicast destination MAC address destined to an IP directed broadcast with a TTL equal to 1, results in a Time Limit Exceeded ICMP error datagram being sent to the source of the packet. ICMP errors should not be sent when destination MAC is non-unicast. 7.20.01
LSNAT Problems Corrected in 7.21.02.0002 Introduced In:
While new LSNAT / NAT / TWCB bindings are being created a "New Vserver bind failed, can't find vserver Id: 0" and / or a "DSI exception (0x00000300) Thread Name: tDSrecv5 " message may be logged. The DSI exception results in a blade reset. 7.03.01
LSNAT / NAT FTP file transfers may fail if the data transfer time exceeds the binding idle timeout value. 7.03.01
“Dropped packets originated from a real server xx times” messages should be displayed at INFO rather than NOTICE level. 7.03.01
While new LSNAT / NAT / TWCB bindings are being created, it is possible to receive a message log "New Vserver bind failed, can't find vserver Id: 0" and / or a "DSI exception (0x00000300) Thread Name: tDSrecv5 ". 7.03.01
While new LSNAT / NAT / TWCB bindings are being deleted, it is possible to receive a "DSI exception (0x00000300) Thread Name: tDSrecv5 ". 7.03.01
With sticky configured on the VIP server, when a real server goes down, bindings associated with the sticky entry and the real server will not be deleted. 7.00.01
Mirroring Problems Corrected in 7.21.02.0002 Introduced In:
Any flow that is one-arm routed (back out same port it came in on), and also needed to be mirrored, would not successfully be routed. It would be correctly sent out mirror destination port, but not routed back out ingress port. This problem exists with any form of mirroring - port, vlan, or policy. 7.00.01
Neighbor Discovery Problems Corrected in 7.21.02.0002 Introduced In:
When a LLDP, CtronDp, or CiscoDp neighbor does not advertise a network address, the "show neighbor" command will continue to display an address. The network address advertised is the primary IP address of the default interface. When the default interface or IP is changed CiscoDp continues to advertise the old address. 5.42.xx
If a LLDP, CtronDp, or CiscoDp packet is received that contains a VLAN tag, the packet will not be accepted. The neighbor will not be displayed in the ‘show neighbor’ command. 5.42.xx
NetFlow Problems Corrected in 7.21.02.0002 Introduced In:
Time stamps used in NetFlow records and PWA HTTP frames will be incorrect on standalone devices when the time zone offset is set or summertime is enabled. 5.01.58
OSPF Problems Corrected in 7.21.02.0002 Introduced In:
When OSPF is redistributing a route, it is prevented from installing a route into the routing table, regardless of preference if it is for the same destination. 7.11.01
An Assertion failure and reset can occur when processing an inter-area route to an ASBR. The message logged is "SMS assert in qorcfnd2.c at line 625". 7.00.01
A reset may occur while retransmitting Link State Advertisements. The message "SMS assert in qoamlsts.c at line 1218:" will be logged. 7.00.01
PoE Problems Corrected in 7.21.02.0002 Introduced In:
PoE may log a message similar to “<163>Dec 15 22:36:11 0.0.0.0 System[7]PoE controller is not accessible.”, when a recoverable communication error occurs while checking power supply status. When this happens, the PoE controller remains operational, and power delivery is not affected. 7.00.01
Policy Problems Corrected in 7.21.02.0002 Introduced In:
Layer 4 Policy rules could be improperly applied to IPv4 streams with an Authentication Header. 7.00.01
Layer 3 / 4 Policy rules could be improperly applied to IPv6 streams on the N-series. 7.00.01
RIP Problems Corrected in 7.21.02.0002 Introduced In:
If a RIP route was received from the same router, poison reverse would not take effect. 1.07.19
Routing Problems Corrected in 7.21.02.0002 Introduced In:
If more than 20 forward-protocol UDP ports are configured some may not be restored after reset. 7.11.01
The ipDefaultRouterLifetime mib object may repeatedly return the same value when walked. 7.20.01
If a large number of route deletes occur in conjunction with a route add to some subnet and a route with a shorter prefix exists for that subnet, then connections setup using the route with the shorter prefix may not be removed when the route add takes place. This results in traffic taking a suboptimal path. 7.03.01
IP directed broadcast packets (e.g. Wake-on-LAN) received on one primary/secondary subnet configured on an interface will not be forwarded to their destination secondary/primary subnet configured on the same interface. Instead it is treated as an IP redirect case. 7.20.02
Redistribution entries into RIP and BGP using route-maps will become inactive after the route-map is deleted. The entry will have to be deleted and reentered. 7.20.01
It is possible for flows to be filtered when their egress interface goes down, even though an alternate route exists. 7.00.01
A system actively using route-maps in packet forwarding decisions may reset when deleting related hardware flow entries. A message similar to "<1>DistServ[x.xxxxxxx]x_lock.5 semTake(12000) failed 3997700 " will be logged. 7.01.03
An IP redirect will be sent for every packet received from one configured subnet on an interface, if it is destined to a different subnet configured on the same interface (e.g. received on the primary subnet destined to a secondary subnet configured on the same interface). These packets will be soft forwarded and subjected to rate limiting (120mbit on N, 30Kpps on S) per ingress ASIC. 7.20.02
SNMP Problems Corrected in 7.21.02.0002 Introduced In:
If the system's default IP address is deleted, the SNMPagent process may enter a loop which consumes a large amount of CPU cycles. "show system utilization" will display this under "SNMP". The problem resolves itself when a default IP address is once again configured. 7.01.02
A single SNMP query to the ipForward MIB table may take several minutes to complete. A typical SNMP query tool will timeout before data is returned. 7.20.01
Spanning Tree Problems Corrected in 7.21.02.0002 Introduced In:
A memory leak may occur when a "show config" command is aborted during processing of Spanning Tree configuration. 5.35.16
SSH Problems Corrected in 7.21.02.0002 Introduced In:
SSH sessions can not be established after running host vulnerability test suite. Unknown
When SSH is used to access the system and then the client 'ssh' command is used to connect to another device, closing the originating remote SSH session will strand the system's SSH client session and accompanying resources. This will result in a loss of remote management connectivity when this process is repeated using up the 4 available remote connections. 7.00.01
If user-A attempts to SSH into the device when there are already three active telnet or SSH sessions, and prior to user-A's authentication (i.e., while the SSH server is waiting for user-A to enter a valid password) user-B creates a fourth telnet or SSH session, then user-A's SSH session will hang indefinitely. 7.00.01
When the CLI pager is enabled, an outbound SSH session may hang. 7.20.01
The following scenario will hang SSH resources: SSH to switch, then Telnet from switch, then exit session with SSH escape sequence "~.". The resources hung are (a) the "tSshM#" task, and (b) one of the four available SSH/Telnet sessions.
Note that the hung resources will eventually be freed if CLI logout is enabled (i.e., "set logout 10" will free resources after 10 minutes). If logout is disabled (i.e., "set logout 0"), then the resources can only be cleared by a management master blade reboot. 7.00.01
Switching Problems Corrected in 7.21.02.0002 Introduced In:
Frames will not be forwarded properly after a reboot when they are received on a LAG port, forwarded by a Static MAC Multicast entry (SMM), and the LAG port is not on the destination list of the SMM. These frames will also not be forwarded if the lag formed after the SMM entry was created. 7.00.01
Untagged layer 2 non-unicast packets destined to a class D IP address and not consumed by IP multicast or the host IP stack are flooded to the wrong VLAN. 7.20.01
System Problems Corrected in 7.21.02.0002 Introduced In:
"show system hardware" displays incorrect dip switch "on/off" settings if switch 1 and 8 are not set to the same value, or if switches were changed after initial boot-up. 6.00.02
A blade running a pre-07_XX_XX image, inserted into a chassis running an 07_XX_XX image, may get stuck in a continuous reset loop. 7.21.01
The 07_XX_XX blades will show the following in the syslog:
<2>DistServ[1.tDsBrdOk]Issuing reboot command to slot # due to version mismatch (1)
The pre-07_XX_XX blade will show the following in its syslog:
<3>Dispatch[7.tDispatch]icpu unk app id: id = 20 ; slot = 5; ver = 0:0
VLAN Problems Corrected in 7.21.02.0002 Introduced In:
"show system hardware" displays incorrect dip switch "on/off" settings if switch 1 and 8 are not set to the same value, or if switches were changed after initial boot-up. 6.00.02
A blade running a pre-07_XX_XX image, inserted into a chassis running an 07_XX_XX image, may get stuck in a continuous reset loop. 7.21.01
The 07_XX_XX blades will show the following in the syslog:
<2>DistServ[1.tDsBrdOk]Issuing reboot command to slot # due to version mismatch (1)
The pre-07_XX_XX blade will show the following in its syslog:
<3>Dispatch[7.tDispatch]icpu unk app id: id = 20 ; slot = 5; ver = 0:0
VRF Problems Corrected in 7.21.02.0002 Introduced In:
VRFs cannot be created without a license key on N-Series Diamond DFE blades. 7.21.01
VRRP Problems Corrected in 7.21.02.0002 Introduced In:
After a VRRP failover, a reset occurs with the following log message. "serverWatchDog.5, client 91(ipIfMgr) in recv for x tics ( 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xeeeeeeee )". 7.00.01
Executing commands "show logging buffer" or "show support" may temporarily prevent proper operation of VRRP and result in the following message "VRRP State Change(event master timeout)". 7.00.01
After a VRRP failover, a reset occurs with the following log message. "serverWatchDog.5, client 91(ipIfMgr) in recv for x tics ( 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xeeeeeeee )". 7.00.01
Feature Enhancements in 7.21.01.0015
Dual IPv4 and IPv6 Management Enhancements in 7.21.01.0015
Support has been added to provide access to all management applications via IPv4 and IPv6.
VRF Enhancements in 7.21.01.0015
Support for multiple VRFs has been added with this release.
An interface configured to a particular VRF is considered a member of that VRF.
VRFs can either be static or dynamic.
Static VRFs employ only static or policy based routing.
Dynamic VRFs employ dynamic routing protocols such as …
• OSPF
• RIP
• PIM
• DVMRP
• VRRP
The default VRF is known as the Global Router and only interfaces assigned to the Global Router may be used to
manage the device.
VRF-Aware LSNAT Enhancements in 7.21.01.0015
With the introduction of VRF support, LSNAT has been modified to operate within a VRF or between a VRF and
the Global Router.
VRF-Aware NAT Enhancements in 7.21.01.0015
With the introduction of VRF support, NAT has been modified to operate within a VRF or between a VRF and
the Global Router.
VRF-Aware TWCB Enhancements in 7.21.01.0015
With the introduction of VRF support, TWCB has been modified to operate within a VRF or between a VRF and
the Global Router.
Route Leaking Enhancements in 7.21.01.0015
With the introduction of VRF support, Static Routing has been modified to allow routes to leak from a VRF to
the Global Router and vice versa.
VRF-Aware Policy-Based Routing Enhancements in 7.21.01.0015
With the introduction of VRF support, Policy Based Routing has been modified to allow inter-vrf routing based on
Route-Maps.
VRF-Aware DHCP Relay Enhancements in 7.21.01.0015
With the introduction of VRF support, DHCP Relay has been modified to allow DHCP requests to be relayed
either within a VRF or between a VRF and the Global Router.
TWCB Enhancements in 7.21.01.0015
The TWCB feature now allows multiple webcaches (http-ports) to be applied to a single interface. The
maximum number of Web Caches has been increased to a chassis maximum of 50.
SSH Enhancements in 7.21.01.0015
SSH Client is now supported allowing outbound SSH sessions.
Secure Copy Enhancements in 7.21.01.0015
Secure Copy file transfer method is now supported.
NetFlow Enhancements in 7.21.01.0015
This release changes the export behavior of Netflow. The N-Series now exports the router interface on routed
frames and the physical interface for non-routed frames. This change was made because in many
configurations a router interface spans multiple physical ports and customers found it difficult to gather
Netflow statistics for a router interface. In a future FW release this behavior will become user configurable.
This release provides several enhancements:
Export controls for Source/Destination MAC address and VLANs,
Multiple export destinations
OSPF Enhancements in 7.21.01.0015
Multiple instances of OSPF are supported.
Support for OSPF wildcard translator is added in 7.21.
A command entered as network 10.10.0.0 255.255.0.0 area 0.0.0.0 is translated to network 10.10.0.0
0.0.255.255 area 0.0.0.0.
License Behavior Enhancements in 7.21.01.0015
A reboot is no longer required after applying an advanced license. (The "set advanced license" command
no longer requires a reboot.)
MIB Enhancements in 7.21.01.0015
Support for Ctron-environment-mib.
Support for the Enterasys-LSNAT-mib.
Support for the Enterasys-NAT-mib.
Support for the Enterasys-TWCB-mib.
GBICs Enhancements in 7.21.01.0015
MGBIC-BX10-U and MGBIC-BX10-D are now supported.
Problems Corrected in 7.21.01.0015
ACL Problems Corrected in 7.21.01.0015 Introduced In:
ACL log message is enhanced to display IP precedence name as well as decimal value. 7.00.01
Only 255 ingress ACLs can be applied. Limit should be 256. 7.02.01
Access list syslog messages are sometimes lost. 7.11.01
ACL log messages for permit and deny actions may not be logged as often as expected. 7.03.01
Changing an Access List that is applied inbound to an interface such that it no longer denies IP
multicast traffic, does not take effect until the interface is bounced, or the 'mroute' is cleared. 7.00.01
An extended ACL rule setting a DSCP value of 10 (AF11) is incorrectly displayed as CS7 by the
show config or show running config commands. 7.11.01
In access list lookup, rules that reference the TOS byte (Precedence:3 bits, TOS:4 bits, or
DSCP:6 bits) were incorrectly checking the entire 8 bit packet tos byte against the rule. This
could result in matching the wrong rule and returning the wrong permit/deny action from the
lookup. 7.11.01
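The TOS-byte lookup problem in the last ACL entry above can be reproduced with a small model. This is an added example, not vendor code: the rule structure, the first-match lookup and the exact form of the defective comparison are assumptions made for illustration, and the rule set and packet byte are constructed.

```python
# Added example, not vendor code: field-aware matching on the IPv4 TOS byte.
from dataclasses import dataclass

# Position of each field inside the 8-bit TOS byte: (mask, right shift).
FIELDS = {
    "precedence": (0xE0, 5),  # upper 3 bits
    "tos": (0x1E, 1),         # 4 TOS bits below precedence
    "dscp": (0xFC, 2),        # upper 6 bits
}


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    field: str   # key of FIELDS
    value: int   # field value, e.g. 10 for DSCP AF11


def match_whole_byte(rule: Rule, tos_byte: int) -> bool:
    """Model of the defect (assumed form): the rule value, shifted into its
    bit position, is compared against all 8 bits of the packet's TOS byte."""
    _, shift = FIELDS[rule.field]
    return tos_byte == (rule.value << shift)


def match_masked(rule: Rule, tos_byte: int) -> bool:
    """Corrected comparison: isolate the rule's field before comparing."""
    mask, shift = FIELDS[rule.field]
    if not 0 <= rule.value <= (mask >> shift):
        raise ValueError(f"{rule.field} value {rule.value} out of range")
    return (tos_byte & mask) >> shift == rule.value


def lookup(rules, tos_byte, matcher, default="deny"):
    """First-match ACL lookup; returns the action of the first matching rule."""
    for rule in rules:
        if matcher(rule, tos_byte):
            return rule.action
    return default


# Constructed rule set: drop precedence-1 traffic, then permit DSCP AF11.
SAMPLE_RULES = [Rule("deny", "precedence", 1), Rule("permit", "dscp", 10)]
# Constructed packet byte: DSCP 10 (AF11) is 0b00101000 = 0x28; its top 3 bits are 001.
SAMPLE_TOS = 0x28

if __name__ == "__main__":
    for name, fn in (("whole-byte", match_whole_byte), ("masked", match_masked)):
        print(f"{name:10s} -> {lookup(SAMPLE_RULES, SAMPLE_TOS, fn)}")
```

With the whole-byte comparison the precedence rule is skipped and the packet falls through to the later permit, which is the wrong-rule outcome the entry describes.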
ARP Problems Corrected in 7.21.01.0015 Introduced In:
It is possible to configure static ARP entries with a broadcast MAC address using the 'set arp'
command. 7.00.01
With proxy-arp enabled you may be unable to ping the LSNAT VIP interface. 7.01.02
A reset may occur when processing ARP packets that change an existing MAC to IP address
association. This crash is timing dependent and very rare. 7.00.01
CDP Problems Corrected in 7.21.01.0015 Introduced In:
If multiple neighbors are connected on the same port, CDP MIB calls will not return all
neighbors. 7.00.01
Occasionally when an invalid Ctron CDP packet is received, the system will reset. 5.42.xx
CiscoDP Problems Corrected in 7.21.01.0015 Introduced In:
The "set ciscodp port" command fails to set the command options "cos-ext", "trust-ext", or
"vvid" when more than one of the options are specified in a single command. This does not
issue an error message but it fails to set the commanded values. 5.31.17
"show config" can potentially reset while displaying the CiscoDP portion of the configuration. 5.14.04
A CDP mib request will not return a neighbor if configured to have a CiscoDP neighbor on a
lower port number than the CDP neighbor. 5.42.xx
DHCP Problems Corrected in 7.21.01.0015 Introduced In:
Malformed DHCP request (missing End option) sent to DHCP server causes reset. 7.00.01
Instances of VRRP in the backup state may transition to master during heavy load of DHCP
requests. 7.00.01
Setting 'ip dhcp ping packet' to zero causes all leases to be blocked. 7.00.01
DVMRP Problems Corrected in 7.21.01.0015 Introduced In:
The CLI command "show ip dvmrp route address" is not able to show route by IP address. 7.00.01
Hardware Problems Corrected in 7.21.01.0015 Introduced In:
Duplicate buffer errors can cause board resets. 7.00.01
Host Problems Corrected in 7.21.01.0015 Introduced In:
An extra newline ('\n') is added to the banner commands (motd and login) after utilizing the
'configure <file>' command. 6.00.02
When executing a 'show rmon history' command after a 'set length' command, 'q' or 'control-c'
will not function. 1.07.19
A blade reset can occur when setting the RADIUS accounting server MIB with an incomplete
RADIUS accounting server configuration or when setting the accounting timeout or retries
values. 7.11.01
If a user logs in via SSH and RADIUS is enabled, two authentication requests are sent to the
RADIUS server. 7.03.01
The following message is seen at boot up:
EM[4.SNMPSubAgt]pethPsePortMan::etsysPsePortCapabilitySelectTest(): value 2 is not
supported on powerDsinePoE. 6.12.01
Console or Telnet sessions may become unresponsive to input after issuing the command
"show ip protocol". 7.00.01
HostDos Problems Corrected in 7.21.01.0015 Introduced In:
The HostDos 'LanD' and 'BadSip' threats are incorrectly disabled by default. 7.11.01
'hostDoS synFlood' is incorrectly triggered on TCP packets with SYN-ACK bits set. 7.00.01
ICMP Problems Corrected in 7.21.01.0015 Introduced In:
DSI reset occurs after an ICMP request sourced from an IPv4 address of the router destined to
another IPv4 address of the router at a rate of 200+ pkt/sec. 7.00.01
ICMP redirects will be sent to the source of the packet whenever the ingress and egress
interface of the routed packet is the same. In the past, routing packets between two subnets
configured on the same interface would not result in redirects. 7.00.01
Router will send ICMP redirects to remote hosts. It should only send redirects to directly
connected devices. 7.00.01
The range of the ping command's "-c <number of ping packets>" option should be 1 to
4294967295 (0xffffffff).
Entering "-c" in the range of 0x80000000 to 0xfffffffe results in zero packets being sent.
Entering a "-c" value of 0xffffffff results in the switch rapidly and continuously sending pings.
The switch should send ICMP-Echo requests at the default interval of 1 per second, but in this
case there is no delay between each received ICMP-EchoReply and transmission of the next
ICMP-Echo request. This will generate a flood of ICMP packets. 7.00.01
IGMP Problems Corrected in 7.21.01.0015 Introduced In:
If a blade containing a static IGMP config is inserted into a chassis, with no static IGMP config,
the chassis will incorrectly accept the static from the new blade. This may result in traffic
being mis-directed. 7.11.01
During module resets, "CIgmpEtsc::DelDestVlanFromSrcVlanRebuildCalc srcVid = destVid"
messages may appear in messageLog syslog. 7.01.02
"show ip igmp groups group <group_address>" does not display all groups (group/interface). 7.00.01
The command "show ip igmp groups" incorrectly classifies IGMP version 1 reporters as IGMP
version 2. 7.00.01
If "show igmp flows" or "show igmp reporters" is run in a loop, the device will eventually reset
due to lack of memory. 7.00.01
If a device's configuration contains any static IGMP settings for VLAN "x" and set igmp delete
"x" is executed at the CLI, after the next reset, a show config at the CLI may cause a
permanent hang, requiring a system NONVOL clear. 7.03.01
When a static IGMP group is set to include a LAG port, a routed flow may not properly be sent
to the static destination. 7.11.01
If "show igmp groups" is executed from the CLI or telnet, an entry with a group address of
"0.0.0.0" may display in the database output. 7.00.01
When adding an IGMP static, it is possible to see nonvol block move update messages on the
CLI. 7.11.01
It is possible for a reset to occur while appending a configuration from a file with an error log
stating: ‘tDistServ x_lock.2 semTake(12000) failed’. 7.00.01
Any IGMP protocol packet with a packet length set to a value lower than actual IP header
packet length will cause IGMP to reset with a DSI error as below:
'Exc Vector: DSI exception (0x00000300) Thread Name: tIgmpInp'. 6.12.01
If an IGMP protocol packet is received with an IP option length of 0, IGMP may spin in an
endless loop taking 100% CPU in the 'igmpInputTask'. 7.01.02
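The last two IGMP entries above describe input that a receive path has to reject before use: an IP total length smaller than the header, and an IP option whose length octet is 0. The following is an added example, not vendor code, showing those checks on constructed packets; the function names and the sample addresses are assumptions.

```python
# Added example, not vendor code: validate IPv4 lengths and options before IGMP handling.
import struct

IPPROTO_IGMP = 2


class MalformedPacket(ValueError):
    pass


def walk_options(opts: bytes):
    """Return [(type, data)] for the IPv4 options area, rejecting bad lengths."""
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:      # End of Option List
            break
        if kind == 1:      # No-Operation, single octet
            i += 1
            continue
        if i + 1 >= len(opts):
            raise MalformedPacket("option has no length octet")
        length = opts[i + 1]
        # The length counts the type and length octets, so it is at least 2.
        # A walker that trusts 0 here never advances: the endless loop in the note.
        if length < 2:
            raise MalformedPacket(f"option length {length} is below 2")
        if i + length > len(opts):
            raise MalformedPacket("option runs past the header")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def parse_igmp(packet: bytes):
    """Return (options, igmp_payload) or raise MalformedPacket."""
    if len(packet) < 20:
        raise MalformedPacket("shorter than a minimal IPv4 header")
    if packet[0] >> 4 != 4:
        raise MalformedPacket("not IPv4")
    header_len = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if header_len < 20 or header_len > len(packet):
        raise MalformedPacket("bad IHL")
    if total_len < header_len:
        raise MalformedPacket("total length is smaller than the IP header")
    if total_len > len(packet):
        raise MalformedPacket("total length exceeds captured bytes")
    if packet[9] != IPPROTO_IGMP:
        raise MalformedPacket("not IGMP")
    return walk_options(packet[20:header_len]), packet[header_len:total_len]


def build_packet(options=b"\x94\x04\x00\x00", total_len=None):
    """Constructed packet: IPv4 header + options + IGMPv2 query (checksums left 0)."""
    igmp = bytes([0x11, 0x64, 0, 0, 0, 0, 0, 0])
    header_len = 20 + len(options)
    if total_len is None:
        total_len = header_len + len(igmp)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | header_len // 4, 0xC0, total_len,
                         0, 0, 1, IPPROTO_IGMP, 0,
                         bytes([192, 0, 2, 1]), bytes([224, 0, 0, 1]))
    return header + options + igmp


def verdict(packet: bytes) -> str:
    """Return 'ok' or the reason the packet was rejected."""
    try:
        parse_igmp(packet)
        return "ok"
    except MalformedPacket as exc:
        return str(exc)


if __name__ == "__main__":
    print(verdict(build_packet()))                            # Router Alert option
    print(verdict(build_packet(total_len=16)))                # length below header
    print(verdict(build_packet(options=b"\x94\x00\x00\x00"))) # option length 0
```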
IP Helper Problems Corrected in 7.21.01.0015 Introduced In:
'no ip directed-broadcast <acl Name>' only removes the ACL from the command. 7.11.01
'ip directed-broadcast' shows up on loopback interfaces that have the same number as VLAN
interfaces that have directed-broadcast configured. 7.11.01
'syncBegin: mode:master Sending global config for vrf' syslog message shows up during
system bootup. 7.00.01
DHCP relay is not forwarded back to client when 'ip helper-address' is a directed broadcast
address. 7.11.02
IPv6 Problems Corrected in 7.21.01.0015 Introduced In:
Receipt of IPV6 packets with malformed IPV6 option headers could lead to resets. 7.00.01
LAG Problems Corrected in 7.21.01.0015 Introduced In:
Packets are not forwarded over LAG after reset. 7.00.01
LLDP Problems Corrected in 7.21.01.0015 Introduced In:
Display of LLDP port configuration for management address tx-tlv may reflect only a subset of
the actual configuration. 5.42.04
When a management IP is not present, the command "show lldp port local-info" will fail to
run. An error message of "Set failed" will be returned when executing the command. 5.42.xx
When a management IP address is not present, the command "show config" will not display
all of the LLDP configuration. 5.42.xx
If the management IP address is not present, the command "show config" will not display all
the LLDP configuration. 5.42.xx
Occasionally when a blade is reset, the remaining blades will not show 'set lldp port tx-tlv
mgmt-addr' configuration of the reset blade ports in 'show config', even when the blade is
operational again. 7.00.01
If malformed LLDP, CtronDp, or CiscoDp packets are received, the router occasionally enters a
state where new neighbors cannot be added. 5.42.xx
MAC Locking Problems Corrected in 7.21.01.0015 Introduced In:
The clear maclock stations "type static" parameter will not remove static maclock stations if
used with the port-string parameter. 7.00.01
Mirroring Problems Corrected in 7.21.01.0015 Introduced In:
The CLI command 'show mirror' does not display mirror index configuration. 7.00.01
Policy mirror to a LAG and physical port can be configured, but is unsupported. Only one of
the mirror ports will mirror the traffic. 7.11.01
The syslog audit for the CLI command 'set mirror create' and 'set mirror enable/disable' will
incorrectly display the 'create', 'enable', or 'disable' keywords twice in the syslog message
string. 7.00.01
A port mirror may not be operational when it is part of a N:1 IDS mirror that includes a source
that is also configured as an enhanced port mirror interface. 7.11.01
NAT Problems Corrected in 7.21.01.0015 Introduced In:
A reset 'tDSrecv5' may occur while processing NAT packets. 7.11.01
At times it is possible that a message like Dispatch[1.tRtrASvcMain]0x103e328 : -43 =
(0x2ebb24d, 54, *0x24ffbe68=20 ) could be displayed, without causing any adverse effects. 7.11.01
NDS Problems Corrected in 7.21.01.0015 Introduced In:
When multiple NDS protocols are enabled for a given port, disabling transmission of one
protocol causes the neighbor to be aged out of the neighbor table of the receiving device. In
this case, the neighbor should not be aged out of the table since it should still be receiving
NDS packets. 5.31.17
NetFlow Problems Corrected in 7.21.01.0015 Introduced In:
The Netflow Template Timer has a valid range of 1-3600 minutes. However the MIB allowed a
setting of 0. 4.00.50
The 'etsysNetflowExportInterface' MIB table should report all interfaces as an ingress or
egress port in netflow records. The host interface should be reported as an egress interface,
but was not included in this table. 4.00.50
After netflow is disabled on a port, non-forwarding flows that had been established prior to
the port being disabled, would still have netflow records generated for them. 4.00.50
In all previous firmware revisions the netflow cli reported error stats incorrectly. Records
Dropped were reported as "Export Packets Failed". 4.00.50
OSPF Problems Corrected in 7.21.01.0015 Introduced In:
When running OSPF and configuring multiple neighbors, a DSI can occur in thread tRtrPtcls
with the following message, "<PRD_NBASE>() Assertion Failed:'nbr_cb->parent_interface_cb
== if_cb' ". 7.00.01
When running OSPF, a DSI can occur in thread tRtrPtcls with the following message displayed
"SMS assert in qorcfnd3.c at line 125 : (null) external_route_cb != NULL 0 (null) 0". 7.00.01
When running OSPF in an NSSA area, the route table will display routes as E1/E2 for external
instead of N1/N2 for nssa-external. 7.00.01
When running OSPF in an NSSA area and a path metric or metric-type change is made to an
nssa-external route, the translated type 5 LSA will not reflect the change. 7.00.01
When a RADIUS server is reachable via routes learned from OSPF, large amounts of traffic
requiring authentication can inhibit the forming of OSPF adjacencies, resulting in the users
delaying or never authenticating. 7.00.01
OSPF areas cannot be configured to use authentication. Commands are accepted, but have no
effect. The command has been deprecated; authentication is now configured on an interface
instead of area. 7.00.01
When running OSPF, if previously configured NSSA areas are removed, the router will
continue to advertise itself as ASBR even if it is not. 7.00.01
When OSPF graceful restart is enabled, 'clear ip ospf' process will execute gracefully without a
warning to the user. 7.00.01
When removing administrative distance configuration for OSPF, internal and external distance
must be negated separately. 7.00.01
A reset occurs due to an assertion failure within OSPF when a neighboring router resets. The
following message is logged; '<3>sms[5.tRtrPtcls]SMS assert in qonmlst2.c at line 381 : (null)
retrans xmit_ref_count == 0 0 (null)'. 7.00.01
The syslog message 'Error joining Multicast group. ips->return_code' appears when two OSPF
instances are configured on the router. 7.11.01
When filtering OSPF routes from the route table using a filter route-map, a match on route-src
will fail. 7.11.01
Unclear error message is returned when attempting to configure OSPF without an advanced
license. "Error creating OSPF process 2: AMB_RC_NO_SUCH_OBJECT". 7.00.01
'Error joining Multicast group. ips->return_code' syslog message after a blade has been added
or removed. This message can also appear when 2 or more OSPF instances are configured. 7.03.01
When running OSPF, with aggregates configured, a DSI can occur in thread 'tRtrPtcls', with the
following message "SMS assert in qorcagg.c at line 118 : (null) route_entry->path_type !=
QORC_PATH_TYPE2_EXT 0 (null) 0". 7.00.01
PIM Problems Corrected in 7.21.01.0015 Introduced In:
An Anycast-RP peer does not send register messages to other Anycast-RP peers for some
multicast streams. 7.00.01
A DSI Exception message with Thread Name 'MRTM' will be logged on the routing master
blade and the blade resets when PIM-SM is enabled. 4.00.50
New Designated Router (DR) does not register to Rendezvous Point (RP) when the DR
changes. 7.00.01
If a PIM BSR Candidate is configured with a non-default priority, changing the BSR Candidate
address without setting a new priority does not reset the configured priority. 7.00.01
IP multicast flows, for which PIM does not have an RP, show up in "show ip mroute" with a
null inbound interface, however with no Flag indicating it is a Null Forwarding Entry, and these
entries will never age out. 7.00.01
Multicast flows do not recover after reset and show up in mroute table with "null" as the
inbound interface. 7.00.01
Multicast flows are not received by all reporters after the source router is reset. 7.00.01
PIM/SNMP Problems Corrected in 7.21.01.0015 Introduced In:
Walking the 'pimStdMIB' causes the chassis to hang when a Candidate RP is configured with
only priority, no group/mask configured. 7.00.01
Platform Problems Corrected in 7.21.01.0015 Introduced In:
On N-Series hardware the entPhysicalTable is not updated for fans and power supplies until
60 seconds after the system is manageable. 7.00.01
Doing a large configuration (data sets) under load may cause the background copying of the
redundant stores to fail. The following would be seen in the log file:
‘NonVol[2.tDSrecv7]bulkMoveRecv_dd:failed to get copy of store 1’. 7.11.01
System instability may result in a message log entry with "Chassis coherency timeout
exceeded, resetting". 7.00.01
PoE Power Redundancy status is not present in the 'show system hardware' CLI. 7.00.01
When a blade fails to unexpectedly shutdown another blade, contact between the two can be
lost until reset. 7.01.02
The physical 'assetId' for power supply is not read/writeable. 7.00.01
Blade to blade communication can be corrupted under heavy data rates. 7.00.01
Jumbo frame contents can be corrupted upon reception. 7.00.01
A fast interface 'oper status' change of up/down/up could result in filter connections being
put in place for packets egressing the interface that are not removed on the final transition of
'oper status' to up. 7.11.01
Reset may occur in a chassis with more than 64 "loop" interfaces configured. 7.00.01
At boot time the following messages may be seen in the log. Some configuration settings will
be missing as a result.
<3>NonVol[8.tusrAppInit]get_data(9,43006,0x131e4080,168):openRdGet(8,2654,0x9,-1)==8
<3>NonVol[8.tusrAppInit]nvFilePtrMgr::fopen_rb(1,8,2654,9,-1)
fopen(/flash1/nonvol/8/b0002654.009,ab+) filePtr == NULL errno=3670019 7.00.01
If 06.12.07.XXXX or 06.12.08.XXXX image is used on a 7KR4297-04, 7KR4297-02, 7KR4290-02,
7K4297-04, 7K4297-02, 7K4290-02, or 7K-2XFP-6MGBIC blade, this debug message "<163>Nov
17 09:36:53 100.10.10.3 MeigsIIE[5.tMacPoll]chip1GPortErrHandler(6): val = 0xffffffff != 0x5FF
for port 0" may occasionally show up while the blade is being shut down. 6.12.07
PoE Problems Corrected in 7.21.01.0015 Introduced In:
The following error messages are seen when selecting 8023.at capability on POE DFE:
'PEM[5.SNMPSubAgt]pethPsePortMan::etsysPsePortCapabilitySelectSet():
bcPoESetPortCapabilitySelectSet(0, 2) failed'. It should report 'not supported'. 6.12.01
Going from auto POE power allocation to manual POE power allocation leads to power
available mismatch. 7.00.01
'show system hardware' CLI display is inconsistent between DFE and S when displaying PoE
Firmware Version and there is no PoE power applied; DFE displays "Unknown" and S displays
"Unavailable". 7.00.01
The following error message instead of 'not supported' is seen when selecting power limit
greater than 20000 on DFE:
PEM[1.SNMPSubAgt]pethPsePortMan::etsysPsePortPowerLimitSet():
pdPoESetPortPowerLimit(0, 34000) failed. 6.12.01
Sometimes a message similar to "i2c:I2C Bus 6.4 fault <3>i2c[4.tPoeIntr]I2C Bus 6.4" is logged. 7.11.01
Policy Problems Corrected in 7.21.01.0015 Introduced In:
Policy storing a large number of files to nonvol causes errors at boot up. 7.00.01
QoS Problems Corrected in 7.21.01.0015 Introduced In:
Removing a cos txq, irl or flood-ctrl group entry and resetting the device may cause the port
bindings to map to a different group after reset. 5.42.xx
RADIUS Problems Corrected in 7.21.01.0015 Introduced In:
Watchdog timeout DSI can occur when RADIUS authentications are occurring before the
chassis reaches a steady state fully operational status. 7.00.01
RIP Problems Corrected in 7.21.01.0015 Introduced In:
RIP Split-horizon and poison reverse is not working on ECMP interfaces. 7.00.01
RIP text authentication did not add the text key to the RIP packets when sending to a peer.
Peers would reject the packets when receiving the packets. 7.00.01
Passive RIP interfaces will not be restored when using configure command. RIP interfaces will
boot in default state of active. This is only seen when said interfaces have MD5 authentication
configured. 7.11.01
RMON Problems Corrected in 7.21.01.0015 Introduced In:
Occasionally after configuring RMON host and topN parameters, a slot reset may occur with a
message similar to "freeing memory in free list PARTITION: 0x33ac8f8 PTR=0x19f6d710
BLOCK: free block at 0x19f6d710, 60 bytes". 5.01.58
When running an RMON capture in a busy system, memory allocations may be made for
packet capture that may not be released. The amount of memory loss depends on the size of
the packet for capture. The amount of capture packets resulting in a memory leak is
dependent on how busy the system is and the rate of packets for capture. A system in this
state will eventually run out of memory and the system will reset if it continues in this state
for a long period of time. 7.00.01
Route Maps Problems Corrected in 7.21.01.0015 Introduced In:
The ‘route-map clear counters’ command does not clear the counters of the final entry. 7.11.01
Route-Maps being used in conjunction with 'IP Policy Priority Only' may incorrectly drop
frames. 7.11.01
Router Problems Corrected in 7.21.01.0015 Introduced In:
After a reset event when the system has multiple equal cost paths for a route, 'tDSrecv5' DSI
may occur. 7.00.01
Routing Problems Corrected in 7.21.01.0015 Introduced In:
When route table limit is set to 25000, a 'clear router' causes the OSPF LSA 3 and 5 limits to be
set to 3000 and 4000, respectively. These are the limits for a route table of 12K. After a 'clear
router', these limits are not removed from the router config. 5.11.21
Unable to configure 256 interfaces on N system. 7.00.01
Upon initial configuration of a device, if the default IP interface <x> is specified before that
interface is created, it may remain in the "oper down" state and thereby not be installed in
the IP route table. This is correctable by issuing a 'config->interface <x> no shutdown'
command. 7.00.01
The command "show router limits" claims that 278 interfaces can exist at the same time, but
only 277 interfaces can actually exist at the same time. 7.00.01
Nexthop addresses in static routes must not equal any configured address, but it was possible
to add/change an interface IP address to equal the value of nexthop in a static route. 7.00.01
Reject and black hole routes are not programmed in the IP stack. 7.11.01
The command 'show ip route <address>' would not display the default route, for any address
reachable via the default route. 7.00.01
Removing a router interface involved in any router configuration may cause a reset. 7.01.03
A "Watchdog Timeout Exception" occurs with process 'tDSrecv5', after clearing then
re-applying the router configuration. 7.00.01
When deleting static routes configured with a nexthop and interface, the interface given did
not need to match the static route in order for the command to be successful. 7.00.01
A route tag value of 0 was allowed when configuring a static route, though the value of 0 was
ignored. A value of 0 should not be allowed during configuration. 7.11.01
Users could add a blackhole or reject route and a forwarding route to the same subnet. The
last route entered would be promoted to the route table. 7.11.01
The command 'show ip route' with subnet and mask or subnet and prefix length entered as
arguments will not display blackhole nor reject routes. 7.11.01
The command "ip forwarding" does not appear in the output for the "show running-config all"
command. 7.11.01
The command 'set ip address x.x.x.x mask x.x.x.x' will change the IP address of the default
interface without interactively verifying that the user is aware of the impact of the change to
system reachability. 7.11.03
The help text of "interface" command under configuration mode incorrectly shows that it is
valid to enter an alias name. 7.00.01
When configuring static routes using the form of the command 'ip route
<subnet>/<prefix-length> vlan <vlan-id>' the vlan-id value was not validated resulting in a
recursive static route configured with a nexthop of 0.0.0.0. 7.00.01
SNMP Problems Corrected in 7.21.01.0015 Introduced In:
The Extreme Networks 'etsysMgmtAuthFailNotification' and
'etsysMgmtAuthSuccessNotification' traps encode their 'etsysMgmtAuthInetAddress' variable
incorrectly. The bound value is an ASCII representation of the 'InetAddress', rather than the
'InetAddress' itself. If for example an authentication failure originates from '10.21.1.84', the
trap 'etsysMgmtAuthInetAddress' variable will contain octet data '31 30 2E 32 31 2E 31 2E 38
34' rather than '0A 15 01 54'. 7.00.01
The SNMPv2 'authenticationFailure' trap encodes its 'etsysMgmtAuthUserName' variable
incorrectly. The bound value contains 24 octets consisting of the correct name followed by
garbage. If for example an SNMP message specifies an unsupported community name of
'foobar', the trap 'etsysMgmtAuthUserName' variable will contain octet data '66 6F 6F 62 61
72 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx' (xx = indeterminate octets) rather than
'66 6F 6F 62 61 72' (which is the ASCII representation of 'foobar'). 6.01.01
'ifLastChange' (1.3.6.1.2.1.2.2.1.9) may report an incorrect value on startup which could be
greater than the value of 'sysUpTime' (1.3.6.1.2.1.1.3.0). 1.07.19
The IP-Forwarding MIB inetCidrRouteEntries would not be displayed if the board contained no
forwarding interface. This support has been added. 7.00.01
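A trap receiver that collects authentication traps from a mixed fleet sees both encodings of 'etsysMgmtAuthInetAddress' described in the SNMP entries above. The following is an added example, not vendor code, that normalizes either form and lists the senders still using the ASCII form; the sender names and the (sender, octets) record shape are assumptions, and the octet values are the two quoted in the entry.

```python
# Added example, not vendor code: accept both encodings of etsysMgmtAuthInetAddress.
import ipaddress


def normalize_inet_address(octets: bytes):
    """Return (ip_address, encoding) with encoding 'binary' or 'ascii'."""
    # Four octets can only be a packed IPv4 address: dotted-quad text needs at least 7.
    if len(octets) == 4:
        return ipaddress.IPv4Address(octets), "binary"
    # Firmware without the fix sends the printable form, e.g. b"10.21.1.84".
    try:
        return ipaddress.ip_address(octets.decode("ascii")), "ascii"
    except (UnicodeDecodeError, ValueError):
        pass
    # Sixteen octets that are not address text are a packed IPv6 address.
    if len(octets) == 16:
        return ipaddress.IPv6Address(octets), "binary"
    raise ValueError(f"unrecognised InetAddress value: {octets.hex(' ')}")


def audit_traps(traps):
    """traps: iterable of (sender, raw_octets).

    Returns (events, legacy_senders): events holds (sender, source_ip or None),
    legacy_senders lists devices that sent the ASCII form and so lack the fix."""
    events, legacy = [], set()
    for sender, raw in traps:
        try:
            ip, encoding = normalize_inet_address(raw)
        except ValueError:
            events.append((sender, None))  # keep the event, flag it as undecodable
            continue
        events.append((sender, str(ip)))
        if encoding == "ascii":
            legacy.add(sender)
    return events, sorted(legacy)


# Constructed trap records; sender names are hypothetical.
SAMPLE_TRAPS = [
    ("switch-a", bytes.fromhex("31302E32312E312E3834")),  # ASCII "10.21.1.84"
    ("switch-b", bytes.fromhex("0A150154")),              # packed 10.21.1.84
]

if __name__ == "__main__":
    events, legacy = audit_traps(SAMPLE_TRAPS)
    print(events)
    print("ASCII-encoding senders:", legacy)
```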
SNTP Problems Corrected in 7.21.01.0015 Introduced In:
"show sntp" displays version 3 rather than 4. 6.00.02
SSH Problems Corrected in 7.21.01.0015 Introduced In:
After running a stress test in which many SSH sessions are connected and disconnected, it is
possible that only one SSH session may be established. 6.01.01
During certain stress tests designed to attack TCP port 22, it is possible for SSH sessions to
become stuck in an inoperable state. The result is new SSH connections will not be accepted. 7.00.01
When an SSH user logged into the system the IP address shown in the log message was
incorrect (0.0.0.0). 7.00.01
After a reboot, a misleading log message may appear: "SSH Server reinitialized". 7.00.01
When a user disables SSH, a misleading log message appears: "server reinitialized". 7.00.01
Re-initializing the SSH server, while active SSH sessions are open, can cause a system reset. 7.11.01
Pasting a large number of characters into an SSH session can cause the session to lock up and
be disconnected. 7.00.01
Under certain conditions SSH sessions can be stranded where both 'ro' and 'admin' sessions
are no longer connected, but the device still sees them, and they never timeout. 7.00.01
If a user re-initializes the SSH server an unnecessary log message appears: "SSH Server
reinitialized". 7.11.01
If a user executes the "show support" command and this command takes longer to complete
than the CLI session timeout, the SSH session can hang. Attempts to kill the session with the
"disconnect" command are unsuccessful. 7.11.01
SYSLOG Problems Corrected in 7.21.01.0015 Introduced In:
Occasionally 'tWatchDog' reset occurs without producing a core file. 1.07.19
Temporary configuration entries will show up in the running config when the command "set
logging here enable" is entered from a telnet or SSH session. The temporary entries for
example look like this:
set logging server 6 ip-addr localhost descr
[email protected](telnet) state enable. 1.07.19
Output from command "show logging buffer" or "show support" will become stranded and
result in information stating "show support is currently running in another session." 1.07.19
Telnet Problems Corrected in 7.21.01.0015 Introduced In:
Telnet session disconnects during a config append operation. 1.07.19
VRF Problems Corrected in 7.21.01.0015 Introduced In:
Diamond HW license remains after Diamond module is removed and subsequent chassis
reboot. 7.00.01
VRRP Problems Corrected in 7.21.01.0015 Introduced In:
'vrrp critical-ip <vrid> <ipv4 address> <priority>' allows addresses of 224.0.0.0 to
239.255.255.255 and 255.255.255.255. 7.00.01
'ip vrrp' commands are configurable under loopback interface. 7.11.01
'CRITICAL IP Interface Down' syslog message does not appear the first time that the interface
is down. 7.00.01
Modifying an existing 'critical ip' command by changing priority causes the state of the 'critical
ip' to go down and cannot be brought up. 7.00.01
A 32-bit host route matching a non-owner VRRP IP address will not be removed from the FIB
when the route is deleted causing connectivity issues to the IP address when accept-mode is
configured. 7.00.01
Problems Corrected in 7.11.03.0001
802.1d Filter Database Problems Corrected in 7.11.03.0001 Introduced In:
When MAC age time is changed, occasionally the new age time will not be applied to learned
MAC addresses that were present at the time of the change. This problem will happen only
very infrequently. For the vast majority of age time changes, the problem will not be seen. 6.01.01
When the MAC age time is modified, some learned mac addresses that existed in the
database at time of MAC age time modification, may no longer be aged. This issue will occur
only very infrequently. For the vast majority of instances where the mac age time is modified,
this issue will not occur. 1.07.19
Packet Dispatch Problems Corrected in 7.11.03.0001 Introduced In:
Chassis sequence errors reported to syslog. 7.00.01
File Management Problems Corrected in 7.11.03.0001 Introduced In:
Slot may remain segmented from rest of the chassis, with older version of software installed. 7.00.01
Management Problems Corrected in 7.11.03.0001 Introduced In:
When there is a fan or power supply status change in the chassis, there will not be a chassis
MIB entConfigChange trap notification generated. 7.11.01
When pethPsePortTable is queried with request type GetNext, certain entries are skipped. 7.00.01
When ctBroadcastCtlTable is queried with request type GetNext, certain entries are skipped. 7.00.01
When etsysJumboEnetFrameTable is queried with request type GetNext, certain entries are
skipped. 7.00.01
Spanning Tree Problems Corrected in 7.11.03.0001 Introduced In:
The MSTI Bridge Priority field in an MSTI message will contain an incorrect value if the MSTI
bridge priority differs from the CIST bridge priority. This may result in a topology that differs
from the configured topology. This may also cause a port to remain in a disputed condition
and to not reach the forwarding state. 7.00.01
Problems Corrected in 7.11.02.0003
ACLs Problems Corrected in 7.11.02.0003 Introduced In:
Discontiguous wildcards are not allowed in the configuration of access list rules. 7.00.01
ARP Problems Corrected in 7.11.02.0003 Introduced In:
If the number of dynamic ARP entries learned was equal to the maximum number of entries
that could be contained in the ARP table, the user would be blocked from adding any static
ARP entries. 7.00.01
Link Flap Problems Corrected in 7.11.02.0003 Introduced In:
The CLI command "set linkflap action" could cause a DSI/reset in the master blade if another
blade in the chassis is reset/pulled during its execution. The following syslog messages can be
found when this happens:
Emanate[1.tCLI0]freed octet string with separate octet_ptr
Default[1.tCLI0]memPartFree: invalid block 0x40 in partition 0x1d48008
Also a DSI exception with Task tCfgCLI, and injection point memPartLib.c will be created. 5.01.58
NetFlow Problems Corrected in 7.11.02.0003 Introduced In:
For flows containing an Authentication Header, Netflow reports the incorrect protocol type.
Protocol type 51 is being reported instead of the real protocol type (TCP/UDP/etc). 7.00.01
Netflow may log messages similar to:
"Default[1.tNetflow]Bad fd state 'closed' detected in POST:__wrap_bind expected open for
FD = 149". During this event, netflow may fail to export records. 7.00.01
When Netflow is enabled, then disabled, and there is no other configuration present to force
flow establishment at Layer 4, flows should no longer be establishing at Layer 4. However
flows would still be established at Layer 4. 7.03.01
OSPF Problems Corrected in 7.11.02.0003 Introduced In:
When running OSPF with a heavy traffic load with virtual links, a DSI exception can occur in
thread tRtrPtcls. 7.11.01
When running OSPF, a DSI can occur in thread tRtrPtcls with the following message "SMS
assert in qodmfsm.c at line 880 : (null) INVALID BRANCH 0 (null) 0" displayed. 7.00.01
When running OSPF, a DSI can occur in thread tRtrPtcls with the following message displayed
"SMS assert in qopmrst2.c at line 717 : (null) lsa_header->ls_type ==
QOPM_LSA_TYPE_NETWORK 0" 7.00.01
Platform Problems Corrected in 7.11.02.0003 Introduced In:
When a physical alias is configured for a port on a blade that has the portable config switch
set, and that blade is moved to another slot in the chassis or a different slot number in a
different chassis, a message similar to the following may be seen during that blade's
initialization:
<3>Entitymb[3.tusrAppInit]registerPhysicalEntry():(1,14,14,3):No free entries for specified
type. 7.00.01
PoE Problems Corrected in 7.11.02.0003 Introduced In:
POE redundancy status shown as 'not supported' in POE capable chassis. 6.12.01
PWA Problems Corrected in 7.11.02.0003 Introduced In:
Malformed TCP packet options length field will cause tLwipTCP task to consume nearly all CPU
resources while using Web-Based authentication (i.e. Port Web Authentication (PWA)). 5.41.25
With PWA enabled, occasionally a blade will reset due to a DSI exception with Thread Name
"tLwipTCP". 7.00.01
RIP Problems Corrected in 7.11.02.0003 Introduced In:
RIP network commands are missing after upgrade from release 6.12 to 7.11.01, causing RIP to
be non-operational on affected interfaces. 7.11.01
A reset occurs when RIP keychains are configured after system is rebooted.
The following error is in the message log.
“<165>Oct 12 15:25:22 120.100.100.7 Default[4.tDSrecv5]freeing invalid block, possible
overrun or underrun
PARTITION: 0x1f88948
PTR=0xc8dbfd0
BLOCK: allocated at 0x0c8dbfd0, 275 bytes” 7.11.01
Router Problems Corrected in 7.11.02.0003 Introduced In:
System may crash while removing router interfaces with dependent router protocol
information. 7.00.01
DSI exception (0x00000300) - Thread Name: tRtrCP-I and tMcnxInv may occur rarely. 6.12.03
Removal of a route-map name from an interface when load policy or priority settings are
non-default, may result in the route-map name being removed in persistent memory. The
route-map name could be inadvertently restored after a reset. 7.00.01
SNMP Problems Corrected in 7.11.02.0003 Introduced In:
Around the time of Inventory Management Backups, and possibly other file related
operations, there could be a reset that will leave a message similar to this in the log:
STACK OVERRUN! Sbase: a336498, SLimit: a3324a0, SEnd: a332498, SCur: a334078, MaxUse:
0x3fc0, BadLoc: a3324d8, BadVal: a3324f8, Next: eeeeeeee, Entry: 8586a8, tName: tRowMg 1.07.19
Feature Enhancements in 7.11.01.0025
Important Release Information Enhancements in 7.11.01.0025
Prior to this release the switch and router operated as separate entities and had their own IP stacks. The switch
and router stacks are now unified. This allows for a common set of IP interface, arp table, route tables and
applications to be used. IP interfaces can now be configured and used to manage the device even when routing
features are not enabled. This replaces the host interface and eliminates need for a router specific SNMP
context for router MIBs.
The CLI has been restructured and unified. The router context has been removed. Platform show/telnet etc…
commands may now be executed while in router mode.
Numerous MIBS, enterprise and standards based, have been added. See the tables at the end of this
document.
IGMP’s internal data structures have changed significantly resulting in significant capacity improvements. In
typical edge deployments where the majority of flows are switched or routed directly to reporters (edge
devices) the capacity has doubled. The capacity in a typical pure routed (core) environment is 400% of what
was achievable with 6.xx firmware.
ACL Enhancements in 7.11.01.0025
Up to 9 characters of an access-list name are added to the prompt when configuring an access-list. If the
access-list name is 9 characters or less in length, the entire name is added to the prompt. If the access-list name is
longer than 9 characters, the prompt will be modified by adding the first 4 characters of the name, followed by
an asterisk, followed by the last 4 characters of the name. Two sample prompts are shown below, one for the
access-list name "longAclName" and another for the access-list name "aclName".
E7 Chassis(rw-cfg-std-acl-long*Name)->
E7 Chassis(rw-cfg-std-acl-aclName)->
Arp Enhancements in 7.11.01.0025
'show ip arp' command was enhanced to provide more information.
Broadcast Suppression Enhancements in 7.11.01.0025
Port broadcast suppression has been modified to support rate limits as low as 1 packet per second.
CiscoDP Enhancements in 7.11.01.0025
‘show neighbor’ now displays MAC addresses in a consistent format.
DHCP Enhancements in 7.11.01.0025
The CLI command “show ip dhcp binding” output now includes the client-identifier.
DHCP increased configurable option size from 50 to 255 bytes.
FDB Enhancements in 7.11.01.0025
The output of the "show mac" command now includes the count of learned MAC addresses.
Host Enhancements in 7.11.01.0025
New show command added for quick display of configured interfaces and status.
E7 Chassis(rw)->show ip int brief
IPv4 IPv6 Admin Oper
Interface IP Address Netmask Fwding Fwding Status Status
------------ --------------- --------------- -------- -------- ------ ------
lo.0.1 127.0.0.1 255.255.255.255 - - up up
loop.0.1 1.1.1.1 255.255.255.255 - - up up
vlan.0.1 10.21.130.151 255.255.128.0 disabled disabled up up
HostDos Enhancements in 7.11.01.0025
HostDos now supports violation counters for all attack vectors.
LACP Enhancements in 7.11.01.0025
A new feature is added that will disassociate a port from an aggregator. The CLI command is: "clear lacp history
<port-string>." Forgetting the information (SYS-ID+KEY) would mean that single-ports would not rebuild an
aggregator and that the next time the aggregation formed it would not necessarily use the same lag port.
Licensing Enhancements in 7.11.01.0025
A slight change in behavior of the DFE when a PUC license is removed:
1) A removal of the license will clear excess users.
2) The removal of a blade which implicitly carries a PUC (Diamond) will not clear excess users.
NAT/LSNAT Enhancements in 7.11.01.0025
New vserver command: "[no] binding match source-port any | exact"
default: "binding match source-port exact"
Description:
When the vserver "binding match source-port any" mode is set, SLB connections through the vserver will
create a binding that will match any source port the client uses destined to the same vserver vip (virtual IP
address) and UDP/TCP port.
The match any source-port mode provides a means for SLB to setup fewer bindings per client for simple load
balancing cases. The implications of setting up only one binding per client means there is only one load
balancing decision made for this client -> vserver for all TCP/UDP connections. Once the binding is setup the
client is stuck to the initial real server for all connections to the same vserver.
Note 1:
The match any source-port mode is automatically over-ridden for the
following cases:
ALG: FTP Control/Data, TFTP
Any vserver using a source NAT pool.
Note 2:
The match any source-port mode should not be used if multiple vservers are configured to use real servers that
have the same IP address and destination UDP/TCP port.
Support for NAT/SLB for 5 tuple matched bindings (TCP, sip, dip, dport, sport). The bindings are removed faster
when the TCP RESET or FIN flag is detected in flow (hardware only). Removal time is configurable.
It was possible to configure an extended ACL for use with NAT prior to this release, but the extended list was
interpreted as a standard list. It is now possible to match the IP protocol, source and/or destination IP, and
TCP/UDP source and/or destination ports as described by an extended access list.
LSNAT performance and robustness enhancements have been implemented.
MAC Authentication Enhancements in 7.11.01.0025
MAC-Authentication new-user authentication rate has been increased over 100x. We now support in excess of
3000 users-per-second.
Management Enhancements in 7.11.01.0025
Service ACLs are supported.
Mirroring Enhancements in 7.11.01.0025
Policy/Flow based port mirror feature allows network administrators to monitor traffic received at a particular
port on the network by defining a class of traffic that will be duplicated (mirrored) to another port.
NAT Enhancements in 7.11.01.0025
Extended ACLs are now supported for NAT.
NetFlow Enhancements in 7.11.01.0025
Added export of flow data for hardware switched mcast frames (only Input interface data is exported). Now
properly support RX, TX, or both options per port. (Previously treated both as RX).
Node Alias Enhancements in 7.11.01.0025
Time of MAC address and protocols learned in Node Alias are now displayed as date and time rather than
sysUptime.
PIM Enhancements in 7.11.01.0025
ANYcast routing protocol for PIM is supported.
PIM MIB support.
PIM-SM Enhancements in 7.11.01.0025
PIM MIB was not supported (now supports RFC 5060).
Global, interface, and neighbor statistics have been added to "show ip pim" command.
Platform Enhancements in 7.11.01.0025
‘clear port duplex' and 'clear port speed' commands have been added.
Policy Enhancements in 7.11.01.0025
Support has been added to the SecureNetworks framework (policy) to support the mirroring of traffic based on
a Profile Assignment or a Traffic Classification Rule hit.
PWA Enhancements in 7.11.01.0025
Added the ability to make the decision to replace the TCI on a Rule-By-Rule basis within policy. Previously, this
ability was restricted to by port or by Policy-Profile.
The deprecated "set policy classify" CLI commands have been removed.
The etsysPolicySupportedPortList leaf of the ets-policy-mib is now supported.
CLI help for "set policy maptable" has been improved.
CLI help for set-policy-profile-name has been improved.
New CLI commands to clear PWA attributes.
RADIUS Snooping Enhancements in 7.11.01.0025
"set radius-snooping flow" command now allows for the "standard" keyword to be specified for the UDP port
which sets the UDP port to 1812.
RIP Enhancements in 7.11.01.0025
Only RIP version 2 is supported in this firmware version. RIP version 1 is no longer supported.
Route-Map Enhancements in 7.11.01.0025
Redistribution route-maps are now able to be displayed individually.
Additional match and set route-map commands have been implemented to augment existing functionality.
Additions to Redistribution Route-Maps:
match tag <tag id>
match metric <metric>
match metric range <metric Min> <metric Max>
set metric <metric>
set metric increment <amount>
set metric decrement <amount>
set metric-type <type-1 | type-2>
Additions to Filter Route-Maps:
match tag range <tag id Min> <tag id Max>
match metric range <metric Min> <metric Max>
Routing Enhancements in 7.11.01.0025
Static route tags are supported.
Extra set & match clauses for Route Maps are supported.
Increased supported number of RouteMaps Nexthops from 5 to 128.
Blackhole routing is supported.
The 'set router limits' command has been deprecated.
SNMP Enhancements in 7.11.01.0025
Support was added for AES-128.
Spanning Tree Enhancements in 7.11.01.0025
Spantree is added as a logging application. This allows user control of Spanning Tree Syslog messages.
VLAN Enhancements in 7.11.01.0025
Significant performance enhancements were made to the VLAN subsystem to ensure timely application of
VLAN egress change.
Problems Corrected in 7.11.01.0025
802.1x Problems Corrected in 7.11.01.0025 Introduced In:
If a station successfully authenticates via 802.1X twice (once via machine-auth, once via user
login) and is successfully authenticated both times, and only the first authentication returned
a RFC3580 VLAN-Tunnel-Attribute, the VLAN-Tunnel would continue to be used.
RADIUS-Snooping was also susceptible to this behavior. 5.25.16
Dot1x user traffic will continue to have admin-rule/tunnel rules applied to traffic for 1 minute
after the authenticated session is terminated. 5.41.25
A user authenticated with 802.1X in strict mode will be denied access to the network when
the user's workstation attempts to reauthenticate after the switch's authentication mode is
changed to multi-user mode. The authentication session for the user will stay in the
disconnected state. Unknown
A system reset due to a "Watchdog Timeout exception" could occur when a large number of
users are simultaneously authenticating. 5.01.58
A RADIUS session timeout attribute return value of 0 will cause the dot1x/multiauth session to
immediately timeout after a successful authentication. 5.21.25
When an extreme number of authenticated sessions are torn down, various "DistServ" SYSLOG
messages indicating chassis instability could be logged. 5.01.58
When a policy is applied to a port that has 802.1X configured to challenge the user, EAPOL
frames received on any other port set to forced-auth or forced-unauth are forwarded by the
switch. These forwarded frames will cause other workstations running 802.1X to
reauthenticate; degrading the authenticated users' connection to the network. Unknown
When 802.1X is configured for multi-user mode and a LAG port that is configured to require
authentication is used as an inter-switch link, users connected to the remote switch via that
LAG port may be denied access to the network due to a failure to authenticate. Unknown
When asking for help with the "set dot1x auth-config reauthenabled" command, the response
will be the help messages from the "set dot1x auth-config keytxenabled" command. 5.25.16
The show dot1x auth-session-stats command will not display the following counters: Session
Octets Rx, Session Octets Tx, Session Frames Rx, and Session Frames TX. 5.01.58
The "show dot1x" command is not available for users with Read-Only access rights. 5.01.58
MIB gets for the following MIB items will always return 0. (etsysMulti1xSessionOctetsRx,
etsysMulti1xSessionOctetsTx, etsysMulti1xSessionFramesRx, and
etsysMulti1xSessionFramesTx) 5.01.58
Performing a MIB get for etsysMulti1xActiveSupplicantAddress will not return any results. 5.01.58
When 802.1X is enabled and in strict single-user mode, the authenticator will allow more than
1 supplicant to be authenticated per port at a time. 5.41.25
When 802.1X is configured for multi-user mode and a LAG port that is configured to require
authentication is used as an inter-switch link, users connected to the remote switch via that
LAG port may be denied access to the network due to a failure of the authenticator switch to
send EAPOL packets across the lag. 6.11.01
Performing a MIB get for dot1xAuthEapolRespFramesRx will always return
dot1xAuthEapolRespIdFramesRx. 5.01.58
The management LED may flash amber indicating a write to the nonvolatile memory is
happening during initialization when 802.1X was previously enabled on the device. 5.01.64
The session-timeout values returned from the Radius servers are not getting passed into
Dot1x. 5.01.58
The tDot1x task may utilize 100% of the CPU for prolonged periods of time when many users
are removed simultaneously by the system either through a port event or CLI command. 5.01.58
While in strict mode, 802.1X now correctly operates on the underlying ports of a LAG, not on
stations received over the virtual bridge port formed by the lag. Unknown
Directed EAPOL identity requests are sent in response to non-EAPOL traffic. 5.01.58
ACL Problems Corrected in 7.11.01.0025 Introduced In:
If the only traffic from Source MAC is dropped due to an ACL action, that MAC may eventually
age from the Filter Database. 1.07.19
ARP Problems Corrected in 7.11.01.0025 Introduced In:
Proxy ARP with the "default-route" option will not respond to an ARP request if the default
route interface is the same interface that receives the ARP request. This problem does not
exist if the "local" option is included in the configuration command. 6.11.01
Occasionally a DSI Exception message with Thread Name "tSyslogD" will be logged and the
system will reset, when the system attempts to transmit a very large syslog message. It is
extremely rare to send such a message in a normal operating environment. 1.07.19
Static ARP entries may be associated with the incorrect interface. Configuration of static ARP
entries should take a user defined interface, or make a one-time selection of the associated
interface. Once configured, this association should not change. 4.00.50
CDP Problems Corrected in 7.11.01.0025 Introduced In:
The help line for CDP "hold-time" should be revised for clarity. 5.21.25
SNMP-GET of lldpConfigManAddrPortsTxEnable has wrong index. 5.41.25
Enabling CDP on lag does not return error message. 5.21.25
"show config" output does not include CDP configuration for 'enabled' ports 5.21.25
CDP allows configuring a minimum hold time of 10 seconds when it should be 15 seconds. 5.42.xx
ctCDPNeighborLastDelete is never updated. 5.21.25
ctCDPNeighborType MIB returns dot1q regardless of device capabilities. 5.42.xx
CEP Problems Corrected in 7.11.01.0025 Introduced In:
'show cep connections' will not show CEP connections created on a lag port. 6.11.01
A misconfigured syslog message will be seen when Policy is unable to disable CEP on a port. 5.25.16
When running a large configure or configure append (usually with CEP/client 74), a reset can
happen with the following messages in log:
<1>DistServ[5.tDsBrdOk]serverWatchDog.3, client 74 in recv for 7312 tics
<3>NvDist[5.tDSrecv7]recvMsg:vxAlloc from procWriteQBufPool=0x8e03370 cmd=0
count=0x00919d failed 1.07.19
CEP will add connections for packets coming from NDS (LLDP-MED and CISCO) even if CEP is
globally disabled. 5.42.xx
The command "clear cep port" is not a valid command without also specifying a port-string
and type. 5.35.16
CiscoDP Problems Corrected in 7.11.01.0025 Introduced In:
'clear ciscodp' does not return all configured port settings to the defaults. 5.25.16
ciscodp hold time range (10-255) can not be set below 15. 5.21.25
The CLI command "show config ciscodp" is slow and consumes high amounts of CPU for the
SNMP task. Unknown
CLI Problems Corrected in 7.11.01.0025 Introduced In:
A problem introduced in 6.01.01 where entering an out of range integer value in a CLI
command would result in subsequent command failures. 6.01.01
CLI syntax errors for bad values are not descriptive enough to point out the underlying error. 1.07.19
Aborting "show port counters" or "show port priority-queue" CLI commands with CTRL-C, may
cause an unexpected reset of the device. 1.07.19
CLI user cannot enter uppercase 'Q' to quit out of 'more' prompt. 1.07.19
Setting the CLI screen length (set length n) to a non-zero value, and performing a 'telnet' to an
outbound server results in double character output to the local session. 1.07.19
Running 'show support' in every available CLI session can hang all CLI sessions until a reset of
the chassis, if its execution hangs in each session. 6.12.01
Config Problems Corrected in 7.11.01.0025 Introduced In:
The DHCP task can deadlock and cause the "show running configuration" command to display
"Configuration temporarily locked by another user." 6.02.02
A DSI exception will occur if a configure append operation is performed on a config file that
contains an invalid 'ip address' command. 1.07.19
A 'show config' command will continually fail with 'Error writing configuration' after a CLI
session times out in the middle of a 'show config'. 1.07.19
Attempts to configure from a file that does not exist, result in the misspelled message "does
not exit." being displayed. 5.35.16
Setting the 'allowed-interval' for an admin user will not result in that setting appearing in a
'show config'. 6.12.01
The execution of "show config" during chassis segmentation will cause the retrieval of CiscoDP
MIB values to fail in the CLI. When this happens, it exposes a firmware problem that would
cause the processor to read from an invalid memory address. This bad memory access causes
the device to reset. 5.35.16
CoS Problems Corrected in 7.11.01.0025 Introduced In:
The Class of Service command "show cos unit" does not show only one rate type if a type is
requested. When a single rate type is requested all rate types are displayed. 5.01.58
The Class of Service command "clear cos port-config irl all" does not clear all IRL port-config.
The names associated with the default IRL are not cleared to the default values. 5.01.58
IRL Violation Time (etsysCosIrlViolationLastChange) is not updated when the violation table
changes. 5.01.58
The command "show config cos" will cause an error message to display. 5.01.58
The Class of Service command "clear cos port-resource irl all violators" does not clear all
violations. All ports remain in violated state after running the clear command. 4.00.50
The Class of Service command "show cos unit flood port" does not display the rate type
flood's units. 5.01.58
The mib etsysCoSFloodCtrlPortGroupName accepts a string with an invalid length. 4.00.50
The command "clear cos all-entries" does not clear all cos entries. Txq entries are not
re-initialized with the default values. Unknown
The Class of Service IRL violation counter is not incremented when the port hits the violation
trigger. 5.01.58
Attempts to modify a fixed parameter for a default COS index (COS 0-7 are associated with
802.1P priorities 0-7) do not generate warning messages. 1.07.19
DHCP Problems Corrected in 7.11.01.0025 Introduced In:
On a user initiated reset, DHCP leases modified in the last 15 minutes are not correct in the
database. 4.00.50
DVMRP Problems Corrected in 7.11.01.0025 Introduced In:
A DVMRP route may not be sent back to the originator with the correct metric to indicate
dependency. 3.00.33
When a downstream DVMRP neighbor sends a new genId, previously pruned traffic may not
be grafted upstream. 2.00.13
DVMRP Prunes with source netmask (255.255.255.255) may prune all sources matching that
source's network. 3.00.33
DVMRP routes may persist in a hold-down state after DVMRP is disabled. 2.00.13
Routing protocols would crash (resulting in module reset) processing DVMRP prunes from
downstream router. 3.00.33
When running PIM-SM on an interface, and issuing a "no ip dvmrp" command on that
interface, PIM-SM is disabled on that interface. 4.11.12
When running DVMRP with many S,G mroute pruned on an interface, the router may reset
with a "ASSERT dvmrpTimerSet" message. 3.00.33
Entity MIB Problems Corrected in 7.11.01.0025 Introduced In:
"Entity doesn't exist!" returned from set physical alias command for existing entities. 5.01.58
FDB Problems Corrected in 7.11.01.0025 Introduced In:
Permanent unicast filter database entry does not change to ageable when set to ageable. 6.00.02
In rare cases a command to clear all mac addresses "clear mac all" could cause a reset if static
entries were provisioned. 5.21.25
"displayDot1qTpFdbEntry Error: Invalid source port" error message may be seen while
running the command "show mac" in a system undergoing a high rate of change in the filter
database. 5.35.16
MAC moves not reported ( syslog or trap) for LAG ports. 6.01.01
Help strings for cli "show mac" commands were not clear as to whether source ports applied
to ingress or egress source ports. 1.07.19
When the mac age-time is changed from 65535 to a different value, the hardware age-time is
now correctly restored to its default value. 6.12.01
Flow Limiting Problems Corrected in 7.11.01.0025 Introduced In:
Flow limiting traps did not include the required interface name varbind 5.01.58
CLI should allow access to "show" commands in RO only mode. 4.00.50
Flow Limiting cli help strings did not display correct default actions. 4.00.50
The CLI allows Flow Limiting Notification Interval to be set to invalid (out of range) values. 4.00.50
The CLI allows Flow Limiting action limits to be set to invalid (out of range) values. 4.00.50
When read, the etsysFlowLimitingSystemClearStats OID would have returned an incorrect
value. 4.00.50
When a port's status goes oper down, the firmware will automatically clear all Node and Alias
entries on that port. 2.00.13
GVRP Problems Corrected in 7.11.01.0025 Introduced In:
Per port GVRP failed registrations (dot1qPortGvrpFailedRegistrations) counter does not
increment under some circumstances. 1.07.19
Configuring 64 spanning tree instances may cause the board to reset when GVRP is enabled. 5.01.58
"clear garp timer" help string displays "default: all ports" even though a valid port-string is
required. 6.11.01
Setting the GARP port timers or GVRP port enabled status could cause the system to crash
due to lack of memory resources. 1.07.19
Host Problems Corrected in 7.11.01.0025 Introduced In:
Remote device management via telnet etc. can be lost after receiving too many ICMP redirect
messages. 1.07.19
The syslog message "arp info overwritten for 0a01cbfb by 00:00:1d:0e:dc:20" is produced
when an existing ARP entry is overwritten with a new MAC address. The IP address
"0a01cbfb" is shown in hexadecimal but should be in dotted quad format. 1.07.19
In very rare conditions syslog messages will sometimes be transmitted from the device with
an internal loopback source IP address. This has no ill effect but can make the packets
un-routable and/or subject to filtering at the receiver. 1.07.19
"set system utilization threshold" can be set to exceed the limit of 1000. 5.01.58
Illegal number of arguments error displayed for the valid command "set vlan interface 4091
enable volatile" . 6.12.01
In rare cases a DSI Exception message with Thread Name tFtpdServ will be logged and the
system will reset after multiple images have been downloaded to the device in quick
succession. 4.11.12
Creating 43 static ARP entries with the "set arp" command will use up all static and dynamic
ARP resources for host management. It will not be possible to contact any new IP addresses
not already statically configured. 1.07.19
Host doesn't reply to ICMP echoes marked with certain DSCP values. 1.07.19
The "egress" command was not listed alphabetically. 5.01.58
A DSI Exception message with Thread Name tNet0 and Exc Addr of objVerify is issued during
the closing of a telnet session or after issuing a "reset" command. 5.01.58
HostDos Problems Corrected in 7.11.01.0025 Introduced In:
Use of checkspoof was limited in ECMP topologies. Checkspoof required the interface a
packet was received on to also be an interface in a route to the source of the packet. With
ECMP topologies, a packet destined for a router interface on a stub network could arrive from
a neighbor router also on the stub network because ECMP on neighboring routers directed
the packet in that direction. This would cause a checkspoof error. We have now implemented
'ip checkspoof loose-mode' that weakens the restriction to only requiring a route to source of
the packet ignoring the interface the packet arrived on. The option 'ip checkspoof strict-mode'
provides the legacy feature. 4.00.50
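The difference between the two checkspoof modes described above, as an added example that is not Extreme Networks code: a minimal Python model in which strict mode requires the ingress interface to be on a route to the packet's source and loose mode only requires that some route to the source exists. The routes, interface names, addresses and the longest-prefix route selection are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface this path points out of


def net(cidr, interface):
    return Route(ipaddress.ip_network(cidr), interface)


# Constructed routing table for one router (not taken from the release notes).
ROUTES = [
    net("192.0.2.0/24", "vlan.0.10"),     # remote clients, reached via the core uplink
    net("198.51.100.0/24", "vlan.0.20"),  # stub network shared with a neighbor router
    net("10.20.0.0/16", "vlan.0.10"),     # ECMP: two equal paths to the same prefix
    net("10.20.0.0/16", "vlan.0.30"),
]


def paths_to(routes, address):
    """Return every path of the longest matching prefix (assumed selection rule)."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == longest]


def checkspoof(routes, src_ip, ingress_if, mode):
    """True if the packet passes the source check in the given mode."""
    paths = paths_to(routes, src_ip)
    if mode == "loose":
        # Only a route to the source is required; the ingress interface is ignored.
        return bool(paths)
    if mode == "strict":
        # The ingress interface must be an interface in a route to the source.
        return any(p.interface == ingress_if for p in paths)
    raise ValueError("mode must be 'strict' or 'loose'")


# Constructed sample packets: (description, source IP, ingress interface).
SAMPLES = [
    ("client arrives on the core uplink", "192.0.2.50", "vlan.0.10"),
    ("same client, delivered by the neighbor over the stub", "192.0.2.50", "vlan.0.20"),
    ("ECMP source arriving on its second path", "10.20.1.1", "vlan.0.30"),
    ("source with no route at all", "203.0.113.9", "vlan.0.20"),
]


def run_samples():
    """Evaluate every sample in both modes: [(description, strict, loose), ...]."""
    return [
        (desc,
         checkspoof(ROUTES, src, iface, "strict"),
         checkspoof(ROUTES, src, iface, "loose"))
        for desc, src, iface in SAMPLES
    ]


if __name__ == "__main__":
    for desc, strict, loose in run_samples():
        print(f"{desc:55s} strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

The second sample is the stub-network case from the entry: strict mode drops a legitimate packet, loose mode accepts it, and the unrouted source is still dropped in both modes. In this model a 0.0.0.0/0 route would satisfy loose mode for every source; whether the firmware counts a default route is not stated in these notes.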
IGMP Problems Corrected in 7.11.01.0025 Introduced In:
With a large IGMP database it is possible for a "show config" to take much longer than it
would be expected to. The command does eventually complete. 5.32.06
If a command such as the following is entered at the cli when no IGMP static entry for the
given group is already active, a "Command Failed" message will be shown on the console.
set igmp static 239.192.35.36 1 modify include-ports ge.7.20 5.26.05
IGMP V3 Joins are not flooded out all ports. 5.35.16
A received IGMP Query of 0.0.0.0 will cause querier re-election. 5.35.16
IGMP should not store last reporter information as it requires an excessive amount of
memory. 6.00.02
When a configuration is loaded containing the igmp set number-groups command, it is
possible that the device may need to be reset twice for this configuration to be properly
enabled. 6.01.01
When setting igmp number-groups, the command may not take effect until a reset is issued. If
additional blades are inserted prior to the reset, it may require a second reset of the device. 6.01.01
When a slot in the chassis is reset, IGMP may not multicast flood to other routers properly. 6.00.02
If the following CLI command is entered a "Command Failed" message is displayed.
set igmp protocols classification 1. 6.00.02
On a diamond module, the "configure slot#/filename" may fail if you have several igmp
groups in the configuration file (usually greater than 4).
You will get an error similar to this:
"<162>Sep 20 14:24:50 0.0.0.0 IGMP[3.tDSrecv2]Received new active number of groups =
16384, Resetting to take effect"
The switch resets, stopping the configuration and subsequent configuration commands are
not executed. 1.07.19
Some port members may not be displayed using the show igmp reporters CLI command. 6.01.01
IGMP protocol frames with bad IP checksum may be processed on a LAG interface. 6.02.02
IGMP querier re-elect will occur when configured in IGMP V1 mode and a v2 query packet is
received. 6.02.05
When entering "show igmp static" at the cli, it is possible that the display will show erroneous
ports in the port lists. 6.11.01
IGMP shows incorrect QuerierIP after the router interface for that vlan is shutdown then no
shutdown. 6.11.01
After a spanning tree failover from one lag port to another, multicast flows may be seen
egressing out a blocked lag port. 6.02.04
When a blade that is running the router is reset, IGMP may stop forwarding multicast flows to
some reporters due to faulty mcast hardware programming. 6.11.01
Some IGMP groups may not be displayed using the show igmp groups CLI command. 6.02.05
When sending 4096 multicast flows into the device, the IGMP database will only accept 4095. 6.02.05
IGMP last member query interval value is displayed 10 times the actual value. 6.12.01
If the CLI command "show igmp counters" is run repeatedly it is possible for the device to
reset due to lack of memory. 6.00.02
When the number of static entries added exceeds the maximum there is no error message
displayed to indicate that the command failed. 6.02.05
The CLI command "show igmp vlan" leaks memory and may cause the blade to reset if used
repeatedly. 6.02.05
No warning message is displayed if IGMP is disabled on a vlan while a multicast routing
protocol (PIM/DVMRP) is enabled on that vlan interface. 4.00.50
LACP Problems Corrected in 7.11.01.0025 Introduced In:
Spanning tree bounces LAG port state on master failover. 5.42.04
DFE 10GbaseX ports may not be correctly initialized after boot preventing them from properly
joining their LAG. 6.00.02
The "set port lacp port" command allows the invalid configuration of lag.x.y ports. Only
physical ports should be accepted. 6.02.01
Front panel ports occasionally are removed from LAG ports when a blade in the chassis resets. 1.07.19
Within the port lacp command, an invalid option of asyspri is configurable. 1.07.19
In rare instances, during rapid LACP state transitions, it was possible that a port would be
mistakenly left as un-aggregatable to the LACP state-machine, even though the partner was
now communicating that the port was aggregatable. Such a port will remain in the
"selected", but not "attached" state. The condition would be cleared upon a link toggle of the
offending port. 1.07.19
Port would detach from lag when changing timers from short to default. 1.07.19
LAG ports were not displayed in the "show port egress" CLI command when wildcards were
used for the port-string option field. 5.01.58
Help text in "set lacp outportAlgorithm" refers to "sip-dip" rather than "dip-sip." 2.00.13
The show port lacp status command does not always sort properly when selecting the sort lag
option. 5.41.25
When link goes down for a physical port belonging to a lag, the port may not be removed
from the list of ports in the lag from which destination ports are chosen. The result is that
transmits are attempted out the unlinked port. 2.00.13
Licensing Problems Corrected in 7.11.01.0025 Introduced In:
Diamond DFE blades should automatically carry an N-EOS-PPC entitlement. With the
introduction of 7.x firmware, such an entitlement is automatically granted to all Diamond DFE
modules; in prior releases a license string needed to be configured. 6.00.02
Link Flap Problems Corrected in 7.11.01.0025 Introduced In:
Linkflap violations are only counted on a port if the action defined for a port is disable. They
are not incremented if there is no action, syslog, or trap configured. 4.00.50
Unless interface down was also configured, link flap syslog and trap actions would not show
up in "show config". 4.00.50
Linkflap when configured to generate syslog messages on violations, failed to do so. 4.00.50
LLDP Problems Corrected in 7.11.01.0025 Introduced In:
'show lldp port remote-info' command does not display full Port Description and System
Description info. 5.25.16
LLDP 'show port local-info' command displays some invalid output. 5.41.25
LLD PDU doesn't contain 'mgmt addr' TLV despite having the tlv enabled for TX. 5.41.25
LLD PDU PMD Auto-Negotiation Advertised Capability field contains incorrect information. 5.42.xx
'show lldp port status' returns two messages, when only one is needed. 5.41.25
'show config lldp' has wrong value for lldp port network-policy vid set to dot1p. 5.41.25
Ports associated with LAGs retain optional configured LLDP TLVs after being cleared with
"clear lldp". 5.25.16
SYSLOG message is displayed as a NDS debug application and contains internal port number
instead of interface name. 5.42.xx
LSNAT Problems Corrected in 7.11.01.0025 Introduced In:
SLB FTP connections using sticky persistence could inconsistently cause FTP sessions to hang. 6.01.01
SLB configuration was possibly lost during a module reset event. 6.01.01
SLB vserver IP addresses may remain in the route table after all real servers become
unreachable. 6.11.01
The LSNAT vserver client command does not function properly. 6.11.01
The slb vserver virtual "service" setting was ignored. 6.11.01
SLB real server mode cannot be entered when the maximum number of real servers is already
configured. 6.02.01
Large LSNAT real server configurations can cause ping failures due to system load. 5.42.xx
SLB vserver IP addresses are not redistributed via OSPF when the vserver transitions into
service. Unknown
SLB bindings may fail to time out during heavy load. 6.11.01
SLB bindings may time out when the flow rate is on the order of one packet per minute. 6.02.01
SLB real-server 'allow access' features are not working with 'stickiness' configurations. 6.11.01
SLB incorrectly translates the TCP header of the response to the client, when the MAC address
of the next hop gateway changes as a result of redundant firewalls fail over. 6.02.01
When modifying LSNAT configurations with active LSNAT traffic, LSNAT may log a message
similar to "DistServ[1.tDsBrdOk]serverWatchDog.4, client 57 in recv for 8182 tics" and reset
the blade. 6.01.01
When connecting to two different LSNAT Vservers using the same port and using persistence
level STICKY, LSNAT will log a message similar to "Could not open connection to the host on
port 23: Connect failed", and not allow a connection to the second Vserver. 6.01.01
When modifying LSNAT configurations with active LSNAT traffic, LSNAT may log a message
similar to "Exc Vector:System Reset - DSI exception.. Thread Name: tDSrecv4" and reset the
blade. 6.01.01
MAC Authentication Problems Corrected in 7.11.01.0025 Introduced In:
Administrator is unable to force re-authentication for a mac-auth session which failed RADIUS
authentication (either for timeout or invalid credentials). This could have been remedied by
setting the mac-auth quiet-period. The user is now able to revert the failed session to its
default state through the existing CLI/MIB controls for macauthentication portinitialize. 5.01.58
Flows were not being removed from hardware when macauth was enabled. This could lead to
improper delivery of frames until such time as some other event removed the flows (link loss,
re-application of policy, successful authentication). 4.00.50
Reboot is required for N-EOS-PUC and N-EOS-PPC licenses to take effect. MACAuth
"auth-allowed" should reflect the multi-user "allowed-users" and use the lower of this or
"auth-allocated". 5.01.58
The "clear macauthentication authallocated", "clear macauthentication quietperiod" and
"clear macauthentication reautheperiod" are allowed to be entered without a port(s)
specification but do not functionally do anything. These commands must be entered with a
port(s) specification. 4.00.50
Macauth authallocated can be set to zero. Mib states this value must be non-zero. 3.51.01
During a "show config" if the port-based configuration for quiet-period, reauth-period, or
auth-allocated was set to zero, settings for other ports could be inappropriately combined
with this port. 4.00.50
A reauth-period of zero will not be restored properly on subsequent boot. 4.00.50
MAC Lock Problems Corrected in 7.11.01.0025 Introduced In:
If a MAC-Locking static entry was toggled inactive, then re-activated, in the presence of
learned traffic, the re-activation was ignored (as the entry had become a MAC-Locking
first-learned entry). The reactivation is now handled correctly. 4.00.50
Maclock is not supported on 10Gbase-x ports. 5.01.58
MAC-Locking can become enabled even if the feature is globally disabled, if an individual port
is subsequently enabled. 2.00.13
Cannot clear statically configured maclocked entries. 6.12.01
Mirroring Problems Corrected in 7.11.01.0025 Introduced In:
When a port in an IDS mirror goes down (link down, etc), flows should be re-distributed
among all remaining ports. Occasionally not all remaining ports would be used in the
re-distribution. 1.07.19
Sometimes the TX option of the port mirroring command fails to send the relevant traffic to
the monitor port. 6.00.02
Sometimes a DSI exception message with Thread Name tSMON will be logged and the system
will reset when a port mirror with a 10G source port is configured. 6.11.01
Vlan mirrors will not be restored when loading from a config file. 6.01.01
MultiAuth Problems Corrected in 7.11.01.0025 Introduced In:
idleTime and sessionTime should be kept using one second granularity rather than 10
seconds, meaning a +/- 10 second (or 20 second total between the two) error could be
expected. 5.01.58
The command "show multiauth session" does not display the correct Session Timeout value if
the user was authenticated via dot1x. 5.01.58
Accessing an invalid instance for the etsysMultiAuthStationClearUsers MIB caused a syslog
message similar to "<3>EMAM[1.SNMPSubAgt]sessionStationEntryGet(0):addr.getData()
failed". 5.41.25
Authenticated sessions will not be terminated when changing the authentication mode from
strict to multi-user. Users authenticated and given access rights to the network using strict
mode will not be rechallenged and will remain authenticated with the same access rights
when the authentication mode is changed from strict to multi-user. Unknown
"clear multiauth precedence" inappropriately returns "Clear Failed". 4.00.50
It is possible for IGMP report counters to not increment correctly for each reporter. 6.02.01
When transitioning back and forth between multiauth mode "multi" and "strict",
authentication sessions are torn down. This action can take some time and was deferred to a
separate task to prevent a reset with the following message: serverWatchDog.1, client 62 in
recv for 8030 tics. 5.42.04
In multiauth mode "multi" it is now possible to clear user sessions, even when the maximum
allowed number of sessions was set to one. 6.11.01
It is possible that the IGMP group table may miss flows in its CLI output. 6.12.02
The "set multiauth precedence" command does not display the set radius-snooping
precedence in the output for show configuration. 6.11.01
"show config all" would incorrectly display the state of the "multiauth trap port" commands if
no traps were configured. It displayed "set multiauth trap port x.y.z". It will now correctly
display "clear multiauth trap port x.y.z all". 5.01.58
The help text for the "clear multiauth session-timeout" and "clear multiauth idle-timeout"
commands incorrectly indicates that a set will occur, not a clear. 5.31.17
The help string for the "show multiauth session", "show multiauth station" and "show
multiauth counters" commands indicates that the lack of a port string specification causes the
output of all ports. A port string must be specified for these commands. 4.21.09
In the CLI display of "show multiauth session" the "Last Attempt Time" is inaccurate (the
corresponding MIB variable is correct). 4.00.50
MIB leaf etsysMultiAuthSystemAdminPrecedence could be inappropriately configured with
duplicate authentication agents. This configuration would have no operational effect. 4.00.50
It is possible for multicast flows to be interrupted temporarily when inserting a new blade in
the chassis. 6.02.05
The etsysMultiAuthSessionVlanTunnelAttribute object (and the corresponding VLAN attribute
in the display from "show multiauth sessions") will return 4095 (or "Unknown" in the CLI) in
the event that VlanAuthorization is either globally disabled or disabled on the port on which
the authentication occurred. 5.42.04
Authenticated users' sessions are no longer terminated when a port transitions from
auth-required to auth-optional. 4.00.50
CLI command "show multiauth session" now correctly displays the session's associated policy
as inactive when no policy (but a vlan-tunnel-attribute) is applied. 6.00.02
When large numbers of multiauth sessions either are active in the system or have been active
in the system the "show multiauth session" command runs slowly. Unknown
The "show multiauth session" command leaks 20 bytes every time it is run. 5.25.16
In rare instances, possibly after a link drop, the number of multi-auth users reported on a port
may be negative. Should this occur, no users will be able to authenticate on the port until a
reset of the module (or the system should it occur on a lag port). 5.42.xx
NAT Problems Corrected in 7.11.01.0025 Introduced In:
NATed FTP flows may not work properly on LAG ports. 6.00.02
CLI options for clearing bindings were added for NAT, LSNAT, and TWCB. "clear ip nat
translation". 6.00.02
NetFlow Problems Corrected in 7.11.01.0025 Introduced In:
When the netflow cache is disabled, the netflow export record failed count may continue to
slowly increment for up to several minutes. 4.00.50
Occasionally a NETFLOW error message in conjunction with blades resetting and polling of
NETFLOW MIBs or CLI, simultaneously occurs.
"<3>netflow[1.tEmanate10]getCacheEntry(0):sendMessage(ackMsg)!=kDs_good" 5.31.17
Debug Netflow syslog messages are occasionally displayed when a blade resets while using
the Netflow CLI or Netflow MIB.
<163>Aug 18 10:09:19 255.255.255.0 netflow[2.tEmanate10]getPortData(32001,val,0,0,0):sendMessage(ackMsg)!=kDs_good;sendMask=0x10000000 5.31.17
Node Alias Problems Corrected in 7.11.01.0025 Introduced In:
A show config, done shortly after boot, could show default max entries per port setting in
Node and Alias. 2.00.13
The CLI commands "set nodealias maxentries" help strings may not accurately reflect the
actual range of entries supported on that port. 2.00.13
If there was a non-default port based Node and Alias configuration (port disabled or max
entries) for a port on an option module and that option module was removed, or a like blade
without that option module was substituted, that blade may not boot successfully until
nonvol is cleared on it. 6.12.01
OSPF Problems Corrected in 7.11.01.0025 Introduced In:
The command, "show ip ospf interface" does not display all configured OSPF interfaces. 3.00.33
When running OSPF and a cost change is made on a stub network, the routing table does not
reflect the new shorter path. 6.02.02
When running OSPF and redistributing a connected loopback interface, the configured
network mask is ignored and /32 is used as a default. 6.01.01
When OSPF is configured with nested virtual links, the route table is empty on the end router,
as it does not run the spf calculation for its attached area. 6.11.01
When running OSPF, show ip route <A.B.C.D> displays an incorrect cost metric for an E2 route,
show ip route displays the correct one. 6.12.03
An assertion failure and system reset is detected in thread, tRtrPtcls during a router failover.
The message log will display an assertion failure notice of "<sms[2.tRtrPtcls]SMS assert : (null)
(if_cb->neighbors_in_state[AMB_OSPF_NBR_FULL] > 0) || (lsdb_cb->entry_status ==
QODM_STATUS_MAXAGE_ACTIVE) || (lsdb_cb->entry_status ==
QODM_STATUS_PENDING_DELETE) 0 (null) 0". Unknown
OSPF md5 authentication will not occur on interfaces with secondary IP addresses that do not
have a corresponding network command under "router ospf". Adjacencies on interfaces not
properly configured as such will not form and appropriate system log messages are seen. Unknown
PIM-SM Problems Corrected in 7.11.01.0025 Introduced In:
High PIM multicast flow counts may result in router lockup and/or reset. 4.00.50
With PIM enabled, Loopback interfaces show up in "pim interface" table as vlan 0. 4.00.50
PIM upstream changes may cause the routing protocols to lock up resulting in loss of both
unicast and multicast routing. 4.11.12
After a router failover, the "show ip mforward" table may show 'unknown' rather than
'sparse' for forwarding multicast flows. Note: This command was replaced with "show ip
mcache" in 7.x firmware. 6.00.02
PIM DR Priorities between 2147483648 and 4294967294 show up as negative numbers in
"show ip pim interface". 4.11.12
PIM static or candidate RPs address of 0.0.0.0 can not be set. 4.11.12
PIM drops neighbor adjacencies and BSR advertisements when neighbored up to another
router via more than approximately one hundred interfaces. 4.11.12
PIM "ip pim rp-candidate" priority may be incorrectly interpreted as an attribute of the
Group/Mask pair, when in fact it is an attribute of the Candidate RP. The command should be
rewritten to separate setting the priority off into its own command.
"ip pim rp-candidate 192.168.1.1 226.0.0.0 255.0.0.0", "ip pim rp-candidate 192.168.1.1 priority" 4.11.12
DSI exception in "PIM" thread causes module to reset. 4.11.12
Certain IP Multicast configurations/topologies with high number of flows and high number of
reporters may not stabilize correctly. 5.35.16
PIM is enabled by default on Loopback interfaces. 4.11.12
PIM Assert message has a different preference/metric than what the route table indicates. 4.11.18
Platform Problems Corrected in 7.11.01.0025 Introduced In:
The system time can drift from the real-time clock by 1 second for every few hours that have
elapsed. 1.07.19
When 6 out of 7 blades in the chassis are unexpectedly shutdown, the blade which was not
shutdown will reset in ~3 minutes with a "serverWatchDog" message. 4.00.50
Device occasionally times out while attempting to simultaneously copy the firmware image
and copy the configuration from another blade in the chassis.
Time out is accompanied by the following message and a reset of the blade.
"<1>DistServ[1.tDsBrdOk]serverWatchDog.7, client 41 in recv for 8267 tics" 3.00.33
The CLI processor will not accept the '\?' sequence at the end of a line when entering a "set
banner [motd | login]" command. 5.01.58
Under severe reset stress test (repeatedly resetting module after module), the sockets used to
communicate between blades would be reused and could contain fragments of previous data
streams. In some rare cases these fragments could be interpreted as reset commands from
the chassis master. Socket tear-down and re-use behavior was safeguarded. Unknown
System instability and slot resets may occur, with messages similar to the following in the
message log:
SYSLOG message initiated reset Thread Name: tDSservX
Where "X" is a number ranging between 1 and 3 or 5 and 7. 6.00.02
Message similar to “<164>Mar 7 11:25:28 100.10.20.1 PortCli[1.tConsole]unexpected error”
might be displayed on 7G-6MGBIC-B or 7K-2XFP-6MGBIC uplinks when setting speed to 100
on 1 Gig SFP or setting speed to 1000 on 100BASE-FX SFP. 6.00.02
A watchdog timeout exception will happen when performing many unexpected resets. 6.11.01
The system may log a message similar to "PACKET BUFFER MANAGER ERROR:
PktBufferQ.cxx,464 Allocated non hardware buffer to firmware queue" and reset. 6.11.01
When the admin/SU is changing a password for a user (set system login <user>), the message
"new password must be different than the current password" may be displayed if the new
password is zero length (<cr>). 6.01.01
The error message "Interhost out of Transmit Buffers happened 20 more times!" could occur
if a transmit resource is not freed when an error path is taken during transmit, for a packet
whose encoded slot number in the destination mac address does not decode to a valid slot in
the chassis. 5.42.04
A chassis can get stuck in a state where more than one blade thinks it is the master module of
the chassis, thus segmenting the chassis. 1.07.19
In rare instances, a chassis which dissolved from several boards to just a single board could
get caught waiting for the, now nonexistent, boards to finish synchronization. Eventually this
remaining board would reset. 5.01.58
A read-only user cannot execute the 'show banner' command. 3.00.33
A read-only user can see a 'clear console' command which is only available to non read-only
users. 1.07.19
A query of the ifMauAutoNegRemoteFaultAdvertised or ifMauAutoNegRemoteFaultReceived
MIB objects may not respond with the correct information. 6.00.02
If a new user with other than "super-user" access is created and enabled, while 'set system
lockout inactive' is set, the new user will be disabled. 6.01.01
A user will be locked out of the CLI if 'set system lockout inactive' is set and the master
module on which the user has logged in, just prior to the inactive timeout occurring, is
removed. 6.01.01
Setting the password to a previous password incorrectly informs the user that the setting was
successful when 'set system password history' is set. 4.05.07
CLI messages are confusing when changing the properties of an existing local CLI user. 6.01.01
Insertion of a new blade into an operational chassis (1 or more blades currently running)
occasionally causes the chassis to reset and become segmented. The new blade will display
the following log messages:
<3>System[5]One or more boards are present in the chassis but are not fully functional.
<3>NvDist[5.tNvFinIn]nvDistInitFinal():allSet==false after 31 iterations.ok:valid:->1)1:0;2)0:0;3)1:1;4)0:0;5)1:1;6)0:0;7)1:1 _isAuthBySlotValid:0x15000000
<3>Dispatch[5.tSelfDiag]ftm2 heartbeat check: slot 1 silent for 10 periods
To recover you can power off the chassis then power back up. 2.00.13
A user can set a password to a previously used password even though the 'set system
password history' config is set. 4.11.12
Blade may reset with "Program Exception" in tDispatch task due to memory corruption Unknown
System instability may result with messages posted to the command line interface such as
"Chassis coherency timeout exceeded, reseting" during 802.1d filter database conflict
resolution (when MAC addresses are moving between ports). 1.07.19
Using Ctrl-C during "show port status" CLI command occasionally causes "unexpected error,
aborting command" message to be displayed. 6.00.02
Using Ctrl-C during "show port flowcontrol" CLI command occasionally causes "unexpected
error, aborting command" message to be displayed. 6.00.02
In rare instances, after periods of chassis instability, a condition could occur whereby the
chassis can never regain stability, constantly rebooting with "Rdy2Switch" SYSLOG messages. 6.00.02
A read-only user cannot use the 'dir' command. 1.07.19
A read-only CLI user can enter the 'default' option on various CLI commands to make settings
persistent. Commands include: set cli completion, set logout, set length, set line-editor,
set history, set width. 1.07.19
Occasionally the system time on a blade can be corrupted so that it falls back several years,
sometimes resulting in the blade resetting. 5.01.58
In rare cases a DSI Exception message with Thread Name tRowMgr will be logged and the
system will reset after performing certain operations in the
ENTERASYS-CONFIGURATION-MANAGEMENT-MIB. Attempting to explicitly set
etsysConfigMgmtChangeRowStatus to "destroy" while etsysConfigMgmtChangeOperStatus is
still in the "running" state may cause this. 5.41.25
Blade may reset with DSI message in task tDispatch due to memory corruption Unknown
Breaking out of the command "show port egress" with a control-c will occasionally result in
the reset of a blade with a DSI exception for the tConsole thread. 5.01.58
On N Series products, some packet error detections may not work if the packet flow is using
non default priority. This includes IPV4 check sum verification (could route packet with bad
IPV4 checksum), TTL verification (could route packets that have TTL expired and traceroute
may not function), and max packet size verification (may pass packets that are larger than
max size for flow and MTU discovery may not function). 1.07.19
The traps sent for the events boardOperational, boardNonOperational, boardRemoval,
boardInsertion, envTempNormal, and envTempHot do not include all defined fields. 1.07.19
Enabling negotiation on ports that already have negotiation enabled, causes renegotiation
(and link bounce). 6.01.01
Occasionally the download and overwriting of a firmware image using TFTP (Trivial File
Transfer Protocol) may fail. Seen with command
"copy tftp://<ip-addr>/<source_image_name> <destination_image_name>". 1.07.19
A message such as "<0>Rdy2swch[1.tRdy2Swtch]Initialization failed to complete(516 seconds
allotted, 516 seconds elapsed). ConfigReset:[2], incomplete." could be seen when performing
a 'configure' of the chassis. In this case, the configure will hang and the chassis will reset
without completing the desired configuration. 6.12.01
Configuring system name with "set system name <string>" and a name greater than 41 bytes,
may cause Webview to malfunction, resulting in a remote browser managing the device with
http://<host-address> to display “The page cannot be displayed” when displaying the system
information. 3.00.33
Port broadcast Peak Rates and Peak Rate Times are calculated and displayed incorrectly for 10
Gig ports. They always display as 0. 1.07.19
Blade may reset with "Program Exception" in thread name: INTERRUPT due to memory
corruption Unknown
PoE Problems Corrected in 7.11.01.0025 Introduced In:
Continuous PoE subsystem hardware failures might result in board reset. 4.21.09
Power Over Ethernet (POE) may not be delivered to groups of 48 or 24 ports for brief periods
of time. An error similar to "<163>Apr 8 14:51:23 142.58.183.251
i2c[3.tPoENotify]i2cWriteReadPOE: status: -1 - Unable to transmit data to POE 1" will be
logged and any attached POE powered equipment will power cycle and reboot. 6.12.01
“show inlinepower” will display “faulty” Oper Status when power available on a blade is
smaller than power consumed. Unknown
‘show port inlinepower’ CLI will display 802.3at devices as 8023af PD Type. 6.12.01
“show inlinepower” on DFE will display “on” Oper Status when there is no power usage. 6.12.01
Available Power will occasionally not get updated on the blade after POE power toggle.
Resetting the blade or power cycling PoE power supplies can be used as a workaround. 6.12.01
pethMainPowerUsageOn traps are sent regardless of whether POE power usage is above or
below CLI configured Usage Threshold. 6.12.01
Policy Problems Corrected in 7.11.01.0025 Introduced In:
"clear policy port-hit" is now fully functional. 5.32.06
The display filters of "drop" and "forward" for "show policy rule" now correctly filter and only
display the desired entries instead of always displaying only the "drop" rules. 5.41.25
Added missing ifAlias varbind object to etsysPolicyRulePortHitNotification policy trap. 6.01.01
When trap is sent upon policy rule hit, the incorrect profile name is included. 6.01.01
Routed frames lose their associated transmit queue (assigned by policy). The frame's 802.1p
priority, which may have been selected by policy, can be used to choose transmit queue by
configuring COS values 0 - 7 which map to 802.1p priorities. 5.01.58
Use of the deprecated "set policy classify" CLI commands could cause loss of existing policy
configuration. These commands have now been removed from the CLI. 2.00.13
The CLI help text for "set policy rule xxx vlantag" has been corrected to display the proper
maximum value. 4.00.50
The CLI help text for policy rule type ICMP type:code has been corrected. 4.00.50
The CLI help for policy rule type udpsourceport, tcpsourceport, udpdestport and tcpdestport
has been removed on platforms which support udpsourcportIP, etc. rule types. 5.01.58
The CLI help for policy rule of type admin-pid profile range has been corrected. 4.00.50
CLI command "show policy rule admin-profile port" now correctly displays all relevant rules. 4.00.50
The CLI and MIB output for "Result1". In the past this was the "dynamically" assigned value
which incorrectly excluded the statically assigned value as a possible result (which it would be
in multiauth mode).
This has been modified so that it is more in line with what the MIB demands, that this is the
PID which will be applied to frames matching this rule. As such the value is more accurately
described as the "Operational PID". 5.01.58
If CTRL-C was used to abort a show-policy-rule CLI command, it was possible for memory to be
freed twice, causing a reset. 5.01.58
If an out of range CoS value was specified for a set-policy-rule CLI command, a SYSLOG
warning would appear; these have been replaced with an appropriate CLI feedback message. 5.01.58
CLI help for set-policy-rule is now correct for the CoS attribute. 5.01.58
SYSLOG warning messages should not be displayed when port-strings are mismatched in
policy CLI commands. 5.01.58
RO CLI users now have access to the "show vlanauthorization" commands. 5.25.16
Policy rules continue to be applied when removed from policy allowed-type. 5.42.xx
Warning SYSLOG messages are no longer generated when the user tries to configure more
than the supported number of policy rules. 5.01.58
When mapTableResolution was set to useVTA (i.e. ignore Policy, use VLAN Tunnel Attributes)
and there is no VLAN Tunnel Attribute available the Profile-Id in the Radius-Access-Accept is
inappropriately used. 5.31.17
We will correctly forward frames when the map-table-resolution for 3580 VTA responses is
set to VTA, even when the policy-invalid-action is set to drop. The drop action should be
ignored, since the map-table-resolution instructs us to ignore the policy component. 5.41.25
Appropriate default rule-data-masks are now applied to user input in the policy CLI for UDP
and TCP source and destination rules when the optional post-fixed IP address is not specified. 5.01.58
Extraneous SYSLOG warning messages are displayed after a "clear policy rule" CLI command is
successfully completed. 4.00.50
An error occurs when attempting to set policy admin-profile rules, if the maximum value for
the index is selected. 4.05.08
Policy profile rule-precedence is now displayed during "show-config-all" output. 4.00.50
If a VLAN egress list (tagged, untagged, or forbidden) of a Policy Profile contained enough
VLANs to make the ASCII representation of the list greater than 128 characters the output of
4.00.50
show config would be improperly formatted. At each line boundary a comma would be
missing from the list, combining two vlans into one.
clear policy usage-list now correctly clears the rule-hit table. 5.42.xx
etsysPolicyRulePortHitNotification Trap varbinds are missing or sent in the wrong order 5.42.xx
Warning level log event "<165>Mar 26 13:59:11 99.1.1.1 Emanate[1.tEmanate1]snmpd:
Internal error (invalid nominator in etsysPolicyClassificationEntry_test)" is displayed when 5.01.58
attempting set to deprecated SNMP MIB table etsysPolicyClassificationEntry.
PTOPO Problems Corrected in 7.11.01.0025 Introduced In:
CDP displays network address as port ID in 'show neighbors'. 5.31.17
PWA Problems Corrected in 7.11.01.0025 Introduced In:
PWA may log a message similar to "<163>Apr 17 15:22:15 0.0.0.0 PWA[1.tusrAppInit]pwaGlRestore() - nonvol_gl_next_tag(61,3078) minorTag:3078 unknown" at bootup. There is no negative system behavior. 4.00.50
The PWA login timeout does not support the longer timeout needs of hand-held devices. 5.01.58
RADIUS Problems Corrected in 7.11.01.0025 Introduced In:
RADIUS log events messages are terse and often do not describe the issue they are reporting. 1.07.19
AAA information level log events are not output for some events and are often not appropriately descriptive of the issue they are reporting. 1.07.19
The RADIUS authentication and accounting configuration allowed for duplicate servers with the same IP address and port to be added with different indices. 4.00.50
A supplicant EAPOL Start frame was ignored if it was sent during a current RADIUS authentication transaction for that supplicant. The processing of that frame would be delayed until the current transaction was finished. This timing is worse when multiple RADIUS authentication servers are configured and one or more of them is currently unavailable. 6.11.01
When the RADIUS client software receives valid but unsupported RADIUS packet codes, it outputs an error level log event that does not appropriately detail what is occurring. No log event is necessary for this issue. 1.07.19
An invalid RADIUS packet attribute length of 1 in authentication or accounting response frames sent from the server to the RADIUS client software causes the system to reset. 1.07.19
The "set radius retries" and "set radius timeout" commands can be entered without a value for retries or timeout, respectively. These commands require a value to be specified. 5.42.xx
Invalid RADIUS response frames from the RADIUS server to the system, containing attribute length fields with values less than the required two bytes, cause the RADIUS software to hang. 5.01.58
If all RADIUS authentication and/or accounting servers are removed from a realm in use, the "Core is not initialized" error level log message is output. 5.41.25
If a RADIUS authentication or accounting server is removed from the configuration while active transactions are still occurring with that server, non-descriptive error level RADIUS log messages may be output. 5.01.58
Occasionally the error message "Radius[4.tAggCnt]Trying to get local aggregate counters for unknown core server X" can occur during initialization. 6.11.01
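The two attribute-length defects listed above (a length of 1 causing a reset, lengths below two bytes causing a hang) are what happens when an attribute walk trusts the length byte. The following is an added example of a walk that validates it, not Extreme Networks firmware code; the packet layout follows the RADIUS specification (RFC 2138 and its successor RFC 2865), and the function names and sample packets are constructed for illustration.

```python
import struct

HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_PACKET_LEN = 4096  # upper bound on the RADIUS length field


class MalformedRadius(ValueError):
    """Raised when a packet cannot be walked safely."""


def parse_attributes(packet):
    """Return (code, identifier, [(type, value), ...]) or raise MalformedRadius."""
    if len(packet) < HEADER_LEN:
        raise MalformedRadius("packet shorter than 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= MAX_PACKET_LEN:
        raise MalformedRadius("header length out of range")
    if length > len(packet):
        raise MalformedRadius("header length exceeds received bytes")

    attrs, offset = [], HEADER_LEN
    while offset < length:
        if length - offset < 2:
            raise MalformedRadius("truncated attribute header")
        a_type, a_len = packet[offset], packet[offset + 1]
        # The length byte counts the type and length bytes themselves.
        # 0 would never advance the offset (a hang); 1 would misalign the walk.
        if a_len < 2:
            raise MalformedRadius(f"attribute {a_type} length {a_len} is below 2")
        if offset + a_len > length:
            raise MalformedRadius(f"attribute {a_type} overruns packet")
        attrs.append((a_type, packet[offset + 2:offset + a_len]))
        offset += a_len
    return code, ident, attrs


def check(packet):
    """Return 'ok' or 'rejected: <reason>' for logging or a test harness."""
    try:
        parse_attributes(packet)
        return "ok"
    except MalformedRadius as exc:
        return f"rejected: {exc}"


def build_packet(code, ident, raw_attrs):
    """Constructed test helper: header, zeroed authenticator, raw attribute bytes."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(raw_attrs))
    return header + bytes(16) + raw_attrs


# Constructed samples: Access-Accept (code 2) carrying a Reply-Message (type 18).
GOOD = build_packet(2, 7, bytes([18, 4]) + b"ok")
LEN_ONE = build_packet(2, 7, bytes([18, 1]) + b"ok")
LEN_ZERO = build_packet(2, 7, bytes([18, 0]))
OVERRUN = build_packet(2, 7, bytes([18, 200]) + b"ok")

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("len=1", LEN_ONE),
                      ("len=0", LEN_ZERO), ("overrun", OVERRUN)]:
        print(f"{name:8} {check(pkt)}")
```
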
RADIUS Snooping Problems Corrected in 7.11.01.0025 Introduced In:
RADIUS Snooping timeout handling for RADIUS requests that have not received a RADIUS response was inaccurate to a degree of plus or minus 10 seconds. This timeout is set using the "set radius-snooping timeout" command. 6.11.01
The "set multiauth session-timeout radius-snooping <timeout>" and "set multiauth idle-timeout radius-snooping <timeout>" commands do not show up as part of the output of the "show configuration" command. 6.11.01
The "set radius-snooping port initialize" command leaks memory. 6.11.01
The "show radius-snooping flow all" command leaks memory. 6.11.01
The RADIUS Snooping log message "Received unexpected policy modify rule for mac <mac address> and port <port number>, pid <value>" is output at error level for an event that occurs during normal operation. 6.11.01
Occasionally the system may log a "etsHwBreakPoint : addr = 0x00000000". This typically requires high multiauth authentication loads. 6.11.01
The "show multiauth counters chassis" command does not display RADIUS Snooping counters. 6.11.01
When a RADIUS response frame is received by the RADIUS Snooping component, with unsupported attributes, several cryptic log messages are output at warning log level or higher. Additional data should be reported. 6.11.01
Error level log messages "Access-Response frame (udp port XX, id XX) for mac unknown using flow XX failed validation on port unknown" are output from the RADIUS Snooping Component when RADIUS response frames are received but the matching RADIUS request frames are not. 6.11.01
Two RADIUS Snooping SNMP MIB variables (etsysRadiusSnoopingFlowUnsupportedReqPackets and etsysRadiusSnoopingFlowUnsupportedRspPackets) are supported by the software but not present in the released etsysRadiusSnoopingMIB. 6.11.01
The log message "RADIUS Snooping and policy are out of sync for session <mac address>" is displayed when the number of actual user sessions being authenticated by the switch is greater than the number of users allowed by the "set radius-snooping port authallocated <port-string>" command. 6.11.01
If the lag port master changes blades, any RADIUS Snooping sessions that were initiated on lag ports will no longer be displayed using the "show radius-snooping session" command. 6.11.01
RFC 3580 Problems Corrected in 7.11.01.0025 Introduced In:
RFC 3580 tunnel attributes are ignored when users are authenticated using 802.1X and multi-user mode set to strict. Unknown
RIP Problems Corrected in 7.11.01.0025 Introduced In:
RIPv2 hold timer takes up to 180 seconds to remove a downed route in the routing table when it should take 120 seconds. 2.00.13
When redistributing OSPF into RIP, routes learned from OSPF disappear from RIP routing table on neighbor. 6.00.02
Routing Table does not receive all updates from neighbor when RIP network has over 1000 routes. Unknown
RMON Problems Corrected in 7.11.01.0025 Introduced In:
Multiple deletion and addition of RMON stats indices along with multiple "clear rmon stats to-defaults" commands may result in a system reset with a message similar to "<1>distServ[2.tDSync2]sendMessage.26214 invalid client id in message(17)". 6.11.01
The command show rmon topN <index> displays results for all entries, not for the specified index. 3.00.33
Out of range RMON alarm input values are not checked for and may result in a DSI exception. 1.07.19
Incorrect MIB set of an RMON topNHost may be allowed. 1.07.19
An SNMP RMON channel multiple entry object set may not be fully completed. 1.07.19
With an RMON event configured, entering the command show config occasionally results in a system reset with a DSI exception similar to "Exc Vector: DSI exception (0x00000300) Thread Name: tConsole Exc Addr: 0x00c42bc4 <getLenOsVal_HexData+0xc>". 4.00.50
RMON collisions not displayed upon entry of the "show rmon stats" command. 3.51.01
RMON capture buffer times seen at the cli and from a MIB get show the uptime of the device when the packet was captured instead of the amount of time that has passed since the capture was started. 5.01.58
RMON capture slice and loadsize values are not set when input value is greater than 65535. 5.01.58
RMON log entry removal has a small memory leak. 1.07.19
Removal of an RMON alarm entry or the timeout of an alarm entry occasionally will result in a reset similar to "Exc Vector: DSI exception (0x00000300) Thread Name: tDSrecv5 Exc Addr: 0x0080ccf8 rmonAlarmTable::setEntryStatus(rmonCtrlEntry *, RMON_ROW_STATUS, int)+0x48>". 5.01.58
An RMON filter entry is not cleared when the channel option is used with the clear command. 5.01.58
The help option for changing the RMON history interval is incorrect. 3.51.01
Input of incorrect offset values in the "set rmon capture" command may not be reported. 5.01.58
System uptime is displayed incorrectly upon a "show rmon capture" when an RMON channel is cleared and a capture entry is configured. 5.01.58
A MIB set of bufferControlMaxOctetsGranted of a value of -1 is not input correctly. 5.01.58
The default value of duration in the "set rmon topN properties" command is an out of range value of 0. This causes an error when reloading a config with the command entered in it. 5.01.58
The RMON history utilization output is calculated incorrectly for the default 1800 second interval, and may be calculated incorrectly for intervals over 30 due to a buffer overrun. 3.51.01
Route-Map Problems Corrected in 7.11.01.0025 Introduced In:
ACL Names are incorrectly displayed as "0" in redistribution 'route-map match ip address' clauses. 6.11.01
Router Problems Corrected in 7.11.01.0025 Introduced In:
There was no syslog notification for detection of a duplicate IP address being equal to a router interface's IP address. 6.02.01
Configuration of selected UDP broadcast forwarding to IP helper addresses was not persistent. 6.01.01
UDP forwarding only works with limited broadcast, not directed broadcast. Unknown
Routing Problems Corrected in 7.11.01.0025 Introduced In:
A combination of a static route change at about the same time as an interface state change could trigger a mismanagement of the data table holding the routes. This would result in memory corruption and subsequent reset. 6.12.01
Static routes with indirect next-hops are not removed from the active routing table when they are unreachable. 5.31.17
SMON Problems Corrected in 7.11.01.0025 Introduced In:
When a SMON stat is created the DFE should start counting stats from time of creation, it could have included some stats from prior to creation. 1.07.19
Display of SMON Statistics cannot be aborted with ctrl-c sequence. 6.01.01
An SMON VLAN Statistics collection configured for a VTAP interface reports wrong statistics for any VLAN other than the VTAP VLAN number. 6.01.01
SMON CLI help string contains an extra "vlan". 6.01.01
When reporting SMON VLAN/Priority stats, multicast flows (both L2 and L3) that were switched via hardware were not correctly accounted for. 1.07.19
SNMP Problems Corrected in 7.11.01.0025 Introduced In:
Conditions could arise where excessive amounts of informational messages can get generated to the message log with the word "Emanate" as part of the message. 1.07.19
The tcpCurrEstab value may not match the number of rows in the tcpConnTable of the RFC1213-MIB. 1.07.19
A DSI exception on task tEmanate may occur upon out of bound entries of RMON filter data, mask, and notmask SNMP accesses. 1.07.19
The "subtree" option of the "set snmp notifyfilter" command should limit the first sub-id to the range 0-3, but does not. If a value outside this range is configured, it will be accepted but will fail to be restored after a device reset. Instead, the SNMPagent message "Can't make 'xx' into an OID" followed by "ProcessConfigRecordForcingIndexOrder: Error, cannot parse token xx" should be displayed. 1.07.19
Aborting SNMP CLI commands may emit the message "Unknown status code: -101." This message is spurious and does not indicate any real failure. 1.07.19
A DSI Exception will occur when an SMON Data Capabilities MIB SNMP Get PDU is received containing an invalid, extremely large instance identifier. 6.12.01
SSH Problems Corrected in 7.11.01.0025 Introduced In:
If the SSH console is exited with output still trying to be displayed (for example do a "show config all" and then close your Putty session) the tSshSesn# task will hang waiting to finish its write. This hung task will now be closed on the idle session timeout (set/show logout). 2.00.13
Master slot reset occurs if a closed SSH session still has buffered output trying to be written to the, now closed, pipe. "Exc Vector: DSI exception (0x00000300) Thread Name: tSshSrvr" 5.42.xx
Clearing the IP address that an orphaned SSH session is still attached to may cause the management blade to reset with the following in the message log: "Exc Vector: System Reset - Watchdog Timeout exception (0x00000100) Thread Name: tSshSesn1" 5.42.xx
Chassis coherency/segmentation issues can occur if using 2 or more SSH sessions with heavy output (such as show support). This causes the management blade to lose backplane connectivity to the other blades in the chassis. The following may be seen in the message log: "Mem check error... Task tHostRecv:". 5.42.xx
Sending mutated protocols to the switch can cause the SSH control task to attempt to allocate an unreasonable amount of memory resulting in a reset. 6.11.01
The SSH server may become unstable and cause a reset. 6.12.01
STP Problems Corrected in 7.11.01.0025 Introduced In:
LAG ports bounce operstatus when a module is introduced into the chassis resulting in temporary loss of connectivity. 3.00.33
When root bridge is lost the network may take a long time to reconverge. 4.00.50
MAC moves seen between front panel port and FTM1 port when the chassis is in a separate MST region from the CIST root bridge. 4.00.50
The message "STP Port Event: Multiple BPDU source MAC addresses received on Port = <port-string>" is written to the syslog when BPDUs from multiple sources are seen on a point-to-point link. This indicates that the link will be treated as a shared LAN from the perspective of the Spanning Tree protocol. 5.25.16
"Show config" produces invalid output for the porthello configuration variable. Subsequent loading of the config file causes the "set spantree porthello" command to fail. 4.00.50
When clearing adminpathcost for a port, if an invalid SID is provided, a usage message is printed rather than an error message indicating the source of the error. 4.05.07
Failure to check error status when processing a "show spantree config" command causes high CPU utilization and repeated output until the error condition is cleared. 5.11.21
High CPU utilization when loop causes high rate of BPDUs to be received on a port. 4.00.50
Spanning tree ports requiring authorization, but not yet authorized, do not receive BPDUs transmitted to it and therefore will not block ports which would have blocked had the BPDU been received and processed. This may cause a spanning tree loop. 4.00.50
Unable to delete created SIDs. 4.00.50
Spanning tree data on different blades gets out of sync. Subsequent use of data from distributed messages without validation may lead to reset. 4.00.50
Distributed spanning tree sid data becomes out of sync between blades which leads to corruption of configuration data. 5.41.25
An invalid value provided to the "set spantree mstcfgid rev" command causes usage message rather than an error message. 4.00.50
The "clear spantree fwddelay" command does not set fwddelay to the default value. 5.42.04
Switching Problems Corrected in 7.11.01.0025 Introduced In:
With no gateway configured, the DFE would not process ICMP requests. 1.07.19
If a soft forwarded frame is mirrored, and it was to have its TOS-remarked, the frame would be sent out the mirrored port corrupted. 6.11.01
If in L4 mode, IPv4 flows with some amount of option words will be soft switched. 1.07.19
Help string for "show port ingress-filter" implied that it would only show ports that had ingress filtering enabled. It really showed the ingress-filtering status for all ports. String has been modified to make this clear. 1.07.19
Traffic traversing DFE 10G ports may be dropped when all ports within a chassis are disabled then re-enabled. Unknown
SYSLOG Problems Corrected in 7.11.01.0025 Introduced In:
Syslog uses an ephemeral UDP source port, instead of the well defined SYSLOG source port (514). 2.00.13
SYSLOG should report more descriptive messages for server reconnect attempts like "Reopen attempted for current.log" and "reconnect attempted for server 1(1.2.3.4)". 1.07.19
TACACS+ Problems Corrected in 7.11.01.0025 Introduced In:
The help for "clear tacacs session authorization" indicates that accounting parameters will be cleared. 5.35.16
An information level log event indicating "Status:Fail" may be generated for some tacacs commands regardless of whether the action of the command is successful or not. 5.35.16
When tacacs single connect is enabled, the software is not sending an indication of support for single connect to the tacacs server. This results in a lack of single connect functionality as well as a log event indicating "AAA[TACACS+:Server aborted connection". 5.35.16
The SNMP MIB description for etsysTacacsClientSesnAuthValue describes incorrect default values for read-only, read-write, and superuser authorization. 5.25.16
Telnet Problems Corrected in 7.11.01.0025 Introduced In:
Disabling inbound Telnet, and then re-enabling, can result in the inability to Telnet to the device. 1.07.19
A CLI session with output pended by XON/XOFF flowcontrol will pend indefinitely, reducing the number of available sessions. 1.07.19
Receiving a Telnet NOP command from a Telnet client will cause that Telnet session to hang. 1.07.19
TWCB Problems Corrected in 7.11.01.0025 Introduced In:
'show ip twcb connections' counters did not balance. Established should equal created minus deleted. 6.12.01
VLAN Problems Corrected in 7.11.01.0025 Introduced In:
A layer 2 network loop with spanning tree disabled may cause abnormally high CPU utilization when dynamic egress is enabled. 5.01.58
"show vlan" CLI command shows incorrect creation time of VLANs. 5.41.25
Redundant error message occurs when executing "port vlan" commands against invalid ports. 5.11.21
The non-Default Name for VLAN 1 does not appear in show config. 5.42.xx
When making changes to the VLAN egress list, it is possible for the command to error and display the following message: <163>Oct 3 13:22:24 15.3.1.5 BrdgMIB[1.tConsole]int cliShowConfigEgress(cfgBuffer *, semaphore *, int *, int, char *, char *): failed to get default egress for default vlan. 5.42.xx
VLAN egress mapping wrong/incomplete after MSTP config changes. 6.11.01
"show port egress" output is incorrect when an RFC3580 VLAN Tunnel Attribute caused the egress. 5.31.17
The port host.0.1 was not displayed in the "show port egress" CLI command even when it should have been included. 5.01.58
VRRP Problems Corrected in 7.11.01.0025 Introduced In:
VRRP preempt enabled would not preempt if the VRRP priorities are the same and the SRC IP in the packet was less than the primary IP. 6.01.01
MIB vrrpAssoIpAddrRowStatus is not allowing the adding or removing of rows. 6.01.01
VRRP is only validating the last byte of the source mac address of a VRRP packet instead of the whole source mac address. 4.00.50
VRRP MD5 authentication passes even if the VRRP packet has no message digest. 6.00.02
When VRRP transitions to backup, the existing hardware connections for that VLAN were not removed. 6.01.01
VRRP packet error syslog messages are not throttled, resulting in high rates of syslog messages. 6.01.01
When changing the accept mode of a VRRP Vrid, the message displayed ("Error: Cannot modify the accept mode when VR is enabled") contains the term VR instead of VRID. 6.00.02
Watchdog reset within tVrrpEvt task occurs on interface bounce with a very large number of VRRP virtual IP addresses configured. Unknown
A DSI reset occurs in tVrrpEvt after a blade reset. Unknown
WebView Problems Corrected in 7.11.01.0025 Introduced In:
Adding egress to any VLAN greater than 999 via WebView will cause the device to reset. 3.00.33
KNOWN RESTRICTIONS AND LIMITATIONS:
Routing Compatibility
To be completed prior to upgrading to the 7.11 version of code
RIP Configuration file manipulation instructions:
The benefit of the RIP network command is to summarize the number of interfaces that run RIP.
The network command must be converted to make use of the wildcard bits parameter. Wildcard bits allow the
operator to be as specific or general as desired.
Consider a 2 interface configuration running RIP.
6.12 command:
interface vlan 50
ip address 50.0.0.1 255.255.255.0
no shutdown
exit
interface vlan 51
ip address 50.0.1.1 255.255.255.0
no shutdown
exit
router rip
network 50.0.0.1
network 50.0.1.1
exit
The conversion is done by editing the text configuration file generated by the “show config outfile” and used as
input for the “configure” command. Under “router rip”, add the wildcard bits to the network command as
shown in the examples below. The wildcard bits parameter is in dotted decimal notation and in the reverse
order of the subnet mask.
Converted command in 7.11.01 - enables RIP on interfaces vlan.0.50 and vlan.0.51
router rip
network 50.0.0.1 0.0.0.0
network 50.0.1.1 0.0.0.0
exit
Alternative use as a single network command enabling both interfaces.
router rip
network 50.0.0.0 0.0.255.255
exit
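The conversion described above as a script; this is an added example, not an Extreme Networks tool. It also lists which interfaces each network/wildcard pair would match, assuming (from the two examples above) that 1-bits in the wildcard are ignored when comparing addresses; the vlan 60 interface in the sample is constructed to show a broad wildcard enabling RIP on an interface the original configuration never named.

```python
import ipaddress
import re

# Constructed sample: the 6.12 configuration from this section plus one extra
# interface (vlan 60) that the original 'network' commands did not cover.
SAMPLE_612 = """\
interface vlan 50
ip address 50.0.0.1 255.255.255.0
no shutdown
exit
interface vlan 51
ip address 50.0.1.1 255.255.255.0
no shutdown
exit
interface vlan 60
ip address 50.0.200.1 255.255.255.0
no shutdown
exit
router rip
network 50.0.0.1
network 50.0.1.1
exit
"""

# 'network <address>' with an optional '<wildcard bits>' second argument.
NETWORK_RE = re.compile(
    r"^(\s*network\s+)(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?\s*$")


def wildcard_from_mask(mask):
    """Wildcard bits are the bitwise inverse of the subnet mask."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def parse_interfaces(config):
    """Map interface name -> IPv4 address from 'interface' / 'ip address' lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            current = " ".join(words[1:])
        elif words == ["exit"]:
            current = None
        elif current and words[:2] == ["ip", "address"] and len(words) >= 3:
            interfaces[current] = ipaddress.IPv4Address(words[2])
    return interfaces


def convert_rip_networks(config, wildcard="0.0.0.0"):
    """Add wildcard bits to bare 'network <addr>' lines under 'router rip'."""
    out, in_rip = [], False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "router rip":
            in_rip = True
        elif stripped == "exit":
            in_rip = False
        elif in_rip:
            m = NETWORK_RE.match(line)
            if m and m.group(3) is None:   # leave already-converted lines alone
                line = f"{m.group(1)}{m.group(2)} {wildcard}"
        out.append(line)
    return "\n".join(out) + "\n"


def matched_interfaces(network, wildcard, interfaces):
    """Interfaces whose address equals 'network' on every bit the wildcard keeps."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    want = int(ipaddress.IPv4Address(network)) & care
    return [name for name, addr in interfaces.items()
            if (int(addr) & care) == want]


def rip_coverage(config):
    """Return {(network, wildcard): [interface, ...]} for a converted config."""
    interfaces = parse_interfaces(config)
    coverage, in_rip = {}, False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "router rip":
            in_rip = True
        elif stripped == "exit":
            in_rip = False
        elif in_rip:
            m = NETWORK_RE.match(line)
            if m and m.group(3):
                key = (m.group(2), m.group(3))
                coverage[key] = matched_interfaces(*key, interfaces)
    return coverage


if __name__ == "__main__":
    converted = convert_rip_networks(SAMPLE_612)
    print(converted)
    for (net, wc), names in rip_coverage(converted).items():
        print(f"network {net} {wc} -> {', '.join(names) or 'no interface'}")
    # The single summarizing command also picks up vlan 60.
    print(matched_interfaces("50.0.0.0", "0.0.255.255",
                             parse_interfaces(SAMPLE_612)))
```
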
The ability to enable OSPF routing is dependent upon entering the key from the routing license.
For ACL logging, the user must set severity level to 6 or higher.
NetSight Router Services Manager
NetSight Router Services Manager is not supported when using the 6.x firmware or greater on the Matrix N-Series.
Module/Hardware Compatibility (6000 Modules)
6X1XX modules (First Generation modules) must be configured to transmit 802.1Q tagged frames on the FTM1
backplane when a DFE module is installed in the same chassis. Failure to do so results in corruption of some
frames received by the DFE modules.
DFE modules will not operate and are not supported in a SmartSwitch 6000 or Matrix E7 chassis running the
SecureFast firmware, unless the DFE modules have the FTM1 backplane ports disabled.
DFEs installed in a SmartSwitch 6000 chassis will not properly execute the non append form of the CLI configure
command. The workaround is to clear the config, allow the system to boot back up, and then issue the CLI
‘config <slot#filename> append’ command.
DFE modules 7H4382-25, 7H4382-49, and the 7H4383-49 are supported in a SmartSwitch 6000 Chassis. Boot
code version 1.00.15 is required to support this functionality. Please contact Customer Support to request
assistance in upgrading the boot code.
DFE modules in a SmartSwitch 6000 chassis do not propagate MST information on the FTM1 backplane port and
only run in RSTP mode. If the DFEs are to all be in the same region, they must all have connectivity back to the
regional root bridge via the front panel ports.
The 6SSRM-02 module is incompatible with the DFE modules and must not be present in the system.
6E233-49 modules at Revision ‘OB’ and earlier will not function properly when a DFE is placed in a SmartSwitch
E7 and 6000 Chassis. They are not compatible and must not be used in the same chassis as FTM1 capable DFEs.
Rev 0C and newer have ASIC backplane logic and are compatible with the DFE.
When DFEs are installed in a chassis with 1st Generation E7 modules, it is recommended that legacy path cost on
the DFE be enabled. Interoperability with Matrix E7 2nd and 3rd generation modules is not affected.
DFE Compatibility
The 7K4290-02 does not support 10GBASE-LR XENPAK optics (Part Number 64P0202) modules manufactured by
JDS Uniphase.
The 7G4280-19 and 7G4282-41 modules require a 7G-6MGBIC-A/B version of the optional Mini-GBIC daughter
card. The 7G4280-19 and 7G4282-41 modules do not support the 7G-6MGBIC version and will report an
incompatibility in the system log if the module is installed.
For approximately 15 seconds during the boot-up process, the port status LEDs on the 7H4202-72 DFE switch
model may be randomly illuminated. This does not indicate a problem. Once the unit has completed its boot
sequence, the status LEDs will display correct states for all ports.
802.1w rapid reconfigurations will not occur with 2nd and 3rd Generation Matrix E7 modules running images
prior to 05.04.12. Newer versions of the 2nd and 3rd Generation E7 products resolve this issue.
10/100/1000 ports require CAT-5 cables using all 4 pairs. Many CAT-5 RJ-21 crossover cables have only 2 pairs
and will not work.
Gigabit ports can process Jumbo frame sizes up to 10,239 bytes.
DHCP
The N-Series DHCP server is limited to providing 1000 “local” leases. It cannot issue leases to remote networks.
It is recommended that all DHCP info be cleared prior to configuration changes being made.
CLI (Command Line Interface)
Do not "flow control" CLI "show support" output. Many Terminal emulators (putty, teraterm etc) will pend the
CLI output transfer when the user scrolls back. Doing this during certain output sections of "show support" may
result in holding off the system's distribution mechanism. A Client watchdog reset and message log entry similar
to the following may result: "<1>DistServ[1.tDsBrdOk]serverWatchDog.5, client 76 in recv for 8949 tics".
After initiating a ‘configure’ command the system should be allowed to complete the configuration process.
Boards should not be added or removed.
Users writing their own CLI configuration files should add a ‘wait 10’ command after each ‘msti sid xxx create’
command to ensure the command does not fail. This will be corrected in a future release.
When using the copy command to upload or download files, the use of a drive selection (i.e., C:) for windows
systems is not supported in the URL. The user must use a path that is on the ‘current’ drive from the TFTP or FTP
server’s perspective.
The ‘clear config all’ command does not clear the IP address or the default route of the system. This was done
intentionally to preserve remote connectivity to the system.
CLI response time may be sluggish if management of the system is under heavy use.
The use of the “word” or “host” option in commands, such as ‘Ping’, ‘Traceroute’, or ‘Telnet’, does not support
the translation between domain names and IP addresses (DNS). In all instances the IP address needs to be
defined.
WebView
RMON statistics, when viewed via WebView can display negative values.
WebView configuration allows gigabit ports on the 7G-6MGBIC to be configured with more than 4 Tx queues if
the all port, all slots Gigabit selection is made. The 7G-6MGBIC supports 4 Tx queues only and should be
configured separately.
The web configuration page for rate limit configuration may return an error indicating a set operation was
unsuccessful. This is an erroneous message as the set is successful. This issue will be addressed in a future
release.
LAG (Link Aggregation Groups)
XP/SSR versions 10.00.01 and prior, inappropriately forward LACProtocol Frames. DFE and other systems
running LACP in a network with earlier versions of XP/SSR may form invalid LAG topologies which in turn will
affect STP’s ability to form proper topologies. In networks with earlier versions of firmware, the user must
configure switch ports adjacent to the XP/SSR to not run LACP protocol.
DFE modules support 802.3ad Link Aggregation. Ensure that the attached device is properly provisioned to
support this method. Interoperability with prior forms of trunking can be accomplished using statically
configured aggregations.
Link Aggregation Group (LAG) partners must have the “LACPTimeout” parameter set to the same value. The
Extreme Networks X-Pedition platform has this parameter set to “short” by default which is different than other
Extreme Networks products.
It is recommended that port settings are applied to both the LAG port and the underlying physical port.
A LAG cannot be created with only one port, but it is now possible to RE-FORM a LAG with only one port. A LAG
is now maintained even if only one port is RECONNECTED (including if this occurs through a reboot).
It is recommended that Round Robin distribution algorithm not be used on LAG ports when fragmented frames
exist in the network. Use of Round Robin can result in the fragments being sent out different ports causing out
of order packets.
Port Mirroring
The Port and VLAN mirror function does not mirror errored frames.
Multicast
Router IP Multicast counters don't increment when receiving multicast traffic. ‘show ip traffic mcast’ counter
support will be addressed in a future release.
Protocol Independent Multicast - Dense Mode (PIM-DM) is not supported in this release. This feature will be
addressed in a future release.
System
If any module does not go through a controlled shutdown procedure, the system may experience a ~ 30-second
interruption in order to synchronize the distributed tables and process the change to switch fabric. This includes
a module being removed without properly shutting it down.
If the timeout value for Telnet sessions is changed to zero, meaning that Telnet sessions are set to never
timeout, and four Telnet sessions do not terminate properly, the system will no longer allow access via Telnet.
Access to the system CLI will only be available via a local console session and the active Telnet sessions will need
to be terminated using the ‘disconnect’ command.
The system’s filtering database may age out an entry prior to the aging of the related entry in the router’s ARP
table. If the aged address is involved in a unidirectional conversation, the frames will be flooded. This may
happen in a configuration where the conversation between the two end stations is able to take different routed
paths through the network.
Protocol control frames such as Spanning Tree and GVRP may not be processed on ports with ingress filtering
enabled.
Any problems other than those listed above should be reported to our Technical Support Staff.
IETF STANDARDS MIB SUPPORT:
RFC No. Title
RFC0147 Definition of a socket
RFC0768 UDP
RFC0781 Specification of (IP) timestamp option
RFC0783 TFTP
RFC0791 Internet Protocol
RFC0792 ICMP
RFC0793 TCP
RFC0826 ARP
RFC0854 Telnet
RFC0894 Transmission of IP over Ethernet Networks
RFC0903 A Reverse Address Resolution Protocol
RFC0919 Broadcasting Internet Datagrams
RFC0922 Broadcasting IP datagrams over subnets
RFC0925 Multi-LAN Address Resolution
RFC0950 Internet Standard Subnetting Procedure
RFC0959 File Transfer Protocol
RFC1027 Proxy ARP
RFC1027 Using ARP - transparent subnet gateways
RFC1034 Domain Names - Concepts and Facilities
RFC1035 Domain Names - Implementation and Specification
RFC1071 Computing the Internet checksum
RFC1112 Host extensions for IP multicasting
RFC1122 Requirements for IP Hosts - Comm Layers
RFC1123 Requirements for IP Hosts - Application and Support
RFC1191 Path MTU discovery
RFC1213 MIB-II
RFC1245 OSPF Protocol Analysis
RFC1246 Experience with the OSPF Protocol
RFC1323 TCP Extensions for High Performance
RFC1349 Type of Service in the Internet Protocol Suite
RFC1387 RIPv2 Protocol Analysis
RFC1388 RIPv2 Carrying Additional Information
RFC1389 RIPv2 MIB Extension
RFC1492 TACACS+
RFC1493 BRIDGE-MIB
RFC1517 Implementation of CIDR
RFC1518 CIDR Architecture
RFC1519 Classless Inter-Domain Routing (CIDR)
RFC1624 IP Checksum via Incremental Update
RFC1659 RS-232-MIB
RFC1721 RIPv2 Protocol Analysis
RFC1722 RIPv2 Protocol Applicability Statement
RFC1723 RIPv2 Carrying Additional Information
RFC1724 RIPv2 MIB Extension
RFC1812 General Routing
RFC1850 OSPFv2 MIB
RFC1886 DNS Extensions to support IP version 6
RFC1924 A Compact Representation of IPv6 Addresses
RFC1981 Path MTU Discovery for IPv6
RFC2001 TCP Slow Start
RFC2012 TCP-MIB
RFC2013 UDP-MIB
RFC2018 TCP Selective Acknowledgment Options
RFC2030 SNTP
RFC2080 RIPng (IPv6 extensions)
RFC2082 RIP-II MD5 Authentication
RFC2096 IP Forwarding Table MIB
RFC2104 HMAC
RFC2117 PIM-SM Protocol Specification
RFC2131 Dynamic Host Configuration Protocol
RFC2138 RADIUS Authentication
RFC2233 The Interfaces Group MIB using SMIv2
RFC2236 Internet Group Management Protocol, Version 2
RFC2328 OSPFv2
RFC2329 OSPF Standardization Report
RFC2338 VRRP
RFC2362 PIM-SM Protocol Specification
RFC2370 The OSPF Opaque LSA Option
RFC2373 RFC 2373 Address notation compression
RFC2374 IPv6 Aggregatable Global Unicast Address Format
RFC2375 IPv6 Multicast Address Assignments
RFC2428 FTP Extensions for IPv6 and NATs
RFC2450 Proposed TLA and NLA Assignment Rule
RFC2453 RIPv2
RFC2460 IPv6 Specification
RFC2461 Neighbor Discovery for IPv6
RFC2462 IPv6 Stateless Address Autoconfiguration
RFC2463 ICMPv6
RFC2464 Transmission of IPv6 over Ethernet
RFC2474 Definition of DS Field in the IPv4/v6 Headers
RFC2475 An Architecture for Differentiated Service
RFC2545 BGP Multiprotocol Extensions for IPv6
RFC2553 Basic Socket Interface Extensions for IPv6
RFC2577 FTP Security Considerations
RFC2578 SNMPv2-SMI
RFC2579 SNMPv2-TC
RFC2581 TCP Congestion Control
RFC2597 Assured Forwarding PHB Group
RFC2613 SMON-MIB
RFC2618 RADIUS Client MIB
RFC2620 RADIUS Accounting MIB
RFC2674 P/Q-BRIDGE-MIB
RFC2697 A Single Rate Three Color Marker
RFC2787 VRRP MIB
RFC2819 RMON MIB
RFC2827 Network Ingress Filtering
RFC2863 IF-MIB
RFC2864 IF-INVERTED-STACK-MIB
RFC2865 RADIUS Authentication
RFC2865 RADIUS Accounting
RFC2894 RFC 2894 Router Renumbering
RFC2922 PTOPO-MIB
RFC2934 PIM MIB for IPv4
RFC3101 The OSPF Not-So-Stubby Area (NSSA) Option
RFC3137 OSPF Stub Router Advertisement
RFC3273 HC-RMON-MIB
RFC3291 INET-ADDRESS-MIB
RFC3376 Internet Group Management Protocol, Version 3
RFC3411 SNMP Architecture for Management Frameworks
RFC3412 Message Processing and Dispatching for SNMP
RFC3412 SNMP-MPD-MIB
RFC3413 SNMP Applications
RFC3413 SNMP-NOTIFICATIONS-MIB
RFC3413 SNMP-PROXY-MIB
RFC3413 SNMP-TARGET-MIB
RFC3414 SNMP-USER-BASED-SM-MIB
RFC3415 SNMP-VIEW-BASED-ACM-MIB
RFC3417 SNMPv2-TM
RFC3418 SNMPv2 MIB
RFC3446 Anycast RP mechanism using PIM and MSDP
RFC3484 Default Address Selection for IPv6
RFC3493 Basic Socket Interface Extensions for IPv6
RFC3509 Alternative Implementations of OSPF ABRs
RFC3513 RFC 3513 IPv6 Addressing Architecture
RFC3542 Advanced Sockets API for IPv6
RFC3576 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RFC3584 SNMP-COMMUNITY-MIB
RFC3595 Textual Conventions for IPv6 Flow Label
RFC3596 DNS Extensions to Support IP Version 6
RFC3621 POWER-ETHERNET-MIB
RFC3623 Graceful OSPF Restart
RFC3635 ETHERLIKE-MIB
RFC3678 Socket Interface Ext for Mcast Source Filters
RFC3704 Network Ingress Filtering
RFC3769 Requirements for IPv6 Prefix Delegation
RFC3879 Deprecating Site Local Addresses
RFC4007 IPv6 Scoped Address Architecture
RFC4022 MIB for the Transmission Control Protocol (TCP)
RFC4113 MIB for the User Datagram Protocol (UDP)
RFC4133 ENTITY MIB
RFC4167 Graceful OSPF Restart Implementation Report
RFC4188 Bridge MIB
RFC4193 Unique Local IPv6 Unicast Addresses
RFC4222 Prioritized Treatment of OSPFv2 Packets
RFC4268 ENTITY-STATE-MIB
RFC4268 ENTITY-STATE-TC-MIB
RFC4291 IP Version 6 Addressing Architecture
RFC4292 IP Forwarding MIB
RFC4293 MIB for the Internet Protocol (IP)
RFC4294 IPv6 Node Requirements
RFC4443 ICMPv6 for IPv6
RFC4541 IGMP Snooping
RFC4541 MLD Snooping
RFC4560 DISMAN-PING-MIB
RFC4560 DISMAN-TRACEROUTE-MIB
RFC4560 DISMAN-NSLOOKUP-MIB
RFC4601 PIM-SM
RFC4602 PIM-SM IETF Proposed Std Req Analysis
RFC4604 IGMPv3 & MLDv2 & Source-Specific Multicast
RFC4607 Source-Specific Multicast for IP
RFC4608 PIM-SSM in 232/8
RFC4610 Anycast-RP Using PIM
RFC4668 RADIUS Client MIB
RFC4670 RADIUS Accounting MIB
RFC4750 OSPFv2 MIB
RFC4836 MAU-MIB
RFC4836 IANA-MAU-MIB
RFC4861 Neighbor Discovery for IPv6
RFC4862 IPv6 Stateless Address Autoconfiguration
RFC4884 RFC 4884 Extended ICMP Multi-Part Messages
RFC4940 IANA Considerations for OSPF
RFC5059 Bootstrap Router (BSR) Mechanism for (PIM)
RFC5060 PIM MIB
RFC5095 Deprecation of Type 0 Routing Headers in IPv6
RFC5240 PIM Bootstrap Router MIB
RFC5250 The OSPF Opaque LSA Option
RFC5294 Host Threats to PIM
RFC5519 MGMD-STD-MIB
RFC5798 Virtual Router Redundancy Protocol (VRRP) Version 3
EXTREME NETWORKS PRIVATE ENTERPRISE MIB SUPPORT:
Title Title Title
CISCO-CDP-MIB    ENTERASYS-IETF-P-BRIDGE-MIB-EXT-MIB    ENTERASYS-RADIUS-AUTH-CLIENT-MIB
CISCO-NETFLOW-MIB    ENTERASYS-IF-MIB-EXT-MIB    ENTERASYS-RESOURCE-UTILIZATION-MIB
CISCO-TC    ENTERASYS-LICENSE-KEY-MIB    ENTERASYS-SNTP-CLIENT-MIB
CT-BROADCAST-MIB    ENTERASYS-LICENSE-KEY-OIDS-MIB    ENTERASYS-SPANNING-TREE-DIAGNOSTIC-MIB
CTIF-EXT-MIB    ENTERASYS-LINK-FLAP-MIB    ENTERASYS-SYSLOG-CLIENT-MIB
CTRON-ALIAS-MIB    ENTERASYS-MAC-AUTHENTICATION-MIB    ENTERASYS-TACACS-CLIENT-MIB
CTRON-BRIDGE-MIB    ENTERASYS-MAC-LOCKING-MIB    ENTERASYS-UPN-TC-MIB
CTRON-CDP-MIB    ENTERASYS-MAU-MIB-EXT-MIB    ENTERASYS-VLAN-AUTHORIZATION-MIB
CTRON-CHASSIS-MIB    ENTERASYS-MGMT-AUTH-NOTIFICATION-MIB    ENTERASYS-VLAN-INTERFACE-MIB
CTRON-ENVIROMENTAL-MIB    ENTERASYS-MGMT-MIB    IANA-ADDRESS-FAMILY-NUMBERS-MIB
CTRON-MIB-NAMES    ENTERASYS-MIB-NAMES DEFINITIONS    IEEE8021-PAE-MIB
CTRON-OIDS    ENTERASYS-MSTP-MIB    IEEE8023-LAG-MIB
DVMRP-MIB    ENTERASYS-MULTI-AUTH-MIB    LLDP-EXT-DOT1-MIB
CTRON-Q-BRIDGE-MIB-EXT    ENTERASYS-MULTI-USER-8021X-MIB    LLDP-EXT-DOT3-MIB
ENTERASYS-FLOW-LIMITING-MIB    ENTERASYS-NETFLOW-MIB (v5 & v9)    LLDP-EXT-MED-MIB
ENTERASYS-AAA-POLICY-MIB    ENTERASYS-OIDS-MIB DEFINITIONS    LLDP-MIB
ENTERASYS-CLASS-OF-SERVICE-MIB    ENTERASYS-OSPF-EXT-MIB    RSTP-MIB
ENTERASYS-CONFIGURATION-MANAGEMENT-MIB    ENTERASYS-PIM-EXT-MIB    U-BRIDGE-MIB
ENTERASYS-CONVERGENCE-END-POINT-MIB    ENTERASYS-POLICY-PROFILE-MIB    USM-TARGET-TAG-MIB
ENTERASYS-DIAGNOSTIC-MESSAGE-MIB    ENTERASYS-POWER-ETHERNET-EXT-MIB    ENTERASYS-TWCB-MIB
ENTERASYS-DNS-RESOLVER-MIB    ENTERASYS-PWA-MIB    ENTERASYS-NAT-MIB
ENTERASYS-DVMRP-EXT-MIB    ENTERASYS-RADIUS-ACCT-CLIENT-EXT-MIB    ENTERASYS-LSNAT-MIB
ENTERASYS-IEEE8023-LAG-MIB-EXT-MIB    ENTERASYS-IETF-P-BRIDGE-MIB-EXT-MIB    ENTERASYS-VRRP-EXT-MIB DEFINITIONS
ENTERASYS-IETF-BRIDGE-MIB-EXT-MIB    ENTERASYS-IF-MIB-EXT-MIB    SNMP-RESEARCH-MIB
ENTERASYS-JUMBO-ETHERNET-FRAME-MIB    ENTERASYS-RIPv2-EXT-MIB
Extreme Networks Private Enterprise MIBs are available in ASN.1 format from the Extreme Networks web site
at: www.extremenetworks.com/support/policies/mibs/. Indexed MIB documentation is also available.
SNMP TRAP SUPPORT:
RFC No. Title
RFC 1493 New Root
RFC 1493 Topology Change
RFC 1850 ospfIfStateChange
RFC 1850 ospfVirtIfStateChange
RFC 1850 ospfNbrStateChange
RFC 1850 ospfVirtNbrStateChange
RFC 1850 ospfIfConfigError
RFC 1850 ospfVirtIfConfigError
RFC 1850 ospfMaxAgeLsa
RFC 1850 ospfOriginateLsa
RFC 1907 Cold Start
RFC 1907 Warm Start
RFC 1907 Authentication Failure
RFC 4133 entConfigChange
RFC 2668 ifMauJabberTrap
RFC 2819 risingAlarm
RFC 2819 fallingAlarm
RFC 2863 linkDown
RFC 2863 linkup
RFC 2922 ptopoConfigChange
RFC 2787 vrrpTrapNewMaster
RFC 2787 vrrpTrapAuthFailure
RFC 3621 pethPsePortOnOffNotification
RFC 3621 pethMainPowerUsageOnNotification
RFC 3621 pethMainPowerUsageOffNotification
RFC 4268 entStateOperEnabled
RFC 4268 entStateOperDisabled
Enterasys-mac-locking-mib etsysMACLockingMACViolation
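Cabletron-Traps.txt boardOperational
Cabletron-Traps.txt boardNonOperational
Cabletron-Traps.txt wgPsInstalled
Cabletron-Traps.txt wgPsRemoved
Cabletron-Traps.txt wgPsNormal
Cabletron-Traps.txt wgPsFail
Cabletron-Traps.txt wgPsRedundant
Cabletron-Traps.txt wgPsNotRedundant
Cabletron-Traps.txt fanFail
Cabletron-Traps.txt fanNormal
Cabletron-Traps.txt boardInsertion
Cabletron-Traps.txt boardRemoval
Enterasys-power-ethernet-ext-mib etsysPseChassisPowerRedundant
Enterasys-power-ethernet-ext-mib etsysPseChassisPowerNonRedundant
Enterasys-power-ethernet-ext-mib etsysPsePowerSupplyModuleStatusChange
Enterasys-link-flap-mib etsysLinkFlapViolation
Enterasys-ietf-bridge-mib-ext-mib etsysIetfBridgeDot1qFdbNewAddrNotification
Enterasys-ietf-bridge-mib-ext-mib etsysIetfBridgeDot1dSpanGuardPortBlocked
Enterasys-ietf-bridge-mib-ext-mib etsysIetfBridgeDot1dBackupRootActivation
Enterasys-ietf-bridge-mib-ext-mib etsysIetfBridgeDot1qFdbMovedAddrNotification
Enterasys-ietf-bridge-mib-ext-mib etsysIetfBridgeDot1dCistLoopProtectEvent
Enterasys-flow-limiting-mib etsysFlowLimitingFLowCountActionLimit1
Enterasys-flow-limiting-mib etsysFlowLimitingFLowCountActionLImit2
Enterasys-notification-auth-mib etsysMgmtAuthSuccessNotificiation
Enterasys-notification-auth-mib etsysMgmtAuthFailNotificiation
Enterasys-multi-auth-mib etsysMultiAuthSuccess
Enterasys-multi-auth-mib etsysMultiAuthFailed
Enterasys-multi-auth-mib etsysMultiAuthTerminated
Enterasys-multi-auth-mib etsysMultiAuthMaxNumUsersReached
Enterasys-multi-auth-mib etsysMultiAuthModuleMaxNumUsersReached
Enterasys-multi-auth-mib etsysMultiAuthSystemMaxNumUsersReached
Enterasys-spanning-tree-diagnostic-mib etsysMstpLoopProtectEvent
Enterasys-spanning-tree-diagnostic-mib etsysStpDiagCistDisputedBpduThresholdExceeded
Enterasys-spanning-tree-diagnostic-mib etsysStpDiagMstiDisputedBpduThresholdExceeded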
Lldp-mib lldpNotificationPrefix (IEEE Std 802.1AB-2004)
Lldp-ext-med-mib lldpXMedTopologyChangeDetected (ANSI/TIA-1057)
Enterasys-class-of-service-mib etsysCosIrlExceededNotification
Enterasys-policy-profile-mib etsysPolicyRulePortHitNotification
Enterasys-mstp-mib etsysMstpLoopProtectEvent
RADIUS ATTRIBUTE SUPPORT:
This section describes the support of RADIUS attributes on the DFE modules. RADIUS attributes are defined in
RFC 2865 and RFC 3580 (IEEE 802.1X specific).
RADIUS AUTHENTICATION AND AUTHORIZATION ATTRIBUTES:
Attribute RFC Source
Called-Station-Id RFC 2865, RFC 3580
Calling-Station-Id RFC 2865, RFC 3580
Class RFC 2865
EAP-Message RFC 3579
Filter-Id RFC 2865, RFC 3580
Framed-MTU RFC 2865, RFC 3580
Idle-Timeout RFC 2865, RFC 3580
Message-Authenticator RFC 3579
NAS-IP-Address RFC 2865, RFC 3580
NAS-Port RFC 2865, RFC 3580
NAS-Port-Id RFC 2865, RFC 3580
NAS-Port-Type RFC 2865, RFC 3580
NAS-Identifier RFC 2865, RFC 3580
Service-Type RFC 2865, RFC 3580
Session-Timeout RFC 2865, RFC 3580
State RFC 2865
Termination-Action RFC 2865, RFC 3580
User-Name RFC 2865, RFC 3580
User-Password RFC 2865
RADIUS ACCOUNTING ATTRIBUTES:
Attribute RFC Source
Acct-Authentic RFC 2866
Acct-Delay-Time RFC 2866
Acct-Interim-Interval RFC 2866
Acct-Session-Id RFC 2866
Acct-Session-Time RFC 2866
Acct-Status-Type RFC 2866
Acct-Terminate-Cause RFC 2866
Calling-Station-ID RFC 2865
GLOBAL SUPPORT:
By Phone: 603-952-5000
1-800-872-8440 (toll-free in U.S. and Canada)
For the Extreme Networks Support toll-free number in your country:
www.extremenetworks.com/support/contact/
By Email: [email protected]
By Web: www.extremenetworks.com/support/
By Mail: Extreme Networks, Inc.
145 Rio Robles
San Jose, CA 95134 (USA)
For information regarding the latest software available, recent release notes revisions, or if you require additional
assistance, please visit the Extreme Networks Support web site.