AOS-CX 10.13.1040 Release Notes

Copyright Information

© Copyright 2024 Hewlett Packard Enterprise Development LP.

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America.

Notices

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Products Supported

This release applies to the 6300 and 6400 Switch series. The following table lists any applicable minimum software versions required for that model of switch.

If your product is not listed in the following table, no minimum software version is required.

Important information for 6300 and 6400 Switches

Aruba switches covered by this release note use eMMC or SSD storage. This is non-volatile memory for persistent storage of configuration, files, databases, scripts, and so forth. Aruba recommends updating to version 10.06.0100 or later (including this release) to implement significant improvements to memory usage and prolong the life of the switch.

Do not interrupt power to the switch during a software update.

If using the WebUI, you should clear the browser cache after upgrading to this version of software before logging in to the switch using a WebUI session. This will ensure the WebUI session downloads the latest changes. Do not upgrade to 10.13 using REST API or WebUI unless your switch is running 10.09.1060, 10.10.1020 or later versions of these releases.

Switch fans will run at full speed when a fault is detected with the temperature sensors in the switch. This is normal behavior to ensure overheating does not occur. Should the fans run at full speed at unexpected times, check the output of show environment temperature and show environment fans, then contact support for further assistance.

AOS-CX BGP

AOS-CX BGP implementations support resolving a BGP route's nexthop to a default route (0.0.0.0/0). However, this is not generally recommended in network deployments. Considering the default route to be the last resort route, resolving the BGP route's nexthop to a default route can cause potential routing loops in the network, if they are not properly designed and monitored. Route flaps and/or traffic drops may be observed in such cases.

In 10.11.0001, the command route recursive-lookup default-route has been introduced under the vrf context to support BGP route's nexthop resolving to a default route in the Route table. This command is enabled by default.

RPVST and VLAN Configuration

If a switch has RPVST enabled and the native VLAN ID configured for a trunk interface is not the default VLAN ID 1, and the native VLAN ID is also used as the management VLAN, the switch may not be accessible over the trunk interface after upgrading from any 10.04.00xx version of software.

To fix the issue after an upgrade, log into the switch using the OOBM interface or serial port console and configure the following:

switch# configure
switch(config)# spanning-tree rpvst-mstp-interconnect-vlan <VLAN ID>

where <VLAN_ID> is the native VLAN ID configured on the trunk interface.

If there are multiple trunk interfaces configured on the switch, each with a different VLAN ID, contact the Aruba Support Team.

PoE Feature and Software Upgrades

If the switch has the always-on PoE feature enabled, during the upgrade from a version of software prior to 10.05.0001 to this version of software, PoE Powered Devices (PDs) will lose power from the switch as the switch will power cycle during the update. Plan a time for upgrading the switch when loss of power to the PDs attached to the switch can be mitigated.

Restoring Previous Configuration

To restore a previous configuration when downgrading to a previous version of software, follow these steps:

1. Use the show checkpoint command to see the saved checkpoints and ensure that you have a checkpoint that is an exact match of the target software version (see the Image Version column in the output of the command, for example, FL.10.0x.yyyy). This checkpoint can be the startup-config-backup automatically created during the initial upgrade or any other manually created checkpoint for the target software version.
2. Copy the backup checkpoint into the startup-config.
3. Boot the switch to the target version (lower version), making sure to select no when prompted to save the current configuration.

AOS-CX 10.13 is a Long Supported Release (LSR)

• LSRs are long lived releases where Aruba will introduce new features and new hardware, and park hardware (that is, this may be the last major release supported) as needed.
• LSRs are maintained and supported for 5 years (i.e., Initial Release + 5 years)
• Initial Release to End of Maintenance (EOM*): Bug and vulnerability patching with releases reducing in frequency over time.
• EOM to End of Support (EOS): Vulnerability patching on an as needed basis for High or Critical Common Vulnerability Scoring System (CVSS) issues.

For information about Short Supported Releases (SSRs) and Long Supported Releases (LSRs), see https://www.arubanetworks.com/support-services/end-of-life/arubaos-software-release/.

Upgrade Path

Refer to the Approved Product Lists sites for the Common Criteria, FIPS 140-2 and DoDIN APL to obtain the product certification details. Products should be used as evaluated and defined in the respective configuration guides.

• Common Criteria: https://www.niap-ccevs.org/Product/
• FIPS 140-2: https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search
• DoDIN APL: https://aplits.disa.mil/processAPList.action

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open-source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
6280 America Center Drive
San Jose, CA 95002
U.S.A.

Please specify the product and version for which you are requesting source code. You may also request a copy of this source code free of charge at: https://hpe.com/software/opensource

Version history

All released versions are fully supported by Aruba, unless noted in the table.

Compatibility/interoperability

The switch web agent supports the following web browsers:

Internet Explorer is not supported.

Recommended versions of network management software for switches found in this release note:

For more information, see the respective software manuals.

To upgrade software using NetEdit, make sure to upgrade to the above version of NetEdit first and then execute the switch software upgrade on devices discovered by this version of NetEdit.

Enhancements

There are no enhancements introduced in this release.

Resolved Issues

This section lists fixes found in this branch of the software. The Symptom statement describes what a user might experience if this issue is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue for customers who chooses not to update to this version of software.

For a list of issues resolved in the previous releases of 6300 and 6400 switches, refer to the AOS-CX Release Notes Portal.

The Bug ID is used for tracking purposes.

Resolved Issues

interface vlan <vlan id>
arp ipv4 <IPV4_ADDR> mac <MAC_ADDR>
no arp ipv4 <IPV4_ADDR> mac <MAC_ADDR>

Feature Caveats

The following are feature caveats that should be taken into consideration when using this version of the software.

!
route-map rmap permit seq 10
! set local-preference 50
router bgp 100
 vrf red
 neighbor 1.1.1.2 remote-as 100
 address-family ipv4 unicast
 neighbor 1.1.1.2 activate
 neighbor 1.1.1.2 route-map rmap in
 exit-address-family
!

router bgp 1
 neighbor 1.1.1.1 remote-as 2
 address-family 12vpn evpn
 neighbor 1.1.1.1 activate
 neighbor 1.1.1.1 next-hop-unchanged
 neighbor 1.1.1.1 send-community extended
 exit-address-family
!

Known Issues

The following are known open issues with this branch of the software. The Symptom statement describes what a user might experience if this is seen on the network. The Scenario statement provides additional environment details and trigger summaries. When available, the Workaround statement provides a workaround to the issue.

copy tftp://[20:1::100];blocksize=1375/image.swi secondary
vrf vrf1

Upgrade information

AOS-CX 10.13.1040 for the 6400 Switch series uses ServiceOS FL.01.14.0002

For 6400 only: To execute an In Service Software Upgrade (ISSU) to your switch must be running one of the following supported releases:

Manual configuration restore for software downgrade

To restore a previous configuration when downgrading to a previous version of software, follow these steps:

1. Use the show checkpoint command to see the saved checkpoints and ensure that you have a checkpoint that is an exact match of the target software version (see the Image Version column in the output of the command, for example, FL.10.xx.yyyy). This checkpoint can be the startup-config-backup automatically created during the initial upgrade or any other manually created checkpoint for the target software version.
2. Copy the backup checkpoint into the startup-config.
3. Boot the switch to the target version (lower version), making sure to select no when prompted to save the current configuration.

Hardware updates

The 6400 switch series chassis hardware images may have a different upgrade sequence if programmable device updates are pending that require a power cycle. To determine if there are pending upgrades:

1. Issue the command show needed-updates [next-boot [primary|secondary]] and check the output of the command see if it indicates that one or more devices need to be updated.
2. Issue the command show needed-updates [primary|secondary] and check the output to see which updates are required for the current switch image.
3. Issue the command allow-unsafe-updates <NUM_MINUTES> if any non-failsafe device such as an icbbp_secondary needs to be updated.
4. Issue the command show fabric and show module repeatedly until the output of this command shows that all modules are in the Ready state.
5. Perform a manual chassis power-cycle. If no remote power control is available, physically unplug all the power cables wait at least ten seconds, and plug the power cables back in. This is the only way to clear the write-protection security set on the switch hardware.
6. Wait for the chassis to reboot, and log in to the command-line interface as an admin user (or with an account with similar privileges).
7. Issue the command show fabric and show module repeatedly until the output of this command shows that all modules are in the Ready state.
8. Issue the command show needed-updates.
9. If the output of the command show needed-updates doesn't report any further needed updates or other issues such as a needed power-cycle, then the switch update is complete.
10. However, if icbbp_primary was updated since the last chassis power-cycle, you may need to repeat this process and perform a second power cycle, to get the newly-updated switch image.

Performing the software upgrade

For additional upgrade and downgrade scenarios, including limitations of automatic upgrade and downgrade scenarios provided by the Configuration Migration Framework (CMF), refer to the AOS-CX 10.13 Fundamentals Guide.

This version may contain a change of BootROM from the current running version. A BootROM update is a non-failsafe update. Do not interrupt power to the switch during the update process or the update could permanently damage the device.

1. Copy the new image into the non-current boot bank on the switch using your preferred method.
2. Depending on the version being updated, there may be device component updates needed. Preview any devices updates needed using the boot system <BOOT-BANK> command and entering n when asked to continue.

For example, if you copied the new image to the secondary boot bank and no device component updates are needed, you will see this:

switch# boot system secondary
Default boot image set to secondary.
Checking if the configuration needs to be saved...
Checking for updates needed to programmable devices...
Done checking for updates.
This will reboot the entire switch and render it unavailable until the process is complete.
Continue (y/n)? n

In this example, three device updates will be made upon reboot, one of which is a non-failsafe device:

switch# boot system secondary
Default boot image set to secondary.
Checking if the configuration needs to be saved...
Checking for updates needed to programmable devices...
Done checking for updates.
3 device(s) need to be updated during the boot process.
The estimated update time is between 2 and 3 minute(s).
There may be multiple reboots during the update process.
1 non-failsafe device(s) also need to be updated.
Please run the 'allow-unsafe-updates' command to enable these updates.
This will reboot the entire switch and render it unavailable until the process is complete.
Continue (y/n)? n

3. When ready to update the system, if a non-failsafe device update is needed, make sure the system will not have any power interruption during the process. Invoke the allow unsafe updates command to allow updates to proceed after a switch reboot. Proceed to step 4 within the configured time.

switch# config
switch(config)#2 allow-unsafe-updates 30
This command will enable non-failsafe updates of programmable devices for the next 30 minutes. You will first need to wait for all line and fabric modules to reach the ready state, and then reboot the switch to begin applying any needed updates. Ensure that the switch will not lose power, be rebooted again, or have any modules removed until all updates have finished and all line and fabric modules have returned to the ready state.
WARNING: Interrupting these updates may make the product unusable!
Continue (y/n)? y
Unsafe updates : allowed (less than 30 minute(s) remaining)

4. Use the boot system <BOOT-BANK> command to initiate the upgrade. On the switch console port an output similar to the following will be displayed as various components are being updated:

switch# boot system secondary
Default boot image set to secondary.
Checking if the configuration needs to be saved...
Checking for updates needed to programmable devices...
Done checking for updates.
3 device(s) need to be updated during the boot process.
The estimated update time is between 2 and 3 minute(s).
There may be multiple reboots during the update process.
This will reboot the entire switch and render it unavailable until the process is complete.
Continue (y/n)? y
The system is going down for reboot.
Looking for SVOS.

Primary SVOS: Checking...Loading...Finding...Verifying...Booting...

ServiceOS Information:
Version: <serviceOS number>
Build Date: yyyy-mm-dd hh:mm:ss PDT
Build ID: ServiceOS:<serviceOS number>:6303a2a501ba:202006171659
SHA: 6303a2a501bad91100d9e71780813c59f19c12fe

Boot Profiles:
0. Service OS Console
1. Primary Software Image [xx.10.12.1000]
2. Secondary Software Image [xx.10.13.0001]

Select profile(secondary):

ISP configuration:
Auto updates : enabled
Version comparisons : match (upgrade or downgrade)
Unsafe updates : allowed (less than 29 minute(s) remaining)

Advanced:
Config path : /fs/nos/isp/config [DEFAULT]
Log-file path : /fs/logs/isp [DEFAULT]
Write-protection : disabled [DEFAULT]
Package selection : 0 [DEFAULT]

3 device(s) need to be updated by the ServiceOS during the boot process.
The estimated update time by the ServiceOS is 2 minute(s).
There may be multiple reboots during the update process.

MODULE 'mc' DEVICE 'svos_primary' :
Current version : '<serviceOS number>'
Write-protected : NO
Packaged version : '<version>'
Package name : '<filename>.svos'
Image filename : '<svos_package_name>'
Image timestamp : 'Day Mon dd hh:mm:ss yyyy'
Image size : 22248723
Version upgrade needed

Starting update...
Writing... Done.
Erasing.. Done.
Reading... Done.
Verifying... Done.
Reading.. Done.
Verifying... Done.
Update successful (0.5 seconds).
reboot: Restarting system

Multiple components may be updated and several reboots will be triggered during these updates. When all component updates are completed, the switch console port will arrive at the login prompt with a display similar to following:

(C) Copyright 2017-2023 Hewlett Packard Enterprise Development LP
RESTRICTED RIGHTS LEGEND
Confidential computer software. Valid license from Hewlett Packard Enterprise Development LP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

We'd like to keep you up to date about:
Software feature updates
New product announcements
Special events
Please register your products now at: https://asp.arubanetworks.com

switch login:

Aruba recommends waiting until all upgrades have completed before making any configuration changes.

Chapter 2

Other resources

Aruba is committed to ensuring you have the resources you need to be successful. Check out these learning and documentation resources:

• AOS-CX switch software documentation portal: https://www.arubanetworks.com/techdocs/AOS-CX/help_portal/Content/home.htm
• AOS-CX technical training videos on YouTube: https://www.youtube.com/playlist?list=PLsYGHuNuBZcbWPEjjHuVMqP-Q_UL3CskS

Chapter 3

Aruba security policy

A Security Bulletin is the first published notification of security vulnerabilities and is the only communication vehicle for security vulnerabilities.

• Fixes for security vulnerabilities are not documented in manuals, release notes, or other forms of product documentation.
• A Security Bulletin is released when all vulnerable products still in support life have publicly available images that contain the fix for the security vulnerability.

The Aruba security policy can be found at https://www.arubanetworks.com/en-au/support-services/sirt/.
Security bulletins can be found at https://www.arubanetworks.com/en-au/support-services/security-bulletins/. You can sign up at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com to initiate a subscription to receive future Aruba Security Bulletin alerts via email.