Copyright Crossbeam Systems, 2011, ALL RIGHTS RESERVED. CROSSBEAM, CROSSBEAM SYSTEMS, X-Series, XOS, X20, X30, X45, X60, X80, X80-S, and any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office, and several international jurisdictions. All other product names mentioned in this document may be trademarks or registered trademarks of their respective companies. 06784A
Firmware Upgrade
XOS V9.0.3 contains no firmware changes. See Minimum Firmware Version Requirements on page 10, Table 3 for complete firmware information. XOS V9.0.1 included the following firmware change: the bootloader version for NPM-86xx has changed to 2.0.0.9. This change allows support for the X45 Bundles.
X45 Bundles
NOTE: Sale of X45 Bundles was discontinued as of 12/31/2010. XOS V9.0.3 supports existing X45 Bundle hardware.
X45 Bundles include an X45 chassis, pre-populated with either of two combinations of modules: the X45 8-Core kit or the X45 16-Core kit. The modules are specific to the X45 chassis, and are easily identified by the -B on the faceplate of the module and the -R in the part number. These modules cannot be installed into an X80 chassis. See Table 1 on page 7 for module and part number information.
IPv6 Support
XOS V9.0.0 introduces support for IPv6 traffic on the X-Series Platform. Refer to the XOS Configuration Guide for detailed information on configuring IPv6 functionality in XOS. The following IPv6 features are in XOS V9.0.0:
- Dual stack support for IPv4 and IPv6 routing.
- New IPv6 routing support for OSPFv3, BGPv4, and RIPng.
- 6to4: An IPv6 transition mechanism, enabling the transmission of IPv6 packets over an IPv4 network (generally the IPv4 internet) without configuring explicit tunnels.
- ISATAP: Intra-Site Automatic Tunnel Addressing Protocol. An IPv6 transition mechanism that enables the transmission of packets between IPv6-enabled hosts/nodes over an IPv4 network.
- IPv6IP: An IP-in-IP tunneling mechanism that encapsulates an IPv6 datagram within an IP datagram.
- GRE: Generic Routing Encapsulation. Encapsulates a wide variety of network layer packets in IP tunneling packets.
See the New or Changed Commands Related to the IPv6 Protocol section in Chapter 2 of the XOS Command Reference Guide for information on IPv6-specific commands.
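The 6to4 and ISATAP mechanisms listed above both embed the tunnel endpoint's IPv4 address inside the IPv6 address. The following Python example is added here for illustration and is not from the Crossbeam documentation; it derives a 6to4 prefix (RFC 3056) and recovers the embedded IPv4 endpoint from 6to4 and ISATAP (RFC 5214) addresses. The function names and sample addresses are constructed for the example.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix, RFC 3056
ISATAP_IID = (0x00005EFE, 0x02005EFE)           # upper 32 bits of the interface ID, RFC 5214


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 prefix a site derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def classify(addr: str):
    """Return (mechanism, embedded IPv4 address or None) for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in SIXTOFOUR:
        return "6to4", ip.sixtofour
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF          # low 64 bits = interface identifier
    if (iid >> 32) in ISATAP_IID:
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return "native", None


def tunnel_endpoints(addrs):
    """Map each IPv4 tunnel endpoint to the transition addresses that embed it."""
    found = {}
    for a in addrs:
        mech, v4 = classify(a)
        if v4 is not None:
            found.setdefault(str(v4), []).append((mech, a))
    return found


# Constructed sample addresses (documentation ranges), e.g. sources seen in a flow log.
SAMPLE = [
    "2002:c000:201::1",              # 6to4, embeds 192.0.2.1
    "fe80::5efe:c633:6401",          # ISATAP link-local, embeds 198.51.100.1
    "2001:db8::200:5efe:c000:201",   # ISATAP with the u bit set, embeds 192.0.2.1
    "2001:db8::1",                   # native IPv6, no embedded IPv4
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))
    for v4, hits in tunnel_endpoints(SAMPLE).items():
        print(v4, hits)
```

6to4, ISATAP and IPv6-in-IPv4 tunnels are carried in IP protocol 41 and GRE in IP protocol 47, so the recovered IPv4 endpoints identify the hosts whose IPv4-side filtering also governs this IPv6 traffic.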
XOS V9.0.3 Release Notes, May 19, 2011
- DRBD (Distributed Replicated Block Device) used in CP redundancy
- SNMP server
- PostgreSQL database
- Java Runtime
- Tomcat web server

- Incorporates recent Linux security enhancements
- Full multicore processor support on CPM
- Support for 64-bit VAP group creation
A new x86_64 version of VAP operating system software called xslinux_v5_64 for APMs is included in this release. This VAP OS is for applications that require 64-bit support. The xslinux_v3 and xslinux_v5 VAP OS are supported in addition to the new xslinux_v5_64 VAP OS. The xslinux_v4 VAP OS is no longer supported.
See the application installation guide for each supported application to determine which VAP OS to use.
Usability Enhancements
- A new swatch script, npmfragstats.swc, displays the output of the CLI command show vdf-status module np1 np2 np3 np4 in table format, providing a single view of virtual defragmentation statistics for all NPMs.
- The show interface detail command is enhanced to display IPv4, IPv6, and non-IPv4 frame statistics separately.
- The show interface command output now shows if an interface is not used in the configuration.
- A new chassis alarm that monitors CPU utilization on a per-core basis has been added. The utilization thresholds for each severity level are user-configurable.
See the Routing Software User Guide and the Routing Software V8.0.0 Release Notes for complete information on these and other features.
- Check Point VSX NGX R67 is the latest virtual firewall product from Check Point Software Technologies, and requires the v5 kernel.
- Check Point Security Gateway R71.10, the latest release of the Check Point product line, includes support for IPv6.
- Check Point NGX R65 IPv6Pack provides cluster synchronization, accelerated IPv6 packets using SecureXL, and IPS support. See the Check Point NGX R65 IPv6Pack for Crossbeam Release Notes for instructions on installing and configuring this application.
- Sourcefire 3D Sensor v4.9.1 includes support for jumbo frames and IPv6.
- Sophos PureMessage V5.6 provides an e-mail filtering system that analyzes e-mail messages at the network gateway to protect organizations and enforce corporate communication policies.
See 7.0 Supported Software Applications on page 8 for a list of applications supported in this release.
- A new command, configure acl-interface-mapping, has been added. Use the configure acl-interface and configure acl-interface-mapping commands to configure the mapping of ACLs to interfaces. Refer to the XOS Command Reference Guide and the XOS Configuration Guide for a list of configuration considerations and additional information.
- The no parameter has been removed from the priority-delta command in the following contexts:
    configure vrrp failover-group monitor-circuit <circuit_name> priority-delta
    configure vrrp failover-group monitor-interface <interface_type> <slot/port> priority-delta
    configure vrrp failover-group <failover_group_name> virtual-router vrrp-id <ID> circuit <circuit_name> priority-delta
    configure vrrp failover-group <failover_group_name> virtual_router vrrp-id <ID> circuit <circuit_name> vap-group <VAP_group_name> verify-next-hop-ip <IP_address> priority-delta
    configure vrrp vap-group <VAP_group_name> priority-delta
    configure vrrp vap-group priority-delta
  The range of values when priority-delta is enabled is 1-255 and the default value is 1. To disable priority-delta, set the value to 0 (zero).
- The command bi-direct has been renamed to generate-reversed-flow under these contexts:
    configure vap-group <VAP_group_name> ip-flow-rule <IP_flow_rule_name>
    configure vap-group <VAP_group_name> system-ip-flow-rule <System_IP_flow_rule_name>
- XOS Configuration Guide
- XOS Command Reference Guide
- X80 Platform Hardware Installation Guide
- X45 Platform Hardware Installation Guide
- X-Series Module and FRU Installation Instructions (multiple documents)
- Install Server User Guide
- Install Server V6.1 Release Notes
- RSW Installation Guide
- RSW Version 8.0.0 Release Notes
- Check Point VPN-1 Power NGX R65 Installation and Configuration Guide
- Check Point Security Gateway R70 and R71 Installation and Configuration Guide
- Check Point NGX R65 IPv6Pack for Crossbeam Release Notes
- Check Point R70 IPv6Pack for Crossbeam Release Notes
- Check Point FireWall-1 GX Installation and Configuration Guide
- Check Point VPN-1 Power VSX NGX R65 Installation and Configuration Guide
- Check Point VSX NGX R67 Installation and Configuration Guide
- Sophos PureMessage for UNIX 5.6.0 Installation Guide
- Installation and Configuration Guide for IDS Deployments of IBM Proventia Network IPS on Crossbeam X-Series Platforms
- Installation and Configuration Guide for IPS Deployments of IBM Proventia Network IPS on Crossbeam X-Series Platforms
- Serialization Cookbook: Firewall and IPS
- Multi-System High Availability Configuration Guide
*APM-8650 requires the use of the new fan tray module. See your Crossbeam representative for details.
vpn1-NGXR65-1.0.2.0-5.cbi vpn1-NGXR65-1.1.0.0-13.cbi
- Check Point NGX R65 IPv6Pack
- Check Point R70 IPv6Pack
- Check Point FireWall-1 GX
- Check Point VPN-1 Power VSX NGX R65
- Check Point VSX NGX R67
- Check Point Security Gateway R70
- IBM Proventia Network IPS 2.0
- Imperva SecureSphere 7.0
- Routing Software (RSW) V8.0.0
- Sophos PureMessage V5.6
- Sourcefire 3D Sensor, v4.9.1
- Trend IMSS v7.0
- Trend IWSS v3.1
- Websense Web Security Gateway v6.3.2
See your Crossbeam representative for the latest list of supported applications. If you are running the Crossbeam Routing Software (RSW) application, XOS V9.0.x requires Routing Software (RSW) V8.0.0 or later.
Important: Be sure to reset the internal network value to an appropriate unused network, a private address range, or non-allocated address blocks defined by IANA. This configuration change requires a chassis reload.
9.2 Migration
IMPORTANT: Upgrading to XOS V9.0.3 from XOS V8.x requires the use of the migration process.
9.3 Upgrade
Upgrading from XOS V9.0.x
If you are currently running XOS V9.0.x, upgrades can be performed using the Automated Workflow System. The Automated Workflow System (AWS) combines multiple manual steps into simple menu selections to automate the upgrade of XOS software and firmware. AWS allows you to upgrade XOS software beginning with XOS V9.0.0. Refer to the Automated Workflow System section in Chapter 18 of the XOS Configuration Guide for more information.
- The /var/log/messages file
- A message during login
- The Verify XOS software and firmware compatibility menu selection in the Automated Workflow System
- A major alarm message
- The output from the revs_check utility
- From the System View and the Firmware View in GEM
5npm6FlashImage0015.dat 7npm6xbprc_R0010_130.dat
IMPORTANT: Starting with XOS 9.0.2, the NPM-8600, -8620, and -8650 modules will remain in a Maintenance state if the firmware does not meet minimum version requirements. All modules must have the same Focus FPGA version within a chassis. If boards do not boot up, check the /var/log/messages file for any FPGA firmware messages. Put affected boards into maintenance mode prior to upgrading them to the latest images. See the XOS Configuration Guide for information on updating the firmware.
IPv6 traffic is forwarded only to the Master VAP of a given VAP group that is receiving IPv6 traffic. When using dynamic routing, if the Master VAP fails, the failover time for IPv6 traffic will be longer than IPv4 traffic because the learned routes existed only on the Master VAP and therefore must be rebuilt on the new Master VAP.
ID 27709: ID 27716:
ID 16792:
- An issue that resulted in messages such as the following has been resolved. These messages no longer appear in the log file.
    fw_2 kernel: do_vfs_lock: VFS is out of sync with lock manager!
- The output from the command show flow distribution now shows the correct uptime for the first NPM in some configurations.
ID 19566:
ID 21206: The fabricstats swatch script now reports all byte counts correctly.
ID 21642: Fixed an exception in the cbsstatsd function.
ID 23068: On an NPM-86xx module, MLT child interfaces on a VRRP backup chassis no longer drop traffic.
ID 23172: The VRRP monitor circuit configuration issue has been resolved.
ID 23178: The irmd daemon no longer ends up in a loop resulting in maximum CPU activity.
ID 23182: A rare NPM control plane communication issue has been resolved.
ID 23226: Migration of a system with Check Point VSX R65 no longer displays an erroneous install command message.
ID 23325: Migration results are now part of the SystemSoftwareReleaseHistory.log.
ID 23345: When provisioning a VAP-group with VSX installed, a previously configured group-interface containing the reserved keyword string int now returns an error properly.
ID 23461: Users can now delete and recreate a VAP group associated with an MLT circuit carrying traffic for multiple VLANs, without an interruption in service.
ID 23752: An unexpected system entry into an mwait state on a CPU no longer causes a persistent hang/lockup of the APM module.
13.1 NPM
ID 15145: ID 26070:
- The XOS architecture does not support traffic ingressing multiple times over a single bridge in a Layer 2 topology.
- When you reload NPMs on an X80-AC-1 chassis, the output of the show chassis and show module status CLI commands may be incomplete or delayed. There is no operational effect; traffic passes normally.
- When flows are in a re-routing state, the re-routing tag may not be displayed in show flow active output.
  Workaround: Use show flow-path active verbose to see the re-routing tag.
ID 26347:
13.2 APM
ID 15229:
- The following log message could be reported when creating new circuits or reloading a VAP group. The message can be ignored when seen under the above conditions.
    kernel: <circuit name>: Dropping NETIF_F_SG since no checksum feature.
- If a VAP group is configured with an xslinux_v5 kernel, and the device-name of a circuit that is associated with the VAP group begins with a number, the tcpdump utility reports this error:
    Invalid adapter index
  Workaround: Rename the circuit device-name to remove the leading digits.
ID 20256:
13.3 CPM
ID 25223: If you change the prompt on an APM, the Automated Workflow System cannot upgrade the firmware on that APM.
ID 26491: Do not put large files, such as hot fixes, into the /tftboot/<vap_group>_common directory. This may cause delays when creating VAP groups.
ID 26468: GEM connectivity is lost using any management virtual IP address after performing one of the following:
  - configure remote box, unconfigure remote box, create ip-alias for management interfaces, or delete ip-alias for management interfaces
  Workaround: When this occurs, run the script /crossbeam/bin/cbs_cprm_scripts activate_mgmt_vip eth2 manually from the UNIX prompt on the CPM to restore connectivity.
ID 26355: An SNMP ifEntry query on a bridge mode interface returns erroneous data and should be ignored.
ID 27399: If a user creates a UNIX alias called su with a value of unix su, the Automated Workflow System (AWS) fails while trying to verify slot count and module information.
  Workaround: Before you use AWS, disable all command aliases.
Latin America: +1 978-318-7595 You can also report issues via e-mail to support@crossbeam.com. In addition, all of our service plans include access to the Crossbeam Customer Support Portal located at http://www.crossbeam.com/support/online-support/. The Crossbeam Customer Support Portal provides you with access to a variety of resources, including Customer Support Knowledgebase articles, technical bulletins, product documentation, and release notes. You can also access our real-time problem reporting application, which lets you submit new technical support requests and view all your open requests. Crossbeam Systems also offers extensive customer training on all of its products. For current course offerings and schedules, please refer to the Crossbeam Education Services Web pages located at http://www.crossbeam.com/support/training-services/.