Overview
These release notes support Cumulus Linux 3.5.0, 3.5.1, 3.5.2 and 3.5.3, and describe currently available features and known issues.
Stay up to Date
- Please sign in and click Follow above so you can receive a notification when we update these release notes.
- Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
- Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.
What's New in Cumulus Linux 3.5
Cumulus Linux 3.5 contains the following new features, platforms and improvements:
- New platforms include:
- Accton OMP-800 chassis/Cumulus Express CX-10256-S (100G)
- Delta 9032-v1 (100G Tomahawk) and AG7648 (10G Trident II)
- Broadcom Maverick-based 10G switches, including Dell S4128F-ON
- Edgecore AS5812 AC with 3Y PSU
- Facebook Wedge-100S now generally available
- Mellanox Spectrum A1 chipsets in the 2100, 2410 and 2700 models; Mellanox 2740 (100G) and 2740B (40G)
- Quanta LY7 (10G)
- 10GBASE-LR BiDi optics
- Symmetric VXLAN routing
- VLAN-aware bridge support for ovs-vtepd, for VXLAN solutions using controllers
- OSPF is now VRF-aware
- Voice VLAN
- PIM now supports overlapping IP addresses and IP multicast boundaries
- Bridge layer 2 protocol tunnels
- The SNMP Cumulus-Counters-MIB file includes a new table, pfcClCountersTable, for link pause and priority flow control counters
- The bridge MAC address is now set to the MAC address of eth0
- See what's new and different with NCLU in this release
Note: The EA version of netq is not supported under Cumulus Linux 3.5.
Licensing
Cumulus Linux is licensed on a per-instance basis. Each network system is fully operational, enabling any capability to be utilized on the switch with the exception of forwarding on switch panel ports. Only eth0 and console ports are activated on an un-licensed instance of Cumulus Linux. Enabling front panel ports requires a license.
You should have received a license key from Cumulus Networks or an authorized reseller. To install the license, read the Cumulus Linux Quick Start Guide.
Installing Version 3.5
If you are upgrading from version 3.0.0 or later, use apt-get to update the software.
Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables — such as HTTP proxies — before you install new packages or upgrade your distribution.
- Retrieve the new version packages:
cumulus@switch:~$ sudo -E apt-get update
- If you are using any early access features from an older release, remove them with:
cumulus@switch:~$ sudo -E apt-get remove EA_PACKAGENAME
- Upgrade the release:
cumulus@switch:~$ sudo -E apt-get upgrade
- Reboot the switch:
cumulus@switch:~$ sudo reboot
Note: If you see errors for expired GPG keys that prevent you from upgrading packages when upgrading to Cumulus Linux 3.5.2 or 3.5.3 from 3.5.1 or earlier, follow the steps in Upgrading Expired GPG Keys.
New Install or Upgrading from Versions Older than 3.0.0
If you are upgrading from a version older than 3.0.0, or installing Cumulus Linux for the first time, download the Cumulus Linux 3.5.0 installer for Broadcom or Mellanox switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the quick start guide.
Note: This method is destructive; any configuration files on the switch will not be saved, so please copy them to a different server before upgrading via ONIE.
Important! After you install, run apt-get update, then apt-get upgrade on your switch to make sure you update Cumulus Linux to include any important or other package updates.
Updating a Deployment that Has MLAG Configured
If you are using MLAG to dual connect two switches in your environment, and those switches are still running Cumulus Linux 2.5 ESR or any other release earlier than 3.0.0, the switches will not be dual-connected after you upgrade the first switch. To ensure a smooth upgrade, follow these steps:
- Disable clagd in the /etc/network/interfaces file (set clagd-enable to no), then restart the switchd, networking and FRR services.
cumulus@switch:~$ sudo systemctl restart switchd.service
cumulus@switch:~$ sudo systemctl restart networking.service
cumulus@switch:~$ sudo systemctl restart frr.service
- If you are using BGP, notify the BGP neighbors that the switch is going down:
cumulus@switch:~$ sudo vtysh -c "config t" -c "router bgp" -c "neighbor X.X.X.X shutdown"
- Stop the Quagga (if upgrading from a version earlier than 3.2.0) or FRR service (if upgrading from version 3.2.0 or later):
cumulus@switch:~$ sudo systemctl stop [quagga|frr].service
- Bring down all the front panel ports:
cumulus@switch:~$ sudo ip link set swp<#> down
- Run cl-img-select -fr to boot the switch in the secondary role into ONIE, then reboot the switch.
- Install Cumulus Linux 3.5 onto the secondary switch using ONIE. At this time, all traffic is going to the switch in the primary role.
- After the install, copy the license file and all the configuration files you backed up, then restart the switchd, networking and Quagga services. All traffic is still going to the primary switch.
cumulus@switch:~$ sudo systemctl restart switchd.service
cumulus@switch:~$ sudo systemctl restart networking.service
cumulus@switch:~$ sudo systemctl restart quagga.service
- Run cl-img-select -fr to boot the switch in the primary role into ONIE, then reboot the switch. Now, all traffic is going to the switch in the secondary role that you just upgraded to version 3.5.
- Install Cumulus Linux 3.5 onto the primary switch using ONIE.
- After the install, copy the license file and all the configuration files you backed up.
- Follow the steps for upgrading from Quagga to FRRouting.
- Enable clagd again in the /etc/network/interfaces file (set clagd-enable to yes), then run ifreload -a.
cumulus@switch:~$ sudo ifreload -a
- Bring up all the front panel ports:
cumulus@switch:~$ sudo ip link set swp<#> up
- Now the two switches are dual-connected again and traffic flows to both switches.
Perl, Python and BDB Modules
Any Perl scripts that use the DB_File module or Python scripts that use the bsddb module won't run under Cumulus Linux 3.5.
Documentation
You can read the technical documentation here.
Issues Fixed in Cumulus Linux 3.5.3
The following is a list of issues fixed in Cumulus Linux 3.5.3 from earlier versions of Cumulus Linux.
New Known Issues in Cumulus Linux 3.5.3
The following issues are new to Cumulus Linux and affect the current release.
Release Note ID | Summary | Description |
RN-790 (CM-19014) |
Configuring DHCP relay with VRR breaks ifreload |
When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example the IP address might be removed from an SVI. This issue is currently being investigated. |
RN-820 (CM-19908) |
RADIUS and TACACS Plus should use pam_syslog not openlog/syslog/closelog |
The pam_syslog() interface is now being used to send messages to the system logger, which changes the message format. For example, with an incorrect password, the old message format for TACACS Plus is: Feb 27 21:06:02 switch3 PAM-tacplus[17368]: auth failed 2 The new message format for TACACS Plus is: Feb 27 21:04:08 switch3 sshd[16676]: pam_tacplus(sshd:auth): auth failed 2 This issue should be fixed in the next release of Cumulus Linux. |
RN-821 (CM-19898) |
The net show interface command output missing information |
The This issue should be fixed in the next release of Cumulus Linux. |
RN-822 (CM-19788) |
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. This issue should be fixed in the next release of Cumulus Linux. |
RN-823 (CM-19724) |
Multicast control protocols are classified to the bulk queue by default |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default This issue should be fixed in the next release of Cumulus Linux. |
RN-824 (CM-19667) |
The show v6 route ospf command results in an unknown route type |
When you run the cumulus@switch:~$ vtysh -c 'show ipv6 route ospf6 json' This issue should be fixed in the next release of Cumulus Linux. |
RN-825 (CM-19633) |
cl-netstat counters count twice for VXLAN traffic in TX direction |
This is expected behavior. Multicast frames are being dropped at the transmit port of the same interface on which they are received. This is known as a split-horizon correction, which is required for multicast to operate correctly. This issue should be fixed in the next release of Cumulus Linux. |
RN-826 (CM-16865) |
The compute unique hash seed default value is the same for each switch |
The algorithm that calculates hashing is the same on every switch instead of being unique. This issue should be fixed in the next release of Cumulus Linux. |
RN-827 (CM-14300) |
cl-acltool counters for implicit accept do not work for IPv4 on management (ethX) interfaces |
The iptables are not counting against the default INPUT chain rule for packets ingressing ethX interfaces. This issue should be fixed in the next release of Cumulus Linux. |
RN-828 (CM-19748) |
Security: Debian Security Advisory DSA-4110-1 for exim4 issue CVE-2018-6789 |
The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux 3.5.3 is built on Debian Jessie. This issue should be fixed in the next version of Cumulus Linux. |
RN-829 (CM-19660) |
Security: Debian Security Advisory DSA-4052-1 for Bazaar issue CVE-2017-14176 |
The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system. This issue should be fixed in the next version of Cumulus Linux. Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attacker to run an arbitrary shell command. For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1. |
RN-830 (CM-19595) |
Security: Debian Security Advisory DSA-4098-1 for curl issues CVE-2018-1000005 CVE-2018-1000007 |
The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package. This issue should be fixed in the next version of Cumulus Linux. CVE-2018-1000005 CVE-2018-1000007 For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9. |
RN-831 (CM-19507) |
Security: Debian Security Advisory DSA-4091-1 for mysql issues CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668 |
The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*. This issue should be fixed in the next version of Cumulus Linux. Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1. |
RN-832 (CM-19458) |
Security: Debian Security Advisory DSA-4089-1 for bind9 issue CVE-2017-3145 |
The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package. This issue should be fixed in the next version of Cumulus Linux. CVE ID : CVE-2017-3145 For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15. For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4. We recommend that you upgrade your bind9 packages. |
RN-833 (CM-19446) |
Security: Debian Security Advisory DSA-4086 for libxml2 issue CVE-2017-15412 |
The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package. This issue should be fixed in the next version of Cumulus Linux. Package : libxml2 Nick Wellnhofer discovered that certain function calls inside XPath For the oldstable distribution (jessie), this problem has been fixed |
RN-834 (CM-19385) |
Security: Debian Security Advisories DSA-4082 for kernel issues CVE-2017-8824 CVE-2017-15868 CVE-2017-16538 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 and more |
The following CVEs were announced in Debian Security Advisory DSA-4086-1, and affect the Linux kernel. These issues should be fixed in the next version of Cumulus Linux. Package : linux Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo "install dccp false" >> /etc/modprobe.d/disable-dccp.conf Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. 
Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. 
A local user could use this to cause a denial of service or to obtain sensitive information. Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host. Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel. For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1. |
RN-836 (CM-19353) |
The `net del` and `net add bridge` commands do not work in the same net commit |
If a bridge is previously configured and you run the This issue should be fixed in the next version of Cumulus Linux. |
RN-1002 (CM-21566) |
FRR next-hop resolution changes are not updated when applying VRF to an interface after routes are configured in FRR |
When adding new SVIs and static VRF routes in FRR, the appropriate VRF is applied to the interface in the kernel after the static routes are configured in FRR. When the kernel interface changes to the appropriate VRF, FRR next-hop resolution is not updated with the valid connected next-hop interface. To work around this issue, remove and re-add the static routes. This issue is being investigated at this time. |
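RN-820 changes the syslog tag and message layout of TACACS Plus authentication failures, so a log rule keyed on the old PAM-tacplus tag stops matching. The following added example (not Cumulus Networks code) normalizes both formats quoted in RN-820 and shows the gap left by a rule written for the old format only; the function names and every sample line after the first two are constructed for illustration, and accepting any pam_* module in the new format is a generalization beyond the one line shown on this page.

```python
import re
from collections import Counter

# "Feb 27 21:06:02 switch3 " (the day may be space-padded, as in "Feb  7")
PREFIX = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

# Old format (openlog/syslog): the PAM module itself is the syslog tag.
LEGACY = re.compile(PREFIX + r"PAM-tacplus\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# New format (pam_syslog): the calling program is the tag, and the message is
# prefixed with "module(service:phase): ". Matching any pam_* module is an
# assumption that generalizes the single TACACS Plus line quoted in RN-820.
PAM_SYSLOG = re.compile(
    PREFIX + r"(?P<program>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<phase>[^)]+)\): (?P<msg>.*)$"
)


def parse_pam_line(line):
    """Normalize one syslog line into a dict; return None if it is not PAM output."""
    line = line.rstrip("\n")
    m = LEGACY.match(line)
    if m:
        return {"format": "legacy", "module": "pam_tacplus", "service": None,
                "phase": None, "host": m["host"], "pid": int(m["pid"]),
                "ts": m["ts"], "msg": m["msg"]}
    m = PAM_SYSLOG.match(line)
    if m:
        return {"format": "pam_syslog", "module": m["module"],
                "service": m["service"], "phase": m["phase"],
                "host": m["host"], "pid": int(m["pid"]),
                "ts": m["ts"], "msg": m["msg"]}
    return None


def count_auth_failures(lines, module="pam_tacplus"):
    """Count 'auth failed' events per host across both message formats."""
    hits = Counter()
    for line in lines:
        event = parse_pam_line(line)
        if event and event["module"] == module and event["msg"].startswith("auth failed"):
            hits[event["host"]] += 1
    return hits


def legacy_rule_hits(lines):
    """A rule written against the old tag only; it misses the new format."""
    return sum(1 for line in lines
               if "PAM-tacplus[" in line and "auth failed" in line)


# The first two lines are the examples quoted in RN-820; the rest are constructed.
SAMPLE_LOG = [
    "Feb 27 21:06:02 switch3 PAM-tacplus[17368]: auth failed 2",
    "Feb 27 21:04:08 switch3 sshd[16676]: pam_tacplus(sshd:auth): auth failed 2",
    "Feb 27 21:04:11 switch3 sshd[16676]: pam_tacplus(sshd:auth): auth failed 2",
    "Feb 27 21:05:00 switch3 sshd[16680]: Accepted publickey for cumulus "
    "from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    print("normalized failures per host:", dict(count_auth_failures(SAMPLE_LOG)))
    print("hits for old-format rule only:", legacy_rule_hits(SAMPLE_LOG))
```

Alerting on the normalized module and message rather than on the syslog tag keeps failed-login detection working on switches running either format.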
Issues Fixed in Cumulus Linux 3.5.2
The following is a list of issues fixed in Cumulus Linux 3.5.2 from earlier versions of Cumulus Linux.
New Known Issues in Cumulus Linux 3.5.2
The following issues are new to Cumulus Linux and affect the current release.
Release Note ID | Summary | Description |
RN-806 (CM-19592) |
FRR removes all static routes when service is stopped, including those created by ifupdown2 |
Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the interfaces file and installed using ifupdown2 are also removed. To work around this issue, configure static routes in the post-up ip route add <prefix> via <next-hop address> proto kernel For example: auto swp2 iface swp2 post-up ip route add 0.0.0.0/0 via 192.0.2.249 proto kernel This issue should be fixed in the next release of Cumulus Linux. |
RN-807 (CM-17159) |
NCLU `net show interface <bond>` command shows interface counters that are not populated |
The output of the NCLU This issue is currently being investigated. |
RN-808 (CM-15902) |
In EVPN, sticky MAC addresses move from one bridge port to another |
In EVPN environments, sticky MAC addresses move from one bridge port to another on soft nodes. This issue is currently being investigated. |
RN-809 (CM-19120) |
`netshow lldp` command displays an error |
When running the netshow lldp command, the output displays the following error: cumulus@switch:~# netshow lldp ERROR: The lldpd service is running, but '/usr/sbin/lldpctl -f xml' failed. However, the NCLU This issue should be fixed in the next release of Cumulus Linux. |
RN-810 (CM-19601) |
Security: Wireshark vulnerabilities DSA-4101 CVE-2018-5334 CVE-2018-5335 CVE-2018-5336 |
The Wireshark security vulnerabilities were announced after the branch for Cumulus Linux 3.5.2 was frozen. Wireshark is not installed in the base Cumulus Linux image; it is an optional package. And since these vulnerabilities are relatively minor, they will be fixed in the next Cumulus Linux release. Following is the Debian security advisory DSA-4101-1: Debian Security Advisory DSA-4101-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 28, 2018 https://www.debian.org/security/faq Package : wireshark CVE ID : CVE-2018-5334 CVE-2018-5335 CVE-2018-5336 It was discovered that wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors/file parsers for IxVeriWave, WCP, JSON, XML, NTP, XMPP and GDB, which could result in denial of service or the execution of arbitrary code. For the oldstable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u13. For the stable distribution (stretch), these problems have been fixed in version 2.2.6+g32dac6a-2+deb9u2. |
RN-811 (CM-18702) |
BGP unnumbered neighbor stays down after reload and interface flap |
The BGP unnumbered neighbor does not come back up after issuing the reload command or after an interface flap. This issue is specific to how RA suppression is disabled by FRRouting for BGP unnumbered interfaces. By default, RA suppression is enabled. However, when BGP unnumbered interfaces are configured, RA suppression is disabled. The issue can arise depending on your FRR configuration. If you push an frr.conf configuration to the switch and it did not include the no ipv6 nd suppress-ra option, then FRR adds that to running configuration, but it is still not present in frr.conf. When you run FRR reload, RA suppression gets enabled again, as it's not in frr.conf. The next time an interface flaps, BGP unnumbered is unable to establish peering. To work around this issue, frr.conf has been pushed and the frr.service gets restarted. The additional write in FRR syncs both saved and running configurations. This issue should be fixed in the next release of Cumulus Linux. |
RN-814 (CM-19658) |
NCLU `net add VXLAN` commands out of order |
When creating a VNI, the To work around this issue, manually reorder the commands so that This issue should be fixed in the next release of Cumulus Linux. |
RN-815 (CM-19630) |
Bridge MAC address clashing when eth0 is part of the same broadcast domain |
Cumulus Linux 3.5.0 and above uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading to 3.5.x. To work around this issue, manually change the bridge MAC address in the This issue should be fixed in the next release of Cumulus Linux. |
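The security entries in these notes (RN-810 and RN-829 through RN-832) each quote the Debian jessie version that carries the fix. The following added example (not Cumulus Networks code) checks a package inventory against those versions using Debian's version ordering, where a plain string comparison would wrongly rank deb8u13 below deb8u9. The package-name patterns and the sample inventory are assumptions constructed for illustration; the inventory is in the two-column form printed by `dpkg-query -W -f='${Package} ${Version}\n'`, and packages rebuilt by a vendor may carry different version strings.

```python
from fnmatch import fnmatch

DIGITS = "0123456789"

# Fixed-in-jessie versions quoted in these release notes. The keys are glob
# patterns over binary package names and are assumptions of this example.
FIXED_IN_JESSIE = {
    "curl": "7.38.0-4+deb8u9",                 # RN-830, DSA-4098-1
    "mysql-*": "5.5.59-0+deb8u1",              # RN-831, DSA-4091-1
    "libmysql*": "5.5.59-0+deb8u1",            # RN-831, DSA-4091-1
    "bind9": "1:9.9.5.dfsg-9+deb8u15",         # RN-832, DSA-4089-1
    "bzr": "2.6.0+bzr6595-6+deb8u1",           # RN-829, DSA-4052-1
    "wireshark": "1.12.1+g01b65bf-4+deb8u13",  # RN-810, DSA-4101-1
}


def _weight(ch):
    """Debian sort weight: '~' < end of string or digit < letters < other characters."""
    if ch in DIGITS:
        return 0
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using the weights.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            wa = _weight(a[i]) if i < len(a) else 0
            wb = _weight(b[j]) if j < len(b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        # Digit run: compare as integers, so "13" sorts after "9".
        si, sj = i, j
        while i < len(a) and a[i] in DIGITS:
            i += 1
        while j < len(b) and b[j] in DIGITS:
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 when a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def audit(inventory, fixed=FIXED_IN_JESSIE):
    """Return (package, installed, fixed) for packages older than the fixed version."""
    stale = []
    for line in inventory.strip().splitlines():
        package, installed = line.split()
        for pattern, wanted in fixed.items():
            if fnmatch(package, pattern):
                if compare_versions(installed, wanted) < 0:
                    stale.append((package, installed, wanted))
                break
    return stale


# Constructed inventory for illustration.
SAMPLE_INVENTORY = """
curl 7.38.0-4+deb8u8
bind9 1:9.9.5.dfsg-9+deb8u15
bzr 2.6.0+bzr6595-6+deb8u1
mysql-common 5.5.58-0+deb8u1
libmysqlclient18 5.5.59-0+deb8u1
wireshark 1.12.1+g01b65bf-4+deb8u9
openssh-server 1:6.7p1-5+deb8u4
"""

if __name__ == "__main__":
    for package, installed, wanted in audit(SAMPLE_INVENTORY):
        print(f"{package}: installed {installed}, fix is in {wanted}")
```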
Issues Fixed in Cumulus Linux 3.5.1
The following is a list of issues fixed in Cumulus Linux 3.5.1 from earlier versions of Cumulus Linux.
New Known Issues in Cumulus Linux 3.5.1
The following issues are new to Cumulus Linux and affect the current release.
Issues Fixed in Cumulus Linux 3.5.0
The following is a list of issues fixed in Cumulus Linux 3.5.0 from earlier versions of Cumulus Linux.
Release Note ID | Summary | Description |
RN-125 (CM-1576) |
Network LSA with an old router ID isn't flushed out by the originator |
When the router ID is changed, the router should remove the previous network LSA (link-state advertisement) that it generated based on the IP address on the interface in the Network LSA. This issue is fixed in Cumulus Linux 3.5.0. The fix now changes the router ID upon changing rather than having to wait for the max age timer. |
RN-387 (CM-8163) |
Quagga appears to not honor passive interfaces if VRR is active |
In a VRR configuration, any interface-specific routing configuration (e.g., OSPF mode of operation) specified on the subinterface having a virtual IP address does not take effect. This is because when an operator has specified a virtual IP on a bridge, the system creates another internal interface bridge with the virtual IP and MAC. These two interfaces are treated distinctly by Quagga, so any interface-specific routing configuration on the bridge does not get carried over to the second bridge. As a workaround, in a VRR deployment that needs any interface-specific routing configuration on the interface with a virtual IP address, the routing configuration must also be specified against the internally-created virtual interface. This issue is fixed in Cumulus Linux 3.5.0. |
RN-448 (CM-11302) |
Using the json option in the "show ip bgp" command causes peer session flaps |
This issue causes peer session flaps on Penguin Arctica 4806XP and Supermicro SSE-X3648S switches. It occurs with 16K IPv4 prefixes and only when you run However, on switches with Tomahawk ASICs, with 61K IPv4 prefixes and default timers, the same show ip bgp json command causes all peer sessions to go down. This issue is fixed in Cumulus Linux 3.5.0. |
RN-542 (CM-13461) |
Polling the BGP RIB with "show ip bgp" causes the peer to flap if the RIB has more than 600K entries |
This is a known issue that's currently being investigated. The Quagga log shows these commands taking a very long time to execute. To work around this issue, Cumulus Networks recommends you use larger keepalive/hold timers — 60 and 180 seconds, respectively. This issue is fixed in Cumulus Linux 3.5.0. |
RN-598 (CM-15575) |
clagd process restarts when updating backup-ip |
An error was found when an accidental change was made to the backup IP, and then corrected. This issue is fixed in Cumulus Linux 3.5.0. |
RN-646 (CM-17704) |
switchd crashes when auto-negotiation is enabled on 10G LR/SR interfaces |
When auto-negotiation is enabled on a 10G LR or SR interface, switchd might crash and cannot be restarted unless you reboot the whole switch. This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-649 (CM-17778) |
The clagd service fails to start if the backup IP is over a management VRF |
The This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-650 (CM-17843) |
NCLU: cannot configure FRR if all FRR daemons are disabled |
A regression occurred where upgraded instances did not keep previous Quagga configurations. This meant that once the instance booted into 3.4.0, FRR was not configured. This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-653 (CM-17856) |
Enabling PFC on Mellanox switches may cause switchd to crash |
On Cumulus Linux versions 3.3.0 and later, enabling priority flow control (PFC), explicit congestion notification (ECN) or link pause on Mellanox Spectrum-based switches may cause the switchd process to crash. To work around this issue, populate the appropriate unlimited_egress_buffer_port_set parameter in the /etc/cumulus/datapath/traffic.conf file. The default range should be "swp<a>-swp<z>", where "swp<a>" is the first front panel port in /var/lib/cumulus/porttab and "swp<z>" is the last front panel port in the porttab file. For example, to configure this parameter for PFC, use: # priority flow control pfc.port_group_list = [pfc_port_group] pfc.pfc_port_group.cos_list = [0] pfc.pfc_port_group.port_set = swp1-swp5 pfc.pfc_port_group.port_buffer_bytes = 25000 pfc.pfc_port_group.xoff_size = 10000 pfc.pfc_port_group.xon_delta = 2000 pfc.pfc_port_group.tx_enable = true pfc.pfc_port_group.rx_enable = true pfc.pfc_port_group.unlimited_egress_buffer_port_set = swp1-swp16 For ECN, the parameter would be ecn.ecn_port_group.unlimited_egress_buffer_port_set = swp1-swp16. For link pause, the parameter would be link_pause.pause_port_group.unlimited_egress_buffer_port_set = swp1-swp16. This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-657 (CM-18080) |
All multicast traffic on Trident II+ switches is software forwarded when RIOT is enabled |
When RIOT is enabled on a Trident II+ switch, all multicast traffic gets software forwarded. To work around this issue, disable RIOT on the switch. Edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file and change the vxlan_routing_overlay.profile setting to disable: vxlan_routing_overlay.profile = disable Then restart cumulus@switch:~$ sudo systemctl restart switchd.service This issue is fixed in Cumulus Linux 3.5.0. |
RN-658 (CM-17338) |
Power cycling a connected host may result in control plane traffic failure on a 10G BASE-T Trident II+ switch |
Switches with the Trident II+ chipset running Cumulus Linux 3.3.0 or later may experience a failure to transmit frames from the control plane following a power-cycle of a device connected via 10GBASE-T. This can result in complete loss of connectivity from the switch control plane to connected devices. To work around this issue, restart switchd with sudo systemctl restart switchd. This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-672 (CM-18154) |
Redistribute neighbor service rdnbrd does not add zebra route if connected host moves to a different interface |
This situation occurs if the host was reachable via a given port (say swp1), and then also becomes reachable via a second port (say swp2). In this case, the routing table entry gets updated to point to swp2, but the neighbor entry on swp1 remains reachable. If the host stops responding on swp2, the neighbor entry on swp1 remains reachable and keeps getting refreshed. As the entry on swp2 transitions to a FAILED status, the rdnbrd service removes the route from table 10, but table 10 does not get notified of a neighbor change and thus doesn't have an entry for this connected neighbor. The only workaround is to restart the rdnbrd service, but this is not advised, especially if the host moves around the network frequently, as would be the case if the host is a virtual machine. This issue is fixed in Cumulus Linux 3.5.0. |
RN-673 (CM-18254) |
On Mellanox switches, the switch ports are in operational DOWN status |
This issue arose after upgrading to Cumulus Linux 3.4.2 and occurs under the following conditions:
To work around this issue, set auto-negotiation to on for every affected interface at both ends: cumulus@switch:~$ net add interface swp1-52 link autoneg on cumulus@switch:~$ net pending cumulus@switch:~$ net commit This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-674 (CM-17577) |
Cannot set the MTU for switch ports that is different than the MTU for eth0 |
You cannot set both a global MTU and an individual MTU in a policy file. For example, this configuration does not work: root@leaf01:/home/cumulus# cat /etc/network/ifupdown2/policy.d/mtu.json { "address": {"defaults": { "mtu": "9216" }}, "ethtool": {"iface_defaults": {"eth0": {"mtu": "1500"}}} } This issue is fixed in Cumulus Linux 3.5.0. |
RN-675 (CM-17735) |
When EVPN with ARP suppression is enabled, the total neighbor entries are limited by the RIOT profile, which defaults to 8K entries |
When ARP suppression is turned on, a VXLAN SVI is configured on the bridge. In Cumulus Linux 3.4.z, VXLAN routing is enabled by default, so the neighbors are being learned and programmed in the Broadcom Trident II+ ASIC. The Trident II+ default profile supports up to 8k next hop entries, after which the following error messages are logged:
switchd[20053]: hal_bcm_l3.c:1283 CRIT bcm_l3_egress_create unit 0 mod 0 \
port -2147483640 vlan 0 intf 10240 failed: Table full
These messages do not affect forwarding. To work around this issue, disable VXLAN routing.
Note: Restarting switchd causes all network ports to reset in addition to resetting the switch hardware configuration. This issue is fixed in Cumulus Linux 3.5.0. |
RN-689 (CM-18369) |
On a Trident II+ switch, using VXLAN RIOT breaks the VRF setting in the L3_IIF table |
On a Trident II+ switch, VXLAN RIOT is enabled by default. However, a problem occurred with the VLAN-to-L3_IIF table setting that indicates the VRF. This caused switchd to fail to set the L3_IIF attribute in a new table entry, thus incorrect L3_IIF and profile attributes, including the VRF ID, were used for packet processing. This affected any routed interface, such as bonds, VLAN subinterfaces, and SVIs. As a result, you might be unable to ping the address of the WAN-facing interface on a border leaf switch. The workaround involved disabling the VXLAN RIOT setting in the datapath.conf file. This issue was a regression of an earlier issue and has been fixed again in Cumulus Linux 3.5.0. |
RN-696 (CM-17040) |
After rebooting a Cumulus Express 5812-54X switch, ports with 1000Base-T SFP are down when auto-negotiation is on |
For 1000Base-T interfaces, auto-negotiation should be set to no. To work around this issue, disable auto-negotiation on these interfaces. This issue is fixed in Cumulus Linux 3.5.0. |
RN-698 (CM-17205) |
When updating neighbor entries in hardware, a Mellanox switch returns "neigh_add failed. err: Entry Already Exists" error |
This error occurs when VRR is configured. This issue is fixed in Cumulus Linux 3.5.0. |
RN-699 (CM-18951) |
ifupdown2 policy applied incorrectly for eth0 |
On Cumulus Linux, the This issue is fixed in Cumulus Linux 3.5.0. |
RN-700 (CM-17209) |
When both MLAG switches share the same IP address, it causes a loop |
When configuring MLAG, if the This issue is fixed in Cumulus Linux 3.5.0. The |
RN-701 (CM-17226) |
MLAG clagd service exits due to misconfiguration |
The switch stops the This issue is fixed in Cumulus Linux 3.5.0. |
RN-703 (CM-17432) |
An ACL fails to match traffic after an interface is bounced and the internal VLAN ID is changed |
This issue is fixed in Cumulus Linux 3.5.0. |
RN-705 (CM-17468) |
If lacp-bypass-allow is configured, `net show config commands` displays a bond configuration incorrectly |
If
cumulus@leaf03:~$ net show config commands
...
net add bridge bridge vlan-aware
net add bond server03 bond lacp-bypass-allow
net add bond server03 bond slaves swp1
net add bond server03 bridge access 20
net add bond server03 clag id 3
net add bond server03 stp bpduguard
net add hostname leaf03
Since This issue is fixed in Cumulus Linux 3.5.0. |
RN-706 (CM-18771) |
On Broadcom switches, IGMP snooping not working as expected |
Multicast traffic is flooded to all bridge ports even if there is a valid snooped (*,G) entry. This issue is fixed in Cumulus Linux 3.5.0. |
RN-707 (CM-17804) |
MLAG goodbye message over peerlink not always sent |
In an MLAG configuration, when the primary switch goes down, Cumulus Linux now sends a goodbye message over the backup link as well as over the peerlink. |
RN-708 (CM-18749) |
MLAG bridge mbd timer issue |
MLAG does not sync the bridge This issue is fixed in Cumulus Linux 3.5.0. |
RN-709 (CM-17839) |
Mellanox switch returns parameter errors for bond configuration: "VLAN: Failure - port is LAG member" |
A Mellanox switch returns the following errors in syslog for a bond configuration:
2017-08-28T10:06:17.596911-07:00 mlx-2700-01 sx_sdk: VLAN: Failure - port is LAG member (Parameter Error)
2017-08-28T10:06:17.616588-07:00 mlx-2700-01 sx_sdk: VLAN: Failure - port is LAG member (Parameter Error)
2017-08-28T10:06:17.619505-07:00 mlx-2700-01 sx_sdk: VLAN: Failure - port is LAG member (Parameter Error)
This issue is fixed in Cumulus Linux 3.5.0. |
RN-710 (CM-18663) |
Incorrect NCLU IPv6 SNMP configuration |
Valid IPv6 addresses cannot be bound by This issue is fixed in Cumulus Linux 3.5.0. |
RN-711 (CM-17842) |
NCLU net show lldp command reports wrong mode in LLDP output for Trunk/L2 |
The This issue is fixed in Cumulus Linux 3.5.0. |
RN-712 (CM-18634) |
BGP IPv4 default-originate command fails next hop check when using unnumbered with IPv6 addresses |
BGP unnumbered does not support IPv6 GUA addresses on the interface which is peering IPv6. This issue is fixed in Cumulus Linux 3.5.0. |
RN-713 (CM-18473) |
New functionality within NCLU is enabled automatically after an upgrade |
All NCLU components are now enabled by default after an upgrade, unless explicitly disabled. If you edit the |
RN-714 (CM-18458) |
1G SFP ports flap when reloading settings with ifreload -a |
If a 1G fibre SFP is installed in a 10G SFP+ port and the port speed is not specified (auto-negotiation is on), reloading settings with the This issue is fixed in Cumulus Linux 3.5.0. |
RN-715 (CM-18012) |
clagctl reports a host as single-attached when both MLAG peer switches are down |
In an MLAG configuration, This issue is fixed in Cumulus Linux 3.5.0. |
RN-716 (CM-18433) |
netd crashes if the default user cumulus is removed |
If you remove the default user This issue is fixed in Cumulus Linux 3.5.0. |
RN-717 (CM-18023) |
NCLU does not add `ip igmp` before applying the `igmp join group` command |
NCLU does not add This issue is fixed in Cumulus Linux 3.5.0. |
RN-718 (CM-18031) |
The NCLU OSPF message-digest-key command is incorrectly translated to the FRRouting configuration |
The following NCLU command:
cumulus@switch:~$ net add vlan 501 ospf message-digest-key 7 md5 ospf
gets incorrectly translated to the following in the FRRouting configuration:
ip ospf message-digest-key 7 md5 ip ospf
The correct syntax should be:
ip ospf message-digest-key 7 md5 ospf
This issue is fixed in Cumulus Linux 3.5.0. |
RN-719 (CM-18052) |
After stopping the hsflowd service, sFlow continues to sample, causing buffer drops |
If you stop the This issue is fixed in Cumulus Linux 3.5.0. |
RN-720 (CM-18355) |
Change in default multicast buffer size |
Sending multicast traffic to several interfaces while one interface is congested leads to dropped packets on all receivers. In Cumulus Linux 3.5.0, the default multicast buffer size has been changed so that the buffer size per port cannot be more than 128K (1024 cells). |
RN-721 (CM-18069) |
OSPFv3 (IPv6) does not install IPv6 prefix into the OSPFv3 RIB |
This issue is fixed in Cumulus Linux 3.5.0. |
RN-722 (CM-18318) |
On Mellanox Spectrum switches, sFlow does not work when enabled on a bond member interface |
The Mellanox Spectrum switch does not create or export flow samples when the sampled traffic flow is ingress AND egress on a bond interface. This issue is fixed in Cumulus Linux 3.5.0. |
RN-723 (CM-18161) |
Running ifreload bounces the loopback interface if an IPv6 address is defined before an IPv4 address |
To work around this issue, edit the configuration in
This is incorrect:
auto lo
iface lo inet loopback
    address 2001:db8::1/128
    address 192.0.2.1/32
This is correct:
auto lo
iface lo inet loopback
    address 192.0.2.1/32
    address 2001:db8::1/128
This issue is fixed in Cumulus Linux 3.5.0. |
RN-725 (CM-11824) |
LACP protocol status flag in /proc/net/bonding/<name> output |
A new status line is added to the output to indicate the LACP protocol status per member interface. |
RN-727 (CM-14152) |
ifreload not re-enabling IGMP snooping |
This issue is fixed in Cumulus Linux 3.5.0. |
RN-728 (CM-14790) |
No license error message from ifreload and NCLU commands |
If a license file is not installed for switchd, You now see a warning message indicating that a license file is not installed. |
RN-729 (CM-16099) |
Logging for MLAG role change |
It is not clear in MLAG logging what the switch's role is at any given time. More logging is now added to specify what the role of the switch is. |
RN-731 (CM-16233) |
netd crashes when configuring nameserver with no resolv.conf file |
If you remove the This issue is fixed in Cumulus Linux 3.5.0. |
RN-733 (CM-16612) |
VXLAN interfaces stay down after ifreload -a |
After issuing the only if there is no MLAG peer connectivity. This issue is fixed in Cumulus Linux 3.5.0. |
RN-734 (CM-16716) |
SPAN rules on a VXLAN VNI interface fail to install |
Installing SPAN rules on a VXLAN VNI interface results in an installation error. This issue is fixed in Cumulus Linux 3.5.0. |
RN-735 (CM-16862) |
Unable to start a service if VRF name contains a dash (-) |
If a VRF name contains a dash (-), any service you try to start fails with the message "Invalid VRF name." This issue is fixed in Cumulus Linux 3.5.0. |
RN-736 (CM-18619) |
Multiple DHCP relay forwarding requests overlap on outgoing interface |
Multiple DHCP relay forwarding requests are replicated erroneously to a server that does not serve that subnet. This issue is fixed in Cumulus Linux 3.5.0. |
RN-739 (CM-18790) |
Confusing message received on IP unnumbered interface even though packet is forwarded |
When DHCP relay is configured and a DHCP packet is received on an IP unnumbered interface, a Discard message is logged even though the DHCP packet is forwarded. This issue is fixed in Cumulus Linux 3.5.0. |
RN-740 (CM-18847) |
Unreachable IPv6 route cache entries for connected network not removed when carrier restored |
When traffic originating from the kernel is generated and destined to a connected VRF IPv6 global address while the connected interface is carrier-down, an unreachable route cache entry is created against the loopback interface:
cumulus@leaf01:~$ ip -6 ro ls cache table NAME
unreachable 2001:DB8::5 dev lo metric 0 cache error -101 pref medium
When the carrier is restored, this entry remains and subsequent route lookups continue to return unreachable results erroneously:
cumulus@leaf01:~$ sudo vrf task exec NAME ping6 2001:DB8::5
connect: Network is unreachable
This issue is fixed in Cumulus Linux 3.5.0. |
RN-752 (CM-16683) |
VXLAN MAC addresses change on reboot, which also affects the bridge MAC address |
When you reboot the switch, VXLAN MAC addresses change. The bridge MAC address also changes and is set to the MAC address of eth0. This issue is fixed in Cumulus Linux 3.5.0. |
RN-767 (CM-17475) |
Security: Linux kernel issues fixed in Cumulus Linux 3.5.0: DSA-3945-1 CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541 CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911 CVE-2017-11176 CVE-2017-1000365 |
The following CVEs that were announced in Debian Security Advisory DSA-3945-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus Linux 3.5.0 (package version 4.1.33-1+cl3u10):
--------------------------------------------------------------------------
Package : linux
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2017-7346
CVE-2017-7482
CVE-2017-7533
CVE-2017-7541
CVE-2017-7542
CVE-2017-9605
CVE-2017-10810
CVE-2017-10911 / XSA-216
CVE-2017-11176
CVE-2017-1000365
For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u3. |
RN-768 (CM-18121) |
Security: Linux kernel issues fixed in Cumulus Linux 3.5.0: DSA-3981-1, CVE-2017-7518, 7558, 10661, 11600, 12134, 12146, 12153, 12154, 14106, 14140, 14156, 14340, 14489, 14497, 1000111, 1000112, 1000251, 1000252, 1000370, 1000371, 100038 |
The following CVEs that were announced in Debian Security Advisory DSA-3981-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus Linux 3.5.0 (package version 4.1.33-1+cl3u10):
--------------------------------------------------------------------------
Package : linux
Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.
CVE-2017-7518
CVE-2017-10661 (jessie only)
CVE-2017-11600
CVE-2017-12134 / #866511 / XSA-229
    This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:
CVE-2017-12153
CVE-2017-12154
CVE-2017-14106
CVE-2017-14140
CVE-2017-14156
CVE-2017-14340
CVE-2017-14489
CVE-2017-14497 (stretch only)
    Cumulus Linux is not vulnerable. The vulnerable code is not present in the Cumulus Linux kernel.
CVE-2017-1000111
CVE-2017-1000112
CVE-2017-1000251 / #875881
CVE-2017-1000252 (stretch only)
    Cumulus Linux does not enable KVM functionality, and therefore is not vulnerable.
CVE-2017-1000370
CVE-2017-1000371
CVE-2017-1000380
Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.
For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u5. |
RN-769 (CM-18624) |
Security: FRR and Quagga issue fixed in Cumulus Linux 3.5.0: DSA-4011-1 CVE-2017-16227 |
The following CVEs that were announced in Debian Security Advisory DSA-4011-1 apply to the FRRouting package and upstream Quagga package. They have been fixed in Cumulus Linux 3.5.0 (package version 3.1+cl3u1 and 3.1+cl3u3): -------------------------------------------------------------------------- Package : quagga It was discovered that the bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity. For the oldstable distribution (jessie), this problem has been fixed in version 0.99.23.1-1+deb8u4. For the stable distribution (stretch), this problem has been fixed in version 1.1.1-3+deb9u1. |
RN-770 (CM-18462) |
Security: mysql issues fixed in Cumulus Linux 3.5.0: DSA-4002-1 CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384 |
The following security issues announced in DSA-4002-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 5.5.58-0+deb8u1 of the mysql package): ------------------------------------------------------------------------- https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html For the oldstable distribution (jessie), these problems have been fixed in version 5.5.58-0+deb8u1. |
RN-771 (CM-18606) |
Security: curl issue fixed in Cumulus Linux 3.5.0: DSA-4007-1 CVE-2017-1000257 |
The following security issues announced in DSA-4007-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 7.38.0-4+deb8u8 of the curl package). -------------------------------------------------------------------------- Package : curl Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, an URL transfer library, incorrectly parsed an IMAP FETCH response with size 0, leading to an out-of-bounds read. For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u7. |
RN-772 (CM-19011) |
Security: libcurl issue fixed in Cumulus Linux 3.5.0: DSA-4051 CVE-2017-8816 CVE-2017-8817 |
The following security issues announced in DSA-4051-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 7.38.0-4+deb8u8 of the curl and libcurl3 packages). -------------------------------------------------------------------------- Package : curl Two vulnerabilities were discovered in cURL, an URL transfer library. CVE-2017-8816 CVE-2017-8817 For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u8. |
RN-773 (CM-18609) |
Security: wget issue fixed in Cumulus Linux 3.5.0: DSA-4008-1 CVE-2017-13089 CVE-2017-13090 |
The following security issues announced in DSA-4008-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 1.16-1+deb8u4 of the wget package). -------------------------------------------------------------------------- Package : wget Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code. For the oldstable distribution (jessie), these problems have been fixed in version 1.16-1+deb8u4. |
RN-774 (CM-18676) |
Security: openssl issue fixed in Cumulus Linux 3.5.0: DSA-4017-1 CVE-2017-3735 CVE-2017-3736 |
The following security issues announced in DSA-4017-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 1.0.1t-1+deb8u7 of the openssl package).
--------------------------------------------------------------------------
Package : openssl1.0
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2017-3735
    Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20170828.txt
CVE-2017-3736
    Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20171102.txt |
RN-775 (CM-18752) |
Security: postgresql-common issue fixed in Cumulus Linux 3.5.0: DSA-4029-1 CVE-2017-8806 |
The following security issues announced in DSA-4029-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 165+deb8u3 of the postgresql-common package). -------------------------------------------------------------------------- Package : postgresql-common It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files. For the oldstable distribution (jessie), this problem has been fixed in version 165+deb8u3. |
RN-776 (CM-18763) |
Security: postgresql issue fixed in Cumulus Linux 3.5.0: DSA-4027-1 CVE-2017-15098 |
The following security issues announced in DSA-4027-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 9.4.15-0+deb8u1 of the postgresql-9.4 package). -------------------------------------------------------------------------- Package : postgresql-9.4 A vulnerability has been found in the PostgreSQL database system: Denial of service and potential memory disclosure in the json_populate_recordset() and jsonb_populate_recordset() functions. For the oldstable distribution (jessie), this problem has been fixed in version 9.4.15-0+deb8u1. |
RN-777 (CM-18907) |
Security: libxml-libxml-perl issue fixed in Cumulus Linux 3.5.0: DSA-4042 CVE-2017-10672 |
The following security issues announced in DSA-4042-1 apply to Debian packages distributed as part of Cumulus Linux. They have been fixed in the Cumulus Linux 3.5.0 release (version 2.0116+dfsg-1+deb8u2 of the libxml-libxml-perl package). -------------------------------------------------------------------------- Package : libxml-libxml-perl A use-after-free vulnerability was discovered in XML::LibXML, a Perl interface to the libxml2 library, allowing an attacker to execute arbitrary code by controlling the arguments to a replaceChild() call. For the oldstable distribution (jessie), this problem has been fixed in version 2.0116+dfsg-1+deb8u2. |
RN-779 (CM-19181) |
Active cables (10G fiber, 1G fiber, sometimes 1G RJ45) not working on Dell S4148F-ON and S4128F-ON |
On Dell S4148F-ON and S4128F-ON switches, the following cables do not work on SFP ports:
This issue is fixed in Cumulus Linux 3.5.0. There is an additional issue that prevents 1G interfaces from working on Dell 4148F and 4128F switches. For further details and the workaround for 1G SFP ports on Dell 4148F and 4128F switches, see RN-778. |
RN-840 (CM-18641) |
The Mellanox kernel driver does not handle bond sample packets correctly |
A Mellanox switch cannot create and export flow samples when the sampled traffic flow is both ingress and egress on a bond interface. This affects topologies where bonded hosts are transiting the switch to a bonded uplink. This issue is fixed in Cumulus Linux 3.5.0. |
New Known Issues in Cumulus Linux 3.5.0
The following issues are new to Cumulus Linux and affect Cumulus Linux 3.5.0.
Previously Known Issues in Cumulus Linux 3.5.0
The following issues also affect the current release.