Cumulus Linux 3.6 Release Notes


Overview

These release notes support Cumulus Linux 3.6.0 and 3.6.1, and describe currently available features and known issues. 

Stay up to Date 

  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.


What's New in Cumulus Linux 3.6

Cumulus Linux 3.6 contains the following new features, platforms and improvements:

Licensing

Cumulus Linux is licensed on a per-instance basis. Each network system is fully operational, so any capability can be used on the switch, with the exception of forwarding on the switch panel ports. Only eth0 and the console port are active on an unlicensed instance of Cumulus Linux. Enabling the front panel ports requires a license.

You should have received a license key from Cumulus Networks or an authorized reseller. To install the license, read the Cumulus Linux Quick Start Guide.

Installing Version 3.6

If you are upgrading from version 3.0.0 or later, use apt-get to update the software.

Cumulus Networks recommends you use the -E option with sudo whenever you run any apt-get command. This option preserves your environment variables, such as HTTP proxies, before you install new packages or upgrade your distribution.

  1. Retrieve the new version packages:
    cumulus@switch:~$ sudo -E apt-get update
  2. If you are using any early access features from an older release, remove them with:
    cumulus@switch:~$ sudo -E apt-get remove EA_PACKAGENAME
  3. Upgrade the release:
    cumulus@switch:~$ sudo -E apt-get upgrade
  4. To include additional Cumulus Linux packages not present in your current version, run the command (package installation requires root, so it needs sudo like the other steps):
    cumulus@switch:~$ sudo -E apt-get install nclu hostapd python-cumulus-restapi linuxptp
    If you already have the latest version of a package installed, you see messages similar to: nclu is already the newest version. You might also see additional packages being installed due to dependencies.
  5. Reboot the switch:
    cumulus@switch:~$ sudo reboot

Note: If you see errors for expired GPG keys that prevent you from upgrading packages when upgrading to Cumulus Linux 3.6 from 3.5.1 or earlier, follow the steps in Upgrading Expired GPG Keys.

Note: In Cumulus Linux 3.6.0, the upgrade process has changed. During an upgrade to 3.6.0 from 3.5 or earlier, certain services might be stopped. These services are not restarted until after the switch reboots, which results in some functionality being lost during the upgrade process.

During the upgrade, you will see messages similar to the following:

/usr/sbin/policy-rc.d returned 101, not running 'stop switchd.service'
/usr/sbin/policy-rc.d returned 101, not running 'start switchd.service'

At the end of the upgrade, if a reboot is required, you see the following message:

*** Caution: Service restart prior to reboot could cause unpredictable behavior
*** System reboot required ***

Do not restart services manually until after rebooting, or services will fail.

For upgrades from 3.6.0 onward, if no reboot is required when the upgrade completes, the upgrade stops and restarts all upgraded services and logs messages similar to the following in the /var/log/syslog file. (In the example below, only the frr package was upgraded.)

Policy: Service frr.service action stop postponed
Policy: Service frr.service action start postponed
Policy: Restarting services: frr.service
Policy: Finished restarting services
Policy: Removed /usr/sbin/policy-rc.d
Policy: Upgrade is finished

For additional information about upgrading, see Upgrading Cumulus Linux in the Cumulus Linux User Guide.

New Install or Upgrading from Versions Older than 3.0.0

If you are upgrading from a version older than 3.0.0, or installing Cumulus Linux for the first time, download the Cumulus Linux 3.6.0 installer for Broadcom or Mellanox switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the quick start guide.

Note: This method is destructive: configuration files on the switch are not saved, so copy them to a different server before upgrading via ONIE.

Important! After you install, run apt-get update, then apt-get upgrade on your switch to make sure you update Cumulus Linux to include any important or other package updates.

Updating a Deployment that Has MLAG Configured

If you are using MLAG to dual connect two switches in your environment, and those switches are still running Cumulus Linux 2.5 ESR or any other release earlier than 3.0.0, the switches will not be dual-connected after you upgrade the first switch. To ensure a smooth upgrade, follow these steps:

  1. Disable clagd in the /etc/network/interfaces file (set clagd-enable to no), then restart the switchd, networking, and FRR services.
    cumulus@switch:~$ sudo systemctl restart switchd.service
    cumulus@switch:~$ sudo systemctl restart networking.service
    cumulus@switch:~$ sudo systemctl restart frr.service
  2. If you are using BGP, notify the BGP neighbors that the switch is going down:
    cumulus@switch:~$ sudo vtysh -c "config t" -c "router bgp" -c "neighbor X.X.X.X shutdown"
  3. Stop the Quagga (if upgrading from a version earlier than 3.2.0) or FRR service (if upgrading from version 3.2.0 or later):
    cumulus@switch:~$ sudo systemctl stop [quagga|frr].service
  4. Bring down all the front panel ports:
    cumulus@switch:~$ sudo ip link set swp<#> down
  5. Run cl-img-select -fr to boot the switch in the secondary role into ONIE, then reboot the switch.
  6. Install Cumulus Linux 3.6 onto the secondary switch using ONIE. At this time, all traffic is going to the switch in the primary role.
  7. After the install, copy the license file and all the configuration files you backed up, then restart the switchd, networking, and Quagga services. All traffic is still going to the primary switch.
    cumulus@switch:~$ sudo systemctl restart switchd.service
    cumulus@switch:~$ sudo systemctl restart networking.service
    cumulus@switch:~$ sudo systemctl restart quagga.service
  8. Run cl-img-select -fr to boot the switch in the primary role into ONIE, then reboot the switch. Now, all traffic is going to the switch in the secondary role that you just upgraded to version 3.6.
  9. Install Cumulus Linux 3.6 onto the primary switch using ONIE.
  10. After the install, copy the license file and all the configuration files you backed up.
  11. Follow the steps for upgrading from Quagga to FRRouting.
  12. Enable clagd again in the /etc/network/interfaces file (set clagd-enable to yes), then run ifreload -a.
    cumulus@switch:~$ sudo ifreload -a
  13. Bring up all the front panel ports:
    cumulus@switch:~$ sudo ip link set swp<#> up
  14. Now the two switches are dual-connected again and traffic flows to both switches.
  14. Now the two switches are dual-connected again and traffic flows to both switches.

Perl, Python and BDB Modules

Any Perl scripts that use the DB_File module or Python scripts that use the bsddb module won't run under Cumulus Linux 3.6.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus Linux 3.6.1

The following is a list of issues fixed in Cumulus Linux 3.6.1 from earlier versions of Cumulus Linux. 

Release Note ID Summary Description

RN-766 (CM-19006)
On the Broadcom Trident II+ and Maverick platform, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On the Broadcom Trident II+ and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

This issue should be fixed in the Trident III ASIC.

To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN sub-interface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

RN-860 (CM-20695)
Tab completion with 'net add vxlan' command produces traceback in the log

When using tab completion with the net add vxlan command, the following traceback appears in the log:

ERROR: 'name'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/nclu/__init__.py", line 789, in get_lldp
    lldp[value['name']] = value['chassis'][0]['name'][0]['value']
KeyError: 'name'

This issue is fixed in Cumulus Linux 3.6.1.


RN-876 (CM-20776)
EVPN symmetric IRB with numbered neighbors omits the NEXTHOP attribute when advertising to an external router

With EVPN symmetric routing (including type-5 routes), you can only advertise host routes or prefix routes learned through EVPN to a VRF peer if the EVPN peering uses BGP unnumbered. If the BGP peering is numbered, the NEXTHOP of the MP_REACH attribute is not included, which causes the neighbor to reply with a BGP notification.

This issue is fixed in Cumulus Linux 3.6.1.


RN-887 (CM-20474)
VXLAN Encapsulation drops ARP QinQ tunneled packets

When an ARP request or response (or IPv6 NS/NA) packet with double VLAN tags (such as 802.1Q over 802.1Q) is sent to a VXLAN overlay, the outer VLAN tag is stripped during VXLAN encapsulation. If the receiving VTEP is a Broadcom Trident II+ platform, the decapsulated packet is incorrectly directed to the control plane. As the packet traverses the Linux kernel VXLAN interface into the VLAN-aware bridge device, the exposed inner VLAN tag is incorrectly used for VLAN filtering against the outer VLAN set, causing the packet to be discarded.

This issue is fixed in Cumulus Linux 3.6.1.


RN-897 (CM-20086)
FRR doesn't support hostnames starting with a digit

NCLU reports an error attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch to begin with a letter rather than a digit.

This issue is fixed in Cumulus Linux 3.6.1.


RN-904 (CM-20800)
NCLU net add and net del commands missing for EVPN type-5 default originate

The NCLU net add and net del commands are missing for the default originate EVPN type-five route feature.

This issue is fixed in Cumulus Linux 3.6.1.


RN-907 (CM-20829)
netd fails on start after apt upgrade to 3.6.0 with "ImportError: No module named time"

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you choose to keep the currently installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and you see errors in the logs when you try to restart netd.

This issue is fixed in Cumulus Linux 3.6.1.


RN-933 (CM-20781)
NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError

Issuing the net add bgp neighbor command with swp1, swp2 or swp1-2 causes the following error:

TB NameError: global name 'ifname_expand_glob' is not defined.

This issue is fixed in Cumulus Linux 3.6.1.


RN-935 (CM-20772)
ACL rule unable to match interface eth0 when belonging to VRF

ACL rules do not block incoming packets when interface eth0 belongs to a VRF.

This issue is fixed in Cumulus Linux 3.6.1.


RN-936 (CM-20418)
ACL to only allow ARP prevents ARP on SVIs

ACL rules that only allow ARP packets prevent ARP packets from reaching SVIs.

This issue is fixed in Cumulus Linux 3.6.1.


RN-937 (CM-19301)
Increase maximum sflow sampling ratio

The maximum sflow sampling ratio is too low and might overload the switch CPU.

This is fixed in Cumulus Linux 3.6.1. The ratio is increased to 1:100000 in hsflowd.


RN-944 (CM-20841)
netd fails to start for apt-upgrade from 3.3.2 to 3.6.0

When upgrading from Cumulus Linux 3.3.2 to 3.6.0 using the netd.conf file from version 3.3.2, netd fails to start and displays the error ImportError: No module named frr-reload.

This issue is fixed in Cumulus Linux 3.6.1.


RN-945 (CM-20311)
Security: DSA-4157-1 for openssl issues CVE-2017-3738 CVE-2018-0739

The following CVEs were announced in Debian Security Advisory DSA-4157-1, and affect the openssl package.

This issue is fixed in Cumulus Linux 3.6.1.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4157-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : openssl

CVE ID : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3738

David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli.

CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service.

Details can be found in the upstream advisory:

https://www.openssl.org/news/secadv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openssl


RN-946 (CM-20603)
Security: DSA-4172-1 for perl issues CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

The following CVEs were announced in Debian Security Advisory DSA-4172-1 and affect the perl package.

This issue is fixed in Cumulus Linux 3.6.1.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4172-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 14, 2018                        https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : perl

CVE ID : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-6797

Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written.

CVE-2018-6798

Nguyen Duc Manh reported that matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure.

CVE-2018-6913

GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count.

For the oldstable distribution (jessie), these problems have been fixed in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u3.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/perl


RN-949 (CM-21038)
VRF stops working when /etc/resolv.conf does not exist

When upgrading to Cumulus Linux 3.6.0, if the /etc/resolv.conf file does not exist and eth0 is configured with a static IP address, the switch fails to start VRFs after reboot.

This issue is fixed in Cumulus Linux 3.6.1.


RN-958 (CM-21095)
NCLU 'net add bgp neighbor' command does not create or enable the interface if it is not previously defined

When you run the net add bgp neighbor <interface> command, the interface is only added if previously defined.

This issue is fixed in Cumulus Linux 3.6.1.


RN-962 (CM-21026)
DHCP request packets in VXLAN decapsulation do not go to CPU

On Broadcom platforms configured with a VXLAN centralized routing gateway, DHCP discover packets are not correctly processed for DHCP relay.

This issue is fixed in Cumulus Linux 3.6.1.

New Known Issues in Cumulus Linux 3.6.1

The following issues are new to Cumulus Linux and affect the current release.

Release Note ID Summary Description

RN-875 (CM-20779)
On Mellanox switches, withdrawal of one ECMP next hop results in the neighbor entry for that next hop being missing from hardware

On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware.

To work around this issue, manually delete the ARP entry from the kernel with the arp -d command so that it is repopulated in the hardware.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-938 (CM-20979)
Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command.

To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge.

This issue is being investigated at this time.


RN-939 (CM-20944)
On Maverick switches, random links might not come up on boot when enabling RS FEC with 100G AOC cables

On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot.

To work around this issue, disable FEC on 100G AOC links.

This issue is being investigated at this time.


RN-940 (CM-20813)
On Mellanox switches, packets are not mirrored on matching '-out-interface bond0' SPAN rules

SPAN rules that match the out-interface as a bond do not mirror packets.

This is a regression of an earlier issue and is being investigated at this time.


RN-941 (CM-20806)
When configuring layer 2 VPN EVPN in vtysh, if the route-target matches the VNI and AS number, the configuration does not display the route target

When configuring layer 2 VPN EVPN in vtysh, if a route-target matches both the AS number and the VNI number, the route target does not display in the configuration. This is currently the default behavior.

This issue is being investigated at this time.


RN-942 (CM-20693)
In NCLU, you can only set the community number in a route map

In NCLU, you can only set the community number in a route map. You cannot set other community options such as no-export, no-advertise, or additive.

This issue is being investigated at this time.


RN-943 (CM-20639)
The neighbor table and EVPN routes are not updated on receiving GARP from a mobile IP address

The neighbor table and EVPN routes do not update properly on receiving GARP packets from a mobile IP address.

This issue is being investigated at this time.


RN-947 (CM-20992)
RS FEC configuration cleared and not re-installed on switchd restart, leaving links down

During switchd restart, the RS FEC configuration is not re-installed to the interfaces to which it was previously applied.

This issue is being investigated at this time.


RN-948 (CM-17494)
The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.

To work around this issue, change the value of arp_ignore to 2. See Default ARP Settings in Cumulus Linux for more information.


RN-951 (CM-21048)
NCLU command fails to delete the VRF static route

The NCLU command net del routing route does not delete a static route within a VRF.

To work around this issue, delete the VRF static route using vtysh, either directly in configuration mode or with vtysh -c.

This issue is being investigated at this time.


RN-952 (CM-21090)
NCLU 'net show bridge macs' command improperly displays the 'never' keyword

When you use the net show bridge macs command and a MAC address has just been updated, the never keyword improperly displays in the command output.

This issue is being investigated at this time.


RN-953 (CM-21082)
Virtual device counters not working as expected

Virtual device counters are not working as expected. The TX counter increments but the RX counter does not.

This issue is being investigated at this time.


RN-954 (CM-21062)
A redundant NCLU command to configure the DHCP relay exits with return code 1

When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address.

This issue is being investigated at this time.


RN-955 (CM-21060)
NCLU 'net show configuration' output is out of order

When you run the net show configuration command after upgrading to Cumulus Linux 3.6, the interfaces are displayed out of order in the command output.

This issue is being investigated at this time.


RN-956 (CM-21055)
On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros

On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros; therefore, the packets are dropped by the first transit switch.

This issue is being investigated at this time.


RN-959 (CM-21167)
BGP aggregate created but left inactive in the routing table

If you use BGP to generate an aggregate, the aggregate shows up in the BGP table but is listed in zebra as inactive.

This issue is being investigated at this time.


RN-960 (CM-21154)
Deleting an interface with the NCLU command does not remove the interface in frr.conf

When you use NCLU to delete an interface, the associated configuration is not removed from the frr.conf file.

This issue is being investigated at this time.


RN-963 (CM-21362)
Bringing down a bridge member interface sets the interface MTU to 1500 and the bridge MTU to 1500

When you bring down an interface for a bridge member, the MTU for the interface and the MTU for the bridge are both set to 1500.

To work around this issue, run ifdown on the interface, then run the sudo ip link set dev <interface> mtu <mtu> command.

For example:

sudo ifdown swp3
sudo ip link set dev swp3 mtu 9192

As an alternative, in the /etc/network/interfaces file, add a post-down command to reset the MTU of the interface. For example:

auto swp3
iface swp3
    alias BNBYLAB-PD01HV-01_Port3
    bridge-vids 106 109 119 141 150-151
    mtu 9192
    post-down /sbin/ip link set dev swp3 mtu 9192

RN-964 (CM-21319)
When upgrading to Cumulus Linux 3.6, static routes in the default VRF are associated with other VRFs

When you upgrade to Cumulus Linux 3.6.x, static routes configured in the frr.conf file become associated with the VRF configured above them.

This issue is currently being investigated.


RN-965 (CM-21313, CM-15657)
Errors occur if comma-separated globs exist in the /etc/network/interfaces file

If you edit the /etc/network/interfaces file manually and add bridge VIDs to an interface using the NCLU syntax (comma-separated globs), you see an error similar to the following:

ERROR: numbers_to_glob() could not extract any IDs from ['1,4,1000,1002,1006']

To work around this issue, separate globs with spaces when manually editing the /etc/network/interfaces file.

This issue is currently being investigated.
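Because the error above is only raised when the file is reloaded, it helps to find comma-separated globs before running ifreload. The following added example (not Cumulus Networks' ifupdown2 or NCLU code) expands the glob syntax shown on this page (single IDs and low-high ranges), rewrites any bridge-vids line that uses commas into the space-separated form, and rejects malformed ranges; the interfaces stanza is constructed, and the assumption that only bridge-vids carries multi-VID globs is the example's own.

```python
"""Find and rewrite comma-separated VLAN globs in /etc/network/interfaces
(RN-965 workaround). Added example, not ifupdown2/NCLU code."""

import re

# Constructed sample: swp3 was hand-edited with NCLU-style commas, swp4 is already correct.
SAMPLE_INTERFACES = """\
auto swp3
iface swp3
    bridge-vids 1,4,1000,1002,1006
    mtu 9192

auto swp4
iface swp4
    bridge-vids 106 109 119 141 150-151
    mtu 9192
"""

# Keys whose values are multi-VID globs (assumption: only bridge-vids is handled here).
GLOB_KEYS = ("bridge-vids",)
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_vids(value):
    """Expand a glob value such as '1,4,1000' or '106 109 150-151' into a sorted VID list.
    Commas are tolerated on input so that they can be normalized away.
    Raises ValueError on a token that is not a single ID or an in-order range."""
    vids = set()
    for token in value.replace(",", " ").split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError("bad VLAN glob token: %r" % token)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 4094:
            raise ValueError("VLAN range out of order or out of range: %r" % token)
        vids.update(range(low, high + 1))
    return sorted(vids)


def compress_vids(vids):
    """Inverse of expand_vids: render VIDs as space-separated IDs and low-high ranges."""
    runs = []
    for vid in sorted(set(vids)):
        if runs and vid == runs[-1][1] + 1:
            runs[-1][1] = vid          # extend the current consecutive run
        else:
            runs.append([vid, vid])
    return " ".join(str(lo) if lo == hi else "%d-%d" % (lo, hi) for lo, hi in runs)


def normalize_interfaces(text):
    """Rewrite comma-separated glob values into the space-separated form ifupdown2 expects.
    Returns (new_text, [(old_line, new_line), ...]) so the change can be reviewed."""
    fixed = []
    lines = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in GLOB_KEYS and "," in parts[1]:
            indent = line[: len(line) - len(line.lstrip())]
            new_line = "%s%s %s" % (indent, parts[0], compress_vids(expand_vids(parts[1])))
            fixed.append((line.strip(), new_line.strip()))
            line = new_line
        lines.append(line)
    return "\n".join(lines) + "\n", fixed


if __name__ == "__main__":
    new_text, changes = normalize_interfaces(SAMPLE_INTERFACES)
    for old, new in changes:
        print("%s  ->  %s" % (old, new))
```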


RN-966 (CM-21297)
TACACS authenticated users in 'netshow' or 'netedit' groups cannot issue 'net' commands after upgrade to Cumulus Linux 3.6

When upgrading from a previous release to Cumulus Linux 3.6, TACACS-authenticated users mapped to the tacacs0 through tacacs15 users with the netshow or netedit user groups cannot run net commands and they see the following error:

ERROR: You do not have permission to execute that command

This behavior occurs only when upgrading with simple authentication, and only when a restricted shell for command authorization is not enabled.

This problem is not present on a binary install of 3.6.0 or 3.6.1 and only happens when upgrading from previous releases.

To work around this issue, edit the /etc/netd.conf file, add the tacacs user group to the groups_with_show list, and add the tacacs15 user to the users_with_edit list, as shown below:

# Control which users/groups are allowed to run "add", "del",
# "clear", "abort", and "commit" commands.
users_with_edit = root, cumulus, vagrant, tacacs15
groups_with_edit = netedit

# Control which users/groups are allowed to run "show" commands.
users_with_show = root, cumulus, vagrant
groups_with_show = netshow, netedit, tacacs

After making this change, restart netd with the sudo systemctl restart netd command.
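The workaround widens two allow-lists, so it is worth confirming exactly which principals end up with show and edit rights afterwards. The following added example (not netd's own code) parses the four users_with_*/groups_with_* lists from a netd.conf fragment and evaluates a user's privilege; it assumes, from the key names shown above, that netd grants edit when the user or any of the user's groups appears in the edit lists, and show likewise, and the default root/cumulus/vagrant entries it treats as baseline are the ones shown on this page.

```python
"""Evaluate NCLU privilege (edit, show or none) from /etc/netd.conf allow-lists
to review the RN-966 workaround. Added example; not netd's own implementation."""

# Constructed netd.conf fragment with the RN-966 workaround applied.
SAMPLE_NETD_CONF = """\
# Control which users/groups are allowed to run "add", "del",
# "clear", "abort", and "commit" commands.
users_with_edit = root, cumulus, vagrant, tacacs15
groups_with_edit = netedit

# Control which users/groups are allowed to run "show" commands.
users_with_show = root, cumulus, vagrant
groups_with_show = netshow, netedit, tacacs
"""

ACL_KEYS = ("users_with_edit", "groups_with_edit", "users_with_show", "groups_with_show")

# Default entries shown on this page; anything beyond these is an explicit grant to review.
BASELINE_USERS = {"root", "cumulus", "vagrant"}


def parse_netd_acl(text):
    """Return {key: set(names)} for the four allow-list keys; a missing key is empty."""
    acl = {key: set() for key in ACL_KEYS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ACL_KEYS:
            acl[key] = {name.strip() for name in value.split(",") if name.strip()}
    return acl


def nclu_privilege(acl, user, groups):
    """Highest privilege for `user` holding `groups`: 'edit', 'show' or None.
    Assumption: membership in either the user list or any listed group suffices."""
    groups = set(groups)
    if user in acl["users_with_edit"] or groups & acl["groups_with_edit"]:
        return "edit"
    if user in acl["users_with_show"] or groups & acl["groups_with_show"]:
        return "show"
    return None


def extra_edit_users(acl):
    """Users granted edit rights by name beyond the baseline entries, i.e. the
    tacacsNN mappings the workaround adds, so each grant can be justified."""
    return sorted(acl["users_with_edit"] - BASELINE_USERS)


if __name__ == "__main__":
    acl = parse_netd_acl(SAMPLE_NETD_CONF)
    for user, groups in (("tacacs15", ["tacacs"]), ("tacacs3", ["tacacs"]), ("bob", [])):
        print("%-9s %s" % (user, nclu_privilege(acl, user, groups)))
    print("explicit edit grants:", extra_edit_users(acl))
```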


RN-969 (CM-21278)
NCLU 'net show lldp' output has PortDescr as Remote Port

When you run the net show lldp command, the command output incorrectly displays the remote port as the port description.

To work around this issue, run the net show interface command when connected to Cisco equipment.

This issue is currently being investigated.


RN-970 (CM-21203)
VXLAN with tcam_resource_profile set to acl-heavy causes the switch to crash

Changing tcam_resource_profile to acl-heavy on a switch with VXLAN enabled and attempting to apply the configuration with a switchd restart causes switchd to fail to restart, netd to crash, the switch to become temporarily unresponsive, and a cl-support to be generated.

To work around this issue, remove the acl-heavy profile or the VXLAN configuration.

This issue is currently being investigated.


RN-971 (CM-20501)
cl-ecmpcalc is not supported on Maverick (Broadcom 5676x) ASICs

The cl-ecmpcalc tool is not supported on platforms based on ASICs in the Broadcom 5676x (Maverick) family.

This issue should be fixed in an upcoming release of Cumulus Linux.

Issues Fixed in Cumulus Linux 3.6.0

The following is a list of issues fixed in Cumulus Linux 3.6.0 from earlier versions of Cumulus Linux. 

Release Note ID Summary Description

RN-545 (CM-13800)
OSPFv3 redistribute connected with route-map broken at reboot (or ospf6d start)

This issue only affects OSPFv3 (IPv6).

This issue is fixed in Cumulus Linux 3.6.0.


RN-608 (CM-16145)
Buffer monitoring default port group discards_pg only accepts packet collection type

The default port group discards_pg does not accept packet_extended or packet_all collection types.

This issue is fixed in Cumulus Linux 3.6.0.


RN-704 (CM-18886, CM-20027)
ifreload causes MTU to drop on bridge SVIs 

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU resets to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a for the second time.

This issue is fixed in Cumulus Linux 3.6.0.


RN-743 (CM-18612)
Routes learned through BGP unnumbered become unusable

In certain scenarios, the routes learned through BGP unnumbered become unusable. The BGP neighbor relationships remain but the routes cannot be forwarded due to a failure in layer 2 and layer 3 next hop/MAC address resolution.

To work around this issue, restart FRR.

This issue is fixed in Cumulus Linux 3.6.0.


RN-766 (CM-19006)
On the Broadcom Trident II+ and Maverick platform, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On the Broadcom Trident II+ and Maverick based switch, in an external VXLAN routing environment, when a lookup is done on the external-facing switch (exit/border leaf) after VXLAN decapsulation, the switch does not rewrite the MAC addresses and TTL; for through traffic, packets are dropped by the next hop instead of correctly routing from a VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

This issue should be fixed in the Trident III ASIC.

To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN sub-interface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1
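Because the workaround spreads one change over five stanzas, it is easy to leave the temporary VNI, the SVI or the bridge membership inconsistent. The following added example (not Cumulus Networks code) parses an ifupdown2 interfaces fragment and checks that the external port, bridge, SVI, temporary VNI and L3 VNI are wired the way the workaround requires, using the port, VLAN, VNI and VRF values from the note. The sample configuration is constructed from the modified configuration above with the `<... usual vxlan config ...>` placeholders left out; VLAN ranges in `bridge-vids` are not expanded.

```python
"""Check that an ifupdown2 /etc/network/interfaces fragment wires the Trident II+
exit-leaf workaround together consistently.  Added example, not Cumulus code."""
# Constructed sample: the modified configuration from the release note, with the
# '<... usual vxlan config ...>' placeholders left out (they do not affect the check).
SAMPLE_INTERFACES = """\
auto swp3
iface swp3
    bridge-access 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    bridge-access 4001

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1
"""


def parse_interfaces(text):
    """Return {iface_name: {attribute: value}} for every 'iface' stanza; comments are
    dropped, repeated attributes are joined, and VLAN ranges (1-100) are not expanded."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "source"):
            current = None
        elif current is not None:
            key, value = words[0], " ".join(words[1:])
            current[key] = current[key] + " " + value if key in current else value
    return stanzas


def check_workaround(stanzas, ext_port, vlan, l3_vni, tmp_vni, vrf):
    """Return a list of problems; empty means the port, temporary VNI, SVI, L3 VNI
    and VRF are wired the way the workaround requires."""
    vlan, l3_vni, tmp_vni = str(vlan), str(l3_vni), str(tmp_vni)
    tmp_if, l3_if, svi, l3_svi = "vx-" + tmp_vni, "vx-" + l3_vni, "vlan" + vlan, "vlan" + l3_vni
    problems = []

    def expect(iface, attr, wanted):
        got = stanzas.get(iface, {}).get(attr)
        if got != wanted:
            problems.append("%s: expected '%s %s', found %r" % (iface, attr, wanted, got))

    # The external port is now an access port in the VLAN instead of a sub-interface.
    expect(ext_port, "bridge-access", vlan)
    # The bridge must carry the port, both VNIs and both VLAN IDs.
    bridge = stanzas.get("bridge", {})
    for member in (ext_port, l3_if, tmp_if):
        if member not in bridge.get("bridge-ports", "").split():
            problems.append("bridge: %s missing from bridge-ports" % member)
    for vid in (vlan, l3_vni):
        if vid not in bridge.get("bridge-vids", "").split():
            problems.append("bridge: VLAN %s missing from bridge-vids" % vid)
    # The SVI takes over the VRF membership and address the sub-interface had.
    expect(svi, "vlan-id", vlan)
    expect(svi, "vrf", vrf)
    if "address" not in stanzas.get(svi, {}):
        problems.append("%s: no address configured" % svi)
    # The temporary VNI maps the VLAN; the L3 VNI and its SVI stay as before.
    expect(tmp_if, "vxlan-id", tmp_vni)
    expect(tmp_if, "bridge-access", vlan)
    expect(l3_if, "bridge-access", l3_vni)
    expect(l3_svi, "vrf", vrf)
    return problems


def problems_in(text, ext_port="swp3", vlan=2001, l3_vni=4001, tmp_vni=16000000, vrf="vrf1"):
    """Parse an interfaces fragment and check it with the values used in the note."""
    return check_workaround(parse_interfaces(text), ext_port, vlan, l3_vni, tmp_vni, vrf)
```

Run `problems_in(open("/etc/network/interfaces").read(), ...)` with your own port, VLAN, VNI and VRF values; an empty list means every stanza the workaround depends on is present and consistent, and each string in a non-empty list names the stanza and attribute that is wrong.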

RN-785 (CM-19422)
NCLU 'net show interface detail' command does not display detailed output

The net show interface swp# command returns the same output as net show interface swp# detail.

To view the additional information typically presented, use alternative commands. For example, to view the module information and statistics, use ethtool swp# and ethtool -S swp#.

This issue is fixed in Cumulus Linux 3.6.0.


RN-787 (CM-19418)
NCLU 'net add hostname' creates an inconsistency between /etc/hostname and /etc/hosts files

Running the net add hostname <hostname> command updates both the /etc/hostname file and the /etc/hosts file. However, NCLU modifies the hostname value written to /etc/hostname, removing certain characters and converting it to lowercase, whereas the hostname written to /etc/hosts is passed through as is, creating an inconsistency between the two files.

To work around this issue, manually set the hostname in both the /etc/hostname file and the /etc/hosts file using a text editor such as vi or nano.

This issue is fixed in Cumulus Linux 3.6.0.


RN-793 (CM-19321)
FRR does not detect the bandwidth for 100G interfaces correctly

FRR correctly detects the bandwidth for both 10G interfaces and 40G interfaces. However, it does not do so for 100G interfaces. Setting link speed manually does not fix this issue.

To work around this issue, restart the FRR service:

[email protected]:~$ sudo systemctl restart frr.service

This issue is fixed in Cumulus Linux 3.6.0.


RN-801 (CM-19195)
In VXLAN routing, border leafs in MLAG use anycast IP address after FRR restart

For type-5 routes, when an MLAG pair is used as border leaf nodes, the MLAG primary and secondary nodes use their respective loopback IP addresses as the originator IP address to start, but switch to using the MLAG anycast IP address after an FRR restart.

This issue is fixed in Cumulus Linux 3.6.0.


RN-803 (CM-19456)
EVPN and IPv4 routes change origin after redistribution

EVPN routes are re-injected into EVPN as type-5 routes when a type-5 advertisement is enabled. This issue occurs when advertising different subnets from different VTEPs into a type-5 EVPN symmetric mode environment.

This issue is fixed in Cumulus Linux 3.6.0.


RN-806 (CM-19241)
FRR removes all static routes when the service is stopped, including those created by ifupdown2

Whenever FRR is restarted, it deletes all routes in the kernel with a protocol type of BGP, ISIS, OSPF, and static. When you upgrade FRR and the service is stopped, the static routes defined in the /etc/network/interfaces file and installed using ifupdown2 are also removed.

To work around this issue, configure static routes in the /etc/network/interfaces file as follows:

post-up ip route add <prefix> via <nexthop> proto kernel

For example:

auto swp2
iface swp2
  post-up ip route add 0.0.0.0/0 via 192.0.2.249 proto kernel

This issue is fixed in Cumulus Linux 3.6.0.
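To see which routes on a switch are exposed to this behaviour before an FRR upgrade, the following added example (not Cumulus Networks or FRR code) classifies the routes in `ip route show` output: routes carrying the protocols the note lists are swept on restart, while `proto kernel` routes survive. A route added with `ip route add` and no `proto` keyword gets iproute2's default protocol, `boot`, which `ip route show` omits from its output; treating those routes as at risk is an assumption that follows from the note's workaround of marking them `proto kernel`. The script also renders the `post-up ... proto kernel` lines for the static routes. The sample output is constructed.

```python
"""Classify the routes in 'ip route show' output by what happens to them across an
FRR restart and render the 'post-up ... proto kernel' lines that keep the static
ones.  Added example, not Cumulus Networks or FRR code."""
import re

# Per the release note, FRR sweeps kernel routes of these protocols on restart.
# A route added with 'ip route add' and no 'proto' gets iproute2's default, 'boot',
# which 'ip route show' leaves out; that is the ifupdown2 post-up case in the note
# (treating 'boot' as swept is an assumption drawn from the note's workaround).
STATIC_PROTOS = {"static", "boot"}
DYNAMIC_PROTOS = {"bgp", "ospf", "isis"}

# Constructed sample of 'ip route show' output.
SAMPLE_ROUTES = """\
default via 192.0.2.249 dev swp2 proto kernel
10.1.1.0/24 via 192.0.2.1 dev swp1 proto bgp metric 20
10.2.2.0/24 via 192.0.2.5 dev swp3
10.3.3.0/24 dev swp4 proto kernel scope link src 10.3.3.1
192.0.2.0/30 dev swp1 proto kernel scope link src 192.0.2.2
203.0.113.0/24 via 192.0.2.9 dev swp5 proto static
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?: proto (?P<proto>\S+))?")


def parse_routes(text):
    """Parse each route line into a dict; a missing 'proto' field means 'boot'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            route = m.groupdict()
            route["proto"] = route["proto"] or "boot"
            routes.append(route)
    return routes


def classify(text):
    """Return {'static': [...], 'dynamic': [...], 'kept': [...]} of route dicts.
    'static' routes are lost on FRR restart and must be re-added by hand;
    'dynamic' ones are removed too but re-learned by the routing protocol;
    'kept' ones (proto kernel, which includes connected routes) survive."""
    buckets = {"static": [], "dynamic": [], "kept": []}
    for route in parse_routes(text):
        if route["proto"] in STATIC_PROTOS:
            buckets["static"].append(route)
        elif route["proto"] in DYNAMIC_PROTOS:
            buckets["dynamic"].append(route)
        else:
            buckets["kept"].append(route)
    return buckets


def post_up_lines(text):
    """Interfaces-file lines that re-install the 'static' routes with 'proto kernel',
    which is the workaround the release note gives."""
    lines = []
    for route in classify(text)["static"]:
        if route["gw"]:
            lines.append("post-up ip route add %s via %s proto kernel" % (route["dst"], route["gw"]))
        else:
            lines.append("post-up ip route add %s dev %s proto kernel" % (route["dst"], route["dev"]))
    return lines


if __name__ == "__main__":
    for name, routes in classify(SAMPLE_ROUTES).items():
        print(name, [r["dst"] for r in routes])
    print("\n".join(post_up_lines(SAMPLE_ROUTES)))
```

Feed it the real output with `classify(subprocess.check_output(["ip", "route", "show"]).decode())`; the `static` bucket is the list to convert to `post-up ... proto kernel` lines in /etc/network/interfaces before stopping the FRR service.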


RN-807 (CM-17159)
NCLU 'net show interface <bond>' command shows interface counters that are not populated

The output of the NCLU net show interface <bond> command shows misleading and incorrect interface counters.

This issue is fixed in Cumulus Linux 3.6.0.


RN-809 (CM-19120)
The 'netshow lldp' command displays an error

When running the netshow lldp command, the output displays the following error:

[email protected]:~# netshow lldp
ERROR: The lldpd service is running, but '/usr/sbin/lldpctl -f xml' failed.

However, the NCLU net show lldp command works correctly.

This issue is fixed in Cumulus Linux 3.6.0.


RN-815 (CM-19630)
Bridge MAC address clashing when eth0 is part of the same broadcast domain

Cumulus Linux uses the eth0 MAC address as the MAC address for bridges. If eth0 is part of the same broadcast domain, you experience outages when upgrading.

To work around this issue, manually change the bridge MAC address in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-821 (CM-19898)
The 'net show interface' command output missing information

The net show interface command output is missing LACP, CLAG, VLAN, LLDP, and physical link failure information.

This issue is fixed in Cumulus Linux 3.6.0.


RN-824 (CM-19667)
The show ipv6 route ospf command results in an unknown route type

When you run the vtysh -c 'show ipv6 route ospf json' command to show IPv6 routes through OSPF, you see the error Unknown route type. To work around this issue, you must specify ospf6 in the command:

[email protected]:~$  vtysh -c 'show ipv6 route ospf6 json'

This issue is fixed in Cumulus Linux 3.6.0.


RN-826 (CM-16865)
The compute unique hash seed default value is the same for each switch

The algorithm that calculates hashing is the same on every switch instead of being unique.

This issue is fixed in Cumulus Linux 3.6.0.


RN-828 (CM-19748)
Security: Debian Security Advisory DSA-4110-1 for exim4 issue CVE-2018-6789

The following CVE was announced in Debian Security Advisory DSA-4110-1, and affects the exim4 package. While this package is no longer in the Cumulus Linux installation image, it is still in the repo3 repository. Cumulus Linux is built on Debian Jessie.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4110-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2018-6789
Debian Bug : 890000
Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.
For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.


RN-829 (CM-19660)
Security: Debian Security Advisory DSA-4052-1 for Bazaar issue CVE-2017-14176

The following CVE was announced in Debian Security Advisory DSA-4052-1, and affects the Bazaar version control system.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4052-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bzr
CVE ID : CVE-2017-14176
Debian Bug : 874429

Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed in version 2.6.0+bzr6595-6+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.7.0+bzr6619-7+deb9u1.


RN-830 (CM-19595)
Security: Debian Security Advisory DSA-4098-1 for curl issues CVE-2018-1000005 CVE-2018-1000007

The following CVEs were announced in Debian Security Advisory DSA-4098-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1 [email protected]
https://www.debian.org/security/ Alessandro Ghedini
January 26, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2018-1000005 CVE-2018-1000007
Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-1000005
Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie).

CVE-2018-1000007
Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u9.


RN-831 (CM-19507)
Security: Debian Security Advisory DSA-4091-1 for mysql issues CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

The following CVEs were announced in Debian Security Advisory DSA-4091-1, and affect all mysql packages, including mysql-* and libmysql-*.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4091-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
January 18, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mysql-5.5
CVE ID : CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.59, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.59-0+deb8u1.


RN-832 (CM-19458)
Security: Debian Security Advisory DSA-4089-1 for bind9 issue CVE-2017-3145

The following CVE was announced in Debian Security Advisory DSA-4089-1, and affects the bind9 package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
January 16, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bind9

CVE ID : CVE-2017-3145
Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server implementation, was improperly sequencing cleanup operations, leading in some cases to a use-after-free error, triggering an assertion failure and crash in named.

For the oldstable distribution (jessie), this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.


RN-833 (CM-19446)
Security: Debian Security Advisory DSA-4086 for libxml2 issue CVE-2017-15412

The following CVE was announced in Debian Security Advisory DSA-4086-1, and affects the libxml2 package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2017-15412
Debian Bug : 883790

Nick Wellnhofer discovered that certain function calls inside XPath
predicates can lead to use-after-free and double-free errors when
executed by libxml2's XPath engine via an XSLT transformation.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.9.1+dfsg1-5+deb8u6.


RN-834 (CM-19385)
Security: Debian Security Advisory DSA-4082 for kernel issues CVE-2017-8824 CVE-2017-15868 CVE-2017-16538 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 and more

The following CVEs were announced in Debian Security Advisory DSA-4082-1, and affect the Linux kernel.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4082-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
January 09, 2018 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-15868

Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-16538

Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).

CVE-2017-16939

Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17805

Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).

CVE-2017-17806

It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.51-3+deb8u1.


RN-836 (CM-19353)
NCLU 'net del' and 'net add bridge' commands do not work in the same 'net commit'

If a bridge is previously configured and you run the net del all and the net add bridge commands in the same net commit, all bridge and VLAN commands fail and no bridge or VLAN configuration is added to the switch.

This issue is fixed in Cumulus Linux 3.6.0.


RN-837 (CM-19919)
PCIe bus error (Malformed TLP) on the Dell Z9100 switch

Certain Dell Z9100 switches running Cumulus Linux have a different string coded in the Manufacturer field of the SMBIOS/DMI information. This discrepancy sometimes causes a problem with timing during the boot sequence that leaves switchd in a failed state.

To work around this issue, perform either a single cold reboot (power cycle the switch) or two warm reboots (run the reboot command twice).

This issue is fixed in Cumulus Linux 3.6.0.


RN-861 (CM-20694)
NCLU 'net show lldp' command traceback on 'descr'

When you run the net show lldp command, the netd process crashes and does not recover. This occurs because the LLDP peer does not send the description field in the TLV (which is optional), so NCLU cannot parse the information.

To work around the issue, make sure that the LLDP peer device is configured to send the LLDP description in the TLV.

This issue is fixed in Cumulus Linux 3.6.0.


RN-862 (CM-20416)
The error message 'snmpd[xxx]: truncating integer value > 32 bits' repeating in syslog

When the switch or snmpd is running for more than 497 days, the following error message repeats in syslog:

snmpd[xxxx]: truncating integer value > 32 bits

This issue is resolved by limiting the number of log messages to 10 occurrences.


RN-863 (CM-20372)
The IPv6 default gateway GUA is not reachable through ICMP in a VXLAN configuration

When a server tries to reach the IPv6 default gateway global unique address (GUA) over a VXLAN enabled fabric, the communication fails if the gateway resides on a platform with the Broadcom Trident II+ ASIC, because incorrect hardware programming fails to forward the packet to the control plane for termination.

This issue is fixed in Cumulus Linux 3.6.0.


RN-864 (CM-20272)
Security: Debian Security Advisory DSA-4154-1 for net-snmp issues CVE-2015-5621 CVE-2018-1000116

The following CVEs were announced in Debian Security Advisory DSA-4154-1, and affect the net-snmp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4154-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : net-snmp
CVE ID : CVE-2015-5621 CVE-2018-1000116
Debian Bug : 788964 894110

A heap corruption vulnerability was discovered in net-snmp, a suite of
Simple Network Management Protocol applications, triggered when parsing
the PDU prior to the authentication process. A remote, unauthenticated
attacker can take advantage of this flaw to crash the snmpd process
(causing a denial of service) or, potentially, execute arbitrary code
with the privileges of the user running snmpd.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.7.2.1+dfsg-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed
before the initial release.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its
https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


RN-865 (CM-20344)
On the Broadcom Trident II+ ASIC, traceroute to an external host skips the anycast gateway address

When using traceroute from a server over a routed VXLAN overlay, the overlay router is not correctly accounted for in the path list. You might see the overlay router as an unknown hop or a repetition of the preceding hop. This applies for both IPv4 and IPv6.

This issue is fixed in Cumulus Linux 3.6.0.


RN-866 (CM-20182)
On Mellanox switches, ACL rules that match a TCP port do not work for encapsulated VXLAN packets

For an incoming VXLAN encapsulated packet, the inner packet does not match on the TCP port successfully after decapsulation.

This issue is fixed in Cumulus Linux 3.6.0.


RN-867 (CM-20126)
Implement forwarding table profiles for Maverick

Maverick switches should report layer 2 and layer 3 forwarding table sizes when you run cl-resource-query; this requires forwarding table profiles for the Maverick platform.

This issue is fixed in Cumulus Linux 3.6.0.


RN-868 (CM-20069)
Link-down does not work on SVIs configured in a VRF

The link-down yes configuration in the /etc/network/interfaces file has no effect on shutting down SVI interfaces configured in a VRF. SVIs configured without a VRF are not affected.

This issue is fixed in Cumulus Linux 3.6.0.


RN-869 (CM-20002)
Kernel route uses the bridge VRR interface instead of the bridge interface

In the kernel routing table, the bridge VRR interface is used instead of the bridge interface. This causes ARP packets to be sourced from the VRR interface instead of the physical interface.

This issue is fixed in Cumulus Linux 3.6.0.


RN-870 (CM-19959)
Internal loopback ports on Tomahawk switches set to 40G cause traffic to throttle

The internal loopback ports on a Tomahawk switch should be set to the highest speed of which the port is capable. However, due to a software defect, the ports can be set to 40G, which throttles traffic. When configuring Tomahawk internal loopback ports, make sure the port is not configured to a speed other than 100G. If it is, first remove the configuration on that port, reboot the system, then reconfigure the loopback port in the /etc/cumulus/ports.conf file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-871 (CM-19906)
Security: Debian Security Advisory DSA-4120-1 for Linux kernel issue CVE-2018-5750

The following CVE was announced in Debian Security Advisory DSA-4120-1, and affects the Linux kernel.

The issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4120-1 [email protected]
https://www.debian.org/security/
January 19, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2018-5750 

It was found that the acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.

See https://patchwork.kernel.org/patch/10174835/ for further details.


RN-872 (CM-19753)
On Mellanox Spectrum platforms configured with BGP unnumbered and multipath, cl-ecmpcalc fails on two links

On Mellanox Spectrum platforms, cl-ecmpcalc reports that the nexthop does not have multiple paths. For example:

Error: traffic to IP Address:31.0.0.31 will not ECMP

This issue is fixed in Cumulus Linux 3.6.0.


RN-873 (CM-18076)
Platform-aware validation checker for ports.conf

Cumulus Linux provides a new /etc/cumulus/ports.conf file validator that finds both syntax and platform-specific errors, and provides a reason for each invalid line. Errors are shown when you run the net commit command or the validate-ports script. Previously, the net commit command failed silently, with no error message.

The following example shows a ports.conf file snippet that has a problem with split ports:

...
# QSFP28 ports
#
# <port label> = [40G|50G|100G]
#   or when split = [2x50G|4x10G|4x25G|disabled]
1=4x10G
2=100G
3=4x10G
4=disabled
...

The above ports.conf snippet produces the following error message when you run the net commit command:

[email protected]:~# net commit 
Error: 1 invalid lines found in /etc/cumulus/ports.conf:
[Line 57]:'2=100G'
  Invalid because: 2 is blocked by port 1 but is marked '100G' rather than disable[d]

This issue is fixed in Cumulus Linux 3.6.0.
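To show what a platform-aware check of this kind does, here is an added example (not the Cumulus validate-ports script) of a simplified ports.conf validator that reports syntax errors and platform conflicts with a reason per line, in the style of the net commit output above. The platform rule is an assumption chosen to reproduce that error: a 4-way split on an odd-numbered QSFP28 port takes the lanes of the next even port, which must then be `disabled`. The sample file is constructed from the snippet above, so its line numbers are relative to the sample rather than the real file's line 57.

```python
"""Simplified platform-aware validator for /etc/cumulus/ports.conf, modelled on the
error the release note shows.  Added example, not the Cumulus validate-ports script.
Assumed platform profile: a 4-way split on an odd-numbered QSFP28 port takes the
lanes of the following even port, which must then be 'disabled'."""
import re

VALID_SPEEDS = {"40G", "50G", "100G", "2x50G", "4x10G", "4x25G", "disabled"}
FOUR_WAY_SPLITS = {"4x10G", "4x25G"}
PLATFORM_PORT_COUNT = 32          # assumed number of front-panel ports
LINE_RE = re.compile(r"^(\d+)\s*=\s*(\S+)$")

# Constructed ports.conf built from the snippet in the note; line numbers reported
# below are relative to this sample, not the real file's line 57.
SAMPLE_PORTS_CONF = """\
# QSFP28 ports
#
# <port label> = [40G|50G|100G]
#   or when split = [2x50G|4x10G|4x25G|disabled]
1=4x10G
2=100G
3=4x10G
4=disabled
5=100G
6=100G
"""


def parse_ports_conf(text):
    """Return ({port: (lineno, line, speed)}, [(lineno, line, reason)]); the second
    element lists lines rejected for syntax reasons."""
    ports, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((lineno, line, "not of the form <port>=<speed>"))
            continue
        port, speed = int(m.group(1)), m.group(2)
        if speed not in VALID_SPEEDS:
            errors.append((lineno, line, "unknown speed '%s'" % speed))
        elif not 1 <= port <= PLATFORM_PORT_COUNT:
            errors.append((lineno, line, "port %d does not exist on this platform" % port))
        elif port in ports:
            errors.append((lineno, line, "port %d is defined more than once" % port))
        else:
            ports[port] = (lineno, line, speed)
    return ports, errors


def validate_ports_conf(text):
    """Return every (lineno, line, reason) error, syntax and platform, in line order."""
    ports, errors = parse_ports_conf(text)
    for port, (_, _, speed) in ports.items():
        blocked = port + 1
        if port % 2 == 1 and speed in FOUR_WAY_SPLITS and blocked in ports:
            b_lineno, b_line, b_speed = ports[blocked]
            if b_speed != "disabled":
                errors.append((b_lineno, b_line,
                               "%d is blocked by port %d but is marked '%s' rather than disabled"
                               % (blocked, port, b_speed)))
    return sorted(errors)


def format_report(path, errors):
    """Render the errors in the style of the net commit message in the note."""
    out = ["Error: %d invalid lines found in %s:" % (len(errors), path)]
    for lineno, line, reason in errors:
        out.append("[Line %d]:'%s'" % (lineno, line))
        out.append("  Invalid because: %s" % reason)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report("/etc/cumulus/ports.conf", validate_ports_conf(SAMPLE_PORTS_CONF)))
```

A real platform profile would carry the port count, the legal speeds per port and the lane-sharing map of the specific ASIC and board; the structure stays the same, with syntax checks done line by line and conflicts checked over the parsed whole.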


RN-874 (CM-16293)
NCLU 'net show interface' output should be fewer than 80 characters

The output of the net show interface command can be more than 130 characters wide without line wrapping, which is difficult to read on an 80-character-wide terminal.

This issue is fixed in Cumulus Linux 3.6.0. The net show interface output is now fewer than 80 characters long for 80 character wide terminals.


RN-905 (CM-19649)
LLDP-MED network policy not working after port flaps

LLDP-MED includes voice VLAN and DSCP values. When you configure LLDP, the service works when the port is first brought up, but the switch stops sending LLDP-MED TLVs after a link state transition.

This issue is fixed in Cumulus Linux 3.6.0.


RN-909 (CM-20543)
NCLU 'net del time ntp server *' command crashes netd

Removing all NTP servers from the configuration with the net del ntp server * command (using * as a wildcard to match all servers) causes netd to crash.

This issue is fixed in Cumulus Linux 3.6.0.


RN-910 (CM-20483)
On the Dell 4148F-ON switch, portwd tries to make 10G ports into 40G

On the Dell 4148F-ON switch, ports swp53 and swp54 do not link up with installed 10G DACs.

This issue is fixed in Cumulus Linux 3.6.0.


RN-911 (CM-20411)
OSPF is up after BFD fails in a point-to-point network

When a BFD session fails in a point-to-point network, the OSPF adjacency with the neighbor is not brought down.

This issue is fixed in Cumulus Linux 3.6.0.


RN-912 (CM-19801)
QinQ not working without a restart in traditional mode bridge

When changing the inner and outer VLANs of a double-tagged bridge interface using ifreload, the port's VLAN translation key is not updated correctly, causing an incorrect VLAN translation.

This issue is fixed in Cumulus Linux 3.6.0.


RN-913 (CM-19728)
NCLU 'ip forward' command has incorrect syntax and does not show in configuration

When you disable IP forwarding on an interface with the NCLU ip forward off command and commit the change, the command shows as unsupported when you run net show configuration commands.

This issue is fixed in Cumulus Linux 3.6.0.


RN-914 (CM-19727)
VRF not generated when used in BGP configuration

When you run the NCLU net add bgp vrf command, the VRF is not created in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-915 (CM-19689)
The default syslog level for DHCP Relay results in too many messages

The default syslog severity level for DHCP Relay is 6, which causes too many syslog messages.

This issue is fixed in Cumulus Linux 3.6.0.


RN-916 (CM-19666)
netd crashes when you add unicode characters in SNMP commands

Unicode characters in SNMP commands cause netd to crash.

This issue is fixed in Cumulus Linux 3.6.0.


RN-917 (CM-19629)
FRR package code dependency causes FRR reload failure

Reloading a running FRR instance without a restart fails and logs errors because of unsatisfied code dependencies in the FRR package.

This issue is fixed in Cumulus Linux 3.6.0.


RN-918 (CM-19615)
On the Tomahawk ASIC, the nexthop of a route in a VRF points to an incorrect interface

The nexthop of a route common to two VRFs points to an incorrect interface.

This issue is fixed in Cumulus Linux 3.6.0.


RN-919 (CM-19452)
NCLU 'net show lldp' command causes netd to crash

The netd process crashes when you run the net show lldp command and does not recover.

This issue is fixed in Cumulus Linux 3.6.0.


RN-920 (CM-19374)
sFlow sampling causes RX-DRP in kernel

sFlow sampling is causing the RX-DRP counter in the net show counters command output to increment.

This issue is fixed in Cumulus Linux 3.6.0.


RN-921 (CM-19370)
Link Local IPv6 address is not associated with a VRF

Link Local IPv6 addresses cannot be used to source SSH traffic inside a VRF such as the management VRF.

This issue is fixed in Cumulus Linux 3.6.0.


RN-922 (CM-20237)
Security: Debian Security Advisory DSA-4151-1 for librelp issue CVE-2018-1000140 

The following CVE was announced in Debian Security Advisory DSA-4151-1, and affects the librelp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4151-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
March 26, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : librelp
CVE ID : CVE-2018-1000140

Bas van Schaik and Kevin Backhouse discovered a stack-based buffer
overflow vulnerability in librelp, a library providing reliable event
logging over the network, triggered while checking x509 certificates
from a peer. A remote attacker able to connect to rsyslog can take
advantage of this flaw for remote code execution by sending a specially
crafted x509 certificate.

Details can be found in the upstream advisory:
http://www.rsyslog.com/cve-2018-1000140/

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.7-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-1+deb9u1.

We recommend that you upgrade your librelp packages.

For the detailed security status of librelp, please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/librelp


RN-923 (CM-20093)
Security: Debian Security Advisory DSA-4140-1 for libvorbis issue CVE-2018-5146 

The following CVE was announced in Debian Security Advisory DSA-4140-1, and affects the libvorbis package.

This issue is fixed in Cumulus Linux 3.6.0.

--------------------------------------------------------------------------
Debian Security Advisory DSA-4140-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
March 16, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvorbis
CVE ID : CVE-2018-5146
Debian Bug : 893130

Richard Zhu discovered that an out-of-bounds memory write in the
codebook parsing code of the Libvorbis multimedia library could result
in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.5-4+deb9u2.


RN-924 (CM-20066)
Security: Debian Security Advisory DSA-4136-1 for curl issues CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122 

The following CVEs were announced in Debian Security Advisory DSA-4136-1, and affect the curl package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4136-1 [email protected]
https://www.debian.org/security/ Alessandro Ghedini
March 14, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Multiple vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-1000120

Duy Phan Thanh discovered that curl could be fooled into writing a
zero byte out of bounds when curl is told to work on an FTP URL with
the setting to only issue a single CWD command, if the directory part
of the URL contains a "%00" sequence.

CVE-2018-1000121
Dario Weisser discovered that curl might dereference a near-NULL
address when getting an LDAP URL due to the ldap_get_attribute_ber()
function returning LDAP_SUCCESS and a NULL pointer. A malicious server
might cause libcurl-using applications that allow LDAP URLs, or that
allow redirects to LDAP URLs, to crash.

CVE-2018-1000122

OSS-fuzz, assisted by Max Dymond, discovered that curl could be
tricked into copying data beyond the end of its heap based buffer
when asked to transfer an RTSP URL.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u10.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl


RN-925 (CM-20030)
Security: Debian Security Advisory DSA-4100-1 for tiff (libtiff) issues CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726 CVE-2017-13727 CVE-2017-18013 

The following CVEs were announced in Debian Security Advisory DSA-4100-1, and affect the tiff package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4100-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726
CVE-2017-13727 CVE-2017-18013

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u2.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff


RN-926 (CM-19996)
Security: Debian Security Advisory DSA-4133-1 for isc-dhcp issues CVE-2017-3144 CVE-2018-5732 CVE-2018-5733 

The following CVEs were announced in Debian Security Advisory DSA-4133-1, and affect the isc-dhcp package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4133-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
March 07, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : isc-dhcp
CVE ID : CVE-2017-3144 CVE-2018-5732 CVE-2018-5733
Debian Bug : 887413 891785 891786

Several vulnerabilities have been discovered in the ISC DHCP client,
relay and server. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3144

It was discovered that the DHCP server does not properly clean up
closed OMAPI connections, which can lead to exhaustion of the pool
of socket descriptors available to the DHCP server, resulting in
denial of service.

CVE-2018-5732

Felix Wilhelm of the Google Security Team discovered that the DHCP
client is prone to an out-of-bound memory access vulnerability when
processing specially constructed DHCP options responses, resulting
in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

Felix Wilhelm of the Google Security Team discovered that the DHCP
server does not properly handle reference counting when processing
client requests. A malicious client can take advantage of this flaw
to cause a denial of service (dhcpd crash) by sending large amounts
of traffic.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.3.1-6+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 4.3.5-3+deb9u1.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp, please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/isc-dhcp


RN-927 (CM-19961)
Security: Debian Security Advisory DSA-4132-1 for libvpx issue CVE-2017-13194

The following CVEs were announced in Debian Security Advisory DSA-4132-1, and affect the libvpx package.

This issue is fixed in Cumulus Linux 3.6.0.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4132-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
March 04, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2017-13194

It was discovered that incorrect validation of frame widths in the libvpx
multimedia library may result in denial of service and potentially the
execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.0-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.1-3+deb9u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx


RN-928 (CM-19253)
Security: Debian Security Advisory DSA-4068-1 for rsync issues CVE-2017-16548 CVE-2017-17433 CVE-2017-17434 

The following CVEs were announced in Debian Security Advisory DSA-4068-1, and affect the rsync package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4068-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : rsync
CVE ID : CVE-2017-16548 CVE-2017-17433 CVE-2017-17434
Debian Bug : 880954 883665 883667

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, allowing a remote attacker to
bypass intended access restrictions or cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.1-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.1.2-1+deb9u1.


RN-929 (CM-19303)
Security: Debian Security Advisory DSA-4073-1 for linux kernel issues CVE-2017-8824 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

The following CVEs were announced in Debian Security Advisory DSA-4073-1, and affect the linux package.

This issue is fixed in Cumulus Linux 3.6.0.

Debian Security Advisory DSA-4073-1 [email protected]
https://www.debian.org/security/ 
December 23, 2017 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-8824 CVE-2017-16995 CVE-2017-17448
CVE-2017-17449 CVE-2017-17450 CVE-2017-17558
CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not
correctly manage resources when a socket is disconnected and
reconnected, potentially leading to a use-after-free. A local
user could use this for denial of service (crash or data
corruption) or possibly for privilege escalation. On systems that
do not already have the dccp module loaded, this can be mitigated
by disabling it:
echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-16995

Jann Horn discovered that the Extended BPF verifier did not
correctly model the behaviour of 32-bit load instructions. A
local user can use this for privilege escalation.

CVE-2017-17448

Kevin Cernekee discovered that the netfilter subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace, not
just the root namespace, to enable and disable connection tracking
helpers. This could lead to denial of service, violation of
network security policy, or have other impact.

CVE-2017-17449

Kevin Cernekee discovered that the netlink subsystem allowed
users with the CAP_NET_ADMIN capability in any user namespace
to monitor netlink traffic in all net namespaces, not just
those owned by that user namespace. This could lead to
exposure of sensitive information.

CVE-2017-17450

Kevin Cernekee discovered that the xt_osf module allowed users
with the CAP_NET_ADMIN capability in any user namespace to modify
the global OS fingerprint list.

CVE-2017-17558

Andrey Konovalov reported that the USB core did not correctly
handle some error conditions during initialisation. A physically
present user with a specially designed USB device can use this to
cause a denial of service (crash or memory corruption), or
possibly for privilege escalation.

CVE-2017-17712

Mohamed Ghannam discovered a race condition in the IPv4 raw socket
implementation. A local user could use this to obtain sensitive
information from the kernel.

CVE-2017-17741

Dmitry Vyukov reported that the KVM implementation for x86 would
over-read data from memory when emulating an MMIO write if the
kvm_mmio tracepoint was enabled. A guest virtual machine might be
able to use this to cause a denial of service (crash).

CVE-2017-17805

It was discovered that some implementations of the Salsa20 block
cipher did not correctly handle zero-length input. A local user
could use this to cause a denial of service (crash) or possibly
have other security impact.

CVE-2017-17806

It was discovered that the HMAC implementation could be used with
an underlying hash algorithm that requires a key, which was not
intended. A local user could use this to cause a denial of
service (crash or memory corruption), or possibly for privilege
escalation.

CVE-2017-17807

Eric Biggers discovered that the KEYS subsystem lacked a check for
write permission when adding keys to a process's default keyring.
A local user could use this to cause a denial of service or to
obtain sensitive information.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel
processors allowed direct access to host I/O port 0x80, which
is not generally safe. On some systems this allows a guest
VM to cause a denial of service (crash) of the host.

CVE-2017-1000410

Ben Seri reported that the Bluetooth subsystem did not correctly
handle short EFS information elements in L2CAP messages. An
attacker able to communicate over Bluetooth could use this to
obtain sensitive information from the kernel.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-17448 can be exploited by any local user.


RN-930 (CM-19367)
Adding MTU to bonded interfaces creates an incorrect interface

When adding the MTU to bonded interfaces, NCLU creates an incorrect interface in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.6.0.


RN-931 (CM-19675)
Static route remains inactive following link flap

When a static route is removed from the zebra routing table because an interface is transitioning to down state, the static route remains inactive when the interface comes back up if an alternate route still exists.

This issue is fixed in Cumulus Linux 3.6.0.


RN-934 (CM-19605)
The kernel reports incorrect link state for 10G BASE-LR on Broadcom switches

On Broadcom switches, the link status for the 10G BASE-LR and 10G BASE-SR might incorrectly display as up after you disconnect the cable.

This issue is fixed in Cumulus Linux 3.6.0.

Known Issues in Cumulus Linux 3.6.0

The following issues are new to Cumulus Linux and affect the current release.


RN-382 (CM-6692)
FRR: Removing a bridge using  ifupdown2 does not remove it from the configuration files

Removing a bridge using ifupdown2 does not remove it from the FRR configuration files. However, restarting FRR successfully removes the bridge.

This issue is being investigated at this time.


RN-389 (CM-8410)
switchd supports only port 4789 as the UDP port for VXLAN packets

switchd currently allows only the standard port 4789 as the UDP port for VXLAN packets. If a hypervisor uses a non-standard UDP port, VXLAN exchanges with the hardware VTEP do not work; packets are not terminated and encapsulated packets are sent out on UDP port 4789.

This issue is being investigated at this time.


RN-406 (CM-9895)
Mellanox SN2700 power off issues

The Mellanox SN2700 or SN2700B switch appears to be unresponsive for at least three minutes after a PDU power cycle is issued, if any of the following occur:

  • A shutdown or poweroff command is executed
  • A temperature sensor hits a critical value and shuts down the box


RN-537 (CM-12967)
Pause frames sent by a Tomahawk switch are not honored by the upstream switch

When link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch and there is over-subscription on a link, where the ASIC sends pause frames aggressively, the upstream switch does not throttle enough.

If you need link pause or PFC functionality, use a switch that does not use the Tomahawk ASIC.


RN-602 (CM-15094)
sFlow interface speed incorrect in counter samples

Counter samples exported from the switch show an incorrect interface speed.

This issue is being investigated at this time.


RN-604 (CM-15959)
ARP suppression does not work well with VXLAN active-active mode

In some instances, ARP requests are not suppressed in a VXLAN active-active scenario, but instead get flooded over VXLAN tunnels. This issue is caused because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync, and neither does EVPN.

This issue is being investigated at this time.


RN-640 (CM-16461)
Cumulus VX OVA image for VMware reboots due to critical readings from sensors

After booting a Cumulus VX virtual machine running the VMware OVA image, sometimes messages from sensors appear, indicating that the "Avg state" is critical, with all values displayed as 100.0. A cl-support is generated.

This issue is being investigated at this time.


RN-656 (CM-17617)
The switchd heartbeat fails on Tomahawk switches with VXLAN scale configuration (512 VXLAN interfaces)

When a Tomahawk switch has 512 VXLAN interfaces configured, the switchd heartbeat fails. This can cause switchd to dump core.

To work around this issue, disable VXLAN statistics in switchd. Edit /etc/cumulus/switchd.conf and comment out the following line:

[email protected]:~$ sudo nano /etc/cumulus/switchd.conf

...

#stats.vxlan.member = BRIEF

...

Then restart switchd for the change to take effect. This causes all network ports to reset in addition to resetting the switch hardware configuration.

[email protected]:~$ sudo systemctl restart switchd.service
 

RN-744 (CM-18986)
Unable to modify BGP ASN for a VRF associated with layer 3 VNI

After editing the frr.conf file to modify the BGP ASN for a VRF associated with a layer 3 VNI, the change is not applied.

To work around this issue, first delete the layer 3 VNI, then try to modify the BGP VRF instance.


RN-750 (CM-17457)
On Maverick switches, multicast traffic limited by lowest speed port in the group

The Maverick switch limits multicast traffic by the lowest speed port that has joined a particular group.

This issue is being investigated at this time.


RN-751 (CM-17157)
Pull source-node replication schema patch from upstream

The upstream OVSDB VTEP schema has been updated multiple times and now contains a patch to support source-node replication. This patch is not included with the latest version of Cumulus Linux.

Cumulus Networks is currently working to fix this issue.


RN-753 (CM-18170)
MLAG neighbor entries deleted on link down, but ARP table out of sync when bond comes back up and system MAC address changed

The MLAG neighbor entries are deleted when the switch goes down; however, the ARP table is out of sync when the bond comes back up and the system MAC address is changed.

To work around this issue, ping the SVI address of the MLAG switch or issue an arping command to the host from the broken switch.


RN-754 (CM-15812)
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This issue is being investigated at this time.


RN-755 (CM-16855)
Auto-negotiation ON sometimes results in NO-CARRIER

If the two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on during a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.


RN-757 (CM-18537)
On Mellanox switches, congestion drops not counted

On the Mellanox switch, packet drops due to congestion are not counted.

To work around this issue, run the command sudo ethtool -S swp1 to collect interface traffic statistics.


RN-758 (CM-17557)
If sFlow is enabled, some sampled packets (such as multicast) are forwarded twice

When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack).

This issue is being investigated at this time.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-762 (CM-15677)
SBUS error warnings on Tomahawk switches

SBUS error warnings display on Tomahawk switches.

This issue is being investigated at this time.


RN-763 (CM-16139)
OSPFv3 does not handle ECMP properly

IPv6 ECMP is not working as expected in OSPFv3.

This issue is being investigated at this time.


RN-764 (CM-17434)
On Broadcom switches, all IP multicast traffic uses only queue 0 

On Broadcom switches, IPv4 and IPv6 multicast traffic always maps into queue 0.

This issue is being investigated at this time.


RN-778 (CM-19203)
On Dell S4148F-ON and S4128F-ON switches with Maverick ASICs, configuring 1G or 100M speeds requires a ports.conf workaround

1G and 100M speeds on SFP ports do not work automatically on Dell S4148F-ON and S4128F-ON switches.

To enable a speed lower than 10G on a port on the S4148F and S4128F platforms, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds.

To work around this issue:

  1. In the /etc/cumulus/ports.conf file, set each of the four ports in the port group to 1G. Port groups are swp1-4, swp5-8, swp9-12, and so on, and start with swp31-35 on the right half of the switch. For example, to enable ports swp5-swp8 to link up at 100M or 1G speeds, add the following to the ports.conf file:
    5=1G
    6=1G
    7=1G
    8=1G
  2. Restart switchd:
    [email protected]:~$ sudo systemctl reset-failed switchd; sudo systemctl restart switchd
  3. Configure the interfaces.

    On RJ45 SFPs (1G-BaseT), set the link speed to 1000 for 1G or 100 for 100M and turn off auto-negotiation for each of the four ports in the port group, as shown in the example commands below. Note that auto-negotiation still functions internally on the RJ45 side from within the 1G-BaseT SFP PHY to the neighboring NIC.

    [email protected]:~$ net add interface swpXX
    [email protected]:~$ net add interface swpXX link speed 1000
    [email protected]:~$ net add interface swpXX link autoneg off
    [email protected]:~$ net commit

    These commands create the following configuration in the /etc/network/interfaces file:

    auto swpXX
    iface swpXX
     link-speed 1000
     link-duplex full
     link-autoneg off

    On Fiber SFPs (1G-BaseSX, 1G-BaseLX), enable auto-negotiation for each of the four ports in the port group, as shown in the example commands below. Auto-negotiation is not required but allows unidirectional fiber link detection.

    [email protected]:~$ net add interface swpXX
    [email protected]:~$ net add interface swpXX link autoneg on
    [email protected]:~$ net commit

    These commands create the following configuration in the /etc/network/interfaces file:

    auto swpXX
    iface swpXX
      link-autoneg on
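The port-group rule above (1G/100M speeds must occupy a whole group of four SFP ports, with no 10G port in the same group) is easy to get wrong by hand. The following validator is an added example, not Cumulus Networks code: it assumes the "<port>=<speed>" ports.conf format shown above and models groups as consecutive runs of four starting at swp1 on the left half and at swp31 on the right half, as the text states; the sample ports.conf is constructed.

```python
"""Check a ports.conf fragment against the RN-778 port-group rule (added example).

Assumptions (not from the Cumulus ports.conf documentation): one "<port>=<speed>"
per line, '#' starts a comment, groups are consecutive fours starting at swp1
and, on the right half of the switch, at swp31.
"""
import re

LOW_SPEEDS = {"100M", "1G"}   # speeds that need a dedicated port group
GROUP_SIZE = 4
RIGHT_HALF_START = 31         # assumption taken from the RN-778 text

# Constructed sample: swp5-8 are correctly set to 1G as a whole group,
# but swp9 is set to 1G while swp10-12 stay at 10G (a mixed group).
SAMPLE_PORTS_CONF = """\
# ports.conf - constructed sample for this example
1=10G
2=10G
3=10G
4=10G
5=1G
6=1G
7=1G
8=1G
9=1G
10=10G
11=10G
12=10G
"""


def parse_ports_conf(text):
    """Return {port_number: SPEED} from ports.conf text; comments and blanks are ignored."""
    ports = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+)\s*=\s*(\S+)", line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        ports[int(m.group(1))] = m.group(2).upper()
    return ports


def port_group(port):
    """Return the tuple of port numbers forming the four-port group that contains port."""
    if port >= RIGHT_HALF_START:
        base, limit = RIGHT_HALF_START, None
    else:
        base, limit = 1, RIGHT_HALF_START
    start = base + ((port - base) // GROUP_SIZE) * GROUP_SIZE
    end = start + GROUP_SIZE
    if limit is not None:
        end = min(end, limit)   # a left-half group never spills into the right half
    return tuple(range(start, end))


def find_group_violations(ports):
    """Return [(group, reason)] for every group where a 1G/100M port is not
    accompanied by 1G/100M settings on all other ports of that group."""
    violations = []
    checked = set()
    for port, speed in sorted(ports.items()):
        if speed not in LOW_SPEEDS:
            continue
        group = port_group(port)
        if group in checked:
            continue
        checked.add(group)
        missing = [p for p in group if p not in ports]
        if missing:
            violations.append((group, "ports %s not set; the whole group must be 1G/100M" % missing))
            continue
        mixed = {p: ports[p] for p in group if ports[p] not in LOW_SPEEDS}
        if mixed:
            violations.append((group, "mixed 10G and lower speeds: %s" % mixed))
    return violations


def check_ports_conf(text):
    """Parse and validate; returns the list of violations (empty when the file is consistent)."""
    return find_group_violations(parse_ports_conf(text))


if __name__ == "__main__":
    for group, reason in check_ports_conf(SAMPLE_PORTS_CONF):
        print("swp%d-%d: %s" % (group[0], group[-1], reason))
```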

RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This issue is currently being investigated.


RN-790 (CM-19014)
Configuring DHCP relay with VRR breaks ifreload

When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example, the IP address might be removed from an SVI.

This issue is currently being investigated. 


RN-799 (CM-16493)
No way to configure IPv6 link-local addrgenmode using ifupdown2 or NCLU

You cannot use NCLU or ifupdown2 to enable or disable the IPv6 link-local EUI-64 address generation mode.

To work around this limitation, you can use the following iproute2 command:

[email protected]:~$ sudo ip link set dev swp# addrgenmode {eui64|none}

Note that this command does not persist across a reboot of the switch.

This issue is currently being investigated.


RN-808 (CM-15902)
In EVPN, sticky MAC addresses move from one bridge port to another

In EVPN environments, sticky MAC addresses move from one bridge port to another on soft nodes.

This issue is currently being investigated.


RN-822 (CM-19788)
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected

If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-823 (CM-19724)
Multicast control protocols are classified to the bulk queue by default

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-825 (CM-19633)
cl-netstat counters count twice for VXLAN traffic in TX direction

This is expected behavior. Multicast frames are being dropped at the transmit port of the same interface on which they are received. This is known as a split-horizon correction, which is required for multicast to operate correctly.


RN-827 (CM-14300)
cl-acltool counters for implicit accept do not work for IPv4 on management (ethX) interfaces

iptables does not count packets against the default INPUT chain rule for packets ingressing the Ethernet management (ethX) interfaces.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-860 (CM-20695)
Tab completion with the  'net add vxlan' command produces a traceback in the log

When using tab completion with the net add vxlan command, the following traceback appears in the log:

ERROR: 'name'
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/nclu/__init__.py", line 789, in get_lldp
lldp[value['name']] = value['chassis'][0]['name'][0]['value']
KeyError: 'name'

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-875 (CM-20779)
On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop missing from hardware

On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware.

To work around this issue, manually delete the ARP entry from kernel with the arp -d command to repopulate it in the hardware.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-876 (CM-20776)
EVPN symmetric IRB with numbered neighbors omits the NEXTHOP attribute when advertising to an external router

With EVPN symmetric routing (including type-5 routes), you can only advertise host routes or prefix routes learned through EVPN to a VRF peer if the EVPN peering uses BGP unnumbered. If the BGP peering is numbered, the NEXTHOP of the MP_REACH attribute is not included, which causes the neighbor to reply with a BGP notification.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-877 (CM-20745, CM-20678)
NCLU 'net show interface' commands report wrong mode in output for trunk ports

The net show interface command output displays the mode as Access/L2 instead of Trunk/L2.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-878 (CM-20741)
NCLU 'net pending' command does not show 'net add vxlan vni bridge access '

When you issue the net pending command, the resulting output is missing the VXLAN VNI and bridge access additions.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-879 (CM-20724)
NCLU treats interface names with a hyphen as a range

If you create an interface name that includes a hyphen (-), Cumulus Linux treats the interface as a range of interfaces.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-880 (CM-20672)
In Mellanox buffer monitoring, packet statistics per priority ignore priority 7

The buffer monitoring tool on Mellanox switches only shows priorities 0 through 6 for the all_packet_pg statistics; priority 7 is not shown.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-881 (CM-20665)
On Tomahawk+ switches, 100G DAC cables don’t link up on 3 out of the 6 ports when auto-negotiation is on

100G Copper Direct Attach Cables (DAC) might not link up on ports 49, 51, and 52 when auto-negotiation is set to on.

To work around this issue, disable auto-negotiation on both sides of the cables plugged into these ports or move the 100G DACs to ports 50, 53, or 54.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-882 (CM-20648)
When using VRF route leaking on a Mellanox switch, forwarded packets are copied to the CPU several times

When using VRF Route leaking on Mellanox switches in a VLAN-unaware bridge configuration, the packets for a locally attached leaked host are software forwarded.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-883 (CM-20644)
If the PTP services are running when switchd is restarted, the PTP services need to be restarted

When using PTP and switchd.service is restarted, the PTP services need to be restarted after switchd.service with the following commands:

systemctl reset-failed ptp4l.service phc2sys.service
systemctl restart ptp4l.service phc2sys.service

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-884 (CM-20534)
Dynamic leaking of routes between VRFs occurs through the default BGP instance

The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs.

This issue is currently being investigated.


RN-885 (CM-20530)
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This issue is currently being investigated.


RN-886 (CM-20508)
On Mellanox and Broadcom switches, the Cumulus-Resource-Query-MIB defines buffer utilization objects but returns nothing

The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status but when these objects are polled, they return nothing.

This issue is currently being investigated.


RN-887 (CM-20474)
VXLAN Encapsulation drops ARP QinQ tunneled packets

When an ARP request or response (or IPv6 NS/NA) packet with double VLAN tags (such as 802.1Q over 802.1Q) is sent to a VXLAN overlay, the outer VLAN tag is stripped during VXLAN encapsulation. If the receiving VTEP is a Broadcom Trident II+ platform, the post-VXLAN decapsulated packet is incorrectly directed to the control plane. As the packet traverses the Linux kernel VXLAN interface into the VLAN-aware bridge device, the exposed inner VLAN tag is incorrectly used for VLAN filtering against the outer VLAN set, causing the packet to be discarded.

To work around this issue, disable VXLAN routing on the Trident II+ switch by setting the following in the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file:

vxlan_routing_overlay.profile = disable

Then restart switchd for the change to take effect:

sudo systemctl restart switchd.service

This issue is currently being investigated.


RN-888 (CM-20468, CM-20357)
Routes in a VRF learned through iBGP or multi-hop eBGP get leaked even if their next hops are unresolved

Routes in a VRF learned through iBGP or multi-hop eBGP are marked as installed even when they are not installed in the source VRF.

This issue is currently being investigated.


RN-889 (CM-20415)
NCLU 'net add routing import-table' command results in an FRR service crash

The FRR service crashes when you run the net add routing import-table command. To work around this issue, do not use the NCLU command.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-890 (CM-20415)
On Maverick QCT LY7, Tomahawk+ AS7312 and DNI AG5648 switches, sysfs tree differences cause portwd startup failure

Inserting a 1000BASE-T RJ-45 SFP adapter into a Maverick QCT LY7, Tomahawk+ AS7312 or DNI AG5648 switch causes portwd to fail to start, resulting in the switch being unusable.

To work around this issue, do not use 1000BASE-T RJ-45 modules on the impacted switches.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-891 (CM-20684)
On Mellanox switches, attempts to configure a VRF with a nexthop from another VRF results in an sx_sdk daemon crash and loss of forwarding functionality

VRF Route Leaking is not supported on Mellanox platforms in 3.6.0. Attempts to configure a VRF with a nexthop from another VRF can result in an sx_sdk daemon crash and loss of forwarding functionality. Do not configure VRF import to leak routes between VRFs.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-892 (CM-20370)
In VXLAN active-active mode, the IPv6 default gateway LLA is not reachable through ICMP

In a VXLAN active-active mode configuration, a ping from a host within the VXLAN fabric towards the gateway (LLA) fails.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-893 (CM-20363)
IPv6 RA should include all on-link prefixes as prefix information

IPv6 RAs from a router can be used for host auto-configuration. The main items that can be auto-configured are the on-link prefixes (which the host uses to autoconfigure its addresses) and the default router; some other information can also be indicated. FRR supports advertising some of these parameters but does not automatically include every on-link prefix. To work around this issue, configure the prefixes explicitly for announcement through RA using the ipv6 nd prefix command.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-894 (CM-20177)
Inter-subnet routing intermittently stops working in a central VXLAN routing configuration

In a VXLAN centralized routing configuration, IPv6 hosts (auto-configured using SLAAC) might experience intermittent connectivity loss between VXLAN segments (inter-subnet routing) within the data center fabric (EVPN type-5 external routes are not affected). The NA message has the wrong flag set (the router flag is not set, which is incorrect behavior based on RFC 4861, Section 4.4).

To work around this issue, configure bridge-arp-nd-suppress off under VNI interfaces for all VTEP devices.
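As an added example (not from the release notes or the Cumulus Linux product), the following POSIX shell audit scans an ifupdown2-style /etc/network/interfaces file and reports every VNI stanza (one carrying a vxlan-id) that does not explicitly set bridge-arp-nd-suppress off, so an operator can verify the RN-894 workaround is in place on every VTEP. The sample interfaces content, the VNI names and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the release notes: audit an ifupdown2
# /etc/network/interfaces file for VXLAN (VNI) stanzas that lack
# "bridge-arp-nd-suppress off" (the RN-894 workaround).
# Stanza boundaries follow ifupdown2 conventions: a stanza starts at an
# "iface" line and ends at the next "auto", "iface" or "source" line.

# vni_stanzas_missing_nd_suppress_off FILE
# Prints the name of every iface stanza that has a vxlan-id but does not
# set bridge-arp-nd-suppress to "off". Exit status 1 if any were found.
vni_stanzas_missing_nd_suppress_off() {
    awk '
        function flush() {
            if (name != "" && is_vni && !off) { print name; bad++ }
            name = ""; is_vni = 0; off = 0
        }
        $1 == "iface"                  { flush(); name = $2; next }
        $1 == "auto" || $1 == "source" { flush(); next }
        $1 == "vxlan-id"               { is_vni = 1; next }
        $1 == "bridge-arp-nd-suppress" && $2 == "off" { off = 1; next }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample (assumption, not a real switch configuration):
# vni10 carries the workaround, vni20 relies on the default (suppression on),
# vni30 sets it to "on" explicitly, and "bridge" is not a VNI.
sample_interfaces() {
    cat <<'EOF'
auto lo
iface lo inet loopback
    address 10.0.0.1/32

auto vni10
iface vni10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.1
    bridge-arp-nd-suppress off
    bridge-learning off

auto vni20
iface vni20
    vxlan-id 20
    vxlan-local-tunnelip 10.0.0.1
    bridge-learning off

auto vni30
iface vni30
    vxlan-id 30
    bridge-arp-nd-suppress on

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports vni10 vni20 vni30 swp1
EOF
}

# Write the constructed sample to a temporary file and audit it.
# Prints "vni20" and "vni30" and returns 1 (offenders found).
audit_sample() {
    tmp=$(mktemp) || return 2
    sample_interfaces > "$tmp"
    vni_stanzas_missing_nd_suppress_off "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run the demonstration only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--demo" ]; then
    audit_sample
fi
```

On a real VTEP, point vni_stanzas_missing_nd_suppress_off at /etc/network/interfaces (and any files it pulls in with source) and treat a non-zero exit status as a configuration drift finding; a VNI whose suppression is left at the default is exactly the case this note says produces the intermittent inter-subnet loss.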

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-895 (CM-20160)
I2C bus hangs after setting speed to 40G on 100G/40G DAC on a Maverick 4148T switch

On Maverick 4148T switches, the I2C bus can hang, causing the fans and temperature sensors to be unreadable and the log file to fill with the error message:

ismt_smbus 0000:00:13.0 completion wait timed out

To work around this issue, reboot the switch.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-896 (CM-20139)
On Mellanox switches, egress ACL (destination port matching) on bonds is not allowed

An ACL rule that matches on an outbound bond interface fails to install. For example, a rule like this fails.

[iptables]
-A FORWARD --out-interface  -j DROP

To work around this issue, duplicate the ACL rule on each physical port of the bond. For example:

[iptables]
-A FORWARD --out-interface  -j DROP
-A FORWARD --out-interface  -j DROP
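The duplication above has to be kept in step with the bond's membership, so as an added example (not from the release notes or from Cumulus Linux itself) here is a POSIX shell helper that expands a single egress rule into one rule per member port and wraps the result in the [iptables] section format used above. The bond name, the member list swp1 swp2 and the FORWARD/DROP rule are constructed assumptions; on a switch the member list comes from /sys/class/net/<bond>/bonding/slaves.

```shell
#!/bin/sh
# Added example, not part of the release notes: emit one egress ACL rule
# per physical member of a bond (the RN-896 workaround), because a rule
# that matches --out-interface on the bond itself fails to install.

# bond_members BOND
# Print the space-separated member list of BOND from sysfs (empty if the
# bond does not exist on this host).
bond_members() {
    cat "/sys/class/net/$1/bonding/slaves" 2>/dev/null
}

# expand_egress_rule MEMBERS CHAIN TARGET
# Print "-A CHAIN --out-interface <member> -j TARGET" for every member in
# MEMBERS (space-separated). Returns 1 when MEMBERS is empty so that a bond
# with no members does not silently yield an empty, and therefore
# non-filtering, rule set.
expand_egress_rule() {
    members=$1; chain=$2; target=$3
    [ -n "$members" ] || return 1
    for m in $members; do
        printf '%s\n' "-A $chain --out-interface $m -j $target"
    done
}

# egress_drop_section MEMBERS
# Wrap the expanded rules in the [iptables] header used by Cumulus ACL files.
egress_drop_section() {
    rules=$(expand_egress_rule "$1" FORWARD DROP) || return 1
    printf '[iptables]\n%s\n' "$rules"
}

# Constructed demonstration input (assumption): bond0 with members swp1 swp2.
DEMO_MEMBERS="swp1 swp2"

# Print the section for the constructed bond only when asked.
if [ "${1:-}" = "--demo" ]; then
    egress_drop_section "$DEMO_MEMBERS"
fi
```

Feeding `egress_drop_section "$(bond_members bond0)"` into a file under /etc/cumulus/acl/policy.d/ gives a rule set that follows the bond's real membership; the non-zero return on an empty member list is deliberate, so that a mistyped bond name is noticed rather than producing a policy that drops nothing.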

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-897 (CM-20086)
 

NCLU reports an error when attempting to configure FRR when the configured hostname begins with a digit:

unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch so that it begins with an alphabetic character, not a digit.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-898 (CM-20034)
Fiberstore SFP1G-LX-31 optic causes i2c bus to hang and switch to reboot

Using the Fiberstore SFP1G-LX-31 SFP module can cause the system to reboot.

This issue is currently being investigated.


RN-899 (CM-20028)
On the Dell-S4148 switch, you can't configure ports on the second pipeline into a gang

On the Dell S4148 switch, when you try to configure any of the ports on the second pipeline (ports 31-54) into a gang (40G/4) through the ports.conf file, switchd fails.

This issue is currently being investigated.


RN-900 (CM-20026)
OSPF default-information originate stops working if removed and added in quick succession

When OSPF is originating a default route, and the command is removed from the process, then re-added, the router stops advertising the default route. Configuring the default-information originate command a second time causes it to start working.

This issue is currently being investigated.


RN-901 (CM-19936)
'rdnbrd' should not be enabled with EVPN

If you start rdnbrd in an EVPN configuration, local and remote neighbor entries are deleted. Enabling rdnbrd in an EVPN configuration is not supported.


RN-902 (CM-19699)
BGP scaling not hashing southbound traffic from Infra switches

When routing traffic from Infra switches back through VXLAN, the switches choose one spine through which to send all flows.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-903 (CM-19643)
Disabling 'bgp bestpath as-path multipath relax' still leaves multipath across AS for EVPN

When BGP multipath is enabled, EVPN prefix (type-5) routes imported into a VRF always form multipath across paths that originate even from a different neighbor AS. This happens even if the as-path-relax configuration is disabled or not applied.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-904 (CM-20800)
NCLU 'net add' and 'net del' commands missing for EVPN type-5 default originate

The NCLU net add and net del commands are missing for the default originate EVPN type-5 route feature.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-907 (CM-20829)
'netd' fails on a reboot after upgrade to 3.6.0 with the error ImportError: No module named time

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you choose to keep the currently installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and you see errors in the logs when you try to restart it.

This issue is being investigated at this time.


RN-908 (CM-20789)
In symmetric VXLAN/EVPN, FRR crashes when flapping the peer link

In a symmetric VXLAN/EVPN environment, flapping the peer link causes FRR to crash on the peer switch. The issue is not seen if the clagd-vxlan-anycast-ip is not configured.

This issue is being investigated at this time.


RN-932 (CM-20869)
Bridge loop causes BGP EVPN to install remote MAC as a local MAC and does not recover automatically

A bridge loop causes frames that arrive through EVPN to be forwarded back to the EVPN bridge. After resolving the forwarding loop, the bridge FDB table recovers, but BGP does not recover automatically. Because the MAC appears to move rapidly, BGP installs the remote MAC as a local entry and advertises it out. Even though the bridge FDB table appears to be correct, bridged traffic destined to the misprogrammed MAC fails.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-933 (CM-20781)
NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError

Issuing the net add bgp neighbor command with swp1, swp2 or swp1-2 causes the following error:

TB NameError: global name 'ifname_expand_glob' is not defined.

This issue should be fixed in an upcoming release of Cumulus Linux.


RN-972 (CM-21003)
Cumulus Linux does not forward PTP traffic by default

Cumulus Linux 3.6.0 or later does not forward transit precision time protocol (PTP) packets as PTP is not enabled by default in Cumulus Linux. To work around this issue, downgrade the switch to Cumulus Linux 3.5.3.

This issue should be fixed in an upcoming release of Cumulus Linux.
