cnMatrix Release 4.1-r3 is now available at https://support.cambiumnetworks.com/files/cnmatrix/ .
This release is compatible with EX2K, EX1K, and TX2K cnMatrix models.
cnMatrix-EXTX Release Notes - 4.1-r3.pdf (849.0 KB)
What’s New in 4.1
cnMatrix Software Release 4.1 is supported on all cnMatrix hardware platforms: EX2K, EX1K and TX2K.
The cnMatrix 4.1 software archive file can be loaded on both EX and TX models. The archive file name contains EX and TX model names - cnMatrix-EXTX-4.1-r3.img.tar.gz.
Support for new TX model
Release 4.1 supports a new TX model, cnMatrix TX2028RF-P
IPv6 ND RA Guard
This feature prevents malicious and unwitting IPv6 Neighbor Discovery Router Advertisement packets entering the network at the edge. This feature can be enabled on a per-port basis.
cnMatrix(config-if)# ipv6 nd raguard attach-policy {host | router}
By attaching the “host” policy to a port, the IPv6 ND RA packets received on that port will be dropped at ingress. By attaching the “router” policy, the IPv6 ND RA packets will be allowed on that port.
By default, the “router” policy is attached to all ports.
To view the per-port configuration and statistics, use the command:
cnMatrix# show ipv6 nd raguard
IPv6 Neigbor Discovery RA Guard:
Port Policy Dropped Forwarded
RAs RAs
------ ------ --------- ---------
Gi0/1 Router 189
...
MAC Authentication Bypass - MAB
(also known as MAC Based Port Network Access Control)
This is the feature that allows authenticating non-802.1x capable devices based on their MAC address. The switch can use either the local dot1x database or a RADIUS (Remote Authentication Dial In User Service) server to authenticate the MAC address. For the local database, use the MAC address without any separator as the username and password, as shown in this example:
dot1x local-database aabbccddeeff password aabbccddeeff permission allow
When MAB is enabled, the authentication process will first try to identify any dot1x capable device connected on the port. When that fails, the same amount of time will be spent trying to acquire the MAC address of the device. Once the MAC address has been acquired, the switch will check that it is allowed access to the network, either locally or using a RADIUS server. If the MAC address has not been acquired during this time, the authentication process will start all over again. Despite not sending any identity-request messages during the MAC address acquisition, the switch will still listen for EAP-start messages and will initiate dot1x authentication once such a message is received.
To enable MAB on a port, you need to type the following commands:
| Command | Explanation |
|---|---|
configure terminal |
Enter global configuration mode |
interface gigabitEthernet 0/1 |
Enter interface configuration mode |
dot1x port-control auto |
Enable authentication on the port |
dot1x mac-auth-bypass |
Enable MAB |
dot1x reauth-max 3 |
(Optional) Configure the number of times the switch will try to authenticate dot1x devices. |
dot1x timeout tx-period 30 |
(Optional) Configure the time to wait for dot1x devices to respond. |
end |
Return to the privileged EXEC mode |
show dot1x interface gigabitEthernet 0/1 |
Displays the interface dot1x configuration. |
Once a device has been authenticated using MAB, further reauthentication attempts will use the same MAC address. To replace the MAC address, the link admin state or dot1x port-control must be bounced.
When in single-host mode, the switch will acquire the first MAC address and only this address will be allowed to access the network.
In multi-host mode, the switch will acquire the first MAC address and then allow any MAC address to access the network.
Port Network Access Control: Authorization
This feature adds the ability to change the access VLAN and 802.1p priority based on the attributes received from a RADIUS server. The authorization is disabled by default and can be enabled using the following commands:
| Command | Explanation |
|---|---|
configure terminal |
Enter global configuration mode |
aaa authorization network default group radius |
Set global dot1x authorization method to RADIUS |
end |
Return to the privileged EXEC mode |
show dot1x |
Displays global dot1x configuration |
For authorization to work, the following requirements must be met:
- The authentication method is set to RADIUS.
- The port is in access mode.
For dynamically assigning the VLAN, the switch expects the following attributes from the RADIUS server:
- Tunnel-Type
- Tunnel-Medium-Type
- Tunnel-Private-Group-ID
The Tunnel-Type attribute must be set to VLAN, the Tunnel-Medium-Type attribute must be set to IEEE-802 and the Tunnel-Private-Group-ID attribute must contain the VLAN ID as a string.
For dynamically assigning the 802.1p priority, the switch expects the User-Priority-Table attribute to contain the desired priority repeated 8 times. The reason for this is that cnMatrix 1k and 2k series only support overwriting the priority with a single value.
Here is an example user configuration for FreeRADIUS:
bob Cleartext-Password := "hello"
Service-Type = Framed-User,
Auth-Type := Accept,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-id = "70",
User-Priority-Table = "44444444"
MSTP support in cnMaestro
Starting with version 4.1-r3, cnMatrix supports MSTP configuration and monitoring from cnMaestro.
New MSTP configuration:
- MSTP enable/disable
- region name
- revision name
- instance-to-VLAN mapping
- instance priority
- priority per port-instance and port-channel group instance.
cnMaestro will also monitor the MSTP state per port-instance.
STP Path Cost method
The switch will allow the user to select between the IEEE 802.1D-1998 (short) and the IEEE802.1T (long) default STP path cost values. This is a per-switch (global) STP configuration and can be set in each STP operating mode (RSTP, PVRST, MSTP). The default method is “long”.
To configure the path cost method via CLI, run the following command :
cnMatrix(config)# spanning-tree pathcost method { long | short}
The configuration is also available in the Web GUI, for each STP mode.
Path cost values will be immediately modified on the operational ports, and the STP trees will be recalculated accordingly. Ports on which the cost is set manually will not be affected by this global setting.
Port Security: MAC address learn limit
This feature aims to provide a way for the switch to restrict the access to the network to a certain number of devices per port, based on their MAC address. Typically, on access ports there is only one device which accesses the network, and by using this feature, the network administrator ensures that the other devices don’t use the user’s connection to access the network.
The feature allows the network administrator to configure the maximum number of devices that can access the network from a specific port, and the action to be taken in case the configured number is exceeded.
To configure this feature via CLI:
This command enables the feature and set the default maximum to “1” and “protect” as the default action:
cnMatrix(config-if)# switchport port-security
This command disables the feature:
cnMatrix(config-if)# no switchport port-security
This command set the maximum number of MAC addresses allowed per port:
cnMatrix(config-if)# switchport port-security maximum <1-1000>
This command set the action to be taken in case the configured number is exceeded:
cnMatrix(config-if)# switchport port-security violation {protect | restrict}
protect - When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. The violation counter increments. You are not notified that a security violation has occurred.
restrict - When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. By default, the feature is disabled. When enabled, the maximum number of allowed MAC addresses is set to 1, and the action is set to protect.
cnMatrix Support For cnMaestro SNMP Agent Configuration
The 4.1-r3 release includes configuration support for the following settings:
- SNMP Agent enable/disable
- SNMPv2c Read-Only Community Name
- SNMPv2c Read-Write Community Name
- Trap Receiver IPv4 Address
- SNMPv3 User Name
- SNMPv3 User Password
- SNMPv3 User Access (read-only, read-write)
- SNMPv3 User Authentication Protocol
- SNMPv3 User Privacy enable/disable
To display the entries that are created via cnMaestro, use the following command:
cnMatrix(config)# show running-config snmp
Note: entries are read-only but are displayed as comments to provide a complete picture of the current configuration.
Energy Efficient Ethernet
Energy Efficient Ethernet (EEE) is an 802.3az standard that is designed to reduce the power consumption of copper interfaces during idle periods.
EEE can be enabled on devices that support Low Power Idle (LPI) mode. When the device enters LPI mode power consumption is reduced by shutting down certain services that are not needed during idle periods.
For EEE to function, both devices must support LPI mode and they must have EEE enabled.
To enable/disable EEE, via CLI, use the energy-efficient-ethernet command from the interface configuration.
Or, from the Web GUI: navigate to System → Energy Efficient Ethernet.
This feature provides a way for the switch to count the number of link transition events per port. And display this count to the user. This information can be displayed via the show interfaces command, as well as via the show interfaces link-transitions CLI command, and it is also visible in the Port Basic Settings page in the Web GUI.
Counter for link-up/down events
The Link-Transitions Count feature provides a way for the switch to count the number of link transition events per port. The feature shows the number of link transition events on a per-port basis, for all ports available and the timestamp of the last transition.
Interface Description History
To assist with tracking the status of connected devices, a short interface description history is now available. cnMatrix maintains both the current interface description (configured manually or based on LLDP/PBA processing) and the previous interface description. Updating the interface description to a new value automatically save the previous interface description value. The previous interface description value is displayed using the CLI show interface command and through the Statistics → Interface → Interface Statistics Web page.
Fixed Issues
| Tracking | Product | Feature | Description |
|---|---|---|---|
| 3404 | All | SSH | Exceptions encountered when using monitoring tools which connect to the switch through SSH |
| 3433 | All | SSH | Memory leak when multiple SSH sensors are enabled on network monitoring tool such as PRTG |
| 3475 | All | DHCP | Server DHCP pool name is not properly generated by show running-config. This can cause configuration failure when CLI template is pushed from cnMaestro. |
| 3533 | All | Spanning-Tree | Root Bridge changes continuously when SNTP is enabled and the clock is synchronized |
| 3562 | All | SFP+ | Ubiquiti BiTi transceiver not configured by auto-detect. The transceiver type is listed as N/A, the wavelength is displayed incorrectly. |
| 3573 | All | LLDP | LLDP-based PBA policy now allows multiple LLDP neighbors on the same port. Device such as IP Phone can use LLDP detection with PBA policy |
| 3574 | All | SSH | SSH segmentation fault when running Tenable Nessus software tool |
Known Issues in release 4.1-r3
| Tracking | Product | Description | Workaround |
|---|---|---|---|
| 388 | All | DHCP Relay: The switch doesn’t relay all DHCP Release and Renew packets if there are more than 360 DHCP clients connected to the switch. | Use cnMatrix switch to relay DHCP packets for less than 360 DHCP clients. |
| 460 | All | LLDP port-id-subtype setting and DHCP server host hardware-type 3 setting are lost after boot. | Reconfigure the settings if they are lost after reboot. |
| 519 | All | UP7 traffic not equally serviced if received from 2 different ports - SP scheduler | N/A |
| 695 | All | Ping doesn’t work between 1/10 Gb interfaces or 1/10 Gb port-channels when STP mode is PVRST and more than 9 VLANs are created. | N/A |
| 838 | All | DHCP Snooping: When disabling DHCP Snooping globally, the DHCP Snooping VLAN configuration is cleared. | Reconfigure DHCP Snooping per VLAN. |
| 848 | All | Auto Attach: For phone detection it is advisable not to use rules with LLDP-CAP “phone” as matching criteria. | Phones can be identified using other data LLDP data, such as System Description, System Name or Chassis ID. |
| 946 | All | Routing is not working on routed port when static ARP is used | Use static ARPs only for VLAN interfaces. |
| 985 | All | Exec-timeout setting is lost after reboot. Reconfigure this setting after unit reboot. | |
| 1056 | All | Physical ports that are part of a port-channel are returning to VLAN 1 after remote peer is performing a boot default.
|
N/A |
| 1555 | All | When downloading agent using SFTP from SSH/telnet session, the download progress is displayed on the console interface, not in the current session. | N/A |
| 1828 | All | Establishing a SSH session between two cnMatrix devices is not working. | N/A |
| 2103 | All | CnMaestro Router Port configuration from CLI Templates will result in faulty port performance tracking | N/A |
| 2122 | All | RIPv1/RIPv1 compatible updates are not sent to the RIP neighbors (3.0.1-r4 does not work with RIPv1 RIP router) | Only connect cnMatrix 3.0.1-r4 to RIPv2 neighbors, and set the RIP send update to RIPv2 mode |
| 3669 | All | 802.1x : Single Host – MAC address of the client is learnt in all the VLANs configured on the switch | N/A |
| 3513 | All | cnMaestro MSTP: In some cases, for very long VLAN lists associated to MSTP instances, the configuration may fail | N/A |
| 3514 | All | cnMaestro MSTP: When the VLAN-instance mapping is updated, the user may experience a momentary traffic drop | N/A |
| 3646 | All | 802.1x: Vlan Priority Attribute can be configured on Radius server with the standard attribute User-Priority-Table and the value accepted is in the format “xxxxxxxx”. ( 8x ) | N/A |
| 3677 | All | 802.1x : Single Host - Multiple hosts can be authenticated on the same port | N/A |
| 3586 | All | Storm-control not working correctly on a SFP+ port with 1G transceiver. Packet are limited on that port at a rate 10 time grater than for a 1G port. | N/A |
| 3683 | All | Port MAC Limiting: Migrated MAC addresses are not deleted from the software FDB table after the limit is reached on the new port. | This is a display issue. Please ignore this output. |
Feature Notes
- If you remove the default IP address from mgmt0 interface and save the running-config the default IP address is restored after boot.
- DHCP Client is enabled by default on In-Band Ports from VLAN 1.
- On EX1028 and EX1028P, VLAN 1 has the default IP address 192.168.1.1
- The Out-of-Band port has the following default IP address: 192.168.0.1.
Limitations
| Tracking | Product | Description | Workaround |
|---|---|---|---|
| 265 | Flow control counters displayed by the command show interface flow control are not incremented on Extreme Ethernet interfaces (10Gbps). | ||
| 437 | All | SNTP Authentication is not supported for broadcast and multicast modes. | |
| 2103 | All | Router Port configuration from CLI Templates will result in faulty port performance tracking | Configuring a router port from a template can lead to unexpected monitoring behavior. The setting is not recommended while using cnMaestro. |
| 2603 | All | If a static IP is set on L3 interface from CLI/Web, the out-of-sync condition is not triggered by cnMaestro. |