cnMatrix release 4.5-r3

cnMatrix Release 4.5-r3 is now available at
cnMatrix-EXTX Release Notes - 4.5-r3.pdf (833.0 KB)

Attention: Software downgrade from 4.5 to an earlier version will cause configuration on the switch to be lost (reset to default settings). This limitation will be addressed in a future release.

New Features

cnMatrix Release 4.5 brings new functionality supported on EX2K, EX1K, TX2K and TX1K.


Prior to 4.5 ACL can only be applied on switch ports. This feature allows ACL to be applied on VLANs. It implements a set of CLI commands that would allow the user to set an ACL on a VLAN, from the VLAN config menu.

Set the ACL 100 to VLAN 10

(config)# vlan 10
(config-vlan)# mac access-group 100 in

Remove the ACL from a VLAN

(config)# vlan 10
(config-vlan)# no mac access-group 100 in

PBA Action Localization

PBA action localization allows the same PBA policies to apply different settings based on certain device characteristics (a.k.a. device localization). This simplifies policy definition (no need for multiple policies with different actions) and allows action criteria to be changed by updating the device localization data. Localization allows the user to design network-wide (represented by a cnMaestro switch group) PBA policies that can have their associated action settings (i.e., the action context) easily customized for specific devices as needed. Refer to the User Guide for complete details.

This feature is available only for cnMaestroX.

PBA MAC List Support

PBA MAC list support allows PBA rules to be enhanced to support a non-contiguous range of MAC addresses for device identification. A user can download files that contain a list of MAC addresses. These named MAC lists can then be associated with rules using a new ‘MAC list’ rule type. When such a rule is associated with a PBA policy, the list of MAC addresses is consulted when determining if the policy matches the device identification data (i.e., a MAC address in this scenario) during the policy evaluation process. Refer to the User Guide for complete details.

This feature is available only for cnMaestroX.

Password encryption service

The password encryption service obfuscates the cleartext passwords in the configuration. The service is disabled by default, enabling it will encrypt all existing passwords in the configuration and will make sure the new passwords will be automatically encrypted. Disabling the service will leave the existing passwords encrypted, but new passwords will no longer be encrypted.

Enables password encryption service.

(config)# service password-encryption

Disables password encryption service.

(config)# no service password-encryption

CPU Monitor

When enabled, the cnMatrix switch captures the received packets that hit CPU (protocol packets, management packets). The packets are store within a buffer in DRAM and do not persist through a reboot. Once the data is captured, it can be displayed in hex format to CLI console.

Data can be exported as a packet capture (PCAP) file to allow for further examination. Typically used for advanced troubleshooting related to cnMatrix. Parameters are configured in exec mode and they are temporary. As result, the configuration is not stored within the switch configuration and does not remain in place after a system reboot.

Note: This feature does not capture data traffic exchanged between connected devices.

Set the buffer limit to be dumped.

(config)# cpu-monitor buffer-size

Set the maximum size of packet to be dumped.

(config)# cpu-monitor packet-size

Set the limit of packets to be dumped.

(config)# cpu-monitor packets-limit

Set the default values for CPU Monitor process.

(config)# default cpu-monitor

Display CPU Monitor parameters and the process status.

# show cpu-monitor config

Display CPU Monitor packets to CLI console in hex format.

# show cpu-monitor output

Clear the CPU Monitor buffer.

# clear cpu-monitor

Export CPU Monitor buffer as .pcap file to a remote server.

# copy cpu-monitor tftp://
# copy cpu-monitor scp://
# copy cpu-monitor sftp://


Display SFP/SFP+ Transceiver Diagnosis

The diagnosis parameters of an optical transceiver are included in the CLI command ‘show interface transceiver’. Refer to the cnMatrix MIB Archive for the SNMP MIB.

ACL Enhancement

ACL parameter to match TCP ACK/SYNC bit

Configure ACL filter with ACK bit set, RST bit not set and SYN bit set:

(config-ext-nacl)# permit tcp any any ack-set rst-not-set syn-set

Configure ACL filter with ACK bit not set, RST bit set and SYN bit can have any value:

(config-ext-nacl)# deny tcp any any ack-not-set rst-set

Egress VLAN Translation

Prior to 4.5 VLAN translation is supported only for inbound ACL. The egress VLAN translation allows the VLAN ID to be modified in the outbound direction.

Configure ACL to modify VLAN ID:

(config)# mac access-list extended 1
(config-ext-macl)# permit any any sub-action modify-vlan 100

Apply outbound ACL on the port:

(config-if)# mac access-group 1 out

DHCP Option 66 Enhancement

In Release 4.4 DHCP option 66 was supported for auto configuration of a factory defaulted switch, zero-touch provisioning. Release 4.5 allows creating new user and modifying the password of user admin in the configuration file to be installed on the switch using option 66.

Real-time DC CRPS Input Voltage

cnMatrix TX2K allows removable CRPS Power Supply which accepts 36V-72V input range. There are use cases that require the monitoring of the real-time voltage that feeds input to the CRPS. The existing CLI command ‘show system power-supply’ will display the current input voltage. Refer to the cnMatrix MIB Archive for the SNMP MIB.

Bug Fixes

Tracking Product Feature Description
4127 All QinQ Traffic is not passing through LACP after rebooting the peer LACP switch
4244 All QinQ Removing the customer-vlan on a CE port does not affect the pvid setting of the port
4315 All ACL ACL in consolidated mode may not become effective after access-list commit
4461 All EEE Disabling Energy-Efficient-Ethernet on a port is not restored after reboot (Ticket 305851, 329750)
4465 All DHCP Server The lease time in DHCP binding table is inaccurate (Ticket 320857)
4522 All cnMaestro Configuration fails with error fsusrMgmtUserLockRelTime
4533 All cnMaestro interface vlan range command can be executed in the cnMaestro’s User-Defined Overrides
4552 All PBA/cnMaestro cnMaestro becomes out-of-sync when a port mode transitions back to access or trunk upon clearing a PBA policy eg. device is removed from a port (Ticket 315622)
4558 All SSH Segmentation fault occurs while running ACAS tools to monitor the switch
4565 All QinQ Devices connected to CE port are unable to get DHCP IP address
4588 All ACL ACL in consolidated mode may not restore after switch reboot

Hmmm some cool features esp the sfp diagnostics but for anyone wanting to go head first into this.Best to do it in the lab on non prod .

“Attention: Software downgrade from 4.5 to an earlier version will cause configuration on the switch
to be lost (reset to default settings). This limitation will be addressed in a future release.”

Also kudos for the vlan switch acl.Some vendors are selling templated vlan acl feature as “IOT Mode” or “ET Mode” and give you predefined pull down and make sure that the devices can’t send traffic on the local vlan except to the L3 gateway or L2 Address and will allow you select to allow leaking cdp/lldp on non trunk ports .Might be worth your while to prepackage this on cnMaestro.Gets a lot of traction with other manufacturers.

Some cool PBA enhancements as well.

Big ups to the switching team.You guys are continuously belting out features.


Can we please get this added to cnMaestro cloud? Thanks!

Hi Eric, 4.5-r3 is now available on cnMaestro for cnMatrix upgrade.

1 Like

Can we get more layer 3 features in cnmaestro without having to use the user-defined overrides. DHCP functions and other functions that are available in the local UI. Please put all of those in the cnmaestro cloud.