cnMatrix Release 4.5-r3 is now available at https://support.cambiumnetworks.com/files/cnmatrix/.
cnMatrix-EXTX Release Notes - 4.5-r3.pdf (833.0 KB)
Attention: Software downgrade from 4.5 to an earlier version will cause configuration on the switch to be lost (reset to default settings). This limitation will be addressed in a future release.
New Features
cnMatrix Release 4.5 brings new functionality supported on EX2K, EX1K, TX2K and TX1K.
ACL on VLAN
Prior to 4.5, ACLs could only be applied on switch ports. This feature allows ACLs to be applied on VLANs. It adds a set of CLI commands that let the user set an ACL on a VLAN from the VLAN config menu.
Apply ACL 100 to VLAN 10
(config)# vlan 10
(config-vlan)# mac access-group 100 in
Remove the ACL from a VLAN
(config)# vlan 10
(config-vlan)# no mac access-group 100 in
PBA Action Localization
PBA action localization allows the same PBA policies to apply different settings based on certain device characteristics (a.k.a. device localization). This simplifies policy definition (no need for multiple policies with different actions) and allows action criteria to be changed by updating the device localization data. Localization allows the user to design network-wide (represented by a cnMaestro switch group) PBA policies that can have their associated action settings (i.e., the action context) easily customized for specific devices as needed. Refer to the User Guide for complete details.
This feature is available only for cnMaestroX.
PBA MAC List Support
PBA MAC list support allows PBA rules to be enhanced to support a non-contiguous range of MAC addresses for device identification. A user can download files that contain a list of MAC addresses. These named MAC lists can then be associated with rules using a new "MAC list" rule type. When such a rule is associated with a PBA policy, the list of MAC addresses is consulted when determining if the policy matches the device identification data (i.e., a MAC address in this scenario) during the policy evaluation process. Refer to the User Guide for complete details.
This feature is available only for cnMaestroX.
Password encryption service
The password encryption service obfuscates the cleartext passwords in the configuration. The service is disabled by default. Enabling it encrypts all existing passwords in the configuration and ensures that new passwords are encrypted automatically. Disabling the service leaves the existing passwords encrypted, but new passwords are no longer encrypted.
Enables password encryption service.
(config)# service password-encryption
Disables password encryption service.
(config)# no service password-encryption
CPU Monitor
When enabled, the cnMatrix switch captures the received packets that hit the CPU (protocol packets, management packets). The packets are stored in a buffer in DRAM and do not persist through a reboot. Once the data is captured, it can be displayed in hex format on the CLI console.
Data can be exported as a packet capture (PCAP) file to allow for further examination. This is typically used for advanced troubleshooting related to cnMatrix. Parameters are configured in exec mode and are temporary. As a result, the configuration is not stored within the switch configuration and does not remain in place after a system reboot.
Note: This feature does not capture data traffic exchanged between connected devices.
Set the buffer limit to be dumped.
(config)# cpu-monitor buffer-size
Set the maximum size of packet to be dumped.
(config)# cpu-monitor packet-size
Set the limit of packets to be dumped.
(config)# cpu-monitor packets-limit
Set the default values for CPU Monitor process.
(config)# default cpu-monitor
Display CPU Monitor parameters and the process status.
# show cpu-monitor config
Display CPU Monitor packets to CLI console in hex format.
# show cpu-monitor output
Clear the CPU Monitor buffer.
# clear cpu-monitor
Export CPU Monitor buffer as .pcap file to a remote server.
# copy cpu-monitor tftp://
# copy cpu-monitor scp://
# copy cpu-monitor sftp://
Enhancements
Display SFP/SFP+ Transceiver Diagnosis
The diagnosis parameters of an optical transceiver are included in the CLI command "show interface transceiver". Refer to the cnMatrix MIB Archive for the SNMP MIB.
ACL Enhancement
ACL parameters to match the TCP ACK/SYN bits
Configure ACL filter with ACK bit set, RST bit not set and SYN bit set:
(config-ext-nacl)# permit tcp any any ack-set rst-not-set syn-set
Configure ACL filter with ACK bit not set, RST bit set and SYN bit can have any value:
(config-ext-nacl)# deny tcp any any ack-not-set rst-set
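The matching behaviour of the two rules above can be checked offline. The following is an added example, not Cambium code: it treats each keyword as a constraint on one bit of the TCP flags byte and leaves unmentioned bits unconstrained, as the descriptions above state. The parser, function names and sample flag bytes are constructed for illustration.

```python
# Added example: models the TCP-flag keywords shown in the release notes.
# The parser and the sample flag bytes are constructed for illustration.
TCP_FLAG_BITS = {"ack": 0x10, "rst": 0x04, "syn": 0x02}  # standard TCP header bits

RULES = [  # the two ACL lines from the page
    "permit tcp any any ack-set rst-not-set syn-set",
    "deny tcp any any ack-not-set rst-set",
]

SAMPLES = {  # constructed TCP flags bytes
    "SYN": 0x02, "SYN+ACK": 0x12, "ACK": 0x10, "PSH+ACK": 0x18,
    "RST": 0x04, "RST+ACK": 0x14, "RST+SYN": 0x06,
}


def parse_rule(line):
    """Return (action, mask, value): a packet matches if flags & mask == value."""
    tokens = line.split()
    if (len(tokens) < 4 or tokens[0] not in ("permit", "deny")
            or tokens[1:4] != ["tcp", "any", "any"]):
        raise ValueError(f"unsupported rule: {line!r}")
    mask = value = 0
    for token in tokens[4:]:
        name, _, state = token.partition("-")
        if name not in TCP_FLAG_BITS or state not in ("set", "not-set"):
            raise ValueError(f"unknown flag keyword: {token!r}")
        mask |= TCP_FLAG_BITS[name]        # this bit is constrained
        if state == "set":
            value |= TCP_FLAG_BITS[name]   # and must be 1 (otherwise 0)
    return tokens[0], mask, value


def matches(line, flags):
    """True if the TCP flags byte satisfies every keyword on the rule."""
    _, mask, value = parse_rule(line)
    return flags & mask == value


def report():
    """Map each sample to the actions of the rules it matches."""
    return {name: [parse_rule(r)[0] for r in RULES if matches(r, flags)]
            for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, actions in report().items():
        print(f"{name:8} -> {actions or 'no match'}")
```

Only SYN+ACK satisfies the permit rule, while RST and RST+SYN satisfy the deny rule. RST+ACK, a common reset form, matches neither, which is worth keeping in mind when writing filters with these keywords.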
Egress VLAN Translation
Prior to 4.5, VLAN translation was supported only for inbound ACLs. Egress VLAN translation allows the VLAN ID to be modified in the outbound direction.
Configure ACL to modify VLAN ID:
(config)# mac access-list extended 1
(config-ext-macl)# permit any any sub-action modify-vlan 100
Apply outbound ACL on the port:
(config-if)# mac access-group 1 out
DHCP Option 66 Enhancement
In Release 4.4, DHCP option 66 was supported for auto configuration of a factory defaulted switch (zero-touch provisioning). Release 4.5 allows the configuration file installed on the switch using option 66 to create a new user and to modify the password of the user admin.
Real-time DC CRPS Input Voltage
cnMatrix TX2K supports a removable CRPS power supply which accepts a 36V-72V input range. There are use cases that require monitoring the real-time voltage that feeds the CRPS input. The existing CLI command "show system power-supply" will display the current input voltage. Refer to the cnMatrix MIB Archive for the SNMP MIB.
Bug Fixes
Tracking | Product | Feature | Description |
---|---|---|---|
4127 | All | QinQ | Traffic is not passing through LACP after rebooting the peer LACP switch |
4244 | All | QinQ | Removing the customer-vlan on a CE port does not affect the pvid setting of the port |
4315 | All | ACL | ACL in consolidated mode may not become effective after access-list commit |
4461 | All | EEE | Disabling Energy-Efficient-Ethernet on a port is not restored after reboot (Ticket 305851, 329750) |
4465 | All | DHCP Server | The lease time in DHCP binding table is inaccurate (Ticket 320857) |
4522 | All | cnMaestro | Configuration fails with error fsusrMgmtUserLockRelTime |
4533 | All | cnMaestro | interface vlan range command can be executed in the cnMaestro's User-Defined Overrides |
4552 | All | PBA/cnMaestro | cnMaestro becomes out-of-sync when a port mode transitions back to access or trunk upon clearing a PBA policy, e.g. device is removed from a port (Ticket 315622) |
4558 | All | SSH | Segmentation fault occurs while running ACAS tools to monitor the switch |
4565 | All | QinQ | Devices connected to CE port are unable to get DHCP IP address |
4588 | All | ACL | ACL in consolidated mode may not restore after switch reboot |