Enhancements

This section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest at the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

Table 1: Enhancements

Version

Software

Description

Category

16.11.0024

WC

From this release onwards the name Aruba will be updated to HPE ANW or HPE Aruba Networking in areas that are visible to the end user.

CLI

16.11.0023

WC

No enhancements were included in version 16.11.0023.

NA

16.11.0022

WC

Version 16.11.0022 is unavailable for download.

NA

16.11.0021

WC

No enhancements were included in version 16.11.0021.

NA

16.11.0020

WC

No enhancements were included in version 16.11.0020.

NA

16.11.0019

WC

No enhancements were included in version 16.11.0019.

NA

16.11.0018

WC

Support for the following 10G C-class transceivers:

  • HPE Aruba Networking 10G SFP+ LC SR 400m OM4 MMF C-Class Transceiver (S2P30A)

  • HPE Aruba Networking 10G SFP+ LC LR 10km SMF C-Class Transceiver (S2P31A)

  • HPE Aruba Networking 10G SFP+ LC ER 40km SMF C-Class Transceiver (S2P32A)

C-Class Transceivers

16.11.0017

WC

Version 16.11.0017 is unavailable for download.

NA

16.11.0016

WC

Support for switches to send device-level stats metric information to Central, indicating the total power consumed by the switch.

Central Integration

16.11.0015

WC

Support for removing old ciphers from the SSH host key algorithm has been added. A new configuration option, ip ssh host-key-algorithm, allows customers to remove and disable outdated ssh-rsa ciphers in the host key algorithm.

SSH

16.11.0015

WC

Support to verify VSF error logs that are being sent to Central has been introduced. The show logging command can be used on the switch to verify VSF error events.

Central Integration

16.11.0014

WC

No enhancements were included in version 16.11.0014.

NA

16.11.0013

WC

No enhancements were included in version 16.11.0013.

NA

16.11.0012

WC

Support for https-based firmware downloads from Aruba Central has been added.

A trust anchor has been embedded in the firmware for verifying the firmware repository server certificate. The Subject Alternative Name (SAN) in the server certificate is now verified, and the newly added trust anchor is limited to https-based firmware downloads only.

Central Integration

16.11.0011

WC

No enhancements were included in version 16.11.0011.

NA

16.11.0010

WC

The User Role feature of the switch is enhanced to allow configuring the authentication client limits for a port.

The following new attributes are added under the device context of User Role.

  • client-limit dot1x: Configure the 802.1X client limit.

  • client-limit mac-based: Configure the MAC-based client limit on the client's port using the user role.

When a client is authenticated with a user role that has the above attributes, the port's client limit is temporarily overridden.

Multiple overrides are allowed on the same port using a user role or RADIUS VSA, only if the new limits are greater than the already applied limit.

User Role

16.11.0009

WC

Version 16.11.0009 is unavailable for download.

NA

16.11.0008

WC

No enhancements were included in version 16.11.0008.

NA

16.11.0007

WC

A new configuration option is added in LLDP to specify which VLAN's IP address should be included in the outbound LLDP advertisements of switch ports.

The IPv4/IPv6 address configured statically or dynamically assigned through DHCP on the specified management VLAN will be included in the outbound LLDP advertisements.

Syntax: [no] lldp management-address vlan <vid>

  • Interface-level management address configuration will take precedence over the newly introduced management VLAN address.

  • In case of multinetting, the first IP address on the interface will be advertised.

  • Both statically configured and dynamically assigned IP addresses of the LLDP management VLAN will be considered for advertising.

  • If the LLDP management VLAN has both IPv4 and IPv6 addresses configured, then both the IPv4 and IPv6 addresses will be advertised.

  • If there is no IPv4 or IPv6 address present in the configured LLDP management VLAN, then the existing workflow will be used to select the management address. Refer to the Aruba 2530 Management and Configuration Guide for AOS-S 16.11 for more information on the workflow.

LLDP

16.11.0007

WC

To provide a secured management connection to the switch, the following improvements are made:

  • Disabled TELNET on default configuration (no telnet-server).

  • Disabled HTTP on default configuration (no web-management).

  • Enabled HTTPS on default configuration (web-management ssl) using the installed self-signed certificate.

  • The switch will redirect all HTTP requests (including REST) to HTTPS when HTTP is disabled and HTTPS is enabled.

The above configuration changes will be applied on firmware upgrade of switches with default configuration, i.e. only for switches that meet the following configuration criteria:

  • Only the default VLAN must be present.

  • The default VLAN should have a DHCP IP rather than a static IP.

  • AirWave should not be configured.

  • Aruba Central URL should not be configured.

  • Manager password should not be configured.

Security

16.11.0006

WC

The IP Auth manager feature has been added to close a TCP connection from an unauthorized client by sending a TCP RST immediately after receiving a TCP SYN packet, rather than allowing a complete three-way TCP handshake and then sending a TCP RST.

NOTE:

When an unauthorized client connects via the OOBM port, the existing behaviour remains unchanged.

Security

16.11.0005

WC

No enhancements were included in version 16.11.0005.

NA

16.11.0004

WC

The OSPF Route Filtering feature provides an option to filter intra-area routes so that they are not installed into the local FIB table.

Using this feature, an operator can create a distribute-list with one or more network addresses, which is used to filter the intra-area routes in OSPFv2/OSPFv3.

Syntax:

OSPFv2: distribute-list <IP-ADDR>/<Prefix-Len>

OSPFv3: distribute-list <IPV6-ADDR>/<Prefix-Len>

Refer to the Aruba 3810/5400R Multicasting and Routing Guide for AOS-S Switch 16.11 and Aruba 3810/5400R IPv6 Configuration Guide for AOS-S Switch 16.11 for more information.

OSPF/OSPFv3

16.11.0004

WC

Added support in Device fingerprinting (DFP) module to send protocol data to Aruba Central for telemetry.

Added options-list parameter to device-fingerprinting CLI. Switch software is enhanced to collect DHCP options list and up to three instances of HTTP user agent headers.

Syntax: device-fingerprinting [policy]<PROFILE_NAME> dhcp [option-num <NUM> | options-list].

Refer to the Aruba 3810/5400R Access Security Guide for AOS-S Switch 16.11 for more information.

Device Finger Printing

16.11.0003

WC

The Enrollment over Secure Transport (EST) client feature is updated to download and renew the CA certificates from an EST server independent of application certificate enrollment. A new command est-server <profile-name> cacerts-download is added to enable independent CA certificate download from the EST server. This enhancement initiates automatic CA certificate download and renewal when the existing TA profile is about to expire. The switch will use the existing est-server <profile-name> re-enrollment-prior-expiry command to determine how many days in advance the renewal is to be done. A MIB has also been added to enable automatic download and renewal of the CA certificates from the EST server.

Refer to the Aruba 2930M/2930F Access Security Guide for AOS-S 16.11 and Aruba MIB and Trap Support Matrix for AOS-S 16.11 for more information.

EST

16.11.0002

WC

TCP timestamps are an extension to the original TCP stack that was introduced to identify and reject old duplicate packets (PAWS) and to improve round-trip-time measurement. Using a scanner or other tool, an attacker can observe the TCP timestamp and determine the system uptime to gain information about the operational state of the system.

To avoid such risks, a new command ip tcp randomize-timestamp has been introduced to randomize the TCP timestamp offsets per connection. Once the command is issued, all newly established TCP sessions will use a random offset along with the timestamp.

A MIB has also been added to enable or disable the randomization of TCP timestamp offsets.

Refer to the Aruba 2930F/2930M Management and Configuration Guide for AOS-S 16.11 and Aruba MIB and Trap Support Matrix for AOS-S 16.11 for more information.

Security

16.11.0002

WC

This is an enhancement to the existing User-Based Tunneling vlan-extend-enable (VLAN-aware) mode. Silent devices like Programmable Logic Controller (PLC) devices do not initiate any traffic until they receive a message from the uplink server. Thus, such devices cannot leverage the benefits of colorless ports, which include being authenticated through a RADIUS server and being dynamically placed in a VLAN or being tunneled to a controller.

To support such silent devices, a new command tunneled-node-server ubt-wol-enable vlan <VLAN-ID-LIST> has been introduced. This command configures the silent client so that the controller allows the first packet from the silent server to reach the silent client without a user tunnel. This will initiate user authentication and tunnel formation.

A MIB has also been added to enable User-Based Tunneling Wake-on-LAN (WoL) on the specified VLANs.

Refer to the Aruba 2930F/2930M Management and Configuration Guide for AOS-S 16.11 and Aruba MIB and Trap Support Matrix for AOS-S 16.11 for more information.

Support for Silent Device

16.11.0001

WC

Updated all non-inclusive terminologies. Refer to Terminology Change for more information.

-
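An added illustration for the 16.11.0002 TCP timestamp entry above (not HPE code): a simulation of how an observer derives uptime from the TSval field, and why a per-connection random offset defeats that estimate while the clock rate seen on each connection, which PAWS and RTT measurement rely on, is unchanged. The 1000 Hz clock rate, the keyed-hash offset construction, the secret and the addresses are assumptions; the release note does not say how the switch derives its offsets.

```python
import hashlib
import hmac

MOD = 2 ** 32   # TSval is a 32-bit field (RFC 7323)
HZ = 1000       # assumed timestamp clock rate (ticks per second)


def tsval(uptime_s, offset=0):
    """TSval sent after uptime_s seconds, with an optional per-connection offset."""
    return (int(uptime_s * HZ) + offset) % MOD


def conn_offset(secret, four_tuple):
    """Assumed construction: 32-bit offset from a keyed hash of the 4-tuple."""
    mac = hmac.new(secret, repr(four_tuple).encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:4], "big")


def observe(uptime_s, offset, gap_s=10):
    """Two (wall_clock_s, TSval) samples taken gap_s apart on one connection."""
    return (0, tsval(uptime_s, offset)), (gap_s, tsval(uptime_s + gap_s, offset))


def estimate(samples):
    """What an observer infers: (clock rate in Hz, apparent uptime in seconds)."""
    (t0, v0), (t1, v1) = samples
    rate = ((v1 - v0) % MOD) / (t1 - t0)   # modulo handles counter wrap
    return rate, v0 / rate


def compare(true_uptime_s, secret, connections):
    """Apparent uptime without randomization, then per connection with it."""
    _, plain = estimate(observe(true_uptime_s, 0))
    randomized = [estimate(observe(true_uptime_s, conn_offset(secret, c)))
                  for c in connections]
    return plain, randomized


# Constructed sample data: 3 days 1234 s of uptime, three SSH connections.
UPTIME = 3 * 86400 + 1234
CONNS = [("192.0.2.10", 50000 + i, "192.0.2.1", 22) for i in range(3)]

if __name__ == "__main__":
    plain, randomized = compare(UPTIME, b"constructed-demo-secret", CONNS)
    print(f"no offset: apparent uptime {plain:.0f} s (true {UPTIME} s)")
    for conn, (rate, up) in zip(CONNS, randomized):
        print(f"port {conn[1]}: rate {rate:.0f} Hz, apparent uptime {up:.0f} s")
```

Without an offset the estimate equals the true uptime; with per-connection offsets each connection reports a different, unrelated value, so a single probe no longer reveals when the device last rebooted.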