Enhancements

This section lists enhancements added to this branch of the software.

Software enhancements are listed in reverse-chronological order, with the newest on the top of the list. Unless otherwise noted, each software version listed includes all enhancements added in earlier versions.

Table 1: Enhancements

Version

Software

Description

Category

16.11.0027

YC

No enhancements were included in version 16.11.0027.

NA

16.11.0026

YC

The following features are to be implemented to enhance STP visibility:

  • STP port status – Learning/Forwarding/Blocking/Disabled/BPDU-Error

  • STP port role – Designated/Alternate/Root/Backup/Conductor

  • Ports disabled information – If ports are disabled by bpdu_guard, root_guard, loop_guard, pvid_mismatch, or rpvst_guard.

  • Root Bridge information of the switch – Identify the switch that is the root bridge.

  • STP instances – Instance ID.

  • STP instance priority – Priority of the respective STP instances.

  • STP mode configured on the device – MSTP/RSTP.

  • STP topology changes – The number of topology changes.

  • Topology change flag.

  • Last topology change occurred at.

Event Log

16.11.0025

YC

Support for the AOS-S switches to send the message-authenticator attribute in RADIUS requests and to validate the same in responses from the server.

Radius

16.11.0024

YC

From this release onwards the name Aruba will be updated to HPE ANW or HPE Aruba Networking in areas that are visible to the end user.

CLI

16.11.0023

YC

No enhancements were included in version 16.11.0023.

NA

16.11.0022

YC

Version 16.11.0022 is unavailable for download.

NA

16.11.0021

YC

No enhancements were included in version 16.11.0021.

NA

16.11.0020

YC

No enhancements were included in version 16.11.0020.

NA

16.11.0019

YC

No enhancements were included in version 16.11.0019.

NA

16.11.0018

YC

No enhancements were included in version 16.11.0018.

NA

16.11.0017

YC

Version 16.11.0017 is unavailable for download.

NA

16.11.0016

YC

Support for switches to send device-level stats metric information to Central, indicating the total power consumed by the switch.

Central Integration

16.11.0015

YC

Support for removing old ciphers in the host key algorithm has been added. A new configuration option has been introduced which allows customers to remove ssh-rsa ciphers. Customers will be able to remove and disable outdated ssh-rsa ciphers in the host key algorithm using ip ssh host-key-algorithm.

SSH

16.11.0014

YC

No enhancements were included in version 16.11.0014.

NA

16.11.0013

YC

No enhancements were included in version 16.11.0013.

NA

16.11.0012

YC

Support for https-based firmware downloads from Aruba Central has been added.

The firmware has been embedded with a trust anchor for verifying the firmware repository server certificate. Updates are made to verify the Subject Alternative Name (SAN) from the server certificate and to limit the newly added trust anchor to https-based firmware downloads only.

Central Integration

16.11.0011

YC

No enhancements were included in version 16.11.0011.

NA

16.11.0010

YC

The User Role feature of the switch is enhanced to allow configuring the authentication client limits for a port.

The following new attributes are added under the device context of user role.

  • client-limit dot1x: Configure the 802.1X client-limit.

  • client-limit mac-based: Configure the mac-based client-limit on the client’s port using the User Role.

 

When a client is authenticated with a user role that has the above attributes, the port's client limit is temporarily overridden.

Multiple overrides are allowed on the same port using user role or RADIUS VSA, only if the new limits are greater than the already applied limit.

User Role

16.11.0009

YC

Version 16.11.0009 is unavailable for download.

NA

16.11.0008

YC

No enhancements were included in version 16.11.0008.

NA

16.11.0007

YC

A new configuration option is added in LLDP to specify which VLAN's IP address should be included in the outbound LLDP advertisements of switch ports.

The IPv4/IPv6 address configured statically or dynamically assigned through DHCP on the specified management VLAN will be included in the outbound LLDP advertisements.

Syntax: [no] lldp management-address vlan <vid>

  • Interface level management address configuration will take precedence over the newly introduced management VLAN address.

  • In case of multinetting, the first IP address in the interface will be advertised.

  • Statically configured and dynamically assigned IP addresses of the LLDP management VLAN will be considered for advertising.

  • If the LLDP management VLAN has both IPv4 and IPv6 addresses configured, then both the IPv4 and IPv6 addresses will be advertised.

  • If there is no IPv4 or IPv6 address present in the configured LLDP management VLAN, then the existing workflow will be used to select the management address. Refer to the Aruba 2530 Management and Configuration Guide for AOS-S 16.11 for more information on the workflow.

LLDP

16.11.0007

YC

To provide a secured management connection to the switch, the following improvements are made:

  • Disabled TELNET on default configuration (no telnet-server).

  • Disabled HTTP on default configuration (no web-management).

  • Enabled HTTPS on default configuration (web-management ssl) using the installed self-signed certificate.

  • Switch will redirect all HTTP requests (including REST) to HTTPS, when HTTP is disabled and HTTPS is enabled.

The above configuration changes will be applied on firmware upgrade of switches with default configuration, i.e. only for switches that meet the following configuration criteria:

  • Only the default VLAN must be present.

  • The default VLAN should have DHCP IP rather than a static IP.

  • AirWave should not be configured.

  • Aruba Central URL should not be configured.

  • Manager password should not be configured.

Security

16.11.0006

YC

The IP Auth manager feature has been added to close a TCP connection from an unauthorized client by sending a TCP RST immediately after receiving a TCP SYN packet, rather than allowing a complete three-way TCP handshake and then sending a TCP RST.

NOTE:

When an unauthorized client connects via the OOBM port, the existing behavior remains unchanged.

Security

16.11.0005

YC

No enhancements were included in version 16.11.0005.

NA

16.11.0004

YC

No enhancements were included in version 16.11.0004.

NA

16.11.0003

YC

No enhancements were included in version 16.11.0003.

NA

16.11.0002

YC

TCP timestamps are an extension to the original TCP stack that was introduced to identify and reject old duplicate packets (PAWS) and to improve round-trip-time measurement. Using a scanner or other tool, an attacker can observe the TCP timestamp and determine the system uptime to gain information about the operational state of the system.

To avoid such risks, a new command ip tcp randomize-timestamp has been introduced to randomize the TCP timestamp offsets per connection. Once the command is issued, all the newly established TCP sessions will use a random offset along with the timestamp.

A MIB has also been added to enable or disable the randomization of TCP timestamp offsets.

Refer to the Aruba 2540 Management and Configuration Guide for AOS-S 16.11 and Aruba MIB and Trap Support Matrix for AOS-S 16.11 for more information.

Security

16.11.0001

YC

Updated all non-inclusive terminologies. Refer to Terminology Change for more information.

-
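The 16.11.0025 entry describes sending the message-authenticator attribute in RADIUS requests and validating it in responses. The following is an added example, not code from the switch firmware, of how that attribute is computed and checked per RFC 2869 / RFC 3579; the function names, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build(code, ident, attrs, secret, request_auth=None):
    """Build a packet with Message-Authenticator as the first attribute.

    request_auth is None for an Access-Request (a fresh random authenticator
    is used) and the request's authenticator when building a reply.
    """
    auth = request_auth if request_auth is not None else os.urandom(16)
    rest = b"".join(attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + 18 + len(rest))
    # HMAC-MD5 over the whole packet with the attribute value set to 16 zero bytes.
    unsigned = header + auth + attr(MSG_AUTH, bytes(16)) + rest
    body = attr(MSG_AUTH, hmac.new(secret, unsigned, hashlib.md5).digest()) + rest
    if request_auth is not None:  # reply: field carries the Response Authenticator
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def message_authenticator_ok(packet, secret, request_auth=None):
    """True only if exactly one Message-Authenticator is present and correct."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    # Replies are verified against the authenticator of the request they answer.
    auth = request_auth if request_auth is not None else packet[4:20]
    pos, found = 20, None
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False  # malformed attribute
        if a_type == MSG_AUTH:
            if a_len != 18 or found is not None:
                return False  # wrong size or duplicated attribute
            found = pos + 2
        pos += a_len
    if pos != len(packet) or found is None:
        return False  # trailing bytes, or attribute missing: reject
    zeroed = packet[:4] + auth + packet[20:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found:found + 16])
```

A reply from which the attribute has been stripped is rejected rather than accepted as unauthenticated, which is the property that makes validation on the client side meaningful.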
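The 16.11.0002 entry explains that TCP timestamps can reveal uptime and that ip tcp randomize-timestamp applies a random offset per connection. As an added example (not part of the release notes), the check below takes TSval samples captured from several connections to one device and reports whether they still share a single clock origin. The 1000 Hz tick rate, the function names and all sample values are assumptions constructed for illustration.

```python
def circular_spread(values, period):
    """Width of the smallest arc containing all values on a circle of `period`."""
    pts = sorted(v % period for v in values)
    gaps = [b - a for a, b in zip(pts, pts[1:])] + [pts[0] + period - pts[-1]]
    return period - max(gaps)


def clock_origins(samples, hz):
    """Per connection: capture time minus TSval/hz, from the first segment seen."""
    origins = {}
    for conn, seen_at, tsval in samples:
        origins.setdefault(conn, seen_at - (tsval % 2**32) / hz)
    return origins


def timestamps_expose_uptime(samples, hz=1000, tolerance_s=2.0):
    """True if all connections agree on one clock origin (no per-connection offset).

    Origins are compared modulo the 32-bit wrap period so that a counter that
    wrapped between two connections is still recognised as the same clock.
    """
    origins = clock_origins(samples, hz)
    if len(origins) < 2:
        raise ValueError("need segments from at least two connections")
    return circular_spread(origins.values(), 2**32 / hz) <= tolerance_s


# Constructed samples: (connection id, capture time in s, TSval), assumed 1000 Hz.
SHARED_CLOCK = [
    ("conn-a", 1_700_000_000.0, 86_400_000),
    ("conn-b", 1_700_000_030.0, 86_430_000),
    ("conn-c", 1_700_000_095.5, 86_495_500),
]
# Same captures with a constructed random 32-bit offset added per connection.
OFFSETS = [0x1A2B3C4D, 0x9F001122, 0x00C0FFEE]
RANDOMIZED = [
    (conn, seen_at, (tsval + off) % 2**32)
    for (conn, seen_at, tsval), off in zip(SHARED_CLOCK, OFFSETS)
]
```

Run against captures taken before and after enabling the command, the first result should be True and the second False; only sessions established after the command is issued are expected to change.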