Limitations and restrictions
Security improvements have been made in this release; however, some limitations still exist.
Disable spanning tree processing on individual ports
Since this feature turns off spanning tree on a particular link, it is possible for bridge loops to form, resulting in broadcast storms. A good understanding of the remote network is required before enabling this feature.
Multiple backplane support
The ability to configure the backplane that traffic uses is only available on Flexware uCPE platforms, and the ability to configure the CPUs that the dataplane will use is only available on backplane interfaces.
Port monitor hardware support
This section details how additional load can affect port monitor sessions.
Backplane bandwidth and expected traffic patterns on the Flexware uCPE platform should be taken into account when port monitor sessions are configured. For XS uCPE, the backplane bandwidth is 2.5 G, and all eight front panel ports are 1 G. For S, M, and L uCPEs, the backplane interconnect is 10 G and the number of front panel ports ranges from 14 in S and M, to 40 in L, some of which support 10 G SFPs.
If the destination port is a vhost interface, mirrored packets for hardware-switched traffic will be punted to the CPU, causing additional load on the backplane interface; this should be taken into account when configuring port monitor sessions on the uCPE.
64-bit wide QoS counters
This feature can only be used after at least one QoS policy has been associated with an interface. The existing show queuing commands will be deprecated in a future release and superseded by show policy qos.
Support marking Ethernet COS bits (0-7) on outgoing packets
This feature should improve future flexibility and possibly support multiple mark-maps.
This feature only supports a single mark-map on the UfiSpace S9500-30XS hardware; however, the QoS configuration commands will allow multiple mark-maps to be defined. This is to allow for future flexibility and the possibility of supporting multiple mark-maps.
This feature is a replacement for QoS's use of the NPF match <match-name> dscp <dscp-value> and match <match-name> mark pcp <pcp-value> commands that can be used as packet classification rules by QoS. The QoS class command and the NPF match commands will not be available on the SIAD platform, and the new commands introduced by this feature will only be available on the SIAD platform, so there is no possibility of these two sets of commands interfering with one another.
Shared storage and file access
This feature provides users with access to shared storage and files.
This feature works best with the user isolation feature; however, shared storage may also be configured on systems with user isolation disabled. Both of these configurations can expose sensitive information about the system and should be used sparingly. The writable shared directories should be cleaned up regularly.
Deprecation of TACACS+ local-user-name authorization argument
This feature allows TACACS+ to log in as an already configured local user; however, this capability will be removed in a future release.
The local-user-name authorization argument allows TACACS+ to log in as an already configured local user. Alternatively, Vyatta also supports on-the-fly creation of a local user during the login process for TACACS+ users. This is done when local-user-name is not present in the session authorization reply. Support for this feature will be removed in a future release, at which time the presence of the local-user-name argument in authorization replies will cause an authorization failure.
REST API spawn commands
This section details the REST API spawn commands.
When executed via the REST API, the spawn operational mode command is not run in the calling user's isolated environment. Therefore, the default ACM operational mode ruleset in 1903 is updated to prevent operator-level and admin-level users from executing spawn.
# set system acm operational-ruleset rule 9971 action deny
# set system acm operational-ruleset rule 9971 command '/spawn/*'
# set system acm operational-ruleset rule 9971 group vyattaop
# set system acm operational-ruleset rule 9971 group vyattaadm
cmd=spawn
protocol=op-mode
service=vyatta-exec
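To check that rule 9971 really covers both groups before relying on it, here is an added example (not code from the release notes or from Vyatta) that models the ruleset above in Python. The matching semantics it assumes (ascending rule order, first match wins, permit when nothing matches), the request path and the non-Vyatta group name used in the checks are assumptions, not documented behaviour.

```python
from fnmatch import fnmatchcase

# Rule 9971 exactly as set in the 1903 default operational ruleset shown above.
DEFAULT_OP_RULESET = {
    9971: {
        "action": "deny",
        "command": "/spawn/*",
        "groups": {"vyattaop", "vyattaadm"},
    },
}


def evaluate(ruleset, command_path, user_groups):
    """Return (action, rule_number) for one op-mode request.

    Assumed semantics (not specified on the page): rules are tried in
    ascending rule number; the first rule whose command glob matches the
    request path and whose group set intersects the user's groups decides;
    a request matching no rule is permitted and reports rule_number None.
    """
    user_groups = set(user_groups)
    for number in sorted(ruleset):
        rule = ruleset[number]
        if not fnmatchcase(command_path, rule["command"]):
            continue
        if not (rule["groups"] & user_groups):
            continue
        return rule["action"], number
    return "permit", None


def spawn_blocked_for(ruleset, groups):
    """True when every listed group is denied the spawn command."""
    # "/spawn/some-program" is a constructed request path for the check.
    return all(
        evaluate(ruleset, "/spawn/some-program", [g])[0] == "deny" for g in groups
    )


if __name__ == "__main__":
    # Constructed requests: the two groups the rule targets, a non-spawn
    # command, and a hypothetical group the rule does not mention.
    for path, groups in [("/spawn/some-program", ["vyattaop"]),
                         ("/spawn/some-program", ["vyattaadm", "users"]),
                         ("/show/version", ["vyattaop"]),
                         ("/spawn/some-program", ["other-group"])]:
        print(path, groups, "->", evaluate(DEFAULT_OP_RULESET, path, groups))
    print("spawn denied for vyattaop and vyattaadm:",
          spawn_blocked_for(DEFAULT_OP_RULESET, ["vyattaop", "vyattaadm"]))
```

A user in a group the rule does not name is still permitted under these assumed semantics, so any additional groups need their own rule.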