This feature introduces Intercept ARP from-us packets and queues them with DSCP 48 marked from-us packets.

When a QoS policy is configured on an interface, this takes from-us ARP packets and queues them with the from-us DSCP traffic on the local priority queue if one is present. If the local priority queue is not configured, then they will be queued with the transit DSCP-48 traffic.

This feature introduces filter support for IEEE BPDU frames.

In order to prevent endpoints unexpectedly joining a bridge/switch domain, there is a need for a mechanism to completely block the processing of BPDUs on selected interfaces. Further, the interface should not issue any BPDUs. Essentially, STP needs to be disabled on a selected interface.

Need support for Intel X552/X557-AT2 NICs 0x15AD (10GBASE-T). This is the built-in Broadwell-DE NIC.

The current statistics/counter retrieval API for to the DPDK for QoS statistics is only 32-bits wide, this provides a common statistics retrieval API across both the DPDK and the hardware platforms.

Support ENTITY-MIB, ENTITY-STATE-MIB, and ATT-VROUTER-ENTITY-STATE-MIB.

This feature adds minor enhancements to the system that will improve the system acceptance testing experience by the customer and will aid the field teams with general troubleshooting.

• Dataplane – No new CLIs introduced for this component, but the show tech-support has been enhanced to show:
  • Dataplane ARP state
  • Routes stored in the dataplane so they can be compared with the routes stored in the RIB to identify any discrepencies
• Journald – A new CLI introduced to disable rate limiting for journald so that a complete set of logs can be collected for better debugging:
  • Set system journal rate-limit burst <size>, where <size> are the number of messages (default 1000 messages) to log in a given time interval, for example <time> (default 30s)
  • Set system journal rate-limit <time>
• IPsec – No new CLIs introduced for this component, but the log levels for IPsec have been adjusted to reflect the correct intention with the existing CLI. For log-mode private set with set security vpn ipsec logging log-modes private, Strongswan levels used to be set to: chd=3, ike=3 these have been changed to chd=3, ike=4, mgr=2.
• Systemd – No new CLIs introduced for this component, but show tech-support has been enhanced to show:
  • Current systemd status
  • Show any services that failed to start

This feature introduces changes to SSH client and server interop.

Add CLI support to enable the following legacy SSH algorithms:

• Client: Host key algorithm ssh-dss
• Server: Key exchange algorithms diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1

A new CLI is required to set the libvirt XML disk cache to avoid QCOW2 corruption in the case of a hard power off.

Dataplane L2 support introduces a range of improvements.

This feature includes:

• Storm control, adding:
  • An SNMP trap notification mechanism
  • Interface disable ability, such that the operator has configuration flexibility for the action
  • Configuration and policing at the sub-interface level
• Display transceiver information
• Upgrade 100G Evora driver to Europa
• Enable virtual output queues for L2 and L3 forwarding

Add enable/disable/sync-period CLI and functionality to enable to BMC clock sync using IPMI.

This feature provides a range of CLI support to improve SEL functionality.

Provide CLI support to:

• Configure SEL to work in capacity or circular mode.  In capacity mode, when the SEL is full, the system should generate a syslog notification.  In circular mode, the SEL will wrap when full
• Enable/disable mirroring of SEL log entries to syslog
• Purge the SEL

Add support for port isolation, or the ability to disable hardware switching and punt traffic to the dataplane using the Broadcom Hurricane 3 chip.

Port monitor support improves a range of features on the Marvell 88E6190X chip set.

This adds support for the following on the Marvell 88E6190X chip set:

• VLAN support, with MAC learning
• Access port – single VLAN assigned to port for untagged traffic
• VLAN trunking (802.1q), including settingwhat VLANs are allowed on the port
• Setting the native VLAN of a trunk port for untagged traffic on the trunk port
• SPAN/port monitor – add support for the switch ports to be a source or destination

This adds support for the switch ports to be a source or destination on the Broadcom Hurricane 3 BCM56160 and BCM56172 chip sets.

This adds support for 802.1q, including setting which VLANs are allowed on the port.

Support VLAN, with MAC learning, on Broadcom Hurricane 3 switch.

Add a command to set the sysObjectId, so that each platform can have a separate sysObject Id.

Display speed and duplex information for each interface on the show interfaces command.

Move QoS to use 64 bit counters, and provide a CLI to show them.

Add support for 25 GB Intel XXV 710 dual port PCIE card.

Packet drops must include tail-drops and WRED drops; no-buffer drops must be reported as a major alarm event.

Support QoS on a per-logical VLAN interface basis, with the ability of having different QoS settings/policy on each individual logical VLAN interface.

Support QoS on a per-port basis, with the ability of having different QoS settings/policy on each individual port.

WRED must be configurable per queue basis; at least three WRED pofiles must be supported per queue.

A hardware queue must be configurable to set its depth and WRED thresholds, using units in packets, bytes, or in msec.

Class-based WFQ, LLQ mechanisms must be supported.

raffic shaping parameters should be configurable as a percentage of interface bandwidth as well as an absolute rate.

Traffic shaping must be supported on egress direction; shaping functionality must be applied on main interface.

QoS policy must support specifying bandwidth (CIR, PIR) weight per queue basis.

Hierarchical scheduler with shaping functionality must account for L2 overheads which, in Ethernet, just include 18 bytes (for 802.1Q tagged), and additional 4 bytes for CRC.

Unassigned and unused bandwidth must be available for use by all classes, be distributed in order of scheduling priority, and weighted round-robin basis.

Each QoS scheduler must support at least eight queue, each queue mapped to a forwarding class.

Support classification based on TOS (precedence/DSCP).

Ability to assign a forwarding class to any locally originated control and management traffic, configurable through QoS policy.

Support functionality to mark ethernet COS bits (0-7) on outgoing packets.

Support for full diff-serv functionality support: RFC 2597 and RFC 3246.

Generate syslog events for SFP insertion and removal. Note that this is for inserting and removing the transceiver, not the fiber.

Restrict the maximum burst size of 63 KB. When using a shape rate of 500M, the current minimum burst duration is 1 ms, which gives a burst greater than 63 KB.

Implement the data path for Broadcom Hurricane 3 switch devices using custom header support.

This features ensures that users only see the information they are authorized to see.

We allow filtering of modeled commands and configuration data, but this still allows users to see information that they shouldn't be allowed to see. Part of this is due to our use of a Linux based shell where all the commands used to implement the modeled commands are available to the user. We would like to keep the model of using Bash as our shell as it allows for operator convenience, but we'd like it to be more secure

To solve the isolation problem in a non-brittle way, we can create a sandbox container for non-superuser users. This sandbox would contain our CLI, coreutils, grep, sed, perl, and the endpoint for the VCI bus; this is enough to allow the CLI to function and for scripts to run and be written. The container would need to be ephemeral and get created on user login and removed on user logout. The user's home directory from the main system should be mounted in the container to allow for persistent information to be store across CLI sessions. The container would need to be in a shared uid namespace, an isolated pid namespace, and an isolated network namespace with no interfaces - commands like ip addr won't work anymore. This will ensure that this user can only access what he/she is allowed to access through the RBAC policy. This sandbox can be placed in a cgroup to protect the system from malicious users.

Configuration of a vhost interface as the destination of a span session is blocked in the CLI, this means that a host VM can't be used as a monitoring VNF, this removes that restriction.