0% found this document useful (0 votes)

356 views

FabricFlow RN v12.x.x.x Rev09 Published 01072022

Uploaded by

m_homossani

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

356 views

FabricFlow RN v12.x.x.x Rev09 Published 01072022

Uploaded by

m_homossani

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 130

Release 12.x.x.

x Rev 09 | Published: 01/07/2022

RELEASE NOTES
FabricFlow v12.x.x.x
This document provides a summary of the new features, defect corrections, and other
pertinent details for the FabricFlow™ v12.x.x.x release series.

Release Version* Release Type Release Date See Page

v12.4 major release 01/07/2022 9
v12.3.1 patch release 11/18/2021 28
v12.3 major release 10/11/2021 42
v12.2.2 patch release 07/28/2021 73
v12.2.1 patch release 07/01/2021 79
v12.2 major release 06/24/2021 84

Supported Platforms:
The following Niagara Networks platforms* are supported in FabricFlow v12.x.x.x:
• 2825 • 3299TT • 4248-6XL
• 2845 S2 • 3808 • 4272
• 2847 S2 • 3808E • 4432
• 3299 • 4248-6C • 4540

*Note: Not all platforms are supported for every release. See the “About this Release”
section of each individual release to view the specific platforms that are supported.

Niagara Networks™
FabricFlow v12.x.x.x Release Notes Rev 09

This page is intentionally left blank.

v12.4 Release Published: 01/07/2022 Page 2 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Contents:
1 FABRICFLOW VERSION 12.4 ............................................................................................ 9

1.1 About this Release ...................................................................................................... 9

1.2 Related Documentation ............................................................................................... 9

1.3 Upgrade and Downgrade Paths................................................................................. 10

Upgrade Paths ................................................................................................................................... 10

Downgrade Paths .............................................................................................................................. 11

1.4 What’s New in v12.4? ................................................................................................ 12

Highlighted Features ......................................................................................................................... 12

NR-3541: Include Link in FabricFlow GUI to Access Documentation/Support Portal ............ 12
NR-3372: Support GRE Tunnel Initiation on 3299 ..................................................................... 13
NR-3425: Stripping MPLS Labels (Headers) on Ingress Ports ................................................... 14
NR-7403: Show Device CPLD, TPM, and PTP Module Information........................................... 15
NR-6101: Include a System Uptime Command in CLI ............................................................... 16
NR-7962: Include “show management-if route" Information on the "show running-config”
Command ................................................................................................................................. 16
Packetron™ Packet Processing Features ........................................................................................ 17
New Feature Firmware Versions Available for Packetron Features ......................................... 17
NR-245, NR-273: Support Flow Slicing in Packetron.................................................................. 18

1.5 Resolved Issues in v12.4 ........................................................................................... 19

1.6 Known Issues and Workarounds in v12.4 .................................................................. 21

1.7 Known Limitations in v12.4 ........................................................................................ 26

2 FABRICFLOW VERSION 12.3.1 ....................................................................................... 28

2.1 About this Release .................................................................................................... 28

2.2 Related Documentation ............................................................................................. 28

2.3 What’s New in v12.3.1? ............................................................................................. 29

Highlighted Features ......................................................................................................................... 29

NR-68, NR-69: Support New Fixed Packet Broker Platforms .................................................... 29

v12.4 Release Published: 01/07/2022 Page 3 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Niagara 4248-6C Platform............................................................................................................ 29

Niagara 4540 Platform ................................................................................................................. 30
Rear-Panel Packetron Modules .................................................................................................... 31
NR-5604: Show COM Express Module and BIOS Information .................................................. 33
NR-6549, NR-6642: Support IO Module Mapping for Fans ...................................................... 34
Packetron™ Packet Processing Features ........................................................................................ 36
New Feature Firmware Versions Available for Packetron Features ......................................... 36

2.4 Resolved Issues in v12.3.1 ........................................................................................ 37

2.5 Known Issues and Workarounds in v12.3.1 ............................................................... 38

2.6 Known Limitations in v12.3.1 ..................................................................................... 40

3 FABRICFLOW VERSION 12.3 .......................................................................................... 42

3.1 About this Release .................................................................................................... 42

3.2 Related Documentation ............................................................................................. 42

3.3 Upgrade and Downgrade Paths................................................................................. 43

Upgrade Paths ................................................................................................................................... 43

Downgrade Paths .............................................................................................................................. 44

3.4 What’s New in v12.3? ................................................................................................ 45

Highlighted Features ......................................................................................................................... 45

NR-45: Support L2/L3 GRE Initiation and Termination for 3808E ........................................... 45
NR-1181: Support Port MAC Address Allocation ........................................................................ 46
NR-2896: Support Virtual Segments for Packet Brokers and Packetron ................................ 48
NR-3370: Support Redundancy on the 3808 and 3808E Platform .......................................... 50
NR-4123, NR-4124: Enhance the RADIUS and TACACS Pages for Server Configuration........ 51
NR-4517: Support Tap-Split and Tap-Aggregation Traffic Modes ............................................ 52
NR-4527: Manage Privileges for Input and Output Port Components on a Configuration
Map ........................................................................................................................................... 53
NR-5604: Show COM Express Module and BIOS Information .................................................. 56
Packetron™ Packet Processing Features ........................................................................................ 57
New Feature Firmware Versions Available for Packetron Features ......................................... 57

v12.4 Release Published: 01/07/2022 Page 4 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-158, NR-3371: Introduce Packetron Application Filtering for Enhanced Traffic-Policy

Enforcement ............................................................................................................................. 58
NR-244: Support Additional Offset Headers for Packet Slicing ................................................ 59
NR-2538: Subscriber-Aware (GTP-U) Profile for Load Balancing ............................................. 60
NR-2896: Inline-Decryption Firewall Traffic Flow Using Virtual Segments .............................. 61
NR-3170: Change Certificate Information Options for Peer Verification in Inline Decryption
Profile ........................................................................................................................................ 62
NR-4120: Handle Unencrypted and Unmatched Traffic for Inline Decryption ...................... 62
NR-4838: Learn MAC through TLS SYN in Inline Decryption (ARP-less) ................................... 63
NR-4923: Managing Configuration Maps with Module Topology Issues ................................ 64
Additional Features ........................................................................................................................... 65
NR-3944: Websocket Support for NVC ........................................................................................ 65
NR-3694, NR-4067: Add Advanced Filter Search for Ports and Port Groups.......................... 65
NR-4323: Show Device Name & Model on Browser Tab ........................................................... 66

3.5 Resolved Issues in v12.3 ........................................................................................... 67

3.6 Known Issues and Workarounds in v12.3 .................................................................. 69

3.7 Known Limitations in v12.3 ........................................................................................ 71

4 FABRICFLOW VERSION 12.2.2 ....................................................................................... 73

4.1 About this Release .................................................................................................... 73

4.2 Related Documentation ............................................................................................. 73

4.3 What’s New in v12.2.2? ............................................................................................. 74

NR-4916: Optimize Copper Module Ports for Faster Segment Switching ............................... 74

4.4 Resolved Issues in v12.2.2 ........................................................................................ 77

4.5 Known Issues and Workarounds in v12.2.2 ............................................................... 77

4.6 Known Limitations in v12.2.2 ..................................................................................... 78

5 FABRICFLOW VERSION 12.2.1 ....................................................................................... 79

5.1 About this Release .................................................................................................... 79

5.2 Related Documentation ............................................................................................. 79

5.3 What’s New in v12.2.1? ............................................................................................. 80

v12.4 Release Published: 01/07/2022 Page 5 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-4030: Support Tap-Split and Tap-Aggregation Traffic Modes ............................................ 80

5.4 Known Issues and Workarounds in v12.2.1 ............................................................... 82

5.5 Known Limitations in v12.2.1 ..................................................................................... 83

6 FABRICFLOW VERSION 12.2 .......................................................................................... 84

6.1 About this Release .................................................................................................... 84

6.2 Related Documentation ............................................................................................. 84

6.3 What’s New in v12.2? ................................................................................................ 85

Highlighted Features ......................................................................................................................... 85

NR-43: Support VLAN Priority for Filtering .................................................................................. 85
NR-135: Provide Microburst Detection on Ports ........................................................................ 86
NR-1052, NR-1967: Support IPv6 Port Egress Filters ................................................................. 87
NR-1571: Split “Config Save” into Three Separate User Privileges ........................................... 88
Packetron™ Packet Processing Features ........................................................................................ 90
New Feature Firmware Versions Available for Packetron Features ......................................... 90
NR-307, NR-308: Support Subscriber Sampling and Whitelists for Packetron Mobile
Visibility ..................................................................................................................................... 91
NR-169: Enhance the Packetron Inline-Decryption Configuration Process ............................ 93
NR-2606: Support URL Filtering for Packetron Inline-Decryption ............................................ 94
NR-2952: Support Transparent Cipher Mode for Inline-Decryption........................................ 95
NR-3646: Support Manual Gateway Configuration for Inline-Decryption.............................. 95
Bypass Segment Related Features................................................................................................... 96
NR-2528 Support Faster Heart-Beat Packet Transmission Intervals ....................................... 96

6.4 Resolved Issues in v12.2 ........................................................................................... 97

6.5 Known Issues and Workarounds in v12.2 ................................................................ 101

6.6 Known Limitations in v12.2 ...................................................................................... 102

APPENDIX A. OBTAINING RELEASE FILES FROM FTP SITE ........................................... 104

A.1 Downloading the Updated MIB Files ........................................................................ 105

A.2 Downloading the Firmware Installation Files ............................................................ 105

APPENDIX B. SAVING CURRENT CONFIGURATION SETTINGS ...................................... 107

v12.4 Release Published: 01/07/2022 Page 6 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

APPENDIX C. MANAGE V12.2 TO V12.4 UPGRADE ACCESSIBILITY FOR HIGH CPU

USAGE .................................................................................................................................. 108

APPENDIX D. UPGRADING THE FIRMWARE FROM V10.5 THRU V10.9 TO V12.4 .......... 112

D.1 Upgrading Packet Master Locally Using the GUI ..................................................... 112

APPENDIX E. UPGRADING THE FIRMWARE TO V12.4 ..................................................... 116

APPENDIX F. POSSIBLE ERROR MESSAGES DURING UPGRADE ................................. 120

APPENDIX G. FEATURE COMPATIBILITY MATRIX ........................................................... 121

v12.4 Release Published: 01/07/2022 Page 7 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

This page is intentionally left blank.

v12.4 Release Published: 01/07/2022 Page 8 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

1 FabricFlow Version 12.4

1.1 About this Release

Niagara Networks is pleased to bring you the release of FabricFlow v12.4, which includes
enhancements and improvements that benefit our customers. Please read the release notes
for v12.4 in their entirety before deploying new firmware.
Important! The v12.4 release is supported on the following platforms:
N2 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6C, 4248-6XL, 4272, 4432,
and 4540

1.2 Related Documentation

The following documents from the most recent major release are available on the Niagara
Networks Help Center Portal at support.niagaranetworks.com:
• Niagara Packet Broker User Guide v12.4
• Niagara Bypass Switch User Guide v12.4
• Niagara Packetron™ User Guide v12.4
• Niagara FabricFlow REST API Guide v12.4

v12.4 Release Published: 01/07/2022 Page 9 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

1.3 Upgrade and Downgrade Paths

FabricFlow v12.4 is a major release. Depending on the firmware version you currently have
installed, you need to follow one of the applicable upgrade paths:

Upgrade Paths

Depending on the firmware version you currently have installed, follow one of the applicable
upgrade paths:

If you are currently on a firmware version that is earlier than v10.5, use the following
upgrade path:
1. First, upgrade to v10.5.0. (Refer to the upgrade instructions in the “B-Series Packet
Master Release Notes Rev 08c,” located on the Niagara Support Portal.
2. Then, upgrade from v10.5.0 to v12.4. (Refer to “Upgrading the Firmware from v10.5
thru v10.9 to v12.4” on page 112.)

If you are currently on a firmware version between v10.5 and v10.9, you can upgrade
directly to v12.4. However, this upgrade process requires three installation files. (Refer to
“Upgrading the Firmware from v10.5 thru v10.9 to v12.4” on page 112.)

If you are currently on a firmware version between v10.10.2 and later, you can upgrade
directly to v12.4. This upgrade process requires one installation file. (Refer to “Upgrading the
Firmware to v12.4” on page 116.)

If you are currently on firmware v12.0.0.x to v12.2.2, you can upgrade directly to v12.4.
This upgrade process requires one installation file. (Refer to “Upgrading the Firmware to
v12.4.”) Note: If your device is currently on v12.2, please read “Manage v12.2 to v12.4
Upgrade Accessibility for High CPU Usage” before upgrading to v12.4.

For 3808 and 3808E platforms currently on v12.1 and later

If your device is on v12.1 or 12.1.0.1, then you can upgrade the 3808 and 3808E platforms
directly to v12.3. This upgrade process requires one installation file. (Refer to “Upgrading the
Firmware to v12.4” on page 116.)

NOTE: If your 3808 device firmware is currently on v11.x, please refer to “FabricFlow Release
Notes for v12.1” for information on upgrading to v12.1. Release Notes are located on the
Niagara Support Portal

v12.4 Release Published: 01/07/2022 Page 10 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

For 3299 and 3299TT platforms currently on v5.0.3.1:

If your 3299 device is currently on v5.0.3.1, you must first use the migration tool provided to
migrate to v12.0.0.x before you can upgrade to v12.4. The migration tool is necessary to
migrate the system configurations (including the IP address of the device). The migration
tool is based on v12.0.0.x firmware only as the tool is written based on the CLI commands
present in v12.0.0.x. To migrate from v5.0.3.1 to v12.4, perform the following high-level
steps:
1. From v5.0.3.1, migrate the system configurations using the migration tool.

2. Upgrade to v12.0.0.x (preferably, v12.0.0.2 latest firmware).

3. Reboot the system.

At this point, v12.0.0.x firmware will be loaded with the migrated configurations.
4. Save the current system configuration using one of the following methods:
o In the GUI, navigate to System > Save Configuration to save the current
configuration options.
o In the CLI, use the following command to save the current configuration options:
Niagara# write startup-config
5. Upgrade to v12.4. (Refer to “Upgrading the Firmware to v12.4” on page 116.

6. Reboot the system.

The system should now be loaded with v12.4 firmware.

Downgrade Paths
If you need to perform a firmware downgrade, please contact a Niagara support
representative for guidance (https://www.niagaranetworks.com/support).

v12.4 Release Published: 01/07/2022 Page 11 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

1.4 What’s New in v12.4?

FabricFlow v12.4 provides the following firmware/software enhancements and changes:

Highlighted Features

NR-3541: Include Link in FabricFlow GUI to Access Documentation/Support

Portal
Supported Platforms: N2 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4248-6C,
4272, 4432, 4540

As of v12.4, a Support Portal link is provided in the FabricFlow GUI that enables you to
access documentation for the applicable release.

While on a selected GUI page, click the user icon at the top-right corner of the page
and then click Support Portal. The Support Portal Login Screen displays for you to sign
in and view documentation for the current release.

v12.4 Release Published: 01/07/2022 Page 12 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-3372: Support GRE Tunnel Initiation on 3299

Supported Platforms: 3299, 3299TT

As of v12.4, GRE Tunneling is supported on the 3299 platform. GRE tunneling allows
‘Initiation,’ where the system encapsulates or wraps a packet’s payload (inner packet)
within an outer packet and then delivers that packet directly to a specified endpoint.

You can configure GRE Tunnels through the GUI, CLI or REST API. In the GUI, access
Packet Master > Tunnel Configuration > GRE Tunnel Configuration tab to configure
Initiation for the 3299.

Note: GRE Termination is not currently supported on the 3299 platform.

For instructions on how to configure GRE Initiation in the GUI, refer to the “Packet
Broker User Guide v12.4” located on the Niagara Support Portal.

v12.4 Release Published: 01/07/2022 Page 13 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-3425: Stripping MPLS Labels (Headers) on Ingress Ports

Supported Platforms: 4248-6C, 4540

Note: As of FabricFlow v12.4, this feature applies to the following platforms only: 4248-6C
and 4540.

FabricFlow now enables you to strip the MPLS header on one or more Ingress ports. An
MPLS Header Stripping option is available for each port, which is disabled by default.
When enabled, you can strip up to seven labels, and MPLS headers can be stripped for
both L2 and L3 MPLS packets without the need to configure labels.

When MPLS headers are stripped at the port level, traffic is forwarded based on the
configuration maps created. Furthermore, you can have multiple input ports on a
configuration map, where only some of the ports have MPLS header stripping enabled.

In the GUI, you can enable or disable the MPLS Stripping option for a port under
Advanced properties.

In the CLI, use the following command to create the manage MPLS Stripping on an
Ingress port:
Niagara# configure terminal
Niagara(config)# interface ex 0/1
set mpls-stripping {enable | disable }

v12.4 Release Published: 01/07/2022 Page 14 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-7403: Show Device CPLD, TPM, and PTP Module Information

Supported Platforms: N2 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4248-6C,
4272, 4432, 4540

In the FabricFlow GUI, the System Resources Page now shows the following information
for appliable Niagara Packet Broker platforms:

Note: Not all Niagara platforms will show the CPLD, TPM, or PTP module information.

CPLD Information

Shows the Complex Programmable Logic Device (CPLD) hardware circuit component
currently installed in the device.
• Primary Revision: Displays the revision of the first CPLD. This field cannot be
modified.
• Secondary Revision: Displays the revision of the second CPLD. This field cannot be
modified. (Applicable for certain devices only.)
• Tertiary Revision: Displays the revision of the third CPLD. This field cannot be
modified. (Applicable for certain devices only.)

TPM Information

Shows information about the Trusted Platform Module (TPM) installed in the device for
secure hardware design.
• Device Mode: Displays the type of TPM installed in the device. This field cannot be
modified.
• Firmware Version: Displays the current version of the TPM installed in the device.
This field cannot be modified.

v12.4 Release Published: 01/07/2022 Page 15 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

PTP Information

Shows information about the Precision Time Protocol (PTP) module installed in the
device for hardware clock synchronization.
• ASIC ID: Displays the application-specific integrated circuit identifier for the
microchip installed in the device. This field cannot be modified.
• Hardware Revision: Displays the current version of the PTP module hardware
installed in the device. This field cannot be modified.
• SW ID: Displays the current version of the PTP module software installed in the
device. This field cannot be modified.

In the CLI, use the following ‘show’ command to view system resource information for a
device:
Niagara# show system resources all

NR-6101: Include a System Uptime Command in CLI

Supported Platforms: N2 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4248-6C,
4272, 4432, 4540

In v12.4, a new CLI command is available to view device uptime, which is useful for
troubleshooting purposes. Use the following command:
Niagara# show system uptime

NR-7962: Include “show management-if route" Information on the "show

running-config” Command
Supported Platforms: N2 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4248-6C,
4272, 4432, 4540

You can now view the "show management-if route" information when using the "show
running-config" command. The information displays for both DHCP/Static IP modes.

v12.4 Release Published: 01/07/2022 Page 16 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Packetron™ Packet Processing Features

For detailed information about how to configure these Packetron features, refer to the
“Packetron User Guide v12.4” located on the Niagara Support Portal.

New Feature Firmware Versions Available for Packetron Features

Each Packetron module installed requires its own firmware to function properly. Typically,
the firmware loaded on Packetron modules is the default Packetron firmware. However,
certain Packetron features require you to install a feature-specific firmware onto the
Packetron module instead of the default Packetron firmware.

Packetron firmware files available for v12.4 include the following:

• Default Packetron default firmware: Packetron_Release_8.0.12
• Inline Decryption feature firmware: Packetron_Inline_Decryption_4.0.1
• Mobile Visibility feature firmware: Packetron_Mobile_Visibility_5.0.4
• Tap Decryption feature firmware: Packetron_Tap_Decryption_5.0.3

v12.4 Release Published: 01/07/2022 Page 17 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-245, NR-273: Support Flow Slicing in Packetron

Supported Platforms: 2845 S2, 2847 S2, 4248-6C, 4540

Flow slicing is a Packetron processing feature designed to reduce the volume of network
traffic sent to appliance tools. By sending only the most essential parts of the network
traffic, Flow Slicing promotes more efficient packet processing and traffic-flow analysis.

In general, Flow Slicing is controlled by a combination of packet number and

uplink/downlink VLAN. You can create a Flow Slicing profile and configure Packetron to
process supported TCP, SCTP and UDP protocols in a traffic flow. You can also configure
Flow Slicing to process unsupported protocols, choosing to apply either a Forward or
Drop action to the traffic. Additionally, you can integrate Packet Slicing functionality along
with the Flow Slicing profile for a more robust solution. When used, instead of dropping
traffic, you can choose to slice packets from the traffic flow that remains after flow slicing
is performed.

In the FabricFlow GUI, access Packet Master > Packetron Configuration to create a
new Flow Slicing Packetron Profile.

For instructions on how to configure Packetron Flow Slicing in the GUI, refer to the
“Packetron User Guide v12.4” located on the Niagara Support Portal.

In the CLI, use the following command to create the Flow Slicing profile:
Niagara(config)# packetron profile PP1
Niagara(packetron-profile-PP1)#
packetron profile-type flow-slicing

The Flow Slicing feature is also supported in the FabricFlow REST API solution.

v12.4 Release Published: 01/07/2022 Page 18 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

1.5 Resolved Issues in v12.4

The following issues have been fixed in FabricFlow version 12.4:
Issue Description
NR-2923 When working with Packetron Mobile Visibility feature, if a user updates the
(NR-6460) new sampling rate value the change may not take effect, and the previous
sampling rate will remain active.
NR-4502 Customize the Syslogs for the startup-config save, flash backup save, and
remote TFTP save options based on the exact save operation performed.
NR-5081 When working with the Mobile Visibility feature, a filter with GTPv1 version
handles GTPU packets that belongs to GTPv2 session
NR-6151 Segment moves to Bypass with the critical appliance’s heartbeat type set to
monitoring when heartbeat is active on critical appliance ports.
NR-6152 System should display an error message when an invalid DLB flow size is
configured through REST API.
NR-6162 Cannot edit any protocol groups after creating 256 groups.
NR-6356 Multicast SNTP Source Address displays in reverse order in the GUI.
NR-6460 CLONE - Sampling is not applied when a filter is edited with a flow
configured.
NR-6541 Write startup command takes longer to happen when there are 4095 GRE
tunnels configured in the system.
NR-6873 New users with appropriate privileges should not be able to modify Filter
template.
NR-6949 Fan information does not display on the System Resources page for the
3808E.
NR-7028 Traffic Rate Statistics shows repeated output for split port in the GUI.
NR-7066 Ports do now show under "Traffic Rate Statistics" once a split port is
configured in GUI.
NR-7079 The 3299 Management Interface eth0 is not operationally UP when the
peer device port’s Admin status is toggled.
NR-7087 Port name configured with special character "_" does not show in the GUI.
NR-7310 Block MPLS Label configuration for certain devices in CLI/REST.
NR-7311 Block MPLS Label configuration for certain devices in the GUI.
NR-7378 On the 2825 platform, remove the "Segment Mode is configurable only for
module IO_N13115 (1G Copper Tap/Bypass)" informational message from
the IO Module GUI page.

v12.4 Release Published: 01/07/2022 Page 19 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-7385 Packetron profile name is removed when a profile type is changed via the
GUI.
NR-7504 On the 2825 platform, segment flaps when the HB generation mode is set
to Advanced in the 100G Bypass module.
NR-7543 A configuration map/priority endpoint used with an integer ID causes
system instability.
NR-7633 On the 4432 platform, certain 40G split ports do not receive traffic at Rx
side on split port 0/28.4 when there is bidirectional traffic.
NR-7968 On the 3299 platform, the console hangs when DHCP is configured without
valid DHCP server.
NR-7986 Remove the condition that SFP must be present from the Link Mode option
NR-8155 in the Online Help and User Guide.

v12.4 Release Published: 01/07/2022 Page 20 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

1.6 Known Issues and Workarounds in v12.4

The following have been identified as known issues in FabricFlow version 12.4:
Issue Description Workaround/Note
NR-1597 Sporadic port flapping happens on the Apply “shutdown” and “no shutdown”
4432 with 40G SFP. on the flapping ports.
NR-2703 In the Mobile Visibility feature for GTP-C
NR-5084 update, if you only update 'GTP-C
version, an error message displays.
NR-2871 Unable to add special characters to A user can use special characters
config file name saved to Flash. when saving config file using remote
TFTP.
NR-2923 When working with Packetron Mobile Instead of updating the sampling rate,
Visibility feature, if a user updates the delete and then recreate the Mobile
new sampling rate value, the change Visibility filter with the new sampling
might not take affect and the previous rate value.
sampling rate would remail active.
NR-3258 On 2825 and 2845 devices, segments in Perform one of the following tasks as
HB advanced mode are always Inline. a workaround for this issue:
Heartbeat generation mode advanced • Remove module from Bay 3.
pushes a segment to Inline state when
• Remove module from Bay 2.
the device with HB module has 100G
module in Bay 0, Bypass module in Bay • Remove module from Bay 1 (if
2, and module in Bay 3. present).
• Use basic heartbeat generation
instead of advanced.

NR-4258 When the 3808 is connected to a 4432 or No workaround is needed. The

4248-6XL device, and interface system will restore on its own.
shutdown/no shutdown/ commands are
performed, this causes the interface to
come UP after a delay of approximately
40 seconds.
NR-4536 The decrypted traffic is malformed in Use only a single certificate when
cases where the server is configured to configuring the server.
use a certificate chain. Only a single
certificate is accepted.

v12.4 Release Published: 01/07/2022 Page 21 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

NR-5081 In the Mobile Visibility feature, a filter
with GTPv1 handles GTPU packets that
belong to the GTPv2 session.
NR-5838 In v12.2, there are a maximum of 128 If you see errors, you can continue
segments. In v12.3, there are an because the errors will not affect
additional 300 virtual segments for a functionality in v12.2.
total 428 max segments. The reserved You can also use “write startup
VLANs are reserved for all 428 segments. downgrade” CLI command to avoid
When downgrading to v12.2 with the seeing the errors altogether.
additional VLAN and virtual segments
configured, the reserved VLANs for the
virtual segments will fail when the
system restore happens because the
virtual segments are not supported in
v12.2. As a result, errors will show.
NR-5876 The 4248-6C does not support split ports This known issue has specific
(NR-6763) simultaneously on all ports. Instead, limitations for the following Packetron
split-port capability depends on the module insertion scenarios:
number of Packetron modules installed • If no Packetron modules are
in the device. inserted - only three ports can
be split for fanout capability ─
ports 49, 50 and 52.
• If 1x Packetron module is
inserted - only one port can be
split ─ 49, 50 or 52.
• If 2x Packetron modules are
inserted - no ports can be split.
(Split ports is not supported for
this scenario.)

v12.4 Release Published: 01/07/2022 Page 22 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

NR-5880 There is a Speed set configuration There are two workarounds for this
limitation that affects the N4540 device. known issue:
A known limitation exists on the system • Workaround 1: Use only one
port speed setting. Customers cannot type of SFP in a single port
use mixed speeds like 25G, 10G, and 1G group.
in one group ports.
• Workaround 2: Apply the same
The N4540 has two groups of ports that force-speed setting on the
consist of four ports in each group N4540 and the peer device.
(group-1: ports 0/29-0/32, group-2: ports
0/33-0/36).
Customers must use the same types of
SFPs in all four ports from a single port
group, and the peer-side devices must
also have the same types of SFPs in use.
NR-6045 Mixing 10G and 25G is not supported
because the hardware simply does not
support it due to a lack of a 2.5 divider.
NR-6379 Sometimes a link is down with auto Perform "set auto-negotiation enable"
negotiation enabled on the AVAGO CLI command again on both sides.
AFCT-701SDDZ 1/10G dual-speed SFP.
The issue happens sporadically. (Note:
This issue is seen on BCM-series
platforms only.)
NR-6639 Configurations for features such as Below are the minimal downgrade
config maps, port-channel, and bypass versions for the settings to get
segment data are not getting restored in restored:
downgrade scenario. Normal upgrade is • 3299 device - 12.0.0.2
not affected.
• 3808 device - 12.1.0.1
• BCM device - 12.2
(I.e., if you downgrade to these
versions, the settings are restored
with the CLI "write startup
downgrade" command.)

v12.4 Release Published: 01/07/2022 Page 23 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

NR-6753 This known issue has the following key
points:
1. On copper SFPs Finisar FCLF-8521-3
and Finisar FCLF8521P2BTL (the new
revision of FCLF-8521-3), setting
force-speed is unsupported when
plugged into 1G Fiber I/0 module
appliance ports. (Setting force-speed
on copper ports for the 1G Copper
I/O module is not affected.)
2. When forcing the speed on a copper 2. To restore the link, change the
port with port speed of 10M/100M, physical (PHY) layer properties
the link may go DOWN with some with the “set phy-properties
peer devices. { optimized | default }
<slotid(0-7)>” command.
NR-6810 In Packetron, the first time a user Manually reboot Packetron after
switches from ‘All Features’ to switching from ‘All Features’ to
‘Deduplication Only’ mode, Packetron ‘Deduplication Only’ mode.
may crash and reboot after several
seconds of traffic processing happens.
NR-7049 Observed a link toggling issue in the There are two workarounds for this
4540 device from port 0/29-0/36 when known issue:
different speed SFP and links are • Workaround 1: Use only one
inserted. type of SFP in a single port
A known limitation exists on the system group.
port speed setting. Customers cannot
• Workaround 2: Apply the same
use mixed speeds like 25G, 10G, and 1G
force-speed setting on the
in one group ports.
N4540 and the peer device.
The N4540 has two groups of ports that
consist of 4 ports in each group (group-
1: ports 0/29-0/32, group-2: ports 0/33-
0/36).
Customers must use the same types of
SFPs in all four ports from a single port
group, and the peer-side devices must
also have the same types of SFPs in use.

v12.4 Release Published: 01/07/2022 Page 24 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

NR-7057 On the 4248-6C platform, the DUT This issue is not always reproducible.
interfaces do not link UP after link As a workaround, perform
down/UP events are performed across "shutdown/no shutdown" commands
the remote peer agent device. on the 4248-6C device.
Occasionally, a link is down when the
“shutdown/no shutdown” commands are
applied on the remote peer agent device
connected to the 4248-6C.
NR-7369 In the 4540 platform, even if you
configure VLAN priority, it is always '0' in
the outgoing packet of the L2-MPLS
traffic.
NR-7373 On the 4540 platform, the second
bypass segment (0/2) state does not
move to Inline when an appliance pair is
shared between two bypass segments
with heart-beat type set to EtherType in
both segments.
NR-7615 40G links may not be UP after 1. Wait about 10min to get the link
performing a Shut/No Shut action. up.
On certain devices, the link does not 2. Try to “shut/no shut” command on
come up immediately after “shut/no the interface to retrieve link UP
shut” operations are performed. This immediately.
behavior is seen approximately during
the first 10 mins but eventually the link
UP message is received.
NR-7621 When the traffic-mode (active-bypass) is 1. If you configure the traffic mode
configured before adding segment port, active bypass after adding
the traffic leads to in-discards. segment ports, the issue not
observed.
2. If the issue happens, toggle the
setting fix the issue. Set the
heartbeat and traffic modes to
something else, then change them
back to the desired setting.
NR-7872 An error message displays when a
configuration map’s bypass segment
advanced action is changed from Modify
VLAN to MPLS Strip.

v12.4 Release Published: 01/07/2022 Page 25 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

NR-7914 Downgrade to versions 12.3 and earlier Configurations should be cleared and
may not work properly on 4272 re-created when downgrading to
platforms. v12.3 and earlier on the 4272
platform.

1.7 Known Limitations in v12.4

FabricFlow v12.4 includes the following known limitations:
Issue Description
Limitations for Configuration Map Advanced Actions for v12.4
NR-5832 When a port is added as an output in a configuration map with advanced
action tag-vlan and an egress filter with permit action is attached to the
port, traffic matching the egress filter will egress out of the port with add
vlan action applied; however, the VLAN provided by the user will not be
added and original VLAN in the packet will be added.

NR-5742 Cannot install multiple L2 UDB offset base criteria to a configuration map.
NR-5844 When a port is added as an output port in the configuration map with strip
VLAN as advanced action and an egress filter with VLAN priority as a criteria
and permit action is created on the port, traffic will be dropped on the
egress port.

NR-6226 Advanced action Modify VLAN with apply-action “before-packetron” cannot

be used when a configuration map has a Packetron profile associated.
NR-6266 Performing Modify VLAN action before sending traffic to packetron is not
supported.
NR-6579 In a configuration map, adding VLAN as advanced action and modifying
MAC address action cannot be configured together. These two
configurations cannot coexist in a configuration map at the same time.

NR-6649 When a port is added as an output in a configuration map with advanced

action Tag-VLAN and an egress filter with permit action is attached to the
port, traffic matching the configuration map will egress out of the port with
add VLAN action applied; even though if it does not match with egress filter
criteria.
NR-6650 Packets get dropped in Egress filter when VLAN priority filter does not
match what is set for the advanced action Strip VLAN.

v12.4 Release Published: 01/07/2022 Page 26 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
Limitations for the 4540 and 4248-6C platforms
NR-5489 If Port Bypass feature is enabled, you must reserve ports to use Port Bypass
functionality. Reserve the required number of data ports on the Reserved
tab of the Ports page. Once a port is reserved, it is not available for user
configuration; instead, it will be used specifically for Port Bypass until it is
no longer reserved. Additionally, if needed, one port must be reserved for
each port in a port-channel.
NR-6330 Microburst functionality is not supported.
NR-6270 L3 MPLS Strip advance action (via Configuration Map > Filter > Edit) is not
supported.
NR-6584 If an incoming packet with OuterVLAN as 4001 hits the configuration map
which has any filter criteria and advanced action as NONE, OuterVLAN 4001
will be stripped in the outcoming packet. The same applies to any
InnerVLAN, if present.
NR-6604 In L3 GRE Initiation and termination, Incoming VLAN will be retained in the
outer Ethernet frame of outgoing packet.
NR-6648 Untagged traffic will be filtered and forwarded when VLAN priority 0 is
configured as filter criteria in a configuration map.
NR-7012 The 4540 platform does not support mixed-speed SFP combinations, such
NR-7036 as 25G, 10G and 1G, in one group of ports. The ‘set force-speed’ setting in
the GUI or CLI is applied to all four ports from the group.
Additional Limitations
NR-6975 The system will not allow save configurations if there is already no storage
space left in the Flash the available space is not enough to hold the new
configuration information. In such cases, users will see a message in the
console that states "MSR Flash storage is nearly full and failed to save the
configurations," and a SYSLOG related to the Save failure also displays
(which is expected).
NR-8144 On 3299 platforms for v12.4, the following restriction applies:
• In general, if backup files were already created in a previous version,
they should not be removed as the files may be needed for restore
and use.
• However, if this causes a problem when saving additional backup
files, remove the old files and then save the new backup files.

v12.4 Release Published: 01/07/2022 Page 27 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

2 FabricFlow Version 12.3.1

2.1 About this Release

Niagara Networks is pleased to bring you the release of FabricFlow v12.3.1, which includes
enhancements and improvements that benefit our customers. Please read the release notes
for v12.3.1 in their entirety before deploying new firmware.
Important! The v12.3.1 release is supported on the following platforms:
3299, 3299TT, 4248-6C, and 4540

2.2 Related Documentation

The following documents from the most recent major release are available on the Niagara
Networks Help Center Portal at support.niagaranetworks.com:
• Niagara Packet Broker User Guide v12.3
• Niagara Bypass Switch User Guide v12.3
• Niagara Packetron™ User Guide v12.3
• Niagara FabricFlow REST API Guide v12.3

v12.4 Release Published: 01/07/2022 Page 28 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

2.3 What’s New in v12.3.1?

FabricFlow v12.3.1 provides the following firmware/software enhancements and changes:

Highlighted Features

NR-68, NR-69: Support New Fixed Packet Broker Platforms

Supported Platforms: 4248-6C, 4540

Niagara Networks is proud to introduce two new network packet broker platforms: Niagara
4248-6C and Niagara 4540. Both platforms are available in a 1U form factor and support a
robust set of packet broker and bypass features, including the powerful Packetron module
for advanced packet processing capabilities.

Niagara 4248-6C Platform

The Niagara 4248-6C is a fixed network packet broker designed to provide

100M/1G/10G/25G and 40G/100G connectivity. The 4248-6C enables complete network
visibility by optimizing traffic flows for advanced packet processing, intrusion detection,
intrusion prevention, analytics, and other network tools. This platform is purpose-built in a
reliable, space-saving, and easy-to-use package.

The Niagara 4248-6C comes in a 1U, fixed-configuration chassis unit that has 54 front-panel
ports. There are 48 x 100M/1G/10G/25G SFP+ ports and 6 x 40G/100G QSFP28 ports on the
front panel. Additionally, the FabricFlow v12.x.x.x supports split-port capabilities to break
down the port speed on a 1x40G or 1x100G port, across several different child ports, such
as 4x10G or 4x25G ports respectively (based on Packetron module presence).

v12.4 Release Published: 01/07/2022 Page 29 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

4248-6C SKU Descriptions

Chassis Description
4248-6C-MN-AC 4248-6C main chassis AC, includes two field replaceable power
supply units and two field replaceable fan units. OVP Enabled for
up to 2 rear Packetron modules (sold separately). Includes License
for 48 ports of 10/25Gb and 6 ports of 40/100Gb. Transceivers sold
and ordered separately.
4248-6C-MN-DC 4248-6C main chassis DC, includes two field replaceable power
supply units and two field replaceable fan units. OVP Enabled for
up to 2 rear Packetron modules (sold separately). Includes License
for 48 ports of 10/25Gb and 6 ports of 40/100Gb. Transceivers sold
and ordered separately.

Refer to the Niagara 4248-6C Quick Start Guide for more details about this new platform.

Niagara 4540 Platform

The Niagara 4540 is also a fixed network packet broker designed to provide 1G/10G/25G and
40G/100G connectivity.

The 4540 is a 1U, fixed-configuration chassis unit with 36 front-panel ports. There are
28 x 40G/100G QSFP28 ports and 8 x 25G SFP28 ports on the front panel. The 25G ports also
support 1G/10G port connectivity.

v12.4 Release Published: 01/07/2022 Page 30 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

4540 SKU Descriptions

Chassis Description
4540-MN-16P-AC 4540 main chassis AC, includes two field replaceable power
supply units and two field replaceable fan units. Supports 28
ports of 40/100Gb and 8 ports of 10/25Gb. OVP Enabled for up
to 2 rear Packetron modules (hardware modules and
applications sold separately). Includes License for 16 ports of
40/100Gb, 8 ports of 10/25Gb. Transceivers sold and ordered
separately.
4540-MN-16P-DC 4540 main chassis DC, includes two field replaceable power
supply units and two field replaceable fan units. Supports 28
ports of 40/100Gb and 8 ports of 10/25Gb. OVP Enabled for up
to 2 rear Packetron modules (hardware modules and
applications sold separately). Includes License for 16 ports of
40/100Gb, 8 ports of 10/25Gb. Transceivers sold and ordered
separately.
4540-LC-28P 4540 license upgrade to activate ports 17 through 28
(40/100GbE).

Refer to the Niagara 4540 Quick Start Guide for more details about this new platform.

Rear-Panel Packetron Modules

The Niagara 4248-6C and 4540 platforms offer the following rear modules that can be
installed on the back of the units. Note: The rear modules are not hot swappable.
Fan Modules Packetron Modules
The new packet broker platforms ship with two fan modules that are installed on the back
panel. Each module has two fans, for a total of four fans.

v12.4 Release Published: 01/07/2022 Page 31 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Both platforms also support up to two rear Packetron modules, supporting 200G processing
capability. The Packetron IO modules have enhanced packet processing capabilities to
reduce the processing load on the network packet broker. The Packetron module resembles
the fan module, but there is a built-in Packetron port on the inside of each module.

Note: The rear-panel Packetron module does not have a status LED. (NR-5546)

Refer to the Niagara Packetron User Guide for more details about using Packetron.

Packetron Module SKU Descriptions

Module Description
FXD-PKTRN-A-S Packetron processor acceleration module. Rear module. Up to
100Gbps processing. Includes Packet Slicing software licensing. 64GB
RAM. 512GB SSD. For FixedBroker product line.
FXD-PKTRN-A2-S Packetron processor acceleration module. Rear module. Up to
100Gbps processing. Includes Packet Slicing software licensing. 96GB
RAM. 512GB SSD. For FixedBroker product line.
FXD-PKTRN-A3-S Packetron processor acceleration module. Up to 100Gbps
processing. Includes Packet Slicing software licensing.
96GB RAM 1TB SSD

v12.4 Release Published: 01/07/2022 Page 32 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-5604: Show COM Express Module and BIOS Information

Supported Platforms: 2825, N2 2845, N2 2847, 3299TT, 3808, 3808E, 4248-6XL, 4540, 4248-6C,
4272, 4432,

The FabricFlow system now displays the COM Express (computer-on-module) vendor and
type information, as well as the module’s BIOS-related data. The COM Express module
integrates core CPU and memory functionality into the network packet broker and bypass
hardware. Each platform’s hardware design may use a different type of COM Express
module. Therefore, knowing details about the type of COM module and BIOS installed helps
to troubleshoot possible device issues or limitations.

In the GUI, the System Resources page (System > System Resources) shows the following
Com Express and BIOS details:

In the CLI, use the following command to display the COM Express and BIOS details:
Niagara# show com-express information

NOTE: The 3299 hardware does not use Com Express.

v12.4 Release Published: 01/07/2022 Page 33 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-6549, NR-6642: Support IO Module Mapping for Fans

Supported Platforms: 4248-6C, 4540

The fans in the 4248-6C and 4540 platforms are not hot swappable as in other Niagara
network packet brokers because the fans are part of the IO modules themselves.
Because of this, you cannot swap out a fan when there is a failure. It requires a system
shut down and the entire IO module replaced.

To understand which fan is failing and on what IO

module, you can view information in the GUI and CLI.

In the GUI, access the System Resources page to view

the operational status of each fan and in which bay the
fan is housed.

In the CLI use the “show system resources fan” and “show system resources all”
commands to view fan statuses:

v12.4 Release Published: 01/07/2022 Page 34 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Each fan in the I/O module is mapped to the Packetron module to show where each fan
is in systems with rear I/O module support such as the 4540 and 4248-6C.

To view the IO mapping in the GUI, access the Packet Master > IO Modules page.

In the CLI, use the “show hardware management information” command to view the
fan mapping on the rear panel.

The Status column has the following Indicators:

o F – Fixed; Cannot be removed.

o I – Inserted; Can be removed.

v12.4 Release Published: 01/07/2022 Page 35 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Packetron™ Packet Processing Features

For detailed information about how to configure these Packetron features, refer to the
“Packetron User Guide v12.3.1” located on the Niagara Support Portal.

New Feature Firmware Versions Available for Packetron Features

Packetron firmware files available for v12.3.1 include the following:

• Default Packetron default firmware: Packetron_Release_7.1.4
• Inline Decryption feature firmware: Packetron_Inline_Decryption_3.1.5
• Mobile Visibility feature firmware: Packetron_Mobile_Visibility_4.1.2
• Tap Decryption feature firmware: Packetron_Tap_Decryption_4.1.2

v12.4 Release Published: 01/07/2022 Page 36 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

2.4 Resolved Issues in v12.3.1

The following issues have been fixed in FabricFlow version 12.3.1:
Issue Description
NR-6139 Port toggles when configuring session load using the GUI.
NR-6303 Traffic does not pass on virtual trunk configuration maps when a segment
moves from Bypass to Inline state.
NR-6392 After performing a reboot, some of the split ports do not come UP.
NR-6540 Gateway IP disappears when the existing Static configuration are reapplied
in a GUI or SSH session.
NR-6753 Setting 100M force-speed on copper ports fails for the 3299 platform.
NR-7150 Need a new line in the “show running config” output of VM and third-party
profiles.

v12.4 Release Published: 01/07/2022 Page 37 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

2.5 Known Issues and Workarounds in v12.3.1

The following have been identified as known issues in FabricFlow version 12.3.1:
Issue Description Workaround/Note
NR-2923 When working with Packetron Mobile Instead of updating the sampling rate,
(NR-6460) Visibility feature, if a user updates the delete and then recreate the Mobile
new sampling rate value, the change Visibility filter with the new sampling
might not take affect and the previous rate value.
sampling rate would remail active.
NR-5876 The 4248-6C does not support split ports This known issue has specific
(NR-6763) simultaneously on all ports. Instead, limitations for the following Packetron
split-port capability depends on the module insertion scenarios:
number of Packetron modules installed • If no Packetron modules are inserted -
in the device. only three ports can be split for fanout
capability ─ ports 49,50, and 52.
• If 1x Packetron module is inserted -
only one port can be split ─ 49 or 50 or
52.
• If 2x Packetron modules are inserted -
no ports can be split. (Split ports is not
supported for this scenario.)

v12.4 Release Published: 01/07/2022 Page 38 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

NR-6753 This known issue has the following key
points:
1. On copper SFPs Finisar FCLF-8521-3
and Finisar FCLF8521P2BTL (the new
revision of FCLF-8521-3), setting
force-speed is unsupported when
plugged into 1G Fiber I/0 module
appliance ports. (Setting force-speed
on copper ports for the 1G Copper
I/O module is not affected.)
2. When forcing the speed on a copper 2. To restore the link, change the
port with port speed of 10M/100M, physical (PHY) layer properties
the link may go DOWN with some with the “set phy-properties
peer devices. { optimized | default }
<slotid(0-7)>” command.
NR-6810 In Packetron, the first time a user Manually reboot Packetron after
switches from ‘All Features’ to switching from ‘All Features’ to
‘Deduplication Only’ mode, Packetron ‘Deduplication Only’ mode.
may crash and reboot after several
seconds of traffic processing happens.
NR-7049 Observed a link toggling issue in the There are two workarounds for this
4540 device, from port 0/29-0/36, when known issue:
different speed SFP and links are • Workaround 1: Use only one type of
inserted. SFP in a single port group.
A known limitation exists on the system • Workaround 2: Apply the same force-
port speed setting. Customers cannot speed setting on the N4540 and the
use mixed speeds like 25G, 10G, and 1G peer device.
in one group ports.
The N4540 has two groups of ports that
consist of four ports in each group
(group-1: ports 0/29-0/32, group-2: ports
0/33-0/36).
Customers must use the same types of
SFPs in all four ports from a single port
group, and the peer-side devices must
also have the same types of SFPs in use.

v12.4 Release Published: 01/07/2022 Page 39 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

2.6 Known Limitations in v12.3.1

FabricFlow v12.3.1 includes the following known limitations:
Issue Description
Limitations for Configuration Map Advanced Actions for v12.3.1
NR-5832 When a port is added as an output in a configuration map with advanced
action tag-vlan and an egress filter with permit action is attached to the
port, traffic matching the egress filter will egress out of the port with add
vlan action applied; however, the VLAN provided by the user will not be
added and original VLAN in the packet will be added.
NR-5742 Cannot install multiple L2 UDB offset base criteria to a configuration map.
NR-5844 When a port is added as an output port in the configuration map with strip
VLAN as advanced action and an egress filter with VLAN priority as a criteria
and permit action is created on the port, traffic will be dropped on the
egress port.
NR-6226 Advanced action Modify VLAN with apply-action “before-packetron” cannot
be used when a configuration map has a Packetron profile associated.
NR-6266 Performing Modify VLAN action before sending traffic to packetron is not
supported.
NR-6579 In a configuration map, adding VLAN as advanced action and modifying
MAC address action cannot be configured together. These two
configurations cannot coexist in a configuration map at the same time.
NR-6649 When a port is added as an output in a configuration map with advanced
action Tag-VLAN and an egress filter with permit action is attached to the
port, traffic matching the configuration map will egress out of the port with
add VLAN action applied; even though if it does not match with egress filter
criteria.
NR-6650 Packets get dropped in Egress filter when VLAN priority filter does not
match what is set for the advanced action Strip VLAN.
Additional Limitations for the 4540 and 4248-6C platforms
NR-5489 If Port Bypass feature is enabled, you must reserve ports to use Port Bypass
functionality. Reserve the required number of data ports on the Reserved
tab of the Ports page. Once a port is reserved, it is not available for user
configuration; instead, it will be used specifically for Port Bypass until it is
no longer reserved. Additionally, if needed, one port must be reserved for
each port in a port-channel.
NR-6330 Microburst functionality is not supported in v12.3.1.
NR-6270 L3 MPLS Strip advance action is not supported in v12.3.1.

v12.4 Release Published: 01/07/2022 Page 40 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-6584 If an incoming packet with OuterVLAN as 4001 hits the configuration map
which has any filter criteria and advanced action as NONE, OuterVLAN 4001
will be stripped in the outcoming packet. The same applies to any
InnerVLAN, if present.
NR-6604 In L3 GRE Initiation and termination, Incoming Vlan will be retained in the
outer Ethernet frame of outgoing packet.
NR-6648 Untagged traffic will be filtered and forwarded when VLAN priority 0 is
configured as filter criteria in a configuration map.
NR-7012 The 4540 platform does not support mixed-speed SFP combinations, such
NR-7036 as 25G, 10G and 1G, in one group of ports.
The N4540 has two groups of ports that consist of four ports in each group
(group-1: ports 0/29-0/32, group-2: ports 0/33-0/36).
The ‘set force-speed’ setting in the GUI or CLI is applied to all four ports
from the group.

v12.4 Release Published: 01/07/2022 Page 41 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

3 FabricFlow Version 12.3

3.1 About this Release

Niagara Networks is pleased to bring you the release of FabricFlow v12.3, which includes
new features and improvements that benefit our customers. Please read the release notes
for v12.3 in their entirety before deploying new firmware.
Important! The v12.3 release is supported on the following platforms: N2 2845, N2 2847,
3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

3.2 Related Documentation

The following documents from the most recent major release are available on the Niagara
Networks Help Center Portal at support.niagaranetworks.com:
• Niagara Packet Broker User Guide v12.3
• Niagara Bypass Switch User Guide v12.3
• Niagara Packetron User Guide v12.3.1
• Niagara FabricFlow REST API Guide v12.3

v12.4 Release Published: 01/07/2022 Page 42 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

3.3 Upgrade and Downgrade Paths

FabricFlow v12.3 is a major release. Depending on the firmware version you currently have
installed, you need to follow one of the applicable upgrade paths:

Upgrade Paths

Depending on the firmware version you currently have installed, follow one of the applicable
upgrade paths:

If you are currently on a firmware version that is earlier than v10.5, use the following
upgrade path:
7. First, upgrade to v10.5.0. (Refer to the upgrade instructions in the “B-Series Packet
Master Release Notes Rev 08c,” located on the Niagara Support Portal.
8. Then, upgrade from v10.5.0 to v12.3. (Refer to “Upgrading the Firmware from v10.5
thru v10.9 to v12.2” on page 112.)

If you are currently on a firmware version between v10.5 and v10.9, you can upgrade
directly to v12.3. However, this upgrade process requires three installation files. (Refer to
“Upgrading the Firmware from v10.5 thru v10.9 to v12.3” on page 112.)

If you are currently on a firmware version between v10.10.2 and later, you can upgrade
directly to v12.3. This upgrade process requires one installation file. (Refer to “Upgrading the
Firmware to v12.3” on page 116.)

If you are currently on firmware v12.0.0.x to v12.2.2, you can upgrade directly to v12.3.
This upgrade process requires one installation file. (Refer to “Upgrading the Firmware to
v12.3.”) Note: If your device is currently on v12.2, please read “Manage v12.2 to v12.3
Upgrade Accessibility for High CPU Usage” before upgrading to v12.3.

For 3808 and 3808E platforms currently on v12.1 and later

NOTE: If your 3808 device firmware is currently on v11.x, please refer to “FabricFlow Release
Notes v12.1” for information on upgrading to v12.1. Release Notes are located on the
Niagara Support Portal

v12.4 Release Published: 01/07/2022 Page 43 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

For 3299 and 3299TT platforms currently on v5.0.3.1:

If your 3299 device is currently on v5.0.3.1, you must first use the migration tool provided to
migrate to v12.0.0.x before you can upgrade to v12.3. The migration tool is necessary to
migrate the system configurations (including the IP address of the device). The migration
tool is based on v12.0.0.x firmware only as the tool is written based on the CLI commands
present in v12.0.0.x. To migrate from v5.0.3.1 to v12.3, perform the following high-level
steps:
1. From v5.0.3.1, migrate the system configurations using the migration tool.

2. Upgrade to v12.0.0.x (preferably, v12.0.0.2 latest firmware).

3. Reboot the system.

At this point, v12.0.0.x firmware will be loaded with the migrated configurations.
4. Save the current system configuration using one of the following methods:
o In the GUI, navigate to System > Save Configuration to save the current
configuration options.
o In the CLI, use the following command to save the current configuration options:
Niagara# write startup-config
5. Upgrade to v12.3. (Refer to “Upgrading the Firmware to v12.3.”)

6. Reboot the system.

The system should now be loaded with v12.3 firmware.

Downgrade Paths
If you need to perform a firmware downgrade, please contact a Niagara support
representative for guidance (https://www.niagaranetworks.com/support).

v12.4 Release Published: 01/07/2022 Page 44 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

3.4 What’s New in v12.3?

FabricFlow v12.3 provides the following firmware/software enhancements and changes:

Highlighted Features

NR-45: Support L2/L3 GRE Initiation and Termination for 3808E

Supported Platforms: 3808E

The 3808E platform now supports GRE Tunnel configuration. GRE tunneling in the 3808E
supports ‘Initiation,’ where the system encapsulates or wraps a packet’s payload (inner
packet) within an outer packet and then delivers that packet directly to a specified
endpoint. GRE tunneling also supports ‘Termination,’ where the packet is decapsulated
or unwrapped to reveal the payload when forwarding to an output port.

The 3808E supports up to 3000 Layer-2 and Layer-3 GRE tunnels, and you can configure
a tunnel in Dynamic mode or Static mode to resolve the destination address
automatically through address resolution protocol (ARP) or by manual configuration

You can configure GRE Tunnels through the GUI, CLI or REST API.

v12.4 Release Published: 01/07/2022 Page 45 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-1181: Support Port MAC Address Allocation

Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

In v12.3 and earlier releases, we used the management MAC address to distribute the
MAC address to data ports. As of v12.3, FabricFlow now uses a device’s uploaded license
file for MAC address allocation.

FabricFlow will parse the license file to obtain the base MAC address as well as the
number of MAC addresses allowed for data ports as specified in the license.

NOTE: Currently, data-port MAC addresses are only used by the GRE, MPLS, and VXLAN
features in FabricFlow.

The following example shows how MAC addresses are determined for data ports in a
device:
Base MAC address: 00:0C:BD:0D:16:5E
Port 0/1 MAC address: 00:0C:BD:0D:16:5F => Base MAC + 1
Port 0/2 MAC address: 00:0C:BD:0D:16:60 => Base MAC + 2
As shown above, once a valid license is uploaded successfully, port MAC addresses are
assigned using the base MAC address +1, +2, +3 and so on, until each port is assigned a
unique address.

NOTE: If there are more data ports than there are available MAC addresses in the license
file, the system will still assign additional MAC addresses to the remaining ports. As a result,
there is a chance for data ports in two or more devices to have duplicate MAC addresses
when ports are assigned outside the boundary of available ports based on the license file
for each device.

MAC Address Assignment Scenarios

The following system scenarios describe how the MAC address allocation policy is
applied in different system configurations:

Scenario 1: Fresh Configuration (with a valid license uploaded before configuring the
system.)

Because a valid license file is uploaded first, a user can configure GRE, VXLAN, or MPLS
Stripping features. Port MAC addresses are assigned using the base MAC address +1, +2,
+3 and so on.

v12.4 Release Published: 01/07/2022 Page 46 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Scenario 2: Fresh Configuration (without a valid license uploaded before configuring

the system.)

Because no valid license file is uploaded, the port MAC addresses will be 00:00:00:00:00:00.
A user cannot configure any GRE, VXLAN, or MPLS Stripping features.

Scenario 3: Boot up a device with existing system configurations but license is NOT
present.

During a device bootup, if a valid license file is not present in the system, the saved
configurations (such as GRE tunnel, VXLAN tunnel, and configuration map with advanced
action of GRE or MPLS) are moved to Disabled state. Once a valid license file is uploaded,
these configurations will move to Active state automatically.

Scenario 4: Upgrade to v12.3 and then perform a system restore using a saved
configuration from an earlier version (with a valid license file present).

The configurations will be restored successfully. However, after the upgrade, the existing
port MAC addresses will change and are now assigned using the base MAC address +1, +2,
+3 and so on.

Note: When a system is upgraded to v12.3, syslogs are recorded during bootup stating that
the previous port mac addresses will change based on the new MAC address allocation
policy.

Scenario 5: Upgrade to v12.3 and then perform a system restore using a saved
configuration from an earlier version (without a valid license file present).

The configurations will be restored successfully. However, after the upgrade, features using
the data-port MAC addresses (i.e., GRE, VXLAN, or MPLS Stripping) will show as conflicting
configurations in the system.

When a valid license file does get uploaded, the existing Port MAC addresses will change
and will be assigned using the base MAC address +1, +2, +3 and so on. Additionally, the
conflicting configurations that depend on port MAC addresses will resync to use the
changed port MAC addresses.

Note: When a system is upgraded to v12.3, syslogs are recorded during bootup stating that
the previous port MAC addresses will change based on the new MAC address allocation
policy.

v12.4 Release Published: 01/07/2022 Page 47 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Scenario 6: Split ports MAC address allocation

The system will allocate the MAC addresses for the split ports during the split operation.
Each split port is assigned a static port MAC address; the assigned port MAC addresses will
remain with each split port even after a port is no longer split (i.e., no-split operation).

Similar to regular ports, if the split-port operation results in additional ports outside the
boundary of available ports based on the license file, the system will continue to assign
port MAC numbers until all ports in the system have a MAC address.

NR-2896: Support Virtual Segments for Packet Brokers and Packetron

Supported Platforms: 2825, N2 2845, N2 2847, 4248-6XL, 4272, 4432

FabricFlow creates bypass segments automatically for modular packet broker platforms.
These segments are created by default based on the hardware and cannot be deleted.
In v12.3 You can also create ‘virtual segments,’ which are user-defined software
segments that can utilize physical data ports as well as Packetron virtual ports (i.e.,
secondary ports) to configure a segment.

NOTE: Packetron virtual ports are only available if the modular packet broker has one or
more Packetron modules installed. Packetron is supported on the N2 2845 and N2 2847
platforms only.

For non-modular packet broker platforms, FabricFlow does not create segments
automatically. All segments must be created as user-defined virtual segments.

Bay/Segment ID vs Segment Name

The segments defined in a packet broker can have a combination of system-assigned

bay/segment IDs or a user-defined segment name.

v12.4 Release Published: 01/07/2022 Page 48 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Segment identification guidelines apply depending on the platform and type of

FabricFlow configuration tool used.

Virtual Segment Guidelines

Be aware of the following limitations when working with virtual segments in the
FabricFlow system.
• You can create a maximum of 32 virtual segments.
• The Packetron virtual port (i.e., secondary port) can only be used as network ports
in a segment.
• Passive-Bypass is not applicable for virtual segments.
• Tap-Bypass configuration is not supported if one of the segment network ports is a
Packetron virtual port.
• Segment Synchronization IDs can range from 1 to 428).

Inline-Decryption firewall traffic flow using Virtual Segments

In v12.3, to prevent possible traffic loss when a firewall appliance is down, you can
configure the client-firewall and server-firewall virtual ports as network ports of a virtual
segment and configure the firewall appliance as a segment appliance.

v12.4 Release Published: 01/07/2022 Page 49 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

For detailed configuration instructions, refer to the “Virtual Segments Configuration”

section of the “Packet Broker User Guide v12.3” and the “Inline-Decryption Firewall
Traffic Flow with Virtual Segments” located on the Niagara Support Portal.

NR-3370: Support Redundancy on the 3808 and 3808E Platform

Supported Platforms: 3808, 3808E

The 3808 platforms now support Redundancy configuration to deploy multiple instances
of a network device or traffic path for high availability (HA) within a network environment.

In the GUI, use the Redundancy page to view and define heart-beat and peer detail for
primary and secondary devices when deploying a redundancy solution.

You can now also use the Redundancy page to control the status of device ports when a
device is in Standby state.

For network ports, you can choose to drop (or) forward the network traffic when a device
moves to Standby. For non-network ports, traffic is not forwarded through the
configuration maps when a device is in Standby state. However, you can choose whether
to keep these ports in an operationally Up or Down state when the device is in Standby.

Note: These settings will not have an impact when a device is in Active state.

v12.4 Release Published: 01/07/2022 Page 50 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Be aware of the following restrictions and limitations when configuring redundancy ports
and settings:

For optimal redundancy operation on the 3808 platforms:

• The HB Drop Threshold should be set to 3.
• The HB Transmission Interval should be set to 100 ms.
• The HB total drop timeout (Drop Timeout = Tx Interval * Drop
Threshold) should be at least 300 ms.

For detailed configuration instructions, refer to the “Redundancy Configuration” section

of the “Packet Broker User Guide v12.3” located on the Niagara Support Portal.

NR-4123, NR-4124: Enhance the RADIUS and TACACS Pages for Server
Configuration
Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

In v12.3, changes were made to better support server configuration through the GUI and
REST API.

We made the following changes:

• A new Modify button shows on the Server Configuration page, which helps you
quickly edit the server when needed.
• You can now delete multiple servers at a time by selecting multiple checkboxes on
the Server Configuration page.
• The TACACS Active Server tab was removed and replaced with a dropdown option
on the TACACS tab to specify if the current server needs to be a primary/active
server.
• The RADIUS authentication type field was removed because only one option
[Authentication] is supported.
• In the REST API (i.e., Swagger), text fields are provided to fetch a particular server
configuration by including the IP Address Type and IP Address.

v12.4 Release Published: 01/07/2022 Page 51 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-4517: Support Tap-Split and Tap-Aggregation Traffic Modes

Supported Platforms: 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

Two new traffic modes are available in v12.3 to support Active Tap functionality in the
FabricFlow bypass switch segments.

Tap-Split Mode

In Tap-Split mode, a copy of data traffic from network ports will be forwarded to the
appliance ports (i.e., N1—>A1, N2—>A2), and the traffic between the network ports will
continue to flow. If multiple appliances are present, a copy of the network port traffic will
be forwarded to all the appliance ports (i.e., N1—>A1, A3, N2—>A2, A4). Below is the
packet flow for Tap-Split mode.

Tap-Aggregation Mode

In Tap-Aggregation Mode, a copy of data traffic from both the network ports will be
forwarded to the appliance ports (i.e., (N1+N2)—>A1, A2), and the traffic between the
network ports will continue to flow. If multiple appliances are present, a copy of the
network port traffic will be forwarded to all the appliance ports (i.e., (N1+N2)—>A1, A2,
A3, A4). Below is the packet flow for Tap-Aggregation mode.

v12.4 Release Published: 01/07/2022 Page 52 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

In the GUI, you can set these new traffic modes on the Heart-beat tab, located under
Bypass > Segment #/# > Advanced. In the CLI, use the following command to set the
active tap traffic modes:
Niagara(config-bypass-segment)# traffic mode { load-balance | tool-
chain | active-bypass | passive-bypass | tap-split | tap aggregation }

NOTE: These traffic modes require that the Heart-beat mode be set to Manual-Inline. Also,
configuration maps are not visible when an Active Tap traffic mode is used.

NR-4527: Manage Privileges for Input and Output Port Components on a

Configuration Map
Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

In v12.3, you can implement user privileges for input port and output port components
added to a configuration map. The following privilege methods are available:

Hierarchical Privilege Method

When one or more configuration map components are added to the input port or output
port on a configuration map, the Hierarchical Privilege method is enabled by default.
With this privilege method, the system looks for the lowest privilege level assigned to a
user for the Ports, Port-Groups, and Configuration Maps privileges, then applies the
lowest privilege found to any configuration maps the user tries to create or modify.

For example, there might be a situation where a user is a member of a user group with
the following privilege levels assigned:

Ports – Modify Port Groups - Access Configuration Maps - Full

In this scenario, ‘Access’ level is the lowest privilege of the three. When Hierarchical
Privilege is enabled, since the user has only Access-level privilege for port-groups, they
cannot create a configuration map with a port-group added as output. Furthermore, for
existing configuration maps that already have a port-group added as output, the user
will have only Access-level privilege to those configuration maps. This means they cannot
make any changes to the ports or port-groups on the configuration map.

Note: In addition to Ports and Port-Groups, a Virtual Packetron Port is also considered an
input/output component on a configuration map and uses the privilege level assigned to the
‘System’ privilege on the User Group page.

v12.4 Release Published: 01/07/2022 Page 53 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Component-Level Privilege Method

There are two options available on the Configuration Map page, under Advanced
Properties > Hierarchical Privilege tab, which allow you to disable or enable the
Hierarchical Privilege method for input and output ports on a configuration map.

Note: You must have a user account that is a member of the ‘Administrator’ user group to
modify the Hierarchical Privilege settings.

When the Hierarchical Privilege method is disabled for an Input or Output port (or both),
the Component-Level Privilege method becomes enabled. With this privilege method,
the system looks at the privilege level assigned specifically to each individual input and
output component on a configuration map to determine the level of access a user has.

For example, there might be a situation where the Hierarchical Privilege setting is
disabled for the Input port on a configuration map. If a user is a member of a user group
with Ports 0/1, 0/2, and 2/2 privilege levels set to ‘Modify or Full,’ and Port-Groups
privilege level set to ‘Access,’ the user can add, delete, or modify Ports 0/1, 0/2, and 2/2
on a configuration map because the lowest privilege (i.e., Access) is not taken into
account. However, the user will have view-only access to the port-group on the
configuration map; they cannot add, modify, or delete a port group on the map.

v12.4 Release Published: 01/07/2022 Page 54 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

When the Component-Level Privilege Method is active, to modify any part of a

configuration map, a user must have ‘Modify/Full’ privilege assigned for the following:

To modify this component… User Group privilege must be set to…

Configuration Map Configuration Map – Modify-Full

Ports Ports – Modify/Full

Port-Groups Port-Groups – Modify/Full

Virtual Packetron Ports System – Modify/Full

A Note about Downgrading and Hierarchical Privilege: If one or both Hierarchical Privilege
options are disabled, and later, changes are made to a configuration map based on the
Component-Level Privilege settings, downgrading to an earlier firmware version may affect
what configuration maps a user can view. This is because earlier versions of the firmware only
support the Hierarchical Privilege method, which means the system will use the lowest privilege
level assigned to the Ports, Port-Groups, and Configuration Maps privilege settings to
determine if a user can view a configuration map.

v12.4 Release Published: 01/07/2022 Page 55 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-5604: Show COM Express Module and BIOS Information

Supported Platforms: 2825, N2 2845, N2 2847, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432,

In the GUI, the System Resources page (System > System Resources) shows the following
Com Express and BIOS details:

In the CLI, use the following command to display the COM Express and BIOS details:
Niagara# show com-express information

NOTE: The 3299 hardware does not use Com Express.

v12.4 Release Published: 01/07/2022 Page 56 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Packetron™ Packet Processing Features

For detailed information about how to configure these Packetron features, refer to the
“Packetron User Guide v12.3” located on the Niagara Support Portal.

New Feature Firmware Versions Available for Packetron Features

Each Packetron module installed requires its own firmware to function properly.
Typically, the firmware loaded on Packetron modules is the default Packetron firmware.
However, certain Packetron features require you to install a feature-specific firmware
onto the Packetron module instead of the default Packetron firmware.

Packetron firmware files available for v12.3 include the following:

o Default Packetron default firmware: Packetron_Release_7.0.21
o Inline Decryption feature firmware: Packetron_Inline_Decryption_3.0.13
o Mobile Visibility feature firmware: Packetron_Mobile_Visibility_4.0.9
o Tap Decryption feature firmware: Packetron_Tap_Decryption_4.0.3

Note: If you are currently on a version of FabricFlow that is earlier than v10.12.3 and you
upgrade to v12.3, the following consideration applies:
If you decide to downgrade Mobile Visibility firmware on a Packetron module from
gsrm-2.0.0 to gsrm-1.0.32, the following error occurs:
Firmware upgrade for module 7 failed: Failed to mount the image.
Pktron Upgrade failed.

When this happens, the Packetron module configuration settings are temporarily cleared.
Note: The above does not apply if you are upgrading from v10.12.3 to v12.3.

v12.4 Release Published: 01/07/2022 Page 57 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-158, NR-3371: Introduce Packetron Application Filtering for Enhanced

Traffic-Policy Enforcement
Supported Platforms: N2 2845, N2 2847

We overhauled the previous Packetron L7 Filtering feature for v12.3, and now offer a
brand-new, license-free solution to enforce and monitor application filtering on a
network.
As of v12.3, the previous L7 Filter feature has been replaced with the new license-free
Application Filtering solution.

The new Application Filtering feature uses the power of Packetron to provide
customizable traffic-policy processing based on a variety of application protocols,
categories, and breeds. The protocols are actual applications that you can restrict or
allow, such as Google, YouTube, and many more. Categories let you control traffic by the
type of application traffic that may come through the network, such as email, media, and
more. Breeds allow you to control traffic by the traffic’s indicated threat level, such as
safe or dangerous.

Using an application protocol group combined with one or more traffic policies,
Application Filtering enables you to restrict or allow matching traffic, which is useful when
monitoring and implementing traffic security across a network.

For example, a company could use Application Filtering on applications like Netflix and
Facebook and assign a ‘Drop’ traffic policy action to the filter. As incoming packets flow
through the company’s network, packets matched to Netflix or Facebook are dropped,
while unrestricted application traffic packets are forwarded as normal, as shown in the
above diagram.

In this example, using the Application Filtering profile essentially restricts employee
access to those unauthorized applications, meeting the requirements of the established
work policy.

v12.4 Release Published: 01/07/2022 Page 58 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

In addition to Drop and Forward actions that you can apply to incoming traffic, the
Application Filtering feature also allows you to send a copy of matching traffic to an out-
of-band (OOB) appliance, and you can also redirect matching traffic to a firewall.

Application Filtering not only allows you to restrict incoming traffic, you can also use this
filter for the reverse path to control traffic that is forwarded. For example, if an employee
is suspected of using Steam® online video game application at work, the Application Filter
could be used as a monitoring filter. To do this, connect a tap to Packetron and configure
Application Filtering to forward Steam packets. This way, if the employee tries to access
Steam while at work, the packets are forwarded to capture evidence of the employee
breaking work policy.

To deploy Application Filtering on the network, filter profiles are applied to the
configuration maps you create manually in FabricFlow. You can create one or more
Application Filtering profiles and attach them to one or multiple configuration maps.

You can configure the Application Protocols Group(s), the Packetron Application Filtering
Profile, and the Filtering Policy options using the GUI, CLI, or REST API.

For detailed configuration instructions, refer to the “Application Filtering Configuration”

section of the “Packetron User Guide v12.3” located on the Niagara Support Portal.

NR-244: Support Additional Offset Headers for Packet Slicing

Supported Platforms: N2 2845, N2 2847

In v12.3, the Packetron Packet Slicing feature now has the following Header Offset types
you can choose:

Header Offset Type: Indicates the type of packet to slice when the Offset Slice option is
selected. Choose one of the following: GTP-C, GTP-U, HTTP, HTTPS, IP, IPv4, IPv6, MPLS,
SSH, SCTP, TCP, UDP.

v12.4 Release Published: 01/07/2022 Page 59 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-2538: Subscriber-Aware (GTP-U) Profile for Load Balancing

Supported Platforms: N2 2845, N2 2847

The Packetron Mobile Visibility feature now provides subscriber-aware load balancing as
a method to filter mobile network subscriber traffic more efficiently. In addition to the
core configuration settings for Mobile Visibility, specific options are available in the
Packetron Mobile Visibility profile that allow you filter and load balance GTP-U traffic in
a subscriber-aware manner. Packetron applies actions to the matching subscriber traffic
based on the filter action settings that are specified in the profile.

The following IP-address configurations will enable the system to load balance
uncorrelated GTP-U traffic based on subscriber traffic:
• User IP Address Configuration – User IP Address configuration is matched against
the inner-IP address to identify a subscriber for load balancing. The User IP Address
can have up to 20 IP addresses, along with masking parameters. This option supports
a combination of IPv4 and IPv6 addresses in the same list.
• Gateway IP Address Configuration (Core IP) – The Gateway IP Address uses
gateway protocols to filter subscriber-aware traffic. You can configure up to 10
unique IP addresses for each protocol type, which includes SGW, PGQ, SGSN, GGSN,
and Node B. However, masking is not supported for this configuration method.
For detailed configuration instructions, refer to the “Creating a Subscriber-Aware (GTP-U)
Profile for Load Balancing” section of the “Packetron User Guide v12.3” located on the
Niagara Support Portal.

v12.4 Release Published: 01/07/2022 Page 60 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-2896: Inline-Decryption Firewall Traffic Flow Using Virtual Segments

Supported Platforms: N2 2845, N2 2847

Using the virtual segment configuration will achieve the following traffic flows, which
prevents possible traffic loss if a firewall appliance goes down:
• If the virtual segment status is Inline, traffic will flow via the firewall appliances.
• If the virtual segment status is Bypass, traffic will flow between the virtual ports of
client-firewall & server-firewall.
For detailed configuration instructions for Inline Decryption, refer to the “Inline
Decryption” section of the “Packetron User Guide v12.3” located on the Niagara Support
Portal.

v12.4 Release Published: 01/07/2022 Page 61 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-3170: Change Certificate Information Options for Peer Verification in

Inline Decryption Profile
Supported Platforms: N2 2845, N2 2847

In the Inline Decryption profile, the Peer Verification option indicates whether to verify
the peer certificate for outbound connections. As of v12.3. when the Peer Verification
option is set to False, the related Certificate Information options become disabled and
are not configurable.

NR-4120: Handle Unencrypted and Unmatched Traffic for Inline Decryption

Supported Platforms: N2 2845, N2 2847

You can now configure what to do with unencrypted or unmatched traffic that flows
through the network for Packetron Inline-Decryption processing. New options are
available when you add a policy to the Packetron Inline-Decryption profile. You can
configure these new options using the GUI, CLI, or REST API.
• Unencrypted Action: When the Default TLS or HTTPS policy type is selected, this
option specifies how to handle unencrypted, non-TSL traffic. Required Option) This
option is mandatory when the policy type is set to Default TLS or HTTPS. Choose from
the following options:
• Deny: Indicates the unencrypted traffic will be dropped. No traffic output will
happen.
• Pass-through: Indicates the unencrypted traffic will be sent from client to
server and server to client without decryption. No secondary output traffic
will happen.
• Pass-through + OOB: Captures the unencrypted client and server traffic for
output to out-of-band appliances.
• Unmatched Filter Action: Specifies how to handle traffic that does not match any
policy type. Choose from the following options:
• Deny: Indicates the unmatched traffic will be dropped. No traffic output will
happen.
• Pass-through: Indicates the unmatched traffic will be sent from client to
server and server to client without decryption. No secondary output traffic
will happen.
• Pass-through + OOB: Captures the unmatched client and server traffic for
output to out-of-band appliances.

v12.4 Release Published: 01/07/2022 Page 62 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

• IP & Port Configuration: Specifies destination port and the source IP and
destination IP. (IPv4) Each policy should be configured with a destination
port/port-range. You can select a specific port number or select to use a port
range and then specify the minimum and maximum port. Enter source and
destination IP addresses with optional mask (IPv4). Click the plus sign (+) to
add more rows or the minus sign (-) to remove rows.
For detailed configuration instructions, refer to the “Inline-Decryption Configuration”
section of the “Packetron User Guide v12.3” located on the Niagara Support Portal.

NR-4838: Learn MAC through TLS SYN in Inline Decryption (ARP-less)

Supported Platforms: N2 2845, N2 2847

The Inline Decryption Client-side and Server-side Gateway configuration was enhanced
to include a new option – No ARP. When selected, Packetron will learn the MAC address
from the TCP SYN packets.

Therefore, the following three options are available when configuring the MAC Type field:

MAC Type: Indicates how the MAC address is resolved. Dynamic ARP is the default
option. Choose one of the following options:
• Dynamic ARP: Indicates the MAC address is resolved dynamically. If selected,
Packetron will use the ARP to resolve the uplink Gateway MAC address.
• Static: Indicates the MAC address is static. If selected, type the address in the MAC
address field.
• No ARP: Indicates Packetron will learn the MAC address from the TCP SYN packets.

v12.4 Release Published: 01/07/2022 Page 63 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-4923: Managing Configuration Maps with Module Topology Issues

Supported Platforms: N2 2845, N2 2847

Version 12.3 introduces a way for the system handle individual configuration maps more
efficiently when a Packetron module goes down.

An Inline-Decryption profile is associated with a specific Packetron module. When the

same Packetron Inline-Decryption profile is added to different configuration maps, the
system makes those configuration maps part of the same module topology by assigning
the same topology ID to each related map. If for any reason a particular module topology
fails, the configuration maps associated with the topology will either become disabled or
bypass Packetron module processing altogether, depending on what is configured for
the Packetron Down Action setting.

Note: A module topology automatically tries to recover from a failure three times before the
topology process fails.

When a topology fails, a Syslog is generated for each related configuration map that
becomes disabled or moves to bypass. To manage the configuration maps related to a
topology failure, perform the following steps:
1. Review the Syslog to determine the configuration maps that are disabled and
require attention.

2. For each configuration map that is disabled, use the GUI or the CLI to remove the
Inline-Decryption profile from the configuration map and then save the map.
3. Add the same Inline-Decryption profile back to the configuration map and then
resave the map.

Once the profile is added to the configuration map, a topology ID is assigned, and the
traffic will flow based on the configuration map settings.

v12.4 Release Published: 01/07/2022 Page 64 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Additional Features

NR-3944: Websocket Support for NVC

Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

The Niagara network packet broker now supports Websocket connections for NVC. See
the “NVC v2.9 Release Notes” for more information.

NR-3694, NR-4067: Add Advanced Filter Search for Ports and Port Groups
Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

The Ports and Port Groups pages now have an advanced Filter dialog box that enables
you to sift through the port or port group records and display only those records that
meet specific search criteria. This is a handy tool when there are a lot of records to
search.

Access Packet Master > Ports > User Ports tab or Packet Master > Port Groups, then

click the Filter button to show the Filter dialog box. Select the filter options
to sift through the port records. Click Apply to display only those ports or port groups
that meet the selected search criteria. This is a handy tool to quickly filter or narrow down
the list when there are a lot of records to search.

v12.4 Release Published: 01/07/2022 Page 65 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-4323: Show Device Name & Model on Browser Tab

Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

The browser tab for the FabricFlow application now shows the device name along with
device model on each GUI browser tab, which helps you to quickly find a device when
multiple browser tabs are open. Also, when you hover your mouse over a GUI browser
tab, the device name and model number displays.

v12.4 Release Published: 01/07/2022 Page 66 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

3.5 Resolved Issues in v12.3

The following issues have been fixed in FabricFlow version 12.3:
Issue Description
NR-3958 NP errors are seen if more than the maximum of L2 egress Filters (512) are
created on BCM platforms.
NR-4222 On the 3299 platform, check for optimization during Reboot/Power-Off and
Power-On cases.
NR-4284 The "show collector global params" and "show collector profile all"
commands are throwing ambiguous command error in CLI.
NR-4514 Observed DBGLock when removing Packetron profiles associated with
configuration maps.
NR-4582 NetFlow sampling interval in the CLI definition is incorrect, as the interval
value starts from 0.
NR-4813 Modifying the primary Radius server from Yes to No does not work.
NR-4867 The Packetron module does not come up after upgrade to v12.3.0.
NR-4982 Traffic Statistics page requires usability updates and the Help contents for
the page require updates as well.
NR-5020 Currently, the L3 tunnel-initiated packets with IPv6 payload have GRE
Protocol Type set to 0x0800, which is reserved for IPv4 payloads. The
correct type is 0x86DD for IPv6 payloads.
NR-5177 Observed “% Profile Update Failed: Success” message while configuring
NetFlow TCP matching fields.
NR-5184 Downloading GUI Configuration files fails even though the logs are present
in the system.
NR-5270 In the GUI on the Inline-Decryption profile page, the Filter action shows as
decrypt instead of OOB in the Policies section of the page.
NR-5476 GUI Configuration logs are always written to first log file in a particular
scenario.
NR-5526 Split port configurations are not restored when we downgrade from v12.3
to v12.2.
NR-5537 On BCM platforms, the standby device toggles between active/standby.
Also, all the network/non-network ports toggle when the HB link is up and
active.
NR-555 After performing split port and shut down on a range of ports in the 4432, a
port still remains UP on the peer side.

v12.4 Release Published: 01/07/2022 Page 67 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-5553 In certain situations, some filters do not install consistently in hardware
while associating a NetFlow profile to a configuration map.
NR-5572 Receiving the following message while associating NetFlow profile:
"Warning: The Packetron modules configuration failed. Packetron actions
will not take effect."
NR-5591 On the 3808, traffic flow is not working as expected in standby device when
HB mode is in Manual Inline.
NR-5624 Port-channel configuration maps are not forwarded to any traffic after a
reload when we have Load Balancing policy.
NR-5667 L2/L3 GRE and Dynamic VXLAN tunnels go down after a device reload.
NR-5896 Microburst status needs to be removed in the Filtering options in 3808 and
3299.
NR-6065 In 4248-6XL v12.2v GUI, a user cannot navigate to other pages in
configuration map filters.
NR-6071 Fan Status 2 on the N2 2847 S2 displays as "Not Operational." This issue
happens inconsistently.
NR-6290 When a user changes the IP mode of the 3299/3299T device from DHCP to
static, the gateway address gets lost and there is the device is unreachable.

v12.4 Release Published: 01/07/2022 Page 68 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

3.6 Known Issues and Workarounds in v12.3

The following have been identified as known issues in FabricFlow version 12.3:
Issue Description Workaround/Note
NR-1597 Sporadic port flapping happens on the Apply “shutdown” and “no
4432 with 40G SFP. shutdown” on the flapping ports.
NR-2871 Unable to add special characters to A user can use special characters
config file name saved to Flash. when saving config file using
remote TFTP.
NR-2923 When working with Packetron Mobile Instead of updating the sampling
Visibility feature, if a user updates the rate, delete and then recreate the
new sampling rate value, the change Mobile Visibility filter with the new
might not take affect and the previous sampling rate value.
sampling rate would remail active.
NR-3258 On 2825 and 2845 devices, segments in Perform one of the following tasks
HB advanced mode are always Inline. as a workaround for this issue:
Heartbeat generation mode advanced -Remove module from Bay 3.
pushes a segment to Inline state when -Remove module from Bay 2
the device with HB module has 100G
-Remove module from Bay 1 (if
module in Bay 0, Bypass module in Bay
present)
2, and module in Bay 3.
-Use basic heartbeat generation
instead of advanced.

NR-4258 When the 3808 is connected to a 4432 No workaround is needed. The

or 4248-6XL device, and interface system will restore on its own.
shutdown/no shutdown/ commands are
performed, this causes the interface to
come UP after a delay of approximately
40 seconds.
NR-5081 In the Mobile Visibility feature, a filter
with GTPv1 handles GTPU packets that
belong to the GTPv2 session.
NR-2703 In the Mobile Visibility feature for GTP-C
NR-5084 update, if you only update 'GTP-C
version, an error message displays.
NR-5831 When a user performs a reboot on a Perform ‘no split’ and ‘split’
4432 device with 40G QSFP split ports, operations on the affected port to
bring the split ports UP.

v12.4 Release Published: 01/07/2022 Page 69 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description Workaround/Note

the split ports occasionally remain
DOWN.
NR-5838 In v12.2, there are a maximum of 128 If you see errors, you can continue
segments. In v12.3, there are an because the errors will not affect
additional 300 virtual segments for a functionality in v12.2.
total 428 max segments. The reserved You can also use “write startup
VLANs are reserved for all 428 downgrade” CLI command to
segments. avoid seeing the errors altogether.
When downgrading to v12.2 with the
additional VLAN and virtual segments
configured, the reserved VLANs for the
virtual segments will fail when the
system restore happens because the
virtual segments are not supported in
v12.2. As a result, errors will show.
NR-6095 On the 3299 device, Syslog messages There is no workaround; however,
are too verbose at boot time when a after a link is established, the
1/10G dual-speed SFP is plugged into a messages no longer display.
1G Fiber I/O module). The messages are
caused by slightly inaccurate "soft-auto
negotiation" speed switching.
These messages do not affect
performance in any way.

NR-6379 Sometimes a link is down with auto Perform "set auto-negotiation

negotiation enabled on the AVAGO enable" CLI command again on
AFCT-701SDDZ 1/10G dual-speed SFP. both sides.
The issue happens sporadically. (Note:
This issue is seen on BCM-series
platforms only.)

v12.4 Release Published: 01/07/2022 Page 70 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

3.7 Known Limitations in v12.3

FabricFlow v12.3 includes the following known limitations:
Issue Description
NR-1506 When you modify a NetFlow configuration, Packetron must export all the
data collected for the previous configuration into a Flow Table. If traffic is
flowing at line rate, there could be up to 2097152 flow entries in the Flow
Table. Therefore, it may take up to 60 seconds to export all the flows that
are in the table.
As a workaround, you can disable the configuration map associated with
the NetFlow profile before you modify the profile for a period that is more
or equal to NetFlow "Active Timeout" (by default--130 seconds).
NR-2085 If using the Mozilla Firefox browser, you cannot use an IPv6 address to
access the Management GUI in Firefox versions 84, 85, and 86 because the
document.cookie is empty. This is described in the following existing
Mozilla Firefox issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1683593

Note: This issue does not affect Firefox versions 83 and earlier and versions 87
and later.

NR-3458 Version 12.3 supports switchname with more than 15 characters (up to 64).
v10.12.x supports switchname with a maximum of 15 characters.
If switchname is configured with more than 15 characters and a user tries
to downgrade to v10.12.x with the configuration of v12.2 (saved with write
startup-config in v12.2), then system instability is expected.
Workaround:
Because of this, if you configure v12.2 with a switchname more than 15
characters, and then plan to downgrade to v10.12.x versions, you need to
provide “write startup-downgrade,”
With this downgrade configuration, the switchname will be truncated to 15
characters (if originally configured for more than 15 characters).
This same configuration will work fine in v10.12.x versions without any
system instability.

v12.4 Release Published: 01/07/2022 Page 71 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-3700 The system will not allow a user to create two filters having the same
source/destination IP addresses but with different ERSPAN types.
For example, the following filters configuration is not valid:
packetron tunnel erspan t01 srcip 192.168.0.1 mask 32 dstip
10.10.0.1 version v2
packetron tunnel erspan t02 srcip 192.168.0.1 mask 32 dstip
10.10.0.1 version v3
The system will display an error message when a user tries to create and
save the second filter.
NR-3705 Setting force-speed to 10M and 100M is not supported on 1G copper SFPs
with SGMIII interface type configured. On the copper SFPs that use
1000Base-X interface type as the default (Finisar FCLF-8521-3, Finisar
FCLF8521P2BTL, Finisar FCLF8522P2BTL), only 1G speed is supported.
NR-3732 When a user connects two devices using Finisar Active Copper SFP, force
10M on one side and 100M on the other side, after 1-2 minutes, the 10M
side starts flapping.
There is no workaround for this issue. However, setting ports to 100M, 1G,
or Auto speed works fine. This limitation applies to 10M speed only.
NR-5003 L4 IP checksum is always recalculated. This is for L4 headers only.

v12.4 Release Published: 01/07/2022 Page 72 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

4 FabricFlow Version 12.2.2

4.1 About this Release

Niagara Networks is pleased to bring you the release of FabricFlow v12.2.2, which includes
new features and improvements that benefit our customers. Please read the release notes
for v12.2.2 in their entirety before deploying new firmware.

Important! The v12.2.2 release is supported on the following platforms: 3299 and 3299TT

4.2 Related Documentation

v12.4 Release Published: 01/07/2022 Page 73 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

4.3 What’s New in v12.2.2?

FabricFlow v12.2.2 provides the following firmware/software enhancements and changes:

NR-4916: Optimize Copper Module Ports for Faster Segment Switching

Supported Platforms: 3299, 3299TT

In v12.2.2, new enhancements were applied to the copper module for the 3299 platform,
which are designed to reduce the negotiation time and limit traffic loss during segment
switching scenarios.

The physical (PHY) layer settings were enhanced for better performance and are now
configurable, if needed, based on the desired peer device settings. You can use the CLI
to customize the following PHY properties for a more optimized link negotiation on the
copper ports (RJ45):
• Master/Slave Mode – Enables you to set the master-slave modes on the 3299
copper ports, which will force a link partner’s ports to have the applicable
master-slave settings when the copper port relays are switched from active to
passive state. This ensures the link partner’s ports will stay in an UP state with
minimal traffic loss.
• Crossover Mode – Enables you to set a fixed crossover mode that will force a
link partner’s ports to be in the proper crossover mode during an active to
passive state. This ensures the link stays in an UP state with minimal traffic loss.

Bay-level Copper Port Optimization Command

When you configure the copper port optimization at the Bay (slot) level, the underlying
‘crossover’ and ‘master-slave’ mode settings will be applied to all interface ports within
the selected bay. Use the following CLI command to configure these PHY settings at the
bay level:
Niagara# configure terminal
Niagara(config)# set phy-properties { optimized | default } <slotid(0-
7)>

Optimized - Crossover mode is set to MDIX and Master-Slave mode is set

to master or slave accordingly, for N1 and N2 ports within the selected
bay. ‘Optimized’ is the default boot mode for the supported copper
module and is applied automatically at each boot unless PHY properties
setting is changed to ‘Default’ option.
Default – Both the Crossover and Master-Slave modes are reset to
default.

v12.4 Release Published: 01/07/2022 Page 74 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Port-level Copper Port Optimization Commands

Configuring copper port optimization at the interface (physical port) level requires you
to set the ‘master-slave’ and ‘crossover’ mode settings individually, for each applicable
interface port. Use the following CLI command to configure these PHY settings at the
port level:
Niagara# configure terminal
Niagara(config)# interface ex 1/1
Niagara(config-if)# set master-slave-mode { default | auto | master |
slave }

Default - Master mode reset to default.

Auto - Negotiate with Peer device based on master/slave settings.
Master - Configure to master.
Slave - Configure to slave.

Niagara# configure terminal

Niagara(config)# interface ex 1/1
Niagara(config-if)# set crossover-mode { default | auto | MDI | MDIX }

Default - Crossover mode reset to default

Auto - Negotiate with Peer device based on crossover settings.
MDI - Configure to MDI.
MDIX - Configure to MDIX (MDI crossover).

Optimization Settings Guidelines

Please make note of how optimization settings will work based on existing configuration
settings.
• If there are no saved configurations present, all ports are set to ‘Optimized’ at
each boot.
• If configuration settings are saved before a system reload is performed, all ports
are restored based on the saved configuration settings.
• Configured ports will go DOWN and come UP after optimization settings are
made. If the settings are made at the bay level, all the ports within the bay will
go DOWN and UP.
• The last configured setting value (either bay-level or port-level) is always applied
and saved.

v12.4 Release Published: 01/07/2022 Page 75 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Show Copper Port Optimization Commands

Use the following ‘show’ command to view the crossover settings of all the copper
modules in the 3299 device:
Niagara# show port cross-over

Use the following ‘show’ command to view the master/slave settings of all the copper
modules in the 3299 device:
Niagara# show port master-slave

v12.4 Release Published: 01/07/2022 Page 76 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

4.4 Resolved Issues in v12.2.2

The following issues have been fixed in FabricFlow version 12.2.2:
Issue Description
NR-4222 Check for Optimization during Reboot / Power Off and Power On cases.

4.5 Known Issues and Workarounds in v12.2.2

The following have been identified as known issues in FabricFlow version 12.2.2:
Issue Description Workaround/Note
NR-2871 Unable to add special characters to A user can use special characters
config file name saved to Flash. when saving config file using
remote TFTP.

v12.4 Release Published: 01/07/2022 Page 77 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

4.6 Known Limitations in v12.2.2

FabricFlow v12.2.2 includes the following known limitations:
Issue Description
NR-2085 If using the Mozilla Firefox browser, you cannot use an IPv6 address to
access the Management GUI in Firefox versions 84, 85, and 86 because the
document.cookie is empty. This is described in the following existing
Mozilla Firefox issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1683593

Note: This issue does not affect Firefox versions 83 and earlier and versions 87
and later.

NR-3458 Version 12.2 supports switchname with more than 15 characters (up to 64).
v10.12.x supports switchname with a maximum of 15 characters.
If switchname is configured with more than 15 characters and a user tries
to downgrade to v10.12.x with the configuration of v12.2 (saved with write
startup-config in v12.2), then system instability is expected.
Workaround:
Because of this, if you configure v12.2 with a switchname more than 15
characters, and then plan to downgrade to v10.12.x versions, you need to
provide “write startup-downgrade,”
With this downgrade configuration, the switchname will be truncated to 15
characters (if originally configured for more than 15 characters).
This same configuration will work fine in v10.12.x versions without any
system instability.

v12.4 Release Published: 01/07/2022 Page 78 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

5 FabricFlow Version 12.2.1

5.1 About this Release

Niagara Networks is pleased to bring you the release of FabricFlow v12.2.1, which includes
new features and improvements that benefit our customers. Please read the release notes
for v12.2.1 in their entirety before deploying new firmware.

Important! The v12.2.1 release is supported on the following platform: 2825

5.2 Related Documentation

The following documents from the most recent major release are available on the Niagara
Networks Help Center Portal at support.niagaranetworks.com:
• Niagara Bypass Switch User Guide v12.2.1
• Niagara FabricFlow REST API Guide v12.2.1

v12.4 Release Published: 01/07/2022 Page 79 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

5.3 What’s New in v12.2.1?

FabricFlow v12.2.1 provides the following firmware/software enhancements and changes:

NR-4030: Support Tap-Split and Tap-Aggregation Traffic Modes

Supported Platforms: N2 2825

Two new traffic modes are available in v12.2.1 to support Active Tap functionality in the
FabricFlow bypass switch segments.

Tap-Split Mode

Tap-Aggregation Mode

v12.4 Release Published: 01/07/2022 Page 80 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NOTE: These traffic modes require that the Heart-beat mode be set to Manual-Inline. Also,
configuration maps are not visible when an Active Tap traffic mode is used.

v12.4 Release Published: 01/07/2022 Page 81 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

5.4 Known Issues and Workarounds in v12.2.1

The following have been identified as known issues in FabricFlow version 12.2.1:
Issue Description Workaround/Note
NR-2871 Unable to add special characters to A user can use special characters
config file name saved to Flash. when saving config file using
remote TFTP.

v12.4 Release Published: 01/07/2022 Page 82 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

5.5 Known Limitations in v12.2.1

FabricFlow v12.2.1 includes the following known limitations:
Issue Description
NR-2085 If using the Mozilla Firefox browser, you cannot use an IPv6 address to
access the Management GUI in Firefox versions 84, 85, and 86 because the
document.cookie is empty. This is described in the following existing
Mozilla Firefox issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1683593

Note: This issue does not affect Firefox versions 83 and earlier and versions 87
and later.

v12.4 Release Published: 01/07/2022 Page 83 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

6 FabricFlow Version 12.2

6.1 About this Release

Niagara Networks is pleased to bring you the release of FabricFlow v12.2, which includes a
host of new features and improvements that benefit our customers. Please read the release
notes for v12.2 in their entirety before deploying new firmware.
Important! The v12.2 release is supported on the following platforms: 2825, 2845 S2, 2847 S2,
3808, 3808E, 3299, 3299TT, 4248-6XL, 4272, and 4432

6.2 Related Documentation

The following documents from the most recent major release are available on the Niagara
Networks Help Center Portal at support.niagaranetworks.com:
• Niagara Packet Broker User Guide v12.2
• Niagara Bypass Switch User Guide v12.2
• Niagara Packetron User Guide v12.2
• Niagara FabricFlow REST API Guide v12.2
• Integrating Packetron with VMware Feature Guide v10.12.3 (and later)

v12.4 Release Published: 01/07/2022 Page 84 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

6.3 What’s New in v12.2?

FabricFlow v12.2 provides the following firmware/software enhancements and changes:

NOTE: Niagara Networks recently migrated to a new project tracking tool. As a result, the
feature numbering convention is now: NR-XXX.

Highlighted Features

NR-43: Support VLAN Priority for Filtering

Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

The Niagara packet broker has the capability to filter packets based on different fields in
the Ethernet, IP, TCP and UDP headers. As of v12.1, the system can now also filter packets
based on the 3-bit VLAN priority field of the 802.1Q VLAN header.

The QoS VLAN Priority lets you assign a priority to outbound packets that contain the
specified VLAN-ID (VID). This 802.1 priority decides the outbound port queue to which
the packet is sent. Packets in a tagged VLAN carry the 802.1p priority with them to the
next downstream device.

You can use the CLI, REST API, or access Packet Master > Filter Templates > Filter
Criteria tab in the GUI to set VLAN Priority.

v12.4 Release Published: 01/07/2022 Page 85 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-135: Provide Microburst Detection on Ports

Supported Platforms: 2825, N2 2845, N2 2847, 4248-6XL, 4272, 4432

FabricFlow v12.2 introduces Microburst Detection for device data ports, Packetron virtual
ports, and Packetron module ports.

Microbursts are small, random spikes in network traffic that happen within a very short
time interval, which can cause network interfaces to become oversubscribed and drop
packets as a result. A key challenge to mitigating microbursts is the ability to detect them
in the first place. Many tools that watch for traffic anomalies usually poll at time intervals
that do not allow for microburst detection. Furthermore, due to the transient nature of
microbursts, they are often missed by standard monitoring tools that average statistics
over multiple seconds.

FabricFlow provides several options to detect and notify users about microbursts that
occur on the various ports in the system.

You can configure Microburst Detection for data ports and Packetron virtual ports in the
GUI, using the Advanced Configuration dialog box on the Ports List page.

NOTE: You can configure Microburst Detection for Packetron module ports using the CLI.

In addition to configuring Microburst Detection, FabricFlow uses Syslog and SNMP Trap
messages to provide notification when microbursts happen. And statistical information
is also available to view in the GUI and CLI, which includes count detail for packets/bytes
dropped due to microburst activity.
For detailed information on how to configure the Microburst Detection feature, and view
microburst-related notifications and statistics, see the “Niagara Packet Broker User
Guide v12.2,” “Niagara Bypass Switch v12.2,” and “Niagara Packetron User Guide v12.2,”
located on the Niagara Support Portal.

v12.4 Release Published: 01/07/2022 Page 86 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-1052, NR-1967: Support IPv6 Port Egress Filters

Supported Platforms: N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

FabricFlow now supports IPv6 port egress filtering on packet broker platforms. An egress
filter is applied to a port and helps to filter outgoing data packets before the data leaves the
network. Egress filters can help stop unsafe activity or data from accessing other systems or
networks.

NOTE: If you are configuring one of the following platforms, you must first reserve filter
resources before you can use an IPv6 filter as an egress filter on a port: N2 2845, N2 2847,
4272, 4432, 4248-6XL.

An egress filter must be created as a filter template first before you can apply it to a port.
Once configured, the egress filter is added to a port using the Port Properties page.

For detailed information on how to configure an egress filter on a port, see the “Niagara
Packet Broker User Guide v12.2,” located on the Niagara Support Portal.

v12.4 Release Published: 01/07/2022 Page 87 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-1571: Split “Config Save” into Three Separate User Privileges

Supported Platforms: 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

The Group Configuration page enables you to set up user groups and specify the ports and
feature privileges to which each group will have access. In previous releases, there was only
a single ‘Config Save’ privilege option that controlled who could use start-up configuration,
flash configuration, and remote configuration save options in the system.

To allow more control over assigning privileges to these save functions, the ‘Config Save’
privilege was separated into the following individual save privileges: Start-up Config Save,
Flash Config Save, Remote Config Save.

Now, any user who needs to perform one or more of the above functions must be a member
of a user group that has the privilege for that function set to Modify or Full. For example, to
select ‘Start-up Config Save’ as a save option, the user should be part of a group that has
Start-up Config Save privilege set to Modify or Full.

To implement the new privileges:

1. Upgrade to v12.2.

2. Save the configurations in v12.2.

3. Reboot the system.

NOTE: If Steps 2 and 3 are not performed after an upgrade, the system privileges will function
in the same manner as earlier versions.

v12.4 Release Published: 01/07/2022 Page 88 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Backward Compatibility

When configurations are restored from firmware versions earlier than v12.2, the following
considerations apply:
• Because these are new privileges, whatever value was set for the old ‘Config Save’
privilege, that value is applied to the three new privileges. This is applicable when
configuration is restored from v10.12.0.1, v10.12.1, v10.12.2, or v10.12.3.
• If configuration is restored from firmware versions earlier than v10.12.0.1 the
‘System’ privilege value is applied to the three new privileges.

Privileges for Save, Erase, and Restore after Upgrading to v12.2

Based on this enhancement, the following table shows what privileges must be set to
perform tasks related to configuration save, erase, and restore:

Privileges for
Privileges for
System Privileges for v10.12.0.1,
versions earlier
Function v12.2 v10.12.1, &
than v10.12.0.1
v10.12.2

1 Save the start-up Start-up Config Start-up Config save Start-up Config save
configuration save privilege set privilege set to Modify privilege set to Modify /
to Modify / Full / Full Full

2 Save the configuration Flash save privilege Flash save privilege Flash save privilege set
to flash set to Modify / Full set to Modify / Full to Modify / Full

3 Save the configuration Remote save Remote save privilege Remote save privilege
to remote server privilege set to set to Modify / Full set to Modify / Full
Modify / Full

4 Restore the System privilege Start-up Config save System save privilege set
configurations from set to Full privilege (or) Flash to Modify / Full
flash / remote server / save (or) Remote save
HTTP / SCP. set to Modify / Full

5 Erase the System privilege System save privilege System save privilege set
configurations set to Full set to Modify / Full to Modify / Full

6 Modify the file name to System privilege Start-up Config save System save privilege set
be saved in flash / set to Full (or) Flash privilege (or) Flash to Modify / Full
remote server Save privilege set save (or) Remote save
to Full (or) Remote set to Modify / Full
save privilege set
to Full

v12.4 Release Published: 01/07/2022 Page 89 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Packetron™ Packet Processing Features

For detailed information about how to configure these Packetron features, refer to the
“Packetron User Guide v12.2” located on the Niagara Support Portal.

New Feature Firmware Versions Available for Packetron Features

Each Packetron module installed requires its own firmware to function properly.
Typically, the firmware loaded on Packetron modules is the default Packetron firmware.
However, certain Packetron features require you to install a feature-specific firmware
onto the Packetron module instead of the default Packetron firmware.

The Packetron firmware files available for v12.2 release are as follows:
o Default Packetron default firmware: Packetron_Release_6.1.11
o Inline Decryption feature firmware: Packetron_Inline_Decryption_3.1.9
o Mobile Visibility feature firmware: Packetron_Mobile_Visibility_3.0.16
o Tap Decryption feature firmware: Packetron_Tap_Decryption_3.0.7

Note: If you are currently on a version of FabricFlow that is earlier than v10.12.3 and you
upgrade to v12.2, the following consideration applies:
If you decide to downgrade Mobile Visibility firmware on a Packetron module from
gsrm-2.0.0 to gsrm-1.0.32, the following error occurs:
Firmware upgrade for module 7 failed: Failed to mount the image.
Pktron Upgrade failed.

When this happens, the Packetron module configuration settings are temporarily cleared.
Note: The above does not apply if you are upgrading from v10.12.3 to 12.2.

v12.4 Release Published: 01/07/2022 Page 90 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-307, NR-308: Support Subscriber Sampling and Whitelists for Packetron

Mobile Visibility
Supported Platforms: N2 2845, N2 2847

Packetron Mobile Visibility introduces a new ‘Sampling’ feature that allows you to use
GTP-C traffic to sample incoming subscriber-aware traffic, which can then be sent to
various tools that may need the traffic data for further processing or analysis. Subscriber
sampling reduces the amount of traffic volume sent to the different tools, resulting in
more efficient data management and monitoring.

Sampling randomly selects active subscribers based on a user-defined sampling rate,

and then forwards the sampled subscriber traffic to an output port group (OPG). The
traffic from the OPG port can then be filtered and redirected to data ports.

Sampling options are available when configuring a Packetron Mobile Visibility profile in
the GUI, CLI, or REST API.

In addition to the new Sampling feature, Packetron Mobile Visibility also supports a new
‘Whitelist’ feature. A whitelist is a list of IMSI, IMEI, or MSISDN identifiers that can be used
as GTP-C filter match criteria when configuring a Mobile Visibility GTP-C Correlation filter.

Whitelists are configurable through the GUI, CLI, or REST API. A new Whitelist
Management tab is available in the GUI under Packet Master > Packetron > Mobile
Visibility Global Configuration.

v12.4 Release Published: 01/07/2022 Page 91 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

You can create a whitelist record in the system and then upload to the record, a whitelist
file that contains a list of entries for the type of identifier match criteria you want to use.
For example, if you want to use IMEIs as match criteria, then you would upload a whitelist
file that has a list of IMEIs and associate it to the whitelist record.

Each whitelist record must be linked to one or multiple Packetron modules and you can
have a maximum of 256 whitelists uploaded to a module.

Once a whitelist record is created, you can then use it as match criteria for a Mobile
Visibility profile with GTP-C Correlation filter.
For detailed information on how to configure Sampling options and Whitelists for
Packetron Mobile Visibility, see the “Niagara Packetron User Guide v12.2” located on the
Niagara Support Portal.

v12.4 Release Published: 01/07/2022 Page 92 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-169: Enhance the Packetron Inline-Decryption Configuration Process

Supported Platforms: N2 2845, N2 2847

Changes were made to the Packetron Inline-Decryption feature to make the

configuration process more user friendly. We removed existing restrictions and
eliminated the creation of any ‘behind-the-scenes’ configuration maps, giving users more
control over the entire configuration process.

The following table shows a side-by-side comparison of the differences between how
Inline-Decryption was configured previously, and how it is now configured in v12.2.

Inline-Decryption Configuration Process Inline-Decryption Configuration Process

up to v10.12.3 in v12.2
1. Create an Inline-Decryption profile with This step is the same for v12.2.
password and URL.
2. Add the Inline-Decryption profile to a In v12.2 you can now add multiple input ports
configuration map with only one input port and and multiple output ports.
one output port. You can also add filters to the configuration
maps.
If same Packetron Inline-Decryption profile is
added to different configuration maps, all the
configuration maps will be identified as part of
the same topology (client-server).
3. The input port and output port cannot be used In v12.2, this restriction is no longer appliable.
in any other configuration map.
4. An internal reverse rule was created between User should explicitly create the reverse
the output and input port that directed the configuration maps
system to create reverse configuration maps
behind the scenes.
5. When creating the configuration map for the In v12.2, this restriction is no longer appliable.
firewall appliance, the internal reverse rule also
applied, making the system create configuration
maps behind the scenes.
6. Virtual ports cannot be added as output port of In v12.2 you can now add a virtual port as an
a configuration map. output port of a configuration map.
Note: If the virtual port is an output port on a
configuration map, only an advanced actions
‘none’ or ‘strip-vlan’ are supported.

v12.4 Release Published: 01/07/2022 Page 93 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-2606: Support URL Filtering for Packetron Inline-Decryption

Supported Platforms: N2 2845, N2 2847

The Packetron Inline-Decryption feature was enhanced to support URL category filtering.
A URL category is the domain portion of a URL or a list of regular expressions that can
be matched against a URL in HTTPS traffic. You can use this optional category with the
Inline-Decryption feature to filter website URL categories with the purpose to block or
allow access to one or more website URLs.

For example, you can configure a Domain URL category that filters for any URL that ends
with .com. using the following category criteria:

For example:
*.com will match any URL that ends with “.com”
abc.com, cpu.com, niagara.com, etc.

You can also use a RegEx URL category to match any keyword pattern you have in a URL.
The RegEx type follows the same syntax that is used in the Packetron RegEx feature.

For example, you can configure a RegEx URL category that filters for any URL that ends
with /forbidden using the following category criteria:

For example:
/forbidden$ will match any URL that ends with
example.com/a/b/forbidden
“/forbidden”
some.domain/path/forbidden

URL categories are configurable through the GUI or CLI. A new URL Categories tab is
available in the GUI under Packet Master > Packetron > Packetron Configuration to enter
URL category criteria or upload a separate .txt file that contains a list of URL category
criteria.

URL categories are applied to one or more filters created for an Inline Decryption profile.
For detailed information on how to configure URL categories and apply to filters for
Inline-Decryption, see “Niagara Packetron User Guide v12.2” located on the Niagara
Support Portal.

v12.4 Release Published: 01/07/2022 Page 94 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

NR-2952: Support Transparent Cipher Mode for Inline-Decryption

Supported Platforms: N2 2845, N2 2847

In previous versions of Packetron Inline-Decryption, the cipher configuration had three

modes: Default, Security Levels, and Server Security Level. As of v12.2, a new cipher mode
called ‘Transparent’ is available when configuring Inline-Decryption profiles.

When ‘Transparent’ is selected, ciphers from the client’s ‘client hello’ are used to
negotiate with the server. Then, the negotiated cipher is used for client <-> decryption
connection.

NR-3646: Support Manual Gateway Configuration for Inline-Decryption

Supported Platforms: N2 2845, N2 2847

Packetron Inline-Decryption introduces new options to manually configure the server-

side gateway and client-side gateway MAC addresses.

When the gateway MAC address is configured, Packetron will obtain the address directly
from the MAC address field. However, if a user does not configure the Gateway MAC
address, Packetron will use the ARP to resolve the Gateway MAC address.

The gateway MAC address options are available when configuring the Packetron Inline-
Decryption profile.

The MAC type option can be dynamic or static. When set to dynamic, the ARP is used to
resolve the gateway MAC address. When set to static, the MAC Address field becomes
available so that you can enter the static MAC address.
For detailed information on how to gateway MAC address options for Packetron Inline-
Visibility, see the “Niagara Packetron User Guide v12.2,” located on the Niagara Support
Portal.

v12.4 Release Published: 01/07/2022 Page 95 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Bypass Segment Related Features

NR-2528 Support Faster Heart-Beat Packet Transmission Intervals

Supported Platforms: 2825, N2 2845, N2 2847, 3299, 3299TT, 3808, 3808E, 4248-6XL, 4272, 4432

The packet broker transmits heart-beat packets at user-defined intervals to monitor the
appliance of a bypass segment. In earlier releases, 30 milli-seconds was the lowest
interval supported for heart-beat packet transmission. In v12.2, the packet broker now
supports 10 milli-second intervals for heart-beat packet transmission. Additionally, the
software default for heart-beat packet transmission is now changed to 10 milli-seconds.

v12.4 Release Published: 01/07/2022 Page 96 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

6.4 Resolved Issues in v12.2

The following issues have been fixed in FabricFlow version 12.2:
Issue Description
NR-911 Segment Label, description changes not reflected in the REST GET endpoint.
NR-956 System RAM remains at 41% with frequent commands to clear Packetron
statistics and without any HTTP/HTTPS requests.
NR-1163 Port operations should be restricted when the synced unit has only ACCESS
level to PORTS section.
NR-1196 The "IconId" key is missing in the Ports GET response for the REST API.
NR-1288 Updated link status is not populated in the GET REST endpoints (/ports and
ports/status).
NR-1289 Configuration changes for Ports > Advanced Properties are not populated
in the REST API GET Response.
NR-1311 ERSPAN - Policy on unmatched packet action is not updated properly via
CLI.
NR-1632 3299 firmware upgrade fails because the image size is too large.
NR-1637 For GET all of L2/L3/UDB filter request and configuration map request, the
system sends "{ "respCode": 100, "respMsg": "Configuration Failed" }"
response.
NR-1642 In the CLI, Packetron firmware upgrade does not display the full list of
option parameters.
NR-1656 Unable to update port session load with REST API.
NR-1696 There is no option to GET/POST/PUT the management-if information
through Swagger.
NR-1885 GET Egress filters endpoint does not work in the Swagger REST API.
NR-2013 DNS Requests are being generated from the packet broker.
NR-2134 Occasionally, the “show system information" command will show interface
statuses.
NR-2274 Ports are not populated on the GRE Configuration dialog box.
NR-2283 Device 3299 for firmware 12.0 / 12.0.0.1 / 12.0.0.2, config changes do not
take effect on bypass segment "Range" configurations.
NR-2559 Static L2 GRE initiation traffic gets out discarded at the output port when
the segment is in bypass state.
NR-2560 Static L3 GRE encapsulation does not work correctly when the segment is in
bypass state.

v12.4 Release Published: 01/07/2022 Page 97 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-2579 Static L2 GRE termination is not working if the key is modified to the same
value for all the tunnels.
NR-2581 System allowing to create GRE tunnels more than the hardware limit when
split ports are used.
NR-2585 The Port Group dialog box displays unexpectedly.
NR-2586 In BCM platforms, traffic loss is observed when switching from primary to
backup ports in a port-channel and vice-versa, which is part of a bypass
segment configuration map.
NR-2587 The MPLS-strip advanced action radio button should be blocked when
output is virtual port.
NR-2590 Unable to modify the VLAN action from GUI.
NR-2594 In fixed NPBs, incorrect traffic is observed on appliance ports, when
Secondary appliance is added to traffic and with user-specific-traffic-flow
and failover mode as 'discard.'
NR-2608 Traffic gets in-discarded at the network ports when the traffic mode is
changed to tool-chain.
NR-2620 IPv6-flow label criteria should be removed from ingress filter in 3808 and
3299 devices.
NR-2756 On platforms 4432 and 4848-6XL, with firmware 10.12.3 installed, users are
unable to change port icon in GUI.
NR-2766 Traffic flow is not as expected when deleting second-to-last egress filter on
the physical port.
NR-2767 Egress Filter on the port disappeared when editing filter criteria of the filter
through CLI.
NR-2771 Critical Appliance heart-beat Type field should be removed in 3808 and
3299 as only one type of Critical Appliance heart-beat Type (Normal) is
supported.
NR-2801 All virtual port configuration maps remain disabled after performing a
restore.
NR-2804 A segment goes to bypass state when bringing primary appliance pair
down.
NR-2819 The Clear Statistics endpoint does not work for GTP correlation, GTP Load
Balance, TLS, and Tunnels.
NR-2832 The system should not allow a user to delete the last profile associated to a
configuration map if their virtual port is part of any map.

v12.4 Release Published: 01/07/2022 Page 98 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-2897 When the appliance ports are brought up with tap bypass enabled, this
causes system instability.
NR-2902 Alignment issues exist in the “show configuration map brief” response in
the CLI.
NR-3076 Many of the configurations are not restored properly when upgrading from
v10.12.3/v10.12.0 to v12.2.
NR-3107 Name field is not editable in the Edit Packetron Profile dialog box.
NR-3108 Reset option erases the name of the Inline-Decryption Policy and Filter.
NR-3129 Traffic gets dropped with advanced action tag vlan and egress filter added
with vlan priority for double tagged packets
NR-3153 L2/L3 GRE scaled termination tunnels are not retained after a reload.
NR-3159 When configuring a Mobile Visibility - GTP Correlation profile, the default
filter is removed when a user clicks the Reset button.
NR-3192 The Cancel button on the Bypass Segment > Advanced dialog box does not
work properly.
NR-3226 SNMP parameters from Solarwinds to packet broker device does not work.
NR-3254 Unable to remove SNMP Community index when the special characters are
included.
NR-3255 Non-admin group member should be able to access the 'show user active'
command in the CLI.
NR-3262 Memory leak happens when memory continues to increase for both RAM
and vsz of iss, when download sysconf request is invoked continuously via
script.
NR-3272 When segment mode is changed, the segment mode option for copper
module becomes greyed out in IO Modules page.
NR-3282 IPv4 remote manager service is not configured properly for several services
(SCP, SSH, TFTP).
NR-3456 PSU does not come on after disconnection the plug and then plugging back
into a power source.
NR-3464 When “Max Subscribers” option is changed for Mobile Visibility, a
confirmation dialog box should be invoked.
NR-3483 The system should validate Mobile Visibility "Max Subscribers" and "GSRM
Concurrent Bearer Limit" based on Packetron capabilities.
NR-3499 The GUI should allow the number of filters that are available.

v12.4 Release Published: 01/07/2022 Page 99 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-3524 The system should not allow a user to manage remote manager command
when all privileges are set to "None."
NR-3655 A user with "Modify" privilege for System and all other functions set to
"None" should not be allowed to restore the configurations in the GUI with
HTTP local.
NR-3666 NP errors display in the console while adding the maximum number of
Egress filters in the system.
NR-3782 Warning message is not flagged when subscribed maximum bandwidth of
packetron module (>80GB) is reached for particular scenarios in bare-metal
mode.
NR-3837 In Packetron Mobile Visibility, the GUI should not allow filters with a range
over the maximum 1M.
NR-3843 The following error is seen while downloading an SSL certificate from the
remote server: 'Error: Could not open the .pem file.'
NR-3945 User privileges do not work as expected when upgrading the system from
v10.12.3 to v12.2.
NR-3946 Crash seen during bypass segment update from GUI - Inconsistent (v12.2)
NR-3982 A segment does not move to Bypass state under the following scenario:
[ A secondary appliance is configured with strict-backup, and one primary
appliance is down and another primary is inactive.]
NR-4011 Remote Management - Rest IPv4 and IPv6 configuration prefix length
configuration displayed for Notation "Mask."
NR-4066 Bypass segment does not move back to an inline state when traffic
connection is restored after disabling bidirectional mode.
NR-4216 Creating or updating a Port channel with Round Robin port load type fails.
NR-4232 NetFlow GUI - Unable to delete Radius VSA record; NetFlow configure port
is moved to None when a user opens configuration dialog box.
NR-4321 Third Party and VM Modules are not getting updated to configure when a
particular feature is added to Packetron Modules tab.

v12.4 Release Published: 01/07/2022 Page 100 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

6.5 Known Issues and Workarounds in v12.2

The following have been identified as known issues in FabricFlow version 12.2:
Issue Description Workaround/Note
NR-2871 Unable to add special characters to A user can use special characters
config file name saved to Flash. when saving config file using
remote TFTP.
NR-3700 The system will not allow a user to The system will display an error
NR-4008 create two filters having the same message when a user tries to
source/destination IP addresses but with create and save the second filter.
different ERSPAN types.
For example, the following filters
configuration is not valid:
packetron tunnel erspan t01 srcip
192.168.0.1 mask 32 dstip
10.10.0.1 version v2
packetron tunnel erspan t02 srcip
192.168.0.1 mask 32 dstip
10.10.0.1 version v3

NR-3958 NP errors are seen on the console if

more than maximum L2 egress Filters
(512) are created in the system.
NR-3216 The following actions do not work
properly when a packet has VLAN
header with tag set to zero (0).
1) Advanced action - Strip VLAN
2) Advanced action - Modify VLAN when
packetron profile is added to the config
map.

v12.4 Release Published: 01/07/2022 Page 101 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

6.6 Known Limitations in v12.2

FabricFlow v12.2 includes the following known limitations:
Issue Description
NR-1295 L3 GRE initiation is applied to any packet that matches the payload
destination IP and associated VLAN. In the packet broker, all the ports are
associated with VLAN 4001.
The access port is not considered in this case and only the payload
destination IP is matched (i.e., if packet matching the destination IP is
received on any port), the packet is encapsulated in L3 GRE tunnel.
NR-2085 If using the Mozilla Firefox browser, you cannot use an IPv6 address to
access the Management GUI in Firefox versions 84, 85, and 86 because the
document.cookie is empty. This is described in the following existing
Mozilla Firefox issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1683593

Note: This issue does not affect Firefox versions 83 and earlier and versions 87
and later.

NR-2551 L4 port ranges do not work with IPv6 filters.

The following workaround scenarios will work:
• Assign the same port number to the min source port and max source
port fields in IPv6 filter.
• Assign the same port number to the min destination port and max
destination port fields in IPv6 filter.
Use the L4 port range in IPv4 filter, which does work.
NR-3115 A packet that passes in ingress with vlan stripped does not drop in egress
as vlan header is stripped; the packet passes through the output port. This
is related to BCM platforms.
NR-3129 Double-tagged traffic will be dropped for the following configuration:
1. Create a configuration map with advanced action set to Tag-Vlan.
2. Add a Pass-by Criteria egress filter in the output port of the
configuration map to forward IPv4 / IPv6 traffic.
NR-3181 Packetron module takes more time (>100 sec) to come up when upgrading
device to v10.12.3 from previous production images v10.12.x. This is
expected because of migration from NFS to SSD storage.

v12.4 Release Published: 01/07/2022 Page 102 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Issue Description
NR-3458 Version 12.2 supports switchname with more than 15 characters (up to 64).
v10.12.x supports switchname with a maximum of 15 characters.
If switchname is configured with more than 15 characters and a user tries
to downgrade to v10.12.x with the configuration of v12.2 (saved with write
startup-config in v12.2), then system instability is expected.
Workaround:
Because of this, if you configure v12.2 with a switchname more than 15
characters, and then plan to downgrade to v10.12.x versions, you need to
provide “write startup-downgrade,”
With this downgrade configuration, the switchname will be truncated to 15
characters (if originally configured for more than 15 characters).
This same configuration will work fine in v10.12.x versions without any
system instability.
NR-3996 Port speed of SFP FCLF8521P2BTL is supported for 1G only.
NR-4085 The left LED always displays SOLID GREEN due to design issues. However,
the right LED does behave correctly by FLASHING GREEN.
NR-4264 The two SFP+ ports on the 4432 support only 10G SFPs. 25G is not
supported and produces an error message.

v12.4 Release Published: 01/07/2022 Page 103 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix A. Obtaining Release Files from FTP Site

The firmware and proprietary MIB files for the latest release are available on the Niagara
Networks-hosted FTP site. Connect to our site using a supported FTP client (this procedure
uses FileZilla as an example). Note: Please read the entire Appendix A section before you
proceed.

Depending on your device, download release files from the following location:
• For 2825, 2845 S2, 2847 S2, 4248-6XL, 4272, and 4432, use the following URL:
ftp.niagaranetworks.com/BCMPM_HUI3Y
• For 3299 and 3299-TT, use the following URL:
ftp.niagaranetworks.com/MVLBP_FA47E
• For 3808 and 3808E, use the following URL:
ftp.niagaranetworks.com/MVLPM_MXJC8
• For 4248-6C and 4540, use the following URL:
ftp.niagaranetworks.com/BCMPM_HUI3Y

Below are the login credentials to connect to the Niagara FTP site:
• User name: support Password: Niagara123!

To retrieve the installation files for the latest release:

1. Open an FTP client and set up the server

to which you want to connect. Below is
an example of the information to enter
using FileZilla FTP client.
2. Access Transfer Settings (or a
comparable option on your client).
3. Ensure the transfer mode is set to
Active.
4. Connect to the Niagara-hosted FTP file
server using the URL credentials listed
above.
5. Once connected, enter the remote directory name to locate the set of files for
download.

Note: If using FileZilla, you can add a bookmark for the remote directory to make navigation
easier. From the Main menu, select Bookmarks > Add Bookmarks. Then, choose Global
bookmark and type the remote directory path (e.g., /MVLBP_FA47E).

v12.4 Release Published: 01/07/2022 Page 104 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

A.1 Downloading the Updated MIB Files

The following MIB files were changed. Please download and use the updated MIB files to
ensure that SNMP functions correctly. Note: Do not change the downloaded file names.
• bypass.mib (changed in v12.3)
• IM.mib (changed in v12.4)
• Ifmib.mib (changed in v12.2)

A.2 Downloading the Firmware Installation Files

Depending on the version of software currently installed on your system, you may need one
or three different installation files. This section explains the files you need to download
depending on your current firmware version. It also describes the Checksum files you can
download to validate file integrity.

Note: Do not change any of the file names after you download an installation file.

A.2.1 If your current firmware version is between 10.5 and 10.9:

• Download the ‘new-fix-iss-updater’ file that matches your current version:

Download the applicable ‘new-fix-iss-updater’ file that matches the major release
version of software currently installed on your system. This file is necessary to
prepare your current system for the new upgrade process. The following files are
available for download on the FTP site:

o new-fix-iss-updater-img-BCM-release-iss-10.9.0-v5.bin
o new-fix-iss-updater-img-BCM-release-iss-10.8.0-v5.bin
o new-fix-iss-updater-img-BCM-release-iss-10.7.0-v5.bin
o new-fix-iss-updater-img-BCM-release-iss-10.5.1-v5.bin (for users on v10.5.0
or 10.5.1)
• Download the installation update files:

Download the following set of installation files needed for the upgrade. Note: Do not
change the downloaded file names.

o iss-onie-update-img-BCM-release-iss-12.4.0.bin
o iss-update-img-BCM-release-iss-12.4.0.bin

v12.4 Release Published: 01/07/2022 Page 105 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

A.2.2 If your current firmware version is 10.10.x.x and later:

• Download the installation update file:

Depending on your device, download the following installation file needed for the
upgrade. Note: Do not change the downloaded file name.

o For 2825, 2845 S2, 2847 S2, 4248-6XL, 4272, and 4432, use the following file:
iss-update-img-BCM-release-iss-12.4.0.bin
o For 3299 and 3299-TT, use the following file:
firmware-MVL-ARM-release-iss-12.4.0.img
o For 3808E, use the following file:
iss-update-img-MVL-release-iss-12.4.0.bin

NOTE: If your 3808 device firmware is currently on v11.x, please refer to

“FabricFlow Release Notes v12.1” for information on upgrading to v12.1 before you
upgrade to v12.4. Release Notes are located on the Niagara Support Portal.

A.2.3 Using Checksum to validate downloaded firmware files:

Two checksum files are available in the FTP directory where you obtain the FabricFlow
firmware. These files show what the checksums are supposed to be for each file.

You can download the SHA256SUMS and MD5SUMS are the checksum files that you can
download to validate the integrity of each installation file. Below is an example that shows
the MD5SUMS file content for a previous firmware build set.

(Note: This is not the actual MD5SUMS file for this release.)

v12.4 Release Published: 01/07/2022 Page 106 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix B. Saving Current Configuration Settings

Before you begin the upgrade process, it is important that you save a copy of the current
configuration settings for your FabricFlow system. You can either save the configuration
settings to the system’s internal Flash memory or to a remote TFTP server. Additionally, you
can download a copy of the current configuration settings directly to your local computer.

Keep in mind that if you save the configuration settings to Flash memory, the settings are
restored automatically after you complete the upgrade and reboot the system. However, if
you save the settings remotely or download the settings to your local computer, then you
must perform a system restore after upgrading and rebooting the system.

In the GUI, access the System > Save Configuration page to save the current configuration.

Note: To save the system configuration file to a remote TFTP server, a file with the same
name must already exist on the server and have the correct permissions assigned.

v12.4 Release Published: 01/07/2022 Page 107 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix C. Manage v12.2 to v12.4 Upgrade

Accessibility for High CPU Usage
IMPORTANT NOTE: PLEASE READ THE FULL PROCEDURE BEFORE INITIATING AN
UPGRADE FROM v12.2 TO A LATER VERSION. (APPLIES TO ALL PLATFORMS EXCEPT
3299 and 3299-TT.)

The following two issues in v12.2 release can cause a silent exhaustion of the SSD (flash
space) over time.
• https://niagara-networks.atlassian.net/browse/NR-4520
• https://niagara-networks.atlassian.net/browse/NR-4209

Once SSD exhaustion is reached, the following operations will fail:

• Saving the running configuration to the startup-configuration will fail.
• Upgrading the Packet Broker to another version will also not be possible.

Any device running v12.2 has the possibility of SSD exhaustion and subsequent operational
failure.

If your device is currently on v12.2, view the following pages for workarounds to perform
before upgrading to a later version.

v12.4 Release Published: 01/07/2022 Page 108 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Workarounds before Upgrading to v12.4

The main reason for SSD exhaustion is the accumulation of event logs over a long period of
time. If the unit is in this state, use the following steps to perform an upgrade:
1. Check the current flash usage on the system to see it is less than 80%. You can
check this either through the GUI or the CLI.
a) To check flash usage through the CLI, use the “show system resources all”
command and check the Current Flash Usage as shown below.

v12.4 Release Published: 01/07/2022 Page 109 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

b) To check flash usage through the GUI, use the system resource page as shown
below.

2. If the current flash usage is less than 80%, then you can proceed with the upgrade.

3. If the current Flash usage is greater than 80%, follow the steps for Option 1 first. If
the Flash usage is still greater than 80%, follow the steps for Option 2.

Option 1: Removing the Log Files before Upgrading

1. Execute the command “remove files from system” from the CLI to clear some of the
unwanted log files from the system.
2. Customers are advised to remove only the log files from /var/log directory.
3. Do not remove any of the files from the /broadcom/ or /marvell folders without the
consultation of the Support team.
4. Once the log files are cleared, check whether the current flash usage is below 80%.
If it is below 80%, SAVE THE RUNNING CONFIGURATION TO THE DISK (it’s also
advised to save the configurations in an external backup server) and then
proceed with the upgrade.

v12.4 Release Published: 01/07/2022 Page 110 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Option 2: Removing the Log Files before Upgrading

1. If there is enough space to save the configurations (Flash Usage is >=90%), but not
for performing an upgrade, then SAVE THE RUNNING CONFIGURATION IN THE
PACKET BROKER. We also recommend saving the configurations in an external
backup server.
2. Once the configurations are saved, reboot the Packet Broker and boot with v12.2
again.
3. After you reboot and then boot into v12.2, the flash usage should decrease below
80%.
4. You are ready to perform an upgrade to a later version.

Note: When the flash usage does not go below 80%, even after following the above two
options. Please contact the Niagara Support Team ([email protected]).

v12.4 Release Published: 01/07/2022 Page 111 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix D. Upgrading the Firmware from v10.5

thru v10.9 to v12.4
The firmware upgrade process updates the firmware in the Niagara packet broker device to
the desired product version. This section explains how to perform a system firmware
upgrade through the Packet Master Web GUI.

Note: If you have not downloaded the necessary MIB and installations files, see “Obtaining
Release Files from FTP Site.” Also, if you have not saved a copy of the system configuration,
see “Saving Current Configuration Settings.”

D.1 Upgrading Packet Master Locally Using the GUI

In the Web GUI, access the System > Firmware Upgrade page to perform a firmware image
upgrade. If you saved the firmware installation files locally, use the HTTP option to retrieve
the files for the upgrade process.
Note: To perform a local install, the firmware installation files should be saved on the computer
where the Web GUI is being accessed. If you stored the files on a remote server, choose the TFTP
option to access the firmware files for upgrade.
Important: The installation files must be installed in the correct order. Follow the instructions in
this section to install the files correctly.

To upgrade the firmware using locally stored files:

5. Log in to the Packet Master Web GUI:

v12.4 Release Published: 01/07/2022 Page 112 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

6. Access the System > Firmware Upgrade page.

7. Click the System Firmware Upgrade button. The Upgrade dialog box displays

8. Select HTTP from the Upgrade Via drop-down list.

If you saved the firmware file to a remote server, select the TFTP option from the drop-down
list to retrieve the file and start the upgrade process.
9. Click Browse to locate and select the applicable fix updater file that matches your
current version. (See “If your current firmware version is between 10.5 and 10.9:” on
page105.)
10. Click Submit. (If needed, click Reset to clear the Browse field.)

v12.4 Release Published: 01/07/2022 Page 113 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

11. Wait for the fix update to complete. When finished, the Upgrade dialog box
redisplays.

12. Click Browse to select the following onie update file:

iss-onie-update-img-BCM-release-iss-12.4.0.bin
13. Wait for the onie update to complete, which may take a few minutes. When
complete, a message displays prompting you to reboot the device.
Note: Console access may be needed to continue the installation. If you receive a
message prompt, type “Y” or “Yes” and then press Enter to continue the installation.
14. Log in to the FabricFlow Web GUI.

15. Access the System > Firmware Upgrade page.

16. Click the System Firmware Upgrade button. The Upgrade dialog box displays.

17. Select HTTP from the Upgrade Via drop-down list.

18. Click Browse to select the following firmware image update file:
iss-update-img-BCM-release-iss-12.4.0.bin

v12.4 Release Published: 01/07/2022 Page 114 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

19. Wait for the image update to complete, which may take a few minutes. When
complete, a message displays prompting you to reboot the device.
You may also need to clear the browser cache before accessing the system after the
upgrade completes.
20. Log in to the FabricFlow Web GUI.

21. Access the System > System Information page to verify the system was
successfully updated to v12.4.
22. If your system configuration file was saved to flash memory, the system restores
the system files automatically after reboot. If your configuration file was stored in a
different location, access System > Remote Restore to restore system settings.

v12.4 Release Published: 01/07/2022 Page 115 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix E. Upgrading the Firmware to v12.4

The firmware upgrade process updates the firmware in the Niagara packet broker device to
the desired product version. This section explains how to perform a system firmware
upgrade through the FabricFlow Web GUI.

• If you have not downloaded the necessary MIB and installations files, see “Obtaining
Release Files from FTP Site.” Also, if you have not saved a copy of the system
configuration, see “Saving Current Configuration Settings.”
• If your device has one of the following firmware versions installed, you can follow
the instructions in this section to upgrade directly to version 12.4:
v12.1, v12.1.0.1, v12.2, v12.2.1, v12.3, v12.3.1
• If your device has v12.2 firmware versions installed, first follow the instructions in
“Manage v12.2 to v12.3 Upgrade Accessibility for High CPU Usage.” Then, you can
follow the procedure in this section to upgrade to v12.3.
In the Web GUI, access the System > Firmware Upgrade page to perform a firmware image
upgrade. If you saved the firmware installation files locally, use the HTTP option to retrieve
the files for the upgrade process.
Note: To perform a local install, the firmware installation files should be saved on the computer
where the Web GUI is being accessed. If you stored the files on a remote server, choose the TFTP
option to access the firmware files for upgrade.

To upgrade the firmware using locally stored files:

1. Log in to the FabricFlow GUI:

v12.4 Release Published: 01/07/2022 Page 116 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

2. Access the System > Firmware Upgrade page.

3. Click the System Firmware Upgrade button. The Upgrade dialog box displays.

4. Select one of the following options from the Upgrade Via drop-down list:

o HTTP – Choose this option if the firmware file is stored on the local computer.
Proceed to Step 6.
o TFTP – Choose this option if the firmware file is stored on a remote server.
Proceed to Step 5.
5. If you selected TFTP:
Provide the TFTP server detail and then click Submit.

o Server Address Type – Choose if the IP address to the remote server is IPv4 or
IPv6.
o Server IP Address – Type the IP address of the remote server.

v12.4 Release Published: 01/07/2022 Page 117 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

o Firmware File Name – Type the firmware file name. Depending on your
platform, use one of the following:
For 2825, 2845 S2, 2847 S2, 4248-6XL, 4272, 4432, and 4540, use:
iss-update-img-BCM-release-iss-12.4.0.bin
For 3299 and 3299-TT, use:
firmware-MVL-ARM-release-iss-12.4.0.img
For 3808 and 3808E, use:
iss-update-img-MVL-release-iss-12.4.0.bin

6. If you selected HTTP:

Click Browse to select the firmware update file, and then click Submit.

For 2825, 2845 S2, 2847 S2, 4248-6XL, 4272, 4432, and 4540, choose:
iss-update-img-BCM-release-iss-12.4.0.bin
For 3299 and 3299-TT, choose:
firmware-MVL-ARM-release-iss-12.4.0.img
For 3808 and 3808E, choose:
iss-update-img-MVL-release-iss-12.4.0.bin

7. Wait for the image update to complete, which may take a few minutes. When
complete, a message displays prompting you to reboot the device.
You may also need to clear the browser cache before accessing the system after the
upgrade completes.

v12.4 Release Published: 01/07/2022 Page 118 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

8. Log in to the FabricFlow GUI.

The Configuration Maps page displays.

9. Access the System > System Information page to verify the system was
successfully updated.
10. If your system configuration file was saved to flash memory, the system restores
the system files automatically after reboot. If your configuration file was stored in a
different location, access System > Remote Restore to restore system settings.

v12.4 Release Published: 01/07/2022 Page 119 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix F. Possible Error Messages During

Upgrade
The following list shows the possible error messages that may display during upgrade:

Note: Message are displayed in the format: Installation Failure - <specific_error_message>

• Firmware upgrade failed.
• Invalid path. Image file does not exist.
• Failed to extract image file.
• Invalid arguments.
• The fix-iss-updater package with the same version is already installed.
• There is no free partition available for ISS firmware upgrade.
• Unable to create temporary directory.
• Image file has invalid structure.
• Selected package could not be installed on current Debian version.
• Image file is not signed or has invalid signature.
• Unknown image type.
• Wrong partclone image checksum.

Need Assistance? Contact the support team if you see any of the above errors during the
upgrade process. http://support.niagaranetworks.com

v12.4 Release Published: 01/07/2022 Page 120 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Appendix G. Feature Compatibility Matrix

The following matrix shows the FabricFlow features that are generally supported for each Niagara Packet Broker platform.

Important! This matrix does not show in which firmware versions a specific feature is available. See the FabricFlow (Packet
Master) Release Notes to learn when new features are introduced for each release version.

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

Configuration Maps —           

L2 Filters (Src Mac / Dst MAC

/ Ethertype / Vlan / Vlan —           
Priority)

IPv4 Filters (Src-IP / Dst-IP /

—           
protocol / TOS)

IPv4 Fragmented Packets

(non-fragmented | first-
fragment | non-or-first- —   — — — —     
fragment | not-first-
fragment | any-fragment)

IPv6 Filters (Src-IPv6/ Dst-

—           
IPv6/ Next hop)

IPv6 Flow Label — — — — — — —     

TCP Filters (Control Flags,

—           
Ports)

UDP Filters —           

v12.4 Release Published: 01/07/2022 Page 121 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

ICMP Filters (message type

—           
and code)

Layer 4 Port Range for IPv4

—           
Filters

Layer 4 Port Range for IPv6

—     No No     
Filters

SCTP Filters —   — — — —     

GTP Filtering —   — — — —     

MPLS Filtering —   — — — —     

User Defined Bytes Filters —           

Add Vlan Tags —           

Strip Vlan Tags —           

Configuration Map-Level
—       —    —
MPLS label Stripping

Modify Vlan —           

Change Source MAC —   — — — —     

Change Destination MAC —   — — — —     

Filter Statistics —           

Configuration Map Statistics —           

v12.4 Release Published: 01/07/2022 Page 122 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

Bypass Segments

Tap-Bypass            

Critical Appliance            

LFD            

Heart-Beat for Appliance

           
Monitoring

Traffic Mode for Segments

(Load-balance / Toolchain /
           
User-Specific / Active-
Bypass)

Traffic Mode for Segments

           
(Tap-Split / Tap-Aggregation)

Passive-Bypass         — — — 

Non-revertive Bypass        —    —

Segment Synchronization
           
within Devices

Segment Synchronization
   — — — —     
across Devices

v12.4 Release Published: 01/07/2022 Page 123 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

Segment Synchronization in
   — — — —     
Active-Active mode

Secondary Appliance            

Appliance Sharing —           

Split Segments —   — — — —     

Virtual Segments    — — — — —    —

Redundancy    — —       

Port Groups

Port Channel —           

Virtual Trunk —           

Port Channel Failover

—   — — — —     
Modes

Port Channel Backup Ports —   — — — —     

Individual Port-Channel
—   — — — —     
Hash Policy

Enhanced Hash Policy —           

GTP TEID Hash Policy —   — — — —     

MPLS Label Hash Policy — — —     — — — — —

v12.4 Release Published: 01/07/2022 Page 124 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

Dynamic Load Balancing —   — — — —    — 

CRC Hash Policy — — — — —   — — — — —

Ports

Reserved Ports —   — — — —     

Monitoring Heart-Beats —   — — — —     

Statistics            

Traffic Rate            

L1 Statistics and L1
           
Traffic Rate

MicroBurst Detection    — — — — —    —

Split Ports (fanout or

—   — — — —  —  
breakout)

Port-Level MPLS Label

— — — — — — —  — — — 
Stripping

Port Egress Filters

IPv4 —           

IPv6 —           

v12.4 Release Published: 01/07/2022 Page 125 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

L2 Filters (Src Mac / Dst MAC

—           
/ Ethertype / Vlan Priority)

L2 Filters (VLAN) —   — — — —     

Filter Templates —           

Tunnelling

GRE Initiation —           

GRE Termination —   — —       

VXLAN Initiation —   — — — —     

VXLAN Termination —   — — — —     

Packetron

Packet Slicing —   — — — —  — — — 

Deduplication —   — — — —  — — — 

NetFlow —   — — — —  — — — 

RegEx —   — — — —  — — — 

Data Masking —   — — — —  — — — 

Application Filtering —   — — — —  — — — 

ERSPAN Termination —   — — — —  — — — 

v12.4 Release Published: 01/07/2022 Page 126 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

GTP Termination —   — — — —  — — — 

Mobile Visibility Correlation

—   — — — —  — — — 
and Load Balancing

Mobile Visibility Whitelist —   — — — —  — — — 

Mobile Visibility Sampling —   — — — —  — — — 

Passive TLS Decryption —   — — — —  — — — 

Inline Decryption —   — — — —  — — — 

Virtualization Mode —   — — — —  — — — 

Flow Slicing —   — — — —  — — — 

User/Groups/Privileges            

Updating Statistics to NVC

through Web Socket            
Support

Management Features

Management Interface            

Serial Console            

IPv4 Management            

IPv6 Management            

v12.4 Release Published: 01/07/2022 Page 127 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

DHCP (v4 and v6)            

SLAAC for IPv6            

Static IP address allocation            

IPv4 and IPv6

SSH (IPV4 and IPv6)            

Web UI (https)            
IPv4 and IPv6

Radius remote            
authentication
(IPv4 and IPv6)

TACACS remote            
authentication
(IPv4 and IPv6)

Whitelist of IP address            
(remote managers)
IPV4 and IPv6

SNMP (IPv4 and IPv6)            

SNTP (IPv4 and IPv6)            

Certificate Upload            

License Upload            

Syslog            

v12.4 Release Published: 01/07/2022 Page 128 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

Feature Compatibility for Niagara Networks Platforms

FabricFlow Features 2825 2845 S2 2847 S2 3299 3299-TT 3808 3808E 4248-6C 4248-6XL 4272 4432 4540

PSU Monitoring            

Fan Monitoring            

CPU and RAM Monitoring            

Temperature Monitoring            

Configuration save and            

restore

Configuration backup            

Remote save and            

restoration of configuration

Download of Support logs            

Download of Tech Support            

logs

REST API            

Auto Discovery by NVC    — — — —     

Display CPLD, PTP and TPM

information when            
applicable

v12.4 Release Published: 01/07/2022 Page 129 of 130

FabricFlow v12.x.x.x Release Notes Rev 09

About Niagara Networks

Niagara Networks provides high performance network visibility solutions for seamless administration of
security solutions, performance management and network monitoring. Niagara Networks products
provide advantages in terms of network operation expenses, downtime, and total cost of ownership. A
former division of Interface Masters, Niagara Networks provides all the building blocks for an advanced
Visibility Adaptation Layer at all data rates up to 100Gb, including TAPs, bypass elements, packet brokers
and a unified management layer. Thanks to its integrated in-house capabilities and tailor-made
development cycle, Niagara Networks is agile in responding to market trends and in meeting the
customized needs of service providers, enterprises, data centers, and government agencies. For more
information, please visit us at www.niagaranetworks.com.

Nmap Commands
No ratings yet
Nmap Commands
21 pages
Joshua Castromayor-6.4.8-Lab-View-Captured-Traffic-in-Wireshark
No ratings yet
Joshua Castromayor-6.4.8-Lab-View-Captured-Traffic-in-Wireshark
8 pages
Advanced Multiplayer Game Development with Ureal Engine 5: A Comprehensive Guide to C++ Scripting
From Everand
Advanced Multiplayer Game Development with Ureal Engine 5: A Comprehensive Guide to C++ Scripting
Vladimir Kiselev
No ratings yet
Content Creation Revolution with chatGPT
From Everand
Content Creation Revolution with chatGPT
Maria Cowen
No ratings yet
PPRN0523-079 Payshield 9000 Base Software v3.5b Release Notes
No ratings yet
PPRN0523-079 Payshield 9000 Base Software v3.5b Release Notes
103 pages
800 GigaCenter Release Notes R12.2.7
No ratings yet
800 GigaCenter Release Notes R12.2.7
26 pages
Brocade Fabric OS v7.4.1d Release Notes v3.0: Document History
No ratings yet
Brocade Fabric OS v7.4.1d Release Notes v3.0: Document History
167 pages
Plain JavaScript: Learning the Front-End
From Everand
Plain JavaScript: Learning the Front-End
Roger Beans-Rivet
No ratings yet
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
From Everand
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
Matthew C. Smith
No ratings yet
Prod Presentation 12-4-24 T
No ratings yet
Prod Presentation 12-4-24 T
47 pages
BRKARC-2000
No ratings yet
BRKARC-2000
280 pages
Product Highlights 32 Ports of 40/100Gb Nonblocking Switching Fabric
No ratings yet
Product Highlights 32 Ports of 40/100Gb Nonblocking Switching Fabric
3 pages
v9.2.0_releasenotes_digest_edition_v3.0
No ratings yet
v9.2.0_releasenotes_digest_edition_v3.0
81 pages
Software Patterns Made Easy
From Everand
Software Patterns Made Easy
Justice Nanhou
No ratings yet
Customer Release Notes: C-Series C2
No ratings yet
Customer Release Notes: C-Series C2
34 pages
Gray Hat Hacking the Ethical Hacker's
From Everand
Gray Hat Hacking the Ethical Hacker's
Çağatay Şanlı
5/5 (1)
ChatGPT for Business: Strategies for Success
From Everand
ChatGPT for Business: Strategies for Success
Matthew C. Smith
No ratings yet
V9.2.0a Releasenotes v2.0
100% (1)
V9.2.0a Releasenotes v2.0
146 pages
Cisco Nexus 9000 Series Nx Os Ip Fabric for Media Solution Guide Release 104x
No ratings yet
Cisco Nexus 9000 Series Nx Os Ip Fabric for Media Solution Guide Release 104x
176 pages
B-Series FC Switch Connectivity Stream
No ratings yet
B-Series FC Switch Connectivity Stream
25 pages
v8.2.2c ReleaseNotes v1.0
No ratings yet
v8.2.2c ReleaseNotes v1.0
102 pages
v9.0.0a_releasenotes_v1.0
No ratings yet
v9.0.0a_releasenotes_v1.0
232 pages
v7.4.2 Releasenotes v2.0
No ratings yet
v7.4.2 Releasenotes v2.0
227 pages
Eos Eol Notice c51 744423
No ratings yet
Eos Eol Notice c51 744423
8 pages
HPE_a00050829en_us_Recommended & Minimum Software Versions for HPE FlexFabric Switch Products
No ratings yet
HPE_a00050829en_us_Recommended & Minimum Software Versions for HPE FlexFabric Switch Products
9 pages
D-Series_Firmware_RN_6.03.14.0004
No ratings yet
D-Series_Firmware_RN_6.03.14.0004
23 pages
v9.2.1a_releasenotes_v3
No ratings yet
v9.2.1a_releasenotes_v3
72 pages
Packet Journey Inside ASR 9000
No ratings yet
Packet Journey Inside ASR 9000
207 pages
Customer Release Notes: ES4612-38 Firmware Version 1.0.6.9
No ratings yet
Customer Release Notes: ES4612-38 Firmware Version 1.0.6.9
8 pages
Software Version 2.9.1
No ratings yet
Software Version 2.9.1
286 pages
rn_8198-14
No ratings yet
rn_8198-14
31 pages
Mastering Windows Automation with AHK 2.0
From Everand
Mastering Windows Automation with AHK 2.0
John Nunez
No ratings yet
FOS 8.2.2b ReleaseNotes 03082023041114
No ratings yet
FOS 8.2.2b ReleaseNotes 03082023041114
66 pages
v8.2.3c1_releasenotes_digest_edition_v3.0
No ratings yet
v8.2.3c1_releasenotes_digest_edition_v3.0
64 pages
v9.1.0_releasenotes_v2.0
No ratings yet
v9.1.0_releasenotes_v2.0
154 pages
v8.2.2d_releasenotes_v1.0
No ratings yet
v8.2.2d_releasenotes_v1.0
115 pages
Release Notes For The Catalyst 4900 Series Switch, Cisco IOS Release 12.2 (54) SG
No ratings yet
Release Notes For The Catalyst 4900 Series Switch, Cisco IOS Release 12.2 (54) SG
278 pages
EOC5611P Release Note v.1.3.3
No ratings yet
EOC5611P Release Note v.1.3.3
4 pages
NB 06 Cat9200 Ser Data Sheet Cte en
No ratings yet
NB 06 Cat9200 Ser Data Sheet Cte en
42 pages
End-of-Sale and End-of-Life Announcement For The Cisco Catalyst C2960L Series Switches
No ratings yet
End-of-Sale and End-of-Life Announcement For The Cisco Catalyst C2960L Series Switches
7 pages
800 GigaFamily ReleaseNotes R12.2.5
No ratings yet
800 GigaFamily ReleaseNotes R12.2.5
26 pages
CAN Bus for Beginners: A Practical Guide to Automotive Networking
From Everand
CAN Bus for Beginners: A Practical Guide to Automotive Networking
Mohamad Charara
No ratings yet
SD-WAN Software Feature Cheat Sheet
No ratings yet
SD-WAN Software Feature Cheat Sheet
5 pages
TSSN1 - Switching Update AOS 8.8 v3
No ratings yet
TSSN1 - Switching Update AOS 8.8 v3
32 pages
NB 06 Cat9200 Ser Data Sheet Cte en
No ratings yet
NB 06 Cat9200 Ser Data Sheet Cte en
54 pages
Storageworks 48 San Switch
No ratings yet
Storageworks 48 San Switch
42 pages
HPE - c04588381 - Brocade Fabric OS v7.3.0b Release Notes v4.0
No ratings yet
HPE - c04588381 - Brocade Fabric OS v7.3.0b Release Notes v4.0
63 pages
v8.2.1_releasenotes_v3.0
No ratings yet
v8.2.1_releasenotes_v3.0
92 pages
Catalyst 2960-S Series
No ratings yet
Catalyst 2960-S Series
4 pages
End-of-Sale and End-of-Life Announcement For The Cisco Catalyst 2960-S Series and 2960-SF Series Switches
No ratings yet
End-of-Sale and End-of-Life Announcement For The Cisco Catalyst 2960-S Series and 2960-SF Series Switches
4 pages
Brocade Fabric OS 8.2.2 Release Notes
No ratings yet
Brocade Fabric OS 8.2.2 Release Notes
46 pages
FOS_v8.2.3e_releasenotes_v7.0
No ratings yet
FOS_v8.2.3e_releasenotes_v7.0
155 pages
Mastering Python Advanced Concepts and Practical Applications
From Everand
Mastering Python Advanced Concepts and Practical Applications
Aissa Younes
No ratings yet
Web Video Business
From Everand
Web Video Business
MUHAMMAD NUR WAHID ANUAR
No ratings yet
V8.2.1a ReleaseNotes v1.0
No ratings yet
V8.2.1a ReleaseNotes v1.0
96 pages
A To Z of Internet: Everything You Wanted to Know
From Everand
A To Z of Internet: Everything You Wanted to Know
Bittu Kumar
No ratings yet
Cisco IOS Wide-Area Networking Configuration Guide, Release 12.3
No ratings yet
Cisco IOS Wide-Area Networking Configuration Guide, Release 12.3
3 pages
NB 06 Cat9200 Ser Data Sheet Cte en
No ratings yet
NB 06 Cat9200 Ser Data Sheet Cte en
54 pages
Cisco 9200
No ratings yet
Cisco 9200
54 pages
Cisco 9200
No ratings yet
Cisco 9200
146 pages
FSP 3000R7 Release Note 7 1 5
No ratings yet
FSP 3000R7 Release Note 7 1 5
40 pages
Cloud Computing : Beginners And Intermediate User Guide
From Everand
Cloud Computing : Beginners And Intermediate User Guide
David comer
No ratings yet
CNSL Assignments
No ratings yet
CNSL Assignments
3 pages
Practical 3
No ratings yet
Practical 3
9 pages
Protocolo RIP y OSPF
No ratings yet
Protocolo RIP y OSPF
78 pages
Collision Detection in 802
No ratings yet
Collision Detection in 802
2 pages
RS485-to-eth-b-user-manual-EN-v1.33
No ratings yet
RS485-to-eth-b-user-manual-EN-v1.33
52 pages
Module 5: Network Fundamentals: Devnet Associate V1.0
No ratings yet
Module 5: Network Fundamentals: Devnet Associate V1.0
104 pages
2.3.2.6 Packet Tracer - Configuring PAP and CHAP Authentication
No ratings yet
2.3.2.6 Packet Tracer - Configuring PAP and CHAP Authentication
3 pages
static lab
No ratings yet
static lab
6 pages
Handout 6 - TCP-IP
No ratings yet
Handout 6 - TCP-IP
18 pages
TL sg2428p Datasheet
No ratings yet
TL sg2428p Datasheet
12 pages
ASREC (Gramshakti) - Daily MIS Report
No ratings yet
ASREC (Gramshakti) - Daily MIS Report
25 pages
DWC_usb3_databook_2.50a
No ratings yet
DWC_usb3_databook_2.50a
926 pages
T48 - Panel Wise IO Summary - 9.11.23
No ratings yet
T48 - Panel Wise IO Summary - 9.11.23
6 pages
Computer Networking A Top-Down Approach 7th Edition Kurose Solutions Manualinstant download
100% (5)
Computer Networking A Top-Down Approach 7th Edition Kurose Solutions Manualinstant download
47 pages
Igate GW040-H
No ratings yet
Igate GW040-H
1 page
HCIP-Transmission V2.0 Mock Exam
100% (2)
HCIP-Transmission V2.0 Mock Exam
4 pages
Aruba CX 8320 Switch Series Data Sheet-A00036440enw
No ratings yet
Aruba CX 8320 Switch Series Data Sheet-A00036440enw
12 pages
BGP Configuration For CCNP Students by Eng. Abeer Hosni
No ratings yet
BGP Configuration For CCNP Students by Eng. Abeer Hosni
37 pages
Notes - 1052 - UNIT-I - Lesson 2 - Network Architecture & Design Issues
No ratings yet
Notes - 1052 - UNIT-I - Lesson 2 - Network Architecture & Design Issues
37 pages
CNET324 Lab 7-Exploring WLAN Security With Wireshark
No ratings yet
CNET324 Lab 7-Exploring WLAN Security With Wireshark
9 pages
troubleshooting-tcp-unidir-wireshark-perf
No ratings yet
troubleshooting-tcp-unidir-wireshark-perf
27 pages
BPDU GUARD, FILTER & RootGuard
No ratings yet
BPDU GUARD, FILTER & RootGuard
7 pages
UNIT 1 CN by Adarsh
No ratings yet
UNIT 1 CN by Adarsh
18 pages
INWPASRTG04 Listening Port Details
No ratings yet
INWPASRTG04 Listening Port Details
5 pages
Chapter 4 TCP IP Reference Model
No ratings yet
Chapter 4 TCP IP Reference Model
43 pages
SPC Event Reporting Spec-1.6
No ratings yet
SPC Event Reporting Spec-1.6
64 pages
CATÁLOGO LDNIO
No ratings yet
CATÁLOGO LDNIO
32 pages
MMT Lab3a
No ratings yet
MMT Lab3a
4 pages