AOS-W 5.0.2.1
Copyright
© 2010 Alcatel-Lucent. All rights reserved.
Specifications in this manual are subject to change without notice.
Originated in the USA.
AOS-W, Alcatel 4308, Alcatel 4324, Alcatel 6000, Alcatel 41, Alcatel 60/61/65, Alcatel 70, and Alcatel 80 are trademarks of Alcatel-Lucent in the United States and certain other countries.
Any other trademarks appearing in this manual are the property of their respective companies.
Legal Notice
The use of Alcatel-Lucent switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client
devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel-Lucent from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems
or Nortel Networks.
www.alcatel-lucent.com
26801 West Agoura Road
Calabasas, CA 91301
Contents
Chapter 1 What's New in this Release
Chapter 2 Fixed Issues
Chapter 3 Known Issues
Chapter 4 Upgrade Procedures
Chapter 1
What's New in this Release
AOS-W 5.0.2.1 is a patch release that addresses and provides solutions for a number of known issues. For
more information about AOS-W, refer to the AOS-W 5.0 User Guide or Command Line Reference. See the
Upgrade Procedures on page 21 for instructions on how to upgrade your switch to this release.
OAW-AP175
This patch introduces support for the Alcatel-Lucent OAW-AP175. The Alcatel-Lucent OAW-AP175 is a
resilient, environmentally hardened, outdoor rated, dual-radio, dual-band IEEE 802.11 a/b/g/n wireless
access point. This outdoor access point is part of Alcatel-Lucent's comprehensive wireless network
solution. The OAW-AP175 works only in conjunction with an Alcatel-Lucent switch and each AP can be
centrally managed, configured, and upgraded through the switch.
Command Syntax
usb_modeswitch "-v <vendor_ID> -p <product_ID> -V <target_vendor_ID> -P
<target_product_ID> -M <message_content_in_Hex>"
Parameter Description
Table 1 USB Modeswitch Parameter Description
Parameter
Description
-v
-p
-V
-P
-M
Example
(host) (AP Provisioning) #usb_modeswitch "-v 0x106c -p 0x3b06 -V 0x106c -P 0x3717 -M
5534243b82e238c24000000800008ff020000000000000000000000000000"
NOTE
It is, however, recommended that you confirm these values with your service provider or contact the hardware
manufacturer.
| ISP | Model Name | Vendor ID | Product ID | Parameters |
|---|---|---|---|---|
| ATT | USBConnect 881 (Sierra 881U) | 0x1199 | 6856 | usb_type=sierra-gsm |
| ATT | Mercury (Sierra Compass 885/N7NC885) | 0x1199 | 6880 | usb_type=sierra-gsm; usb_tty=ttyUSB4 |
| ATT | Quicksilver (Globetrotter ICON 322) | 0x0af0 | d033 | usb_type=hso; usb_init=AT+CGDCONT=1,'IP','wap.cingular'; usb_dial=ATDT*99***1#; usb_user=internet; usb_passwd=internet |
| ATT | Huawei E272, E170, E220 | 0x12d1 | 1003 | usb_type=option; usb_init=AT+CGDCONT=1,'IP','wap.cingular'; usb_dial=ATDT*99***1# |
| ATT | USBConnect 881 (Sierra 881U) | 0x1199 | 6856 | usb_type=sierra-gsm |
| ATT | USBConnect Lightning | 0x1199 | 68a3 | usb_type=sierra-gsm; usb_dev=0x119968a3 |
UM100C (UTstarcom)
0x0d08
Cricket
0300
Cincinnati
Bell
Icon 452
0x0af0
Sprint
0x1199
Sprint
Sprint
7901
usb_type=acm
usb_user=internet
usb_passwd=internet
usb_type=hso
usb_init=at+cgdcont=1,?ap??ocbw?
usb_dial=*99#
0023
usb_type=sierra-evdo
0x1199
0025
usb_type=sierra-evdo
Ovation U727
(Novatel)
0x1410
4100
usb_type=option
Sprint
U300 (Franklin
wireless)
0x16d8
6002
usb_type=option
Sprint
U301
(Franklin wireless)
0x16d8
6008
usb_type=option
usb_dev=0x16d86008
usb_tty=ttyUSB1
usb_type=option
Sprint
USB U760(Novatel)
0x1410
6000
Verizon
USB1000 (Novatel)
0x1410
a008
Verizon
0x1410
4100
usb_type=option
Verizon
0x1410
2110
usb_type=option
Verizon
0x1410
6000
usb_type=option
Verizon
UM175 (Pantech)
0x106c
3714
usb_type=acm
Verizon
UM150 (Pantech)
0x106c
3711
usb_type=acm
0x106c
3716
usb_type=acm
U597 (Sierra)
0x1199
0023
usb_type=sierra-evdo
Telecom
(New
Zealand)
Tstick C597
(Sierra)
0x1199
0023
usb_type=sierra-evdo
usb_user=mobile@jamamobile
usb_passwd=telecom
TataIndicom (India)
SXC-1080 (Qualcomm)
ISP
Model Name
Verizon
UMW190(Pantech)
Verizon
Vendor
ID
0x1b7d
070a
Telenor
(sweden)
6971
Vodafone/
SmarTone
(HK)
Vodafone
(UK)
Huawei E169, E180, E220, E272
0x12d1
Huawei K4505
0x12d1
1003
1464
O2 in the
UK
Huawei E160
0x12d1
1003
SFR in
France
Huawei E160
0x12d1
1003
NZ and JP
Huawei E220
0x12d1
1003
T-Mobile
UMG181
0x12d1
1414
usb_type=acm
usb_init=ATQ0V1E1S0=0&C1&D2
usb_user=internet
usb_passwd=internet
usb_type=hso
usb_init=AT+CGDCONT=1,'IP','telenor'
usb_dial=ATDT*99***1#
usb_user=internet
usb_passwd=internet
usb_type=option
usb_init=AT+CGDCONT=1,'IP','internet'
usb_dial=ATDT*99#
usb_type=option
usb_dev=0x12d11464
usb_dial=ATDT*99***1#
usb_user=web
usb_passwd=web
usb_user=O2web
usb_passwd=password
usb_type=option
usb_dev=0x12d11003
usb_dial=ATDT*99***1#
usb_init=AT+CGDCONT=1,'IP','mobile.o2.co.uk'
usb_type=option
usb_dev=0x12d11003
usb_dial=ATDT*99***1#
usb_init=AT+CGDCONT=1,'IP','websfr'
usb_type=option
usb_init=AT+CGDCONT=1,'IP','internet'
usb_dial=ATDT*99***1#
usb_type=option
usb_dev=0x12d11414
usb_init=AT+CGDCONT=1,'IP','epc.tmobile.com'
usb_dial=ATDT*99***1#
Model Name
HK CSL/
1010
ZTE MF636
Vendor
ID
0x19d2
Product
ID
0031
Orange in
Israel
ZTE MF 637
0x19d2
0031
Sierra USB-306
0x1199
68a3
NTT
Premodeswitch: 0x1004
Post modeswitch: 0x1004
NTT
0x1004
Premodeswitch: 613a
Post modeswitch: 6124
6109
Telstra
(Aus)
Sierra 885
(Turbo 7+)
0x1199
6880
Telstra
(Aus)
Sierra 306
0x1199
68a3
Telstra
(Aus)
Huawei E176G
0x12d1
1003
usb_tty=ttyUSB2
usb_init=AT+COPS=0,0,0
usb_dial=ATDT*99#
usb_type=2 (option)
usb_tty=ttyUSB3
usb_init=AT+COPS=0,0,0
usb_dial=ATDT*99#
usb_type=2 (option)
usb_type=4
usb_tty=ttyUSB6
usb_dev=0x119968a3
usb_init=AT+CFUN=1;+CGDCONT=1,'IP','APN_Name'
usb_dial=ATDT*99***1#
usb_init=AT+CGDCONT=1,'IP','mopera.flat.foma.ne.jp'
usb_type=3
usb_dev=0x10046124
usb_init=AT+CGDCONT=4,'IP','mopera.flat.foma.ne.jp'
usb_dev=0x10046109
usb_type=3
usb_dial=ATDT*99***4#
usb_dial=ATDT*99***1#
usb_init=AT+CGDCONT=1,'IP','telstra.wap'
usb_tty=ttyUSB4
usb_type=4 (sierra-gsm)
usb_dev=0x119968a3
usb_dial=ATDT*99***1#
usb_init=AT+CGDCONT=1,'IP','telstra.wap'
usb_tty=ttyUSB6
usb_type=4 (sierra-gsm)
usb_type=2(option)
usb_dial=ATDT*99#
usb_tty=ttyUSB0
usb_init=AT+CGDCONT=1,'IP','telstra.wap'
Model Name
3/HUTCH
(Aus)
Huawei E1553, E176
Vendor
ID
0x12d1
Product
ID
1003
Optus
(Aus)
Huawei E180
0x12d1
140c
usb_type=2(option)
usb_dial=ATDT*99#
usb_tty=ttyUSB0
usb_init=AT+CGDCONT=1,'IP','3netaccess'
usb_dev=0x12d1140c
usb_type=2(option)
usb_dial=ATDT*99#
usb_tty=ttyUSB0
usb_init=AT+CGDCONT=1,'IP','connect'
Chapter 2
Fixed Issues
This release contains all fixes up to and including those in AOS-W 5.0.1.0. The following issues and
limitations have been fixed in the AOS-W 5.0.2.1 release:
Table 3 Fixed in AOS-W 5.0.2.1
Bug ID
Description
30797,
41895
An issue in which user entries stuck in the datapath (meaning there is no corresponding auth entry)
are being forcibly deleted, requiring the user to reauthenticate, has been fixed.
36767
The issue with the user derivation rule encryption-type equals static-tkip not matching
wpa2-psk-tkip has been fixed.
37445,
38506,
35705,
44018
LAN ports on Remote APs (RAP) come up and pass traffic even if the RAP is unable to get an IP
address from the DHCP server.
38151
AOS-W now supports a maximum of 54 TKIP clients on 11n-capable APs and 27 TKIP clients on
legacy (non-11n) APs.
40605
41919,
41922,
39594
Buffer Alloc Failure caused by a buffer leak, which causes a switch to become unresponsive, has
been fixed.
42414
An issue in which an OAW-AP105 on 2.4 GHz receive rate falls to 6 Mbps when interference is
present has been fixed.
42660,
43075
DSCP is now set correctly for RTP frames, even when traffic is hitting tos ACL.
43055
The issue with the 4306 WLAN Series switch not relaying DHCP when VLAN1 was configured has
been fixed.
43064
An issue with the VIA connection not establishing when the switch had a direct route to the client
has been fixed.
43163
OSPF can now push more than 117 routes to its neighbors.
43577
AOS-W now correctly adds the QoS control field to EAP frames in bridge mode.
43588
A fix has been added to prevent the OAW-AP105 from crashing when it reads some bad calibration
values from the radio chip after IQ calibration.
43625
Broadcast packets were being flooded into bridge/split tunnels and consuming bandwidth. A fix
has been added to drop non-EAPOL packets on bridge/split dot1x tunnel for wired and wireless
traffic.
43659
There is no longer a small memory leak when the command show global-user-table list is
issued.
43825
The CSQ option has been removed from the PPP connection script because it does not interact
well with certain types of modems. This option is no longer needed since signal is now received
from a different script.
43829
User VLANs are only advertised when its operstate is up; similarly, the VLAN route is withdrawn
when the operstate goes down.
43971,
45184,
44452
Traffic is no longer dropped by the switch in the direction in which a bandwidth contract has been
applied. A fix has been added to correct queuing of the user/role based bandwidth contracts to the
right SOS CPU on the switch.
44049
44478
An issue with the switch not responding to the DHCP discovery when the relay agent sends DHCP
packet to an IP address other than the incoming VLAN interface has been fixed.
44794
An issue in which many bridge mode users were listed with a 0.0.0.0 IP address and many users
could be seen in the datapath user table but not in the user-table has been fixed.
Bug ID
Description
35300
When a mgmt-user is logged in with network-operator permissions, mesh node information is now
correctly displayed in Monitoring > All Mesh Nodes.
35308
Additional files for analyzing an HTTPD core dump will be collected and will be included in the file
generated by the tar crash command.
36679
38410
The output of the show inventory command displays the correct line card values.
39604
File names cannot be created, exported, or imported with any of the following special characters:
~@#$%^&*()+={}[]<>/\|
This restriction applies to the following CLI commands:
wms export-db
wms export-class
local-userdb export
local-userdb import
40174
40240
40554
Users can now poll the wlsxSwitchUserTable MIB to view the list of users connected to a switch.
40555
APs will successfully transmit unicast frames to a user on a static WEP VAP when assigned to a
derived VLAN.
40942,
41813,
41819
The DBSYNC code was updated to prevent a number of issues including the switch running out of
memory when queuing files for send, re-entrant PAPI ACKs corrupting the largePapi buffer, and
simplifying the state of the switch in general.
41094
The command show references user-role <user-role-name> now correctly displays the
profiles in which the queried user-role has been configured.
41189
An issue in which a MobileIP proxy state machine is unable to get L3 connectivity when inter-process
(such as auth to mobility) messages are dropped has been fixed.
41248
41714
In the WebUI, under Security > Access Control > Firewall Policies > Policies, the list of roles will now
wrap when it reaches the edge of the browser window instead of deforming the UI.
41716
41769
Idle timeout for IPv6 users is now supported on OmniAccess 6000 Series, OmniAccess 4504/4604/
4704, and 4306 WLAN Series switches.
41848
Mobility no longer deletes the user state when standalone AP is enabled and the client is doing DHCP.
41915
42012,
34041
The issue with APs rebooting continuously after upgrade to 3.4.2.3 has been fixed.
42126,
41913,
36281
The issue with multicast traffic flooding all APs (with IGMP snooping enabled) has been fixed.
42132
When ip local-proxy-arp on interface vlan is enabled, ARP requests for wireless clients are no longer
broadcast to all APs that share the same user VLAN.
Instead, the switch performs proxy ARP for the wireless client.
42221
The command show poe no longer impacts VRRP heartbeat processing on VRRP back up and master
switches.
42254
When a client is brought up over an RSTP-alternate port-channel, the client no longer begins flooding
out traffic.
42278
Clients on multiple VLANs no longer experience degraded video quality when receiving a multicast
video.
42290
After a reboot, wired clients are now able to successfully receive an IP address from the DHCP server.
42325
42329
VLANs used for Local IP pools can now successfully be deleted without returning the error messages
L2/L3 module busy.
42510
The log level for SNMP timed out messages sent to other applications has been changed to Notification.
Additionally, the SNMP client source IP address has been added to the log message.
43558,
38833
A .1x WPA retry timer in bridge mode issue has been fixed.
43034
RAPs in tunnel mode will not incorrectly respond to http get requests to their outer IP.
43093
Legacy switches no longer incorrectly require RAP license. The license is included in the base AOS-W
for these switches.
43096
LDAP-S from a switch to an IBM Tivoli Directory server now works correctly.
43201
43236
Unexpected AP reboots caused by a problem in the SAPD process have been fixed.
43373
AOS-W now tells SOS to create a station entry during station start if the forward-mode is bridge or split
tunnel, so that it does not depend on the station sending an EAPOL-start message.
43548
43558,
42940
Fixed a timer issue which prevented some wireless devices from successfully connecting to bridge mode
PSK SSIDs.
43654
IPSec VPN tunnels terminating on an Alcatel-Lucent switch are properly reestablished after the switch
reboots.
43861
44017
With external Captive Portal enabled, after authentication, the switch will correctly http redirect to the
original FQDN.
44089
An issue in which some APs were being duplicated and their MAC addresses were being changed after
an upgrade has been fixed.
Chapter 3
Known Issues
The following are known issues and limitations for this release of AOS-W. Applicable bug IDs or
workarounds are included:
Table 5 Known Issues and Limitations
Bug ID
Description
44208,
40777
AP is refusing call admission although the configured Call Admission Control (CAC) limit has not been
reached. For example, if the call count based CAC is set to n, only n-1 calls will be allowed on that AP.
Workaround:
For call count based CAC: Set the call-capacity to (n + 1) to ensure that n calls are allowed.
For bandwidth based CAC: Set the bandwidth capacity to that required by (n+1) calls to ensure that n
calls are allowed.
45382
In-call roaming for multiple switch CAC deployments does not work.
Workaround:
None.
43798
When a DHCP helper IP is configured, it is internally maintained as 2 separate entries for the VLAN. If
you then try to delete the helper IP or change it to another helper IP, one instance of the old helper IP
is retained, so DHCP requests from a client on the VLAN will still be relayed to the old helper IP.
Workaround:
If you want to change/delete the DHCP helper IP, first delete the helper IP, do a write mem and reboot
the box. This will remove the helper IP completely from the vlan after the box boots up again. Now you
can assign a new helper IP if required.
44240
In the Alcatel-Lucent version, under Startup Wizard > VLAN and IP Interface > VLAN, when the user
attempts to select a VLAN from the drop-down menu, the user will receive a JavaScript error and be
unable to configure a VLAN pool.
Workaround:
Use the WebUI instead of the startup wizard.
40800
On some occasions, Remote AP stops responding to association messages for clients connecting to
split-tunnel SSIDs when the AP is also advertising a backup/always mode bridge SSID.
Workaround:
Reboot the RAP. However, this may only be a temporary solution since the issue may return. Another
option is to disable always/backup VAPs if the problem is severe.
40835
After a VIA session is timed out, VIA is unable to make a new connection and shows the VIA Peer not
responding message. This could happen if you have configured more than 10 tunnel IP addresses in VIA
connection profile. VIA supports only 10 user configurable tunnel addresses and one for internally
assigned IP address.
Workaround: On the controller, update the VIA connection profile to have only 10 tunnel addresses.
On the client do the following:
1. Navigate to the Setting > Connection Profile and click the Clear Profile button.
2. In the Status tab, click the Download Profile button. Enter your domain credentials and the VIA
controller IP address and download new profiles.
40995
If the DNS IP address is not configured on the controller for VPN remote clients then the client fails to set
the IP address on the Windows Vista and Windows 7 systems. To verify if it is related to DNS entry or
not, start Wireshark on the virtual adapter and check the DHCP (bootp) protocol packets.
Workaround:
Using the CLI:
(host)(config)# vpdn group l2tp client configuration dns <dns-ip1> <dns-ip2>
(host)(config)# write mem
Using the WebUI:
1. Navigate to Configuration > Advanced Services > VPN Services > IPSEC and set the Primary DNS
Server under L2TP and XAUTH Parameters.
2. Save the configuration.
18286
20441
After the STM module is respawned (i.e. after a crash), the show voice commands will not display any
information because the memory that stores the data is cleared after STM restarts.
Workaround:
None.
26699
Due to the use of different methods to setup an IPSec policy filter between the Alcatel-Lucent dialer and
the Microsoft native dialer, the Alcatel-Lucent dialer will break the Microsoft native dialer for IPSec
L2TP.
Workaround:
None.
28608,
28939
The show datapath command does not return any output for RAPs connected to high latency 3G/
EVDO links.
Workaround:
None.
30592
Bulk RAP provisioning for multiple AP groups does not support triangulation, since bulk provisioned APs
are not assigned unique locations.
Workaround:
If you require your RAPs to have unique locations, do not use Bulk Provision. Instead, provision them
individually.
31388
31601
When a user changes VLANs, the SSID user entry for both VLANs will be updated.
Workaround:
None. However, this is a very minor issue since the old entry will eventually age out.
32076
Unicast and multicast key rotation does not work for split-tunnel 802.1x authentication.
Workaround:
None.
32320
Hitachi wireless IP 5000 phone with firmware version 2.5.2 LA1 cannot associate with an AP in WPA2-PSK-AES mode when the SSID has both WPA-PSK-TKIP and WPA2-PSK-AES enabled on it. This is
because the STA is sending AES CCMP as the multicast cipher, instead of TKIP.
Workaround:
To avoid this issue, do not use mixed authentication modes with this phone.
32503
NTP must be run on the switch before VRRP. If this is not done, the system clocks between switches in a
master-backup setup will not be synced correctly.
Workaround:
Run NTP first before enabling VRRP.
32619
OSPF does not advertise all the VLANs to the neighbor if there are more than 102 user VLANs.
Workaround:
None.
32650
Campus APs reboot if their associated whitelist entries in the local-userdb-ap are removed.
Workaround:
Ensure that the local-userdb-ap entry is not configured for Campus AP as local-userdb-ap only
applies to the Remote AP.
32896
An Air Monitor will not process Ethernet frames on the 'eth1' interface, except in cases where eth0 and
eth1 are deployed in a standby configuration for an AP-70. In this scenario, if eth1 is active, the Air
Monitor will receive the ethernet frames on this interface. This issue will affect rogue AP classification for
devices on the eth1 interface.
Workaround:
None.
33541
The traceroute command does not work when the internal IPs are used for RAP pool.
Workaround:
None.
33829
In the WebUI, under Monitoring > Access Points > USB, the serial number of the USB device is
displayed.
Workaround:
None.
34148
Double encryption does not work for tunnel SSIDs on AP-120 series and RAP-5s connected to an M3
switch. Clients will not be able to authenticate with this configuration and hardware combination.
Workaround:
Do not use double encryption with this hardware combination.
34202
All client associations will be cleared for an AP terminated to local switch when the master switch is
rebooted.
Workaround:
None
34238
Load balancing over equally costed routes does not work because AOS-W does not support equal-cost
multiple path (ECMP) routes. Only single path route is supported.
Workaround:
None.
34635
Deny Time Range in virtual AP with forwarding mode set to split-tunnel or bridge mode does not work.
The clients are able to connect during the deny time range.
Workaround:
To use Deny Time Range, the forwarding mode must be set to tunnel-mode.
35088
35231,
30257
Max-retries cannot be configured in an SSID profile. For example, if you configure the max retries to 5,
the client will continue to try to connect after 5 times.
Workaround:
None.
35463
A RAP with more than one ethernet port does not come up if the uplink is connected to any other port
other than enet0.
Workaround:
None.
35605
After provisioning the RAP at home the local debugging (LD) page is not accessible if the user is in the
tunnel mode.
Workaround:
None.
35674
Dynamic pullout or plug-in of the Huawei E272 EVDO modem on a RAP does not work.
Workaround:
None.
36117
RFProtect shielding fails if the AP has reached its maximum (32) pending shielding jobs and is, therefore,
taking no new jobs.
Workaround:
None. However, in a typical Alcatel-Lucent deployment, this maximum number of shielding jobs will not
be reached.
36291
36601
The rf (Radio Frequency) band defined in the mesh cluster takes precedence over the rf band defined in
the AP system profile while configuring the RMP.
Workaround:
Use all as the Allowed band in the dummy-split-vap parameter.
36891
RAPs cannot be provisioned when using D-Link DIR-100 NAT device due to decryption failures.
Workaround:
None.
36923
37443
Uplink Manager functionalities appear on non-600 series platforms but cannot be used.
Workaround:
None. The uplink options that appear on non-600 series switch platforms should not be enabled.
37700
When a client's ethernet port is connected, the client fails wireless 802.1x authentication if the case
sensitive username does not match the user in the Active Directory.
Workaround:
The client's username must be an exact, case-sensitive match of the username stored in the Active
Directory.
37774
37858
The switch fails to process OSPF link state update (LSU) packet if the packet is fragmented.
Workaround:
Ensure that the neighbor does not advertise more than 116 subnets.
37905
MTU size is not displayed in an ap bss-table for RAP bridge port because there is no data-pkt tunnel
between RAP and controller for bridge mode. Therefore, no MTU discovery happens.
Workaround:
None.
38398
38403,
38404,
40238
38571
The spectrum load balancing requires scanning to be enabled in the ARM profile.
Workaround:
None.
38602
The dummy-split-vap should not be configured with a dot1x based AAA profile in RMP.
Workaround:
Ensure not to configure the dummy-split-vap with dot1x based AAA profile.
38782
A mgmt-user with a username of l, s, or w cannot be created since they are the starting character of
keywords under the mgmt-user command.
Workaround:
Do not create management usernames that begin with l, s, or w.
38850
A mgmt-user username cannot exceed more than 16 characters, however local-userdb username can
exceed 16 characters.
Workaround:
None.
39149
39356
39364
39417
The limit for static routes is 128, not 256. In versions of AOS-W prior to 3.4.x, this limit was not strictly
enforced and, therefore, more than 128 static routes could be configured.
Workaround:
None. This is the defined behavior.
39614
39664
The tunnel mode users are not displayed on the RAP console.
Workaround:
None.
39666
When a split-tunneled wired client is disconnected from a RAP, the client is immediately removed from
the user table. This causes the wired port statistics for the client to display incorrect information under
Monitoring > Controller > Clients > Client Activity in the WebUI.
Workaround:
None.
39668
Saving the 3G/EVDO values for the provisioning at home feature can take up to 30 seconds. When the
save is complete, the page will refresh automatically.
Workaround:
None.
39849
After downgrading the image from AOS-W 5.0 to AOS-W 3.3.2.8 the local-userdb import cannot
retrieve the entries from the user database.
Workaround:
None.
39906
In AOS-W 5.0 and later, the aaa authentication vpn default profile cannot be modified without
the PEFV license. Pre-5.0, you could modify the profile but could not use the profile without a valid VPN
license.
Workaround:
None. This change does not substantially affect the functionality of the switch.
40076
40611
Only four CNAME entries are supported in a returned DNS response from the DNS server.
Workaround:
None.
45190
The switch floods the broadcast and multicast packets to bridge virtual AP and wired ports if a split-tunnel VAP belongs to the same VLAN. The packets ultimately get dropped on the AP.
Workaround:
Use different VLANs for split-tunnel and bridge virtual AP or wired port.
Chapter 4
Upgrade Procedures
This chapter details software and hardware upgrade procedures. Alcatel-Lucent best practices recommend
that you schedule a maintenance window when upgrading your switches.
CAUTION
Read all the information in this chapter before upgrading your switches.
NOTE
All versions assume that you have upgraded to the most recent version as posted on the Alcatel-Lucent
download site. For instance, 3.3.x assumes you have upgraded to the most recent version of 3.3.
Best practices recommend upgrading during a maintenance window. This will limit the troubleshooting
variables.
Verify your current AOS-W version (execute the show version or the show image version command).
Verify which services you are using for each switch (for example, Employee Wireless, Guest Access,
Remote AP, Wireless Voice).
Verify the exact number of access points (APs) you have assigned to each switch.
List which method each AP uses to discover each switch (DNS, DHCP Option, broadcast), and verify
that those methods are operating as expected.
List the devices in your infrastructure that are used to provide your wireless users with connectivity
(Core switches, radius servers, DHCP servers, firewall, for example).
Know your topology. The most important path is the connectivity between your APs and their switches.
Connectivity issues will interfere with a successful upgrade. You must have the ability to test and make
connectivity changes (routing, switching, DHCP, authentication) to ensure your traffic path is
functioning.
Avoid combining a software upgrade with other upgrades; this will limit your troubleshooting variables.
Verify that all of your switches are running the same software version in a master-local relationship. The
same software version assures consistent behavior in a multi-switch environment.
Use FTP to upload software images to the switch. FTP is much faster than TFTP and also offers more
resilience over slower links.
If you must use TFTP, ensure that your TFTP servers can send more than 30 MB of data.
NOTE
Always upgrade the non-boot partition first. If something happens during upgrade, you can restore the
flash, and switch back to the boot partition. Upgrading the non-boot partition gives you a smoother
downgrade path should it be required.
NOTE
If you manage your switches via the AirWave Wireless Management Suite, the AirWave upgrade process
automates most of these steps.
1. Upload the same version of the new software image onto all switches.
2. Reboot all switches simultaneously.
3. Execute the ping -t command to verify all your switches are up after the reboot.
4. Open a Secure Shell session (SSH) on your Master Switch.
5. Execute the show ap database command to determine if your APs are up and ready to accept clients.
6. Execute the show ap active command to view the up and running APs.
7. Cycle between step 5 and step 6 until a sufficient number of APs are confirmed up and running.
The show ap database command displays all of the APs, up or down. If some access points are down,
execute the show datapath session table <access point ip address> command and verify traffic is
passing. If not, attempt to ping them. If they still do not respond, execute a show ap database long
command to view the wired mac address of the AP; locate it in your infrastructure.
8. Verify that the number of access points and clients are what you would expect.
9. Test a different type of client for each access method (802.1x, VPN, Remote AP, Captive Portal, Voice)
and in different locations when possible.
Do not exceed the size of the flash file system. For example, loading multiple large building JPEGs for
RF Plan can consume flash space quickly.
Warning messages alert you that the file system is running out of space if there is a write attempt to flash
and 5 Mbytes or less of space remains.
Other tasks which are sensitive to insufficient flash file system space include:
DHCP lease and renew information is stored in flash. If the file system is full, DHCP addresses can not
be distributed or renewed.
If a switch encounters a problem and it needs to write a log file, it will not be able to do so if the file
system is full and critical troubleshooting information will be lost.
CAUTION
In certain situations, a reboot or a shutdown could cause the switch to lose the information stored in its compact
flash card. To avoid such issues, it is recommended that you issue the halt command before rebooting.
Make sure you have at least 10 MB of free compact flash space (show storage command).
Run the tar crash command to ensure there are no process died files clogging up memory and FTP/
TFTP the files to another storage device.
Remove all unnecessary saved files from flash (delete filename command).
Configuration data
WMS database
Licensing database
You can later copy the backup file from the external server to the Compact Flash file system by
navigating to the Maintenance > File > Copy Files page.
4. To restore the backup file to the Compact Flash file system, navigate to the Maintenance > File >
Restore Flash page. Click Restore.
2. Use the copy command to transfer the backup flash file to an external server:
(host) # copy flash: flashbackup.tar.gz ftp: <ftphost> <ftpusername> <ftpuserpassword> <remote directory>
You can later transfer the backup flash file from the external server to the Compact Flash file system
with the copy command:
(host) # copy tftp: <tftphost> <filename> flash: flashbackup.tar.gz
3. Use the restore command to untar and extract the flashbackup.tar.gz file to the Compact Flash file
system:
(host) # restore flash
License Mapping
License consolidation and even renaming of licenses occur over time. Figure 1 is an up-to-date illustration
of the consolidated licenses effective with this release.
AOS-W 5.0
PEF (user basis) was converted to PEFNG (AP basis) with AOS-W 5.0
AOS-W 3.4.1
VOC was merged into PEF. This merge happened with AOS-W 3.4.1
AOS-W 3.4.0
AAA was merged into ESI with the release of AOS-W 2.5.3.
CIM is End-of-life
[Figure 1: license conversion diagram. Labels: AOS; VPN; IMP; MAP (indoor), (outdoor); AP Capacity, licensed by # APs (CAP, RAP); PEFNG - Wired, WLAN, licensed by # APs; PEFV VPN/VIA controller box license; PEF; VSM; WIP; ESI; AAA (2.5 legacy); Base AOS]
Caveats
Before upgrading to AOS-W 5.0, take note of these known upgrade caveats.
If you have occasion to downgrade to a prior version, and your current AOS-W 5.0 configuration has
CPSec enabled, you must disable CPSec before you downgrade.
For more information on configuring control plane security and auto-certificate provisioning, refer to
the AOS-W 5.0 User Guide.
NOTE
If you need to downgrade to AOS-W 3.4.x, the previous licenses will be restored. However, once you upgrade
again to AOS-W 5.0 the licenses will no longer revert should you need to downgrade again.
CAUTION
When upgrading the software in a multi-switch network (one that uses two or more Alcatel-Lucent switches),
special care must be taken to upgrade all the switches in the network and to upgrade them in the proper
sequence. (See Upgrading in a Multi-Switch Network on page 29.)
8. When the boot process is complete, log in to the WebUI and navigate to the Monitoring > Switch >
Switch Summary page to verify the upgrade, including country code. The Country field displays the
country code configured on the switch.
NOTE
A valid IP route must exist between the FTP/TFTP server and the switch. A placeholder file with the destination
filename and proper write permissions must exist on the FTP/TFTP server prior to executing the copy command.
3. Determine which partition to load the new software image onto. Use the following command to check the
partitions:
#show image version
----------------------------------
Partition               : 0:0 (/dev/hda1) **Default boot**
Software Version        : AOS-W 3.3.1.23 (Digitally Signed - Production Build)
Build number            : 20219
Label                   : 20219
Built on                : 2009-05-11 20:51:46 PST
----------------------------------
Partition               : 0:1 (/dev/hda2)
/dev/hda2: Image not present
Best practice is to load the new image onto the backup partition (the non-boot partition). In the above
example, partition 0 is the boot partition. Partition 1 is empty (image not present) and can be used to
load the new software.
4. Use the copy command to load the new image onto the switch:
(host) # copy ftp: <ftphost> <ftpusername> <image filename> system: partition 1
or
(host) # copy tftp: <tftphost> <image filename> system: partition 1
NOTE
When using the copy command to load a software image, the specified partition automatically becomes active
(default boot partition) the next time the switch is rebooted. There is no need to manually select the partition.
5. Execute the show image version command to verify the new image is loaded:
(host) #show image version
----------------------------------
Partition               : 0:0 (/dev/hda1) **Default boot**
Software Version        : AOS-W 4.3.0.0 (Digitally Signed - Production Build)
Build number            : 23623
Label                   : 23623
Built on                : Wed Mar 10 09:11:59 PST 2009
----------------------------------
Partition               : 0:1 (/dev/hda2)
Software Version        : AOS-W 5.0.0.0 (Digitally Signed - Production Build)
Build number            : 23711
Label                   : 23711
Built on                : Wed Mar 24 09:11:59 PST 2010
7. Execute the show version command to verify the reload and upgrade is complete.
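The partition checks in steps 3 and 5 can be scripted against captured CLI output. The following is an added example, not part of the AOS-W documentation: it parses `show image version` text, picks the non-boot partition, and lists reasons not to reboot onto a staged image. The function names, the constructed sample text and the expected version and build arguments are assumptions; the target partition is passed explicitly to the step 5 check rather than re-derived from the **Default boot** marker.

```python
import re

# Constructed samples (not real output): BEFORE the step 4 copy, and AFTER it.
BEFORE = """\
Partition               : 0:0 (/dev/hda1) **Default boot**
Software Version        : AOS-W 3.3.1.23 (Digitally Signed - Production Build)
Build number            : 20219
Partition               : 0:1 (/dev/hda2)
/dev/hda2: Image not present
"""
AFTER = BEFORE.replace("/dev/hda2: Image not present",
    "Software Version        : AOS-W 5.0.0.0 (Digitally Signed - Production Build)\n"
    "Build number            : 23711")

PART_RE = re.compile(r"Partition\s*:\s*\d+:(\d+)\s+\(\S+\)(.*)")
VER_RE = re.compile(r"Software Version\s*:\s*AOS-W\s+(\S+)\s*\((.*)\)")
BUILD_RE = re.compile(r"Build number\s*:\s*(\d+)")

def parse_partitions(text):
    """Return {partition index: fields} from `show image version` output."""
    parts, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := PART_RE.fullmatch(line):
            cur = parts.setdefault(int(m.group(1)), {
                "boot": "Default boot" in m.group(2),
                "version": None, "signed": False, "build": None})
        elif cur and (m := VER_RE.fullmatch(line)):
            cur["version"] = m.group(1)
            cur["signed"] = "Digitally Signed" in m.group(2)
        elif cur and (m := BUILD_RE.fullmatch(line)):
            cur["build"] = m.group(1)
    return parts

def backup_partition(parts):
    """Step 3: the partition to load onto is the one that is not default boot."""
    free = [i for i, p in parts.items() if not p["boot"]]
    if len(parts) != 2 or len(free) != 1:
        raise ValueError("expected one boot and one backup partition")
    return free[0]

def staged_image_problems(text, target, version, build):
    """Step 5: reasons not to reboot yet; an empty list means the image checks out."""
    p = parse_partitions(text).get(target)
    if p is None or p["version"] is None:
        return ["no image on partition %d" % target]
    checks = [((p["version"], p["build"]) == (version, build),
               "found %s build %s" % (p["version"], p["build"])),
              (p["signed"], "image is not marked Digitally Signed")]
    return [msg for ok, msg in checks if not ok]
```

The signed check only reads the label the CLI prints; it does not itself verify a signature.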
or
(host) # ping <tftphost>
NOTE
A valid IP route must exist between the FTP/TFTP server and the switch. A placeholder file with the destination
filename and proper write permissions must exist on the FTP/TFTP server prior to executing the copy command.
3. Determine which partition to load the new software image. Best practices are to load the new image
onto the backup partition (the non-boot partition). In the above example, partition 0 is the boot
partition. Partition 1 is empty (image not present) and can be used to load the new software.
4. Use the copy command to load the new image onto the switch:
(host) # copy ftp: <ftphost> <ftpusername> <image filename> system: partition 1
or
NOTE
When using the copy command to load a software image, the specified partition automatically becomes active
(default boot partition) the next time the switch is rebooted. There is no need to manually select the partition.
7. When the boot process is complete, use the show version command to verify the upgrade.
NOTE
Once you have completed the upgrade to the latest version of 3.3.x, then follow the steps in Upgrading from
3.3.x to 5.0 on page 28 to complete your last upgrade hop.
NOTE
For proper operation, all switches in the network must be upgraded with the same version of AOS-W software.
For redundant (VRRP) environments, the switches should be the same model.
NOTE
An inter-switch IPSec tunnel can be used to route data between networks attached to the switches. To route
traffic, configure a static route on each switch specifying the destination network and the name of the IPSec
tunnel.
There is a default PSK to allow inter-switch communications; however, for security you need to configure
a unique PSK for each switch pair. You can use either the WebUI or CLI to configure a 6-64 character PSK
on master and local switches.
CAUTION
Do not use the default global PSK on a master or standalone switch. If you have a multi-switch network then
configure the local switches to match the new IPSec PSK key on the master switch. Leaving the PSK set to the
default value exposes the IPSec channel to serious risk, therefore you should always configure a unique PSK for
each switch pair.
WARNING
If you upgraded from 3.3.x to 5.0, the upgrade script encrypts the internal database. Any new entries that were
created in AOS-W 5.0.2.1 will be lost after downgrade (this warning does not apply to upgrades from 3.4.x to
5.0).
Before you reboot the switch with the pre-upgrade software version, you must perform the following steps:
1. Verify that Control Plane Security (CPSec) is disabled.
2. Set the switch to boot with the previously-saved pre-upgrade configuration file.
3. Set the switch to boot from the system partition that contains the pre-upgrade image file.
NOTE
When you specify a boot partition (or copy an image file to a system partition), the software checks to ensure
that the image is compatible with the configuration file that will be used on the next switch reload. An error
message displays if the system boot parameters are set for incompatible image and configuration files.
Restore your configuration from your pre-upgrade configuration backup stored on your flash file. Do
not restore the flash file system from an AOS-W 5.0.2.1 backup file.
You do not need to re-import the WMS database or RF Plan data. However, if you have added changes to
RF Plan in AOS-W 5.0.2.1, the changes will not appear in RF Plan in the downgraded AOS-W version.
If you installed any certificates while running AOS-W 5.0.2.1, you need to reinstall the certificates in the
downgraded AOS-W version.
The following sections describe how to use the WebUI or CLI to downgrade the software on the switch.
Be sure to back up your switch before reverting the OS.
CAUTION
When reverting the switch software, whenever possible use the previous version of software known to be used
on the system. Loading a release not previously confirmed to operate in your environment could result in an
improper configuration.
2. Set the switch to boot with your pre-upgrade configuration file by navigating to the Maintenance >
Switch > Boot Parameters page.
a. Select the saved pre-upgrade configuration file from the Configuration File menu.
b. Click Apply.
3. Determine the partition on which your previous software image is stored by navigating to the
Maintenance > Switch > Image Management page. If there is no previous software image stored on
your system partition, load it into the backup system partition (you cannot load a new image into the
active system partition):
a. Enter the FTP/TFTP server address and image file name.
b. Select the backup system partition.
c. Click Upgrade.
4. Navigate to the Maintenance > Switch > Boot Parameters page.
a. Select the system partition that contains the pre-upgrade image file as the boot partition.
b. Click Apply.
5. Navigate to the Maintenance > Switch > Reboot Switch page. Click Continue. The switch reboots
after the countdown period.
6. When the boot process is complete, verify that the switch is using the correct software by navigating to
the Maintenance > Switch > Image Management page.
3. Execute the show image version command to view the partition on which your previous software
image is stored.
In the following example, partition 0, the backup system partition, contains the backup release 3.4.1.23.
Partition 1, the default boot partition, contains the AOS-W 5.0.2.1 image:
#show image version
----------------------------------
Partition               : 0:0 (/dev/hda1)
Software Version        : AOS-W 3.4.1.23 (Digitally Signed - Production Build)
Build number            : 20219
Label                   : 20219
Built on                : 2009-12-11 20:51:46 PST
----------------------------------
Partition               : 0:1 (/dev/hda2) **Default boot**
Software Version        : AOS-W 5.0.0.0 (Digitally Signed - Production Build)
Build number            : 23711
Label                   : 23711
Built on                : 2010-03-25 01:59:13 PDT
You cannot load a new image into the active system partition (the default boot).
NOTE
6. When the boot process is complete, verify that the switch is using the correct software:
# show image version
Switch Migration
This section outlines the steps involved in migrating from an Alcatel-Lucent PPC switch environment to a
MIPS switch environment. These steps take into consideration the common Alcatel-Lucent WLAN switch
environment. You must have an operational PPC switch in the environment when migrating to a new
switch. The switches are classified as:
NOTE
Use this procedure to upgrade from one Alcatel-Lucent switch model to another. Take care to ensure that the
new switch has equal or greater capacity than the switch you are replacing.
5. Let the support person know if there are any recent changes in your network (external to the Alcatel-Lucent switch) or any recent changes to your switch and/or AP configuration.
6. If there was a configuration change, list the exact configuration steps and commands used.
7. Provide the date and time (if possible) when the problem first occurred.
8. If the problem is reproducible, list the exact steps taken to recreate the problem.
9. Provide any wired or wireless sniffer traces taken during the time of the problem.
10. Provide the wireless device's make and model number, OS version (including any service packs or
patches), wireless NIC make and model number, wireless NIC's driver date and version, and the wireless
NIC's configuration.
11. Provide the switch site access information, if possible.
Contacting Support
Table 6 Alcatel-Lucent Contacts
Contact Center Online
Main Site: http://www.alcatel-lucent.com/enterprise
Support Site: https://service.esd.alcatel-lucent.com
support@ind.alcatel.com
North America: 1-800-995-2696
Latin America: 1-877-919-9526
Europe
Asia Pacific
Worldwide: 1-818-878-4507