Skip to content

IP Fabric v5.0

v5.0.2 (Sep 13th, 2022)

# ipfabric-5-0-2+5.ova
QCOW SHA256: ebe63a21be1a1a8d0bf5897f8c8887b732505f2c4a1afc94fc779752f4c968b0
QCOW MD5: c151ad5e9b028c29c88fc67b7007bdaa
# ipfabric-5-0-2+5.qcow2
TAR SHA256: 7ccd1e349ec8a77680db95637abc1699dfd1755a63d8075d37baece5cac9eb50
TAR MD5: 65f2602ddbf5a8dc56d67eab430f13b1
# ipfabric-update-5_0_2+5.tar.gz.sig
TAR SHA256: 1dc0a59e2ec0993b9af2f7e26547caa791114ce5d49da32387effa00f11bbc95
TAR MD5: 62518242728b95c08f5362ebcddec140

Read All Upgrade Notices

Please read all v5.0.0 UPGRADE NOTICES, WARNINGS, and IMPORTANT messages prior to beginning installation. This upgrade requires IP Fabric to be on 4.4.3 or greater prior to upgrading to 5.0.2.

Bug Fixes

  • Juniper – Device info task failed to read inventory data
  • Jumphost settings – removing the username restriction
  • Vendors API – Updated resources management when reading Versa SD-WAN
  • Configuration backup – File download failed with large configuration files
  • Intent Calculation failed for complex ZoneFW policies

Features

  • FabricPath – Add feature-set support for Cisco Nexus

v5.0.1 (Aug 08th, 2022)

# ipfabric-5-0-1+10.ova
OVA SHA256: 6ec97dde3bc7b4eae424799838a99453d759adf14ef42f20039fc89cd0c2eb49
OVA MD5: 4624340f1f6c515db0946b859944558e
# ipfabric-5-0-1+10.qcow2
QCOW SHA256: 7539bbaf7eb6c8f7c5e0c72517210e49feec0bb2ae9cca68bb900321d56d2996
QCOW MD5: 04fed50a120a49bf1b610b39096b1051
# ipfabric-update-5_0_1+10.tar.gz.sig
TAR SHA256: edbf3cfa8c0628b39682a952f61d62ba7b3ea9176c5f36edd1b93decee501047
TAR MD5: 0f79000974e0e5c60590e161785a1067

Read All Upgrade Notices

Please read all v5.0.0 UPGRADE NOTICES, WARNINGS, and IMPORTANT messages prior to beginning installation. This upgrade requires IP Fabric to be on 4.4.3 or greater prior to upgrading to 5.0.1.

Bug Fixes

  • 5.0.0 was unpublished as a race condition in Palo Alto discovery was reported; this has been fixed in 5.0.1.

Features

  • Check Point Management Data Plane Separation (MDPS) if enabled is now supported in IP Fabric for discovery

v5.0.0 (Jul 19th, 2022)

OVA SHA256: ac8a7e68f97b53e299ce3eecac6bd4ddc56c2c025b1ae48d95fbad925213a7bd
OVA MD5: 65e979f0ea93ba77c9731cfcc0008fa5
QCOW SHA256: 1e681e249d69d21feb83cbc62f5e3d2bb80db76d22a3acfd90c840c30506748c
QCOW MD5: 0204de624001d1dfe8067e68f11ef3c5

Read All Upgrade Notices

Please read all UPGRADE NOTICES, WARNINGS, and IMPORTANT messages prior to beginning installation. This upgrade requires IP Fabric to be on 4.4.3 prior to upgrading to 5.0.0.

API Versioning

API versioning has been introduced in v5.0.0. API endpoint URLs will now contain api/v5.0 rather than api/v1. If you are scripting against the API or using it to integrate into other systems, you must change the URL to the new format. For more information on this please visit the API Documentation page.

ipfabric and ipfabric-diagrams Python SDK’s have been updated to support the new changes. Please visit python-ipfabric and python-ipfabric-diagrams for more information.

SSO and API versioning

Upgrade to 5.0.0 will break custom SSO integrations and will require changes to your files prior to re-enabling. Before upgrading and if you have SSO deployed, please contact your Solution Architect to copy your custom settings and and re-deploy them after the update.

Input validation

String input validation has been improved in features such as FTP/SFTP backup, Jumphost, SNMP, and certificate settings and will only accept the following characters: A-Za-z0-9.,/-_@%^:=+ -.

Previously set strings may no longer work. For example, an SNMP community string previously set with an invalid character (i.e. IPFabric&123) would cause SNMP queries not to work until the string is updated with only valid characters

RBAC phase 1

The first phase of a new implementation of Role-Based Access Control is included in 5.0.0. There is a known caveat where generation of API tokens does not consider the new RBAC roles – this will be remedied in 5.0.0. If you are planning on using Roles and API Tokens, it is recommended to wait for the fix before assigning any user to the custom roles. If a user is in a custom Role, they will not be able to create an API token until the next patch release.

Extreme Family Rename

Extreme XOS family has been correctly renamed to EXOS.

IPv6 Support

IPv6 support has been significantly enhanced in 5.0.0 with new tables and a new underlying network model. As a result, IPv6 data in older snapshots may not display correctly in 5.0.0. We have made all efforts possible to migrate data between versions, but if you do have issues in 5.0.0, please run a new snapshot and check the data again. Please raise a support ticket if you still experience problems.

Path Lookup API Change

A new required parameter enableRegions has been added to the Path Lookup API for Unicast and Multicast. If set to false it will ignore the values in the srcRegions and dstRegions parameters.

enableRegions [mandatory] - boolean - (default false)

UPGRADE NOTICES

  • This upgrade requires IP Fabric to be on 4.4.3 prior to upgrade to 5.0.0. IP Fabric 4.4.2 or lower will not work – please upgrade to 4.4.3 using the normal method before carrying out the 5.0.0 upgrade process.
  • Due to the major changes stated above, automatic updates will be disabled for this release and will require manual upgrade.
  • Prior to update, please ensure you perform a backup of your system or it is highly recommended to create a VM snapshot.
  • It is recommended (for all updates) to unload all snapshots prior to performing the upgrade.
  • Requires 10GB of free disk space.
  • Estimated upgrade time is around 20 minutes however depending on the resources of your VM it could take longer than an hour.
  • During update to 5.0.0 no message about the update being finished is shown and a refresh of the Admin page is required to check if the API and services are back online.
  • After approximately 5-10 minutes after the update file has finished uploading to the server you should be able to log in to the IPF CLI as osadmin and run the following command to track installation progress
    • tail -f /var/log/nimpee/dist_upgrade.log
    • If the tail command is not found, wait a few minutes and log out and back in to the CLI.
  • Once upgrade has finished the system will reboot (see below the example output of the dist_upgrade.log file).
  • After all updates, please Clear Browser Cache.
  • Not all new features will be available until a new snapshot is created on the updated version.
  • If after the upgrade you experience issues with AQL: internal error, Dashboards, or Topology, please first try restarting the ArangoDB service from the System Administration page prior to contacting support.
    • Log in to the System Administration page located on port 8443.
    • In the System Status page under System Services, you will find ArangoDB.
    • Next to the status color is a restart button which will restart the service.
  • If you run into any other issues during or after the upgrade, please open a support ticket.

Example output of successful /var/log/nimpee/dist_upgrade.log log file:

osadmin@ipfabric:~$ tail -f /var/log/nimpee/dist_upgrade.log
+ echo --- exit_code: 0, cleaning up ---
--- exit_code: 0, cleaning up ---
+ delete_if_exists /etc/apt/sources.list.d/ipf-update.list /etc/apt/sources.list.d/ipf-update.list.tmp /etc/apt/sources.list.tmp
+ [ -e /etc/apt/sources.list.d/ipf-update.list ]
+ [ -L /etc/apt/sources.list.d/ipf-update.list ]
+ [ -e /etc/apt/sources.list.d/ipf-update.list.tmp ]
+ [ -L /etc/apt/sources.list.d/ipf-update.list.tmp ]
+ [ -e /etc/apt/sources.list.tmp ]
+ [ -L /etc/apt/sources.list.tmp ]
+ return 0

New Vendor Support

  • Cisco APIC discovery
    • Cisco ACI - contracts, tenants, applications, zone filtering
  • Aruba Instant APs
  • Ruckus Wireless controller
  • Dell SmartFabric OS10 Basic Discovery
  • Cisco Meraki has been migrated from API v0 to API v1
    • Following the announcement of Meraki’s addition of Cisco Catalyst switches, we have ensured that these will be only discoverable via CLI at this time and excluded in the Meraki discovery.

Features – Protocol and Technology Support

  • IPv6
    • Dual-Stack Basic Discovery
    • Technology Tables (Routing, managed IP, hosts, interfaces)
  • DNS
    • DNS Basic configuration
    • DNS Resolver configuration
  • DHCP servers and relays
  • Extreme ACL support
  • RSVP neighbors & interfaces
  • IPv4 and IPv6 Tunnels Table
  • Juniper MIST Improvements
  • Azure Security Groups
  • AWS Network ACLs & Security Groups
  • VMware NSX-T - Add support for VRF OSPF and BGP
  • HP Aruba CX Dot1x
  • Cisco ASA Interface Aliases

Role-Based Access Control Phase 1

IP Fabric 5.0.0 includes Phase 1 of RBAC. The most significant change is that Users are now assigned to a Role(s) and not given specific permissions. During the upgrade process your users will be migrated to the appropriate roles. For more information see the documentation at the links below.

  • Policies
    • This is where you define the endpoints users have access to.
    • There are 5 built-in Policies in 5.0.0
      • settings: Access to snapshot and product settings endpoints
      • discovery: Access to discovery endpoints
      • team: Access to user management endpoints
      • tables: Access to table endpoints
      • others: Migrated read scope - to be deprecated in 5.1
  • Roles
    • A Role can consist of one or more policies
    • admin role cannot be changed or deleted
  • Users
    • A User can also consist of one or more roles

IP Fabric VM OS-Level Changes

  • The OS has been updated to Debian 11 “bullseye”
    • openvpn version has been updated to 2.5.1
      • This version drops older ciphers, and could have an impact on users utilizing those ciphers
    • sshuttle version has been updated to 1.0.5
      • This upgrade could potentially impact jumphost connectivity
  • removed jailkit for osadmin user
    • There is still the limitation for changing the osadmin account password only via running nimpee-net-config -t
    • CLI users logging in as osadmin now have sudo access

Warning

Any action on the command-line interface (CLI) using the root, osadmin, or autoboss account may cause irreversible detrimental changes to the product. Actions taken without direct communication with the IP Fabric Support or Solution Architect teams can render the system unusable.

  • All TLS versions older than 1.3 have been deprecated.
    • Some older browsers, proxies, or systems may have issues connecting to IP Fabric after this change.
    • To re-enable an older version please see Custom TLS Settings or contact your Solution Architect.
  • Boot Wizard Changes
    • For VM initial deployments where console access is not possible, it’s now possible to run the boot wizard via SSH
      • Boot the VM, determine the IP address assigned to it from DHCP, and SSH to the VM: ssh osadmin@<dhcp-learned-ip-address>
      • Once logged in, run nimpee-net-config -a
  • cloud-init preliminary support
    • For users wanting to automate VM installations, cloud-init can be used for initial VM provisioning
    • IP address assignment to the VM is supported via cloud-init
    • Any other changes via cloud-init (users, ssh keys, resizing) may work, but are untested and unsupported
    • Changing the password for osadmin through cloud-init is discouraged as it has some implications, use nimpee-net-config -t instead
    • If you are using auto cloud-init via certain cloud providers, note the OpenSSH server will regenerate new public/private keys
  • Added qemu-guest-agent for easier monitoring in environments such as OpenStack
  • Entry input validation has been improved in features such as backup, jumphosts, SNMP and certificates
    • Strings should only accept the following characters: A-Za-z0-9.,/-_@%^:=+ -
    • Previously set strings may no longer work. For example, an SNMP community string previously set with an invalid character (i.e. IPFabric&123) would cause SNMP queries not to work until the string is updated with only valid characters