Isilon: Dell switch Certificate expiration on Dell Z9100-ON switches used for Isilon Backend Ethernet

Leaf and Spine configured switches of the Z9100-ON models encounter issues if the links flap, switch configuration changes are made, or the switches are rebooting requiring verification of the certificate.

Z9100-ON switches in a Leaf and Spine configuration are at risk to the Certificate expiration date of July 27, 2021. After the x.509 certificate expires, traffic reachability issues may occur when one of these switches has: a subsequent switch reboot, site power loss, link flap, operator-triggered configuration change, cable disconnect, or other network event. There is no risk posed to "Flat switch, Top of Rack, single switch" configurations due to certificate expiration.

X.509 Certificate that expires on July 27, 2021 for DNOS versions before 10.5.0.6C1.

The risk is identified and categorized below based on switch model, deployed configuration, and DNOS version currently installed on the switches. In the example below, it shows three leaf switches and one spine switch for internal network a and the same for internal network b. If your results only show leaf switches and no spine switch is present in the results, your configuration is not affected. 

To verify the version of DNOS installed on the switches, from a cluster node, run the following commands:     

NODE-1# isi_dump_fabric int-a | grep -E "Spine|Leaf" |grep -v leaf |cut -d: -f1
"Dell Z9100-ON - v10.5.0.6 (Spine) (D3J00Q2)  (CN07MF5PCES0091M0123) [Online]" 
"Dell Z9100-ON - v10.5.0.6 (Leaf) (D5Q00Q2) (CN07MF5PCES0091N0097) [Online]"
"Dell Z9100-ON - v10.5.0.6 [MASTER] (Leaf) (4ZND9Z2) (CN07MF5PCES009BU0131) [Online]" 
"Dell Z9100-ON - v10.5.0.6 (Leaf) (D4G00Q2) (CN07MF5PCES0091M0025) [Online]"

NODE-1# isi_dump_fabric int-b | grep -E "Spine|Leaf" |grep -v leaf |cut -d: -f1
"Dell Z9100-ON - v10.5.0.6 (Spine) (D4700Q2) (CN07MF5PCES0091M0004) [Online]"
"Dell Z9100-ON - v10.5.0.6 [MASTER] (Leaf) (D4HZZP2) (CN07MF5PCES0091M0028) [Online]" 
"Dell Z9100-ON - v10.5.0.6 (Leaf) (D1CZZP2)  (CN07MF5PCES0091L0038) [Online]"
"Dell Z9100-ON - v10.5.0.6 (Leaf) (D3500Q2) (CN07MF5PCES0091M0111) [Online]

• If the above commands do not return an output, open a Support Case with Isilon Support for further assistance.
• If it is determined your system is not currently a Leaf and Spine configuration, but you plan to convert to Leaf and Spine in the future, it is recommended to upgrade to DNOS 0.5.0.6C2. Open a Support Case with Isilon Support for further assistance on upgrading.

Risk and Resolution for Dell Switches in the Isilon backend configuration:    

• Z9100-ON

  • Deployed Configuration: Leaf and Spine Configuration
    • Risk: HIGH – Leaf and Spine may encounter issues, on or after July 27, 2021.
    • Resolution for installed DNOS version:      
      1. 10.5.0.6 – remote procedure to upgrade DNOS to 10.5.0.6C2 before July 27, 2021.
      2. All versions of DNOS before 10.5.0.6 – procedure to install DNOS 10.5.0.6C2 requires a CE on site with image on a USB and console access to the switch.
  • Deployed Configuration: Flat Top of Rack single switch per backend network
    • Risk: Medium – Certificate expiration does not affect a running switch, but does pose a risk if upgraded to a Leaf and Spine configuration.
    • Resolution for installed DNOS version:      
      1. 10.5.0.6 – remote procedure to upgrade DNOS to 10.5.0.6C2.
      2. All versions of DNOS before 10.5.0.6 – procedure to install DNOS 10.5.0.6C2 requires a CE on site with image on a USB and console access to the switch.
      3. Do NOT upgrade to Leaf and Spine configuration until DNOS version is upgraded to 10.5.0.6C2.