
Cisco Catalyst 4500 Series Switches

Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG for Cisco Catalyst 4500E, 4500-X, and 4900 Series Switches

PB723408

Overview

This product bulletin describes the primary hardware and software features supported by Cisco IOS® Software Release XE3.4.0SG/15.1(2)SG for the following products:

• Cisco® Catalyst® 4500 Series Supervisor Engine 7-E and Supervisor Engine 7L-E running Cisco IOS XE Software Release 3.4.0SG

• Cisco Catalyst 4500-X Series Switch running Cisco IOS XE Software Release 3.4.0SG

• Cisco Catalyst 4500 Series Supervisor Engine 6-E and Supervisor Engine 6L-E running Cisco IOS Software Release 15.1(2)SG

• Cisco Catalyst 4900M, 4948E, and 4948E-F Switches running Cisco IOS Software Release 15.1(2)SG

Cisco IOS XE Software Release 3.2.0SG and Cisco IOS Software Release 15.0(2)SG are the base releases for new extended maintenance on Cisco Catalyst 4500E, 4500-X and Cisco Catalyst 4900M and 4948E/E-F Series Switches.
For detailed information about the features and hardware supported in Extended Maintenance Release Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG, refer to the release notes and support documentation at:

• Cisco IOS XE Software 3.40SG release notes for:

– Cisco Catalyst 4500E (with Supervisor Engine 7-E/7L-E)

– Cisco Catalyst 4500-X

• Cisco IOS Software 15.1(2)SG release notes for:

– Cisco Catalyst 4500E (with Supervisor Engine 6-E/6L-E)

– 4900M, 4948E and 4948E-F

Primary Hardware and Software Service Innovations Delivered in Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG

Cisco IOS Software Release XE3.4.0SG/15.1(2)SG is part of the new software releases on Cisco Catalyst 4500E and 4500-X Series Switches and Cisco Catalyst 4900M and 4948E/E-F Switches. These releases deliver new software and hardware innovations in campus access and aggregation deployments that span across many technologies, including security, high availability, and IP multicast. Each technology is covered in more detail in this product bulletin.

Software Features

Cisco Virtual Switching System (VSS) for Cisco Catalyst 4500E (Supervisor Engine 7-E and 7L-E) and 4500X Series Switches

Cisco VSS on the Cisco Catalyst 4500E and Cisco Catalyst 4500-X provides the following benefits:

• Simplified network operations:

– A single point of management (with a single IP address) allows any updates, policy changes, and configurations to be synchronized between the two switches, eliminating error-prone manual synchronization.

– By forming Multichassis EtherChannel (MEC) links to the logical switch, Cisco VSS provides a loop-free topology that no longer needs to rely on Spanning Tree Protocol.

– A single routing instance on the virtual switch eliminates the issues of managing, tuning, and troubleshooting first hop routing protocols such as Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP).

– Cisco Prime 4.2.2 now enables one to centrally manage the pair of switches as a single virtual chassis.

• Resiliency:

– Stateful failover between the supervisor engines on the two chassis provides subsecond failover that is transparent even to delay-sensitive applications such as voice and video.

– EtherChannels extended across two physical chassis provide increased resiliency. These links are configured as MEC, minimizing traffic disruption from switch or uplink failure.

• Increased system bandwidth:

– The active-active MEC extended across two physical chassis provides for dual bandwidth utilization, increasing return on investment (ROI) and reducing additional capital expenditures (CapEx) to add capacity.

For Cisco Catalyst 4500E, VSS is supported in IP base and Enterprise services on Supervisor Engine 7-E and in Enterprise services only on Supervisor Engine 7L-E. On Cisco Catalyst 4500-X, VSS is supported in IP base and enterprise services. All 1 Gigabit Ethernet (GE) and 10GE links may be configured for virtual switch links (VSL).
The physical and logical views of VSS are represented in Figures 1 and 2.

Figure 1. VSS Physical View Showing the Physical Connectivity

Figure 2. VSS Physical View Showing the Physical and Logical View

The following are the primary VSS features supported in Release 3.4.0SG:

• Layer 2 MEC

• Enhanced Port Aggregation Protocol (ePAgP) split brain detection method

• Cross-chassis Nonstop Forwarding with Stateful Switchover (NSF/SSO)

• Cross-chassis in-service software upgrade (ISSU)

• Support for Power over Ethernet (PoE) line card

• Support for virtual switch link (VSL) on 1 Gigabit and 10 Gigabit links

• All four ports on quad supervisor engine scenario may be used for uplink

The following features are available in standalone mode only and not available in VSS mode:

• VLAN Management Policy Server (VMPS) client

• Unidirectional Ethernet (UDE)

• CFM draft 8.1

• Resilient Ethernet Protocol (REP)

• Flexlinks

• Per-VLAN MAC learning (PVL)

• Fast unidirectional link detection (UDLD)

• Web Cache Communication Protocol (WCCP)

• dot1Q tunnel and VLAN translation (1:1, 2:1, and 802.1Q tunneling [QinQ])

• Mediatrace and metadata

• Cisco EnergyWise

Multicast HA (NSF/SSO and ISSU) for IPv4 and IPv6 on Cisco Catalyst 4500E (Supervisor Engines 7E, 7L-E, 6E, and 6L-E) and 4500-X

Releases XE 3.4.0SG and 15.1(2)SG provide IPv4 and IPv6 multicast high-availability (HA) support on the Cisco Catalyst 4500E and 4500-X. These multicast HA capabilities enable Cisco NSF/SSO and ISSU support for IPv4 and IPv6 multicast. When a supervisor engine switchover happens, this facility reduces the reconvergence time of the multicast control plane to a level that is transparent to most multicast-based applications, and it provides ISSU support for Protocol Independent Multicast (PIM).
Figure 3 shows the different components involved in the multicast high availability and the different states through which multicast HA goes in combination with ISSU.

Figure 3. Multicast HA with NSF/SSO

Security

IPv6 First Hop Security (FHS)

With enterprises moving to larger Layer 2 domains and IPv4 addresses running out, IPv6 has been gaining momentum. Cisco has been providing integrated security features for Layer 2 networks. A similar set of features has now been added to address the corresponding characteristics of the IPv6 protocol at the immediate switch (first hop) that connects to the host.
IPv6 FHS provides effective countermeasures for the following types of attacks or misconfiguration errors that could result in denial of service (DoS) or information theft:

• Router impersonation (man-in-the-middle attacks)

• Address theft

• Address spoofing

• Remote address resolution cache exhaustion (DoS attacks)

These attacks can come from malicious or misconfigured users and could result in severe disruption to users of the Layer 2 domain and to the network in general. Many of the possible attack vectors are now known, with public tools readily available to exploit these vulnerabilities.
Cisco IOS XE Software Releases 3.4.0SG and 15.1(2)SG provide a combination of "snoop-and-guard" IPv6 FHS features on Cisco Catalyst 4500E, 4500-X, 4900M, 4948E, and 4948E-F*, where the switch can inspect (snoop) and block (guard) against undesired traffic. The feature is provided on both generations of supervisor engines: Supervisor Engines 6-E and 6L-E and Supervisor Engines 7-E and 7L-E. (See Figure 4.)

Figure 4. An Illustration of RA Guard

The following set of IPv6 FHS features is included:

• RA Guard: Rogue router advertisements (RAs) can result in host misconfiguration and traffic black holes. RA Guard snoops, validates, and propagates the RA in its network.

• IPv6 Snooping

– Neighbor discovery (ND) inspection: ND cache maintains the binding between an IPv6 address and a link-layer address. This cache is susceptible to ND cache poisoning (NDP). NDP inspection helps to verify Layer 3 and Layer 2 binding before the entry makes it to the ND cache.

– IP device tracking: This feature tracks host liveness and updates the neighbor table when an IPv6 host disappears, so that the network access privileges of inactive hosts are revoked within a short interval.

– Address glean: The switch looks at ND and DHCP messages as well as data traffic to learn addresses and to add them to a binding table.

– Per port address limit: Lets customers specify a maximum number of IPv6 addresses allowed on a port of the switch.

• Per ND cache limit: An ND cache that maintains the Layer 3 and Layer 2 binding goes through many stages before it is deemed to be complete and useful. When an ND packet is handled, the datagram is delivered only after the address resolution. This can cause flooding by an attacker. Per ND interface cache limit protects the Cisco Catalyst switch by rate-limiting the number of address resolutions.

• DHCPv6 Guard: Prevents attacks from bogus hosts acting as a DHCP server or relay agents by blocking DHCP replies or advertisements from such hosts based on the device role configured.

• Duplicate Address Detection (DAD) Proxy: Isolated hosts (for example, private VLANs) in a Layer 2 domain can cause address duplication. The switch can act as a proxy for DAD because it is aware of link-local addresses.

• Destination Guard: The switch maintains "incomplete" entries for unresolved addresses in its binding table. Excessive scanning for large address resolution can cause denial of service, leading to binding table exhaustion. Destination Guard protects against this.

• DHCPv6 LDRA¹: LDRA helps protect the switch against attacks such as spoofing (forging) of addresses and MAC addresses and address starvation.

*Not all features are supported by all devices. For more information on IPv6 FHS, refer to the Cisco IOS Software configuration guide for this release.
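
The snoop-and-guard behaviour described above (RA Guard, DHCPv6 Guard, address glean with a per-port address limit, and ND inspection against the binding table) can be modelled compactly. The Python below is an added illustration, not Cisco code or switch configuration; the port role names, class and function names, and the sample traffic are constructed assumptions, and ND handling is reduced to the claimed address and source MAC.

```python
from dataclasses import dataclass, field

# Message kinds that only routers / DHCPv6 servers should originate.
DHCP_SERVER_MSGS = {"DHCPV6_ADVERTISE", "DHCPV6_REPLY"}
ND_MSGS = {"NS", "NA"}


@dataclass
class FirstHopSwitch:
    """Toy model of snoop-and-guard; role names are hypothetical."""
    port_roles: dict                      # port -> "host" or "router"
    addr_limit: int = 2                   # per-port address limit
    bindings: dict = field(default_factory=dict)  # ipv6 -> (mac, port)

    def process(self, port, kind, src_mac, claimed_ip=None):
        """Return (verdict, reason) for one message seen on `port`."""
        role = self.port_roles.get(port, "host")  # unknown port: least trust
        if kind == "RA" and role != "router":
            return ("drop", "ra-guard")
        if kind in DHCP_SERVER_MSGS and role != "router":
            return ("drop", "dhcpv6-guard")
        if kind in ND_MSGS and role == "host":
            return self._inspect_nd(port, src_mac, claimed_ip)
        return ("forward", "ok")

    def _inspect_nd(self, port, mac, ip):
        bound = self.bindings.get(ip)
        if bound is None:
            # Address glean, subject to the per-port address limit.
            on_port = sum(1 for _, p in self.bindings.values() if p == port)
            if on_port >= self.addr_limit:
                return ("drop", "port-address-limit")
            self.bindings[ip] = (mac, port)
            return ("forward", "gleaned")
        # ND inspection: the L3/L2 binding must match what was learned.
        if bound != (mac, port):
            return ("drop", "binding-mismatch")
        return ("forward", "ok")


# Constructed sample traffic: (port, kind, source MAC, claimed IPv6 address).
SAMPLE = [
    (1, "RA", "00:00:5e:00:53:01", None),                # uplink router
    (2, "NS", "00:00:5e:00:53:02", "2001:db8::10"),      # host A learned
    (3, "RA", "00:00:5e:00:53:03", None),                # RA on a host port
    (3, "NA", "00:00:5e:00:53:03", "2001:db8::10"),      # claims A's address
    (3, "DHCPV6_ADVERTISE", "00:00:5e:00:53:03", None),  # server msg from host
    (3, "NS", "00:00:5e:00:53:03", "2001:db8::31"),
    (3, "NS", "00:00:5e:00:53:03", "2001:db8::32"),
    (3, "NS", "00:00:5e:00:53:03", "2001:db8::33"),      # third address on port
]


def run_sample():
    """Replay SAMPLE through a switch with one router port and two host ports."""
    sw = FirstHopSwitch(port_roles={1: "router", 2: "host", 3: "host"})
    return [sw.process(*frame) for frame in SAMPLE]


if __name__ == "__main__":
    for frame, result in zip(SAMPLE, run_sample()):
        print(frame, "->", result)
```
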

SXP support extended from IP Base to LAN Base

The Security Group Tag (SGT) Exchange Protocol (SXP) is a control protocol for propagating IP-to-SGT binding information across network devices that do not have the capability to tag packets. Starting with Cisco IOS Release 3.4.0SG and 15.1(2)SG, support for SXP has been extended from IP Base to LAN Base feature set.

Lower Total Cost of Ownership and Ease of Use

Smart Install Director Support

Smart Install Director helps simplify management of images and configurations for enterprise switches and stacks in campus and branch networks. The Cisco Catalyst 4500E, 4500X, 4900M, 4948E, and 4948E-F can now act as Smart Install Director, providing a single management point for images and configuration of client switches. It provides for:

• Plug and play in switch deployment

• Zero-touch replacement of switches with the same configuration and image as the switch it is replacing

• Single point of image and configuration management, in which configuration and image management is centralized

• On-demand image and configuration updates using specific CLIs

Smart Install Director (see Figure 5) can reduce a customer's TCO and operational expense, while providing ease of use to the user.

Figure 5. Smart Install Director

Routing and Multicast Enhancements

Policy-Based Routing (PBR) Recursive Next Hop

PBR Recursive Next Hop enhances the ability of route maps to set a next hop that is not directly connected to enable load balancing when PBR is used. With this feature enabled, the routing table will be examined recursively to find the directly connected next hop when PBR is used to set an indirect next hop. If the recursive next-hop IP address is not available, packets are routed using a default route.
The feature includes the new keyword recursive in the currently available set ip next-hop command in the route-map submode.

IPv6 Bootstrap Router (BSR): Scoped Zone Support

PIM routers in a domain must be able to map each multicast group to the correct rendezvous point (RP) address. The BSR protocol for PIM sparse mode (PIM SM) provides a dynamic, adaptive mechanism to distribute group-to-RP mapping information rapidly throughout a domain. With the IPv6 BSR feature, if an RP becomes unreachable, it will be detected, and the mapping tables will be modified so that the unreachable RP is no longer used and new tables will be rapidly distributed throughout the domain.
The BSR Scoped Zone Support feature enhances IPv6 BSR, allowing for distributing group to RP mappings in networks using administratively scoped multicast. It allows the operator to configure candidate BSRs and a set of candidate RPs for each administratively scoped region in a domain.

IPv6 Access Control

IPv6 Virtual LAN Access Control List (VACL) and Switched Port Analyzer (SPAN) ACL Filtering for IPv6

VACL controls access to the VLAN for all packets: bridged and routed. Currently, VACL can be configured to filter traffic based on Layer 3 addresses for IPv4. With the prevalence of IPv6, this release adds the capability to filter traffic based on IPv6 addresses to the VACL. This release also extends the IPv6 access filtering support to local SPAN sessions.
For a complete list of new software and hardware features supported with Cisco IOS XE Software 3.4.0SG/Cisco IOS Software 15.1(2)SG, refer to the release notes at:

• Cisco IOS XE Software 3.40SG release notes for:

– Cisco Catalyst 4500E (with Supervisor Engine 7-E/7L-E)

– Cisco Catalyst 4500-X

• Cisco IOS Software 15.1(2)SG release notes for:

– Cisco Catalyst 4500E (with Supervisor Engine 6-E/6L-E)

– 4900M, 4948E and 4948E-F

Hardware Features

Support for Cisco 10GBASE-T X2 Pluggable Module for Cisco Catalyst 4500E and 4900M

The release enables software support for the Cisco 10GBASE-T module, which supports link lengths of up to 100m on CAT6A or CAT7 copper cable, on the Cisco Catalyst 4500E with Supervisor Engine 6E or 6L-E as well as on the WS-X4606-X2-E module. It is also supported on the Cisco Catalyst 4900M.
Table 1 offers a matrix of supported features.

Table 1. Matrix of Supported Features

| Feature | Cisco Catalyst 4500E (Supervisor Engine 6E and 6L-E) | Cisco Catalyst 4500E (Supervisor Engine 7E and 7L-E) | Cisco Catalyst 4500-X | Cisco Catalyst 4948E | Cisco Catalyst 4948E-F | Cisco Catalyst 4900M |
|---|---|---|---|---|---|---|
| Cisco VSS | | IP Base (7E); Enterprise (7L-E) | IP Base | | | |
| IPV6 First Hop Security | LAN Base | LAN Base | IP Base | LAN Base | LAN Base | LAN Base |
| Smart Install Director | LAN Base | LAN Base | IP Base | LAN Base | LAN Base | LAN Base |
| Multicast High Availability (NSF/SSO) for IPv4 and IPv6 | IP Base | IP Base | IP Base | | | |
| IPv6 VACL (SPAN) and SPAN ACL Filtering for IPv6 | LAN Base | LAN Base | IP Base | LAN Base | LAN Base | LAN Base |
| Support for X2-10G Base T | Support for Sup 6E/6L-E and WS-X4606-X2-E | | | | | LAN Base |
| PBR Next Hop Support | Enterprise Services | Enterprise Services | Enterprise Services | Enterprise Services | Enterprise Services | Enterprise Services |
| BSR Scoped Zone Support | Enterprise Services | Enterprise Services | Enterprise Services | Enterprise Services | Enterprise Services | Enterprise Services |
| Cisco TrustSec SGT Exchange Protocol (SXP) | LAN Base | LAN Base | IP Base | LAN Base | LAN Base | LAN Base |

Cisco IOS Software Release Trains for the Cisco Catalyst 4500 Series Switches

Cisco IOS Software Release 15.1(2)SG and Cisco IOS XE Software Release 3.4.0SG are part of a scheduled time-based release containing new hardware and software features as shown in Figures 6 and 7.

Figure 6. Cisco IOS Software Release Trains for Cisco IOS Software Release 15.1(2)SG

Figure 7. Cisco IOS Software Release Trains for Cisco IOS XE Software Release 3.4.0SG

For configuration details and information about the new features in Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG, refer to the release notes at:

• Cisco IOS XE Software 3.40SG release notes for:

– Cisco Catalyst 4500E (with Supervisor Engine 7-E/7L-E)

– Cisco Catalyst 4500-X

• Cisco IOS Software 15.1(2)SG release notes for:

– Cisco Catalyst 4500E (with Supervisor Engine 6-E/6L-E)

– 4900M, 4948E and 4948E-F

Support

Support for Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG follows the standard Cisco support policy, available at http://www.cisco.com/en/US/products/products_end-of-life_policy.html
For more information about the Cisco Catalyst 4500E Series, visit http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html.
For more information about the Cisco Catalyst 4500-X Series, visit http://www.cisco.com/en/US/products/ps12332/index.html.
For more information about the Cisco Catalyst 4900M Series, visit http://www.cisco.com/en/US/products/ps9310/index.html.

Ordering Information

Tables 2, 3, 4, and 5 provide product numbers and ordering information for Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG on Cisco Catalyst 4500E, 4500-X, and 4900 Series Switches.

Table 2. Cisco IOS XE Software Release 3.4.0SG Product Numbers and Images for Cisco Catalyst 4500E Series Switches with Supervisor Engine 7-E/7L-E

| Product Number | Description | Image |
|---|---|---|
| S45EU-34-1512SG | Cisco Catalyst 4500 E Supervisor Engine 7-E and Supervisor Engine 7L-E universal image | cat4500e-universalk.SPA.03.04.00.SG.151-2.SG.bin |
| S45EUK9-34-1512SG | Cisco Catalyst 4500 E Supervisor Engine 7-E and Supervisor Engine 7L-E universal crypto image | cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin |
| S45EUN-34-1512SG | Cisco Catalyst 4500 E Supervisor Engine 7-E and Supervisor Engine 7L-E universal no MACsec image | cat4500e-universalk9npe.SPA.03.04.00.SG.151-2.SG.bin |

Table 3. Cisco IOS Software Release 15.1(2)SG Product Numbers and Images for Cisco Catalyst 4500E Series Switches with Supervisor Engine 6E/6L-E

| Product Number | Description | Image |
|---|---|---|
| S45ELB-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500 Supervisor Engine 6-E and Supervisor Engine 6L-E (LAN Base image) | cat4500e-lanbase-mz |
| S45ELBK9-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500 Supervisor Engine 6-E and Supervisor Engine 6L-E (LAN Base image with 3DES) | cat4500e-lanbasek9-mz |
| S45EIPB-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500 Supervisor Engine 6-E and Supervisor Engine 6L-E (IP Base image) | Cat4500e-ipbase-mz |
| S45EIPBK9-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500E Supervisor Engine 6-E and Supervisor Engine 6L-E (IP Base image with 3DES) | Cat4500e-ipbasek9-mz |
| S45EES-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500E Supervisor Engine 6-E and Supervisor Engine 6L-E (Enterprise Services image) | Cat4500e-entservices-mz |
| S45EESK9-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500E Supervisor Engine 6-E and Supervisor Engine 6L-E (Enterprise Services image with 3DES) | Cat4500e-entservicesk9-mz |
| S45EESU-15102SG(=) | Cisco IOS Software Enterprise image upgrade from LAN Base for the Supervisor Engine 6-E and Supervisor Engine 6L-E | Cat4500e-entservices-mz |
| S45EESUK9-15102SG(=) | Cisco IOS Software Enterprise with 3DES upgrade from LAN Base for the Supervisor Engine 6-E and Supervisor Engine 6L-E | Cat4500e-entservicesk9-mz |
| S45EIPBU-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500E Series Supervisor Engine 6-E and Supervisor Engine 6L-E, Cisco Catalyst 4948E Cisco IOS Software IP Base upgrade | Cat4500e-ipbase-mz |
| S45EIBUK9-15102SG(=) | Cisco IOS Software for the Cisco Catalyst 4500E Series Supervisor Engine 6-E and Supervisor Engine 6L-E, Cisco Catalyst 4948E Cisco IOS Software IP Base upgrade SSH | Cat4500e-ipbasek9-mz |

Table 4. Cisco IOS XE Software Release 3.4.0SG Product Numbers and Images for Cisco Catalyst 4500-X Series Switches

| Product Number | Description | Image |
|---|---|---|
| S45XU-34-1512SG | Cisco Catalyst 4500-X universal image | cat4500e-universal.SPA.03.04.00.SG.151-2.SG.bin |
| S45XUK9-34-1512SG | Cisco Catalyst 4500-X universal crypto image | cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin |

Table 5. Cisco IOS XE Software Release 3.4.0SG Product Numbers and Images for Cisco Catalyst 4900 Series Switches

| Product Number | Description | Image |
|---|---|---|
| S49EES-15102SG | Cisco Catalyst 4900 Cisco IOS Software Enterprise Services without Crypto | cat4500e-entservices-mz |
| S49MES-15102SG | Cisco Catalyst 4900M Cisco IOS Software Enterprise Services without Crypto | cat4500e-entservices-mz |
| S49EESK9-15102SG | Cisco Catalyst 4900 Cisco IOS Software Enterprise Services Secure Shell Protocol (SSH) | cat4500e-entservicesk9-mz |
| S49MESK9-15102SG | Cisco Catalyst 4900M Cisco IOS Software Enterprise Services SSH | cat4500e-entservicesk9-mz |
| S49EIPB-15102SG | Cisco Catalyst 4900 Cisco IOS Software IP Base without Crypto | cat4500e-ipbase-mz |
| S49MIPB-15102SG | Cisco Catalyst 4900M Cisco IOS Software IP Base without Crypto | cat4500e-ipbase-mz |
| S49EIPBK9-15102SG | Cisco Catalyst 4900 Cisco IOS Software IP Base SSH | cat4500e-ipbasek9-mz |
| S49MIPBK9-15102SG | Cisco Catalyst 4900M Cisco IOS Software IP Base SSH | cat4500e-ipbasek9-mz |
| S49ELB-15102SG | Cisco Catalyst 4900 Cisco IOS Software LAN Base without Crypto | cat4500e-lanbase-mz |
| S49ELBK9-15102SG | Cisco Catalyst 4900 Cisco IOS Software LAN Base SSH | cat4500e-lanbasek9-mz |

¹ LDRA: Lightweight DHCPv6 Relay Agent