This product bulletin describes the hardware and software features supported by Cisco IOS® Software Release 12.2(44)SG for the Cisco® Catalyst® 4500 Series Supervisor Engine II-Plus, Cisco Catalyst 4500 Series Supervisor Engine II-Plus-TS, Cisco Catalyst 4500 Series Supervisor II-Plus-10GE, Cisco Catalyst 4000/4500 Supervisor Engine IV, Cisco Catalyst 4000/4500 Supervisor Engine V, Cisco Catalyst 4500 Series Supervisor Engine V-10GE, and Cisco Catalyst 4500 Supervisor Engine 6-E.
Primary Release Message
Cisco announces Cisco IOS Software Release 12.2(44)SG for all shipping Cisco Catalyst 4500 Series supervisor engines. This release extends several features such as In-Service Software Upgrade (ISSU) and Border Gateway Protocol (BGP) to the Cisco Catalyst 4500 Supervisor Engine 6-E and introduces new features in the areas of manageability, high availability, and Power over Ethernet (PoE). Another primary feature is Enhanced PoE support (20W) on the WS-X4648-RJ45V+E and WS-X4648-RJ45V-E line cards.
Note: This release does not support the Cisco Catalyst 4900 Switch 4900M series switches.
Software Feature Highlights
Table 1. Software Features
• IP service level agreement (SLA) (applicable to Cisco Catalyst 4900 Series Switches as well)
• 802.1ab Link Layer Discovery Protocol (LLDP) and partial Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
Network Management Services features
• IPv6 host features such as Simple Network Management Protocol (SNMP), syslog, HTTP
• Configuration enhancements: replace and rollback, change notification and logging, and configuration diff utility
• Embedded Syslog Manager (ESM)
• Resilient Ethernet Protocol (REP) (applicable to Cisco Catalyst 4900 Series Switches as well)
Specific to Cisco Catalyst 4500 Supervisor Engine 6-E
• 2+2 10 Gigabit Ethernet or 4+4 Gigabit Ethernet active uplinks on dual Cisco Catalyst 4500 Supervisor Engine 6-E
• 802.1x features
• 20W PoE support
• MAC notify MIB
• BGP support
The following new features of Cisco IOS Software Release 12.2(44)SG are applicable to all supervisor engines and 49xx fixed-configuration systems, unless otherwise stated.
X2 Link Debounce
10GBase links on supervisor engines go down if a link error as short as 3 msec occurs. In noisy networks, such errors can cause link flaps. Link Debounce avoids these flaps on 10GBase interfaces by ignoring link errors shorter than a configurable value.
IP Service Level Agreement (SLA)
IP SLA is embedded in Cisco IOS Software for active monitoring. IP SLA generates and analyzes traffic to measure performance between Cisco IOS Software devices or between Cisco IOS Software devices and network application servers. IP SLA offers a unique set of performance measurements, typically for voice-over-IP (VoIP) deployment: network delay or latency, packet loss, network delay variation (jitter), availability, one-way latency, Website download time, and other network statistics. IP SLA can be used to measure network health, verify service level agreements, assist with network troubleshooting, and plan network infrastructure. IP SLA provides a scalable and cost-effective solution for IP service level monitoring and eliminates the need to deploy dedicated active monitoring devices by including the "probe" capability within Cisco IOS Software.
Note: The IP SLA feature is only present in the entservices image.
802.1ab LLDP
LLDP is a link-layer protocol. Unlike the Cisco proprietary Cisco Discovery Protocol, LLDP is a multivendor standardized protocol based on the IEEE 802.1ab standard. LLDP uses a defined multicast MAC address (01-80-C2-00-00-0E) as the destination address, and the ethertype is 88-CC. Information about the endpoints is sent as type-length-values (TLVs). LLDP packets are sent to neighbors periodically. LLDP can operate in transmit-only or receive-only mode. Receiving of LLDP packets is implemented by capturing the packet in hardware with the Layer 2 destination ACL and forwarding it to the CPU.
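The frame layout just described (multicast destination 01-80-C2-00-00-0E, ethertype 88-CC, a TLV sequence ending in an End-of-LLDPDU TLV) as an added example: a small encoder and a strict parser for the mandatory TLVs, written for this bulletin and not taken from Cisco IOS Software. The sample frame, MAC addresses and names are constructed; the parser rejects frames that are truncated, use the wrong destination or ethertype, or break the mandatory Chassis ID, Port ID, TTL ordering.

```python
import struct

# Destination MAC and ethertype given in the bulletin.
LLDP_MCAST = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC
TEXT_TLVS = {4: "port_desc", 5: "sys_name", 6: "sys_desc"}

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def build_frame(src_mac, chassis_mac, port_name, ttl, sys_name):
    """Build a minimal LLDPDU inside an Ethernet frame (constructed sample)."""
    body = (tlv(1, b"\x04" + chassis_mac)            # Chassis ID, subtype 4 = MAC address
            + tlv(2, b"\x05" + port_name.encode())   # Port ID, subtype 5 = interface name
            + tlv(3, struct.pack("!H", ttl))         # TTL in seconds
            + tlv(5, sys_name.encode())              # System Name (optional)
            + tlv(0, b""))                           # End of LLDPDU
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + body

def parse_frame(frame):
    """Decode an LLDP frame into a dict; raise ValueError if it is malformed."""
    if len(frame) < 14 or frame[:6] != LLDP_MCAST:
        raise ValueError("destination is not the LLDP multicast address")
    if struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("ethertype is not 0x88CC")
    tlvs, off = [], 14
    while True:
        if off + 2 > len(frame):
            raise ValueError("missing End-of-LLDPDU TLV")
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == 0:
            break
        tlvs.append((tlv_type, value))
    # IEEE 802.1AB requires Chassis ID, Port ID and TTL first, in that order.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {"chassis_id": tlvs[0][1][1:].hex(":"),
            "port_id": tlvs[1][1][1:].decode(),
            "ttl": struct.unpack("!H", tlvs[2][1])[0]}
    for t, v in tlvs[3:]:
        info[TEXT_TLVS.get(t, f"type_{t}")] = v.decode(errors="replace") if t in TEXT_TLVS else v.hex()
    return info
```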
802.1ab Partial LLDP-MED
LLDP-MED extends the standard to specifically focus on the needs of VoIP to allow simplified provisioning, ease of administration, and several valuable new discovery capabilities. The new LLDP-MED standard enables the following primary values:
• Auto-discovery of quality of service LAN policies (such as VLAN, Layer 2 priority, and diffserv settings), leading to "plug and play" VoIP networking
• Device location discovery, critical to reporting the location of the end user in emergency calling and other location-dependent applications, as well as maintaining the integrity of the location database
• Extended and automated power management of PoE endpoints, including fine-grained power budgeting and priority settings
• Inventory management, allowing network administrators to track their VoIP devices and determine their characteristics (manufacturer, software and hardware versions, serial/asset number)
HTTPS: HTTP with Secure Sockets Layer (SSL) 3.0
Provides an HTTPS infrastructure for Cisco IOS Software applications.
Embedded Syslog Manager (ESM)
The ESM provides enhanced system message logging (syslog) services for Cisco IOS Software, including device-level syslog message filtering, and reliable delivery of syslog messages to the syslog message receiving server. The ESM includes a programmable framework that allows customization of messages and delivery options using Tool Command Language (TCL) scripts.
Configuration Replace and Rollback, Including Configuration Versioning (Archive) and Timed Rollback
Provides a mechanism to roll back configuration changes or replace the current running configuration with any stored configuration. Rollback capability is also a prerequisite for transactional handling of configuration changes by the Cisco IOS Software programmatic interface.
Configuration Change Notification and Logging
Provides a way to track configuration changes made by users on a per-session and per-user basis. System logging notifications can be enabled for when changes are made [(config-archive-log-config)# logging enable], and the log files (the record of changes) can be sent to a remote syslog server [(config-archive-log-config)# notify syslog].
Contextual Configuration Diff Utility
This utility allows users to view the differences between any two Cisco IOS Software configuration files, located locally or remotely, including the startup or running configs. The output includes submode information to provide the context for the command differences.
Cisco IOS Software Scripting with TCL
This feature provides the ability to run TCL Version 8.3.4 commands from the Cisco IOS Software command-line interface (CLI). TCL 8.3.4 provides scripting capability in Cisco IOS Software. TCL is used by the voice Interactive Voice Response feature, test tools, Embedded Event Manager, and Embedded Syslog Manager, and is also exposed through the tclsh shell at the Cisco IOS Software CLI.
Adds support in Cisco IOS Software for managing Cisco Express Forwarding (CEF) using SNMP, introducing the Cisco CEF-MIB, CEF-TC-MIB, and CEF-PROVISION-MIB.
The IP Unicast Reverse Path Forwarding (uRPF) feature is used to avert security attacks. uRPF is a security feature that verifies the validity of the source IP address of an incoming packet. When enabled on an interface, uRPF drops packets received on that interface if the source IP address is unknown in the routing table or is a known bad source address. This is done to detect and mitigate denial-of-service (DoS) attacks by checking the packets for such problems. The uRPF feature is operationally challenging to deploy without some automated monitoring capability.
Cisco IOS Software now supports monitoring IP uRPF using SNMP. This includes an SNMP notification for when the uRPF drop rate for IPv4 packets on an interface exceeds the configured drop-rate threshold.
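The two uRPF behaviours described above (drop when the source is unknown in the routing table or is a known bad source, and raise a notification when the per-interface drop rate exceeds a threshold) as an added, self-contained model written for this bulletin; it is not Cisco IOS Software code. The routing table, deny list, packet trace, interface names and threshold are constructed assumptions; it goes slightly beyond the text by modelling both strict mode (source must be reachable via the ingress interface) and loose mode (any route suffices), with the default route honoured only when explicitly allowed.

```python
import ipaddress
from collections import deque

# Constructed routing table: (prefix, egress interface). Not from the bulletin.
ROUTES = [(ipaddress.ip_network(p), i) for p, i in [
    ("10.1.0.0/16", "Gi1/1"), ("10.2.0.0/16", "Gi1/2"), ("0.0.0.0/0", "Te1/1")]]
# Assumed "known bad" source prefixes that are never valid on a routed link.
BAD_SOURCES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]

def lookup(src, allow_default=False):
    """Longest-prefix match; the default route counts only if allowed."""
    best = None
    for net, iface in ROUTES:
        if src in net and (net.prefixlen > 0 or allow_default):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best

def urpf_permits(src_ip, ingress, mode="strict", allow_default=False):
    """True if a packet with this source arriving on `ingress` passes uRPF."""
    src = ipaddress.ip_address(src_ip)
    if any(src in bad for bad in BAD_SOURCES):
        return False                      # known bad source address
    route = lookup(src, allow_default)
    if route is None:
        return False                      # source unknown in routing table
    return mode == "loose" or route[1] == ingress

class DropRateMonitor:
    """Counts uRPF drops per interface inside a sliding window; models the
    drop-rate threshold behind the SNMP notification."""
    def __init__(self, threshold, window):
        self.threshold, self.window, self.events = threshold, window, {}
    def record(self, ingress, now):
        q = self.events.setdefault(ingress, deque())
        q.append(now)
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) > self.threshold    # True = threshold exceeded, notify

def filter_packets(packets, mode="strict", threshold=2, window=1.0):
    """packets: iterable of (time, ingress, src). Returns (passed, dropped, alerts)."""
    mon, passed, dropped, alerts = DropRateMonitor(threshold, window), [], [], []
    for t, iface, src in packets:
        if urpf_permits(src, iface, mode):
            passed.append(src)
        else:
            dropped.append(src)
            if mon.record(iface, t):
                alerts.append((iface, t))
    return passed, dropped, alerts
```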
IP Tunnel MIB per RFC 4087
Support for the IP-TUNNEL-MIB as defined in RFC 4087.
Enables SNMP configuration of a periodic MIB data collection and transfer mechanism.
Resilient Ethernet Protocol
Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that allows fast and predictable convergence in ring topologies. REP allows ring topologies without active Spanning Tree Protocol and provides a loop-free topology with faster convergence and restoration time. REP can run on either Gigabit Ethernet or 10 Gigabit Ethernet rings, and multiple Cisco switches can participate in the same REP ring/segment.
In current deployment models, Spanning Tree Protocol is used as the loop-prevention and convergence scheme in these networks. As service providers scale their services and networks and add voice and video services over these networks, the convergence time and predictability of spanning tree cannot satisfy the SLA parameters. A Spanning Tree Protocol-based network topology can be constrained by the number of switches in the network, and convergence time can become more nondeterministic. Typical Spanning Tree Protocol convergence time ranges from a couple of hundred milliseconds to a few seconds. During Spanning Tree Protocol convergence, significant packet loss is unavoidable, which can cause service disruption or session resets in the network.
REP allows providers to build more scalable ring topologies with predictable convergence time, keeping disruption during ring convergence and restoration to less than a few hundred milliseconds.
New Features on Cisco Catalyst 4500 Supervisor Engine 6-E
2+2 10 Gigabit Ethernet or 4+4 Gigabit Ethernet Active Uplinks on Dual Cisco Catalyst 4500 Supervisor Engine 6-Es
• Provides a configuration option to choose between 2+2 10 Gigabit Ethernet or 4+4 Gigabit Ethernet uplink options.
• With TwinGig modules, each Cisco Catalyst 4500 Supervisor Engine 6-E X2 uplink port can be configured as 2 wire-speed Gigabit Ethernet Small Form-Factor Pluggable (SFP) ports.
• 2+2 10 Gigabit Ethernet or 4+4 Gigabit Ethernet active uplinks for dual Cisco Catalyst 4500 Supervisor Engine 6-Es enable customers to concurrently activate all 4 X2 uplink ports in a 2:1 oversubscribed mode or all 8 wire-speed Gigabit Ethernet SFP uplink ports in TwinGig modules.
• Total uplink bandwidth for dual Cisco Catalyst 4500 Supervisor Engine 6-Es will remain as 20G when all 4 X2 uplink ports are enabled in this mode.
The following 802.1x features that are currently supported on classic supervisor engines only will now be supported on the Cisco Catalyst 4500 Supervisor Engine 6-E platform. There is no functional change from classic supervisor engine platforms.
• 802.1x VLAN assignment: Dynamic VLAN can be used to limit network access for certain users. With the VLAN assignment, 802.1X-authenticated ports are assigned to a VLAN based on the username of the client connected to that port. The RADIUS server database maintains the username-to-VLAN mappings. After successful 802.1X authentication of the port, the RADIUS server sends the VLAN assignment to the switch. The VLAN can be a "standard" VLAN or a PVLAN.
• 802.1x with VVID/PVID: A voice VLAN port is a special access port associated with two VLAN identifiers:
– Voice VLAN ID (VVID) to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
– Port VLAN ID (PVID) to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
Each port that is configured for a voice VLAN is associated with a VVID and a PVID. This configuration allows voice traffic and data traffic to be separated onto different VLANs. A voice VLAN port becomes active when there is a link, regardless of whether the port is AUTHORIZED or UNAUTHORIZED. All traffic coming through the voice VLAN is learned correctly and appears in the MAC address table. Cisco IP phones do not relay Cisco Discovery Protocol messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
When 802.1X is enabled on a port, you cannot configure a PVID that is equal to a VVID.
• 802.1x MAC Auth Bypass (Including MAB with voice VLAN): The 802.1x protocol has three entities: client (supplicant), authenticator, and authentication server. Typically, the host PC runs the supplicant software and tries to authenticate itself by sending its credentials to the authenticator, which in turn relays that information to the authentication server for authentication.
However, not all hosts may have supplicant functionality. Devices that cannot authenticate themselves using 802.1X, which still should have network access, can use MAC Authentication Bypass (MAB), which uses the connecting device's MAC address to grant/deny network access. Typically, you would use this feature on ports where devices such as printers are connected. Such devices do not have 802.1X supplicant functionality.
In a typical deployment, the RADIUS server maintains a database of MAC addresses that require access. When this feature detects a new MAC address on a port, it generates a RADIUS request with both username and password as the device's MAC address. After authorization succeeds, the port is accessible to the particular device through the same code path that 802.1X authentication would take when processing an 802.1X supplicant. If authentication fails, the port moves to the guest VLAN if configured, or it remains unauthorized.
• 802.1x Multidomain Authentication (MDA): The MDA feature enables Cisco Catalyst 4500 Supervisor Engine 6-E switches to support IP phones (Cisco and third party) with or without an 802.1x supplicant. To allow phones without 802.1x supplicant to be connected to the switch, MDA falls back onto MAB (MAC Authentication Bypass) after 802.1x authentication attempt timeout.
20W PoE Support
20 watts per port PoE support is required for the Cisco Aironet 1250 Series Access Point when configured with dual 802.11n radios.
Greater-than-standard PoE support is not required for classic supervisor engine line cards.
The following configuration is supported on the Cisco Catalyst 4500 Supervisor Engine 6-E line cards:
• WS-X4648-RJ45V-E and WS-X4648-RJ45V+E
– Additional support for up to 20W per port, optimized for Cisco-only devices that require more power than standard PoE provides, such as the Cisco Aironet 1250 Series Access Point.
– The port should not negotiate any more than 20W.
– Support for per port power monitoring and policing.
Border Gateway Protocol (BGP)
The Border Gateway Protocol (BGP) is an interautonomous system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs). When BGP is used between autonomous systems, the protocol is referred to as External BGP (EBGP). If a service provider is using BGP to exchange routes within an autonomous system, then the protocol is referred to as Interior BGP (IBGP). BGP neighbors exchange full routing information when the TCP connection between neighbors is first established. When changes to the routing table are detected, the BGP routers send to their neighbors only those routes that have changed. BGP routers do not send periodic routing updates, and BGP routing updates advertise only the optimal path to a destination network.
This feature also encompasses BGP4. BGP4 provides a new set of mechanisms for supporting classless interdomain routing. These mechanisms include support for advertising an IP prefix and eliminate the concept of network "class" within BGP. BGP4 introduces mechanisms that allow aggregation of routes, including aggregation of autonomous system paths.
Note: The BGP feature is only present in the ent-services image.
IPv6 Host Features
SNMP over IPv6 (Cisco Catalyst 4500 Supervisor Engine 6-E Only)
Supports SNMP proxy over IPv6 transport and enhances MIB objects to represent IPv6. For IPv6 management hosts to manage a Cisco IOS Software device using SNMP, the SNMP protocol must be supported over IPv6 transport. This allows an IPv6 host to perform SNMP queries against, and receive SNMP notifications from, an IPv6 Cisco IOS Software device.
Syslog over IPv6 (Cisco Catalyst 4500 Supervisor Engine 6-E Only)
Configuration and delivery of syslog messages over IPv6 transport.
HTTP over IPv6 (Cisco Catalyst 4500 Supervisor Engine 6-E Only)
Enhances the HTTP(S) client and server to support IPv6 addresses.
Configurable Queues per Port
Support of eight queues per port with configurable queue depth for Cisco Catalyst 4500 Supervisor Engine 6-E within Modular QoS CLI (MQC) framework.
MAC Notify MIB
MAC notification is a mechanism to inform monitoring devices when MAC addresses are learned or removed from the forwarding database of the monitored devices.