Catalyst Switches and 7600 Devices
This chapter contains the following topics:
FAQs about Catalyst Switches and 7600 Devices
This section answers the following questions about Catalyst Switches and 7600 devices:
Q. Which VTP modes are supported by Security Manager?
Before 3.2, Security Manager supported only VTP transparent mode for Catalyst switches and 7600 devices. Security Manager 3.2 and higher can now also manage switches configured in the VTP client/server mode. Security Manager manages switches configured in client/server mode by bypassing VLAN database management on the device (including VLAN creation, deletion, and monitoring VLANs in the VLAN database on switches).
Q. How do I add a Catalyst 6503-E switch to Security Manager? The device does not appear in the list of supported devices in the New Device wizard.
The Catalyst 6503-E switch shares the same System Object ID as the Catalyst 6503; therefore, only the 6503 appears in the list of devices. Both devices, however, are supported. The same holds true for the Catalyst 6506-E and the Catalyst 6509-E.
Q. What kinds of matching ACLs are supported by VLAN ACLs (VACLs) configured on Catalyst Switches and 7600 devices?
Security Manager supports the use of standard and extended ACLs as matching criteria for VACLs on Catalyst switches and 7600 devices. MAC-layer ACLs are not supported.
Q. What are the limitations in support for IDSM settings in Security Manager?
Security Manager supports a subset of IDSM settings on chassis running IOS 12.2(18)SXF4 or later. Trunk (IPS) and Capture (IDS) modes are supported; inline mode is not supported. Security Manager cannot manage IDSM data ports that are part of a spanning tree or access VLAN.
Q. Can I reference an undefined VLAN in Security Manager?
Yes, you can reference an undefined VLAN in VLAN group, VACL, and IDSM definitions. However, when you submit your changes, a warning message is displayed that recommends you either define the VLAN or delete it, as the configuration might interfere with device operation. Bear in mind that deleting a VLAN does not delete its references. Therefore, if you have defined a VACL that references an undefined VLAN, deleting the VLAN does not remove the reference in the VACL.
Discovering Failover Pairs
Only one device of a failover pair should be managed by Security Manager. During discovery, use the wizard to set the discovery mode of the second device to Do Not Discover Module. Security Manager always manages the active admin context, regardless of whether you added the primary or secondary failover service module.
Deployment Fails for Interface Settings
Problem Deployment fails for interface settings on a Catalyst 6550/7600 device.
Solution Certain interface settings (such as speed, duplex, and MTU settings) are specific to particular card types and are not validated prior to deployment. Make sure to enter the correct values for your specific card type to ensure successful deployment.
Deployment Fails for Internal VLANs
Problem Deployment fails when Security Manager tries to create a VLAN with an ID that is within the range of the device’s internal VLAN list.
Solution Security Manager cannot detect internal VLANs. Therefore, you must define a VLAN ID that falls outside of the device’s internal VLAN list. Use the show vlan internal usage command to view the list of internal VLANs.
Deployment Fails When Changing the Running Mode of an ISDM Data Port VLAN
Problem Deployment fails when you attempt to change the running mode of the data port VLAN from Trunk (IPS) to Capture (IDS) from the IDSM Data Port VLANs dialog box and the following error message is displayed:
Command Rejected: Remove trunk allowed vlan configuration from data port 2 before configuring capture allowed-vlans
Solution On some software releases such as 12.2(18)SFX4, there is a bug that prevents the change from occurring correctly. Reload the device to overcome the problem.