Cisco Catalyst 2940 Series Switches

Release Notes for the Catalyst 2940 Switches, Release 12.1(13)AY


Table Of Contents

Release Notes for the Catalyst 2940 Switches, Release 12.1(13)AY

Contents

System Requirements

Hardware Supported

Software Compatibility

Cluster Capability

Downloading Software

Determining the Software Version and Feature Set

Determining Which Files to Use

Upgrading a Switch by Using CMS

Upgrading a Switch by Using the CLI

Downloading the Software and TFTP Server Application

Copying the Current Startup Configuration from the Switch to a PC or Server

Using the CLI to Upgrade a Catalyst 2940 Switch

Recovering from Software Failure

Installation Notes

New Features

New Hardware Features

New Software Features

Limitations and Restrictions

Cisco IOS Limitations and Restrictions

CMS Limitations and Restrictions

Port Configuration Conflicts

Important Notes

Cisco IOS Notes

CMS Notes

Open Caveats

Open Cisco IOS Caveats

Open CMS Caveats

Resolved Caveats

Documentation Updates

Corrections to the Software Configuration Guide

Disabling Password Recovery

Corrections to Command Reference

service password-recovery

Corrections to System Message Guide

Related Documentation

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Website

Cisco TAC Escalation Center

Obtaining Additional Publications and Information


Release Notes for the Catalyst 2940 Switches, Release 12.1(13)AY


July 2003

The Cisco IOS Release 12.1(13)AY runs on Catalyst 2940 switches.

These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. To verify that these are the correct release notes for your switch:

If you are installing a new switch, refer to the Cisco IOS release label on the rear panel of your switch.

If your switch is running, you can use the show version user EXEC command. See the "Determining the Software Version and Feature Set" section.

If you are upgrading to a new release, refer to the software upgrade filename for the Cisco IOS version.

For the complete list of Catalyst 2940 switch documentation, see the "Obtaining Documentation" section.

You can download the switch software from these sites:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml (for registered Cisco.com users with a login password)

http://www.cisco.com/public/sw-center/sw-lan.shtml (for nonregistered Cisco.com users)

This Cisco IOS release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future Cisco IOS releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.

Contents

This information is in the release notes:

"System Requirements" section

"Downloading Software" section

"Installation Notes" section

"New Features" section

"Limitations and Restrictions" section

"Important Notes" section

"Open Caveats" section

"Resolved Caveats" section

"Documentation Updates" section

"Related Documentation" section

"Obtaining Documentation" section

"Obtaining Technical Assistance" section

System Requirements

The system requirements for this Cisco IOS release are described in these sections:

"Hardware Supported" section

"Software Compatibility" section

"Cluster Capability" section

Hardware Supported

Table 1 lists the hardware supported by this software release.

Table 1 Supported Hardware

Switch                 Description
---------------------  -------------------------------------------------------------------------------------------
Catalyst 2940-8TT-S    8 10/100 Ethernet ports and 1 10/100/1000 Ethernet port
Catalyst 2940-8TF-S    8 10/100 Ethernet ports, 1 small form-factor pluggable (SFP) module slot, and 1 100BASE-FX port
SFP modules (1)        1000Base-SX and 1000Base-LX

(1) Use only Cisco SFP modules. Each SFP module has an internal serial EEPROM that is encoded with security information. This encoding provides a way for Cisco to identify and validate that the SFP module meets the requirements for the switch.


Software Compatibility

For information about the recommended platforms for web-based management, operating systems and browser support, Java plug-in guidelines and installation procedures, refer to the Catalyst 2940 Switch Hardware Installation Guide.

Cluster Capability

When creating a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch.

A Catalyst 2940 switch can be the command switch or the member switch of a switch cluster.

If your switch cluster has Catalyst 2940, Catalyst 1900, Catalyst 2820, Catalyst 2900 or 3500 XL switches, the Catalyst 2940 switch should be the command switch.

Table 2 lists the cluster capabilities and minimum software versions for the switches. The switches are listed in the order of highest to lowest end switch. A lower-end switch cannot be the command switch of a switch listed above it in the table (for example, a Catalyst 2940 switch cannot be the command switch of a cluster that has Catalyst 2950 or Catalyst 3550 switches.)

Table 2 Switch Software and Cluster Capability

Switch                                  Cisco IOS Release                   Cluster Capability
--------------------------------------  ----------------------------------  ------------------------
Catalyst 3750                           Release 12.1(11)AX                  Member or command switch
Catalyst 3550                           Release 12.1(4)EA1 or later         Member or command switch
Catalyst 2970                           Release 12.1(11)AX                  Member or command switch
Catalyst 2950                           Release 12.0(5.2)WC(1) or later     Member or command switch
Catalyst 2950-LRE                       Release 12.1(11)YJ                  Member or command switch
Catalyst 2955                           Release 12.1(12c)EA1 or later       Member or command switch
Catalyst 2940                           Release 12.1(13)AY                  Member or command switch
Catalyst 3500 XL                        Release 12.0(5.1)XU or later        Member or command switch
Catalyst 2900 XL (8-MB switches)        Release 12.0(5.1)XU or later        Member or command switch
Catalyst 2900 LRE XL (16-MB switches)   Release 12.0(5.1)WC1 or later       Member or command switch
Catalyst 2900 XL (4-MB switches)        Release 11.2(8.5)SA6 (recommended)  Member switch only (1)
Catalyst 1900 and 2820                  Release 9.00(-A or -EN)             Member switch only

(1) Catalyst 2900 XL (4-MB) switches appear in the front-panel and topology views of CMS. However, CMS does not support configuration or monitoring of these switches.


Some versions of the Catalyst 2900 XL software do not support clustering, and if you have a cluster with switches that are running different versions of Cisco IOS software, software features added on the latest release might not be reflected on switches running the older versions. For example, if you start Visual Switch Manager (VSM) on a Catalyst 2900 XL switch running Release 11.2(8)SA6, the windows and functionality can be different from a switch running Release 12.0(5)WC(1) or later.


Note The Cluster Management Suite (CMS) is not forward-compatible, which means that if a member switch is running a software version that is newer than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device supported by a software release that is later than the software release on the command switch, the command switch cannot recognize the member switch and it is displayed as an unknown device in the Front Panel view. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to perform configuration and obtain reports for that member.


Downloading Software

This section describes these procedures for downloading software:

"Determining the Software Version and Feature Set" section

"Determining Which Files to Use" section

"Upgrading a Switch by Using the CLI" section

"Recovering from Software Failure" section

For information about the software releases that support the Catalyst 2940 switches, see the "Limitations and Restrictions" section.


Note Before downloading software, read this section for important information.


When you upgrade a switch, the switch continues to operate while the new software is copied to Flash memory. If Flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image.

If Flash memory does not have enough space for two images, the new image is copied onto the switch, over the existing one. Features provided by the new software are not available until you reload the switch.

If a failure occurs while copying a new image to the switch, and the old image has already been deleted, refer to the "Recovering from Corrupted Software" section in the "Troubleshooting" chapter of the Catalyst 2940 Switch Software Configuration Guide.


Caution Do not power cycle the switch while you are copying an image to the switch. If a power failure occurs while you are copying the software image to the switch, call Cisco Systems immediately.

Determining the Software Version and Feature Set

The Cisco IOS image is stored as a .bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the CMS files needed for web management. The image is stored on the system board Flash device (flash:).

You can use the show version user EXEC command to see the software version that is running on your switch. In the display, check the line that begins with System image file is. This line shows the directory name in Flash memory where the image is stored.

Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software image.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in Flash memory.
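The check described above, written out as an added example (not part of the original release notes or of Cisco's software): it parses the Version line and the "System image file is" line of show version output, converts the release encoded in the Table 3 tar filename into the same notation, and reports any mismatch. The show version text below is a constructed sample laid out the way Cisco IOS prints it; the uptime and date are invented.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show version` output in the Cisco IOS layout.
# The uptime, compile date and model line are invented for this example.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2940 Software (C2940-I6Q4L2-M), Version 12.1(13)AY, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.

switch uptime is 2 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash:c2940-i6q4l2-mz.121-13.AY/c2940-i6q4l2-mz.121-13.AY.bin"

Model number                    : WS-C2940-8TT-S
Configuration register is 0xF
"""

# "Version 12.1(13)AY" in the banner line.
VERSION_RE = re.compile(r"\bVersion (\d+\.\d+\(\d+[a-z]?\)[A-Z0-9]*)")
# The 'System image file is "flash:<dir>/<file>.bin"' line the release notes point to.
IMAGE_RE = re.compile(r'^System image file is "([^:"]+):([^"]+)"', re.M)
# Release as encoded in file and directory names: 121-13.AY -> 12.1(13)AY.
NAME_REL_RE = re.compile(r"\.(\d+)(\d)-(\d+[a-z]?)\.([A-Z0-9]+)(?:\.tar|\.bin)?$")


def release_from_filename(name: str) -> Optional[str]:
    """Convert the release embedded in a file or directory name
    (c2940-i6q4l2-tar.121-13.AY.tar) to the show version form (12.1(13)AY)."""
    m = NAME_REL_RE.search(name)
    if not m:
        return None
    major, minor, maint, feature = m.groups()
    return f"{major}.{minor}({maint}){feature}"


def parse_show_version(text: str) -> Dict[str, Optional[str]]:
    """Pull the running release and the image location out of show version output."""
    info: Dict[str, Optional[str]] = {
        "version": None, "filesystem": None, "image_path": None, "image_dir": None}
    m = VERSION_RE.search(text)
    if m:
        info["version"] = m.group(1)
    m = IMAGE_RE.search(text)
    if m:
        info["filesystem"] = m.group(1)
        path = m.group(2)
        info["image_path"] = path
        # The image sits in a directory named with the release; keep that directory.
        info["image_dir"] = path.rsplit("/", 1)[0] if "/" in path else ""
    return info


def verify_running_release(text: str, expected: str) -> Tuple[bool, List[str]]:
    """Check that the banner version and the image directory both agree with the
    release you intended to install. Returns (ok, findings). The model name at the
    end of show version is ignored on purpose: it is factory configuration and does
    not change when the software image is upgraded."""
    findings: List[str] = []
    info = parse_show_version(text)
    if info["version"] is None:
        findings.append("no 'Version' line found in show version output")
    elif info["version"] != expected:
        findings.append(f"running {info['version']}, expected {expected}")
    if info["image_path"] is None:
        findings.append("no 'System image file is' line found")
    else:
        if info["filesystem"] != "flash":
            findings.append(f"image loaded from {info['filesystem']}:, not flash:")
        from_name = release_from_filename(info["image_dir"] or info["image_path"])
        if from_name is None:
            findings.append(f"image name {info['image_path']} does not encode a release")
        elif from_name != expected:
            findings.append(f"image directory encodes {from_name}, expected {expected}")
    return (not findings, findings)


if __name__ == "__main__":
    expected = release_from_filename("c2940-i6q4l2-tar.121-13.AY.tar")
    ok, findings = verify_running_release(SAMPLE_SHOW_VERSION, expected)
    print("upgrade verified" if ok else "\n".join(findings))
```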

Determining Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined .tar file. This file contains both the Cisco IOS image file and the CMS files. You must use the combined .tar file to upgrade the switch through the CMS.

Table 3 lists the software filenames for this Cisco IOS release.

Table 3 Catalyst 2940 Cisco IOS Software File

Filename                          Description
--------------------------------  ------------------------------------------
c2940-i6q4l2-tar.121-13.AY.tar    IOS image, Express Setup, and CMS files


Upgrading a Switch by Using CMS

You can upgrade switch software by using CMS. From the CMS menu bar, select Administration > Software Upgrade. For detailed instructions, click Help.

Upgrading a Switch by Using the CLI

To download switch software by using the CLI, follow these procedures in this order:

Decide which software files to download from Cisco.com (see the "Determining the Software Version and Feature Set" section).

Download the .tar file from Cisco.com (see the "Downloading the Software and TFTP Server Application" section).

Copy the current startup configuration file (see the "Copying the Current Startup Configuration from the Switch to a PC or Server" section).

Downloading the Software and TFTP Server Application

This procedure is for copying the combined .tar file to the Catalyst 2940 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.


Note For information about downloading a TFTP server, refer to the URLs in Step 2.


Follow these steps to download the software and, if necessary, the TFTP server application, from Cisco.com to your management station:


Step 1 Use Table 3 to identify the files that you want to download.

Step 2 Download the files from one of these locations:

If you have a SmartNet support contract, go to this URL, and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

If you do not have a SmartNet contract, go to this URL, follow the instructions to register on Cisco.com, and download the appropriate files:

http://www.cisco.com/public/sw-center/sw-lan.shtml

To download the files, select Catalyst 2940 Software.

Step 3 Use the CLI or web-based interface to perform a TFTP transfer of the file or files to the switch after you have downloaded them to your PC or workstation.

The readme.txt file describes how to download the TFTP server application. New features provided by the software are not available until you reload the software.


Copying the Current Startup Configuration from the Switch to a PC or Server

When you make changes to a switch configuration, your changes become part of the running configuration. When you enter the command to save those changes to the startup configuration, the switch copies the configuration to the config.text file in Flash memory. To ensure that you can recreate the configuration if a switch fails, you might want to copy the config.text file from the switch to a PC or server.

This procedure requires a configured TFTP server such as the Cisco TFTP server available on Cisco.com.

Beginning in privileged EXEC mode, follow these steps to copy a switch configuration file to the PC or server that has the TFTP server application:


Step 1 Copy the file in Flash memory to the root directory of the TFTP server:

switch# copy flash:config.text tftp

Step 2 Enter the IP address of the device where the TFTP server resides:

Address or name of remote host []? ip_address

Step 3 Enter the name of the destination file (for example, config.text):

Destination filename [config.text]? yes/no

Step 4 Verify the copy by displaying the contents of the root directory on the PC or server.


Using the CLI to Upgrade a Catalyst 2940 Switch

Use this procedure for upgrading a Catalyst 2940 switch by copying the .tar file to the switch. You copy the files to the switch from a TFTP server and extract the files by entering the archive download command, with these results:

Changes the name of the current image file to the name of the new file that you are copying and replaces the old image file with the new one. Perform this step only if you have space available on your switch.

Disables access to the CMS pages and deletes the existing CMS files before the software upgrade to avoid a conflict if users access the web pages during the software upgrade.

Reenables access to the CMS pages after the upgrade is complete.


Caution Do not power cycle the switch while you are copying an image to the switch. If a power failure occurs when you are copying the software image to the switch, call Cisco Systems immediately.

Follow these steps to upgrade the switch software by using a TFTP transfer:


Step 1 If your PC or workstation cannot act as a TFTP server, copy the file to a TFTP server to which you have access.

Step 2 Access the CLI by starting a Telnet session or by connecting to the switch console port through the RS-232 connector.

To start a Telnet session on your PC or workstation, enter this command:

server% telnet switch_ip_address

Enter the Telnet password if you are prompted to do so.

Step 3 Enter privileged EXEC mode:

switch> enable 
switch#

Enter the password if you are prompted to do so.

Step 4 Remove the CMS files:

switch# delete flash:html/* 

Press Enter to confirm the deletion of each file. Do not press any other keys during this process.

Step 5 Enter this command to download and copy the new image and CMS files to Flash memory:

switch# archive download-sw /overwrite tftp://server_ip_address/path/filename.tar 
examining image...
Loading filename.tar from server_ip_address (via Vlan1):!
extracting info (255 
bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!
[OK - 5232128 bytes]

Depending on the TFTP server being used, you might need to enter only one slash (/) after the server_ip_address in the archive download command.

Step 6 Display the name of the running (default) image file (BOOT path-list). In this example the name is flash:current_image:

switch# show boot 
BOOT path-list:    flash:current_image 
Config file:       flash:config.text 
Enable Break:      1 
Manual Boot:       no 
HELPER path-list:  
NVRAM/Config file 
buffer size: 32768


Step 7 Reload the new software with this command:

switch# reload 
System configuration has been modified. Save? [yes/no]:y
Building configuration... 
Proceed with reload? [confirm]

Step 8 Press Return to confirm the reload.

Your Telnet session ends when the switch resets.

After the switch reboots, use Telnet to return to the switch, and enter the show version user EXEC command to verify the upgrade procedure. If you have a previously opened browser session to the upgraded switch, close the browser, and start it again to ensure that you are using the latest CMS files.


Recovering from Software Failure

If the software fails, you can reload the software. For detailed recovery procedures, refer to the "Troubleshooting" chapter in the Catalyst 2940 Switch Software Configuration Guide.


Installation Notes

You can assign IP information to your switch by using the setup program, the Dynamic Host Configuration Protocol (DHCP)-based autoconfiguration (refer to the Catalyst 2940 Switch Software Configuration Guide), or by manually assigning an IP address (refer to the Catalyst 2940 Switch Software Configuration Guide).

New Features

These are the new supported hardware and the new software features provided in this release:

"New Hardware Features" section

"New Software Features" section

New Hardware Features

For a list of all supported hardware, see the "Hardware Supported" section.

New Software Features

This release is the first software release for the Catalyst 2940 switch. For a detailed list of key features for this software release, refer to the software configuration guide.

This release includes Express Setup, a web-based switch configuration tool. For more information about Express Setup, refer to the hardware installation guide.

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

These are the limitations and restrictions:

"Cisco IOS Limitations and Restrictions" section

"CMS Limitations and Restrictions" section

"Port Configuration Conflicts" section

Cisco IOS Limitations and Restrictions

These are the Cisco IOS limitations:

When using the SPAN feature, the monitoring port receives copies of sent and received traffic for all monitored ports. If the monitoring port is oversubscribed, it will probably become congested. This might also affect how one or more of the monitored ports forwards traffic.

Root guard is inconsistent when configured on a port that is in the STP blocked state at the time of configuration.

There is no workaround. (CSCdp85954)

Aging of dynamic addresses does not always occur exactly after the specified aging time elapses. It might take up to three times this time period before the entries are removed from the table.

There is no workaround. (CSCdr96565)

If the switch gets configured from the dynamic IP pool, a duplicate or different IP address might be assigned.

The workaround is to make sure that the DHCP server contains reserved addresses that are bound to each switch by the switch hardware address so that the switch does not obtain its IP address from the dynamic pool. (CSCds58369)

Internal loopback in half-duplex mode causes input errors. We recommend that you configure the PHY to operate in full duplex before setting the internal loopback.

There is no workaround. (CSCds20365)

A source-based distribution port group does not share the broadcast with all the group members. When the destination of the packets is a broadcast or unknown unicast or multicast, the packets are forwarded only on one port member of a port group, instead of being shared among all members of the port group.

There is no workaround. (CSCdt24814, formerly CSCdt2481)

When you enter the show controllers ethernet-controller interface-id or show interfaces interface-id counters privileged EXEC command, if a large number of erroneous frames are received on an interface, the receive-error counts might be smaller than the actual values, and the receive-unicast frame count might be larger than the actual frame count.

There is no workaround. (CSCdt27223)

Two problems occur when the switch is in transparent mode:

If the switch is a leaf switch, any new VLANs added to it are not propagated upstream through VTP messages. As a result, the switch does not receive flooded traffic for that VLAN.

If the switch is connected to two VTP servers, it forwards their pruning messages. If the switch has a port on a VLAN that is not requested by other servers through their pruning messages, it does not receive flooded traffic for that VLAN.

There is no workaround. (CSCdt48011)

The receive count output for the show controllers ethernet-controller interface-id privileged EXEC command shows the incoming packets count before the ASIC makes a decision of whether to drop the packet or not. Therefore, for ports in the STP blocking states, even though the receive count shows incoming frames, the packet is not forwarded to the other port.

There is no workaround. (CSCdu83640)

In some network topologies, when UplinkFast is enabled on all switches and BackboneFast is not enabled on all switches, a temporary loop might be caused when the STP root switch is changed.

The workaround is to enable BackboneFast on all switches. (CSCdv02941)

At times, the Windows XP pop-up window might not appear while authenticating a client (supplicant) because the user information is already stored in Windows XP. However, the Extensible Authentication Protocol over LAN (EAPOL) response to the switch (authenticator) might have an empty user ID that causes the 802.1X port to be de-authenticated.

The workaround is to manually re-initiate authentication by either logging off or detaching the link and then re-connecting it. (CSCdv19671)

A command switch might not show the Catalyst 1900, Catalyst 2820, and Catalyst 2900 XL 4-MB (models C2908-XL, C2916M-XL, C2924C-XL, and C2924-XL) switches as candidates even though their management VLAN is the same as the command switch. This occurs only when their management VLAN is not VLAN 1.

There is no workaround. (CSCdv34505)

You can configure up to 256 Multicast VLAN Registration (MVR) groups by using the mvr vlan group interface configuration command, but only 255 groups are supported on a Catalyst 2950 switch at one time. If you statically add a 256th group, and 255 groups are already configured on the switch, it continues trying (and failing) to add the new group.

The workaround is to set the mode to dynamic for Catalyst 2950 switches that are connected to IGMP-capable devices. The new group can join the multicast stream if another stream is dynamically removed from the group. (CSCdv45190)

There might be a link on the Fast Ethernet port of the switch when it is forced to 10 Mbps and full-duplex mode and its link partner is forced to 100 Mbps and forced duplex mode. The LED on the Catalyst 2950 switch might display the link, and the error counters might increment.

The workaround is to configure both sides of a link to the same speed or use auto-negotiation. (CSCdv62271)

The ip http authentication enable global configuration command is not saved to the configuration file because this is the default configuration. Therefore, this configuration is lost after a reboot.

The workaround is to manually enter the command again after a reboot. (CSCdv67047)

If a port is configured as a secure port with the violation mode as restrict, the secure ports might process packets even after the maximum limit of MAC addresses is reached, but those packets are not forwarded to other ports.

There is no workaround. (CSCdw02638)

When the Internet Group Management Protocol (IGMP) Immediate-Leave is configured, new ports are added to the group membership each time a join message is received, and ports are pruned (removed) each time a leave message is received.

If the join and leave messages arrive at high rate, the CPU can become busy processing these messages. For example, the CPU usage is approximately 50 percent when 50 pairs of join and leave messages are received each second. Depending on the rate at which join and leave messages are received, the CPU usage can go very high, even up to 100 percent, as the switch continues processing these messages.

The workaround is to only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. (CSCdx95638)

A switch does not use the default gateway address in the DHCP offer packet from the server during automatic-install process.

The workaround is to manually assign an IP address to the switch. (CSCdy08716)

In a Remote Switched Port Analyzer (RSPAN) session, if at least one switch is used as an intermediate or destination switch and if traffic for a port is monitored in both directions, traffic does not reach the destination switch.

These are the workarounds:

Use a Catalyst 3550, Catalyst 4000, Catalyst 5000, or Catalyst 6000 switch as an intermediate or destination switch.

Monitor traffic in only one direction if a Catalyst 2950 switch is used as an intermediate or destination switch. (CSCdy38476)

If you assign a nonexistent VLAN ID to a static-access EtherChannel by setting the ciscoVlanMembershipMIB:vmVlan object, the switch does not create the VLAN in the VLAN database.


Note The Catalyst 2940 switch supports up to 4 EtherChannels that are only supported on the 10/100 switch Ethernet ports.


There is no workaround. (CSCdy65850)

When you configure a dynamic switch port by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the interface changes from access mode to trunk mode through Dynamic Trunking Protocol (DTP) negotiation.

The workaround is to configure the port as a static access port. (CSCdz32556)

The output from the show stack privileged EXEC command might show a large number of false interrupts.

There is no workaround. The number of interrupts does not affect the switch functionality. (CSCdz34545)

When a cluster of switches has NTP (Network Time Protocol) configured, the command switch is not synchronized with the rest of the switches.

There is no workaround. (CSCdz88305)

If you press and hold the spacebar while the output of any show user EXEC command is being displayed, the Telnet session is stopped, and you can no longer communicate with the management VLAN.

These are the workarounds:

Enter the show commands from privileged EXEC mode, and use this command to set the terminal length to zero:

switch# terminal length 0

Telnet directly from a PC or workstation to the switch.

Do not hold down the spacebar while scrolling through the output of a show user EXEC command. Instead, slowly press and release the spacebar. (CSCea12888)

When you enable Port Fast on a static-access port and then change the port to dynamic, Port Fast remains enabled. However, if you change the port back to static, Port Fast is disabled.

The workaround is to configure Port Fast globally by using the spanning-tree portfast global configuration command. (CSCea24969)

CMS Limitations and Restrictions

These limitations apply to CMS configuration:

Host names and Domain Name System (DNS) server names that contain commas on a cluster command switch, member switch, or candidate switch can cause CMS to behave unexpectedly. You can avoid this instability in the interface by not using commas in host names or DNS names. Do not enter commas when also entering multiple DNS names in the IP Configuration tab of the IP Management window in CMS.

Access control entries (ACEs) that contain the host keyword precede all other ACEs in standard ACLs. You can reposition the ACEs in a standard ACL with one restriction: no ACE with the any keyword or a wildcard mask can precede an ACE with the host keyword.

If you launch CMS by using Netscape 4.75 and Java Runtime Environment (JRE) 1.3.1 or 1.4.0 on Windows 98, or by using Netscape 6.2 and JRE 1.3.1 on Windows 98, CMS stops running while it determines the network information.

The workaround is to click once outside the CMS window. (CSCea25913)

On the Japanese versions of Windows 98 and Windows ME, if you launch CMS by using the Netscape 4.7 browser, CMS might stop running after you click the Apply button.

The workaround is to use Netscape 6.0 or later or use Internet Explorer to launch CMS on Windows 98 and Windows ME. (CSCea27408)

You cannot switch modes (for example, from Guide Mode to Expert Mode) for an open CMS window.

The workaround is to close the open window, select the mode that you want, and then reopen the CMS window. (CSCdw87550)


Note For the mode change to take effect on any other CMS window that is open, you need to close that window and then reopen it after you select the new mode.


After you click Apply or Refresh in the SNMP window, the window size changes.

There is no workaround. (CSCdz75666)

The CMS files that are downloaded from the switch to your PC or terminal are not cached on the PC or terminal. The files are then downloaded again when CMS is relaunched.

There is no workaround. (CSCea27601)

Port Configuration Conflicts

Certain combinations of port features create configuration conflicts (see Table 4). If you try to enable incompatible features, CMS issues a warning message, and you cannot make the change. Reload the page to refresh CMS.

In Table 4, No means that the two referenced features are incompatible, and both should not be enabled; Yes means that both can be enabled at the same time and do not cause an incompatibility conflict. A dash means not applicable.

Table 4 Conflicting Features

                       Port    Port      SPAN     SPAN         Connect to  Protected  802.1X
                       Group   Security  Source   Destination  Cluster?    Port       Port
                                         Port     Port
---------------------  ------  --------  -------  -----------  ----------  ---------  ------
Port Group             -       No        Yes      No           Yes         Yes        No
Port Security          No      -         Yes      No           Yes         Yes        Yes
SPAN Source Port       Yes     Yes       -        No           Yes         Yes        Yes
SPAN Destination Port  No      No        No       -            Yes         Yes        No
Connect to Cluster     Yes     Yes       Yes      Yes          -           Yes        -
Protected Port         Yes     Yes       Yes      Yes          Yes         -          -
802.1X Port            No      Yes       Yes      No           -           -          -


Important Notes

This section describes important information related to this Cisco IOS release. These sections are included:

"Cisco IOS Notes" section

"CMS Notes" section

Cisco IOS Notes

These notes apply to Cisco IOS configuration:

IGMP filtering controls only group specific query and membership reports, including join and leave reports. It does not control general IGMP queries.

If VLAN 1 or VLANs 1002 to 1005 are removed from a trunk port, the switch no longer receives CDP or VTP frames. VLAN minimization is not supported on the switch. You cannot remove VLAN 1 or VLANs 1002 to 1005 from the allowed VLAN list. (CSCdz22629)

When an 802.1X-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not transition to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to transition to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)
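The practical consequence of CSCdz38483 is that a port can stay authorized for up to one full re-authentication period after the authenticated host has gone, during which anything plugged into the same phone or hub inherits that access. The session below is an added example, not taken from the release notes, that shortens that window. The 600-second value is an assumed starting point; pick it against your RADIUS capacity, since every authorized port re-authenticates on that schedule. On this switch family periodic re-authentication is disabled by default, so the re-authperiod timer has no effect until dot1x re-authentication is also configured; confirm both with show dot1x.

```cisco
! Added example: bound how long a port stays authorized after the
! 802.1X client disconnects without sending EAPOL-Logoff.
! 600 seconds is an assumed value; tune it to your RADIUS load.
Switch# configure terminal
! Periodic re-authentication must be on, or the timer below is never used
Switch(config)# dot1x re-authentication
! Re-authenticate every 10 minutes instead of the 3600-second default
Switch(config)# dot1x timeout re-authperiod 600
Switch(config)# end
! Confirm the global parameters now in force (reauth enabled, period 600)
Switch# show dot1x
```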

If you configure a static secure MAC address on an interface before enabling port security on the interface, the same MAC address is allowed on multiple interfaces. If the same MAC address is added on multiple ports before enabling port security and port security is later enabled on those ports, only the first MAC address can be added to the hardware database. If port security is first enabled on the interface, the same static MAC address is not allowed on multiple interfaces.

There is no workaround. (CSCdz74685)
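CSCdz74685 is an ordering dependency that is easy to violate in a pasted or scripted configuration: a static secure address configured before port security is enabled is accepted on more than one interface, and once port security is turned on only the first binding reaches the hardware table. The session below is an added example, not from the release notes, showing the order that avoids the caveat: enable port security on the interface first, then bind the address, so an attempt to secure the same address on a second interface is refused. Interface names, VLAN 10 and the MAC address 0000.1111.2222 are assumed values.

```cisco
! Added example: enable port security BEFORE binding static secure MACs.
! Interface names, VLAN and MAC address are assumed values.
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Port security first, so the duplicate-address check is in effect
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
! Now the static secure address is bound to this interface only
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# exit
!
! With port security already enabled on fa0/2, the same address is refused
Switch(config)# interface fastethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
! (rejected: the address is already secured on another interface)
Switch(config-if)# end
!
! Verify which interface owns the address and that fa0/1 shows 1 secure MAC
Switch# show port-security address
Switch# show port-security interface fastethernet0/1
```

If a switch is already in the broken state (the same address secured on several interfaces), remove the static entries, confirm port security is enabled on each interface, and re-add the address on the one interface that should own it.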

When you connect a switch to another switch through a trunk port and the number of VLANs on the first switch is lower than the number on the connected switch, interface errors are received on the management VLAN of the first switch.

The workaround is to match the configured VLANs on each side of the trunk port. (CSCea23138)

CMS Notes

These notes apply to the CMS configuration:

If you use CMS on Windows 2000, it might not apply configuration changes if the enable password is changed from the CLI during your CMS session. You have to restart CMS and enter the new password when prompted. Platforms other than Windows 2000 prompt you for the new enable password when it is changed.

If you have a proxy server configured on your web browser, CMS can run slowly and take 2 to 3 minutes to process each command that is entered.

The workaround, if you do not want to disable the proxy server settings on the browser, is to download a browser from a different vendor and use it without the proxy server settings configured to access the CMS.

If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.add.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch CMS.

In the Front Panel view or the Topology view, CMS does not display error messages in read-only mode for these switches:

Catalyst 2900 XL or Catalyst 3500 XL member switches running Release 12.0(5)WC2 or earlier

Catalyst 2950 member switches running Release 12.0(5)WC2 or earlier

Catalyst 3550 member switches running Release 12.1(6)EA1 or earlier

In the Front Panel view, if the switch is running one of the previously listed software releases, the device LEDs do not appear. In the Topology view, if the member is a Long-Reach Ethernet (LRE) switch, the customer premises equipment (CPE) device connected to the switch does not appear. The Bandwidth and Link graphs also do not appear in these views.

To view switch information, you need to upgrade the member switch software. For information about upgrading switch software, see the "Downloading Software" section.

Open Caveats

Open caveats in this release are described in these sections:

"Open Cisco IOS Caveats" section

"Open CMS Caveats" section

Open Cisco IOS Caveats

These are the severity 3 Cisco IOS configuration caveats:

CSCdx47532

A switch can log this error message:

Apr 30 18:26:20 AEST: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 80D9F 210, 
time 0x4F29560 (00:00:00 ago).
-Process= "L2MM", ipl= 7, pid= 39
-Traceback= 801C5B14 801C5E78 803F50C0 801B1A8C 801B1A78

There is no workaround. This does not affect switch functionality.

CSCdz07948

When a switch is connected through redundant EtherChannels to another switch that is the Spanning Tree Protocol (STP) root switch, a loop can occur when that root switch is rebooted.


Note The Catalyst 2940 switch supports up to four EtherChannels, and only on the 10/100 Ethernet ports.


The workaround is to shut down the EtherChannel. If this does not correct the problem, remove the redundant physical connection between the switches.

CSCdz61363

When a host leaves a multicast group by sending an Internet Group Management Protocol (IGMP) leave, or does not send an IGMP report in response to a General Query within the maximum IGMP response-time window (10 seconds by default), the IGMP snooping code removes the port from the group. If this was the last receiver in the group, the switch sends a leave to the router so that the multicast stream is pruned quickly.

There is no workaround.

CSCea05146

When you use an SNMP query on ciscoFLASHPartitionTable, some attributes defined by the MIB are not displayed. For example, Size, FreeSpace, and FileCount are defined by the MIB but are not shown in the query result.

There is no workaround.

CSCea05157

These variables in c2900PortTable MIB return a value of zero:

c2900PortStatus

c2900PortViolationAction

c2900PortMayLearnAddress

c2900PortMayForwardFrames

c2900PortBufferCongestionControl

There is no workaround.

CSCea34287

If you change the access VLAN ID of a port channel by using the switchport access vlan interface configuration command, the change is propagated to the port-channel members but is not added to the running configuration of the member ports. After the switch reloads, the VLAN IDs of the port channel and its candidate member ports do not match, and the candidate ports cannot join the port channel.


Note The Catalyst 2940 switch supports up to four EtherChannels, and only on the 10/100 Ethernet ports.


The workaround is to manually change the access VLAN ID on each of the port-channel members when you change the access VLAN ID of the port channel.
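The failure mode in CSCea34287 only shows up after a reload, when the member ports silently fall out of the channel and the link runs on whatever single port wins. The session below is an added example, not from the release notes, of the workaround applied end to end: change the VLAN on the port channel, apply the same VLAN to each member port so it is in their own saved configuration, save, and verify. Port-channel 1, members fastethernet0/1 and 0/2, and VLAN 20 are assumed values.

```cisco
! Added example for CSCea34287: set the access VLAN on the port channel
! AND on every member port so the members still match after a reload.
! Port-channel 1, fa0/1-fa0/2 and VLAN 20 are assumed values.
Switch# configure terminal
Switch(config)# interface port-channel 1
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit
! Propagation reaches the members in memory but not their saved config,
! so apply the same VLAN to the members explicitly
Switch(config)# interface range fastethernet0/1 - 2
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# end
! Persist the change, then confirm the member ports carry VLAN 20 in
! their own configuration and are still bundled
Switch# copy running-config startup-config
Switch# show running-config interface fastethernet0/1
Switch# show running-config interface fastethernet0/2
Switch# show etherchannel summary
```

After the next reload, repeat show etherchannel summary and check that both members are still listed as bundled in the channel rather than standalone.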

CSCin26670

The vtpVlanApplyStatus MIB object does not return value 2 when the apply operation is successful after creating or deleting a VLAN.

There is no workaround.

Open CMS Caveats

These are the severity 3 CMS configuration caveats:

CSCdx88994

In read-only mode, time ranges are not displayed unless you are logged in with read-write access (privilege level 15). See the "CMS Notes" section for more information about CMS modes.

There is no workaround.

CSCdz23548

When you use Visual Switch Manager (VSM) to configure Catalyst 2900 XL and Catalyst 3500 XL switches, the configuration is not saved if you save it in VSM.

The workaround is to save the configuration by using the CLI.

CSCdz71493

In the Trap Manager tab of the SNMP window, CMS does not show the VLAN Create/Delete traps option as enabled. This occurs after you create a trap manager, select the Create VLAN and Delete VLAN traps with other trap types, apply all the traps, and then select a new trap manager entry in the Current Managers list.

There is no workaround.

CSCea25787

If a port does not meet these conditions, it cannot join the port group of an EtherChannel:

Port group members must belong to the same VLANs and must all be static-access, multi-VLAN, or trunk ports.

The native VLAN ID, allowed VLANs, and pruning-eligible VLANs must be same for the trunk ports.

SPAN, port security, and 802.1X must not be enabled on the port.


Note The Catalyst 2940 switch supports up to four EtherChannels, and only on the 10/100 Ethernet ports.


The workaround is to ensure that the port meets these conditions.


Note Dynamic-access ports cannot belong to a channel group.


Resolved Caveats

This caveat has been resolved in this release.

CSCea02355

Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.

Cisco has made software available, free of charge, to correct the problem.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

Documentation Updates

This section provides updates to the product documentation:

"Corrections to the Software Configuration Guide" section

"Corrections to Command Reference" section

"Corrections to System Message Guide" section

These changes will be included in the next version of the documentation.

Corrections to the Software Configuration Guide

These are corrections for the printed version of the software configuration guide:

The Catalyst 2940 switch does not support access control lists (ACLs) on physical interfaces as described in Chapter 23, "Configuring Network Security with ACLs."

For information about configuring ACLs on management interfaces, refer to the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide, Release 12.1, and the Cisco IOS IP and IP Routing Command Reference, Release 12.1. You can apply these ACLs only to management interfaces.

The software configuration guide contains incorrect information about configuring quality of service (QoS) in Chapter 24, "Configuring QoS." For the correct information, refer to the online version at:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2940/12113ay/2940scg/swqos.htm

This section was not included in Chapter 7, "Configuring Switch-Based Authentication" in the Catalyst 2940 Switch Software Configuration Guide, Release 12.1(13)AY:

Disabling Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.


Note If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the XMODEM protocol. For more information, see the software configuration guide.


Beginning in privileged EXEC mode, follow these steps to disable password recovery:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  no service password-recovery
        Disable password recovery.

        This setting is saved in an area of the Flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show version
        Verify the configuration by checking the last few lines of the display.

To re-enable password recovery, use the service password-recovery global configuration command.


Note Disabling password recovery does not work if you have set the switch to boot manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
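The procedure above is safe only if the two preconditions in the surrounding notes are met: an off-box copy of the configuration (and of vlan.dat in VTP transparent mode) exists, and the switch is not set to boot manually. The session below is an added example, not from the release notes, that runs the whole sequence in that order: back up, check the boot setting, disable recovery, verify. The server address 192.0.2.10 and the file names are assumed values. Note that the configuration file carries the switch's passwords and SNMP community strings, and TFTP is neither authenticated nor encrypted, so perform the copy over a management network and protect the file at rest on the server.

```cisco
! Added example: back up off-box, confirm boot mode, disable password
! recovery, verify. Server 192.0.2.10 and file names are assumed values.
! The backup contains secrets and TFTP is cleartext: management network only.
Switch# copy startup-config tftp://192.0.2.10/switch1-config.text
! A reset also deletes vlan.dat; keep a copy if the switch is VTP transparent
Switch# show vtp status
Switch# copy flash:vlan.dat tftp://192.0.2.10/switch1-vlan.dat
!
! Manual boot defeats the feature (see the Note above): it must be off.
! Expect the Manual Boot field to read no; if not, use "no boot manual".
Switch# show boot
!
Switch# configure terminal
Switch(config)# no service password-recovery
Switch(config)# end
! The setting lives outside the file system; show version is the check
Switch# show version | include password-recovery
The password-recovery mechanism is disabled.
```

Keep the backup current: after this point, any later configuration change that is not also copied off-box is lost if someone resets the switch through the recovery prompt.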


Corrections to Command Reference

These are corrections for the printed version of the command reference:

The printed version of the command reference states that the show access-lists and show ip access-lists privileged EXEC commands are supported on the Catalyst 2940 switch. These commands are removed in the online version of the command reference at:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2940/12113ay/2940cr/index.htm

The service password-recovery global configuration command was not included in the Catalyst 2940 Command Reference, Release 12.1(13)AY:

service password-recovery

Use the service password-recovery global configuration command to enable the password-recovery mechanism (the default). This mechanism allows an end user with physical access to the switch to hold down the Mode button and interrupt the boot process while the switch is powering up and to assign a new password. Use the no form of this command to disable part of the password-recovery functionality. When the password-recovery mechanism is disabled, interrupting the boot process is allowed only if the user agrees to set the system back to the default configuration.

service password-recovery

no service password-recovery

Syntax Description

This command has no arguments or keywords.

Defaults

The password-recovery mechanism is enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(13)AY

This command was first introduced.

Usage Guidelines

As a system administrator, you can use the no service password-recovery command to disable some of the functionality of the password recovery feature by allowing an end user to reset a password only by agreeing to return to the default configuration.

To use the password-recovery procedure, a user with physical access to the switch holds down the Mode button while the unit powers on and for a second or two after the LED above port 1X goes off. When the button is released, the system continues with initialization. If the password-recovery mechanism is disabled, this message appears:

The password-recovery mechanism has been triggered, but
is currently disabled.  Access to the boot loader prompt
through the password-recovery mechanism is disallowed at
this point.  However, if you agree to let the system be
reset back to the default system configuration, access
to the boot loader prompt can still be allowed.

Would you like to reset the system back to the default configuration (y/n)?

If the user chooses not to reset the system back to the default configuration, the normal boot process continues, as if the Mode button had not been pressed. If the user chooses to reset the system back to the default configuration, the configuration file in Flash memory is deleted, and the VLAN database file, flash:vlan.dat (if present), is deleted.


Note If you use the no service password-recovery command to control end-user access to passwords, we recommend that you save a copy of the config file in a location away from the switch in case the end user uses the password recovery procedure and sets the system back to default values. Do not keep a backup copy of the config file on the switch.

If the switch is operating in VTP transparent mode, we recommend that you also save a copy of the vlan.dat file in a location away from the switch.


You can verify if password recovery is enabled or disabled by entering the show version privileged EXEC command.

Examples

This is an example of the output from the show version privileged EXEC command when password-recovery is disabled.

Switch# show version
Cisco Internetwork Operating System Software 
IOS (tm) C2940 Software (C2940-I6Q4L2-M), Experimental Version 12.1(20030620:203818) 
[raje-mred 120]
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 24-Jun-03 14:51 by raje
Image text-base:0x80010000, data-base:0x805BA000

ROM:Bootstrap program is C2940 boot loader

Switch uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:boot"

cisco WS-C2940-8TF-S (RC32300) processor with 20778K bytes of memory.
Last reset from system-reset
Running Standard Image
Target IOS Version 12.1(13)EA1
9 FastEthernet/IEEE 802.3 interface(s)
1 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is disabled.

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address:00:0C:CE:DF:E0:80

Configuration register is 0xF

Related Commands

Command
Description

show version

Displays version information for the hardware and firmware.

Corrections to System Message Guide

These system messages were not included in the system message guide:

Error Message    EXPRESS_SETUP-3-UNABLE_TO_RESET_CONFIG:[chars]

Explanation    This message means that the system is unable to reset the configuration. [chars] is a text string that explains why the reset failed, for example, error renaming config file, error removing config file, or error removing private config file.

Recommended Action    Copy the error message exactly as it appears on the console or in the system log, call your Cisco technical support representative, and provide the representative with the gathered information.

Error Message    EXPRESS_SETUP-6-CONFIG_IS_RESET:[chars]

Explanation    This message means that the configuration is reset. [chars] is a text message that clarifies the reset event, such as The configuration is reset and the system will now reboot.

Recommended Action    No action is required.

Error Message    EXPRESS_SETUP-6-MODE_ENTERED

Explanation    This message means that Express Setup mode is now active.

Recommended Action    No action is required.

Error Message    EXPRESS_SETUP-6-MODE_EXITED

Explanation    This message means that Express Setup mode is no longer active.

Recommended Action    No action is required.

Related Documentation

These documents provide complete information about the switch and are available from the Cisco.com site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2940/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 2940 Switch Software Configuration Guide (order number DOC-7815507=)

Catalyst 2940 Switch Command Reference (order number DOC-7815505=)

Catalyst 2940 Switch System Message Guide (order number DOC-7815524=)

Cluster Management Suite (CMS) online help (available only from the switch CMS software)

Catalyst 2940 Switch Hardware Installation Guide (order number DOC-7815435=)

Installation Notes for the Catalyst Family Small Form-Factor Pluggable Modules (not orderable but available on Cisco.com)

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco web sites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/index.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:

http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html