Guest

Cisco Catalyst 3550 Series Switches

Release Notes for the Catalyst 3550 Multilayer Switch, 12.1(12c)EA1a

  • Viewing Options

  • PDF (678.8 KB)
  • Feedback
Release Notes for the Catalyst 3550 Multilayer Switch Cisco IOS Release 12.1(12c)EA1

Table Of Contents

Release Notes for the
Catalyst 3550 Multilayer Switch
Cisco IOS Release 12.1(12c)EA1

Contents

System Requirements

Hardware Supported

Software Compatibility

Recommended Platform Configuration for Web-Based Management

Operating System and Browser Support

Guidelines for Installing and Enabling the Java Plug-In

Installing the Required Plug-In

Creating Clusters with Different Releases of IOS Software

Downloading Software

Determining the Software Version and Feature Set

Which Files to Use

Upgrading a Switch by Using CMS

Upgrading a Switch by Using the CLI

Upgrading with a Nondefault System MTU Setting

Recovering from Software Failure

Installation Notes

Setting Up the Catalyst 3550 Initial Configuration

Accessing CMS

Configuring the HTTP Server

Displaying CMS

New Features

New Hardware Features

New Software Features

Limitations and Restrictions

IOS Limitations and Restrictions

Cluster Limitations and Restrictions

CMS Limitations and Restrictions

Important Notes

IOS Notes

Cluster Notes

CMS Notes

Read-Only Mode in CMS

Open Caveats

Open IOS Caveats

Open CMS Caveats

Resolved Caveats

IOS Caveat Resolved in Release 12.1(12c)EA1a

IOS Caveats Resolved in Release 12.1(12c)EA1

Cluster Caveats Resolved in Release 12.1(12c)EA1

Documentation Updates

References to the Cisco Documentation CD-ROM

Corrections to the Software Configuration Guide

Corrections to the Hardware Installation Guide

Lightning Activity Warning

Related Documentation

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Web Site

Cisco TAC Escalation Center


Release Notes for the
Catalyst 3550 Multilayer Switch
Cisco IOS Release 12.1(12c)EA1


January 2002

The Cisco IOS Release 12.1(12c)EA1 runs on all Catalyst 3550 multilayer switches.

These release notes include important information about this IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these are the correct release notes for your switch:

If you are installing a new switch, refer to the IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Determining the Software Version and Feature Set" section.

If you are upgrading to a new release, refer to the software upgrade filename for the IOS version.

For the complete list of Catalyst 3550 switch documentation, see the "Related Documentation" section.

You can download the switch software from these sites:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

(for registered Cisco.com users with a login password)

http://www.cisco.com/public/sw-center/sw-lan.shtml

(for nonregistered Cisco.com users)

This IOS release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future IOS releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.

Contents

This information is in the release notes:

"System Requirements" section

"Downloading Software" section

"Installation Notes" section

"New Features" section

"Limitations and Restrictions" section

"Important Notes" section

"Open Caveats" section

"Resolved Caveats" section

"Documentation Updates" section

"Related Documentation" section

"Obtaining Documentation" section

"Obtaining Technical Assistance" section

System Requirements

These are the system requirements for this IOS release:

"Hardware Supported" section

"Software Compatibility" section

Hardware Supported

Table 1 lists the hardware supported by this IOS release.

Table 1 Supported Hardware 

Switch
Description

Catalyst 3550-12T

10 Gigabit Ethernet 10/100/1000BASE-T ports and 2 GBIC1 -based Gigabit Ethernet slots

Catalyst 3550-12G

10 GBIC-based Gigabit Ethernet slots and 2 Gigabit Ethernet 10/100/1000BASE-T ports

Catalyst 3550-24

24 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots

Catalyst 3550-48

48 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots

Catalyst 3550-24-FX

24 100BASE-FX ports and 2 GBIC-based Gigabit Ethernet slots

Catalyst 3550-24-DC

24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, and an on-board DC2 power converter

Catalyst 3550-24PWR

24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, ability to provide power for Cisco IP Phones and Cisco Aironet Access Points from all 10/100 Ethernet ports, auto-detection and control of inline power on a per-port basis on all 10/100 ports

GBIC modules

1000BASE-SX GBIC

1000BASE-LX/LH GBIC

1000BASE-ZX GBIC

1000BASE-T GBIC

GigaStack GBIC

Course Wave Division Multiplexer (CWDM) fiber-optic GBIC

Redundant power system

Cisco RPS 300 Redundant Power System

1 GBIC = Gigabit Interface Converter

2 DC = direct current


Software Compatibility

These are the software compatibility requirements for this IOS release:

"Recommended Platform Configuration for Web-Based Management" section

"Operating System and Browser Support" section

"Installing the Required Plug-In" section

"Creating Clusters with Different Releases of IOS Software" section

Recommended Platform Configuration for Web-Based Management

Table 2 lists the recommended platforms for Web-based management.

Table 2 Recommended Platform Configuration for Web-Based Management

OS
Processor Speed
DRAM
Number of Colors
Resolution
Font Size

Windows NT 4.01

Pentium 300 MHz

128 MB

65,536

1024 x 768

Small

Solaris 2.5.1 or higher

SPARC 333 MHz

128 MB

Most colors for applications

Small (3)

1 Service Pack 3 or higher is required.


The minimum PC requirement is a Pentium processor running at 233 MHz with 64 MB of DRAM. The minimum UNIX workstation requirement is a Sun Ultra 1 running at 143 MHz with 64 MB of DRAM.

For information about supported operating systems, see the next section.

Operating System and Browser Support

You can access the web-based interfaces by using the operating systems and browsers listed in Table 3. The switch checks the browser version when starting a session to ensure that the browser is supported. If the browser is not supported, the switch displays an error message, and the session does not start.

Table 3 Supported Operating Systems and Browsers

Operating System
Minimum Service Pack or Patch
Netscape Communicator 1
Microsoft Internet Explorer 2

Windows 95

Service Pack 1

4.75 or 6.2

5.5 or 6.0

Windows 98

Second Edition

4.75 or 6.2

5.5 or 6.0

Windows NT 4.0

Service Pack 3 or later

4.75 or 6.2

5.5 or 6.0

Windows 2000

None

4.75 or 6.2

5.5 or 6.0

Windows XP

None

4.75 or 6.2

5.5 or 6.0

Solaris 2.5.1 or later

Sun-recommended patch cluster for the OS and Motif library patch 103461-24

4.75 or 6.2

Not supported

1 Netscape Communicator version 6.0 is not supported.

2 Service Pack 1 or higher is required for Internet Explorer 5.5.



Note If your browser is Internet Explorer and you receive an error message stating that the page might not display correctly because your security settings prohibit running activeX controls, this might mean that your security settings are set too high. To lower security settings, go to Tools > Internet Options, and select the Security tab. Select the indicated Zone, and move the Security Level for this Zone slider from High to Medium (the default).



Note In Cluster Management displays, Internet Explorer versions 4.01 and 5.0 might not display edge devices that are not connected to the command switch. Other functionality is similar to that of Netscape Communicator.


Guidelines for Installing and Enabling the Java Plug-In

If CMS does not launch automatically, you might not have a supported Java Plug-In installed, or the Java Plug-In might not be enabled. CMS does not automatically detect if a supported Java plug-in is installed. If you start CMS without the required Java plug-in installed, you remain on the CMS splash screen, and CMS will not launch.

To make sure that a supported Java Plug-In is correctly installed and enabled, follow these guidelines:

If you are using a supported browser and are connected to the Internet, click the Java Plug-In link to download and install a supported Java Plug-In.

If you have installed the Java plug-in but CMS still does not launch, make sure that the plug-in is enabled by clicking Start > Settings > Control Panel > Java Plug-in. Click the Basic tab, select Enable Java Plug-in, and click Apply.

To verify that a supported version of the Java Plug-In is installed, click Start > Settings > Control Panel. The Java Plug-In is listed with the version number in the Control Panel menu.

Installing the Required Plug-In

A Java plug-in is required for the browser to access and run the Java-based Cluster Management Suite (CMS). Download and install the plug-in before you start CMS. Each platform, Windows and Solaris, supports three plug-in versions. For information on the supported plug-ins, see the "Windows XP, Windows 2000, Windows 95, Windows 98, and Windows NT 4.0 Plug-Ins" section and the "Solaris Platforms" section.

You can download the recommended plug-ins from this URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/java


Note Uninstall older versions of the Java plug-ins before installing the Java plug-in.


If the Java applet does not initialize after you have installed the plug-in, open the Java Plug-in Control Panel (Start > Programs > Java Plug-in Control Panel), and verify these settings:

In the Proxies tab, verify that Use browser settings is checked and that no proxies are enabled.


Note If you are running an Internet virus checker on Windows 2000 and the plug-in takes a long time to load, you can speed up CMS operation by disabling the virus checker filter option or download option or both.

On McAfee VirusScan, from the Start menu, to disable the VirusScan Internet Filter option, the Download Scan option, or both, select Start > Programs > Network Associates > Virus Scan Console > Configure.

or

From the taskbar, right-click the Virus Shield icon and in the Quick Enable menu, disable the options by deselecting Internet Filter or Download Scan.


Windows XP, Windows 2000, Windows 95, Windows 98, and Windows NT 4.0 Plug-Ins

These Java plug-ins are supported in Windows environments:

Java plug-in 1.4

Java plug-in 1.3.1

Java plug-in 1.3.0

You can download these plug-ins from this URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/java

Solaris Platforms

These Java plug-ins are supported on the Solaris platform:

Java plug-in 1.4

Java plug-in 1.3.1

Java plug-in 1.3.0

You can download these plug-ins and instructions from this URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/java

To install the Java plug-in, follow the instructions in the README_FIRST.txt file.

Creating Clusters with Different Releases of IOS Software

When a cluster consists of a mixture of other Catalyst switches, we strongly recommend using only the Catalyst 3550 switches as the command and standby command switches. When the command switch is a Catalyst 3550 switch, all standby command switches must also be Catalyst 3550 switches. The Catalyst 3550 switch that has the latest software should be the command switch. If the command switch is a Catalyst 3550 Gigabit Ethernet switch and the standby command switch is a Catalyst 3550 Fast Ethernet switch, command switch port speeds are reduced if the standby command switch takes over.

If your cluster has Catalyst 2950, Catalyst 2900 XL, and Catalyst 3500 XL switches, the Catalyst 2950 switch (with the latest software release) should be the command switch. The Catalyst 2950 switch that has the latest software should be the command switch.

If your switch cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, and Catalyst 3500 XL switches, either the Catalyst 2900 XL or Catalyst 3500 XL (whichever has the latest software release) should be the command switch.

Table 4 lists the cluster capabilities and software versions for the switches.

Table 4 Switch Software and Cluster Capability

Switch
IOS Release
Cluster Capability

Catalyst 3550

Release 12.1(4)EA1 or later

Member or command switch

Catalyst 3500 XL

Release 12.0(5.1)XU or later

Member or command switch

Catalyst 2950

Release 12.0(5.2)WC(1) or later

Member or command switch

Catalyst 2900 XL (8-MB switches)

Release 12.0(5.1)XU or later

Member or command switch

Catalyst 2900 XL (4-MB switches)

Release 11.2(8.5)SA6 (recommended)

Member switch only1

Catalyst 1900 and 2820

Release 9.00(-A or -EN) or later

Member switch only

1 Catalyst 2900 XL (4-MB) switches appear in the front-panel and topology views of CMS. However, CMS does not support configuration or monitoring of these switches.


Some versions of the Catalyst 2900 XL software do not support clustering and if you have a cluster with switches that are running different versions of IOS software, software features added on the latest release might not be reflected on switches running the older versions. For example, if you start Visual Switch Manager (VSM) on a Catalyst 2900 XL switch running Release 11.2(8)SA6, the windows and functionality can be different from a switch running Release 12.0(5)WC(1) or later.


Note The CMS is not forward-compatible, which means that if a member switch is running a software version that is newer than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device supported by a software release that is later than the software release on the command switch, the command switch cannot recognize the member switch and it is displayed as an unknown device in the Front Panel view. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to perform configuration and obtain reports for that member.


Downloading Software

These are the procedures for downloading software:

"Determining the Software Version and Feature Set" section

"Which Files to Use" section

"Upgrading a Switch by Using CMS" section

"Upgrading a Switch by Using the CLI" section


Note Before downloading software, read this section for important information.



Caution The crypto image includes a bootloader upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

Determining the Software Version and Feature Set

The IOS image is stored as a .bin file in a directory that is named with the IOS release. A subdirectory contains the HTML files needed for web management. The image is stored on the system board Flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3550-I5Q3L2 for the enhanced multilayer software image (EMI) or C3550-I9Q3L2 for the standard multilayer software image (SMI).


Note Although the show version output always shows the software image running on the switch (Layer 2 or Layer 2/3), the model name shown at the end of this display is the factory configuration (SMI or EMI) and does not change if you upgrade the software image.


You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in Flash memory.

Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined .tar file. This file contains both the IOS image file and the HTML files (needed for the CMS). You must use the combined .tar file to upgrade the switch through the CMS.

The .tar file is an archive file from which you can extract files by using the tar command. You also use the .tar file to upgrade the system by using the archive download-sw privileged EXEC command.

Table 5 lists the software filenames for this IOS release.

Table 5 Cisco IOS Software Files for Catalyst 3550 Switches 

Filename

Description

c3550-i9q3l2-mz.121-12c.EA1.bin

IOS SMI image file.
This image has Layer 2+ and basic Layer 3 routing features.

c3550-i9q312-tar.121-12c.EA1.tar

IOS SMI image file and CMS files.
This image has Layer 2+ and basic Layer 3 routing features.

c3550-i5q3l2-mz.121-12c.EA1.bin

IOS EMI image file.
This image has both Layer 2+ and full Layer 3 features.

c3550-i5q3l2-tar.121-12c.EA1.tar

IOS EMI image file and CMS files.
This image has both Layer 2+ and full Layer 3 features.

c3550-i9k2l2q3-mz.121-12c.EA1a.bin

IOS SMI crypto image file.
This image has the Secure Shell (SSH) and Layer 2+ features.

c3550-i9k2l2q3-tar.121-12c.EA1a.tar

IOS SMI crypto image file and CMS files.
This image has the SSH and Layer 2+ features.

c3550-i5k2l2q3-mz.121-12c.EA1a.bin

IOS EMI crypto image file.
This image has the SSH, Layer 2, and Layer 3 features.

c3550-i5k2l2q3-tar.121-12c.EA1a.tar

IOS EMI crypto image file and CMS files.
This image has the SSH, Layer 2, and Layer 3 features.


The Catalyst 3550 switch is supported by either the SMI, which provides Layer 2+ features and basic Layer 3 routing, or the EMI, which provides Layer 2+ features, full Layer 3 routing, and advanced services. All Catalyst 3550 Gigabit Ethernet switches are shipped with the EMI installed. Catalyst 3550 Fast Ethernet switches are shipped with either the SMI or the EMI installed. After initial deployment, you can order the Enhanced Multilayer Software Image Upgrade kit to upgrade the Catalyst 3550 Fast Ethernet switches from the SMI to the EMI.

Upgrading a Switch by Using CMS

You can upgrade switch software by using CMS. From the menu bar, select Administration > Software Upgrade. For detailed instructions, click Help.


Caution If you are copying the crypto image to the switch, the bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying the image to the switch. If a power failure occurs when you are copying the image, call Cisco Systems immediately.

Upgrading a Switch by Using the CLI

This procedure is for copying the combined .tar file to the Catalyst 3550 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.


Caution If you are copying the crypto image to the switch, the bootloader can take up to 30  seconds to upgrade. Do not power cycle the switch while you are copying the image to the switch. If a power failure occurs when you are copying the image, call Cisco Systems immediately.

To download software, and if necessary, the TFTP server application, follow these steps:


Step 1 Use Table 5 to identify the file that you want to download.

Step 2 Download the software image file.

If you have a SmartNet support contract, go to this URL and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

If you do not have a SmartNet contract, go to this URL and follow the instructions to register on Cisco.com and download the appropriate files:

http://www.cisco.com/public/sw-center/sw-lan.shtml

To download the SMI and EMI files, select Catalyst 3550 software.

To obtain authorization and to download the crypto software files, select Catalyst 3550 3DES Cryptographic Software.

Step 3 Download the Cisco TFTP server from the URL link from Step 2, if necessary. The information on this page describes how to download and configure the TFTP server.

Step 4 Copy the image to the appropriate TFTP directory on the workstation, and make sure the TFTP server is properly configured.

For more information, refer to Appendix B in the Catalyst 3550 Multilayer Switch Software Configuration Guide.

Step 5 Log in to the switch through the console port or a Telnet session.

Step 6 Check your VLAN 1 configuration by using the show interfaces vlan 1 privileged EXEC command, and verify that VLAN 1 is part of the same network as the TFTP server. (Check the Internet address is line near the top of the display.)

Step 7 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in Flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite 
tftp://198.30.20.19/c3550-i5q3l2-tar.121-12c.EA1.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.


Upgrading with a Nondefault System MTU Setting

If the switch was running Release 12.1(8)EA1c or earlier and you had used the system mtu global configuration command to configure a nondefault system maximum transmission unit (MTU) size on your switch, follow these steps to upgrade your switch to Release 12.1(11)EA1 or later:


Step 1 Upgrade the IOS software to Release 12.1(11)EA1 or later.

Step 2 If a system MTU size of greater than 2000 is configured on the Catalyst 3550-12T or Catalyst 3550-12G, use the system mtu global configuration command to set it to the maximum supported MTU size.


Note The maximum allowable system MTU for Catalyst 3550 Gigabit Ethernet switches
is 2000 bytes; the maximum system MTU for Fast Ethernet switches is 1546 bytes.


Step 3 Save the running configuration by entering the copy running-config startup-config privileged EXEC command.

Step 4 Reload the switch by using the new IOS software.

Step 5 When the switch comes back up with Release 12.1(11)EA1 or later, reload the switch a second time by using the reload privileged EXEC command so that the system mtu command takes effect.


Recovering from Software Failure

If the software fails, you can reload the software. For detailed recovery procedures, refer to the "Troubleshooting" chapter in the Catalyst 3550 Multilayer Switch Software Configuration Guide.

Installation Notes

You can assign IP information to your switch by using the setup program, the Dynamic Host Configuration Protocol (DHCP)-based autoconfiguration (refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide), or by manually assigning an IP address (refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide).

These are the installation procedures:

"Setting Up the Catalyst 3550 Initial Configuration" section

"Accessing CMS" section

Setting Up the Catalyst 3550 Initial Configuration

The first time that you access the switch, it runs a setup program that prompts you for an IP address and other configuration information necessary for the switch to communicate with the local routers and the Internet. This information is also required if you plan to use the CMS to configure and manage the switch.


Note If the switch will be a cluster member managed through the IP address of the command switch, it is not necessary to assign IP information or a password. If you are configuring the switch as a standalone switch or as a command switch, you must assign IP information.


Follow these steps to create an initial configuration for the switch:


Step 1 Enter Yes at the first two prompts.

Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system.

Would you like to enter basic management setup? [yes/no]: yes

Step 2 Enter a host name for the switch, and press Return.

On a command switch, the host name is limited to 28 characters; on a member switch to 31 characters. Do not use -n, where n is a number, as the last character in a host name for any switch.

Enter host name [Switch]: host_name

Step 3 Enter a secret password, and press Return.

The password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, allows spaces, but ignores leading spaces.

Enter enable secret: secret_password

Step 4 Enter an enable password, and press Return.

Enter enable password: enable_password

Step 5 Enter a virtual terminal (Telnet) password, and press Return.

The password can be from 1 to 25 alphanumeric characters, is case sensitive, allows spaces, but ignores leading spaces.

Enter virtual terminal password: terminal-password

Step 6 (Optional) Configure Simple Network Management Protocol (SNMP) by responding to the prompts.

Step 7 Enter the interface name (physical interface or VLAN name) of the interface that connects to the management network, and press Return. For this release, always use vlan 1 as that interface.

Enter interface name used to connect to the
management network from the above interface summary: vlan 1

Step 8 Configure the interface by entering the switch IP address and subnet mask and pressing Return:

Configuring interface vlan 1:
Configure IP on this interface? [yes]: yes 
IP address for this interface: 10.4.120.106
Subnet mask for this interface [255.0.0.0]: 255.255.255.0

Step 9 Enter Y to configure the switch as the cluster command switch. Enter N to configure it as a member switch or as a standalone switch.

If you enter N, the switch appears as a candidate switch in the CMS. In this case, the message in Step 10 is not displayed.

Would you like to enable as a cluster command switch? [yes/no]: yes

Step 10 Assign a name to the cluster, and press Return.

Enter cluster name: cluster_name

The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.

The initial configuration appears:

The following configuration command script was created:

hostname host-name
enable secret 5 $1$LiBw$0Xc1wyT.PXPkuhFwqyhVi0
enable password enable-password
line vty 0 15
password terminal-password
snmp-server community public
!
no ip routing
!
interface vlan 1
no shutdown
ip address 10.4.120.106 255.255.255.0

interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!         
...<output abbreviated>
!
interface GigabitEthernet0/12
no ip address

cluster enable cluster-name
!
end

Step 11 These choices are displayed:

[0] Go to the IOS command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration to nvram and exit.

Enter your selection [2]:2

Make your selection, and press Return.


After you complete the setup program, the switch can run the created default configuration. If you want to change this configuration or want to perform other management tasks, use one of these tools:

Command-line interface (CLI)

Cluster Management Suite (CMS) from your browser

Accessing CMS

Before using the web-based CMS tools, see the "Software Compatibility" section and the "Installing the Required Plug-In" section to set up the appropriate browser options. After you have assigned an IP address to the switch and installed the plug-in, you can access the switch from your browser and use the CMS to configure other switches.


Note If you have downloaded a new version of the CMS, you must clear your browser cache before launching the new CMS version.


The browser prompts for a username and password when you access CMS:

If no username is configured on your switch (the default), you only need to enter the enable password in the appropriate field. For more information, see the "Displaying CMS" section.

If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch. For more information, see the "Configuring the HTTP Server" section.

Configuring the HTTP Server

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip http authentication {aaa | enable | local | tacacs}

Configure the HTTP server interface for the type of authentication you want to use.

aaa—Indicates that the AAA facility is used for authentication.

enable—Indicates that the enable password, which is the default method of HTTP server user authentication, is being used.

local—Indicates that the local user database as defined on the Cisco router or access server is used for authentication.

tacacs—Indicates that the TACACS server is used for authentication.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show running-config

Verify your entries.

After you have configured the HTTP server interface, display the CMS access page as described in the "Displaying CMS" section.

Displaying CMS

To display the CMS access page, follow these steps:


Step 1 Enter the switch IP address in the browser Location field (Netscape Communicator) or Address field (Internet Explorer), and press Return.

Step 2 Enter your username and password when prompted.

The Cisco Systems Access page appears. For more information on setting passwords and privilege levels, refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide.

Step 3 Click Web Console to launch the CMS applet.

When you access CMS from a standalone or a cluster-member switch, Device Manager appears.


New Features

These are the new supported hardware and the new software features provided in IOS Release 12.1(12c)EA1:

"New Hardware Features" section

"New Software Features" section

New Hardware Features

Cisco IOS Release 12.1(12c)EA1 supports the Catalyst 3550-24PWR switch.

For a list of all supported hardware, see the "Hardware Supported" section.

New Software Features

Cisco IOS Release 12.1(12c)EA1 contains these new features or enhancements:

Kerberos security system to authenticate requests for network resources by using a trusted third party

Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues (Voice over IP only)

Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device

Support for Link Aggregation Control Protocol (LACP) to facilitate the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. LACP is defined in IEEE 802.3AD

Switched Port Analyzer (SPAN) and remote SPAN (RSPAN) support of Intrusion Detection Systems (IDSs) to monitor, repel, and report network security violations

Support for the capabilities keyword with the show interfaces privileged EXEC command

Support for these new security features:

802.1X with per-user access control lists for providing different levels of network access and service to an 802.1X-authenticated user

802.1X with VLAN assignment for restricting 802.1X-authenticated users to a specified VLAN

802.1X with port security for controlling access to 802.1X multiple-host ports

802.1X with voice VLAN to permit an IP phone access to the voice VLAN irrespective of the authorized or unauthorized state of the port

CMS support for these features:

Ping and Trace—Perform a ping, Layer 2 traceroute, or Layer 3 traceroute operation on or to a specific address.

Front Panel View Enhancements—Choose the switches in a cluster that are displayed in the Front Panel view window.

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

These are the limitations and restrictions:

"IOS Limitations and Restrictions" section

"Cluster Limitations and Restrictions" section

"CMS Limitations and Restrictions" section

IOS Limitations and Restrictions

These limitations apply to IOS configuration:

Modifying a multicast boundary access list does not prevent packets from being forwarded by any multicast routes that were in existence before the access list was modified if the packets arriving on the input interface do not violate the boundary. However, no new multicast routes that violate the updated version of the multicast boundary access list are learned, and any multicast routes that are in violation of the updated access list are not relearned if they age out.

After updating a multicast boundary, the workaround is to use the clear ip mroute privileged EXEC command to delete any existing multicast routes that violate the updated boundary. (CSCdr79083)

When an IP packet with a cyclic redundancy check (CRC) error is received, the per-packet per-Differentiated Service Code Point (DSCP) counter (for DSCP 0) is incremented. Normal networks should not have packets with CRC errors. (CSCdr85898)

The mac-address interface configuration command does not properly assign a MAC address to an interface. This command is not supported on Catalyst 3550 switches. (CSCds11328)

If you configure the DHCP server to allocate addresses from a pool to the switch, two devices on the network might have the same IP address. Pooled addresses are temporarily allocated to a device and are returned to the pool when not in use. If you save the configuration file after the switch receives such an address, the pooled address is saved, and the switch does not attempt to access the DHCP server after a reboot to receive a new IP address. As a result, two devices might have the same IP address.

The workaround is to make sure that you configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. (CSCds55220)

The show ip mroute count privileged EXEC command might display incorrect packet counts. In certain transient states (for example, when a multicast stream is forwarded only to the CPU during the route-learning process and the CPU is programming this route into the hardware), a multicast stream packet count might be counted twice. Do not trust the counter during this transient state. (CSCds61396)

When changing the link speed of a Gigabit Ethernet port from 1000 Mbps to 100 Mbps, there is a slight chance that the port will stop transmitting packets. If this occurs, shut down the port, and re-enable it by using the shutdown and no shutdown interface configuration commands. (CSCds84279)

In IP multicast routing and fallback bridging, certain hardware features are used to replicate packets for the different VLANs of an outgoing trunk port. If the incoming speed is line rate, the outgoing interface cannot duplicate that speed (because of the replication of the packets). As a result, certain replicated packets are dropped. (CSCdt06418)

When you use the no interface port-channel global configuration command to remove an EtherChannel group, the ports in the port group change to the administratively down state.

When you remove an EtherChannel group, enter the no shutdown interface configuration command on the interfaces that belonged to the port group to bring them back on line. (CSCdt10825)

In the output displayed after a show interface interface-id privileged EXEC command, the output buffer failures field shows the number of packets lost before replication, whereas the packets output field shows the successful transmitted packets after replication. To determine actual discarded frames, multiply the output buffer failures by the number of VLANs on which the multicast data is replicated. (CSCdt26928)

Internet Group Management Protocol (IGMP) packets classified by QoS to map the DSCP value and the class of service (CoS) value in a QoS policy map might only modify the DSCP property and leave the CoS value at zero. (CSCdt27705)

If you assign both tail-drop threshold percentages to 100 percent by using the wrr-queue threshold interface configuration command and display QoS information for this interface by using the show mls qos interface statistics privileged command, the drop-count statistics are always zero even if the thresholds were exceeded. To display the total number of discarded packets, use the show controllers ethernet-controllers interface-id privileged EXEC command. In the display, the number of discarded frames includes the frames that were dropped when the tail-drop thresholds were exceeded. (CSCdt29703)

Open Shortest Path First (OSPF) path costs and Interior Gateway Routing Protocol (IGRP) metrics are incorrect for switch virtual interface (SVI) ports. You can manually configure the bandwidth of the SVI by using the bandwidth interface configuration command. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as an outgoing interface. (CSCdt29806)

On the Catalyst 3550 switch, coldStart and warmStart traps are not consistently sent. (CSCdt33779)

Remote Monitoring (RMON) collection functions on physical interfaces, but it is not supported on EtherChannels and SVIs. (CSCdt36101)

Multicast router information is displayed in the show ip igmp snooping mrouter privileged EXEC command when IGMP snooping is disabled. Multicast VLAN Registration (MVR) and IGMP snooping use the same commands to display multicast router information. In this case, MVR is enabled, and IGMP snooping is disabled. (CSCdt48002)

When a VLAN interface has been disabled and restarted multiple times by using the shutdown and no shutdown interface configuration commands, the interface might not restart following a no shutdown command. To restart the interface, re-enter a shutdown and no shutdown command sequence. (CSCdt54435)

When you configure the ip pim spt-threshold infinity interface configuration command, you want all sources for the specified group to use the shared tree and not use the source tree. However, the switch does not automatically start to use the shared tree. No connectivity problem occurs, but the switch continues to use the shortest path tree for multicast group entries already installed in the multicast routing table. You can enter the clear ip mroute * privileged EXEC command to force the change to the shared tree. (CSCdt60412)

If the number of multicast routes configured on the switch is greater than the switch can support, it might run out of available memory, which can cause it to reboot. This is a limitation in the platform-independent code.

The workaround is to not configure the switch to operate with more than the maximum number of supported multicast routes. You can use the show sdm prefer and show sdm prefer routing privileged EXEC commands to view approximate maximum configuration guidelines for the current SDM template and the routing template. (CSCdt63354)

Configuring too many multicast groups might result in an extremely low memory condition and cause the software control data structure to go out of sync, causing unpredictable forwarding behavior. The memory resources can only be recovered by entering the clear ip mroute privileged EXEC command. To prevent this situation, do not configure more than the recommended multicast routes on the switch. (CSCdt63480)

The dec keyword is not supported in the bridge bridge-group protocol global configuration command. If two Catalyst 3550 switches are connected to each other through an interface that is configured for IP routing and fallback bridging, and the bridge group is configured with the bridge bridge-group protocol dec command, both switches act as if they were the spanning tree root. Therefore, spanning-tree loops might be undetected. (CSCdt63589)

When you configure an EtherChannel between a Catalyst 3550 and a Catalyst 1900 switch, some of Catalyst 3550 links in the EtherChannel might go down, but one link in the channel remains up, and connectivity is maintained.

The workaround is to disable the Port Aggregation Protocol (PAgP) on both devices by using the channel-group channel-group-number mode on interface configuration command. PAgP negotiation between these two devices is not reliable. (CSCdt78727)

When the switch is operating with equal-cost routes and it is required to learn more unicast routes than it can support, the CPU might run out of memory, and the switch might fail.

The workaround is to remain within the documented recommended and supported limits. (CSCdt79172)

The behavior of a software access control list (ACL) with QoS is different from a hardware ACL with QoS. On the Catalyst 3550 switch, when the QoS hardware rewrites the DSCP of a packet, the rewriting of this field happens before software running on the CPU examines the packet, and the CPU sees only the new value and not the original DSCP value.

When the security hardware ACL matches a packet on input, the match uses the original DSCP value. For output security ACLs, the security ACL hardware should match against the final, possibly changed, DSCP value as set by the QoS hardware. Under some circumstances, a match to a security ACL in hardware prevents the QoS hardware from rewriting the DSCP and causes the CPU to use the original DSCP.

If a security ACL is applied in software (because the ACL did not fit into hardware, and packets were sent to the CPU for examination), the match probably uses the new DSCP value as determined by the QoS hardware, regardless of whether the ACL is applied at the input or at the output. When packets are logged by the ACL, this problem can also affect whether or not a match is logged by the CPU even if the ACL fits into hardware and the permit or deny filtering was completed in hardware.

To avoid these issues, whenever the switch rewrites the DSCP of any packet to a value different from the original DSCP, security ACLs should not test against DSCP values in any of their access control elements (ACEs), regardless of whether the ACL is being applied to an IP access group or to a VLAN map. This restriction does not apply to ACLs used in QoS class maps.

If the switch is not configured to rewrite the DSCP value of any packet, it is safe to match against DSCP in ACLs used for IP access groups or for VLAN maps because the DSCP does not change as the packet is processed by the switch.

The DSCP field of an IP packet encompasses the two fields that were originally designated precedence and TOS (type of service). Statements relating to DSCP apply equally to either IP precedence or IP TOS. (CSCdt94355)

If you configure a trunk port for Dynamic Trunking Protocol (DTP) nonegotiate mode and change the encapsulation type from ISL to 802.1Q by using the switchport trunk encapsulation interface configuration command, the port becomes an access port and is no longer trunking. (CSCdv46715)

On earlier versions of Catalyst 3550-24 switches, if a 10/100BASE-TX port on the switch is connected to a Catalyst 2820 or Catalyst 1900 switch through an ISL trunk at 100 Mbps, bidirectional communication cannot be established. The Catalyst 2820 or Catalyst 1900 switch identifies the Catalyst 3550-24 switch as a CDP neighbor, but the Catalyst 3550-24 switch does not recognize the Catalyst 2820 or Catalyst 1900 switch. On these switches, you should not use ISL trunks between the Catalyst 3550-24 and a Catalyst 2820 or Catalyst 1900 switch. Configure the link as an access link instead of a trunk link.

This problem has been fixed in hardware on Catalyst 3550-24 switches with motherboard assembly number 73-5700-08 or later. To determine the board level on your switch, enter the show version privileged EXEC. Motherboard information appears toward the end of the output display. (CSCdv68158)

When IGMP filtering is enabled and you use the ip igmp profile global configuration command to create an IGMP filter, reserved multicast addresses cannot be filtered. Because IGMP filtering uses only Layer 3 addresses to filter IGMP reports and due to mapping between Layer 3 multicast addresses and Ethernet multicast addresses, reserved groups (224.0.0.x) are always allowed through the switch. In addition, aliased groups can leak through the switch. For example, if a user is allowed to receive reports from group 225.1.2.3, but not from group 230.1.2.3, aliasing will cause the user to receive reports from 230.1.2.3. Aliasing of reserved addresses means that all groups of the form y.0.0.x are allowed through. (CSCdv73626)

If you use the ip igmp max-groups interface configuration command to set the maximum number of IGMP groups for an interface to 0, the port still receives group reports from reserved multicast groups (224.0.0.x) and their Layer 2 aliases (y.0.0.x). (CSCdv79832)

The switch might reload when it is executing the no snmp-server host global configuration command. This is a rare condition that can happen if SNMP traps or informs are enabled and the SNMP agent attempts to send a trap to the host just as it is being removed from the configuration and if the IP address of the host (or the gateway to reach the host) has not been resolved by Address Resolution Protocol (ARP).

The workaround is to ensure that the target host or the next-hop gateway to that host is in the ARP cache (for example, by using a ping command) before removing it from the SNMP configuration. Alternatively, disable all SNMP traps and informs before removing any hosts from the SNMP configuration. (CSCdw44266)

When you access CISCO-STACK-MIB portTable, the mapping might be off by one from the mapping given by the switch. The objects in this table are indexed by two numbers: portModuleIndex and portIndex. The allowable values for portModuleIndex are 1 through 16. Because 0 is not an allowable value, the value 1 represents module 0.

The workaround is to use the value 1 to represent module 0. (CSCdw71848)

Multicast traffic can be temporarily lost when a link comes up in a redundant network and causes the reverse path forwarding (RPF) to change. This only occurs when there are multiple paths between the rendezvous point (RP) and the multicast source.

There is no workaround. (CSCdw27519)

If a port on the Catalyst 3550 switch that is running the Multiple Spanning Tree Protocol (MSTP) is connected to another switch that belongs to a different multiple spanning tree (MST) region, the Catalyst 3550 port is not recognized as a boundary port when you start the protocol migration process by using the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. This problem occurs only on the root bridge, and when the root bridge is cleared, the boundary ports are not shown because the designated ports do not receive any bridge protocol data units (BPDUs) unless a topology change occurs. This is the intended behavior.

The workaround is to configure the Catalyst 3550 switch for PVST by using the spanning-tree mode pvst global configuration command bridge, and then change it to MSTP by using the spanning-tree mode mst global configuration command. (CSCdx10808)

When 1000 VLANs and more than 40 trunk ports are configured, and the spanning-tree mode changes from MSTP to PVST or vice versa, this message appears on the console:

%ETHCNTR-3-RA_ALLOC_ERROR: RAM Access write pool I/O memory allocation failure

There is no workaround. However, we recommend that you reload the switch by using the reload privileged EXEC command. To avoid this problem, configure the system with fewer VLANs and fewer trunk ports, or use the switchport trunk allowed vlan interface configuration command to reduce the number of active VLANs on each trunk port. (CSCdx20106)

If you apply an ACL to an interface that has a QoS policy map attached and the ACL is configured so that the packet should be forwarded by the CPU or if the configured ACL cannot fit into the ternary content addressable memory (TCAM), all packets received from this interface are forwarded to the CPU. Because traffic forwarded to the CPU cannot be policed by the policer configured on the interface, this traffic is not accurately rate-limited to the configured police rate.

The workaround, when QoS rate limiting is configured on an interface, is to configure applied ACLs so that packets are not forwarded by the CPU or reduce the number of ACEs in the ACL so that it can fit into the TCAM. (CSCdx30485)

When you reboot a Catalyst 3550-24-FX switch, it might loop back packets received on a 1000BASE-FX port to its link partner. This can occur before the IOS software takes control of the system and lasts for about 200 milliseconds.

As a result, the link partner might shut down the port when it detects loopback packets, or MAC addresses might be learned on the wrong ports on upstream switches. The network might be unable to deliver packets to a few devices for up to 5 minutes after rebooting the Catalyst 3550-24-FX switch when:

The Catalyst 3550-24-FX switch is connected to one or more switches in the network.

Spanning tree is disabled in the network or the Port Fast feature is enabled on the ports connected to the Catalyst 3550-24-FX switch.

The Catalyst 3550-24-FX switch is powered cycled or reloaded from CLI.

One or more devices in the network transmit a broadcast or multicast packet during the 200-millisecond timing window while the Catalyst 3550-24-FX switch is booting.

This problem corrects itself after five minutes or when these devices transmit a broadcast or multicast packet, whichever comes first.

The workaround is to enable spanning tree in the network and to make sure that the Port Fast feature is disabled on all ports connected to the Catalyst 3550-24-FX switch. (CSCdx45558)

Catalyst 3550 switches do not take into account the Preamble and Inter Frame Gap (IFG) when rate limiting traffic, which could result in a slightly inaccurate policing rate on a long burst of small-sized frames, where the ratio of the Preamble and IFG to frame size is more significant. This should not be an issue in an environment where the frames are a mix of different sizes.

If the switch fails for any reason while you are exiting VLAN configuration mode (accessed by entering the vlan database privileged EXEC command), there is a slight chance that the VLAN database might get corrupted. After resetting from the switch, you might see these messages on the console:

%SW_VLAN-4-VTP_INVALID_DATABASE_DATA: VLAN manager received bad data of type device 
type: value 0 from vtp database 

$SW_VLAN-3-VTP_PROTOCOL_ERROR: VTP protocol code internal error 

The workaround is to use the delete flash:vlan.dat privileged EXEC command to delete the corrupted VLAN database. Then reload the switch by using the reload privileged EXC command. (CSCdx19540)

When a Cisco RPS 300 Redundant Power System provides power to a switch, after the switch power supply is restored the RPS 300 continues to provide power until the RPS mode button is pressed. At this point, some switches restart, depending on how quickly the switch internal power supply resumes operation. (CSCdx81023)

Inserting GigaStack Gigabit Interface Converter (GBIC) modules in the switch cause an increase in the CPU usage. (CSCdx90515)

If you apply a large ACL and it fills the entire ternary content addressable memory (TCAM), the multicast VLAN registration (MVR) IP multicast data packets are sent to the switch CPU and are not forwarded to the MVR receiver ports.

There is no workaround. (CSCdx80751)

When you insert a GigaStack GBIC in a GBIC module slot, the CPU utilization increases by six percent. This increase occurs for each GigaStack GBIC added to the switch. Other types of GBICs do not cause additional CPU utilization.

There is no workaround. (CSCdx90515)

An RSPAN source session does not forward monitored traffic to the RSPAN destination session if there is an egress SPAN source port in the session with port security or 802.1X enabled. (CSCdy21035)

Not all traffic is properly mirrored by RSPAN when a port is monitored for egress traffic and the RSPAN VLAN is carried through a Layer 2 Protocol Tunnel to the RSPAN destination switch.

This happens because the MAC addresses for the original packets as well as the mirrored RSPAN packets are all learned on the tunnel VLAN, so the RSPAN traffic is no longer properly segregated on the tunneling switches.

The workaround is to not include any RSPAN VLANs in any Layer 2 Protocol tunnels unless the tunnel is dedicated to a single RSPAN VLAN. (CSCdy37188)

Ingress forwarding on a SPAN destination port does not work if there is an egress SPAN source port in the session with port security or 802.1X enabled. (CSCdy44646)

Storm control or traffic suppression (configured by using the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command) is supported only on physical interfaces; it is not supported on EtherChannel port channels even though you can enter these commands through the CLI.

The Cisco RPS 300 Redundant Power System supports the Catalyst 3550 multilayer switch and provides redundancy for up to six connected devices until one of these devices requires backup power. If a connected device has a power failure, the RPS immediately begins supplying power to that device and sends status information to other connected devices that it is no longer available as a backup power source. As described in the device documentation, when the RPS LED is amber, the RPS is connected but down. However, this might merely mean that the RPS is in standby mode. Press the Standby/Active button on the RPS to put it into active mode. You can view RPS status through the CLI by using the show rps privileged EXEC command. For more information, refer to the RPS 300 Hardware Installation Guide.


Note The Cisco RPS 300 does not support the Catalyst 3550-24PWR switch.


Hot Standby Routing Protocol (HSRP) does not support configuration of overlapping addresses in different VPN routing and forwarding (VRF) tables. (CSCdy14520)

You can connect the switch to a PC by using the switch console port and the supplied rollover cable and the DB-9 adapter. You need to provide a RJ-45-to-DB-25 female DTE adapter if you want to connect the switch console port to a terminal. You can order a kit (part number ACS-DSBUASYN=) with this RJ-45-to-DB-25 female DTE adapter from Cisco.

Cluster Limitations and Restrictions

These limitations apply to cluster configuration:

When there is a transition from the cluster active command switch to the standby command switch, Catalyst 1900, Catalyst 2820, and Catalyst 2900 4-MB switches that are cluster members might lose their cluster configuration. You must manually add these switches back to the cluster.
(CSCds32517, CSCds44529, CSCds55711, CSCds55787, CSCdt70872)

When a Catalyst 2900 XL or Catalyst 3500 XL cluster command switch is connected to a Catalyst 3550 switch, the command switch does not find any cluster candidates beyond the Catalyst 3550 switch if it is not a member of the cluster. You must add the Catalyst 3550 switch to the cluster. You can then see any cluster candidates connected to it. (CSCdt09918)

If both the active command-switch and the standby command switch fail at the same time, the cluster is not automatically recreated. Even if there is a third passive command switch, it might not recreate all cluster members because it might not have all the latest cluster configuration information. You must manually recreate the cluster if both the active and standby command switches simultaneously fail. (CSCdt43501)

CMS Limitations and Restrictions

These limitations apply to CMS configuration:

Host names and Domain Name System (DNS) server names that contain commas on a cluster command switch, member switch, or candidate switch can cause CMS to behave unexpectedly. You can avoid this instability in the interface by not using commas in host names or DNS names. Do not enter commas when also entering multiple DNS names in the IP Configuration tab of the IP Management window in CMS.

ACEs that contain the host keyword precede all other access control entries (ACEs) in standard ACLs. You can reposition the ACEs in a standard ACL with one restriction: No ACE with the any keyword or a wildcard mask can precede an ACE with the host keyword.

CMS performance degrades if the Topology View is open for several hours on a Solaris machine. The cause might be a memory leak.

The workaround is to close the browser, reopen it, and launch CMS again. (CSCds29230)

If you are printing a Topology View or Front Panel View that contains many devices and are running Solaris 2.6 with JDK1.2.2, you might get an Out of Memory error message.

The workaround is to close the browser, re-open it, and launch CMS again. Before you perform any other task, bring up the view that you want to print, and click Print in the CMS menu.(CSCds80920)

If a PC running CMS has low memory and CMS is running continuously for two to three days, the PC runs out of memory.

The workaround is to relaunch CMS. (CSCdv88724)

When a VLAN or a range of VLANs is already configured and you specify VLAN filter for a SPAN session, the current configuration for that session is overwritten with the new entry. Although the CLI appends new entries after the existing ones, CMS recreates the whole session, overwrites the current entry, and provides only a single VLAN filter per entry.

The workaround is to use the CLI. It is the only method for specifying multiple VLANs for filtering in a SPAN session. (CSCdw93904)

Important Notes

These are the important notes related to this IOS release:

"IOS Notes" section

"Cluster Notes" section

"CMS Notes" section

"Read-Only Mode in CMS" section

IOS Notes

These notes apply to IOS configuration:

When an 802.1X-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not transition to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to transition to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)

Beginning with Release 12.1(12c)EA1, the ip igmp query-interval seconds interface configuration command range is 1 to 18000 seconds. If your existing configuration includes a value larger than 18000, the command has no effect, and the switch returns a warning message the first time you restart the switch with the upgraded software. Enter a new value by using the ip igmp query-interval seconds interface configuration command, and then save your configuration.

Beginning with Release 12.1(12c)EA1, you can set the class of service (CoS) value of incoming traffic in a policy map that includes the trust dscp policy-map class configuration command. To do this, follow the steps described in the "Classifying, Policing, and Marking Traffic by Using Policy Maps" section in the "Configuring QoS" chapter of the software configuration guide for this release. (CSCdy45670)

If VLAN 1 or VLANs 1002 to 1005 are removed from a trunk port, the switch no longer receives CDP or VTP frames. VLAN 1 minimization is not supported on the Catalyst 3550 switch. You cannot remove VLAN 1 or VLANs 1002 to 1005 from the allowed VLAN list. (CSCdz22629)

When you configure a dynamic switchport by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the interface changes from access mode to trunk mode through Dynamic Trunking Protocol (DTP) negotiation.

The workaround is to configure the port as a static access port. (CSCdz32330)

In releases prior to 12.1(12c)EA1, the HTTP server used an AAA (authentication, authorization, and accounting) server for authentication by default, even when not explicitly configured with ip http authentication aaa, if aaa new-model was present in the configuration. Beginning with Release 12.1(12c)EA1, you must explicitly configure ip http authentication aaa to have the HTTP server use an AAA server for authentication. (CSCdz28658, CSCdv00656)

802.1X security with EAP-TLS authentication is now supported. (CSCdy64148)

If you configure a port ACL on a physical interface on a switch that has VLAN maps or input router ACLs configured, or if you configure a VLAN map or input router ACL on a switch that has port ACLs configured, a CONFLICT message is generated but the configuration is accepted. The port ACL action has priority on that port over actions in a router ACL or VLAN map applied to the VLAN to which the port belongs.

The result is that packets received on that physical port will be permitted or denied based on the port ACL action without regard to any permit or deny statements in any router ACL or VLAN map, while packets received on other physical ports in the VLAN will still be permitted or denied based on any router ACLs or VLAN maps applied to the VLAN. If the port ACL is applied to a trunk port, it overrides any other input ACLs applied to all VLANs on the trunk port.

The default system MTU for traffic on the Catalyst 3550 switch is 1500 bytes. The 802.1Q tunneling feature increases the frame size by 4 bytes. Therefore, when you configure 802.1Q tunneling, you must configure all switches in the 802.1Q network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. You configure the system MTU size by using the system mtu global configuration command.

Beginning with Release 12.1(8)EA1, to configure traffic suppression (previously configured by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands), you use the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration commands. For more information about these commands, refer to the Catalyst 3550 Multilayer Switch Command Reference.

When you are configuring a cascaded stack of Catalyst 3550 switches by using the GigaStack GBIC module and want to include more than one VLAN in the stack, be sure to configure all the GigaStack GBIC interfaces as trunk ports by using the switchport mode trunk interface configuration command and to use the same encapsulation method by using the switchport encapsulation {isl | dot1q} interface configuration command. For more information about these commands, refer to the Catalyst 3550 Multilayer Switch Command Reference.

If the 1000BASE-T GBIC (WS-G5482) module is not securely inserted, the switch might fail to recognize it or might display an incorrect media type following a show interface privileged EXEC command entry. If this happens, remove and reinsert the GBIC module.

Beginning with Release 12.1(11)EA1, the mac address-table aging-time command replaces the mac-address-table aging-time command (with the hyphen). The mac-address-table aging-time command (with the hyphen) will become obsolete in a future release.

Beginning with Release 12.1(11)EA1, the vtp privileged EXEC command keywords are available in the vtp global configuration command. The vtp privileged EXEC command will become obsolete in a future release.

Cluster Notes

This note applies to cluster configuration:

The cluster setup privileged EXEC command and the standby mac-address interface configuration command have been removed from the CLI and the documentation because they did not function correctly.

CMS Notes

These notes apply to CMS configuration:

If you use CMS on Windows 2000, it might not apply configuration changes if the enable password is changed from the CLI during your CMS session. You have to restart CMS and enter the new password when prompted. Platforms other than Windows 2000 prompt you for the new enable password when it is changed.

CMS does not display QoS classes that are created through the CLI if these classes have multiple match statements. When using CMS, you cannot create classes that match more than one match statement. CMS does not display policies that have such classes.

If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.add.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch CMS.

Within an ACL, you can change the sequence of ACEs that have the host keyword. However, because such ACEs are independent of each other, the change has no effect on the way the ACL filters traffic.

If you use the Netscape browser to view the CMS GUI and you resize the browser window while CMS is initializing, CMS does not resize to fit the window.

Resize the browser window again when CMS is not busy.

CMS does not start if the temporary directory on your computer runs out of memory. This problem can occur because of a bug in the 1.2.2 version of the Java plug-in. The plug-in creates temporary files in the directory whenever it runs CMS, and the directory eventually runs out of plug-in space.

The workaround is to remove all the jar_cache*.tmp files from the temporary directory. The path to the directory is different for different operating systems:

Solaris: /var/tmp
Windows NT and Windows 2000: \TEMP
Windows 95 and 98: \Windows\Temp

Read-Only Mode in CMS

CMS provides two levels of access to the configuration options. If your privilege level is 15, you have read-write access to CMS. If your privilege level is from 1 to 14, you have read-only access to CMS. In the read-only mode, some data is not displayed, and an error message appears when these switches are running these software releases:

Catalyst 2900 XL or Catalyst 3500 XL member switches running Release 12.0(5)WC2 or earlier

Catalyst 2950 member switches running Release 12.0(5)WC2 or earlier

Catalyst 3550 member switches running Release 12.1(6)EA1 or earlier

In the Front Panel view or Topology view, CMS does not display error messages. In the Front Panel view, if the switch is running one of the software releases listed previously, the device LEDs do not appear. In Topology view, if the member is a Long-Reach Ethernet (LRE) switch, the customer premises equipment (CPEs) connected to the switch do not appear. The Bandwidth and Link graphs also do not appear in these views.

To view switch information, you need to upgrade the member switch software. For information about upgrading switch software, see the "Downloading Software" section.

Open Caveats

These are the open caveats with possible unexpected activity in this IOS release:

"Open IOS Caveats" section

"Open CMS Caveats" section

Open IOS Caveats

These are the severity 3 IOS configuration caveats:

CSCin21484

SNMP queries that are run on the ciscoFLASHPartitionTable do not show all the attributes defined by the MIB.

There is no workaround.

CSCdw76340

When a Catalyst 6000 SSH client connects to a Catalyst 3550 SSH server, the Catalyst 6000 switch halts at the enable-password prompt from which to enter privileged EXEC mode. This problem occurs when the Catalyst 6000 switch is running the c6sup1_rp-JK2SV-M crypto-image as a client and the Catalyst 3550 switch is running the crypto-image as the SSH server.

There is no workaround.

CSCdx06694

The VLAN Query Protocol (VQP) might not work correctly when the switch has multiple switch virtual interfaces (SVIs) configured with IP addresses. If the VLAN Membership Policy Server (VMPS) does not have routes configured to reach all subnets on the Catalyst 3550 switch, it might not assign dynamic access ports on the switch to a VLAN. This is because the switch randomly selects one of the configured SVI IP addresses (instead of the IP address configured on the VLAN interface used to reach the VMPS) when it sends VQP requests to the VMPS server. The server responds with the VLAN assignment only if the IP address used in the VQP request is in the VMPS database.

The workaround is to configure the VMPS server to have routes to reach all subnets on the Catalyst 3550 switch.

CSCdx24363

Ternary content addressable memory (TCAM) generation might fail when there are multiple ACLs in a policy-map. If you add an entry that checks Transmission Control Protocol (TCP) flags to an access list that is used for QoS classification, the system might report that a hardware limitation has been reached for the policy map. This can occur when the policy map already contains several other access list entries that check different TCP flags, or that check TCP or User Datagram Protocol (UDP) port numbers using an operation different from equal (eq), such as not equal (ne), less than (lt), greater than (gt), or range. When the hardware limitation is reached, the service-policy input policy-map-name interface configuration command is removed from the running configuration of the interface.

Checking for TCP flags and TCP/UDP port numbers using operators other than eq share some of the same hardware resources. The switch supports no more than six checks within a single policy map. An identical check repeated in multiple entries in the same policy map counts as a single instance. If this limit is reached during a TCP or UDP port number check, the software can often work around the problem by allocating extra entries in the TCAM, but there is no workaround if the limit is reached during a check against the TCP flags in the packet. Similar checks in a port ACL applied to the same physical interface as the policy map also count toward the limit.

Because these resources are allocated on a first-come, first-serve basis, rearranging the order of ACLs within a policy map or the order of entries within a single ACL, placing the TCP flags checks as early as possible, might enable the policy map to be loaded into the hardware.

Similar limits apply for any combination of input VLAN maps, input router ACLs, output VLAN maps, and output router ACLs that share the same VLAN label. The switch supports eight checks for all features on the same VLAN label. When the limit is reached, the system might forward packets by using the CPU rather than through hardware, greatly reducing system performance. To determine the VLAN label assigned to a VLAN or interface on input or output, use the show fm vlan or show fm interface privileged EXEC commands. Then use the show fm vlan-label privileged EXEC command to determine which set of features (input VLAN map, input router ACL, output VLAN map, or output router ACL) share this label.

These are the workarounds:

Re-arrange the order of classes within the policy map and the order of entries within the individual access lists in the policy map or within any IP port ACL applied to the interface so that checks for TCP flags are made as early as possible within the policy map. This also applies to the order of the individual ACLs within a VLAN map and the order of the individual entries in a security ACL.

Add an extra entry to the front of an ACL that checks for the same TCP flags that are checked later on in the ACL. If the first entry of the ACL already matches only the TCP protocol, you can duplicate the entry and add a check for the appropriate TCP flags.

Reduce the number of different combinations of TCP flags being tested.

If the other workarounds fail, avoid combining any check against the TCP flags with gt, lt, ne, or range checks within the policy map and port ACL configured on the interface or within the VLAN maps and router ACLs that share the same VLAN label.

CSCdx68750

On an interface with excessive traffic, if one of the queue sizes is set to 0 or if the queue sizes are set to high values such as 1, 100, 100, and 100 by using the wrr-queue queue-limit 1 100 100 100 interface configuration command, the switch might reset.

The workaround is to change the queue size from 0 to a nonzero value or to follow these steps:

a. Enter the shutdown interface configuration command to shut down the interface.

b. Enter the wrr-queue queue-limit weight1 weight2 weight3 weight4 interface configuration command.

CSCdx81650

If you create a policy map by using the policy-map policy-map-name global configuration command, enter the class class-map-name policy-map configuration command and then you immediately exit from the policy-map class configuration mode, the policy map does not show its class-map association.

The workaround is to configure another command (such as the police, trust, or set policy-map class configuration command) after entering the class class-map-name policy-map configuration command.

CSCdx86800

When the switch runs out Layer 4 operation (L4op) resources, the ACL that you are configuring or modified is not applied.

There is no workaround.

CSCdy06998

If you try to attach a a large per-port per-VLAN QoS policy map with many classes to an interface, the Catalyst 3550 switch might generate this syslog message:

%SYS-3-CPUHOG: Task ran for xxxx msec (4/4), process = Exec, PC = yyyy. -Traceback=... 

This can occur when the policy map has more than 128 classes and the VLANs in the classes overlap.

The workaround is to modify the policy map so that there are fewer classes or so that fewer classes have overlapping VLANs.

CSCdy09085

The switch utilization might be unusually high when you try to remove a match criteria common to per-port per-VLAN QoS policy-maps that are already attached to interfaces. These policy-maps have a large number of VLANs specified in the match clauses.

The workaround is to detach the policy-maps from the interfaces, change the match clause, and then re-attach the policy-map to the interfaces.

CSCdy12414

When a community string is assigned by the cluster command switch, you cannot get any dot1dBridge MIB objects using a community string with a VLAN entity from a cluster member switch.

The workaround is to manually add the cluster community string with the VLAN entity on the member switches for all active VLANs shown in the show spanning-tree summary display. This is an example of such a change, where cluster member 3 has spanning-tree on vlan 1-3 and the cluster commander community string is public@es3.

Mbr3(config)#snmp community public@es3@1 RO
Mbr3(config)#snmp community public@es3@2 RO
Mbr3(config)#snmp community public@es3@3 RO

CSCdy30413

When you enter an snmp-server host global configuration command with a non-existent community-string value, the Community Strings tag shows a non-existent community string. This creates a community with only notification-view access.


Note When you remove the command, the configuration needs to be checked for any other instances of snmp-server host for a given community. If there are none, the community (view) should be deleted.


The workaround is to:

a. Remove the command.

b. Configure the community as read-write.

c. Remove the community as read-write.

d. Configure the community as read-only.

e. Remove the community as read-only.

CSCdy40861

An assertion error message occurs when you apply a VLAN map to a list of VLANs after entering the service-policy interface configuration command for a per-port, per-VLAN quality of service (QoS) policy. This error message occurs only if the list of VLANs in the QoS policy overlaps with list in the VLAN map.

There is no workaround.

CSCdy46825

The switch LEDs on a Catalyst 3550-24PWR switch do not function correctly during POST.

The workaround is to view the POST results from the console.

CSCdy61530

The IEEE8023-LAG-MIB is not supported by Release 12.1(12c)EA1.

There is no workaround.

CSCdy72174

When SNMP traps are enabled and a switch runs out of I/O memory, a software-forced reload can occur on a switch, and this message is displayed:

-Process= "Pool Manager", ipl= 0, pid= 6
-Traceback= 19727C 198774 156364 1566A0 156C80 5E5FBC 9189C 10311C 19727C 198774 
156364 1A44D0 1B7470
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Pool Manager.
-Traceback= 1B6B8C 1BA184 1B452C

There is no workaround.

CSCdz03887

If two switch ports in two different VLANs are connected to each other, both switch ports continue forwarding. This is the expected behavior. However, if two additional ports in the two different VLANs are connected together, a loop is formed.

The workaround is to remove the loop from the switch.

CSCdz04323

When a port channel becomes active between two Catalyst 3550 switches, these messages might be displayed:

01:36:56: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
01:37:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed 
state to up
01:37:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed 
state to up
01:37:01: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
01:37:01: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on 
Port-channel1 VLAN71.
01:37:01: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Port-channel1 on VLAN0001. 
Inconsistent peer vlan.
01:37:01: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel1 on VLAN0071. 
Inconsistent local vlan.
01:37:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state 
to up
01:37:16: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel1 on VLAN0001. Port 
consistency restored.
01:37:16: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel1 on VLAN0071. Port 
consistency restored.

These messages cause traffic-forwarding delays when the port-channel link becomes active or inactive.

There is no workaround.

CSCdz15247

When you use the VLAN database configuration mode, pressing Ctrl-Z might not return you to privileged EXEC mode.

The workaround is to use the abort VLAN configuration command to abort the pending VLAN database changes and to return you to privileged EXEC mode.

CSCdz31076

When configuring 802.1X with dynamic VLAN assignment on a switch, the Tunnel-Private-Group-ID field in the Radius server must be configured with a VLAN number.

The Catalyst 3550 switch does not support the Tunnel-Private-Group-ID field when it is configured as a VLAN name.

There is no workaround.

CSCdz32177

When you remove a port ACL from an interface to which a per-port per-VLAN policy map is attached, if that policy map is already attached to other interfaces, the switch fails.

The workaround is to follow these steps:

a. Remove the policy map from the interface to which the port ACL is applied and the policy map is attached by using the no service-policy input policy-map-name interface configuration command.

b. Remove the port ACL from the interface by using the no ip access-group {access-list-number | name} in or the no mac access-group [name] interface configuration command.

c. Re-apply the policy map to the interface to which the policy map was previously attached.

CSCdz32213

When RSPAN is configured to use a Fast Ethernet port as the reflector port, traffic from the SPAN session might not be forwarded to the RSPAN VLAN.

The workaround is to set the reflector port to 100 Mbps, full duplex, by using the speed 100 and duplex full interface configuration commands prior to configuring it as a reflector port.

CSCdz37719

When a neighboring switch directly connected to a Fast Ethernet port of a Catalyst 3550-24-FX switch reboots, that port might be place in an administratively down state, and this error message might appear:

NETWORK_PORT_SATELLITE-3-PHY_LOCKUP: Repeated phy lockup seen on FastEthernet0/24.  
Interface will be shut down. %LINK-5-CHANGED: Interface FastEthernet0/24, changed 
state to administratively down

The workaround is to shut down the port and re-enable it by using the shutdown and no shutdown interface configuration commands.

CSCdz38423

When you change a dynamic-access port to a static-access port, the switch port might still operate as a dynamic-access port.

The workaround is to shut down the port and re-enable it by using the shutdown and no shutdown interface configuration commands.

CSCdz44520

When a Catalyst 3550-24PWR switch is connected to a 10/100/1000 port on another switch that has the speed and duplex modes set to auto, the link between the switches might be down.

The workaround is to set the speed and the duplex mode to auto on the Catalyst 3550-24PWR port and to manually set the speed to 10 or 100 Mbps and the duplex mode to auto on the 10/100/1000 port of the other switch.

Open CMS Caveats

These are the severity 3 CMS configuration caveats:

CSCdu79932

If you try to enable Port Fast on an interface that does not accept it—a trunk port, for example—no message warns you that Port Fast was not enabled.

CSCdx88968

In read-only mode, time ranges are not displayed. See the "Read-Only Mode in CMS" section for more information about CMS modes.

There is no workaround.

CSCdy36769

A red border appears around the text-entering area of some CMS dialogs. The color of the border changes to green when text is entered. This is only a cosmetic error. The colored border does not prevent you from entering text.

There is no workaround.


Note This error only occurs with Java plug-in 1.4.0.


CSCdy44189

If you open a window in which you can enter text, open another window, and return to the first window, right-clicking in the text field might make the cursor in this field disappear. You can still enter text in the field.

There is no workaround.

CSCdy80283

After you configure a cluster standby group, the configured standby command switches appear in the Current Candidates list.

The workaround is to refresh the Standby Command Switches window. The configured standby command switches now appear in the Standby Command Group list.

CSCdz00591

If you remove a police that is applied to both the ingress and egress directions on an interface, an error message appears.

There is no workaround.

CSCdz04884

When you remove a policy that is applied to both the ingress and egress directions on multiple interfaces, the policy is only removed from the first interface. An error message also appears.

There is no workaround.

CSCdz05775

If you open the QoS Policies window and specify a policy name that is already configured, the Add Class to QoS Policy window that defines a traffic classification opens.

The workaround is to not specify a policy name that is already configured.

CSCdz07515

CMS does not work when a switch is running the crypto software image and the vty lines are configured to use only SSH by using the transport input ssh line vty 0 15 interface configuration command.

The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet interface configuration command.

CSCdz11346

In the QoS Trust Settings window, when selecting multiple interfaces in a child window, you cannot disable the interface to override the CoS value of the incoming packets.

The workaround is to use the QoS Trust Settings window instead of the child window to reconfigure the CoS value for an interface.

CSCdz12848

The switch does not show link reports between Catalyst 2900 XL switches and Catalyst 2820 switches.

There is no workaround.

CSCdz12893

When you select an ATM interface on a Catalyst 2924-LRE-XL switch and open the Link Reports window, a read-only error message appears and the MAC address field is red because the Catalyst 2924-LRE-XL switch does not show the MAC addresses on ATM links.

There is no workaround.

CSCdz14712

When you create a policy by configuring a policer, if unsupported values for the average traffic rate and normal size burst are entered, an error message appears.

The workaround is to use the supported values for the average traffic rate and the normal burst size. For the supported values, refer to the software configuration guide for this release.

CSCdz15092

In the QoS Maps window, in read-only mode, details of the DSCP mutation table are not available.

There is no workaround.

CSCdz16877

In the Ping and Trace window, when you ping another device or use traceroute to identify a Layer 2 or Layer 3 path that packets take through a network, these actions occur:

After you select Layer 3 Trace or Layer 2 Trace, a green border appears.

CMS does not display the intermediate results.

There are no workarounds.

After you select Layer 3 Trace or Layer 2 Trace, ignore the green border.

While the switch tests the connectivity to a remote device or identifies the path between two devices, a message appears in the Results window, and the Stop button appears in the Ping and Trace window.

CSCdz17101

You cannot create bridge groups on switches that are running the SMI.


Note In Releases 12.1(12c)EA1 and earlier, the CMS Fallback Bridging window lists all Layer 3 devices that are running both the SMI and EMI, even though Fallback Bridging is not supported on the SMI.


The workaround is to not choose or configure fallback bridging in the Fallback Bridging window on switches that are running the SMI.

CSCdz17260

When an ACL is defined in a class map, if the ACL is deleted and then you open QoS Class Modify window, it shows an ACL that is not defined in the class map.

There is no workaround.

CSCdz21175

If you create a time-range entry that is active only on specific days, it might not work if you modify it later.

The workaround is to delete that time-range entry and create it again.

CSCdz21296

When you assign routed ports to a fallback bridge group, CMS does not add the routed ports to the bridge group, and an error message does not appear.

The workaround is to use the CLI to add routed ports to a fallback bridge group.

CSCdz21476

When you select and delete multiple time ranges from the ACL window, not all of the time ranges are deleted.

This is an intermittent problem. The workaround is to reselect the time ranges and try to delete them again.

CSCdz22666

If you open the Standby Command Switches window when other windows, such as the SNMP Management window and the Cisco Group Management Protocol (CGMP) window are open, a NullPointerException message might appear.

The workaround is to refresh the Standby Command Switches window. If the NullPointerException message still appears, close the others windows, re-open the Standby Command Switches window, and then re-open the other windows.

CSCdz22900

If a policer configuration that exceeds the policy-map hardware limitation is applied to a policy map, CMS shows that the policer is applied to the policy map, but the policer is not applied.

The workaround is to refresh the QoS Policies window, select the policy map that was previously configured, and click the Details button to see policy-map details.

CSCdz23637

In Runtime Status tab of the Port Settings window, if you configure an interface description by using one of these words:

connected

disabled

down

err-disabled

monitoring

notconnect

CMS does not display the correct port settings in the Configuration Settings and the Runtime Status tabs of the Port Settings window. The duplex and speed settings might appear as NA.

There is no workaround.

CSCdz26492

You cannot use CMS to disable port security on cluster members.

The workaround is to use the no port security interface configuration command to disable port security on each cluster member.

CSCdz26592

In the Front Panel View, when you select a connected port other than the port that was first connected and open the Link Graph window, the graph for another port appears.

The workaround is to open the Link Graph window and select the port for which you want to see in the link graph.

CSCdz26631

When you run a link graph report on a connected port selected from the Front Panel view, the graph displays data for the first connected port, regardless of which port you select.

The workaround is to select a port from the Link Graph window instead of the Front Panel view.

CSCdz26865

When you enable UplinkFast, the maximum-update-rate field does not contain the default value.

There is no workaround.

CSCdz26881

In the UplinkFast tab of the STP window, CMS incorrectly shows the maximum update range as 0 to 1000. The correct range is 0 to 65535.

There is no workaround.

CSCdz29469

After you create a class and apply an ACL to that class, if you delete this ACL and attempt to modify the class by applying another ACL to it, the ACL is not applied to the class.

The workaround is to delete and recreate the class.

CSCdz29617

When one of two switches in a link is down, the link might appear green. This could happen when you are using any of the supported operating systems, browsers, or java plug-ins.

There is no workaround.

CSCdz29950

If an internal power supply of a cluster member switch fails and the switch is using a redundant power system, such as the RPS 300, CMS fails.

The workaround is to fix the internal power supply of the member switch or to replace the switch.

CSCdz31324

Log scaling does not appear in a link graph until the first data values appear in the graph. This happens when you are using any of the supported operating systems, browsers, or java plug-ins.

There is no workaround.

Resolved Caveats

These are the caveats that have been resolved in this release.

"IOS Caveat Resolved in Release 12.1(12c)EA1a" section

"IOS Caveats Resolved in Release 12.1(12c)EA1" section

"Cluster Caveats Resolved in Release 12.1(12c)EA1" section

IOS Caveat Resolved in Release 12.1(12c)EA1a

This IOS caveat was resolved in Release 12.1(12c)EA1a:

CSCdz60229

A security fix prevents incorrectly-formed Secure Shell (SSH) packets from halting a switch.

For more information, refer to this URL:

http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml

IOS Caveats Resolved in Release 12.1(12c)EA1

These IOS caveats were resolved in Release 12.1(12c)EA1:

CSCdv29722

When you disable autonegotiation on a GBIC interface by using the speed nonegotiate interface configuration command, the interface no longer indicates that the link is up, even when the link is no longer connected.

CSCdx78094

After you enter the no mls qos interface configuration command, the quality of service (QoS) counters now work correctly.

CSCdx84613

When you change the class action of an existing per-port per-VLAN QoS policy map that is already attached to an interface, the per-port per-VLAN QoS hardware entries on the switch are now modified correctly.

CSCdy12450

The Catalyst 3550 Multilayer Switch Software Configuration Guide now describes when a switch can automatically obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server and when you must manually assign an IP address to the switch.

CSCdy31376

A switch now provides fail-over protection when up to 16 Hot Standby Router Protocol (HSRP) groups are configured or active.

CSCdy38425

You can create an extended VLAN after rebooting a switch. Previously, creation of an extended VLAN failed after rebooting.

CSCdy64148

802.1X security with Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication is now supported.

CSCdy76475

If a policy map has a class map with the match vlan vlan-list criterion, when you apply that policy map to an interface, remove it, and then reapply it to that interface, this error message no longer appears:

%FM-3-WRONGLABEL

CSCdy73308

When a port channel member is added or removed from a port channel interface, path cost on the port channel interface reverts to a non-uplinkfast path cost.

CSCdy79678

After the link status and line protocol of a Gigabit Ethernet port are up, the speed and the duplex settings displayed by the show interfaces user EXEC command change to unknown.

CSCdy51753

The switch no longer reloads during repeated interface flapping of a routed EtherChannel.

CSCdy63107

After interface-range parser debugging global configuration command is enabled by using the debug parser interface-range privileged EXEC command, if the interface range global configuration command is entered multiple times, the switch no longer reloads.

CSCdz02595

When classification occurs on a per-port per-VLAN basis by using class maps, if one of the class maps has an ACL with a permit any condition and if some of the VLANs in the VLAN list for that class map are in the VLAN list for another class map, the class map with the permit any condition no longer fails.

CSCdz03864

A switch running Release 12.1(12c)EA1 or later no longer loses the config.text file after these commands are entered:

copy startup-config flash:testfile
wr erase
copy flash:testfile startup-config
reload

CSCdz04336

If the aging time for dynamic MAC addresses is greater than 255 seconds, the addresses that were learned on the affected VLAN now age out at the appropriate time.

CSCdz05184

Downloading a software image by using the archive download-sw privileged EXEC command no longer causes this error message:

Not enough free space to download w/o first
deleting existing and/or current version(s)...
ERROR: Problems deleting existing version.
ERROR: Partial copy may still exist.

CSCdz12040

Entering the no snmp-server global configuration command no longer causes a switch to fail.

CSCdz17954

When you are applying a per-port per-VLAN policy map to an interface, if the match-VLAN clause in one of the classes applies to a VLAN list from VLAN 1 to VLAN 4094 and if other policy maps apply to VLANs that are already in the previous list, the switch no longer reloads.

CSCdz32390

Dynamic access ports that are also configured to carry Voice-over-IP (VoIP) traffic now send VLAN Query Protocol (VQP) requests.

Cluster Caveats Resolved in Release 12.1(12c)EA1

These cluster caveats were resolved in Release 12.1(12c)EA1:

CSCdw38507

When you enter a remote command on a Catalyst 3550 member switch from a command switch that is not a Catalyst 3550 switch, communication between the switches no longer halts.

CSCdw91356

When Catalyst 1900, 2820, or 2900 XL 4 MB series switches are participating in a cluster and the active command switch fails and then is restored after the standby command switch has updated the members, these legacy switches no longer miss the restoration and correctly retain the standby command switch MAC address.

CSCdy19282

When you start a switch that has a configured SPAN or RSPAN session configured to filter VLANs on source trunk ports, the VLAN filtering now works correctly.

Documentation Updates

You can access all Catalyst 3550 documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm

This section provides these updates to the product documentation:

"References to the Cisco Documentation CD-ROM" section

"Corrections to the Software Configuration Guide" section

"Corrections to the Hardware Installation Guide" section

These changes will be included in the next version of the documentation.

References to the Cisco Documentation CD-ROM

The documentation for the Catalyst 2950 switches incorrectly refers to the Cisco Documentation CD-ROM. The Catalyst 2950 switches no longer ship with this CD-ROM.

Corrections to the Software Configuration Guide

These are corrections for the Catalyst 3550 Multilayer Switch Software Configuration Guide:

In the "Using 802.1X with VLAN Assignment" section on page 9-7, the information about assigning vendor-specific attributes in the RADIUS server is incorrect. This is the correct information:

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN NUMBER

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN number assigned to the 802.1X-authenticated user.


Note You can assign only one VLAN number to the 802.1X-authenticated user.


The Catalyst 3550 switch does not support the Tunnel-Private-Group-ID field when it is configured as a VLAN name. (CSCdz31076)

In the section "Standard QoS Configuration Guidelines" on page 27-19, this information was omitted:

Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic. The interface keyword is not supported, and the statistics shown in the display should be ignored. Instead, you should specify the DSCPs to be monitored by using the mls qos monitor dscp dscp1 ... dscp8 interface configuration command, and then you should use the show mls qos interface interface-id statistics privileged EXEC command. For more information about these commands, refer to the Catalyst 3550 Multilayer Switch Command Reference.

In the section "Classifying Traffic on a Per-Port Per-VLAN Basis By Using Class Maps" on page 27-34, this information was omitted:

With per-port per-VLAN classification, unmatched VLANs are treated similarly to the default class, which means that the unmatched VLANs share the remaining bandwidth. You cannot modify this default-class behavior. If necessary, you can use VLAN map filters to block these VLANs.

Corrections to the Hardware Installation Guide

These are corrections for the Catalyst 3550 Multilayer Switch Hardware Installation Guide:

This information corrects an error in the Catalyst 3550 Multilayer Switch Hardware Installation Guide. These are the correct translations for the Lightning Activity Warning:

Lightning Activity Warning

Warning


Do not work on the system or connect or disconnect cables during periods of lightning activity.

Waarschuwing

Tijdens onweer dat gepaard gaat met bliksem, dient u niet aan het systeem te werken of kabels aan te sluiten of te ontkoppelen.

Varoitus

Älä työskentele järjestelmän parissa äläkä yhdistä tai irrota kaapeleita ukkosilmalla.

Attention

Ne pas travailler sur le système ni brancher ou débrancher les câbles pendant un orage.

Warnung

Arbeiten Sie nicht am System und schließen Sie keine Kabel an bzw. trennen Sie keine ab, wenn es gewittert.

Figyelem!

Villámlás közben ne dolgozzon a rendszeren, valamint ne csatlakoztasson és ne húzzon ki kábeleket!

Avvertenza

Non lavorare sul sistema o collegare oppure scollegare i cavi durante un temporale con fulmini.

Advarsel

Utfør aldri arbeid på systemet, eller koble kabler til eller fra systemet når det tordner eller lyner.

Aviso

Não trabalhe no sistema ou ligue e desligue cabos durante períodos de mau tempo (trovoada).

¡Advertencia!

No operar el sistema ni conectar o desconectar cables durante el transcurso de descargas eléctricas en la atmósfera.

Varning!

Vid åska skall du aldrig utföra arbete på systemet eller ansluta eller koppla loss kablar.


Related Documentation

These documents provide complete information about the switch and are available from this Cisco.com site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Ordering Documentation" section.

Catalyst 3550 Multilayer Switch Software Configuration Guide (order number DOC-7811194=)

Catalyst 3550 Multilayer Switch Command Reference (order number DOC-7811195=)

Catalyst 3550 Multilayer Switch System Message Guide (order number DOC-7811196=)

Cluster Management Suite (CMS) online help (available only from the switch CMS software)

Catalyst 3550 Multilayer Switch Hardware Installation Guide (order number DOC-7811358=)

1000BASE-T Gigabit Interface Converter Installation Note (not orderable but is available on Cisco.com)

Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.