Cisco Catalyst 3550 Series Switches

Release Notes for the Catalyst 3550 Multilayer Switch, Cisco IOS Release 12.1(20)EA1


February 2004

The Cisco IOS Release 12.1(20)EA1 runs on all Catalyst 3550 multilayer switches.

These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these are the correct release notes for your switch:

If you are installing a new switch, refer to the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.

If you are upgrading to a new release, refer to the software upgrade filename for the Cisco IOS version.

For the complete list of Catalyst 3550 switch documentation, see the "Related Documentation" section.

You can download the switch software from these sites:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

(for registered Cisco.com users with a login password)

http://www.cisco.com/public/sw-center/sw-lan.shtml

(for nonregistered Cisco.com users)

This Cisco IOS release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future Cisco IOS releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.

Contents

This information is in the release notes:

"System Requirements" section

"Downloading Software" section

"Installation Notes" section

"New Features" section

"Limitations and Restrictions" section

"Important Notes" section

"Open Caveats" section

"Resolved Caveats" section

"Documentation Updates" section

"Related Documentation" section

"Obtaining Documentation" section

"Documentation Feedback" section

"Obtaining Technical Assistance" section

"Obtaining Additional Publications and Information" section

System Requirements

The system requirements for this release are described in these sections:

"Hardware Supported" section

"Software Compatibility" section

"Cluster Compatibility" section

Hardware Supported

Table 1 lists the hardware supported by this Cisco IOS release.

Table 1 Supported Hardware

| Switch | Description |
|---|---|
| Catalyst 3550-12G | 10 GBIC-based Gigabit Ethernet slots and 2 Gigabit Ethernet 10/100/1000BASE-T ports |
| Catalyst 3550-12T | 10 Gigabit Ethernet 10/100/1000BASE-T ports and 2 GBIC [1]-based Gigabit Ethernet slots |
| Catalyst 3550-24 | 24 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots |
| Catalyst 3550-24-DC | 24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, and an on-board DC [2] power converter |
| Catalyst 3550-24-FX | 24 100BASE-FX ports and 2 GBIC-based Gigabit Ethernet slots |
| Catalyst 3550-24PWR | 24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, ability to provide power for Cisco IP Phones and Cisco Aironet Access Points from all 10/100 Ethernet ports, auto-detection and control of inline power on a per-port basis on all 10/100 ports |
| Catalyst 3550-48 | 48 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots |
| GBIC modules | 1000BASE-SX GBIC; 1000BASE-LX/LH GBIC; 1000BASE-ZX GBIC; 1000BASE-T GBIC; GigaStack GBIC; CWDM [3] fiber-optic GBIC |
| Redundant power system | Cisco RPS 300 Redundant Power System [4]; Cisco RPS 675 Redundant Power System [5] |

[1] GBIC = Gigabit Interface Converter

[2] DC = direct current

[3] CWDM = Coarse Wave Division Multiplexer

[4] The Cisco RPS 300 does not support the Catalyst 3550-24-DC or 3550-24PWR switch.

[5] The Cisco RPS 675 does not support the Catalyst 3550-24-DC switch.


Software Compatibility

For information about the recommended platforms for web-based management, operating systems and browser support, the CMS plug-in guidelines, and installation procedures, refer to the "Getting Started with CMS" chapter of the software configuration guide.

Windows

This release uses a CMS plug-in (Windows only) to run CMS. You can download the latest CMS plug-in for Windows from this URL:

http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=windows&version=1.1

Solaris

This release uses a CMS plug-in (Solaris only) that replaces the Java plug-in. You must download the CMS plug-in to run CMS. You can download the latest CMS plug-in for Solaris from this URL:

http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=solaris&version=1.1

Cluster Compatibility

This section describes how to choose command and standby command switches when a cluster consists of a mixture of Catalyst switches. When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch. Table 2 lists the cluster capabilities and Cisco IOS releases for the switches. The switches are listed from highest- to lowest-end switch.

If you are managing the cluster through CMS, the switch that has the latest software should be the command switch, unless your command switch is running Cisco IOS Release 12.1(19)EA1 or later.

The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

Table 2 Switch Software and Cluster Capability

| Switch | Cisco IOS Release | Cluster Capability |
|---|---|---|
| Catalyst 3750 | 12.1(11)AX or later | Member or command switch |
| Catalyst 3560 | 12.1(19)EA1b | Member or command switch |
| Catalyst 3550 | 12.1(4)EA1 or later | Member or command switch |
| Catalyst 2970 | 12.1(11)AX or later | Member or command switch |
| Catalyst 2955 | 12.1(12c)EA1 or later | Member or command switch |
| Catalyst 2950 | 12.1(5.2)WC(1) or later | Member or command switch |
| Catalyst 2950 LRE | 12.1(11)JY or later | Member or command switch |
| Catalyst 2940 | 12.1(13)AY or later | Member or command switch |
| Catalyst 3500 XL | 12.0(5.1)XU or later | Member or command switch |
| Catalyst 2900 XL (8-MB switches) | 12.0(5.1)XU or later | Member or command switch |
| Catalyst 2900 XL (4-MB switches) | 11.2(8.5)SA6 (recommended) | Member switch only [1] |
| Catalyst 1900 and 2820 | 9.00(-A or -EN) or later | Member switch only |

[1] Catalyst 2900 XL (4-MB) switches appear in the front-panel and topology views of the Cluster Management Suite (CMS). However, CMS does not support configuration or monitoring of these switches.


CMS is not forward-compatible on command switches running Cisco IOS 12.1(14)EA1 and earlier. This means that if a member switch is running a release that is earlier than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device running a release that is later than the release on the command switch, the command switch cannot recognize the member switch, and the Front Panel view displays it as an unknown device. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to configure and to obtain reports for that member.

Some versions of the Catalyst 2900 XL software do not support clustering, and if you have a cluster with switches that are running different versions of Cisco IOS software, software features added on the latest release might not be reflected on switches running the older releases. For example, if you start CMS on a Catalyst 2900 XL switch running Release 11.2(8)SA6, the windows and functionality can be different from a switch running Release 12.0(5)WC(1) or later.

Downloading Software

Before downloading software, read this section for important information. These are the procedures for downloading software:

"Finding the Software Version and Feature Set" section

"Deciding Which Files to Use" section

"Upgrading a Switch by Using CMS" section

"Upgrading a Switch by Using the CLI" section

"Recovering from Software Failure" section


Caution: A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to a cryptographic image, regardless of the current noncryptographic Cisco IOS release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

When you upgrade a switch, the switch continues to operate while the new software is copied to flash memory. If flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image. If flash memory does not have enough space for two images, the new image is copied over the existing one. Features provided by the new software are not available until you reload the switch.

If a failure occurs while copying a new image to the switch, and the old image has already been deleted, refer to the "Recovering from Corrupted Software" section in the "Troubleshooting" chapter of the software configuration guide.

Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3550-I5Q3L2 for the enhanced multilayer software image (EMI) or C3550-I9Q3L2 for the standard multilayer software image (SMI).


Note: Although the show version output always shows the software image running on the switch (Layer 2 only or Layer 2 and Layer 3), the model name shown at the end of this display is the factory configuration (SMI or EMI) and does not change if you upgrade the software image.


You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the CMS files. You must use the combined tar file to upgrade the switch through CMS.

The tar file is an archive file from which you can extract files by using the tar command. You also use the tar file to upgrade the system by using the archive download-sw privileged EXEC command.

Table 3 lists the software filenames for this Cisco IOS release.

Table 3 Cisco IOS Software Files for Catalyst 3550 Switches

| Filename | Description |
|---|---|
| c3550-i9q3l2-tar.121-20.EA1.tar | Cisco IOS SMI image file and the CMS files. This image has Layer 2+ and basic Layer 3 routing features. |
| c3550-i5q3l2-tar.121-20.EA1.tar | Cisco IOS EMI image file and the CMS files. This image has both Layer 2+ and full Layer 3 features. |
| c3550-i9k2l2q3-tar.121-20.EA1.tar | Cisco IOS SMI cryptographic image file and the CMS files. This image has the Kerberos, Secure Shell (SSH), Layer 2+, and basic Layer 3 routing features. |
| c3550-i5k2l2q3-tar.121-20.EA1.tar | Cisco IOS EMI cryptographic image file and the CMS files. This image has the Kerberos, SSH, Layer 2, and full Layer 3 features. |


The Catalyst 3550 switch is supported by either the SMI, which provides Layer 2+ features and basic Layer 3 routing, or the EMI, which provides Layer 2+ features, full Layer 3 routing, and advanced services. All Catalyst 3550 Gigabit Ethernet switches are shipped with the EMI installed. Catalyst 3550 Fast Ethernet switches are shipped with either the SMI or the EMI installed. After initial deployment, you can order the Enhanced Multilayer Software Image Upgrade kit to upgrade the Catalyst 3550 Fast Ethernet switches from the SMI to the EMI.

Upgrading a Switch by Using CMS

You can upgrade switch software by using CMS. From the menu bar, select Administration > Software Upgrade. For detailed instructions, click Help.


Caution: A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to a cryptographic image, regardless of the current noncryptographic Cisco IOS release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the Catalyst 3550 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image. This procedure requires a configured TFTP server.


Caution: A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to a cryptographic image, regardless of the current noncryptographic Cisco IOS release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

To download software, follow these steps:


Step 1 Use Table 3 to identify the file that you want to download.

Step 2 Download the software image file.

If you have a SmartNet support contract, go to this URL and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

If you do not have a SmartNet contract, go to this URL and follow the instructions to register on Cisco.com and download the appropriate files:

http://www.cisco.com/public/sw-center/sw-lan.shtml

To download the SMI and EMI files, select Catalyst 3550 software.

To obtain authorization and to download the cryptographic software files, select Catalyst 3550 3DES Cryptographic Software.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure the TFTP server is properly configured.

For more information, refer to Appendix B in the Catalyst 3550 Multilayer Switch Software Configuration Guide.

Step 4 Log in to the switch through the console port or a Telnet session.

Step 5 Check your VLAN 1 configuration by using the show interfaces vlan 1 privileged EXEC command, and verify that VLAN 1 is part of the same network as the TFTP server. (Check the "Internet address is" line near the top of the display.)

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.


This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3550-i5q3l2-tar.121-13.EA1.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.

Upgrading with a Nondefault System MTU Setting

If the switch was running Cisco IOS Release 12.1(8)EA1c or earlier and you had used the system mtu global configuration command to configure a nondefault system maximum transmission unit (MTU) size on your switch, follow these steps to upgrade your switch to Cisco IOS Release 12.1(11)EA1 or later:


Step 1 Upgrade the Cisco IOS software to Cisco IOS Release 12.1(11)EA1 or later.

Step 2 If a system MTU size of greater than 2000 is configured on the Catalyst 3550-12T or Catalyst 3550-12G, use the system mtu global configuration command to set it to the maximum supported MTU size.


Note: The maximum allowable system MTU for Catalyst 3550 Gigabit Ethernet switches is 2000 bytes; the maximum system MTU for Fast Ethernet switches is 1546 bytes.


Step 3 Save the running configuration by entering the copy running-config startup-config privileged EXEC command.

Step 4 Reload the switch by using the new Cisco IOS software.

Step 5 When the switch comes back up with Cisco IOS Release 12.1(11)EA1 or later, reload the switch a second time by using the reload privileged EXEC command so that the system mtu command takes effect.


Recovering from Software Failure

If the software fails, you can reload the software. For detailed recovery procedures, refer to the "Troubleshooting" chapter in the software configuration guide.

Installation Notes

You can assign IP information to your switch by using these methods:

The Express Setup program described in the hardware installation guide.

The CLI-based setup program described in the hardware installation guide.

The Dynamic Host Configuration Protocol (DHCP)-based autoconfiguration described in the software configuration guide.

Manually assigning an IP address described in the software configuration guide.

New Features

These are the new supported hardware and the new software features provided in this release.

New Hardware Features

For a complete list of supported hardware, see the "Hardware Supported" section.

New Software Features

Cisco IOS Release 12.1(20)EA1 contains this new enhancement:

User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

These are the limitations and restrictions:

"Cisco IOS Limitations and Restrictions" section

"Cluster Limitations and Restrictions" section

"CMS Limitations and Restrictions" section

Cisco IOS Limitations and Restrictions

These limitations apply to Cisco IOS configuration:

Modifying a multicast boundary access list does not prevent packets from being forwarded by any multicast routes that were in existence before the access list was modified if the packets arriving on the input interface do not violate the boundary. However, no new multicast routes that violate the updated version of the multicast boundary access list are learned, and any multicast routes that are in violation of the updated access list are not relearned if they age out.

After updating a multicast boundary, the workaround is to use the clear ip mroute privileged EXEC command to delete any existing multicast routes that violate the updated boundary. (CSCdr79083)

When an IP packet with a cyclic redundancy check (CRC) error is received, the per-packet per-Differentiated Service Code Point (DSCP) counter (for DSCP 0) is incremented. Normal networks should not have packets with CRC errors. (CSCdr85898)

If you configure the DHCP server to allocate addresses from a pool to the switch, two devices on the network might have the same IP address. Pooled addresses are temporarily allocated to a device and are returned to the pool when not in use. If you save the configuration file after the switch receives such an address, the pooled address is saved, and the switch does not attempt to access the DHCP server after a reboot to receive a new IP address. As a result, two devices might have the same IP address.

The workaround is to make sure that you configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. (CSCds55220)

The show ip mroute count privileged EXEC command might display incorrect packet counts. In certain transient states (for example, when a multicast stream is forwarded only to the CPU during the route-learning process and the CPU is programming this route into the hardware), a multicast stream packet count might be counted twice. Do not trust the counter during this transient state. (CSCds61396)

When changing the link speed of a Gigabit Ethernet port from 1000 Mbps to 100 Mbps, there is a slight chance that the port will stop forwarding packets. If this occurs, shut down the port, and re-enable it by using the shutdown and no shutdown interface configuration commands. (CSCds84279)

In IP multicast routing and fallback bridging, certain hardware features are used to replicate packets for the different VLANs of an outgoing trunk port. If the incoming speed is line rate, the outgoing interface cannot duplicate that speed (because of the replication of the packets). As a result, certain replicated packets are dropped. (CSCdt06418)

When you use the no interface port-channel global configuration command to remove an EtherChannel group, the ports in the port group change to the administratively down state.

When you remove an EtherChannel group, enter the no shutdown interface configuration command on the interfaces that belonged to the port group to bring them back on line. (CSCdt10825)

In the show interface interface-id privileged EXEC command output, the output buffer failures field shows the number of packets lost before replication, whereas the packets output field shows the successful transmitted packets after replication. To determine actual discarded frames, multiply the output buffer failures by the number of VLANs on which the multicast data is replicated. (CSCdt26928)

Internet Group Management Protocol (IGMP) packets classified by QoS to map the DSCP value and the class of service (CoS) value in a QoS policy map might only modify the DSCP property and leave the CoS value at zero. (CSCdt27705)

If you assign both tail-drop threshold percentages to 100 percent by using the wrr-queue threshold interface configuration command and display QoS information for this interface by using the show mls qos interface statistics privileged EXEC command, the drop-count statistics are always zero even if the thresholds were exceeded. To display the total number of discarded packets, use the show controllers ethernet-controllers interface-id privileged EXEC command. In the display, the number of discarded frames includes the frames that were dropped when the tail-drop thresholds were exceeded. (CSCdt29703)

Open Shortest Path First (OSPF) path costs and Interior Gateway Routing Protocol (IGRP) metrics are incorrect for switch virtual interface (SVI) ports. You can manually configure the bandwidth of the SVI by using the bandwidth interface configuration command. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as an outgoing interface. (CSCdt29806)

Remote Monitoring (RMON) collection functions on physical interfaces, but it is not supported on EtherChannels and SVIs. (CSCdt36101)

Multicast router information is displayed in the show ip igmp snooping mrouter privileged EXEC command output when IGMP snooping is disabled. Multicast VLAN Registration (MVR) and IGMP snooping use the same commands to display multicast router information. In this case, MVR is enabled, and IGMP snooping is disabled. (CSCdt48002)

When a VLAN interface has been disabled and restarted multiple times by using the shutdown and no shutdown interface configuration commands, the interface might not restart following a no shutdown command. To restart the interface, re-enter a shutdown and no shutdown command sequence. (CSCdt54435)

When you use the ip pim spt-threshold infinity interface configuration command, you want all sources for the specified group to use the shared tree and not use the source tree. However, the switch does not automatically start to use the shared tree. No connectivity problem occurs, but the switch continues to use the shortest path tree for multicast group entries already installed in the multicast routing table. You can enter the clear ip mroute * privileged EXEC command to force the change to the shared tree. (CSCdt60412)

Configuring too many multicast groups might result in an extremely low memory condition and cause the software control data structure to go out of sync, causing unpredictable forwarding behavior. The memory resources can only be recovered by entering the clear ip mroute privileged EXEC command. To prevent this situation, do not configure more than the recommended multicast routes on the switch. (CSCdt63480)

The dec keyword is not supported in the bridge bridge-group protocol global configuration command. If two Catalyst 3550 switches are connected to each other through an interface that is configured for IP routing and fallback bridging, and the bridge group is configured with the bridge bridge-group protocol dec command, both switches act as if they were the spanning-tree root. Therefore, spanning-tree loops might be undetected. (CSCdt63589)

If the number of multicast routes configured on the switch is greater than the switch can support, it might run out of available memory, which can cause it to reboot. This is a limitation in the platform-independent code.

The workaround is to not configure the switch to operate with more than the maximum number of supported multicast routes. You can use the show sdm prefer and show sdm prefer routing privileged EXEC commands to view approximate maximum configuration guidelines for the current SDM template and the routing template. (CSCdt63354)

The workaround is to disable the Port Aggregation Protocol (PAgP) on both devices by using the channel-group channel-group-number mode on interface configuration command. PAgP negotiation between these two devices is not reliable. (CSCdt78727)

When the switch is operating with equal-cost routes and it is required to learn more unicast routes than it can support, the CPU might run out of memory, and the switch might fail.

The workaround is to remain within the documented recommended and supported limits. (CSCdt79172)

The behavior of a software access control list (ACL) with QoS is different from a hardware ACL with QoS. On the Catalyst 3550 switch, when the QoS hardware rewrites the DSCP of a packet, the rewriting of this field happens before software running on the CPU examines the packet, and the CPU sees only the new value and not the original DSCP value.

When the security hardware ACL matches a packet on input, the match uses the original DSCP value. For output security ACLs, the security ACL hardware should match against the final, possibly changed, DSCP value as set by the QoS hardware. Under some circumstances, a match to a security ACL in hardware prevents the QoS hardware from rewriting the DSCP and causes the CPU to use the original DSCP.

If a security ACL is applied in software (because the ACL did not fit into hardware, and packets were sent to the CPU for examination), the match probably uses the new DSCP value as determined by the QoS hardware, regardless of whether the ACL is applied at the input or at the output. When packets are logged by the ACL, this problem can also affect whether or not a match is logged by the CPU even if the ACL fits into hardware and the permit or deny filtering was completed in hardware.

To avoid these issues, whenever the switch rewrites the DSCP of any packet to a value different from the original DSCP, security ACLs should not test against DSCP values in any of their access control elements (ACEs), regardless of whether the ACL is being applied to an IP access group or to a VLAN map. This restriction does not apply to ACLs used in QoS class maps.

If the switch is not configured to rewrite the DSCP value of any packet, it is safe to match against DSCP in ACLs used for IP access groups or for VLAN maps because the DSCP does not change as the packet is processed by the switch.

The DSCP field of an IP packet encompasses the two fields that were originally designated precedence and type of service (TOS). Statements relating to DSCP apply equally to either IP precedence or IP TOS. (CSCdt94355)
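The restriction above (CSCdt94355) can be checked offline against a saved configuration. The following is an added example, not part of the Cisco release notes: it scans configuration text for ACLs applied as security ACLs (ip access-group or a VLAN map) whose ACEs test dscp, precedence, or tos, and ignores ACLs used only in QoS class maps. The sample configuration is constructed, the function names are illustrative, and the check for DSCP rewriting is a heuristic that only looks for explicit set ip dscp / set ip precedence actions.

```python
import re

# Constructed sample configuration for illustration (not from the release notes).
SAMPLE_CONFIG = """\
ip access-list extended BLOCK-EF
 deny ip any any dscp ef
 permit ip any any
ip access-list extended VOICE-CLASS
 permit udp any any dscp ef
ip access-list extended PLAIN
 permit tcp any any eq 22
access-list 110 deny ip any any precedence 5
access-list 110 permit ip any any
class-map match-all VOICE
 match access-group name VOICE-CLASS
policy-map MARK
 class VOICE
  set ip dscp 46
vlan access-map VMAP 10
 match ip address 110
 action forward
interface GigabitEthernet0/1
 ip access-group BLOCK-EF in
 service-policy input MARK
interface FastEthernet0/2
 ip access-group PLAIN in
"""

# DSCP covers the old precedence and TOS fields, so all three keywords count.
DSCP_KEYWORDS = re.compile(r"\s(dscp|precedence|tos)\s+\S+")


def parse_acls(config):
    """Return {acl_name: [ACE text, ...]} for named and numbered ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        named = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        numbered = re.match(r"access-list (\d+) (.+)", line)
        if named:
            current = named.group(1)
            acls.setdefault(current, [])
        elif numbered:
            acls.setdefault(numbered.group(1), []).append(numbered.group(2))
            current = None
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls


def security_acl_refs(config):
    """Return {acl_name: [where applied]} for IP access groups and VLAN maps."""
    refs, context = {}, ""
    for line in config.splitlines():
        if not line.startswith(" "):
            context = line.strip()          # top-level command opens a new context
            continue
        sub = line.strip()
        grp = re.match(r"ip access-group (\S+) (in|out)", sub)
        if grp and context.startswith("interface "):
            refs.setdefault(grp.group(1), []).append(f"{context} ({grp.group(2)})")
        vmap = re.match(r"match ip address (.+)", sub)
        if vmap and context.startswith("vlan access-map "):
            for name in vmap.group(1).split():
                refs.setdefault(name, []).append(context)
    return refs


def rewrites_dscp(config):
    """Heuristic (assumption): an explicit marking action means DSCP may be rewritten."""
    return bool(re.search(r"^\s+set ip (dscp|precedence) ", config, re.M))


def audit(config):
    """List (acl, ace, keyword, applied_at) for security ACLs that test DSCP fields."""
    acls, refs = parse_acls(config), security_acl_refs(config)
    findings = []
    for name, where in sorted(refs.items()):
        for ace in acls.get(name, []):
            hit = DSCP_KEYWORDS.search(" " + ace)
            if hit:
                findings.append((name, ace, hit.group(1), where))
    return findings


if __name__ == "__main__":
    print("DSCP rewriting configured:", rewrites_dscp(SAMPLE_CONFIG))
    for name, ace, keyword, where in audit(SAMPLE_CONFIG):
        print(f"ACL {name}: '{ace}' tests {keyword}; applied at {', '.join(where)}")
```

A finding matters only when the switch rewrites DSCP; if rewrites_dscp returns False, also review trust and policing settings before concluding that DSCP is left unchanged.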

On earlier versions of Catalyst 3550-24 switches, if a 10/100BASE-TX port on the switch is connected to a Catalyst 2820 or Catalyst 1900 switch through an Inter-Switch Link (ISL) trunk at 100 Mbps, bidirectional communication cannot be established. The Catalyst 2820 or Catalyst 1900 switch identifies the Catalyst 3550-24 switch as a CDP neighbor, but the Catalyst 3550-24 switch does not recognize the Catalyst 2820 or Catalyst 1900 switch. On these switches, you should not use ISL trunks between the Catalyst 3550-24 and a Catalyst 2820 or Catalyst 1900 switch. Configure the link as an access link instead of a trunk link.

This problem has been fixed in hardware on Catalyst 3550-24 switches with motherboard assembly number 73-5700-08 or later. To determine the board level on your switch, enter the show version privileged EXEC command. Motherboard information appears toward the end of the output display. (CSCdv68158)

When IGMP filtering is enabled and you use the ip igmp profile global configuration command to create an IGMP filter, reserved multicast addresses cannot be filtered. Because IGMP filtering uses only Layer 3 addresses to filter IGMP reports and due to mapping between Layer 3 multicast addresses and Ethernet multicast addresses, reserved groups (224.0.0.x) are always allowed through the switch. In addition, aliased groups can leak through the switch. For example, if a user is allowed to receive reports from group 225.1.2.3, but not from group 230.1.2.3, aliasing will cause the user to receive reports from 230.1.2.3. Aliasing of reserved addresses means that all groups of the form y.0.0.x are allowed through. (CSCdv73626)

If a switch stack contains both Catalyst 3550 switches and Catalyst 2900 XL or Catalyst 3500 XL switches, Cross-Stack UplinkFast (CSUF) is not enabled if the management VLAN on the Catalyst 2900 XL or 3500 XL switches is changed to a VLAN other than VLAN 1 (the default).

The workaround is to make sure that the management VLAN of all Catalyst 2900 XL or 3500 XL switches in the stack is set to VLAN 1. (CSCdv79737)

If you use the ip igmp max-groups interface configuration command to set the maximum number of IGMP groups for an interface to 0, the port still receives group reports from reserved multicast groups (224.0.0.x) and their Layer 2 aliases (y.0.0.x). (CSCdv79832)
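The aliasing behind the IGMP filtering limitation (CSCdv73626) and the max-groups limitation (CSCdv79832) follows from the standard mapping of the low 23 bits of an IPv4 group address into the Ethernet multicast MAC. The Python sketch below is an added example, not Cisco code: it audits a list of permitted and denied groups for denied groups that share a MAC with a permitted or reserved group. The function names and the sample groups other than 225.1.2.3 and 230.1.2.3 are constructed for illustration.

```python
import ipaddress

# MAC prefix shared by 224.0.0.x and every group that aliases onto it.
RESERVED_MAC_PREFIX = "01:00:5e:00:00:"


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (01:00:5e + low 23 bits)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def aliases(group: str) -> list:
    """Return all 32 IPv4 groups that map to the same Ethernet MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    # The 5 bits between the 1110 prefix and the low 23 bits are lost in the MAC.
    return [str(ipaddress.IPv4Address((0xE0 << 24) | (hi << 23) | low23))
            for hi in range(32)]


def audit_filter(permitted, denied):
    """Return {denied_group: reason} for denied groups that Layer 2 aliasing lets through."""
    permitted_by_mac = {}
    for group in permitted:
        permitted_by_mac.setdefault(multicast_mac(group), []).append(group)

    leaks = {}
    for group in denied:
        mac = multicast_mac(group)
        if mac.startswith(RESERVED_MAC_PREFIX):
            # Same MAC as a reserved 224.0.0.x group, which is always allowed.
            leaks[group] = "aliases reserved 224.0.0.x"
        elif mac in permitted_by_mac:
            leaks[group] = "aliases permitted " + ", ".join(permitted_by_mac[mac])
    return leaks


if __name__ == "__main__":
    # Constructed sample policy: one permitted group, three denied groups.
    permitted = ["225.1.2.3"]
    denied = ["230.1.2.3", "239.0.0.5", "232.9.9.9"]
    for group, reason in audit_filter(permitted, denied).items():
        print(f"{group} ({multicast_mac(group)}): {reason}")
```

Running the audit against a planned filter before deployment shows which deny entries cannot be enforced on this platform and need to be controlled elsewhere, for example by address allocation.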

Multicast traffic can be temporarily lost when a link comes up in a redundant network and causes the reverse path forwarding (RPF) to change. This only occurs when there are multiple paths between the rendezvous point (RP) and the multicast source. (CSCdw27519)

The switch might reload when it is executing the no snmp-server host global configuration command. This is a rare condition that can happen if SNMP traps or informs are enabled and the SNMP agent attempts to send a trap to the host just as it is being removed from the configuration and if the IP address of the host (or the gateway to reach the host) has not been resolved by Address Resolution Protocol (ARP).

The workaround is to ensure that the target host or the next-hop gateway to that host is in the ARP cache (for example, by using a ping command) before removing it from the SNMP configuration. Alternatively, disable all SNMP traps and informs before removing any hosts from the SNMP configuration. (CSCdw44266)

When you access CISCO-STACK-MIB portTable, the mapping might be off by one from the mapping given by the switch. The objects in this table are indexed by two numbers: portModuleIndex and portIndex. The allowable values for portModuleIndex are 1 through 16. Because 0 is not an allowable value, the value 1 represents module 0.

The workaround is to use the value 1 to represent module 0. (CSCdw71848)

If a port on the Catalyst 3550 switch that is running the Multiple Spanning Tree Protocol (MSTP) is connected to another switch that belongs to a different multiple spanning tree (MST) region, the Catalyst 3550 port is not recognized as a boundary port when you start the protocol migration process by using the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. This problem occurs only on the root bridge, and when the root bridge is cleared, the boundary ports are not shown because the designated ports do not receive any bridge protocol data units (BPDUs) unless a topology change occurs. This is the intended behavior.

The workaround is to configure the Catalyst 3550 switch for Per-VLAN spanning-tree plus (PVST+) by using the spanning-tree mode pvst global configuration command, and then change it to MSTP by using the spanning-tree mode mst global configuration command. (CSCdx10808)

When a large number of VLANs and a large number of trunk ports with allowed VLAN lists are configured on the switch, if you enter the no switchport trunk allowed vlan interface-range command to remove the allowed list for all the trunk ports, the SYS-3-CPUHOG system message might appear.

The workaround is to use the no switchport trunk allowed vlan interface configuration command on each trunk port to remove the allowed list for all the trunk ports. (CSCdx17189)

When 1000 VLANs and more than 40 trunk ports are configured, and the spanning-tree mode changes from MSTP to PVST+ or vice versa, this message appears on the console:

%ETHCNTR-3-RA_ALLOC_ERROR: RAM Access write pool I/O memory allocation failure

There is no workaround. However, we recommend that you reload the switch by using the reload privileged EXEC command. To avoid this problem, configure the system with fewer VLANs and fewer trunk ports, or use the switchport trunk allowed vlan interface configuration command to reduce the number of active VLANs on each trunk port. (CSCdx20106)

Ternary content addressable memory (TCAM) generation might fail when there are multiple ACLs in a policy-map. If you add an entry that checks TCP flags to an access list that is used for QoS classification, the system might report that a hardware limitation has been reached for the policy map. This can occur when the policy map already contains several other access list entries that check different TCP flags, or that check TCP or User Datagram Protocol (UDP) port numbers using an operation different from equal (eq), such as not equal (ne), less than (lt), greater than (gt), or range. When the hardware limitation is reached, the service-policy input policy-map-name interface configuration command is removed from the running configuration of the interface.

Checks for TCP flags and checks for TCP/UDP port numbers using operators other than eq share some of the same hardware resources. The switch supports no more than six checks within a single policy map. An identical check repeated in multiple entries in the same policy map counts as a single instance. If this limit is reached during a TCP or UDP port number check, the software can often work around the problem by allocating extra entries in the TCAM. There is no workaround if the limit is reached during a check against the TCP flags in the packet. Similar checks in a port ACL applied to the same physical interface as the policy map also count toward the limit.

Because these resources are allocated on a first-come, first-serve basis, rearranging the order of ACLs within a policy map or the order of entries within a single ACL, placing the TCP flags checks as early as possible, might enable the policy map to be loaded into the hardware.

Similar limits apply for any combination of input VLAN maps, input router ACLs, output VLAN maps, and output router ACLs that share the same VLAN label. The switch supports eight checks for all features on the same VLAN label. When the limit is reached, the system might forward packets by using the CPU rather than through hardware, greatly reducing system performance. To determine the VLAN label assigned to a VLAN or interface on input or output, use the show fm vlan or show fm interface privileged EXEC commands. Then use the show fm vlan-label privileged EXEC command to determine which set of features (input VLAN map, input router ACL, output VLAN map, or output router ACL) share this label.

These are the workarounds:

Re-arrange the order of classes within the policy map and the order of entries within the individual access lists in the policy map or within any IP port ACL applied to the interface so that checks for TCP flags are made as early as possible within the policy map. You can also re-arrange the order of the individual ACLs within a VLAN map and the order of the individual entries in a security ACL.

Add an extra entry to the front of an ACL that checks for the same TCP flags that are checked later on in the ACL. If the first entry of the ACL already matches only the TCP protocol, you can duplicate the entry and add a check for the appropriate TCP flags.

Reduce the number of different combinations of TCP flags being tested.

If the other workarounds fail, avoid combining any check against the TCP flags with gt, lt, ne, or range checks within the policy map and port ACL configured on the interface or within the VLAN maps and router ACLs that share the same VLAN label. (CSCdx24363)
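The six-check limit described above (CSCdx24363) can be estimated before a policy map is attached. The Python sketch below is an added example, not a Cisco tool: it counts the distinct TCP-flag checks and non-eq port checks across the ACLs of one policy map and lists flag checks that first appear after a port check. The ACL names and entries are constructed, and treating checks as identical when protocol, field, operator, and operands match is an assumption about how the hardware counts them.

```python
# Operators that consume the shared hardware resource, with operand counts.
# The IOS ACL keyword for "not equal" is neq (the text above writes it as ne).
NON_EQ_OPS = {"gt": 1, "lt": 1, "neq": 1, "range": 2}
TCP_FLAGS = {"established", "ack", "fin", "psh", "rst", "syn", "urg"}
POLICY_MAP_LIMIT = 6  # per policy map, from the text above


def _skip_addr(tok, i):
    """Advance past an address spec: 'any', 'host A', or 'A wildcard'."""
    if i >= len(tok):
        return i
    return i + 1 if tok[i] == "any" else i + 2


def l4_checks(ace: str) -> set:
    """Return the set of flag checks and non-eq port checks used by one ACE."""
    tok = ace.split()
    proto = tok[1]
    checks = set()
    if proto not in ("tcp", "udp"):
        return checks
    i = 2
    for side in ("src", "dst"):
        i = _skip_addr(tok, i)
        if i < len(tok) and tok[i] in NON_EQ_OPS:
            n = NON_EQ_OPS[tok[i]]
            checks.add((proto, side, tok[i], tuple(tok[i + 1:i + 1 + n])))
            i += 1 + n
        elif i < len(tok) and tok[i] == "eq":
            i += 2  # eq does not use the shared resource
    flags = frozenset(t for t in tok[i:] if t in TCP_FLAGS)
    if proto == "tcp" and flags:
        checks.add(("tcp", "flags", flags))
    return checks


def audit_policy_map(acls: dict, limit: int = POLICY_MAP_LIMIT) -> dict:
    """Count distinct checks in ACL order and find flag checks that come late."""
    seen, late_flags, port_seen = [], [], False
    for name, aces in acls.items():
        for ace in aces:
            # Within one ACE, consider its flag check before its port checks.
            for check in sorted(l4_checks(ace), key=lambda c: c[1] != "flags"):
                if check in seen:
                    continue  # an identical check counts once
                seen.append(check)
                if check[1] == "flags":
                    if port_seen:
                        late_flags.append((name, ace))
                else:
                    port_seen = True
    return {"distinct": len(seen), "over_limit": len(seen) > limit,
            "late_flags": late_flags}


# Constructed sample: the ACLs referenced by one policy map, in class order.
ACLS = {
    "QOS-WEB": [
        "permit tcp any any eq 80",
        "permit tcp any gt 1023 any eq 443",
        "permit tcp any gt 1023 any eq 8080",   # same check as the line above
        "permit tcp any any range 8000 8100",
    ],
    "QOS-MGMT": [
        "permit udp any host 10.1.1.1 neq 161",
        "permit tcp 10.0.0.0 0.0.0.255 any lt 1024",
        "permit tcp any any established",
        "permit tcp any any eq 22 syn",
        "permit tcp any any rst",
    ],
}

if __name__ == "__main__":
    result = audit_policy_map(ACLS)
    print(f"distinct checks: {result['distinct']} (limit {POLICY_MAP_LIMIT})")
    for name, ace in result["late_flags"]:
        print(f"move earlier: {name}: {ace}")
```

The entries reported as late are the candidates for the reordering workaround; checks in a port ACL on the same interface count toward the same limit and can be passed in as one more entry of the dictionary.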

If you apply an ACL to an interface that has a QoS policy map attached and the ACL is configured so that the packet should be forwarded by the CPU or if the configured ACL cannot fit into the ternary content addressable memory (TCAM), all packets received from this interface are forwarded to the CPU. Because traffic forwarded to the CPU cannot be policed by the policer configured on the interface, this traffic is not accurately rate-limited to the configured police rate.

The workaround, when QoS rate limiting is configured on an interface, is to configure applied ACLs so that packets are not forwarded by the CPU or reduce the number of ACEs in the ACL so that it can fit into the TCAM. (CSCdx30485)

When you reboot a Catalyst 3550-24-FX switch, it might loop back packets received on a 100BASE-FX port to its link partner. This can occur before the Cisco IOS software takes control of the system and lasts for about 200 milliseconds.

As a result, the link partner might shut down the port when it detects loopback packets, or MAC addresses might be learned on the wrong ports on upstream switches. The network might be unable to deliver packets to a few devices for up to 5 minutes after rebooting the Catalyst 3550-24-FX switch when:

The Catalyst 3550-24-FX switch is connected to one or more switches in the network.

Spanning tree is disabled in the network or the Port Fast feature is enabled on the ports connected to the Catalyst 3550-24-FX switch.

The Catalyst 3550-24-FX switch is power cycled or reloaded from the CLI.

One or more devices in the network transmit a broadcast or multicast packet during the 200-millisecond timing window while the Catalyst 3550-24-FX switch is booting.

This problem corrects itself after five minutes or when these devices transmit a broadcast or multicast packet, whichever comes first.

The workaround is to enable spanning tree in the network and to make sure that the Port Fast feature is disabled on all ports connected to the Catalyst 3550-24-FX switch. (CSCdx45558)

If the switch fails for any reason while you are exiting VLAN configuration mode (accessed by entering the vlan database privileged EXEC command), there is a slight chance that the VLAN database might get corrupted. After the switch resets, you might see these messages on the console:

%SW_VLAN-4-VTP_INVALID_DATABASE_DATA: VLAN manager received bad data of type device type: value 0 from vtp database

%SW_VLAN-3-VTP_PROTOCOL_ERROR: VTP protocol code internal error

The workaround is to use the delete flash:vlan.dat privileged EXEC command to delete the corrupted VLAN database. Then reload the switch by using the reload privileged EXEC command. (CSCdx19540)

On a Catalyst 3550-24 switch, the switch drops frames received on the 10/100 ports with a destination MAC address of 5xxx.xxxx.xxxx because of frame-check-sequence (FCS) errors. (CSCdx74914)

If you apply a large ACL and it fills the entire TCAM, the MVR IP multicast data packets are sent to the switch CPU and are not forwarded to the MVR receiver ports. (CSCdx80751)

When a Cisco RPS 300 Redundant Power System provides power to a switch, after the switch power supply is restored, the RPS 300 continues to provide power until the RPS mode button is pressed. At this point, some switches restart, depending on how quickly the switch internal power supply resumes operation. (CSCdx81023)

If you create a policy map by using the policy-map policy-map-name global configuration command, enter the class class-map-name policy-map configuration command, and then immediately exit from the policy-map class configuration mode, the policy map does not show its class-map association.

The workaround is to enter another command (such as the police, trust, or set policy-map class configuration command) after entering the class class-map-name policy-map configuration command. (CSCdx81650)

When you insert a GigaStack GBIC in a GBIC module slot, the CPU utilization increases by six percent. This increase occurs for each GigaStack GBIC added to the switch. Other types of GBICs do not cause additional CPU utilization. (CSCdx90515)

An RSPAN source session does not forward monitored traffic to the RSPAN destination session if there is an egress SPAN source port in the session with port security or 802.1x enabled. (CSCdy21035)

Not all traffic is properly mirrored by RSPAN when a port is monitored for egress traffic and the RSPAN VLAN is carried through a Layer 2 Protocol Tunnel to the RSPAN destination switch.

This happens because the MAC addresses for the original packets as well as the mirrored RSPAN packets are all learned on the tunnel VLAN, so the RSPAN traffic is no longer properly segregated on the tunneling switches.

The workaround is to not include any RSPAN VLANs in any Layer 2 Protocol tunnels unless the tunnel is dedicated to a single RSPAN VLAN. (CSCdy37188)

Ingress forwarding on a SPAN destination port does not work if there is an egress SPAN source port in the session with port security or 802.1x enabled. (CSCdy44646)

When the switch receives multicast traffic and IGMP join requests for a multicast group at the same time and it begins to forward the multicast packets, some of the packets might be dropped. (CSCdy80326)

If a Catalyst 3550 switch is connected to two routers (Router 1 and Router 2) in this topology:

The link between Router 1 and the switch is a BVI (bridge virtual interface) that belongs to two VLANs (VLAN 100 and VLAN 110) and uses one IP address. The IP subnet for the BVI is the same for both VLANs. The ports in both VLANs operate as Layer 2 interfaces. An SVI with an IP address is configured only on VLAN 100.

The link between Router 2 and the switch is an IP interface that only belongs to VLAN 110.

IP connectivity then exists between Router 1 and the switch. There is no IP connectivity between Router 2 and the switch.

The workaround is to configure another SVI with an IP address on the Catalyst 3550 switch that would be reachable from Router 2. (CSCdy82042)

The 5 minute input rate and 5 minute output rate fields in the output of the show interfaces privileged EXEC command show both rates as 0 bits/sec. If you enter the show interfaces command more than once, these fields might show values greater than 0 bits/sec. (CSCdz06305)

When the link between a device with an AC power supply and a Catalyst 3550-24PWR switch is 10 Mbps and half duplex, and the AC power supply is turned off, the switch is in the error-disabled state.

The workaround is to remove the AC power supply, disconnect the Ethernet cable, and then reconnect the Ethernet cable. This ensures that the switch uses inline power. (CSCdz16265)

When you perform a ping from a VLAN to another VLAN on the same switch, the VLAN counter does not change. (CSCdz17863)

The Catalyst 3550 switch does not adjust the power allocation based on the IEEE class of the power device (PD). When an IEEE PD-compliant device is connected to a switch, the switch allocates 15 W (the default) to the port. (CSCdz37516)

When an 802.1x-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not transition to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to transition to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)

When the link between two switches is an Ethernet cable to an E3 converter, if MST is enabled on an 802.1Q trunk, traffic is not forwarded or sent for 60 seconds after the shutdown and no shutdown interface configuration commands are entered. (CSCdz45037)

When a switch receives an STP bridge protocol data unit (BPDU) from an access port and the egress port is a trunk port, the switch assigns the BPDU a CoS value of 0 instead of 7.

There is no workaround. (CSCdz54043)

If a switch configuration contains a large ACL and a per-port per-VLAN policy map that both are attached to two interfaces, when you are copying it to the running configuration, this process might fail because the switch runs out of memory. (CSCdz54115)

These are the workarounds:

Copy the new configuration file to the config.txt file, and reboot the switch.

Save the configuration file as two files: one containing only the ACL configuration and one containing the rest of the configuration (including the QoS and interface configuration). Add the first configuration file to the running-configuration file, and then add the second file to the running-configuration file.

After the no interface tunnel0 global configuration command is entered to remove the tunnel interface, the output from the show running-config privileged EXEC command still shows the tunnel interface that was removed. (CSCdz66450)

This can occur if HSRP interface tracking is configured on another interface to track a tunnel interface, if the no interface command was entered before the HSRP tracking configuration was removed, or if the no standby tunnel0 global configuration command was entered on the other interface to disable tracking.

These are the workarounds:

Before removing the tunnel interface from the configuration, remove the HSRP interface tracking commands in the configuration that specify the tunnel interface.

Use the no standby track global configuration command without specifying an interface to disable HSRP tracking.

After a MAC address is relearned on a new interface, traffic might not be immediately forwarded to the MAC addresses. (CSCdz75459)

The Catalyst 3550 switch only supports the read operation in the sysClearPortTime MIB object (.1.3.6.1.4.1.9.5.1.1.13) in the CISCO-STACK-MIB. Use the clear counters privileged EXEC command to clear the counters. (CSCdz87897)

When a Catalyst 3550 switch is connected to a 3-port Gigabit Ethernet module in a Cisco 12000 Gigabit Switch Router (GSR) that is configured for Ethernet over Multiprotocol Label Switching (EoMPLS), the switch does not reliably send frames to the GSR.

The workaround is to configure the Catalyst 3550 Gigabit Ethernet interface with the spanning-tree portfast interface configuration command. (CSCea04746)

On a switch running Cisco IOS Release 12.1(12c)EA1 or later, if the switch MTU value is set to a value greater than 1500 and the authentication server and the intermediate devices are not configured with a compatible MTU value, 802.1x authentication with EAP-Transport Layer Security (TLS) might fail.

The workaround is to reset the switch MTU value to the default value or to configure the same MTU value on the switch, the authentication server, and the intermediate devices. (CSCea05682)

If a cable on an ingress interface is disconnected, an Alteon A184 cannot detect when a 1000BASE-X link between two Catalyst 3550 switches is down.

There is no workaround. (CSCea09786)

Performing an extended ping from one interface to another interface on the same switch can cause high CPU utilization. This can occur when a large number of ping packets are sent and received and is the expected behavior.

The workaround is to not perform a ping from one interface to another on the same switch. (CSCea19301)

The switch does not create an adjacency table entry when the ARP timeout value is 15 seconds and the ARP request times out.

The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)

If the output from the show tcam inacl 1 statistics privileged EXEC command shows that the TCAM is not full and you are applying an ACL, this system message might appear:

%FM-3-UNLOADING: Unloading input vlan label 1 feature from all TCAMs

There is no workaround. (CSCea25658)

The switch uses the same MAC address for all VLAN interfaces. If the destination MAC address in a packet is the same as the MAC address of the VLAN interface, and the VLAN interface for that VLAN is shut down or does not exist, the switch drops the packet. There is no workaround. (CSCed12004)

Storm control or traffic suppression (configured by using the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command) is supported only on physical interfaces; it is not supported on EtherChannel port channels even though you can enter these commands through the CLI.

The Cisco RPS 300 Redundant Power System supports the Catalyst 3550 multilayer switch and provides redundancy for up to six connected devices until one of these devices requires backup power. If a connected device has a power failure, the RPS immediately begins supplying power to that device and sends status information to other connected devices that it is no longer available as a backup power source. As described in the device documentation, when the RPS LED is amber, the RPS is connected but down. However, this might merely mean that the RPS is in standby mode. Press the Standby/Active button on the RPS to put it into active mode. You can view RPS status through the CLI by using the show rps privileged EXEC command. For more information, refer to the RPS documentation.

When you configure an EtherChannel between a Catalyst 3550 and a Catalyst 1900 switch, some of the Catalyst 3550 links in the EtherChannel might go down, but one link in the channel remains up, and connectivity is maintained.

Catalyst 3550 switches do not take into account the Preamble and Inter Frame Gap (IFG) when rate limiting traffic, which could result in a slightly inaccurate policing rate on a long burst of small-sized frames, where the ratio of the Preamble and IFG to frame size is more significant. This should not be an issue in an environment where the frames are a mix of different sizes.

Certain combinations of features and switches create conflicts with the port security feature. In Table 4, No means that port security cannot be enabled on a port on the referenced switch if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port on a switch at the same time. A dash means not applicable.

Table 4 Port Security Incompatibility with Other Switch Features

|  | Catalyst 2940 | Catalyst 2950 and Catalyst 2955 | Catalyst 2970 | Catalyst 3550 | Catalyst 3750 |
|---|---|---|---|---|---|
| DTP [1] port [2] | No | No | No | No | No |
| Trunk port | No | No | Yes | Yes | Yes |
| Dynamic-access port [3] | No | No | No | No | No |
| Routed port | - | - | - | No | No |
| SPAN source port | Yes | Yes | Yes | Yes | Yes |
| SPAN destination port | No | No | No | No | No |
| EtherChannel | No | No | No | No | No |
| Tunneling port | - | - | - | Yes | - |
| Protected port | Yes | Yes | Yes | Yes | Yes |
| 802.1x port | - | Yes [4] | Yes | Yes | Yes |

[1] DTP = Dynamic Trunking Protocol

[2] A port configured with the switchport mode dynamic interface configuration command.

[3] A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.

[4] The switch must be running the enhanced software image (EI).


Cluster Limitations and Restrictions

These limitations apply to cluster configuration:

When there is a transition from the cluster active command switch to the standby command switch, Catalyst 1900, Catalyst 2820, and Catalyst 2900 4-MB switches that are cluster members might lose their cluster configuration. You must manually add these switches back to the cluster. (CSCds32517, CSCds55711)

When a Catalyst 2900 XL or Catalyst 3500 XL cluster command switch is connected to a Catalyst 3550 switch, the command switch does not find any cluster candidates beyond the Catalyst 3550 switch if it is not a member of the cluster. You must add the Catalyst 3550 switch to the cluster. You can then see any cluster candidates connected to it. (CSCdt09918)

If both the active command switch and the standby command switch fail at the same time, the cluster is not automatically recreated. Even if there is a third passive command switch, it might not recreate all cluster members because it might not have all the latest cluster configuration information. You must manually recreate the cluster if both the active and standby command switches simultaneously fail. (CSCdt43501)

When the active switch fails in a switch cluster that uses Hot Standby Routing Protocol (HSRP) redundancy, the new active switch might not contain a full cluster member list.

The workaround is to ensure that the ports on the standby cluster members are not in the STP blocking state. Refer to the "Configuring STP" chapter in the software configuration guide for more information about verifying port status. (CSCec31495)

CMS Limitations and Restrictions

These limitations apply to CMS configuration:

CMS performance degrades if the Topology View is open for several hours on a Solaris machine. The cause might be a memory leak.

The workaround is to close the browser, reopen it, and launch CMS again. (CSCds29230)

If you are printing a Topology View or Front Panel View that contains many devices and are running Solaris 2.6 with JDK1.2.2, you might get an Out of Memory error message.

The workaround is to close the browser, re-open it, and launch CMS again. Before you perform any other task, open the view that you want to print, and click Print in the CMS menu. (CSCds80920)

A red border appears around the text-entering area of some CMS dialogs. The color of the border changes to green when text is entered. This is only a cosmetic error. The colored border does not prevent you from entering text. (CSCdv82352)

You cannot switch modes (for example, from Guide Mode to Expert Mode) for an open CMS window.

The workaround is to close the open window, select the mode that you want, and then reopen the CMS window. For the mode change to take effect on any other CMS window that is open, you need to close that window and then reopen it after you select the new mode. (CSCdw87550)

If you open a window in which you can enter text, open another window, and return to the first window, right-clicking in the text field might make the cursor in this field disappear. You can still enter text in the field. (CSCdy44189)

CMS fails when a switch is running the cryptographic software image and the vty lines have been configured to use only secure shell (SSH) using the transport input ssh and line vty 0 15 global configuration commands.

The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration commands. (CSCdz01037)

When you add a new member with a username and password that is different from the existing cluster member usernames and passwords, CMS produces an exception error because of an authentication failure.

The workaround is to add the new member without any username and password. When the new member is added to the cluster, remove the existing username and password from the Username and Password fields, enter a new username and password, and then apply it to all cluster members. (CSCdz07957)

When the Link Graphs application has run for hours displaying packet drop and error information, sometimes the X-axis crosses the Y-axis at a negative y value instead of at y = 0. This condition occurs with all supported operating systems, browsers, and Java plug-ins. There is no workaround. (CSCdz32584)

After you click Apply or Refresh in the SNMP window, the window size changes. (CSCdz75666, CSCdz84255)

When you enable log scaling for Link Graphs, the Y-axis scale becomes illegible. There is no workaround. (CSCdz81086)

The CMS window does not return to full size after resizing the NE or IE when using Netscape version 6.xx on Solaris and Linux. This is a Netscape browser problem. There is no workaround. (CSCea01179)

CMS sometimes halts after you click Apply when using Netscape 4.7 on the Japanese version of Windows 98 or Windows ME.

The workaround is to use Microsoft Internet Explorer or Netscape 6.0 or later. (CSCea27408)

Changing the password or current authentication while CMS is running causes HTTP requests to fail.

The workaround is to close all browser sessions and then relaunch CMS. (CSCeb33995)

When TACACS authentication is only enabled on a command switch, member switches cannot be configured.

The workaround is to enable TACACS authentication on the member switches. (CSCed27723)

Host names and Domain Name System (DNS) server names that contain commas on a cluster command switch, member switch, or candidate switch can cause CMS to behave unexpectedly. You can avoid this instability in the interface by not using commas in host names or DNS names. Do not enter commas when also entering multiple DNS names in the IP Configuration tab of the IP Management window in CMS.

ACEs that contain the host keyword precede all other access control entries (ACEs) in standard ACLs. You can reposition the ACEs in a standard ACL with one restriction: No ACE with the any keyword or a wildcard mask can precede an ACE with the host keyword.

Important Notes

These are the important notes related to this Cisco IOS release:

"Cisco IOS Notes" section

"Cluster Notes" section

"CMS Notes" section

Cisco IOS Notes

These notes apply to Cisco IOS configuration:

In Cisco IOS Release 12.1(19)EA1, the implementation for the Option-82 Subscriber Identification changed from the previous release. The new option-82 format uses a different circuit ID and remote ID suboption, vlan-mod-port. The previous version uses the snmp-ifindex circuit ID and remote ID suboption.

If you have option-82 configured on the switch and you upgrade to Cisco IOS Release 12.1(19)EA1 or later, the option-82 configuration is not affected. However, when you globally enable DHCP snooping on the switch by using the ip dhcp snooping global configuration command, the previous option-82 configuration is suspended, and the new option-82 format is applied. When you globally disable DHCP snooping on the switch, the previous option-82 configuration is re-enabled.

To provide for backward compatibility, you can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command when you enable DHCP snooping. When DHCP snooping is globally enabled, option-82 information (in the selected format) is only inserted on snooped VLANs.

For more information about using the previous version of option-82 without enabling DHCP snooping, see the software configuration guide for this release.

In Cisco IOS Release 12.1(14)EA1, the implementation for 802.1x changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added.

If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global configuration command. For more information, refer to the software configuration guide for this release.

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to 2 plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The address of the IP phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

If you configure a port ACL on a physical interface on a switch that has VLAN maps or input router ACLs configured, or if you configure a VLAN map or input router ACL on a switch that has port ACLs configured, a CONFLICT message is generated but the configuration is accepted. The port ACL action has priority on that port over actions in a router ACL or VLAN map applied to the VLAN to which the port belongs.

The result is that packets received on that physical port will be permitted or denied based on the port ACL action without regard to any permit or deny statements in any router ACL or VLAN map, while packets received on other physical ports in the VLAN will still be permitted or denied based on any router ACLs or VLAN maps applied to the VLAN. If the port ACL is applied to a trunk port, it overrides any other input ACLs applied to all VLANs on the trunk port.

The default system MTU for traffic on the Catalyst 3550 switch is 1500 bytes. The 802.1Q tunneling feature increases the frame size by 4 bytes. Therefore, when you configure 802.1Q tunneling, you must configure all switches in the 802.1Q network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. You configure the system MTU size by using the system mtu global configuration command.

Beginning with Cisco IOS Release 12.1(8)EA1, to configure traffic suppression (previously configured by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands), you use the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration commands. For more information about these commands, refer to the command reference.

When you are configuring a cascaded stack of Catalyst 3550 switches by using the GigaStack GBIC module and want to include more than one VLAN in the stack, be sure to configure all the GigaStack GBIC interfaces as trunk ports by using the switchport mode trunk interface configuration command and to use the same encapsulation method by using the switchport encapsulation {isl | dot1q} interface configuration command. For more information about these commands, refer to the command reference.

If the 1000BASE-T GBIC (WS-G5482) module is not securely inserted, the switch might fail to recognize it or might display an incorrect media type following a show interface privileged EXEC command entry. If this happens, remove and reinsert the GBIC module.

Beginning with Cisco IOS Release 12.1(11)EA1, the mac address-table aging-time command replaces the mac-address-table aging-time command (with the hyphen). The mac-address-table aging-time command (with the hyphen) will become obsolete in a future release.

Beginning with Cisco IOS Release 12.1(11)EA1, the vtp privileged EXEC command keywords are available in the vtp global configuration command. The vtp privileged EXEC command will become obsolete in a future release.

Beginning with Cisco IOS Release 12.1(12c)EA1, the ip igmp query-interval seconds interface configuration command range is 1 to 18000 seconds. If your existing configuration includes a value larger than 18000, the command has no effect, and the switch returns a warning message the first time you restart the switch with the upgraded software. Enter a new value by using the ip igmp query-interval seconds interface configuration command, and then save your configuration.

If the switch has insufficient Layer 4 resources, this message might appear when configuring port ACLs:

%Error: cannot create VMR data structures.
%FM-2-NOVMR: Cannot create VMR data structures for access list 131

If this message appears, the switch did not apply the ACL to the port. (CSCdx42414)

Beginning with Cisco IOS Release 12.1(12c)EA1, you can set the CoS value of incoming traffic in a policy map that includes the trust dscp policy-map class configuration command. To do this, follow the steps described in the "Classifying, Policing, and Marking Traffic by Using Policy Maps" section in the "Configuring QoS" chapter of the software configuration guide for this release. (CSCdy45670)

In releases prior to 12.1(12c)EA1, the HTTP server used an AAA (authentication, authorization, and accounting) server for authentication by default, even when not explicitly configured with ip http authentication aaa, if aaa new-model was present in the configuration. Beginning with Release 12.1(12c)EA1, you must explicitly configure ip http authentication aaa to have the HTTP server use an AAA server for authentication. (CSCdz28658, CSCdv00656)

When you configure a dynamic switchport by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the interface changes from access mode to trunk mode through Dynamic Trunking Protocol (DTP) negotiation.

The workaround is to configure the port as a static access port. (CSCdz32330)

If a spanning-tree loop occurs, this message might appear:

MALLOCFAIL, alignment 0. -Process=Syslog Traps -Traceback= 1A3740

This message appears because the switch has run out of I/O memory and is unable to allocate a packet buffer to report the error. You can also verify if the switch runs out of I/O memory by using the show memory privileged EXEC command.

The workaround is to reconfigure the spanning tree to remove the loop. (CSCdz51522)

Beginning in Cisco IOS Release 12.1(13)EA1, these are the default settings for an IP Phone connected to a switch (CSCdz76948):

The port trust state is to not trust the priority of frames arriving on the IP Phone port from connected devices.

The CoS value of incoming traffic is overwritten and set to zero.

Catalyst 3550-24-FX switches support both full- and half-duplex mode, and the default duplex mode is half duplex. Autonegotiation of the duplex mode is not supported.

On a Catalyst 3550-24-FX switch, when you upgrade to Cisco IOS Release 12.1(13)EA1 or later, all ports are reset to half-duplex mode. This will cause a duplex setting mismatch if the switch is connected to another device operating in full-duplex mode. After upgrading to Cisco IOS Release 12.1(13)EA1 or later, you should configure the Catalyst 3550-24-FX switch to operate in full-duplex mode, if necessary. (CSCdz29482)
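As an added example (not Cisco code), this Python script audits a saved configuration against four of the notes above: the global dot1x system-auth-control requirement, the 1504-byte system MTU for 802.1Q tunneling, the explicit ip http authentication aaa setting, and dynamic-access ports (CSCdz32330). The two configurations and the check IDs are constructed for illustration, and the script assumes the HTTP server is enabled unless no ip http server appears.

```python
import re

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
aaa new-model
ip http server
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport access vlan dynamic
!
interface GigabitEthernet0/1
 switchport mode dot1q-tunnel
!
line con 0
 logging synchronous
"""

# The same constructed configuration with the notes applied.
FIXED_CONFIG = """\
aaa new-model
dot1x system-auth-control
system mtu 1504
ip http server
ip http authentication aaa
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 switchport mode dot1q-tunnel
"""


def split_config(text):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if line.startswith(" "):
            # Indented lines belong to the enclosing block; keep interface ones only.
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (check_id, location, message) findings."""
    global_lines, interfaces = split_config(text)
    findings = []

    # 802.1x port commands have no effect without the global enable.
    dot1x_ports = [name for name, cmds in interfaces.items()
                   if any(c.startswith("dot1x port-control") for c in cmds)]
    if dot1x_ports and "dot1x system-auth-control" not in global_lines:
        findings.append(("DOT1X-GLOBAL", ", ".join(dot1x_ports),
                         "802.1x configured on ports but not globally enabled"))

    # Since 12.1(12c)EA1 the HTTP server uses AAA only when told to.
    http_enabled = "no ip http server" not in global_lines  # assumption
    if ("aaa new-model" in global_lines and http_enabled
            and "ip http authentication aaa" not in global_lines):
        findings.append(("HTTP-AAA", "global",
                         "aaa new-model present but HTTP server not set to AAA"))

    # Dynamic-access ports can become trunks through DTP (CSCdz32330).
    for name, cmds in interfaces.items():
        if "switchport access vlan dynamic" in cmds:
            findings.append(("DYNAMIC-VLAN", name,
                             "dynamic access port; configure a static access port"))

    # 802.1Q tunneling adds 4 bytes, so the system MTU must be at least 1504.
    mtu = 1500  # default system MTU stated in the notes
    for line in global_lines:
        match = re.fullmatch(r"system mtu (\d+)", line)
        if match:
            mtu = int(match.group(1))
    tunnel_ports = [name for name, cmds in interfaces.items()
                    if "switchport mode dot1q-tunnel" in cmds]
    if tunnel_ports and mtu < 1504:
        findings.append(("DOT1Q-MTU", ", ".join(tunnel_ports),
                         "system mtu %d is below 1504 with 802.1Q tunneling" % mtu))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("%-13s %-20s %s" % finding)
```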

Cluster Notes

This note applies to cluster configuration:

The cluster setup privileged EXEC command and the standby mac-address interface configuration command have been removed from the CLI and the documentation because they did not function correctly.

CMS Notes

These notes apply to CMS configuration:

If you use CMS on Windows 2000, it might not apply configuration changes if the enable password is changed from the CLI during your CMS session. You have to restart CMS and enter the new password when prompted. Platforms other than Windows 2000 prompt you for the new enable password when it is changed.

CMS does not display QoS classes that are created through the CLI if these classes have multiple match statements. When using CMS, you cannot create classes that match more than one match statement. CMS does not display policies that have such classes.

If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.cisco.com), you must enter http:// as the URL prefix. Otherwise, you cannot launch CMS.

Within an ACL, you can change the sequence of ACEs that have the host keyword. However, because such ACEs are independent of each other, the change has no effect on the way the ACL filters traffic.

If you have a proxy server configured on your web browser, CMS can run slowly and take 2 to 3 minutes to process each command that is entered.

If you use the Netscape browser to view the CMS GUI and you resize the browser window while CMS is initializing, CMS does not resize to fit the window.

The workaround is to resize the browser window again when CMS is not busy.

In the Front Panel view or Topology view, CMS does not display error messages in read-only mode for these switches:

Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier

Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier

Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier

In the Front Panel view, if the switch is running one of the software releases listed previously, the device LEDs do not appear. In Topology view, if the member is an LRE switch, the CPE devices that are connected to the switch do not appear. The Bandwidth and Link graphs also do not appear in these views.

Open Caveats

These are the open caveats with possible unexpected activity in this Cisco IOS release:

"Open Cisco IOS Caveats" section

"Open CMS Caveats" section

Open Cisco IOS Caveats

These are the severity 3 Cisco IOS configuration caveats:

CSCdx95501

When a community string is assigned by the cluster command switch, you cannot get any dot1dBridge MIB objects by using a community string with a VLAN entity from a cluster member switch.

The workaround is to manually add the cluster community string with the VLAN entity on the member switches for all active VLANs shown in the show spanning-tree summary display. This is an example of such a change, where cluster member 3 has spanning-tree on vlan 1-3 and the cluster commander community string is public@es3.

Mbr3(config)#snmp community public@es3@1 RO
Mbr3(config)#snmp community public@es3@2 RO
Mbr3(config)#snmp community public@es3@3 RO

CSCeb83424

If you use the no network router configuration command to remove a network from an EIGRP configuration, the switch might not remove all of the subnetworks that are related to the specified network from the running EIGRP routing process. You cannot remove the remaining subnetworks by using the clear ip eigrp neighbors privileged EXEC command.

These are the workarounds:

Remove the EIGRP configuration, and then reconfigure the EIGRP parameters.

Reload the switch.

CSCec27355

If a policy map with more than 75 class statements and class maps is configured on an interface and you add a class map to this policy map, the switch might reload.

The workaround is to:

End all Telnet sessions other than the one that you are using.

Remove the policy map from the interface, add the class map, and re-attach the policy map to the interface.

CSCec43569

If more than two switches are connected in a GigaStack loop and one of the switches reloads, the GigaStack loop might not be detected, and a broadcast storm might occur.

There is no workaround.

CSCec46594

If you are configuring a policy map on an interface by using named ACLs and the policy map has 13 named ACLs that include deny statements, these messages might appear when you add an ACL:

QoS: Programming TCAM failed: Unsuccessful ACL merge
 Service Policy attachment failed
 Service Policy xxxx not attached
QM-4-HARDWARE_NOT_SUPPORTED: Hardware limitation has reached for policymap xxxx

Use one of these workarounds:

Use numbered ACLs.

Do not use deny statements because the end of the ACL has an implicit deny statement.

CSCec86258

When three or more Catalyst 3550-24PWR switches are connected through GigaStack GBICs, you can access all the VLANs on the uplink switch, but you can only access VLAN 1 on the other switches.

These are the workarounds:

Use the shutdown and then the no shutdown interface configuration commands on the ports.

Save the switch configuration, and reload all the switches.

CSCec86385

When you enter the radius-server attribute nas-port format format global configuration command, the configured format does not take effect. The switch does not send the correct values for NAS-Port-Type and NAS-Port formats. The switch sends 0 as the NAS-Port-Type value (asynchronous). It does not send an NAS-Port value (attribute 5).

There is no workaround.

CSCed10401

On a Catalyst 3550 switch, these MIB entries contain invalid characters:

entPhysicalHardwareRev
entPhysicalSerialNum

The switch cannot be added to the CiscoWorks Resource Manager Essentials (RME) database because the structured query language (SQL) insert statement fails due to the invalid characters.

The workaround is to use these global configuration commands to configure the switch to exclude these variables while responding to a snmpget message:

Switch(config)# snmp-server view test iso included
Switch(config)# snmp-server view test entPhysicalEntry.8 excluded
Switch(config)# snmp-server view test entPhysicalEntry.11 excluded
Switch(config)# snmp-server community public view test RO
Switch(config)# snmp-server community private view test RW

CSCed11578

If an HSRP standby group is configured, you cannot ping to VLAN interfaces.

The workaround is to disable the standby group.

CSCed16439

Service Assurance Agent (SAA) does not run properly when 100 or more probes are configured that continuously send packets at 1-second intervals.

There is no workaround.

CSCed18377

If the switchport nonegotiate interface configuration command is entered on an interface that is connected to a Catalyst 3550 switch, UniDirectional Link Detection (UDLD) does not run properly when the link goes down and then comes up quickly or when a neighbor restarts.

Use one of these workarounds:

Enter the no switchport nonegotiate interface configuration command.

Enter the shutdown and then the no shutdown interface configuration commands.

CSCed29525

On switches running a release later than Cisco IOS Release 12.1(19)EA1, the switch does not assign the correct value to the port identifier (circuit ID suboption). The value is offset by 1 from the interface module- and port-number values. If a Fast Ethernet interface and a Gigabit Ethernet interface have the same module- and port-number values, such as fastethernet0/1 and gigabitethernet0/1, the switch assigns the same value to both interfaces.

There is no workaround.

CSCin65981

If a switch is running CDP Version 1, the inline-power port on a Catalyst 3550-24PWR switch provides 6.3 W instead of 15 W.

There is no workaround.

CSCeb08719

The dot1dTpAgingTime MIB object shows a random value for the VLANs that are not running the spanning tree protocol.

There is no workaround.

CSCec67273

When you put an interface that is in Layer 2 mode into Layer 3 mode by using the no switchport interface configuration command, this traceback message might appear:

    00:05:14: %BIT-4-OUTOFRANGE: bit 128 is not in the expected range of 0 to 127
    -Traceback= 1F861C 1F86DC 3F1648 2E039C 2DF658 181CA8 24B170 249DE4 24A238 260464
    23B8B0 23BCA4 
    23BEA8 1DBD24

There is no workaround.

CSCec69647

When a switch reloads and a GigaStack GBIC module port is connected to an interface on another device, the output from the show interfaces privileged EXEC command shows the port status as down.

The workaround is to use the shutdown and then the no shutdown interface configuration commands.

CSCec77810

After a switch restarts and the link between a GigaStack GBIC interface and another interface is up, the GigaStack GBIC interface receives traffic but might not be able to forward traffic.

The workaround is to use the shutdown and then the no shutdown interface configuration commands.

CSCed01591

You cannot obtain VLAN statistics information from clustered switches.

There is no workaround.

CSCed02043

After all the static MAC addresses for a VLAN are removed from the MAC address table, the output from the show mac address-table vlan privileged EXEC command might show the CPU static addresses for the VLAN. This can occur if the MAC address table parameters for the VLAN have changed from the default values.

There is no workaround. This does not affect the functionality of the switch.

CSCed02730

When policy-based routing (PBR) is enabled on an ingress Layer 3 interface that receives routed packets, the default gateway might not send IP Control Message Protocol (ICMP) redirect messages to a host. This might occur when:

The default gateway is defined but does not generate an ICMP redirect message. This occurs when the routing table has a packet route that specifies a host on another subnet instead of the next hop specified by PBR.

The default gateway sends an ICMP redirect message, but the local router specified in the ICMP redirect message is the next hop in the routing table instead of the next hop specified by PBR.

The workaround is to use the no ip redirects interface configuration command to not send ICMP redirect messages to the interface on which PBR is enabled. Using this command disables all ICMP redirect messages sent to or from the interface.

CSCed05042

In the output from the debug mac-manager privileged EXEC command, the messages are not preceded by a time stamp.

There is no workaround.

CSCed15006

When a Type-1 Token Ring patch cable is connected to an inline power port on a Catalyst 3550-24PWR switch, the switch detects an error, but does not put the port into an err-disabled state.

There is no workaround. However, when a valid link partner is connected to the inline power port, it operates normally and without user intervention.

CSCed25122

The output from the show interfaces interface-id privileged EXEC command does not show the correct media types for the SFP modules.

The workaround is to use the show interfaces status privileged EXEC command.

CSCed54175

The switch does not accept duplicate remark statements in named ACLs.

There is no workaround.

Open CMS Caveats

These are the severity 3 CMS configuration caveats:

CSCec18805

When you launch the IP Multicast wizard, multicast-enabled devices do not appear in the list of multicast-enabled devices.

There is no workaround. The wizard does not display multicast-enabled devices.

CSCec61919

The Topology View does not show unknown devices or devices that are down.

There is no workaround.

CSCed21655

The CMS plug-in is not supported in Netscape 4.7x.

The workaround is to use a supported browser, such as Netscape 7.1 or Internet Explorer 5.5 or 6.0.

CSCed34582

The Front Panel View sometimes does not show the port LED status.

The workaround is to refresh the Front Panel View.

CSCed39693

When there are Catalyst 2950 and 2955 devices in a cluster, if you launch the QoS Queue Window to configure the devices and then try to view the settings for other devices by using the device selection menu, CMS halts after 20 to 30 selections.

The workaround is to close CMS and then restart CMS.

CSCed40866

If an ACL is deleted from a device, all QoS classes that use this ACL for traffic classification become unusable (only on Catalyst 2970 and 3750 switches). The modification of these classes to use any other traffic classification (match statement) fails.

The workaround is to delete the QoS class that uses the undefined ACL and then recreate it with the intended traffic classification (match statement).

Resolved Caveats

These are the caveats that have been resolved in this release.

"Cisco IOS Caveats Resolved in Cisco IOS Release 12.1(20)EA1" section

"CMS Caveats Resolved in Cisco IOS Release 12.1(20)EA1" section

Cisco IOS Caveats Resolved in Cisco IOS Release 12.1(20)EA1

These Cisco IOS caveats were resolved in Cisco IOS Release 12.1(20)EA1:

CSCeb55548

A Catalyst 3550 switch running the SMI now correctly routes IP multicast traffic.

CSCeb66556

When DHCP snooping is enabled on the switch, if the lease time granted by a server to a client is set to infinite, tracebacks are no longer generated.

CSCeb71937

A port channel that is configured as untrusted for DHCP snooping has a set rate limit. If snooping is configured on one of its VLANs, the rate limit is now applied to the DHCP traffic that arrives on the port channel.

CSCec27049

When DHCP packets are unicast from a DHCP server to a DHCP client through the switch DHCP relay agent, the switch no longer drops the packets, and duplicate DHCP snooping bindings are no longer created for the client.

CSCec49525

Information is now correctly logged when the access-control list (ACL) logging option is enabled.

CSCec52012

The switch no longer experiences high CPU utilization at process TTY Background when the logging synchronous global configuration command is configured under line con 0.

CSCec68631

Inbound multicast traffic no longer fails on Gigabit Ethernet interfaces.

CSCec71554

Non-IP traffic is now forwarded correctly when fallback bridging is used with VLANs on which the UplinkFast feature has been enabled.

CSCed00396

Received BPDUs are no longer dropped on ports configured for 802.1Q trunking with a nonexistent native VLAN.

CSCed00408

When you enter the logging event spanning-tree status global configuration command, the switch now logs messages about STP state changes.

CSCed02857

Non-reverse path forwarding (RPF) traffic no longer causes high CPU utilization in certain topologies.

CSCed29169

The IGMP maximum query response time is no longer set to 1 second. You can configure this value by using the ip igmp query-max-response-time seconds interface configuration command.

CSCed33625

When multiple static MAC addresses are configured and then modified, the modified addresses are now associated with the correct destination port in hardware. Packets destined for the modified static MAC addresses are now forwarded to the correct port.

CMS Caveats Resolved in Cisco IOS Release 12.1(20)EA1

These CMS caveats were resolved in Cisco IOS Release 12.1(20)EA1:

CSCeb23334

CMS now recognizes 802.1t spanning-tree extensions and port-priority configuration values under the STP Port Parameters tab, and they are now validated before they are added to the switch.

CSCeb23416

CMS now validates STP path-cost configuration values against the valid value ranges before they are added to the switch.

CSCeb23592

CMS now recognizes 802.1t spanning-tree extensions and bridge-priority configuration values under the STP Bridge Parameters tab, and they are now validated before they are added to the switch.

CSCeb40625

Shaped bandwidth weights are invalid if either the sum of their reciprocals is greater than one, or if the sum of their reciprocals is equal to one and the shaped weight of the queue is zero. CMS now detects these invalid bandwidth weights.

CSCec08618

CMS now recognizes 802.1t spanning-tree extensions and port-priority configuration values under the STP Port Parameters tab, and they are now validated before they are added to the switch.

CSCec08662

If UplinkFast is enabled and you enter a value in the Path Cost field in the STP Modify Port Parameters window, 3000 is automatically added to the configured-STP cost value. For example, if the path cost is 10, the actual value becomes 3010. If you disable UplinkFast, the path-cost value changes to its originally configured value of 10.

CSCec09433

You can now attach or remove an access control list (ACL) to or from an interface when you are in Guide Mode.

CSCec16057

CMS now recognizes the Coarse Wave Division Multiplexer (CWDM) small form-factor pluggable (SFP) module on Catalyst 2940 switches.

CSCec34831

When you click the Highlight VLAN Port Membership Modes button in the VLAN window of a switch, and that switch front panel is not displayed in Front Panel View, CMS brings the Front Panel View to the foreground. The front panel view of the switch is now displayed, and you can see the highlighted ports.

CSCec45975

In an AVVID wizard Save Configuration window step, an error message no longer appears if you click the Previous button.

CSCec47247

The IGMP Report Window now lists all the entries in the table.

Documentation Updates

This section provides updates to the product documentation. These changes will be included in the next revision of the documentation.

"References to the Cisco Documentation CD-ROM" section

"Software Configuration Guide Corrections and Additions" section

"Command Reference Corrections and Additions" section

"Hardware Installation Guide Addition" section

References to the Cisco Documentation CD-ROM

The documentation for the Catalyst 3550 switches incorrectly refers to the Cisco Documentation CD-ROM. The Catalyst 3550 switches no longer ship with this CD-ROM.

Software Configuration Guide Corrections and Additions

This section has the software configuration guide corrections and additions.

Getting Started with CMS Chapter

This is a correction to the "Browser Plug-In Requirements" section:

The chapter incorrectly states that Java plug-in 1.4.1 is required for Solaris. In this release, the CMS plug-in replaces the Java plug-in. You can download the latest CMS plug-in for Solaris from this URL:

http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=solaris&version=1.1

These are additions to the "Configuring CMS" section:

The CMS plug-in includes a console window that you can use to troubleshoot CMS or to view the CLI commands from CMS. When CMS is running, press F2 to display or to hide the CMS console. Press F3 to display or to hide the CLI commands that CMS is sending.

You must have privilege level 15 when accessing CMS through a TACACS+ or RADIUS server.

Clustering Switches Chapter

This is an addition to the "Planning a Switch Cluster" section:

We do not recommend using the ip http access-class global configuration command to limit access to specific hosts or networks. Access should be controlled through the cluster command switch or by applying access control lists (ACLs) on interfaces that are configured with an IP address.

Administering the Switch Chapter

This is an addition to the "Adding and Removing Static Address Entries" section:

A static address also has these characteristics:

A static unicast MAC address can be assigned to only one interface.

A static multicast MAC address can be assigned to only one interface.

Configuring 802.1x Port-Based Authentication Chapter

These are corrections to the "802.1x Configuration Guidelines" section:

The 802.1x protocol is not supported on EtherChannel ports. Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x on an EtherChannel port, an error message appears, and 802.1x is not enabled.

Before globally enabling 802.1x on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which 802.1x and EtherChannel are configured.

If you are using a device running the Cisco Access Control Server (ACS) application for 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.

This is an addition to the "802.1x Configuration Guidelines" section:

After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can also change the settings for restarting the 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease these settings for the 802.1x authentication process: the 802.1x quiet period and switch-to-client transmission time.

This is an addition to the "Configuring a Guest VLAN" section:

This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP client:

Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 2

Configuring SmartPort Macros Chapter

This is a change to the chapter:

SmartPort macros are now referred to as Smartports macros.

Configuring DHCP Features Chapter

This is an addition to the "Option-82 Data Insertion" section:

Figure 1 shows the packet formats for the remote ID suboption and the circuit ID suboption. For the circuit ID suboption, the module number corresponds to the switch number in the stack.

Figure 1 Suboption Packet Formats

1 The switch uses these packet formats when DHCP snooping is globally enabled, and the ip dhcp relay information option and the ip dhcp snooping information option format snmp-ifindex global configuration commands are entered.

2 The switch uses these packet formats when DHCP snooping is globally enabled, the ip dhcp snooping information option global configuration command is entered, and the snmp ifIndex format is not configured.


These are additions to the "Configuring DHCP Features" section:

When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer's switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks. A trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.

For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces. When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, it verifies that the source MAC address and the DHCP client hardware address match (the default). If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.
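As an added illustration (not Cisco code), this Python model reproduces the check described above: it extracts the Ethernet source MAC address and the DHCP client hardware address (chaddr) from a client message and returns the verdict an untrusted port in a snooping-enabled VLAN would give. The frames and MAC addresses are constructed, and frames that are not client DHCP messages are reported as "not-checked", which is a convention of this model.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
BOOTP_CHADDR_OFFSET = 28   # op..flags (12 bytes) + four IPv4 address fields (16 bytes)
BOOTP_FIXED_LEN = 236      # fixed BOOTP header through the 'file' field

# Constructed, locally administered MAC addresses for the demo.
CLIENT_MAC = bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("020000000002")


def parse_dhcp_macs(frame):
    """Return (ethernet_src_mac, chaddr) for a client DHCP message, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if (sport, dport) != (DHCP_CLIENT_PORT, DHCP_SERVER_PORT):
        return None
    bootp = ip[ihl + 8:]
    if len(bootp) < BOOTP_FIXED_LEN:
        return None
    htype, hlen = bootp[1], bootp[2]
    if htype != 1 or hlen != 6:          # Ethernet hardware addresses only
        return None
    return src_mac, bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + 6]


def snooping_verdict(frame, port_trusted, vlan_snooping_enabled):
    """Model of the documented check on untrusted ports in snooping VLANs."""
    if port_trusted or not vlan_snooping_enabled:
        return "forward"
    macs = parse_dhcp_macs(frame)
    if macs is None:
        return "not-checked"
    src_mac, chaddr = macs
    return "forward" if src_mac == chaddr else "drop"


def build_discover(src_mac, chaddr):
    """Constructed DHCPDISCOVER frame for the demo (checksums left at zero)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += bytes(16)                       # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")       # chaddr field is 16 bytes wide
    bootp += bytes(64 + 128)                 # sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, DISCOVER, end
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT,
                      8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    honest = build_discover(CLIENT_MAC, CLIENT_MAC)
    mismatched = build_discover(CLIENT_MAC, OTHER_MAC)
    print("matching addresses, untrusted port:", snooping_verdict(honest, False, True))
    print("mismatched chaddr, untrusted port: ", snooping_verdict(mismatched, False, True))
    print("mismatched chaddr, trusted port:   ", snooping_verdict(mismatched, True, True))
```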

This is an addition to the "Default DHCP Configuration" section:

Table 5 shows the default DHCP configuration.

Table 5 Default DHCP Configuration

Feature                                 Default Setting
DHCP server                             Enabled (1)
DHCP relay agent                        Enabled (2)
DHCP packet forwarding address          None configured
Checking the relay agent information    Enabled (invalid messages are dropped) (2)
DHCP relay agent forwarding policy      Replace the existing relay agent information (2)

(1) The switch responds to DHCP requests only if it is configured as a DHCP server.

(2) The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client.


For procedures to configure the DHCP server, relay agent and its features, refer to the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide, Release 12.2.

This is an addition to the "DHCP Snooping Configuration Guidelines" section:

Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.

Before configuring the DHCP snooping information option on your switch, be sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for devices.

If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.

If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.

If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command.

Configuring Port-Based Traffic Control Chapter

This is a correction to the "Configuring Protected Ports" section:

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

Configuring QoS Chapter

This is a correction to the "Classification Based on Class Maps and Policy Maps" section:


Note: When you apply a policy map defined by the policy-map command to the output of an interface or remove the policy map and interface association, the interface goes down. To re-enable the interface, use the shutdown and then the no shutdown interface configuration commands.


Command Reference Corrections and Additions

These are the new and changed commands for this software release:

dot1x system-auth-control

macro apply

show flowcontrol

spanning-tree portfast

switchport host

This is a correction to the "Usage Guidelines" section of the dot1x system-auth-control global configuration command:

If you are using a device running the Cisco Access Control Server (ACS) application for 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.

This is an addition to the "Usage Guidelines" section of the spanning-tree portfast interface configuration command:

To enable Port Fast on trunk ports, you must use the spanning-tree portfast trunk interface configuration command. The spanning-tree portfast command is not supported on trunk ports.

macro apply

Use the macro apply interface configuration command to apply a macro to an interface or to apply and trace a macro configuration on an interface.

macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]

Syntax Description

apply            Apply a macro to the specified interface.
trace            Use the trace keyword to apply a macro to an interface and to debug the macro.
macro-name       Specify the name of the macro.
parameter value  (Optional) Specify unique parameter values that are specific to the interface. You can enter up to three keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value.


Defaults

This command has no default setting.

Command Modes

Interface configuration

Command History

Release      Modification
12.1(19)EA1  This command was introduced.
12.1(20)EA1  The parameter value keywords were added.


Usage Guidelines

You can use the macro trace macro-name interface configuration command to apply and show the macros running on an interface or to debug the macro to find any syntax or configuration errors.

If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the interface.

When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the interface.

Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.

There are Cisco-default Smartports macros embedded in the switch software. You can view these macros and the commands they contain by using the show parser macro user EXEC command.

Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:

View all macros on the switch by using the show parser macro user EXEC command. View the contents of a specific macro by using the show parser macro macro-name user EXEC command.

Keywords that begin with $ mean that a unique parameter value is required. Append the Cisco-default macro with the required values by using the parameter value keywords.

When you apply a macro to an interface, the macro name is automatically added to the interface. You can view the applied commands and macro names by using the show running-config interface interface-id user EXEC command.

A macro applied to an interface range behaves the same way as a macro applied to a single interface. When you use an interface range, the macro is applied sequentially to each interface within the range. If a macro command fails on one interface, it is still applied to the remaining interfaces.

You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.

Examples

After you have created a macro by using the macro name global configuration command, you can apply it to an interface. This example shows how to apply a user-created macro called duplex to an interface:

Switch(config-if)# macro apply duplex

To debug a macro, use the macro trace interface configuration command to find any syntax or configuration errors in the macro as it is applied to an interface. This example shows how to troubleshoot the user-created macro called duplex on an interface:

Switch(config-if)# macro trace duplex
Applying command...`duplex auto'
%Error Unknown error.
Applying command...`speed nonegotiate'

This example shows how to view the Cisco-default cisco-desktop macro and how to apply the macro and set the access VLAN ID to 25 on an interface:

Switch# show parser macro cisco-desktop
--------------------------------------------------------------
Macro name : cisco-desktop
Macro type : default

# Basic interface - Enable data VLAN only
# Recommended value for access vlan (AVID) should not be 1
switchport access vlan $AVID
switchport mode access

# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Switch#
Switch# configure terminal
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# macro apply cisco-desktop $AVID 25
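
The substitution rules in the usage guidelines (case-sensitive matching, every occurrence replaced, a keyword replaced even when it is part of a larger string) can be previewed offline before a macro is applied. This Python example is added here and is not Cisco code; it assumes keyword-value pairs are applied in the order entered, and VOICE_MACRO is a constructed macro used to show the larger-string case.

```python
import re

MAX_PAIRS = 3  # the command accepts up to three keyword-value pairs

# Macro body taken from the "show parser macro cisco-desktop" output above.
CISCO_DESKTOP = """\
# Basic interface - Enable data VLAN only
# Recommended value for access vlan (AVID) should not be 1
switchport access vlan $AVID
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
"""

# Constructed user macro in which one keyword is a prefix of another.
VOICE_MACRO = """\
switchport access vlan $VLAN
switchport voice vlan $VLANVOICE
"""


def expand_macro(body, pairs):
    """Preview the commands a macro would apply; return (commands, warnings)."""
    if len(pairs) > MAX_PAIRS:
        raise ValueError("at most three keyword-value pairs are accepted")
    commands, warnings = [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        original = line
        for keyword, value in pairs:  # assumption: applied in the order given
            for match in re.finditer(re.escape(keyword), line):
                before = line[:match.start()][-1:]
                after = line[match.end():][:1]
                # A neighbouring word character means the keyword sits inside
                # a longer token and will still be replaced.
                if re.match(r"[\w$]", before) or re.match(r"[\w$]", after):
                    warnings.append(
                        f"{keyword} matched inside a larger string in: {original}")
            line = line.replace(keyword, value)  # case-sensitive, all occurrences
        for left in re.findall(r"\$\w+", line):
            warnings.append(f"unresolved keyword {left} in: {original}")
        commands.append(line)
    return commands, warnings
```

With VOICE_MACRO and the pairs `$VLAN 25` and `$VLANVOICE 40`, the preview shows the second line becoming `switchport voice vlan 25VOICE`, which is the kind of command that then fails while the rest of the macro continues to apply.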

Related Commands

Command              Description
macro description    Adds a description about the macros that are applied to an interface.
macro name           Creates a macro.
show parser macro    Displays the macro definition for all macros or for the specified macro.
show running-config  Displays the configuration information currently running on the switch. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 > Cisco IOS File Management Commands > Configuration File Commands.


show flowcontrol

Use the show flowcontrol user EXEC command to display the flow control status and statistics.

show flowcontrol [interface interface-id | module module-slot] [ | {begin | exclude | include} expression]

Syntax Description

interface interface-id  (Optional) Display the flow control status and statistics for a specific interface.
module module-slot      (Optional) Display the flow control status and statistics for all Gigabit Ethernet interfaces. The only valid module-slot value is 0.
| begin                 (Optional) Display begins with the line that matches the expression.
| exclude               (Optional) Display excludes lines that match the expression.
| include               (Optional) Display includes lines that match the specified expression.
expression              Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release      Modification
12.1(14)EA1  This command was introduced.


Usage Guidelines

Use this command to display the flow control status and statistics on the switch or about a specific interface.

Use the show flowcontrol command to display information about all the switch interfaces. The output from the show flowcontrol command is the same as the output from the show flowcontrol module module-slot command.

Use the show flowcontrol interface interface-id command to display information about the Gigabit Ethernet interfaces on the switch.

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.

Examples

This is an example of output from the show flowcontrol command:

Switch> show flowcontrol
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------- -------
Gi0/1      Unsupp.  Unsupp.  off      off         0       0
Gi0/2      desired  off      off      off         0       0
<output truncated>

This is an example of output from the show flowcontrol interface interface-id command:

Switch> show flowcontrol interface gigabitethernet0/2
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------- -------
Gi0/2      desired  off      off      off         0       0

Related Commands

Command      Description
flowcontrol  Sets the receive flow-control state for an interface.


switchport host

Use the switchport host interface configuration command on the switch to optimize a Layer 2 port for a host connection. The no form of this command has no effect on the system.

switchport host

Syntax Description

This command has no arguments or keywords.

Defaults

The default is for the port to not be optimized for a host connection.

Command Modes

Interface configuration

Command History

Release      Modification
12.1(20)EA1  This command was introduced.


Usage Guidelines

To optimize the port for a host connection, the switchport host command sets the switch port mode to access, enables spanning tree Port Fast, and disables channel grouping. Only an end station can accept this configuration.

Because spanning tree Port Fast is enabled, you should enter the switchport host command only on ports that are connected to a single host. Connecting other switches, hubs, concentrators, or bridges to a fast-start port can cause temporary spanning-tree loops.

Enable the switchport host command to decrease the time to start packet forwarding.

Examples

This example shows how to optimize the port configuration for a host connection:

Switch(config-if)# switchport host 
switchport mode will be set to access 
spanning-tree portfast will be enabled 
channel group will be disabled 
Switch(config-if)# 

You can verify your setting by entering the show interfaces interface-id switchport privileged EXEC command.

Related Commands

Command                     Description
show interfaces switchport  Displays the administrative and operational status of a switching (nonrouting) port, including switchport mode.


Hardware Installation Guide Addition

This chapter has new information.

Using Express Setup Chapter

This is a new step in the "Configuring the Switch Settings" section:

Step 2

Enter a VLAN ID in the Management Interface (VLAN ID) field. This is the management interface through which you manage the switch and to which you assign IP information. The Management Interface field displays 1 by default. The VLAN ID range for this field is 1 to 1001.

Related Documentation

These documents provide complete information about the switch and are available from this Cisco.com site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 3550 Multilayer Switch Software Configuration Guide (order number DOC-7811194=)

Catalyst 3550 Multilayer Switch Command Reference (order number DOC-7811195=)

Catalyst 3550 Multilayer Switch System Message Guide (order number DOC-7811196=)

Cluster Management Suite (CMS) online help (available only from the switch CMS software)

Catalyst 3550 Multilayer Switch Hardware Installation Guide (order number DOC-7811358=)

1000BASE-T Gigabit Interface Converter Installation Note (not orderable but is available on Cisco.com)

Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

http://www.cisco.com/tac

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

http://www.cisco.com/tac/caseopen

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
