Release Notes for the Catalyst 3550 Multilayer Switch, Cisco IOS Release 12.1(22)EA7

Table Of Contents

Contents

System Requirements

Hardware Supported

Device Manager System Requirements

Hardware Requirements

Software Requirements

Cluster Compatibility

CNA Compatibility

Upgrading the Switch Software

Finding the Software Version and Feature Set Running on the Switch

Deciding Which Files to Download from Cisco.com

Archiving Software Images

Upgrading a Switch by Using the Device Manager or Network Assistant

Upgrading a Switch by Using the CLI

Upgrading with a Nondefault System MTU Setting

Recovering from a Software Failure

Installation Notes

New Features

Limitations and Restrictions

Cisco IOS Limitations and Restrictions

Device Manager Limitations and Restrictions

Important Notes

Cisco IOS Notes

Device Manager Notes

Open Caveats

Resolved Caveats

Documentation Updates

Documentation Updates in Cisco IOS Release 12.1(22)EA7

Software Configuration Guides

Command References

Documentation Updates in Cisco IOS Release 12.1(22)EA6

Software Configuration Guides

Command References

System Message Guides

Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch

Documentation Updates in Cisco IOS Release 12.1(22)EA5

Software Configuration Guides

Command References

show inventory

System Message Guides

Documentation Updates in Cisco IOS Release 12.1(22)EA4

Software Configuration Guide

Command Reference

Documentation Updates in Cisco IOS Release 12.1(22)EA3

Deleting SVIs

Configuring Router ACLs

Unsupported CLI Commands in Cisco IOS Release 12.1(22)EA3

Documentation Updates in Cisco IOS Release 12.1(22)EA2

Getting Started Guide

Regulatory Compliance and Safety Information Guide

Documentation Flyer

Hardware Installation Guide

Software Configuration Guide

Command Reference

Documentation Updates in Cisco IOS Release 12.1(22)EA1

Software Configuration Guide

Command Reference

System Message Guide

Documentation Updates for All Releases

Administering the Switch

Configuring QoS

Related Documentation

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information



February 2, 2006

Cisco IOS Release 12.1(22)EA7 runs on all Catalyst 3550 multilayer switches.

These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these are the correct release notes for your switch:

If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set Running on the Switch" section on page 5.

If you are upgrading to a new release, see the software upgrade filename for the Cisco IOS version. See the "Deciding Which Files to Download from Cisco.com" section on page 5.

For the complete list of Catalyst 3550 switch documentation, see the "Related Documentation" section on page 69.

You can download the switch software from this site (for registered Cisco.com users with a login password):

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

This Cisco IOS release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future Cisco IOS releases become available, they will be posted to Cisco.com in the Cisco IOS software area.

Cisco IOS Release 12.1(22)EA7 is based on Cisco IOS Release 12.1(22)E7. Open caveats in Cisco IOS Release 12.1(22)E7 also affect Cisco IOS Release 12.1(22)EA7 unless they are listed in the Cisco IOS Release 12.1(22)EA7 resolved caveats list. The list of open caveats in Cisco IOS Release 12.1(22)E6 is available at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/ol_2310.htm#wp1560107

Contents

This information is in the release notes:

"System Requirements" section on page 2

"Upgrading the Switch Software" section on page 4

"Installation Notes" section on page 9

"New Features" section on page 9

"Limitations and Restrictions" section on page 9

"Important Notes" section on page 23

"Open Caveats" section on page 26

"Resolved Caveats" section on page 27

"Documentation Updates" section on page 27

"Related Documentation" section on page 69

"Obtaining Documentation" section on page 70

"Documentation Feedback" section on page 71

"Cisco Product Security Overview" section on page 71

"Obtaining Technical Assistance" section on page 72

"Obtaining Additional Publications and Information" section on page 74

System Requirements

The system requirements for this release are described in these sections:

"Hardware Supported" section on page 2

"Device Manager System Requirements" section on page 3

"Cluster Compatibility" section on page 4

"CNA Compatibility" section

Hardware Supported

Table 1 lists the hardware supported by this release.

Table 1 Supported Hardware

Switch                   Description
Catalyst 3550-12G        10 GBIC-based Gigabit Ethernet slots and 2 Gigabit Ethernet 10/100/1000BASE-T ports
Catalyst 3550-12T        10 Gigabit Ethernet 10/100/1000BASE-T ports and 2 GBIC[1]-based Gigabit Ethernet slots
Catalyst 3550-24         24 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots
Catalyst 3550-24-DC      24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, and an on-board DC-power converter
Catalyst 3550-24-FX      24 100BASE-FX ports and 2 GBIC-based Gigabit Ethernet slots
Catalyst 3550-24PWR      24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, ability to provide power for Cisco IP Phones and Cisco Aironet Access Points from all 10/100 Ethernet ports, auto-detection and control of inline power on a per-port basis on all 10/100 ports
Catalyst 3550-48         48 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots

GBIC modules             1000BASE-SX GBIC
                         1000BASE-LX/LH GBIC
                         1000BASE-ZX GBIC
                         1000BASE-T GBIC
                         GigaStack GBIC
                         CWDM[2] fiber-optic GBIC
                         DWDM[3] fiber-optic GBIC

Redundant power system   Cisco RPS 300 redundant power system[4]
                         Cisco RPS 675 redundant power system[5]

[1] GBIC = Gigabit Interface Converter

[2] CWDM = coarse wavelength-division multiplexing

[3] DWDM = dense wavelength-division multiplexing

[4] The Cisco RPS 300 does not support the Catalyst 3550-24-DC or 3550-24PWR switch.

[5] The Cisco RPS 675 does not support the Catalyst 3550-24-DC switch.


Device Manager System Requirements

These sections describe the hardware and software requirements for using the device manager:

"Hardware Requirements" section on page 3

"Software Requirements" section on page 4

Hardware Requirements

Table 2 lists the minimum hardware requirements for running the device manager.

Table 2 Minimum Hardware Requirements

Processor Speed        DRAM       Number of Colors   Resolution   Font Size
Intel Pentium II[1]    64 MB[2]   256                1024 x 768   Small

[1] We recommend Intel Pentium 4.

[2] We recommend 256-MB DRAM.


Software Requirements

Table 3 lists the supported operating systems and browsers for using the device manager. The device manager verifies the browser version when starting a session to ensure that the browser is supported.


Note The device manager does not require a plug-in.


Table 3 Supported Operating Systems and Browsers

Operating System   Minimum Service Pack or Patch   Microsoft Internet Explorer[1]   Netscape Navigator
Windows 98         None                            5.5 or 6.0                       7.1
Windows NT 4.0     Service Pack 6 or later         5.5 or 6.0                       7.1
Windows 2000       None                            5.5 or 6.0                       7.1
Windows XP         None                            5.5 or 6.0                       7.1

[1] Service Pack 1 or higher is required for Internet Explorer 5.5.


Cluster Compatibility

You cannot create and manage switch clusters through the device manager. Instead, use the command-line interface (CLI) or the Network Assistant application.

When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

When you create a switch cluster, we recommend that you configure the highest-end switch in your cluster as the command switch.

If you are managing the cluster through Network Assistant, the switch with the latest software should be the command switch, unless your command switch is running Cisco IOS Release 12.1(19)EA1 or later.

The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

For additional information about clustering, see the Getting Started with Cisco Network Assistant and the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com), the software configuration guide, and the command reference.

CNA Compatibility

Cisco IOS 12.1(22)EA7 and later are only compatible with Cisco Network Assistant (CNA) 3.1 and later. You can download CNA 3.1 from this URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/NetworkAssistant

For more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.

Upgrading the Switch Software

Before downloading software from Cisco.com to upgrade the switch software, read this section for important information:

"Finding the Software Version and Feature Set Running on the Switch" section on page 5

"Deciding Which Files to Download from Cisco.com" section on page 5

"Archiving Software Images" section on page 6

"Upgrading a Switch by Using the Device Manager or Network Assistant" section on page 7

"Upgrading a Switch by Using the CLI" section on page 7

"Recovering from a Software Failure" section on page 8


Caution When you first upgrade the switch from a Cisco IOS noncryptographic image to a cryptographic image, the bootloader automatically upgrades. The new bootloader upgrade can take up to 30 seconds.

Do not power cycle the switch the first time that you are upgrading the switch to a cryptographic Cisco IOS image. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

When you upgrade a switch, the switch continues to operate while the new software is copied to flash memory. If flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image. If flash memory does not have enough space for two images, the new image is copied over the existing one. Features provided by the new software are not available until you reload the switch.

If a failure occurs while copying a new image to the switch, and the old image has already been deleted, see the "Recovering from Corrupted Software" section in the "Troubleshooting" chapter of the software configuration guide.

Finding the Software Version and Feature Set Running on the Switch

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3550-I5Q3L2 for the EMI or C3550-I9Q3L2 for the SMI.


Note Although the show version output always shows the software image running on the switch (Layer 2 only or Layer 2 and Layer 3), the model name shown at the end of this display is the factory configuration (SMI or EMI) and does not change if you upgrade the software image.


You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Download from Cisco.com

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the files needed for the embedded device manager. To upgrade the switch through the CLI, use the tar file and the archive download-sw privileged EXEC command.

Table 4 lists the software filenames for this release. These files are posted on Cisco.com.

Table 4 Cisco IOS Software Files for Catalyst 3550 Switches

Filename                            Description
c3550-i9q3l2-tar.121-22.EA7.tar     Cisco IOS SMI[1] image file and device manager files. This image has Layer 2+ and basic Layer 3 routing features.
c3550-i5q3l2-tar.121-22.EA7.tar     Cisco IOS EMI[2] image file and device manager files. This image has Layer 2+ and full Layer 3 features.
c3550-i9k2l2q3-tar.121-22.EA7.tar   Cisco IOS SMI cryptographic image file and device manager files. This image has the Kerberos, Secure Shell (SSH), Layer 2+, and basic Layer 3 routing features.
c3550-i5k2l2q3-tar.121-22.EA7.tar   Cisco IOS EMI cryptographic image file and device manager files. This image has the Kerberos, SSH, Layer 2, and full Layer 3 features.

[1] SMI = standard multilayer image

[2] EMI = enhanced multilayer image


The Catalyst 3550 switch is supported by either the SMI, which provides Layer 2+ features and basic Layer 3 routing, or the EMI, which provides Layer 2+ features, full Layer 3 routing, and advanced services. All Catalyst 3550 Gigabit Ethernet switches are shipped with the EMI installed. Catalyst 3550 Fast Ethernet switches are shipped with either the SMI or the EMI installed. After initial deployment, you can order the Enhanced Multilayer Software Image Upgrade kit to upgrade the Catalyst 3550 Fast Ethernet switches from the SMI to the EMI.

Archiving Software Images

Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html

You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.


Note Although you can copy any file on the flash memory to the TFTP server, it is time-consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.


You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Additional File Transfer Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.1 at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_r/frprt2/frd2006.htm#1018426

Upgrading a Switch by Using the Device Manager or Network Assistant

You can upgrade switch software by using the device manager or Network Assistant. From the feature bar, choose Administration > Software Upgrade. For detailed instructions, click Help.


Note When using the device manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.


Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the Catalyst 3550 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image. This procedure requires a configured TFTP server.


Caution When you first upgrade the switch from a Cisco IOS noncryptographic image to a cryptographic image, the bootloader automatically upgrades. The new bootloader upgrade can take up to 30 seconds.

Do not power cycle the switch the first time that you are upgrading the switch to a cryptographic Cisco IOS image. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

To download software, follow these steps:


Step 1 Use Table 4 on page 6 to identify the file that you want to download.

Step 2 Download the software image file. If you have a SmartNet support contract, go to this URL, and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

To download the SMI and EMI files, select Catalyst 3550 software.

To get authorization and to download the cryptographic software files, select Catalyst 3550 3DES Cryptographic Software.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.

For more information, see Appendix B in the Catalyst 3550 Multilayer Switch Software Configuration Guide.

Step 4 Log in to the switch through the console port, a Telnet session, or an SSH session.

Step 5 Verify that you can access the TFTP server from the switch by attempting to ping the TFTP server.

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.


This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3550-i5q3l2-tar.121-22.EA3.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
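The upgrade steps above combine three pieces of information: the running image name that show version prints on its second line (C3550-I5Q3L2 for the EMI, C3550-I9Q3L2 for the SMI, with K2 appearing in the cryptographic image names of Table 4), whether flash has room for a second image, and the archive download-sw command with either /overwrite or /leave-old-sw. The following Python script is an added example, not part of Cisco's release notes: it parses constructed show version and dir flash: output, selects the Table 4 tar file for the same feature set, and builds the command. The sample output text, the tar size passed in, and the rule that free flash must cover the tar size to keep the old image are assumptions made for the example.

```python
import re

# Tar filenames from Table 4 of these release notes, keyed by (feature set, cryptographic).
TAR_FILES = {
    ("SMI", False): "c3550-i9q3l2-tar.121-22.EA7.tar",
    ("EMI", False): "c3550-i5q3l2-tar.121-22.EA7.tar",
    ("SMI", True): "c3550-i9k2l2q3-tar.121-22.EA7.tar",
    ("EMI", True): "c3550-i5k2l2q3-tar.121-22.EA7.tar",
}

# Constructed sample output, shaped like the show version and dir flash: output of a
# Catalyst 3550; it was not captured from a real switch.
SHOW_VERSION_SAMPLE = """\
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
"""

DIR_FLASH_SAMPLE = """\
Directory of flash:/

    2  -rwx        1024   Mar 01 1993 00:03:14  config.text
    3  drwx         192   Mar 01 1993 00:07:05  c3550-i9q3l2-mz.121-22.EA3

15998976 bytes total (4200000 bytes free)
"""

# I5 = EMI, I9 = SMI; the K2 token occurs only in the cryptographic image names of Table 4.
IMAGE_RE = re.compile(r"\(C3550-(I[59])(K2)?(?:Q3L2|L2Q3)-M\),\s+Version\s+(\S+),")
FLASH_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def parse_show_version(text):
    """Return feature set, cryptographic flag and IOS version from show version output."""
    m = IMAGE_RE.search(text)
    if m is None:
        raise ValueError("no Catalyst 3550 image name found in show version output")
    ident, k2, version = m.groups()
    return {
        "feature_set": "EMI" if ident.upper() == "I5" else "SMI",
        "cryptographic": k2 is not None,
        "version": version,
    }


def parse_flash_free_bytes(text):
    """Return the free byte count from the trailer line of dir flash: output."""
    m = FLASH_RE.search(text)
    if m is None:
        raise ValueError("no 'bytes total (... bytes free)' line in dir flash: output")
    return int(m.group(2))


def plan_upgrade(show_version, dir_flash, tftp_server, new_tar_bytes, want_cryptographic=None):
    """Pick the Table 4 tar file for the running feature set and build the
    archive download-sw command. Assumption (not from the release notes): the tar
    size is used as the flash space needed to keep the old image next to the new
    one; when it does not fit, /overwrite is used instead of /leave-old-sw."""
    running = parse_show_version(show_version)
    to_crypto = running["cryptographic"] if want_cryptographic is None else want_cryptographic
    filename = TAR_FILES[(running["feature_set"], to_crypto)]
    keep_old = parse_flash_free_bytes(dir_flash) >= new_tar_bytes
    option = "/leave-old-sw" if keep_old else "/overwrite"
    return {
        "running": running,
        "filename": filename,
        "keep_old_image": keep_old,
        # The first move from a noncryptographic to a cryptographic image triggers the
        # bootloader upgrade described in the Caution: do not power cycle while it runs.
        "bootloader_upgrade": to_crypto and not running["cryptographic"],
        "command": f"archive download-sw {option} /reload tftp://{tftp_server}/{filename}",
    }


if __name__ == "__main__":
    plan = plan_upgrade(SHOW_VERSION_SAMPLE, DIR_FLASH_SAMPLE, "198.30.20.19",
                        new_tar_bytes=5_000_000, want_cryptographic=True)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The bootloader_upgrade flag is the value worth surfacing in any fleet-wide upgrade run: it marks exactly the switches where the Caution in this section applies and where the console should be watched rather than power cycled.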

Upgrading with a Nondefault System MTU Setting

If the switch was running Cisco IOS Release 12.1(8)EA1c or earlier and you had used the system mtu global configuration command to configure a nondefault system maximum transmission unit (MTU) size on your switch, follow these steps to upgrade your switch to Cisco IOS Release 12.1(11)EA1 or later:


Step 1 Upgrade the Cisco IOS software to Cisco IOS Release 12.1(11)EA1 or later.

Step 2 If a system MTU size of greater than 2000 is configured on a Gigabit Ethernet switch (Catalyst 3550-12T or Catalyst 3550-12G), use the system mtu global configuration command to set it to the maximum supported MTU size. The maximum allowable system MTU for Gigabit Ethernet switches is 2000 bytes.

Step 3 Save the running configuration by entering the copy running-config startup-config privileged EXEC command.

Step 4 Reload the switch with the new Cisco IOS software.

Step 5 When the switch comes back up with Cisco IOS Release 12.1(11)EA1 or later, reload the switch a second time by using the reload privileged EXEC command so that the system mtu command takes effect.


Recovering from a Software Failure

If the software fails, you can reload the software. For detailed recovery procedures, see the "Troubleshooting" chapter in the software configuration guide.

Installation Notes

You can assign IP information to your switch by using one of these methods:

Express Setup program, as described in the switch getting started guide. For information about this guide, see the "Getting Started Guide" section on page 49.

CLI-based setup program, as described in the switch hardware installation guide.

DHCP-based autoconfiguration, as described in the switch software configuration guide.

Manually assigned IP address, as described in the switch software configuration guide.

New Features

This release contains these new switch features or enhancements (available in all software images unless otherwise noted):

IEEE 802.1x authentication with restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do not have the credentials to authenticate via the standard IEEE 802.1x authentication processes.

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known Cisco IOS limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

These sections describe the limitations and restrictions:

"Cisco IOS Limitations and Restrictions" section on page 9

"Device Manager Limitations and Restrictions" section on page 22

Cisco IOS Limitations and Restrictions

These limitations and restrictions apply to Cisco IOS configuration:

Modifying a multicast boundary access list does not prevent packets from being forwarded by any multicast routes that were in existence before the access list was modified if the packets arriving on the input interface do not violate the boundary. However, no new multicast routes that violate the updated version of the multicast boundary access list are learned, and any multicast routes that are in violation of the updated access list are not relearned if they age out.

After updating a multicast boundary, the workaround is to use the clear ip mroute privileged EXEC command to delete any existing multicast routes that violate the updated boundary. (CSCdr79083)

When an IP packet with a cyclic redundancy check (CRC) error is received, the per-packet per-Differentiated Services Code Point (DSCP) counter (for DSCP 0) is incremented. Normal networks should not have packets with CRC errors.

There is no workaround. (CSCdr85898)

If you configure the DHCP server to allocate addresses from a pool to the switch, two devices on the network might have the same IP address. Pooled addresses are temporarily allocated to a device and are returned to the pool when not in use. If you save the configuration file after the switch receives such an address, the pooled address is saved, and the switch does not attempt to access the DHCP server after a reboot to receive a new IP address. As a result, two devices might have the same IP address.

The workaround is to make sure that you configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. (CSCds55220)

The show ip mroute count privileged EXEC command might display incorrect packet counts. In certain transient states (for example, when a multicast stream is forwarded only to the CPU during the route-learning process and the CPU is programming this route into the hardware), a multicast stream packet count might be counted twice.

The workaround is to not trust the counter during this transient state. (CSCds61396)

When changing the link speed of a Gigabit Ethernet port from 1000 Mbps to 100 Mbps, there is a slight chance that the port will stop forwarding packets.

The workaround is to shut down the port, and to re-enable it by using the shutdown and no shutdown interface configuration commands. (CSCds84279)

In IP multicast routing and fallback bridging, certain hardware features are used to replicate packets for the different VLANs of an outgoing trunk port. If the incoming speed is line rate, the outgoing interface cannot duplicate that speed (because of the replication of the packets). As a result, certain replicated packets are dropped.

There is no workaround. (CSCdt06418)

When you use the no interface port-channel global configuration command to remove an EtherChannel group, the ports in the port group change to the administratively down state.

The workaround, when you remove an EtherChannel group, is to enter the no shutdown interface configuration command on the interfaces that belonged to the port group to bring them back on line. (CSCdt10825)

In the show interface interface-id privileged EXEC command output, the output buffer failures field shows the number of packets lost before replication. The packets output field shows the successfully sent packets after replication. To determine actual discarded frames, multiply the output buffer failures by the number of VLANs on which the multicast data is replicated.

There is no workaround. (CSCdt26928)

Internet Group Management Protocol (IGMP) packets classified by quality of service (QoS) to map the DSCP value and the class of service (CoS) value in a QoS policy map might modify only the DSCP property and leave the CoS value at zero.

There is no workaround. (CSCdt27705)

If you assign both tail-drop threshold percentages to 100 percent by using the wrr-queue threshold interface configuration command and display QoS information for this interface by using the show mls qos interface statistics privileged command, the drop-count statistics are always zero even if the thresholds were exceeded.

The workaround is to enter the show controllers ethernet-controllers interface-id privileged EXEC command. In the display, the number of discarded frames includes the frames that were dropped when the tail-drop thresholds were exceeded. (CSCdt29703)

Open Shortest Path First (OSPF) path costs and Interior Gateway Routing Protocol (IGRP) metrics are incorrect for switch virtual interface (SVI) ports. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as an outgoing interface.

The workaround is to manually configure the bandwidth of the switch virtual interface (SVI) by using the bandwidth interface configuration command. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as an outgoing interface. (CSCdt29806)

Remote Monitoring (RMON) collection functions on physical interfaces, but it is not supported on EtherChannels and switch virtual interfaces (SVIs).

There is no workaround. (CSCdt36101)

Multicast router information appears in the show ip igmp snooping mrouter privileged EXEC command output when IGMP snooping is disabled. Multicast VLAN Registration (MVR) and IGMP snooping use the same commands to display multicast router information. In this case, MVR is enabled, and IGMP snooping is disabled.

There is no workaround. (CSCdt48002)

When a VLAN interface has been disabled and restarted multiple times by using the shutdown and no shutdown interface configuration commands, the interface might not restart following a no shutdown command.

The workaround is to re-enter the shutdown and no shutdown interface configuration commands to restart the interface. (CSCdt54435)

When you use the ip pim spt-threshold infinity interface configuration command, you want all sources for the specified group to use the shared tree and not use the source tree. However, the switch does not automatically start to use the shared tree. No connectivity problem occurs, but the switch continues to use the shortest path tree for multicast group entries already installed in the multicast routing table.

The workaround is to enter the clear ip mroute privileged EXEC command to force the change to the shared tree. (CSCdt60412)

Configuring too many multicast groups might result in an extremely low memory condition and cause the software control data structure to go out of sync, causing unpredictable forwarding behavior. The memory resources can only be recovered by entering the clear ip mroute privileged EXEC command.

The workaround is to not configure more than the recommended number of multicast routes on the switch. (CSCdt63480)

The dec keyword is not supported in the bridge bridge-group protocol global configuration command. If two Catalyst 3550 switches are connected to each other through an interface that is configured for IP routing and fallback bridging, and the bridge group is configured with the bridge bridge-group protocol dec command, both switches act as if they were the spanning-tree root. Therefore, spanning-tree loops might be undetected.

There is no workaround. (CSCdt63589)

If the number of multicast routes configured on the switch is greater than the switch can support, it might run out of available memory, which can cause it to reboot. This is a limitation in the platform-independent code.

The workaround is to not configure the switch to operate with more than the maximum number of supported multicast routes. You can use the show sdm prefer and show sdm prefer routing privileged EXEC commands to view approximate maximum configuration guidelines for the current SDM template and the routing template. (CSCdt63354)

When you configure an EtherChannel between a Catalyst 3550 switch and a Catalyst 1900 switch, some of the Catalyst 3550 links in the EtherChannel might go down, but one link in the channel remains up, and connectivity is maintained.

The workaround is to disable the Port Aggregation Protocol (PAgP) on both devices by using the channel-group channel-group-number mode on interface configuration command. PAgP negotiation between these two devices is not reliable. (CSCdt78727)

When the switch is operating with equal-cost routes and it is required to learn more unicast routes than it can support, the CPU might run out of memory, and the switch might fail.

The workaround is to remain within the documented recommended and supported limits. (CSCdt79172)

The behavior of a software access control list (ACL) with QoS is different from a hardware ACL with QoS. On the Catalyst 3550 switch, when the QoS hardware rewrites the DSCP of a packet, the rewriting of this field happens before software running on the CPU examines the packet, and the CPU sees only the new value and not the original DSCP value.

When the security hardware ACL matches a packet on input, the match uses the original DSCP value. For output security ACLs, the security ACL hardware should match against the final, possibly changed, DSCP value as set by the QoS hardware. Under some circumstances, a match to a security ACL in hardware prevents the QoS hardware from rewriting the DSCP and causes the CPU to use the original DSCP.

If a security ACL is applied in software (because the ACL did not fit into hardware, and packets were sent to the CPU for examination), the match probably uses the new DSCP value as determined by the QoS hardware, whether or not the ACL is applied at the receiving interface or at the sending interface. When packets are logged by the ACL, this problem can also affect whether or not a match is logged by the CPU, even if the ACL fits into hardware and the permit or deny filtering was completed in hardware.

To avoid these issues, whenever the switch rewrites the DSCP of any packet to a value different from the original DSCP, security access control elements (ACEs) should not contain DSCP-match conditions, whether or not the ACL is being applied to an IP access group or to a VLAN map. This restriction does not apply to ACLs used in QoS class maps.

If the switch is not configured to rewrite the DSCP value of any packet, it is safe to match against DSCP in ACLs used for IP access groups or for VLAN maps because the DSCP does not change as the packet is processed by the switch.

The DSCP field of an IP packet encompasses the two fields that were originally designated precedence and type of service (ToS). Statements relating to DSCP apply equally to either IP precedence or IP ToS.

The workaround is to not match on IP precedence, ToS, or DSCP in a receive ACL (RACL), PACL, or VLAN map unless there is no QoS configuration that causes the DSCP to be rewritten. (CSCdt94355)

When IGMP filtering is enabled and you use the ip igmp profile global configuration command to create an IGMP filter, reserved multicast addresses cannot be filtered. Because IGMP filtering uses only Layer 3 addresses to filter IGMP reports and due to mapping between Layer 3 multicast addresses and Ethernet multicast addresses, reserved groups (224.0.0.x) are always allowed through the switch. Aliased groups can also leak through the switch. For example, if a user is allowed to receive reports from group 225.1.2.3, but not from group 230.1.2.3, aliasing causes the user to receive reports from 230.1.2.3. Aliasing of reserved addresses means that all groups of the form y.0.0.x are allowed through.

There is no workaround. (CSCdv73626)

If a switch stack contains both Catalyst 3550 switches and Catalyst 2900 XL or Catalyst 3500 XL switches, cross-stack UplinkFast (CSUF) is not enabled if the management VLAN on the Catalyst 2900 XL or 3500 XL switches is changed to a VLAN other than VLAN 1 (the default).

The workaround is to make sure that the management VLAN of all Catalyst 2900 XL or 3500 XL switches in the stack is set to VLAN 1. (CSCdv79737)

If you use the ip igmp max-groups interface configuration command to set the maximum number of IGMP groups for an interface to 0, the port still receives group reports from reserved multicast groups (224.0.0.x) and their Layer 2 aliases (y.0.0.x).

There is no workaround. (CSCdv79832)
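The aliasing behind both of the IGMP notes above (the ip igmp profile filter and the ip igmp max-groups 0 case), worked through as an added example in Python; this is not code from the release notes or from Cisco. It maps each group to its Ethernet multicast MAC and reports which denied groups an IGMP profile cannot actually block. The sample profile groups are constructed. The note states the reserved form y.0.0.x; because bit 23 of the group address is also dropped in the MAC mapping, the code also flags y.128.0.x, which goes beyond what the note states.

```python
import ipaddress

# Added illustration (not Cisco code): why an IGMP profile cannot filter
# Layer 2 aliases. Only the low 23 bits of an IPv4 group address survive
# in the Ethernet multicast MAC (RFC 1112), so 32 groups share each MAC.

MAC_PREFIX = "01:00:5e"


def ipv4_mcast_to_mac(group: str) -> str:
    """Return the Ethernet multicast MAC for an IPv4 group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "%s:%02x:%02x:%02x" % (MAC_PREFIX, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def l2_aliases(group: str) -> list:
    """All 32 IPv4 groups in 224.0.0.0/4 that map to the same MAC as group."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [
        str(ipaddress.IPv4Address((first << 24) | (bit23 << 23) | low23))
        for first in range(224, 240)
        for bit23 in (0, 1)
    ]


def is_reserved_alias(group: str) -> bool:
    """True if group shares a MAC with a reserved 224.0.0.x group.

    The note gives the form y.0.0.x; because bit 23 is dropped as well,
    y.128.0.x aliases the same way (assumption from the 23-bit mapping).
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return (low23 >> 8) == 0


def filter_leaks(permitted, denied) -> dict:
    """Map each denied group that would still leak through an IGMP profile
    to the reason: the permitted group sharing its MAC, or a reserved alias."""
    permitted_by_mac = {ipv4_mcast_to_mac(g): g for g in permitted}
    leaks = {}
    for g in denied:
        mac = ipv4_mcast_to_mac(g)
        if mac in permitted_by_mac:
            leaks[g] = permitted_by_mac[mac]
        elif is_reserved_alias(g):
            leaks[g] = "reserved 224.0.0.x alias"
    return leaks


# Constructed sample profile: the note's own pair 225.1.2.3 (permitted) and
# 230.1.2.3 (denied), plus a reserved alias and a group that does not leak.
SAMPLE_PERMITTED = ["225.1.2.3"]
SAMPLE_DENIED = ["230.1.2.3", "239.0.0.5", "232.9.9.9"]

if __name__ == "__main__":
    for g, why in filter_leaks(SAMPLE_PERMITTED, SAMPLE_DENIED).items():
        print(f"{g} leaks ({ipv4_mcast_to_mac(g)}): {why}")
```

Running the block prints the two groups from the sample that the profile cannot stop; 232.9.9.9 is absent because no permitted group shares its MAC and it is not a reserved alias. When planning an IGMP profile, run the intended permit and deny ranges through filter_leaks before relying on the filter for segregation.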

If a port is configured as a secure port with the violation mode as restrict, the secure ports might process packets even after the maximum limit of MAC addresses is reached, but those packets are not forwarded to other ports.

There is no workaround. (CSCdw02638)

Multicast traffic can be temporarily lost when a link comes up in a redundant network and causes the reverse path forwarding (RPF) to change. This only occurs when there are multiple paths between the rendezvous point (RP) and the multicast source.

There is no workaround. (CSCdw27519)

The switch might reload when it is executing the no snmp-server host global configuration command. This is a rare condition that can happen if SNMP traps or informs are enabled and the SNMP agent attempts to send a trap to the host just as it is being removed from the configuration and if the IP address of the host (or the gateway to reach the host) has not been resolved by Address Resolution Protocol (ARP).

The workaround is to ensure that the target host or the next-hop gateway to that host is in the ARP cache (for example, by using a ping command) before removing it from the SNMP configuration. Alternatively, disable all SNMP traps and informs before removing any hosts from the SNMP configuration. (CSCdw44266)

When you access the CISCO-STACK-MIB portTable, the mapping might be off by one from the mapping given by the switch. The objects in this table are indexed by two numbers: portModuleIndex and portIndex. The allowable values for portModuleIndex are 1 through 16. Because 0 is not an allowable value, the value 1 represents module 0.

The workaround is to use the value 1 to represent module 0. (CSCdw71848)

If a port on the Catalyst 3550 switch that is running the Multiple Spanning Tree Protocol (MSTP) is connected to another switch that belongs to a different multiple spanning-tree (MST) region, the Catalyst 3550 port is not recognized as a boundary port when you start the protocol migration process by using the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. This problem occurs only on the root bridge, and when the root bridge is cleared, the boundary ports are not shown because the designated ports do not receive any bridge protocol data units (BPDUs) unless a topology change occurs. This is the intended behavior.

The workaround is to configure the Catalyst 3550 switch for per-VLAN spanning-tree plus (PVST+) by using the spanning-tree mode pvst global configuration command, and then change it to MSTP by using the spanning-tree mode mst global configuration command. (CSCdx10808)

When a large number of VLANs and a large number of trunk ports with allowed VLAN lists are configured on the switch, if you enter the no switchport trunk allowed vlan interface-range command to remove the allowed list for all the trunk ports, the SYS-3-CPUHOG system message might appear.

The workaround is to use the no switchport trunk allowed vlan interface configuration command on each trunk port to remove the allowed list for all the trunk ports. (CSCdx17189)

When 1000 VLANs and more than 40 trunk ports are configured, and the spanning-tree mode changes from MSTP to PVST+ or the reverse, this message appears on the console:

%ETHCNTR-3-RA_ALLOC_ERROR: RAM Access write pool I/O memory allocation failure

There is no workaround. However, we recommend that you reload the switch by using the reload privileged EXEC command. To avoid this problem, configure the system with fewer VLANs and fewer trunk ports, or use the switchport trunk allowed vlan interface configuration command to reduce the number of active VLANs on each trunk port. (CSCdx20106)

Ternary content addressable memory (TCAM) generation might fail when there are multiple ACLs in a policy-map. If you add an entry that checks TCP flags to an access list that is used for QoS classification, the system might report that a hardware limitation has been reached for the policy map. This can occur when the policy map already contains several other access list entries that check different TCP flags or that check TCP or User Datagram Protocol (UDP) port numbers by using an operation different from equal (eq), such as not equal (ne), less than (lt), greater than (gt), or range. When the hardware limitation is reached, the service-policy input policy-map-name interface configuration command is removed from the running configuration of the interface.

Checking for TCP flags and TCP/UDP port numbers using operators other than eq share some of the same hardware resources. The switch supports no more than six checks within a single policy map. An identical check repeated in multiple entries in the same policy map counts as a single instance. If this limit is reached during a TCP or a UDP port number check, the software can often work around the problem by allocating extra entries in the TCAM. There is no workaround if the limit is reached during a check against the TCP flags in the packet. Similar checks in a port ACL applied to the same physical interface as the policy map also count toward the limit.

Because these resources are allocated on a first-come, first-serve basis, rearranging the order of ACLs within a policy map or the order of entries within a single ACL, placing the TCP flags checks as early as possible, might enable the policy map to be loaded into the hardware.

Similar limits apply for any combination of input VLAN maps, input router ACLs, output VLAN maps, and output router ACLs that share the same VLAN label. The switch supports eight checks for all features on the same VLAN label. When the limit is reached, the system might forward packets by using the CPU rather than through hardware, greatly reducing system performance. To determine the VLAN label assigned to a VLAN or interface on input or output, use the show fm vlan or show fm interface privileged EXEC commands. Then use the show fm vlan-label privileged EXEC command to determine which set of features (input VLAN map, input router ACL, output VLAN map, or output router ACL) share this label.

These are the workarounds:

Re-arrange the order of classes within the policy map and the order of entries within the individual access lists in the policy map or within any IP port ACL applied to the interface so that checks for TCP flags are made as early as possible within the policy map. You can also re-arrange the order of the individual ACLs within a VLAN map and the order of the individual entries in a security ACL.

Add an extra entry to the front of an ACL that checks for the same TCP flags that are checked later on in the ACL. If the first entry of the ACL already matches only the TCP protocol, you can duplicate the entry and add a check for the appropriate TCP flags.

Reduce the number of different combinations of TCP flags being tested.

If the other workarounds fail, avoid combining any check against the TCP flags with gt, lt, ne, or range checks within the policy map and port ACL configured on the interface or within the VLAN maps and router ACLs that share the same VLAN label. (CSCdx24363)
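A pre-check for the limit described in this note, as an added Python example that is not code from the release notes or from Cisco. It counts the distinct TCP-flag checks and non-eq port operators across the access lists of a policy map plus the port ACL on the same interface, following only the counting rule the note states (repeats count once, eq does not count, six per policy map), and lists the entries carrying TCP-flag checks so they can be moved earlier. The switch's own hardware accounting is authoritative; the sample ACL entries are constructed.

```python
# Added pre-check (not Cisco code): count the TCP-flag and non-eq port checks
# that the note says share hardware resources, so a policy map can be
# reordered or trimmed before the switch refuses it. Follows only the rule
# stated in the note; the switch's own accounting is authoritative.

TCP_FLAG_KEYWORDS = {"ack", "fin", "psh", "rst", "syn", "urg", "established"}
NON_EQ_OPERATORS = {"ne", "lt", "gt", "range"}
POLICY_MAP_CHECK_LIMIT = 6  # six checks per policy map, per the note


def ace_checks(ace: str) -> set:
    """Return the resource-consuming checks in one access-list entry.

    Checks are normalised as tuples so that an identical check in another
    entry compares equal (the note counts repeats once)."""
    tokens = ace.lower().split()
    checks = set()
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "range" and i + 2 < len(tokens):
            checks.add(("port", "range", tokens[i + 1], tokens[i + 2]))
            i += 3
        elif t in NON_EQ_OPERATORS and i + 1 < len(tokens):
            checks.add(("port", t, tokens[i + 1]))
            i += 2
        elif t == "eq" and i + 1 < len(tokens):
            i += 2  # eq comparisons do not consume this resource
        else:
            if t in TCP_FLAG_KEYWORDS:
                checks.add(("flag", t))
            i += 1
    return checks


def audit_policy_map(policy_acl_entries, port_acl_entries=()) -> dict:
    """Count distinct checks across the policy map's ACL entries plus any
    port ACL on the same interface (the note says both count).

    Returns the count, whether it is within the limit, and the indexes of
    entries with TCP-flag checks (the ones to place as early as possible)."""
    entries = list(policy_acl_entries) + list(port_acl_entries)
    distinct = set()
    flag_entries = []
    for idx, ace in enumerate(entries):
        found = ace_checks(ace)
        distinct |= found
        if any(kind == "flag" for kind, *_ in found):
            flag_entries.append(idx)
    return {
        "checks": len(distinct),
        "within_limit": len(distinct) <= POLICY_MAP_CHECK_LIMIT,
        "flag_entries": flag_entries,
    }


# Constructed sample: ACL entries as they would appear in the access lists
# referenced by a policy map's class maps (not a real configuration).
SAMPLE_POLICY_ACL = [
    "permit tcp any any eq 80",
    "permit tcp any any gt 1023",
    "permit tcp any any gt 1023 established",  # gt 1023 counted once
    "permit udp any any range 10000 20000",
    "permit tcp any any syn",
    "permit tcp any any ne 25",
    "permit tcp any any lt 1024",
]
SAMPLE_PORT_ACL = ["permit tcp any any ack"]  # pushes the total to seven

if __name__ == "__main__":
    print(audit_policy_map(SAMPLE_POLICY_ACL))
    print(audit_policy_map(SAMPLE_POLICY_ACL, SAMPLE_PORT_ACL))
```

The sample policy map alone uses exactly six distinct checks; adding the one-line port ACL on the same interface takes it to seven, which is the situation in which the service-policy command is removed from the interface. The flag_entries list identifies the entries to move toward the front of their ACLs, which is the first workaround the note gives.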

If you apply an ACL to an interface that has a QoS policy map attached and the ACL is configured so that the packet should be forwarded by the CPU or if the configured ACL cannot fit into the TCAM, all packets received from this interface are forwarded to the CPU. Because traffic forwarded to the CPU cannot be policed by the policer configured on the interface, this traffic is not accurately rate-limited to the configured police rate.

The workaround, when QoS rate limiting is configured on an interface, is to configure applied ACLs so that packets are not forwarded by the CPU or to reduce the number of ACEs in the ACL so that it can fit into the TCAM. (CSCdx30485)

When you reboot a Catalyst 3550-24-FX switch, it might loop back packets received on a 100BASE-FX port to its link partner. This can occur before the software takes control of the system and lasts for about 200 milliseconds.

As a result, the link partner might shut down the port when it detects loopback packets, or MAC addresses might be learned on the wrong ports on upstream switches. The network might be unable to deliver packets to a few devices for up to 5 minutes after rebooting the Catalyst 3550-24-FX switch when:

The Catalyst 3550-24-FX switch is connected to one or more switches in the network.

Spanning tree is disabled in the network or the Port Fast feature is enabled on the ports connected to the Catalyst 3550-24-FX switch.

The Catalyst 3550-24-FX switch is power cycled or reloaded from the CLI.

One or more devices in the network transmit a broadcast or multicast packet during the 200-millisecond timing window while the Catalyst 3550-24-FX switch is booting.

This problem corrects itself after 5 minutes or when these devices transmit a broadcast or multicast packet, whichever comes first.

The workaround is to enable spanning tree in the network and to make sure that the Port Fast feature is disabled on all ports connected to the Catalyst 3550-24-FX switch. (CSCdx45558)

If the switch fails for any reason while you are exiting VLAN configuration mode (accessed by entering the vlan database privileged EXEC command), there is a slight chance that the VLAN database might get corrupted. After resetting from the switch, you might see these messages on the console:

%SW_VLAN-4-VTP_INVALID_DATABASE_DATA: VLAN manager received bad data of type device type: value 0 from vtp database

%SW_VLAN-3-VTP_PROTOCOL_ERROR: VTP protocol code internal error

The workaround is to use the delete flash:vlan.dat privileged EXEC command to delete the corrupted VLAN database. Then reload the switch by using the reload privileged EXEC command. (CSCdx19540)

If you apply a large access control list (ACL) and it fills the entire TCAM, the MVR IP multicast data packets are sent to the switch CPU and are not forwarded to the MVR receiver ports.

There is no workaround. (CSCdx80751)

If you create a policy map by using the policy-map policy-map-name global configuration command, enter the class class-map-name policy-map configuration command, and then immediately exit from the policy-map class configuration mode, the policy map does not show its class-map association.

The workaround is to enter another command (such as the police, trust, or set policy-map class configuration commands) after entering the class class-map-name policy-map configuration command. (CSCdx81650)

If a switch and a Cisco redundant power system (RPS) 300 or 675 are connected to different power sources and the switch power supply fails, the Cisco RPS supplies power to the switch. However, after the switch power supply is restored, the Cisco RPS continues providing power to the switch.

When the switch stops receiving power from the Cisco RPS and uses its own power supply to power the switch, pressing the Standby/Active button on the Cisco RPS might cause the switch to reload.


Note: We recommend that you connect the switch and the Cisco RPS to the same power source. For more information, see the Cisco RPS installation guide.


There is no workaround. (CSCdx81023)

When you insert a GigaStack GBIC in a GBIC module slot, the CPU utilization might increase by as much as 6 percent. This increase occurs for each GigaStack GBIC added to the switch. Other types of GBICs do not cause additional CPU utilization.

There is no workaround. (CSCdx90515)

When a community string is assigned by the cluster command switch, you cannot get any dot1dBridge MIB objects by using a community string with a VLAN entity from a cluster member switch.

The workaround is to manually add the cluster community string with the VLAN entity on the member switches for all active VLANs shown in the show spanning-tree summary display. This is an example of such a change, where cluster member 3 has spanning tree on vlan 1-3, and the cluster commander community string is public@es3.

Switch(config)# snmp-server community public@es3@1 RO
Switch(config)# snmp-server community public@es3@2 RO
Switch(config)# snmp-server community public@es3@3 RO

There is no workaround. (CSCdx95501)

A Remote Switched Port Analyzer (RSPAN) source session does not forward monitored traffic to the RSPAN destination session if there is an egress SPAN source port in the session with port security or IEEE 802.1x authentication enabled.

There is no workaround. (CSCdy21035)

Not all traffic is properly mirrored by RSPAN when a port is monitored for egress traffic and the RSPAN VLAN is carried through a Layer 2 protocol tunnel to the RSPAN destination switch.

This happens because the MAC addresses for the original packets as well as the mirrored RSPAN packets are all learned on the tunnel VLAN, so the RSPAN traffic is no longer properly segregated on the tunneling switches.

The workaround is to not include any RSPAN VLANs in any Layer 2 protocol tunnels unless the tunnel is dedicated to a single RSPAN VLAN. (CSCdy37188)

Ingress forwarding on a SPAN destination port does not work if there is an egress SPAN source port in the session with port security or IEEE 802.1x authentication enabled.

There is no workaround. (CSCdy44646)

When the switch receives multicast traffic and IGMP join requests for a multicast group at the same time and it begins to forward the multicast packets, some of the packets might be dropped.

There is no workaround. (CSCdy80326)

If a Catalyst 3550 switch is connected to two routers (Router 1 and Router 2) in this topology:

The link between Router 1 and the switch is a bridge virtual interface (BVI) that belongs to two VLANs (VLAN 100 and VLAN 110) and uses one IP address. The IP subnet for the BVI is the same for both VLANs. The ports in both VLANs operate as Layer 2 interfaces. An SVI with an IP address is configured only on VLAN 100.

The link between Router 2 and the switch is an IP interface that only belongs to VLAN 110.

IP connectivity then exists between Router 1 and the switch. There is no IP connectivity between Router 2 and the switch.

The workaround is to configure another SVI with an IP address on the Catalyst 3550 switch that would be reachable from Router 2. (CSCdy82042)

The 5 minute input rate and 5 minute output rate fields in the output of the show interfaces privileged EXEC command show both rates as 0 bits/sec. If you enter the show interfaces command more than once, these fields might show values greater than 0 bits/sec.

There is no workaround. (CSCdz06305)

When the link between a device with an AC power supply and a Catalyst 3550-24PWR switch is 10 Mbps and half duplex, and the AC power supply is turned off, the switch is in the error-disabled state.

The workaround is to remove the AC power supply, disconnect the Ethernet cable, and then reconnect the Ethernet cable. This ensures that the switch uses inline power. (CSCdz16265)

When you perform a ping from a VLAN to another VLAN on the same switch, the VLAN counter does not change.

There is no workaround. (CSCdz17863)

When you configure a dynamic switchport by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the interface changes from access mode to trunk mode through Dynamic Trunking Protocol (DTP) negotiation.

The workaround is to configure the port as a static access port. (CSCdz32330)

A Catalyst 3550 switch does not adjust the power allocation based on the IEEE class of the powered device. When an IEEE-compliant powered device is connected to a switch, it allocates 15 W (the default) to the port.

There is no workaround. (CSCdz37516)

When an IEEE 802.1x-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not transition to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to transition to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)

If a spanning-tree loop occurs, this message might appear:

MALLOCFAIL, alignment 0. -Process=Syslog Traps -Traceback= 1A3740

This message appears because the switch has run out of I/O memory and is unable to allocate a packet buffer to report the error. You can also verify if the switch runs out of I/O memory by using the show memory privileged EXEC command.

The workaround is to reconfigure the spanning tree to remove the loop. (CSCdz51522)

When a switch receives a bridge STP BPDU from an access port and the egress port is a trunk port, the switch assigns the BPDU a CoS value of 0 instead of 7.

There is no workaround. (CSCdz54043)

After a MAC address is relearned on a new interface, traffic might not be immediately forwarded to the MAC addresses.

There is no workaround. (CSCdz75459)

If a switch configuration contains a large ACL and a per-port per-VLAN policy map and both are attached to two interfaces, when you are copying it to the running configuration, this process might fail because the switch runs out of memory.

These are the workarounds:

Copy the new configuration file to the config.txt file, and reboot the switch.

Save the configuration file as two files: one containing only the ACL configuration and one containing the rest of the configuration (including the QoS and interface configuration). Add the first configuration file to the running-configuration file, and then add the second file to the running-configuration file. (CSCdz54115)

After the no interface tunnel0 global configuration command is entered to remove the tunnel interface, the output from the show running-config privileged EXEC command still shows the tunnel interface that was removed.

This can occur if HSRP interface tracking is configured on another interface to track a tunnel interface, if the no interface command was entered before the HSRP tracking configuration was removed, or if the no standby tunnel0 global configuration command was entered on the other interface to disable tracking.

These are the workarounds:

Before removing the tunnel interface from the configuration, remove the HSRP interface tracking commands in the configuration that specify the tunnel interface.

Use the no standby track global configuration command without specifying an interface to disable HSRP tracking. (CSCdz66450)

Beginning in Cisco IOS Release 12.1(13)EA1, these are the default settings for an IP phone connected to a switch:

The port trust state is to not trust the priority of frames arriving on the IP phone port from connected devices.

The CoS value of incoming traffic is overwritten and set to zero. (CSCdz76948)

The Catalyst 3550 switch only supports the read operation in the sysClearPortTime MIB object (.1.3.6.1.4.1.9.5.1.1.13) in the CISCO-STACK-MIB. Use the clear counters privileged EXEC command to clear the counters.

There is no workaround. (CSCdz87897)

When a Catalyst 3550 switch is connected to a three-port Gigabit Ethernet module in a Cisco 12000 Gigabit Switch Router (GSR) that is configured for Ethernet over Multiprotocol Label Switching (EoMPLS), the switch does not reliably send frames to the GSR.

The workaround is to configure the Catalyst 3550 Gigabit Ethernet interface with the spanning-tree portfast interface configuration command. (CSCea04746)

On a switch running Cisco IOS Release 12.1(12c)EA1 or later, if the switch MTU value is set to a value greater than 1500 and the authentication server and the intermediate devices are not configured with a compatible MTU value, IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) might fail.

The workaround is to reset the switch MTU value to the default value or to configure the same MTU value on the switch, the authentication server, and the intermediate devices. (CSCea05682)

If a cable on an ingress interface is disconnected, an Alteon A184 cannot detect when a 1000BASE-X link between two Catalyst 3550 switches is down.

There is no workaround. (CSCea09786)

Performing an extended ping from one interface to another interface on the same switch can cause high CPU utilization. This can occur when a large number of ping packets are sent and received and is the expected behavior.

The workaround is to not perform a ping from one interface to another on the same switch. (CSCea19301)

The switch does not create an adjacency table entry when the ARP timeout value is 15 seconds and the ARP request times out.

The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)

If the output from the show tcam inacl 1 statistics privileged EXEC command shows that the Ternary content addressable memory (TCAM) is not full and you are applying an ACL, this system message might appear:

%FM-3-UNLOADING: Unloading input vlan label 1 feature from all TCAMs

There is no workaround. (CSCea25658)

If you are configuring a policy map on an interface by using named ACLs and the policy map has 13 named ACLs that include explicit deny statements, these messages might appear when you add an ACL:

QoS: Programming TCAM failed: Unsuccessful ACL merge
 Service Policy attachment failed
 Service Policy xxxx not attached
QM-4-HARDWARE_NOT_SUPPORTED: Hardware limitation has reached for policymap xxxx

These are the workarounds. Only one of these is necessary:

Use numbered ACLs.

Do not use explicit deny statements because the end of an ACL has an implicit deny statement. (CSCec46594)

When three or more Catalyst 3550-24PWR switches are connected through GigaStack GBICs, you can access all the VLANs on the uplink switch, but you can only access VLAN 1 on the other switches.

The workaround is to enter the switchport mode trunk interface configuration command on all of the GigaStack interfaces and to do one of these:

Use the shutdown and then the no shutdown interface configuration commands on the ports.

Save the switch configuration by using the copy running-config startup-config privileged EXEC command, and reload all the switches. (CSCec86258)

The switch uses the same MAC address for all VLAN interfaces. If the destination MAC address in a packet is the same as the MAC address of the VLAN interface, and the VLAN interface for that VLAN is shut down or does not exist, the switch drops the packet.

There is no workaround. (CSCed12004)

When the switch has many routes that use loadsharing among multiple next hops, some of the routes might not loadshare but instead pick only one of the next hops for forwarding all packets on that route. This happens when the portion of the adjacency RAM that has been allotted for multipath routes has been used up.

There is no workaround. (CSCed22152)

The DHCP option-82 format on the Catalyst 3550 switch is inconsistent with other Cisco switches. When the Catalyst 3550 switch is used as the relay agent with DHCP snooping and the option-82 feature using the VLAN-module-port (vlan-mod-port) format, the switch does not assign the correct value to the port identifier (circuit ID suboption). The value is offset by 1 from the actual interface module- and port-number values. The circuitID/port-identifier for Fast Ethernet and Gigabit Ethernet interfaces also have the same module-number but different port-number values. For example, on a Catalyst 3550-24 switch, fastethernet0/1 is reported as module 0/port 0, and gigabitethernet0/1 is reported as module 0/port 24.

There is no workaround. (CSCed29525)
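A decoder for the relay agent information that this note concerns, as an added Python example that is not code from the release notes or from Cisco. It splits a DHCP option 82 value (RFC 3046) into its suboptions, decodes the Cisco vlan-mod-port circuit-id and MAC remote-id formats, and applies the Catalyst 3550 port offset from the note so that a DHCP snooping or forensic tool names the right ingress interface. The sample option bytes are constructed; the assumption that the Gigabit ports follow the Fast Ethernet ports at a model-dependent count (24 on a 3550-24, taken from the note's example) is labelled in the code.

```python
# Added decoder (not Cisco code) for the DHCP relay agent information option
# (option 82, RFC 3046) in the Cisco vlan-mod-port circuit-id and MAC remote-id
# formats, with the Catalyst 3550 port offset described in CSCed29525 applied.


def parse_option82(value: bytes) -> dict:
    """Split an option-82 value into suboptions and decode the Cisco formats."""
    out = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated suboption header")
        subopt, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated suboption data")
        i += 2 + length
        if subopt == 1:
            out["circuit_id"] = parse_cisco_circuit_id(data)
        elif subopt == 2:
            out["remote_id"] = parse_cisco_remote_id(data)
        else:
            out[f"suboption_{subopt}"] = data.hex()
    return out


def parse_cisco_circuit_id(data: bytes) -> dict:
    """Cisco vlan-mod-port circuit-id: type 0, length 4, VLAN (2 bytes),
    module (1 byte), port (1 byte)."""
    if len(data) != 6 or data[0] != 0 or data[1] != 4:
        raise ValueError("circuit-id is not in vlan-mod-port format")
    return {"vlan": int.from_bytes(data[2:4], "big"), "module": data[4], "port": data[5]}


def parse_cisco_remote_id(data: bytes) -> dict:
    """Cisco default remote-id: type 0, length 6, relay agent MAC address."""
    if len(data) != 8 or data[0] != 0 or data[1] != 6:
        raise ValueError("remote-id is not in the Cisco MAC format")
    return {"mac": ":".join(f"{b:02x}" for b in data[2:8])}


def cat3550_interface(module: int, port: int, fastethernet_ports: int = 24) -> str:
    """Name the ingress interface from the circuit-id a Catalyst 3550 reports.

    The 3550 reports port numbers offset by one and continues the Gigabit
    ports after the Fast Ethernet ports (the note's example: port 0 is
    fastethernet0/1 and port 24 is gigabitethernet0/1 on a 3550-24).
    fastethernet_ports is the model's 10/100 port count; applying the same
    split to other 3550 models is an assumption."""
    if port < fastethernet_ports:
        return f"FastEthernet{module}/{port + 1}"
    return f"GigabitEthernet{module}/{port - fastethernet_ports + 1}"


# Constructed sample: option 82 as a 3550-24 relay agent would insert it for
# a request received on gigabitethernet0/1 in VLAN 10 (values made up here).
SAMPLE_OPTION82 = bytes.fromhex(
    "0106" "0004" "000a" "00" "18"    # circuit-id: VLAN 10, module 0, port 24
    "0208" "0006" "001122334455"      # remote-id: relay MAC 00:11:22:33:44:55
)

if __name__ == "__main__":
    info = parse_option82(SAMPLE_OPTION82)
    cid = info["circuit_id"]
    print(info)
    print("ingress:", cat3550_interface(cid["module"], cid["port"]))
```

A correlation tool that assumes the one-based port numbering used by other Cisco switches would attribute the sample request to the wrong port; keying the conversion on the relay agent's platform (for example by the remote-id MAC) avoids that when 3550 and non-3550 relays feed the same DHCP server logs.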

When connected to some third-party devices that send early preambles, a switch port operating at 100 Mbps full duplex or 100 Mbps half duplex might bounce the line protocol up and down. The problem is seen only when the switch is receiving frames.

The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)

Packets received from media types that require SNAP encapsulation of IPv4 packets require the switch to forward SNAP-encapsulated packets. Layer 2 forwarding of IPv4 in SNAP encapsulation ordinarily takes place in hardware (unless a VLAN map or port ACL contains an IP ACL). However, on the Catalyst 3550 switch, Layer 3 forwarding of IPv4 in SNAP can only be done in software. SNAP-encapsulated IPv4 packets that are directed to the router MAC address or the HSRP group MAC address (if this device is the active router in the HSRP group) are forwarded to the switch CPU, potentially causing high CPU utilization levels.

This is a hardware limitation, and there is no workaround. (CSCed59864)

The undersize error counter is incrementing when no undersize packets are present. This condition occurs on IEEE 802.1Q tunnel ports connected to a Nortel or an Alteon Load Balancer.

There is no workaround. (CSCed73388)

When multi-VRF-CE is enabled on the switch, the switch does not support the ip directed-broadcast interface configuration command used to enable forwarding of IP-directed broadcasts on an interface.

There is no workaround. (CSCee05670)

When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked. The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.

There is no workaround. (CSCee16865)

When one Fast Ethernet port on a switch (Switch A) is connected to a packet generator, and another Fast Ethernet port on the switch is connected to a Gigabit Ethernet interface on another switch (Switch B), multicast traffic sent from Switch A to Switch B is incorrectly counted. The output from the show mls qos interface interface-id statistics command for the Gigabit Ethernet interface is incorrect.

There is no workaround. (CSCee19574)

You cannot modify the reAuthMax parameter (defined in the IEEE 802.1x specification), which is set to 2. There is no switch command to address this function. Do not use the dot1x max-req interface configuration command for this function.

There is no workaround. (CSCee80587)

When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked.

The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)

If packets with a bad cyclic redundancy check (CRC) are received on a port, the switch might learn the source MAC address of the bad packet.

There is no workaround. (CSCef15178)

If four switches are connected in a cascaded stack through the GigaStack GBICs, the link between the second and third switches goes down, and is then reconnected, the GBIC LEDs blink amber. The GBIC ports take approximately 1 minute to come up.

There is no workaround. (CSCef17198)

Cross-stack UplinkFast (CSUF) convergence might be slow when the root port goes down in a switch stack that is connected through Gigastack GBICs.

There is no workaround. (CSCef18020)

Whenever a single frame is subject to both ingress and egress SPAN, and both the ingress and the egress SPAN are sent to the same SPAN destination port, the egress copy of the frame is sent out the SPAN destination port before the ingress copy of the frame.

There is no workaround. (CSCef97043)

SNMP get for CiscoEnvMonSupplyStatusDescr, which gives power supply status, does not supply accurate information.

There is no workaround. (CSCeg08870)

The Cisco redundant power system (RPS) 300 supports the Catalyst 3550 multilayer switch and provides redundancy for up to six connected devices until one of these devices requires backup power. If a connected device has a power failure, the Cisco RPS 300 immediately begins supplying power to that device and sends status information to other connected devices that it is no longer available as a backup power source. As described in the device documentation, when the RPS LED on the switch is amber, the Cisco RPS is connected but down. However, this might merely mean that the Cisco RPS is in standby mode. Press the Standby/Active button on the Cisco RPS to put it into active mode. You can view Cisco RPS status through the CLI by using the show rps privileged EXEC command. For more information, see the Cisco RPS documentation.

Storm control or traffic suppression (configured by using the storm-control {broadcast | multicast | unicast} interface configuration command) is supported only on physical interfaces. It is not supported on EtherChannel port channels even though you can enter these commands through the CLI.

Catalyst 3550 switches do not take into account the Preamble and IFG when rate-limiting traffic, which could result in a slightly inaccurate policing rate on a long burst of small frames, where the ratio of the Preamble and IFG to frame size is more significant. This should not be an issue in an environment where the frames are a mix of different sizes.

The Smartports macro to connect the switch and a wireless access point is not supported on Cisco IOS Release 12.1(22)EA3 and later. This feature is supported only on Catalyst 3550 switches running Cisco IOS Release 12.2(25)SEA and later. For more information, see the Release Notes for the Catalyst 3550 Switches, Cisco IOS Release 12.2(25)SEA.

Certain combinations of features create conflicts with the port security feature. In Table 5, No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time. A dash means not applicable.

Table 5 Port Security Compatibility with Other Features

Type of Port                  Compatible with Port Security
DTP¹ port²                    No
Trunk port                    Yes
Dynamic-access port³          No
Routed port                   No
SPAN source port              Yes
SPAN destination port         No
EtherChannel                  No
Tunneling port                Yes
Protected port                Yes
IEEE 802.1x port              Yes
Voice VLAN port⁴              Yes

¹ DTP = Dynamic Trunking Protocol

² A port configured with the switchport mode dynamic interface configuration command

³ A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command

⁴ You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN


Device Manager Limitations and Restrictions

These limitations and restrictions apply to the device manager:

This release supports the same switch cluster compatibilities supported in Cisco IOS Release 12.1(22)EA1. However, you cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI or the Cisco Network Assistant application. For information about Network Assistant, see the "New Features" section on page 9.

When you are prompted to accept the security certificate and you click No, you see only a blank screen, and the device manager does not launch.

The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)

Important Notes

These sections describe the important notes related to this software release:

"Cisco IOS Notes" section on page 23

"Device Manager Notes" section on page 24

Cisco IOS Notes

These are the important Cisco IOS configuration notes related to this release:

Catalyst 3550-24-FX switches support both full- and half-duplex modes, and the default duplex mode is half duplex. Autonegotiation of the duplex mode is not supported.

When you upgrade a Catalyst 3550-24-FX switch to Cisco IOS Release 12.1(13)EA1 or later, all ports are reset to half-duplex mode. This causes a duplex setting mismatch if the switch is connected to another device operating in full-duplex mode. After upgrading to Cisco IOS Release 12.1(13)EA1 or later, configure the Catalyst 3550-24-FX switch to operate in full-duplex mode, if necessary. (CSCdz29482)

The transmit-interface type number interface configuration command is not supported on Catalyst 3550 switches.

In Cisco IOS Release 12.1(19)EA1, the implementation for the option-82 subscriber identification changed from the previous release. The new option-82 format uses a different circuit ID and remote ID suboption, vlan-mod-port. The previous version uses the snmp-ifindex circuit ID and the remote ID suboption.

If you have option 82 configured on the switch and you upgrade to Cisco IOS Release 12.1(19)EA1 or later, the option-82 configuration is not affected. However, when you globally enable DHCP snooping on the switch by using the ip dhcp snooping global configuration command, the previous option-82 configuration is suspended, and the new option-82 format is applied. When you globally disable DHCP snooping on the switch, the previous option-82 configuration is re-enabled.

To provide for backward compatibility, you can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command when you enable DHCP snooping. When DHCP snooping is globally enabled, option-82 information (in the selected format) is only inserted on snooped VLANs.

For more information about using the previous version of option 82 without enabling DHCP snooping, see the software configuration guide for this release.

In Cisco IOS Release 12.1(14)EA1, the implementation for IEEE 802.1x authentication changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added.

If you have IEEE 802.1x authentication configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file does not contain the new commands, and IEEE 802.1x authentication does not operate. After the upgrade is complete, make sure to globally enable IEEE 802.1x authentication by using the dot1x system-auth-control global configuration command. For more information, see the software configuration guide for this release.

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to 2 plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the telephone requires up to two MAC addresses. The address of the Cisco IP Phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the Cisco IP Phone requires additional MAC addresses.

If you configure a port ACL on a physical interface on a switch that has VLAN maps or input router ACLs configured, or if you configure a VLAN map or input router ACL on a switch that has port ACLs configured, a CONFLICT message appears, but the configuration is accepted. The port ACL action has priority on that port over actions in a router ACL or VLAN map applied to the VLAN to which the port belongs.

The result is that packets received on that physical port are permitted or denied based on the port ACL action, without regard to any permit or deny statements in any router ACL or VLAN map. Packets received on other physical ports in the VLAN are still permitted or denied based on any router ACLs or VLAN maps applied to the VLAN. If the port ACL is applied to a trunk port, it overrides any other input ACLs applied to all VLANs on the trunk port.

The default system MTU for traffic on the Catalyst 3550 switch is 1500 bytes. The IEEE 802.1Q tunneling feature increases the frame size by 4 bytes. Therefore, when you configure IEEE 802.1Q tunneling, you must configure all switches in the IEEE 802.1Q network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. You configure the system MTU size by using the system mtu global configuration command.

When you are configuring a cascaded stack of Catalyst 3550 switches by using the GigaStack GBIC module and want to include more than one VLAN in the stack, be sure to configure all the GigaStack GBIC interfaces as trunk ports by using the switchport mode trunk interface configuration command and to use the same encapsulation method by using the switchport encapsulation {isl | dot1q} interface configuration command. For more information about these commands, see the switch command reference for this release.

If the 1000BASE-T GBIC (WS-G5482) module is not securely inserted, the switch might fail to recognize it or might display an incorrect media type following a show interface privileged EXEC command entry. If this happens, remove and reinsert the GBIC module.

If the switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:

00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding.

If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.

Device Manager Notes

These notes apply to the device manager:

We recommend this browser setting to reduce the time Microsoft Internet Explorer takes to display the device manager.

From Microsoft Internet Explorer:

1. Choose Tools > Internet Options.

2. Click Settings in the "Temporary Internet files" area.

3. From the Settings window, choose Automatically.

4. Click OK.

5. Click OK to exit the Internet Options window.

The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip http authentication {enable | local | tacacs}

Configure the HTTP server interface for the type of authentication that you want to use.

enable—Enable password, the default method of HTTP server user authentication.

local—Local user database, as defined on the Cisco router or access server.

tacacs—TACACS server.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show running-config

Verify your entries.

The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.

If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184, where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.

If you are not using the default method of authentication (the enable password), configure the HTTP server interface with the method of authentication used on the switch.

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip http authentication {enable | local | tacacs}

Configure the HTTP server interface for the type of authentication that you want to use.

enable—Enable password, which is the default method of HTTP server user authentication, is used.

local—Local user database, as defined on the Cisco router or access server, is used.

tacacs—TACACS server is used.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show running-config

Verify your entries.

If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.cisco.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch the device manager.
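The HTTP server note above (the enable password is the default method, and the switch should be configured with the authentication method actually in use), together with the port security with voice VLAN note and the IEEE 802.1x post-upgrade note in the "Cisco IOS Notes" section, can be checked offline against a saved running-config. The following is an added example and not Cisco code: it parses a constructed running-config excerpt (SAMPLE_CONFIG, invented for the example) and reports an HTTP server that still relies on the default enable authentication, voice VLAN ports whose port-security maximum is below two, and ports with dot1x port-control auto while dot1x system-auth-control is absent. The function names are the example's own, and the assumption that a port with no port-security maximum line uses a maximum of one is the example's.

```python
"""Offline audit of a Catalyst running-config against three release-note items.

Added example, not Cisco code. SAMPLE_CONFIG is constructed; the check
functions (parse_config, audit) are invented for this illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed 'show running-config' excerpt used as sample input.
SAMPLE_CONFIG = """\
hostname access-sw1
!
ip http server
ip http authentication enable
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 1
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface line lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                      # '!' closes an interface block
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                      # any unindented line is global
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue."""
    findings: List[str] = []
    global_lines, interfaces = parse_config(text)

    # 1. HTTP server authentication: 'enable' is the default method and the
    #    weakest one; a missing 'ip http authentication' line means the default.
    if "ip http server" in global_lines:
        auth = [l for l in global_lines if l.startswith("ip http authentication ")]
        method = auth[0].split()[-1] if auth else "enable"
        if method == "enable":
            findings.append("http: server enabled with default 'enable' password authentication")

    # 2. A voice VLAN port with port security needs a maximum of at least two
    #    secure addresses (one for the phone, one for the PC behind it).
    for name, lines in interfaces.items():
        has_voice = any(l.startswith("switchport voice vlan ") for l in lines)
        has_psec = "switchport port-security" in lines
        if has_voice and has_psec:
            maximum = 1     # assumed default when no 'maximum' line is configured
            for l in lines:
                m = re.match(r"switchport port-security maximum (\d+)$", l)
                if m:
                    maximum = int(m.group(1))
            if maximum < 2:
                findings.append(f"{name}: voice VLAN with port-security maximum {maximum} (< 2)")

    # 3. Per-port IEEE 802.1x does nothing until it is enabled globally.
    dot1x_ports = [n for n, lines in interfaces.items() if "dot1x port-control auto" in lines]
    if dot1x_ports and "dot1x system-auth-control" not in global_lines:
        findings.append("dot1x: 'dot1x system-auth-control' missing; ports "
                        + ", ".join(dot1x_ports) + " will not authenticate")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample excerpt the audit reports the default HTTP authentication, FastEthernet0/1 with a port-security maximum of 1 on a voice VLAN port, and the missing global dot1x enable; FastEthernet0/2 (maximum 2) and FastEthernet0/3 (no voice VLAN) produce no findings.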

Open Caveats

This section describes the open caveats with possible unexpected activity in this software release.

CSCeg35537 (Catalyst 3550-24PWR switches only)

A Catalyst 3550-24PWR switch running Cisco IOS version 12.1(22)EA1 or later with an interface configured as a routed port, full duplex, and connected to another interface configured as a routed port comes up as half duplex when the software on the switch is reloaded.

The workaround is to enter the power inline never, the speed auto, and the duplex auto interface configuration commands or downgrade to Cisco IOS version 12.1(20)EA2 or earlier.


Note If you reload the Catalyst 3550 switches, the system messages about relearned MAC addresses are now logged.


CSCei03743

If you use the no snmp-server enable traps stpx command, BRIDGE-MIB traps are disabled because BRIDGE-MIB traps are enabled when using the stpxNotificationEnable object in the CISCO-STP-EXTENSIONS-MIB.

The workaround is to re-enable the BRIDGE-MIB traps by using the snmp-server enable traps stpx command.

CSCei40022

When a large access control list (ACL) has been configured, a %QATM-4-TCAM_LOW: TCAM resource running low message might appear.

The message is only informational, and this condition has no effect on the functioning of the switch.

CSCsb79318

If the re-authentication timer and re-authentication action are downloaded from the RADIUS server using the Session-Timeout and Termination-Action RADIUS attributes, the switch performs the termination action even when the port is not configured with the dot1x timeout reauth server global configuration command and uses the Termination-Action downloaded from a RADIUS server as part of IEEE 802.1x authorization.

The workaround is to remove the Termination-Action attribute from the IEEE 802.1x policy on the RADIUS server if dot1x timeout reauth server is not configured on the port.

CSCsb82422

The switch does not forward an IEEE 802.1x request that has null credentials.

There is no workaround.

CSCsb93563

When a Cisco IP phone is connected to the switch, the port VLAN ID (PVID) and the voice VLAN ID (VVID) both learn its MAC address. However, after dynamic MAC addresses are deleted, only VVID relearns the IP phone MAC address. MAC addresses are deleted manually or automatically for a topology change or when port security or an IEEE 802.1x feature is enabled or disabled.

There is no workaround.

Resolved Caveats

These caveats have been resolved in this release:

CSCeg50665

Security violations on the switch no longer occur when phantom (fictitious) MAC addresses are added to the MAC address table.

CSCei62600

A Catalyst 3550 no longer restarts unexpectedly, sending this message:

CPU Interface NETWORK error in received packet.

CSCin33082

Configuring static IP routes with new distance values no longer removes routes from the routing table.

CSCsb53477

When using Simple Network Management Protocol to disable the IEEE 802.1x guest VLAN feature, the SNMP client no longer receives an error message.

Documentation Updates

This section provides updates to the product documentation. These changes will be included in the next revision of the Catalyst 3550 switch documentation for Cisco IOS Release 12.1.


Note You can access all Catalyst 3550 documentation at this URL:
http://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.html


"Documentation Updates in Cisco IOS Release 12.1(22)EA7" section on page 28

"Documentation Updates in Cisco IOS Release 12.1(22)EA6" section on page 37

"Documentation Updates in Cisco IOS Release 12.1(22)EA5" section on page 40

"Documentation Updates in Cisco IOS Release 12.1(22)EA4" section on page 45

"Documentation Updates in Cisco IOS Release 12.1(22)EA3" section on page 47

"Documentation Updates in Cisco IOS Release 12.1(22)EA2" section on page 49

"Documentation Updates in Cisco IOS Release 12.1(22)EA1" section on page 57

"Documentation Updates for All Releases" section on page 69

Documentation Updates in Cisco IOS Release 12.1(22)EA7

These are the updates to the product documentation that occurred in Cisco IOS Release 12.1(22)EA7:

Software Configuration Guides, page 28

Command References, page 33

Software Configuration Guides

This information was added or corrected in the Catalyst 3550 Multilayer Switch Software Configuration Guide, Cisco IOS Release 12.1(20)EA2:

IEEE 802.1x Authentication with Restricted VLAN, page 28

Network Admission Control Layer 2 IEEE 802.1x Validation, page 30

Configuring Network Security with ACLs Chapter, page 32

Configuring Fallback Bridging Chapter Correction, page 33

Configuring Port-Based Traffic Control Chapter, page 32

IEEE 802.1x Authentication with Restricted VLAN

This information was added to the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide:

Using IEEE 802.1x Authentication with Restricted VLAN

Configuring a Restricted VLAN

Using IEEE 802.1x Authentication with Restricted VLAN

You can configure a restricted VLAN for each IEEE 802.1x port on a switch to provide limited services to clients that cannot access the guest VLAN. These clients are IEEE 802.1x compliant and cannot access another VLAN because they fail the authentication process. A restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the restricted VLAN.


Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both types of users.


Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in the spanning-tree blocking state. With this feature, the administrator can configure the switch port to be in the restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).

The authenticator keeps a count of failed authentication attempts for the client. When this count exceeds the configured maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attempt count is incremented when RADIUS replies with either an EAP failure or an empty response that contains no EAP packet. When the port moves into the restricted VLAN, the failed attempt counter is reset.

Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves to either the configured VLAN or a VLAN sent by the RADIUS server. You can disable re-authentication. If you do this, the only way to start the authentication process again is for the port to receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event.

After a port moves to the restricted VLAN, it sends a simulated EAP success message to the client, instead of an EAP failure message. This is done to prevent clients from attempting authentication indefinitely. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success.

Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only on access ports.

This feature works with port security. As soon as the port is authorized, a MAC address is provided to port security. If port security does not permit the MAC address or if the maximum secure address count is reached, the port becomes unauthorized and error disabled.

Other port security features such as Dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN.
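The counter, the move into the restricted VLAN, the simulated EAP success and the re-authentication behaviour described above can be followed more easily as a small state machine. The following is an added illustration and not Cisco code: it models one single-host access port with dot1x port-control auto, counts EAP failures and empty RADIUS replies, moves the port into the restricted VLAN after the configured number of attempts, and shows what happens when re-authentication later succeeds or fails. The class and method names (Dot1xPort, radius_reply, reauth_timer_expired, link_down) and the reply kinds are invented for the example; the example reads "after a specified number of authentication attempts" as the max-attempts-th failed reply.

```python
"""Simulation of the IEEE 802.1x restricted-VLAN authenticator behaviour.

Added illustration, not Cisco code. All names are invented for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed kinds of RADIUS reply as seen by the authenticator.
EAP_SUCCESS = "eap-success"
EAP_FAILURE = "eap-failure"
EMPTY_REPLY = "empty"      # reply with no EAP packet; counts as a failure too


@dataclass
class Dot1xPort:
    """One single-host access port with 'dot1x port-control auto'."""
    access_vlan: int
    restricted_vlan: Optional[int] = None   # dot1x auth-fail vlan <id>; None = feature off
    max_attempts: int = 3                   # dot1x auth-fail max-attempts (range 1 to 3)
    reauth_enabled: bool = True             # dot1x reauthentication
    authorized: bool = False
    in_restricted: bool = False
    current_vlan: Optional[int] = None      # None while the port is unauthorized
    failed_attempts: int = 0
    sent_to_client: List[str] = field(default_factory=list)  # EAP messages the switch emitted

    def __post_init__(self) -> None:
        if not 1 <= self.max_attempts <= 3:
            raise ValueError("dot1x auth-fail max-attempts range is 1 to 3")

    def _authorize(self, radius_vlan: Optional[int]) -> None:
        """Normal success: a VLAN sent by RADIUS wins over the configured access VLAN."""
        self.authorized = True
        self.in_restricted = False
        self.failed_attempts = 0
        self.current_vlan = radius_vlan if radius_vlan is not None else self.access_vlan
        self.sent_to_client.append(EAP_SUCCESS)

    def radius_reply(self, kind: str, radius_vlan: Optional[int] = None) -> Optional[int]:
        """Process one RADIUS reply for an authentication attempt; return the port's VLAN."""
        if kind == EAP_SUCCESS:
            self._authorize(radius_vlan)
            return self.current_vlan
        # Both an EAP failure and an empty reply increment the counter.
        self.failed_attempts += 1
        if self.restricted_vlan is not None and self.failed_attempts >= self.max_attempts:
            # Move to the restricted VLAN, reset the counter, and send the client a
            # simulated EAP success so it stops retrying and can run DHCP.
            self.in_restricted = True
            self.authorized = True
            self.current_vlan = self.restricted_vlan
            self.failed_attempts = 0
            self.sent_to_client.append(EAP_SUCCESS)
        else:
            # Attempts left (or no restricted VLAN): real failure, port stays unauthorized.
            self.authorized = False
            self.current_vlan = None
            self.sent_to_client.append(EAP_FAILURE)
        return self.current_vlan

    def reauth_timer_expired(self, kind: str, radius_vlan: Optional[int] = None) -> Optional[int]:
        """Periodic re-authentication of a port sitting in the restricted VLAN."""
        if not self.reauth_enabled or not self.in_restricted:
            # With re-authentication disabled only link down / EAP logoff restarts auth.
            return self.current_vlan
        if kind == EAP_SUCCESS:
            self._authorize(radius_vlan)
        # A failed re-authentication leaves the port in the restricted VLAN.
        return self.current_vlan

    def link_down(self) -> Optional[int]:
        """Link down (or EAP logoff) returns the port to the unauthorized state."""
        self.authorized = False
        self.in_restricted = False
        self.current_vlan = None
        self.failed_attempts = 0
        return self.current_vlan


def demo() -> List[Optional[int]]:
    """Three failed attempts with the default max-attempts, then a successful re-auth."""
    port = Dot1xPort(access_vlan=10, restricted_vlan=2, max_attempts=3)
    trace = [port.radius_reply(r) for r in (EAP_FAILURE, EMPTY_REPLY, EAP_FAILURE)]
    trace.append(port.reauth_timer_expired(EAP_SUCCESS, radius_vlan=20))
    return trace    # [None, None, 2, 20]


if __name__ == "__main__":
    print(demo())
```

The trace shows the port unauthorized for the first two failures, in restricted VLAN 2 after the third, and in RADIUS-assigned VLAN 20 once re-authentication succeeds; with reauth_enabled set to False the timer does nothing and only link_down() takes the port out of the restricted VLAN.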

Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch, clients that are IEEE 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode.

Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" section.

Step 3 

switchport mode access

Set the port to access mode.

Step 4 

dot1x port-control auto

Enable IEEE 802.1x authentication on the port.

Step 5 

dot1x auth-fail vlan vlan-id

Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show dot1x interface interface-id

(Optional) Verify your entries.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state.

This example shows how to enable VLAN 2 as an IEEE 802.1x restricted VLAN:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x auth-fail vlan 2

You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the dot1x auth-fail max-attempts interface configuration command. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.

Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the software configuration guide.

Step 3 

switchport mode access

or

switchport mode private-vlan host

Set the port to access mode,

or

Configure the port as a private-VLAN host port.

Step 4 

dot1x port-control auto

Enable IEEE 802.1x authentication on the port.

Step 5 

dot1x auth-fail vlan vlan-id

Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN.

Step 6 

dot1x auth-fail max-attempts max-attempts

Specify a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.

Step 7 

end

Return to privileged EXEC mode.

Step 8 

show dot1x interface interface-id

(Optional) Verify your entries.

Step 9 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command.

This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:

Switch(config-if)# dot1x auth-fail max-attempts 2

Network Admission Control Layer 2 IEEE 802.1x Validation

This information about the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation feature was added.

This was added to the "Overview" chapter of the switch software configuration guide:

Security Features

NAC Layer 2 IEEE 802.1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devices network access

This information was added to the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the Catalyst 3550 Multilayer Switch Software Configuration Guide, Cisco IOS Release 12.1(20)EA2:

Network Admission Control Layer 2 IEEE 802.1x Validation

In Cisco IOS Release 12.1(22)EA6 and later, the switch supports the NAC Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:

Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]) from the authentication server.

Set the number of seconds between re-authentication attempts as the value of the Session-Timeout RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.

Set the action to be taken when the switch tries to re-authenticate the client by using the Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the session ends. If the value is RADIUS-Request, the re-authentication process starts.

View the NAC posture token, which shows the posture of the client, by using the show dot1x privileged EXEC command.

Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based authentication except that you must configure a posture token on the RADIUS server. For information about configuring NAC Layer 2 IEEE 802.1x validation, see the "Configuring NAC Layer 2 IEEE 802.1x Validation" section in this release note and the "Configuring Periodic Re-Authentication" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the software configuration guide.

For more information about NAC, see the Network Admission Control Software Configuration Guide.

Configuring NAC Layer 2 IEEE 802.1x Validation

In Cisco IOS Release 12.1(22)EA6 or later, you can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server.

Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 IEEE 802.1x validation. The procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the port to be configured, and enter interface configuration mode.

Step 3 

dot1x guest-vlan vlan-id

Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN.

Step 4 

dot1x reauthentication

Enable periodic re-authentication of the client, which is disabled by default.

Step 5 

dot1x timeout reauth-period {seconds | server}

Set the number of seconds between re-authentication attempts.

The keywords have these meanings:

seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.

server—Sets the number of seconds based on the value of the Session-Timeout RADIUS attribute (Attribute[27]) and Termination-Action RADIUS attribute (Attribute[29]).

This command affects the behavior of the switch only if periodic re-authentication is enabled.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

show dot1x interface interface-id

Verify your IEEE 802.1x authentication configuration.

Step 8 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure NAC Layer 2 IEEE 802.1x validation:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period server

Configuring Network Security with ACLs Chapter

This information is added to the "Applying a MAC ACL to a Layer 2 Interface" section of the "Configuring Network Security with ACLs" chapter of the software configuration guide:

When a MAC ACL or VLAN filter is configured to permit MAC addresses, all control traffic, including bridge protocol data units (BPDUs) and Cisco Discovery Protocol (CDP) packets, is denied.

Configuring Port-Based Traffic Control Chapter

This information is added to the "Configuration Guidelines" section of the "Configuring Port-Based Traffic Control Chapter" of the software configuration guide:

When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.

This information is added to the "Enabling and Configuring Port Security" section of the "Configuring Port-Based Traffic Control Chapter" of the software configuration guide:

(Optional) Set the maximum number of secure MAC addresses for the interface. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Configuring Fallback Bridging Chapter Correction

This information is a correction to the "Configuring Fallback Bridging" chapter of the Catalyst 3550 Multilayer Switch Software Configuration Guide, Cisco IOS Release 12.1(20)EA2:

This example shows how to create bridge group 10 and to specify that the VLAN-bridge STP runs in the bridge group. It defines an SVI for VLAN 2 and assigns it to the bridge group:

Switch(config)# bridge 10 protocol vlan-bridge
Switch(config)# vlan 2
Switch(config-vlan)# exit
Switch(config)# interface vlan2
Switch(config-if)# bridge-group 10
Switch(config-if)# exit

Command References

These commands were added to the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2:

dot1x auth-fail max-attempts, page 33

dot1x auth-fail vlan, page 34

These commands were updated:

show dot1x, page 36

show interfaces accounting

dot1x auth-fail max-attempts

Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.

dot1x auth-fail max-attempts max-attempts

no dot1x auth-fail max-attempts

Syntax Description

max-attempts

Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3; the default value is 3.


Defaults

The default is 3 attempts.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(22)EA7

This command was introduced.


Usage Guidelines

If you reconfigure the maximum number of authentication failures allowed by the VLAN, the change takes effect after the re-authentication timer expires.

Examples

This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on Gigabit Ethernet interface 1:

Switch# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x auth-fail max-attempts 2
Switch(config-if)# end
Switch#

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command
Description

dot1x auth-fail vlan [vlan id]

Enables the optional restricted VLAN feature.

dot1x max-reauth-req [count]

Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.

show dot1x [interface interface-id]

Displays IEEE 802.1x status for the specified port.


dot1x auth-fail vlan

Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.

dot1x auth-fail vlan vlan-id

no dot1x auth-fail vlan vlan-id

Syntax Description

vlan-id

Specify a VLAN in the range of 1 to 4094.


Defaults

No restricted VLAN is configured.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(22)EA7

This command was introduced.


Usage Guidelines

You can configure a restricted VLAN on ports configured as follows:

single-host (default) mode only

auto mode for authorization

You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if re-authentication is disabled. To start the re-authentication process, the restricted VLAN must receive a link down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If the host is connected through a hub, the port might never receive a link down event and might not detect the new host until the next re-authentication attempt occurs. Therefore, re-authentication should be enabled.

If the user fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the user. Because the user is not notified of the authentication failure, there might be confusion as to why there is restricted access to the network. An EAP success message is sent for these reasons:

If the EAP success message is not sent, the user tries to authenticate every 60 seconds (the default) by sending an EAP-start message.

Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.

A user might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the user passes the correct username and password combination, the port remains in the restricted VLAN.

Internal VLANs that are used for Layer 3 ports cannot be configured as a restricted VLAN.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.

When a restricted VLAN port is moved to an unauthorized state, the authentication process is restarted. If the user fails the authentication process again, the authenticator waits in the held state. After the user has correctly re-authenticated, all IEEE 802.1x ports are re-initialized and treated as normal IEEE 802.1x ports.

When you reconfigure a restricted VLAN to a different VLAN, any ports in the restricted VLAN are also moved and the ports stay in their current authorized state.

When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state and the authentication process is restarted. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted. As soon as the restricted VLAN becomes active, the port is placed in the restricted VLAN.

The restricted VLAN is supported only in single-host mode (the default port mode).

When a port is placed in a restricted VLAN, the user's MAC address is added to the MAC address table. If a new MAC address appears on the port, it is treated as a security violation.

Examples

This example shows how to configure a restricted VLAN on Gigabit Ethernet interface 1:

Switch# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x auth-fail vlan 40
Switch(config-if)# end
Switch(config)# end
Switch#

You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command
Description

dot1x auth-fail max-attempts [max-attempts]

Configures the number of authentication attempts allowed before assigning a user to the restricted VLAN.

show dot1x [interface interface-id]

Displays IEEE 802.1x status for the specified port.


show dot1x

The output for these commands changed:

This is an example of output from the show dot1x all privileged EXEC command when a restricted VLAN is configured:

Switch# show dot1x all
Dot1x Info for interface GigabitEthernet0/1 
----------------------------------------------------
Supplicant MAC 0002.b3eb.0df6
AuthSM State          = AUTHENTICATED(AUTH-FAIL-VLAN)
BendSM State          = IDLE
Posture               = N/A
PortStatus            = AUTHORIZED(AUTH-FAIL-VLAN)
MaxReq                = 2 
MaxAuthReq            = 2 
HostMode              = Single 
PortControl           = Auto
ControlDirection      = Both
QuietPeriod           = 10 Seconds 
Re-authentication     = Disabled 
ReAuthPeriod          = 3600 Seconds
ServerTimeout         = 30 Seconds 
SuppTimeout           = 30 Seconds 
TxPeriod              = 10 Seconds 
Guest-Vlan            = 3 
AuthFail-Vlan         = 4 
AuthFail-Max-Attempts = 3 

This is an example of output from the show dot1x interface fastethernet0/3 privileged EXEC command:

Switch# show dot1x interface fastethernet0/3
Supplicant MAC 00d0.b71b.35de
   AuthSM State      = AUTHENTICATED (AUTH-FAIL-VLAN)
   BendSM State      = IDLE
ReAuthPeriod = 4000 Seconds { (From Authentication Server) | (Locally Configured) }
ReAuthAction = { Terminate | Reauthenticate }
TimeToNextReauth = 1453 Seconds
PortStatus        = AUTHORIZED
MaxReq            = 2 
HostMode          = Single (AUTH-FAIL-VLAN) 
Port Control      = Auto
QuietPeriod       = 60 Seconds 
Re-authentication = Disabled 
ReAuthPeriod      = 3600 Seconds
ServerTimeout     = 30 Seconds 
SuppTimeout       = 30 Seconds 
TxPeriod          = 30 Seconds 
Guest-Vlan        = 0 
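
A small audit script for the output above, as an added example (not Cisco code and not part of these release notes): it parses show dot1x all output into per-interface fields and applies the restricted-VLAN usage guidelines from the dot1x auth-fail vlan entry, flagging a port that has a restricted VLAN configured while re-authentication is disabled or that is not in single-host mode, and listing ports currently sitting in the restricted VLAN. The GigabitEthernet0/1 block is the output shown above; the GigabitEthernet0/2 block, its MAC address, and the function names are constructed for the example.

```python
import re

# Per-interface header in "show dot1x all" output.
HEADER_RE = re.compile(r"^Dot1x Info for interface (\S+)\s*$")
# "Key = value" lines; keys may contain one space ("AuthSM State", "Port Control").
KV_RE = re.compile(r"^\s*([A-Za-z][\w\-]*(?: [A-Za-z]+)?)\s*=\s*(.*?)\s*$")

# Sample input: GigabitEthernet0/1 is the output from the release notes;
# GigabitEthernet0/2 is constructed to show a port that passes the checks.
SAMPLE_OUTPUT = """\
Switch# show dot1x all
Dot1x Info for interface GigabitEthernet0/1
----------------------------------------------------
Supplicant MAC 0002.b3eb.0df6
AuthSM State          = AUTHENTICATED(AUTH-FAIL-VLAN)
BendSM State          = IDLE
Posture               = N/A
PortStatus            = AUTHORIZED(AUTH-FAIL-VLAN)
MaxReq                = 2
MaxAuthReq            = 2
HostMode              = Single
PortControl           = Auto
ControlDirection      = Both
QuietPeriod           = 10 Seconds
Re-authentication     = Disabled
ReAuthPeriod          = 3600 Seconds
ServerTimeout         = 30 Seconds
SuppTimeout           = 30 Seconds
TxPeriod              = 10 Seconds
Guest-Vlan            = 3
AuthFail-Vlan         = 4
AuthFail-Max-Attempts = 3
Dot1x Info for interface GigabitEthernet0/2
----------------------------------------------------
Supplicant MAC 0000.0c12.3456
AuthSM State          = AUTHENTICATED
BendSM State          = IDLE
PortStatus            = AUTHORIZED
HostMode              = Single
PortControl           = Auto
Re-authentication     = Enabled
ReAuthPeriod          = 3600 Seconds
Guest-Vlan            = 3
AuthFail-Vlan         = 4
AuthFail-Max-Attempts = 3
"""


def parse_show_dot1x_all(text):
    """Return {interface: {field: value}} from show dot1x all output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ports.setdefault(m.group(1), {})
            continue
        if current is None or line.startswith("---") or not line.strip():
            continue
        if line.startswith("Supplicant MAC"):
            current["Supplicant MAC"] = line.split(None, 2)[2]
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return ports


def _vlan(value):
    """VLAN fields print 0 when no VLAN is configured."""
    try:
        return int(value.split()[0])
    except (ValueError, IndexError):
        return 0


def audit_dot1x(ports):
    """Apply the restricted-VLAN guidelines; returns (interface, finding) pairs."""
    findings = []
    for name, info in sorted(ports.items()):
        restricted = _vlan(info.get("AuthFail-Vlan", "0"))
        if restricted and info.get("Re-authentication", "").lower() == "disabled":
            findings.append((name, f"restricted VLAN {restricted} configured but re-authentication is disabled"))
        if restricted and not info.get("HostMode", "Single").startswith("Single"):
            findings.append((name, "restricted VLAN requires single-host mode"))
        if "AUTH-FAIL-VLAN" in info.get("PortStatus", ""):
            findings.append((name, "port is in the restricted VLAN after failed authentication"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_dot1x(parse_show_dot1x_all(SAMPLE_OUTPUT)):
        print(f"{interface}: {finding}")
```

Run against a saved show dot1x all capture, the script reports the two findings for GigabitEthernet0/1 (re-authentication disabled with a restricted VLAN, and the port currently in that VLAN) and nothing for the constructed GigabitEthernet0/2.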

show interfaces accounting

This note was added to the Syntax Description section:


Note The display shows only packets processed in software; hardware-switched packets cannot be displayed.


Documentation Updates in Cisco IOS Release 12.1(22)EA6

These are the updates to the product documentation that occurred in Cisco IOS Release 12.1(22)EA6:

"Software Configuration Guides" section on page 37

"Command References" section on page 37

"System Message Guides" section on page 38

"Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch" section on page 38

Software Configuration Guides

You can enable IEEE 802.1x authentication on an RSPAN destination or an RSPAN reflector port but not on a SPAN destination port.

This is the update for the "Using IEEE 802.1x Authentication with Guest VLAN" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guides for this release:

You can enable optional guest VLAN behavior by using the dot1x guest-vlan supplicant global configuration command. When it is enabled, the switch does not maintain the EAPOL packet history and allows clients that fail authentication to access the guest VLAN, regardless of whether EAPOL packets had been detected on the interface.


Note Depending on the switch configuration, this process can take up to several minutes.


The set up default next-hop route-map configuration command is not supported.

The class class-default policy-map configuration command, where class-default is the class-map-name, is not supported.

Command References

For the errdisable detect cause global configuration command, the loopback keyword was added in Cisco IOS Release 12.2(13)EA1.

System Message Guides

This system message was added:

Error Message    DOT1X-5-ERR_SPANDST: Dot1x can not be enabled on [chars].  It is 
configured as a SPAN Dest port. 

Explanation    This message means that IEEE 802.1x authentication and SPAN destination ports are mutually exclusive features. [chars] is a port.

Recommended Action    Disable the SPAN destination port configuration before reconfiguring IEEE 802.1x on the port.

Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch

This information was added:

Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails

Warning


Voice over IP (VoIP) service and the emergency calling service do not function if power fails or is disrupted. After power is restored, you might have to reset or reconfigure equipment to regain access to VoIP and the emergency calling service. In the USA, this emergency number is 911. You need to be aware of the emergency number in your country. Statement 361

Warning (Dutch translation)

Voice over IP (VoIP) service and the emergency calling service do not work if there is a power failure. After power is restored, you may have to reconfigure your equipment to regain access to VoIP and emergency calling. In the US, the emergency number is 911. You must find out the emergency number in your country.

Warning (Finnish translation)

Voice over IP (VoIP) service and the emergency calling service do not work if power fails or its supply is disrupted. When the power supply is normal again, you may have to reset or reconfigure the equipment before you can use the VoIP and emergency calling services again. In the United States the emergency number is 911. Find out the emergency number used in your own country.

Warning (French translation)

The Voice over IP (VoIP) service and the emergency calling service do not work in the event of a power failure. Once power is restored, you may have to reset or reconfigure the system to regain access to the VoIP service and the emergency calling service. In the United States, the emergency services number is 911. You must know the emergency number in effect in your country.

Warning (German translation)

In the event of a power failure or a restricted power supply, the VoIP service and emergency calling do not work. Once the power supply is restored, you may have to reset or reconfigure the equipment to restore access to VoIP and emergency calling. The emergency number in the USA is 911. In an emergency, dial the emergency number designated for your country.

Warning (Italian translation)

The Voice over IP (VoIP) service and the emergency calling service do not work if the power supply is interrupted. Once power is restored, it may be necessary to reset or reconfigure the equipment to regain access to the VoIP service and the emergency calling service. In the United States, the emergency number is 911. Find out the emergency number for your own country.

Warning (Norwegian translation)

The Voice over IP (VoIP) service and the emergency calling service do not work during a power outage. After power returns, you may have to reset or reconfigure the equipment to regain access to VoIP and the emergency calling service. In the USA this emergency number is 911. You must know the emergency number in your country.

Warning (Portuguese translation)

The Voice over IP (VoIP) service and the emergency calling service do not work if there is a power cut. After the power supply is restored, it may be necessary to restart or reconfigure the equipment to use the VoIP or emergency calling services again. In the USA, the emergency number is 911. It is important that you know the emergency number in your country.

Warning (Spanish translation)

The voice over IP (VoIP) service and the emergency calling service do not work if the power supply is interrupted. After the supply is restored, you may have to reset or reconfigure the equipment to regain access to the VoIP and emergency calling services. In the United States the emergency number is 911. Make sure you obtain the emergency number for your country.

Warning (Swedish translation)

The Voice over IP (VoIP) service and the emergency number service do not work during a power outage. After the power returns, you may have to reset or reconfigure the equipment to regain access to VoIP and the emergency number service. In the USA this emergency number is 911. You should find out the emergency number that applies in your country.

 


Documentation Updates in Cisco IOS Release 12.1(22)EA5

These are the updates to the product documentation that occurred in Cisco IOS Release 12.1(22)EA5:

"Software Configuration Guides" section on page 41

"System Message Guides" section on page 44

Software Configuration Guides

This information was added to the "IEEE 802.1x Authentication Configuration Guidelines" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide:

When a PC is attached to a switch through a hub, is authenticated on an IEEE 802.1x multiple-hosts port, is moved to another port, and is then attached through another hub, the switch does not authenticate the PC. The workaround is to decrease the number of seconds between re-authentication attempts by entering the dot1x timeout reauth-period seconds interface configuration command.

This information was added to the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide:

Using IEEE 802.1x Authentication with Wake-on-LAN

The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in environments where administrators need to connect to systems that have been powered down.

When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, so WoL magic packets cannot reach the host. While the PC is powered off, it is not authorized, and the switch port is not opened.

When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other devices in the network.


Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.


When you configure a port as unidirectional by using the dot1x control-direction in interface configuration command, the port changes to the spanning-tree forwarding state. The port can send packets to the host but cannot receive packets from the host.

When you configure a port as bidirectional by using the dot1x control-direction both interface configuration command, the port is access-controlled in both directions. The port does not receive packets from or send packets to the host.

show dot1x all Command Output

The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:

Supplicant MAC 0002.b39a.9275
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED

If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:

ControlDirection  = In

If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:

ControlDirection  = In (Disabled due to port settings)

These are the updates for the "Using IEEE 802.1x Authentication with Guest VLAN" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guides for this release:

With Cisco IOS Release 12.1(22)EA5 and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to the interface is an IEEE 802.1x-capable supplicant, and the interface does not transition to the guest VLAN state. The EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, it is transitioned to the guest VLAN state.


Note If an EAPOL packet is detected on the wire after the interface has transitioned to the guest VLAN, the interface reverts to an unauthorized state, and 802.1x authentication restarts.


These are updates for the "Configuring IEEE 802.3z Flow Control" section in the "Configuring Interface Characteristics" chapter of the software configuration guides for this release:

The section should be called "Configuring IEEE 802.3x Flow Control" and references to IEEE 802.3z flow control should be IEEE 802.3x flow control.

Command References

This command was added in Cisco IOS Release 12.1(22)EA5:

dot1x control-direction

Use the dot1x control-direction interface configuration command to enable the IEEE 802.1x authentication with wake-on-LAN (WoL) feature and to configure the port control as unidirectional or bidirectional. Use the no form of this command to return to the default setting.

dot1x control-direction {in | both}

no dot1x control-direction

Syntax Description

in

Enable unidirectional control on the port. The port can send packets to the host but cannot receive packets from the host.

both

Enable bidirectional control on the port. The port cannot receive packets from or send packets to the host.


Defaults

The port is set to bidirectional mode.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(22)EA5

This command was introduced.


Usage Guidelines

Using the both keyword and using the no form of this command have the same effect: both return the port to its bidirectional default setting.

Examples

This example shows how to enable unidirectional control:

Switch(config-if)# dot1x control-direction in

These examples show how to enable bidirectional control:

Switch(config-if)# dot1x control-direction both
Switch(config-if)# no dot1x control-direction 

You can verify your settings by entering the show dot1x all privileged EXEC command.

The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:

Supplicant MAC 0002.b39a.9275
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED

If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:

ControlDirection  = In

If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:

ControlDirection  = In (Disabled due to port settings)

Related Commands

Command
Description

show dot1x all [interface interface-id]

Displays control-direction port setting status for the specified interface.


These are updates to the command references for this release:

In the Catalyst 3550 Multilayer Switch Command Reference, the show inventory user EXEC command was added.

show inventory

Use the show inventory user EXEC command to display product identification (PID) information for the hardware.

show inventory [entity-name | raw] [ | {begin | exclude | include} expression]

Syntax Description

entity-name

(Optional) Display the specified entity. For example, enter the interface (such as gigabitethernet1/0/1) into which a small form-factor pluggable (SFP) module is installed.

raw

(Optional) Display every entity in the device.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.1(22)EA5

This command was introduced.


Usage Guidelines

The command is case sensitive. With no arguments, the show inventory command produces a compact dump of all identifiable entities that have a product identifier. The compact dump displays the entity location (slot identity), entity description, and the unique device identifier (UDI) (PID, VID, and SN) of that entity.


Note If there is no PID, no output appears when you enter the show inventory command.


Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.

Examples

This is example output from the show inventory command:

Switch> show inventory
NAME: "sw-1-3-f48", DESCR: "Cisco Catalyst 3550 48 10/100 baseT ports + 2 Gig uplinks 
fixed configuration Layer 2/3 Ethernet Switch"
PID: WS-C3550-48       , VID: C0 , SN: CHK0614V09S

System Message Guides

This is the new system message for Cisco IOS Release 12.1(22)EA5:

Error Message    DHCP_SNOOPING-3-DHCP_SNOOPING_INTERNAL_ERROR: DHCP Snooping internal 
error, [chars].

Explanation    This message means that a software sanity check failed in the DHCP snooping process. [chars] is the error message.

Recommended Action    Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section on page 7 of the system message guide for this release.

Error Message    DHCP_SNOOPING-4-DHCP_SNOOPING_PVLAN_WARNING: DHCP Snooping 
configuration may not take effect on secondary vlan [dec]. [chars].

Explanation    This message means that if private VLANs are configured, the DHCP snooping configuration on the primary VLAN automatically propagates to all the secondary VLANs. [dec] is the ID of the secondary VLAN, and [chars] is the warning.

Recommended Action    No action is required.

Error Message    DOT1X-5-NO_UNIDIR_EDGE: Unidirectional port-control is configured on 
interface [chars], but will not be activated.  Port is not configured for portfast. 

Explanation    This message means that the unidirectional port-control feature is configured but not activated because the specified interface is not configured as a PortFast port. [chars] is the interface.

Recommended Action    To activate the unidirectional port-control feature, enter the spanning-tree portfast interface configuration command.

Documentation Updates in Cisco IOS Release 12.1(22)EA4

These are the updates to the product documentation that occurred in Cisco IOS Release 12.1(22)EA4:

"Software Configuration Guide" section on page 45

"Command Reference" section on page 47

Software Configuration Guide

These features were updated in Cisco IOS Release 12.1(22)EA4.

"IEEE 802.1x Accounting Attribute-Value Pairs" section on page 45

"Supported MIBs" section on page 47

"Unsupported CLI Commands" section on page 47

IEEE 802.1x Accounting Attribute-Value Pairs

This information was added to the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guides:

The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for IEEE 802.1x accounting. Three types of RADIUS accounting packets are sent by a switch:

START-sent when a new user session starts

INTERIM-sent during an existing session for updates

STOP-sent when a session terminates

Table 6 lists the AV pairs and when they are sent by the switch:

Table 6 Accounting AV Pairs

Attribute Number   AV Pair Name           START    INTERIM        STOP
Attribute[1]       User-Name              Always   Always         Always
Attribute[4]       NAS-IP-Address         Always   Always         Always
Attribute[5]       NAS-Port               Always   Always         Always
Attribute[8]       Framed-IP-Address      Never    Sometimes (1)  Sometimes (1)
Attribute[25]      Class                  Always   Always         Always
Attribute[30]      Called-Station-ID      Always   Always         Always
Attribute[31]      Calling-Station-ID     Always   Always         Always
Attribute[40]      Acct-Status-Type       Always   Always         Always
Attribute[41]      Acct-Delay-Time        Always   Always         Always
Attribute[42]      Acct-Input-Octets      Never    Never          Always
Attribute[43]      Acct-Output-Octets     Never    Never          Always
Attribute[44]      Acct-Session-ID        Always   Always         Always
Attribute[45]      Acct-Authentic         Always   Always         Always
Attribute[46]      Acct-Session-Time      Never    Never          Always
Attribute[49]      Acct-Terminate-Cause   Never    Never          Always
Attribute[61]      NAS-Port-Type          Always   Always         Always

1 The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Control Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.

You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about these commands, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122debug

See RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines," for more information about AV pairs.
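
As an added example (not Cisco code and not from the release notes), this Python builds and decodes a RADIUS Accounting-Request the way a collector or a monitoring sensor would see one arriving from the switch: it verifies the RFC 2866 Request Authenticator with the shared secret, decodes the attributes, and then checks the decoded set against the "Always" columns of Table 6 for the packet's Acct-Status-Type. The shared secret, addresses, session values, and function names are constructed for the example; the attribute numbers are the IANA values listed in the table.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                           # RADIUS Code for Accounting-Request (RFC 2866)
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3    # Acct-Status-Type values

# Attribute numbers from Table 6 (IANA RADIUS attribute types).
ATTR = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8,
    "Class": 25, "Called-Station-Id": 30, "Calling-Station-Id": 31,
    "Acct-Status-Type": 40, "Acct-Delay-Time": 41, "Acct-Input-Octets": 42,
    "Acct-Output-Octets": 43, "Acct-Session-Id": 44, "Acct-Authentic": 45,
    "Acct-Session-Time": 46, "Acct-Terminate-Cause": 49, "NAS-Port-Type": 61,
}
NAME = {v: k for k, v in ATTR.items()}
INT_ATTRS = {5, 40, 41, 42, 43, 45, 46, 49, 61}   # 32-bit unsigned integers
IP_ATTRS = {4, 8}                                  # 4-octet IPv4 addresses

# "Always" columns of Table 6 per packet type; Framed-IP-Address (8) is only "Sometimes".
ALWAYS_SENT = {
    ACCT_START:   {1, 4, 5, 25, 30, 31, 40, 41, 44, 45, 61},
    ACCT_INTERIM: {1, 4, 5, 25, 30, 31, 40, 41, 44, 45, 61},
    ACCT_STOP:    {1, 4, 5, 25, 30, 31, 40, 41, 42, 43, 44, 45, 46, 49, 61},
}


def encode_attr(num, value):
    """Encode one Type-Length-Value attribute; Length counts the two header octets."""
    if num in INT_ATTRS:
        data = struct.pack("!I", value)
    elif num in IP_ATTRS:
        data = ipaddress.IPv4Address(value).packed
    else:
        data = value.encode() if isinstance(value, str) else bytes(value)
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", num, len(data) + 2) + data


def build_accounting_request(identifier, secret, attrs):
    """Build an Accounting-Request from (name, value) pairs in send order."""
    body = b"".join(encode_attr(ATTR[n], v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator: MD5 over the packet with a zeroed authenticator field, then the secret.
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator and decode attributes; returns (identifier, {num: [values]})."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Request Authenticator mismatch (wrong secret or tampered packet)")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        num, alen = body[pos], body[pos + 1]
        if alen < 3 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        raw = body[pos + 2:pos + alen]
        if num in INT_ATTRS or num in IP_ATTRS:
            if len(raw) != 4:
                raise ValueError(f"attribute {num} must be 4 octets")
            value = struct.unpack("!I", raw)[0] if num in INT_ATTRS else str(ipaddress.IPv4Address(raw))
        else:
            value = raw
        attrs.setdefault(num, []).append(value)
        pos += alen
    return identifier, attrs


def missing_av_pairs(attrs):
    """Names of Table 6 'Always' attributes absent for the packet's Acct-Status-Type."""
    status = attrs.get(ATTR["Acct-Status-Type"], [None])[0]
    if status not in ALWAYS_SENT:
        raise ValueError("unknown or missing Acct-Status-Type")
    return sorted(NAME[n] for n in ALWAYS_SENT[status] - attrs.keys())


# Constructed sample: the STOP record for a session ending on NAS-Port 50001.
SECRET = b"example-shared-secret"
STOP_ATTRS = [
    ("User-Name", "alice"), ("NAS-IP-Address", "192.0.2.10"), ("NAS-Port", 50001),
    ("Framed-IP-Address", "192.0.2.77"), ("Class", b"\x01\x02\x03"),
    ("Called-Station-Id", "00-11-22-33-44-55"), ("Calling-Station-Id", "00-02-B3-EB-0D-F6"),
    ("Acct-Status-Type", ACCT_STOP), ("Acct-Delay-Time", 0), ("Acct-Input-Octets", 12345),
    ("Acct-Output-Octets", 67890), ("Acct-Session-Id", "00000012"), ("Acct-Authentic", 1),
    ("Acct-Session-Time", 3600), ("Acct-Terminate-Cause", 1), ("NAS-Port-Type", 15),
]
```

A practical use is to point parse_accounting_request at the UDP payloads in a capture taken while debug radius accounting is running: a Request Authenticator mismatch means a wrong secret or a modified packet, and a non-empty missing_av_pairs result means the record will not satisfy a billing or session-tracking application that relies on the Table 6 guarantees.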


Supported MIBs

In Appendix A, "Supported MIBs," the "Using FTP to Access the MIB Files" section was revised. This is the correct procedure.

You can get each MIB file by using this procedure:


Step 1 Make sure that your FTP client is in passive mode.


Note Some FTP clients do not support passive mode.


Step 2 Use FTP to access the server ftp.cisco.com.

Step 3 Log in with the username anonymous.

Step 4 Enter your e-mail username when prompted for the password.

Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.

Step 6 Use the get MIB_filename command to get a copy of the MIB file.


Unsupported CLI Commands

In Cisco IOS Release 12.1(22)EA3 or later, the ip pim register-rate-limit global configuration mode command is not supported.

Command Reference

This section contains the new or changed commands in Cisco IOS Release 12.1(22)EA4.

show version

This note was added to the show version user EXEC command in the switch command reference:


Note Though visible in the show version output, the configuration register information is not supported on the switch.


Documentation Updates in Cisco IOS Release 12.1(22)EA3

These sections describe the software configuration guide updates in Cisco IOS Release 12.1(22)EA3:

"Deleting SVIs" section on page 48

"Configuring Router ACLs" section on page 48

"Unsupported CLI Commands in Cisco IOS Release 12.1(22)EA3" section on page 48

Deleting SVIs

In Chapter 10, "Configuring Interface Characteristics," this new information applies:

You cannot delete interface VLAN 1.

In previous releases, deleting the switch virtual interface (SVI) for VLAN 1 was allowed, but the interface would reappear by default after the switch was reloaded.

Configuring Router ACLs

In Chapter 27, "Configuring Network Security with ACLs," additional configuration guidelines apply for configuring input router ACLs. These ACLs can create a larger expansion in the number of TCAM entries when applied. If the number of TCAM entries exceeds the allocated resources, ACL filtering is done in software instead of hardware, which can have a negative impact on performance.

There are several ways to prevent excessive TCAM usage:

Use the sdm prefer access global configuration command to change the switch database management (SDM) template to allow more access lists.

Use output router ACLs instead of input router ACLs.

Minimize the TCAM usage of input router ACLs by configuring explicit permits or denies.

When an input router ACL is applied, it is automatically merged with an implicit ACL that matches against routing protocol packets and sends them to the protocol queue. This merge results in additional TCAM entries. To minimize the number of entries, you can configure router ACLs to explicitly permit or deny protocols, such as RIP, EIGRP, OSPF, BGP, and PIM, by configuring permit or deny ACEs at the beginning of the ACL.

This is an example of how to configure an input router ACL to minimize TCAM usage:

Switch(config)# access-list 100 [permit|deny] tcp any any eq bgp
Switch(config)# access-list 100 [permit|deny] eigrp any any
Switch(config)# access-list 100 [permit|deny] pim any any
Switch(config)# access-list 100 [permit|deny] ospf any any
Switch(config)# access-list 100 [permit|deny] udp any any eq rip
Switch(config)# access-list 100 ...... ACL 100's ACE(s)
Switch(config)# exit
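
To check that an input router ACL follows this guideline before it is applied, here is an added example lint (not Cisco code and not from the release notes). It parses numbered extended ACEs from a saved configuration and reports any routing-protocol ACE that sits after a general ACE, plus any of the five protocols named above that has no explicit ACE at all and so would be matched only through the merged implicit ACL. It assumes the subset of ACE syntax used in the example above (any, host, address/wildcard, and eq ports) and does not handle remarks, port ranges, or the established keyword; the sample ACLs are constructed.

```python
# Routing-protocol matches the guideline places at the head of an input router ACL.
# Keyed by (IP protocol keyword, port); port is None for protocols without ports.
ROUTING_MATCHES = {
    ("tcp", 179): "bgp",
    ("eigrp", None): "eigrp",
    ("pim", None): "pim",
    ("ospf", None): "ospf",
    ("udp", 520): "rip",
}
PORT_NAMES = {"bgp": 179, "rip": 520}   # Cisco IOS port keywords used in the example


def _port(token):
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def _take_addr(tokens, i):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def parse_ace(line):
    """Parse one numbered extended permit/deny ACE; returns None for other lines."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return None
    ace = {"acl": int(tok[1]), "action": tok[2], "proto": tok[3].lower(), "ports": set()}
    try:
        i = 4
        ace["src"], i = _take_addr(tok, i)
        if i + 1 < len(tok) and tok[i] == "eq":          # source port
            ace["ports"].add(_port(tok[i + 1]))
            i += 2
        ace["dst"], i = _take_addr(tok, i)
        if i + 1 < len(tok) and tok[i] == "eq":          # destination port
            ace["ports"].add(_port(tok[i + 1]))
    except IndexError:
        raise ValueError("cannot parse ACE: " + line) from None
    return ace


def routing_protocol(ace):
    """Routing protocol an ACE explicitly matches, or None for a general ACE."""
    if (ace["proto"], None) in ROUTING_MATCHES:
        return ROUTING_MATCHES[(ace["proto"], None)]
    for port in ace["ports"]:
        if (ace["proto"], port) in ROUTING_MATCHES:
            return ROUTING_MATCHES[(ace["proto"], port)]
    return None


def check_acl_order(config_lines, acl_number):
    """Routing-protocol ACEs placed after a general ACE, and protocols with no explicit ACE."""
    aces = [a for a in (parse_ace(line) for line in config_lines) if a and a["acl"] == acl_number]
    seen_general, misplaced, explicit = False, [], set()
    for position, ace in enumerate(aces, 1):
        proto = routing_protocol(ace)
        if proto is None:
            seen_general = True
        else:
            explicit.add(proto)
            if seen_general:
                misplaced.append((position, proto))
    return {"misplaced": misplaced,
            "unmatched": sorted(set(ROUTING_MATCHES.values()) - explicit)}


# Constructed sample configurations.
GOOD_ACL = """\
access-list 100 permit tcp any any eq bgp
access-list 100 permit eigrp any any
access-list 100 permit pim any any
access-list 100 permit ospf any any
access-list 100 permit udp any any eq rip
access-list 100 permit tcp any host 192.0.2.5 eq 22
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
""".splitlines()

BAD_ACL = """\
access-list 110 remark routing-protocol entries belong at the top
access-list 110 permit ip any any
access-list 110 deny udp any any eq rip
""".splitlines()
```

On the constructed ACL 110 the lint reports the RIP entry at position 2 as misplaced (it follows the general permit, so it adds TCAM entries without saving any) and lists BGP, EIGRP, OSPF, and PIM as protocols that still rely on the merged implicit ACL.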

Unsupported CLI Commands in Cisco IOS Release 12.1(22)EA3

In Appendix C, "Unsupported CLI Commands in Cisco IOS Release 12.1(22)EA3," this fallback bridging privileged EXEC command is not supported:

bridge bridge-group acquire

Documentation Updates in Cisco IOS Release 12.1(22)EA2

These are the updates to the product documentation that occurred in Cisco IOS Release 12.1(22)EA2:

"Getting Started Guide" section on page 49

"Regulatory Compliance and Safety Information Guide" section on page 49

"Documentation Flyer" section on page 49

"Hardware Installation Guide" section on page 49

"Software Configuration Guide" section on page 50

"Command Reference" section on page 53

Getting Started Guide

The getting started guide is new to the documentation set. It provides instructions for configuring the switch through the Express Setup program and for displaying or accessing the switch management interfaces, including the device manager. Also covered are switch management options, basic rack-mounting procedures, port and module connections, power-connection procedures, and troubleshooting help.

This guide ships with the switch. It is also orderable from Cisco.com and is available on the Catalyst 3550 documentation site on Cisco.com.


Note This guide replaces the information previously contained in the "Quick Setup" chapter in the switch hardware installation guide.


Regulatory Compliance and Safety Information Guide

The regulatory compliance and safety information guide is new to the documentation set. It contains agency approvals, compliance information, and translated warning statements.

This guide ships with the switch. It is also orderable from Cisco.com and is available on the Catalyst 3550 documentation site on Cisco.com.


Note This guide replaces the information previously contained in the "Translated Safety Warnings" appendix in the switch hardware installation guide.


Documentation Flyer

The documentation flyer, which described where to find the Catalyst 3550 documentation on Cisco.com, no longer ships with the switch. This information is now available in the new switch getting started guide (see the "Getting Started Guide" section on page 49).

Hardware Installation Guide

These changes have been made to the switch hardware installation guide:

The switch hardware installation guide no longer ships with the switch. It is available on the Catalyst 3550 documentation site on Cisco.com.

The "Quick Setup" chapter has been removed from this guide. Quick setup information, such as how to use the Express Setup program and how to display the device manager, is now available in the new switch getting started guide (see the "Getting Started Guide" section on page 49).

The "Translated Safety Warnings" appendix has been removed from this guide. The translated safety warnings are now in the new regulatory compliance and safety information guide (see the "Regulatory Compliance and Safety Information Guide" section on page 49).

Software Configuration Guide

These features were added to Cisco IOS Release 12.1(22)EA2.

Getting Started with CMS and Clustering Switches

In Cisco IOS Release 12.1(22)EA2 and later, Cluster Management Suite (CMS) is no longer available with the switch software. Disregard the CMS information in the Catalyst 3550 documentation, including the "Getting Started with CMS" chapter and the CMS instructions in the "Clustering Switches" chapter in the switch software configuration guide.

You can use the embedded device manager to configure or manage a single switch. You can use the standalone Network Assistant application to configure or manage one or more switches:

The device manager is included in the switch image and provides simplified management for a single switch. Its features, such as Smartports and color-coded graphs, make it easier to configure and monitor the switch. No special installation is required. After the switch is configured through the Express Setup program or through the CLI-based setup program, the device manager is accessible through a Microsoft Internet Explorer or Netscape Navigator browser session. For more information, refer to the device manager online help. For information on how to display the device manager, refer to the switch getting started guide.

Network Assistant provides a comprehensive set of features for managing single and multiple devices, including switch clusters, through a GUI. This application must be downloaded from Cisco.com and be installed on your PC. You can learn more about Network Assistant at this URL:

http://www.cisco.com/go/NetworkAssistant

Clustering Switches

You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI or the Cisco Network Assistant application. Disregard the CMS information in the "Clustering Switches" chapter in the switch software configuration guide.

Using IEEE 802.1x Authentication with Guest VLAN


Note This information replaces the information in the software configuration guide for Cisco IOS Release 12.1(20)EA2.


You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to the guest VLAN when it does not receive a response to its EAP-request/identity frame (sent as an EAPOL frame) or when the client never sends EAPOL packets.

Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can restore this behavior by using the dot1x guest-vlan supplicant global configuration command. Note that doing so gives an IEEE 802.1x-capable client that fails authentication the same limited access as a client that has no supplicant at all, so leave it disabled unless you need that fallback.

With Cisco IOS Release 12.1(22)EA2 and later, the switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, network access is denied. The EAPOL history is reset upon loss of the link.

Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

For configuration steps, see the "Configuring a Guest VLAN" section on page 51.

Configuring a Guest VLAN

When you configure a guest VLAN, clients that are not IEEE 802.1x-capable are put into the guest VLAN when the switch does not receive a response to its EAP-request/identity frame. Clients that are IEEE 802.1x-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode.

Beginning in privileged EXEC mode, follow these steps to configure a guest VLAN:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the interface to be configured, and enter interface configuration mode.

Step 3 

dot1x guest-vlan vlan-id

Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.

You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show dot1x interface interface-id

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state.

This example shows how to enable VLAN 9 as an IEEE 802.1x guest VLAN on a port:

Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x guest-vlan 9

This example shows how to set the quiet period to 3 seconds, to set the number of seconds that the switch waits for a response to an EAP-request/identity frame before resending it to 15, and to enable VLAN 2 as an IEEE 802.1x guest VLAN. Shortening these timers moves a non-802.1x host into the guest VLAN before its DHCP client gives up:

Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 2

You can enable optional guest VLAN behavior by using the dot1x guest-vlan supplicant global configuration command. When enabled, the switch does not maintain the EAPOL packet history and allows clients that fail authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface.

Beginning in privileged EXEC mode, follow these steps to enable the optional guest VLAN behavior and to configure a guest VLAN. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

dot1x guest-vlan supplicant

Enable the optional guest VLAN behavior globally on the switch.

Step 3 

interface interface-id

Specify the port to be configured, and enter interface configuration mode.

Step 4 

dot1x guest-vlan vlan-id

Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.

You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show dot1x interface interface-id

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable the optional guest VLAN behavior, use the no dot1x guest-vlan supplicant global configuration command. To remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state.

This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:

Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x guest-vlan 5
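The following state machine is an added example, not Cisco code, that follows the guest VLAN rules described in the "Using IEEE 802.1x Authentication with Guest VLAN" section and the optional dot1x guest-vlan supplicant behavior configured in the procedure above. It replays link, EAPOL, timeout and authentication events on a port and reports where the port ends up, so you can see that with the 12.1(22)EA2 default a supplicant that fails authentication is denied, while with the supplicant option it lands in the guest VLAN. The event names, VLAN numbers and the Dot1xPort class are assumptions of the model.

```python
"""Model of the Catalyst 3550 IEEE 802.1x guest VLAN decision logic.

Added example (not Cisco code). Default 12.1(22)EA2 behavior: the switch
keeps an EAPOL history per link, a port falls back to the guest VLAN only
when no EAPOL frame was seen since link-up, and a failed supplicant is
denied. With the global 'dot1x guest-vlan supplicant' option the history
is not kept and a failed supplicant is also placed in the guest VLAN.
Event names (link_up, eapol, timeout, auth) are assumptions of this model.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    access_vlan: int                      # user-configured access VLAN
    guest_vlan: int | None = None         # 'dot1x guest-vlan <id>' on the port
    supplicant_fallback: bool = False     # global 'dot1x guest-vlan supplicant'
    state: str = "down"                   # down | unauthorized | authorized | guest
    eapol_seen: bool = False              # EAPOL history for the current link
    log: list[str] = field(default_factory=list)

    @property
    def vlan(self) -> int | None:
        if self.state == "down":
            return None
        return self.guest_vlan if self.state == "guest" else self.access_vlan

    @property
    def forwarding(self) -> bool:
        # Only authorized ports and guest-VLAN ports pass client traffic.
        return self.state in ("authorized", "guest")

    def _set(self, state: str, why: str) -> None:
        self.state = state
        self.log.append(f"{why} -> {state} (vlan {self.vlan})")

    def link_up(self) -> None:
        self.eapol_seen = False           # history is kept per link
        self._set("unauthorized", "link up")

    def link_down(self) -> None:
        self.eapol_seen = False           # loss of link resets the history
        self._set("down", "link down")

    def eapol(self) -> None:
        """Client sent an EAPOL frame (EAPOL-Start or EAP-Response/Identity)."""
        if not self.supplicant_fallback:
            self.eapol_seen = True        # remembered for the life of the link
        if self.state == "guest":
            # An 802.1x-capable client joined a guest-VLAN port: back to the
            # unauthorized state in the access VLAN and restart authentication.
            self._set("unauthorized", "EAPOL on guest-VLAN port")
        else:
            self.log.append("EAPOL seen")

    def timeout(self) -> None:
        """No response to the switch's EAP-Request/Identity frames."""
        if self.guest_vlan is None:
            self._set("unauthorized", "identity timeout, no guest VLAN")
        elif self.eapol_seen:
            self._set("unauthorized", "identity timeout, EAPOL history present")
        else:
            self._set("guest", "identity timeout, no EAPOL history")

    def auth(self, success: bool) -> None:
        """Result returned by the authentication server for a supplicant."""
        if success:
            self._set("authorized", "authentication succeeded")
        elif self.guest_vlan is not None and self.supplicant_fallback:
            self._set("guest", "authentication failed, supplicant fallback on")
        else:
            self._set("unauthorized", "authentication failed")


def run(events: list[str], *, supplicant_fallback: bool = False,
        access_vlan: int = 10, guest_vlan: int | None = 9) -> tuple[str, int | None, bool]:
    """Replay a sequence of events; return (state, vlan, forwarding)."""
    port = Dot1xPort(access_vlan, guest_vlan, supplicant_fallback)
    for ev in events:
        if ev == "auth_ok":
            port.auth(True)
        elif ev == "auth_fail":
            port.auth(False)
        else:
            getattr(port, ev)()
    return port.state, port.vlan, port.forwarding


if __name__ == "__main__":
    # Host with no supplicant (Windows 98 style): ends up in the guest VLAN.
    print(run(["link_up", "timeout"]))
    # Supplicant that fails: denied by default, guest VLAN with the option.
    print(run(["link_up", "eapol", "auth_fail"]))
    print(run(["link_up", "eapol", "auth_fail"], supplicant_fallback=True))
    # Supplicant that sent EAPOL once and went quiet: history blocks fallback.
    print(run(["link_up", "eapol", "timeout"]))
```

The fourth scenario is the one the EAPOL history exists for: a client that has already proven it speaks 802.1x cannot obtain guest VLAN access just by going silent, unless the supplicant option is on.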

Command Reference

This section contains the new or changed commands in Cisco IOS Release 12.1(22)EA2.

dot1x

Use the dot1x global configuration command to enable IEEE 802.1x authentication globally. Use the no form of this command to return to the default setting.

dot1x {system-auth-control | guest-vlan supplicant}

no dot1x {system-auth-control | guest-vlan supplicant}

Syntax Description

system-auth-control

Enable IEEE 802.1x authentication globally on the switch.

guest-vlan supplicant

Enable optional guest VLAN behavior globally on the switch.


Defaults

IEEE 802.1x authentication is disabled, and the optional guest VLAN behavior is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(14)EA1

This command was introduced.

12.1(22)EA2

The guest-vlan supplicant keywords were added.


Usage Guidelines

You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before enabling IEEE 802.1x authentication globally. A method list describes the sequence and authentication methods to be queried to authenticate a user.

Before globally enabling IEEE 802.1x authentication on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.

If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transport Layer Security (EAP-TLS) and with EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.

You can use the guest-vlan supplicant keywords to enable the optional IEEE 802.1x guest VLAN behavior globally on the switch. For more information, see the dot1x guest-vlan command.

Examples

This example shows how to enable IEEE 802.1x authentication globally on a switch:

Switch(config)# dot1x system-auth-control

This example shows how to globally enable the optional guest VLAN behavior on a switch:

Switch(config)# dot1x guest-vlan supplicant

You can verify your settings by entering the show dot1x privileged EXEC command.

Related Commands

Command
Description

dot1x guest-vlan

Enables and specifies an active VLAN as an IEEE 802.1x guest VLAN.

dot1x port-control

Enables manual control of the authorization state of the port.

show dot1x

Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.


dot1x guest-vlan

Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return to the default setting.

dot1x guest-vlan vlan-id

no dot1x guest-vlan

Syntax Description

vlan-id

Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.


Defaults

No guest VLAN is configured.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(14)EA1

This command was introduced.

12.1(22)EA2

The default behavior of this command changed.


Usage Guidelines

You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients (a device or workstation connected to the switch), such as downloading the IEEE 802.1x client software. These users might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to the guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when the client never sends EAPOL packets.

Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can use the dot1x guest-vlan supplicant global configuration command to restore this optional behavior.

With Cisco IOS Release 12.1(22)EA2 and later, the switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, network access is denied. The EAPOL history is reset upon loss of link.

Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

When a DHCP client is connected to an IEEE 802.1x port that has a guest VLAN, the client can obtain an IP address from the DHCP server only after the port has been moved to the guest VLAN. To make sure that happens before the DHCP process on the client times out, decrease the IEEE 802.1x timers that control how quickly the switch restarts the authentication process (the IEEE 802.1x quiet period and the switch-to-client transmission time), as shown in the timeout example in the "Configuring a Guest VLAN" section.

Examples

This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:

Switch(config-if)# dot1x guest-vlan 5

This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:

Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface FastEthernet0/1
Switch(config-if)# dot1x guest-vlan 5

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command
Description

dot1x

Enables the optional guest VLAN supplicant feature.

show dot1x [interface interface-id]

Displays IEEE 802.1x status for the specified interface.


show controllers utilization

Use the show controllers utilization user EXEC command to display bandwidth utilization on the switch or specific ports.

show controllers [interface-id] utilization [ | {begin | exclude | include} expression]

Syntax Description

interface-id

(Optional) ID of the switch interface.

| begin

(Optional) Display begins with the line that matches the specified expression.

| exclude

(Optional) Display excludes lines that match the specified expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.1(22)EA2

This command was introduced.


Usage Guidelines

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.

Examples

This is an example of output from the show controllers utilization command.

Switch> show controllers utilization
Port       Receive Utilization  Transmit Utilization
Fa0/1              0                    0
Fa0/2              0                    0

<output truncated>

Total Ports : 12 
Switch Receive Bandwidth Percentage Utilization  : 0
Switch Transmit Bandwidth Percentage Utilization : 0

Switch Fabric Percentage Utilization : 0

This is an example of output from the show controllers utilization command on a specific port:

Switch> show controllers fastethernet0/1 utilization
Receive Bandwidth Percentage Utilization   : 0
Transmit Bandwidth Percentage Utilization  : 0

Table 7 show controllers utilization Field Descriptions

Field
Description

Receive Bandwidth Percentage Utilization

Displays the received bandwidth usage of the switch, which is the sum of the received traffic on all the ports divided by the switch receive capacity.

Transmit Bandwidth Percentage Utilization

Displays the transmitted bandwidth usage of the switch, which is the sum of the transmitted traffic on all the ports divided by the switch transmit capacity.

Fabric Percentage Utilization

Displays the average of the transmitted and received bandwidth usage of the switch.


Related Commands

Command
Description

show controllers ethernet-controller

Displays the interface internal registers.


Documentation Updates in Cisco IOS Release 12.1(22)EA1

These are the updates to the product documentation that occurred in Cisco IOS Release 12.1(22)EA1:

"Software Configuration Guide" section on page 57

"Command Reference" section on page 60

"System Message Guide" section on page 67

Software Configuration Guide

This section includes Cisco IOS Release 12.1(22)EA1 feature enhancement descriptions for these chapters:

"Configuring Port-Based Traffic Control" (see the "Configuring Storm Control" section on page 57)

"Troubleshooting" (see the "Troubleshooting Power over Ethernet Switch Ports" section on page 59)

Configuring Storm Control

The "Configuring Port-Based Traffic Control" chapter was changed to describe packet-based storm control.


Note This information replaces the information in the software configuration guide for Cisco IOS Release 12.1(20)EA2.


These sections include storm control configuration information and procedures:

Understanding Storm Control, page 57

Default Storm Control Configuration, page 58

Configuring Storm Control and Threshold Levels, page 58

Understanding Storm Control

Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a storm.

Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:

Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.1(22)EA1 or later)

With either method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.


Note When the rate of multicast traffic exceeds a set threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level drops below the threshold level. Only spanning-tree packets are forwarded. When broadcast and unicast thresholds are exceeded, traffic is blocked for only the type of traffic that exceeded the threshold.


You use the storm-control interface configuration commands to set the threshold value for each traffic type.


Note Before Cisco IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands.


Default Storm Control Configuration

By default, unicast, broadcast, and multicast storm control is disabled on the switch: that is, the suppression level is 100 percent (no limit is placed on the traffic).

Configuring Storm Control and Threshold Levels

You configure storm control on a port and enter the threshold level that you want to be used by a particular type of traffic.

However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.


Note Storm control is supported only on physical interfaces; it is not supported on EtherChannel port channels even though the command is available in the CLI.


Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the physical interface to configure and enter interface configuration mode.

Step 3 

storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps pps-low}

Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.

The keywords have these meanings:

For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0 to 100.

(Optional) For level-low, specify the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0 to 100.

For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per second. The port blocks traffic when the rising threshold is reached. The range is 0 to 4294967295.

For pps-low, specify the falling threshold level in packets per second. It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0 to 4294967295.

Note If you set the threshold to the maximum value (100 percent or 4294967295), no limit is placed on the traffic. If you set the threshold to 0 0, all broadcast, multicast, and unicast traffic on that port is blocked.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show storm-control [interface-id] [broadcast | multicast | unicast]

Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings appear.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable storm control, use the no storm-control {broadcast | multicast | unicast} level interface configuration command.

This example shows how to enable unicast storm control on a port with an 87-percent rising suppression level and a 65-percent falling suppression level:

Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# storm-control unicast level 87 65
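The following is an added example, not Cisco code, that models the storm-control decision described in the "Understanding Storm Control" section and the procedure above. It replays 1-second packet counts for one port against configured rising and falling thresholds (percentage or packets per second) and reports which traffic types the port drops, including the hysteresis between the two levels, the falling level defaulting to the rising one, the "maximum value means no limit" and "0 0 blocks everything" cases, and the multicast case in which all incoming traffic except spanning tree is dropped. The port speed, the per-second byte counts and the Threshold and StormControl class names are constructed for the model.

```python
"""Model of the Catalyst 3550 storm-control decision described above.

Added example, not Cisco code: replays 1-second packet counts for one port
against the configured rising and falling thresholds and reports which
traffic types the port drops. Rules follow the text: 100 percent or
4294967295 pps disables suppression; the falling level defaults to the
rising level; broadcast and unicast thresholds block only their own type,
while a multicast threshold blocks all incoming traffic except spanning
tree. Port speed and per-second byte counts are constructed inputs.
"""
from __future__ import annotations
from dataclasses import dataclass

TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")
MAX_PPS = 4294967295


@dataclass
class Threshold:
    unit: str                       # "percent" (level) or "pps"
    rising: float                   # traffic is blocked when this is reached
    falling: float | None = None    # forwarding resumes below this level

    def __post_init__(self) -> None:
        top = 100 if self.unit == "percent" else MAX_PPS
        if not 0 <= self.rising <= top:
            raise ValueError(f"rising threshold out of range: {self.rising}")
        if self.falling is None:
            self.falling = self.rising  # no falling level: same as rising
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed the rising one")

    @property
    def disabled(self) -> bool:
        # The maximum value places no limit on the traffic.
        return self.rising >= (100 if self.unit == "percent" else MAX_PPS)


class StormControl:
    def __init__(self, port_mbps: int, thresholds: dict[str, Threshold]) -> None:
        self.port_mbps = port_mbps
        self.thresholds = thresholds
        self.blocked: set[str] = set()    # types whose threshold is tripped

    def _measure(self, ttype: str, packets: int, nbytes: int) -> float:
        if self.thresholds[ttype].unit == "pps":
            return packets
        # Percentage of the port bandwidth used during the 1-second interval.
        return nbytes * 8 * 100 / (self.port_mbps * 1_000_000)

    def step(self, counts: dict[str, tuple[int, int]]) -> list[str]:
        """One 1-second interval. counts maps type -> (packets, bytes).
        Returns the traffic types dropped during the next interval."""
        for ttype, thr in self.thresholds.items():
            if thr.disabled:
                continue
            value = self._measure(ttype, *counts.get(ttype, (0, 0)))
            if ttype in self.blocked:
                if value < thr.falling:
                    self.blocked.discard(ttype)   # rate fell below falling level
            elif value >= thr.rising:
                self.blocked.add(ttype)           # rising level reached
        return self.dropped()

    def dropped(self) -> list[str]:
        # Multicast suppression drops all incoming traffic except STP BPDUs.
        if "multicast" in self.blocked:
            return list(TRAFFIC_TYPES)
        return sorted(self.blocked)


def replay(port_mbps: int, thresholds: dict[str, Threshold],
           seconds: list[dict[str, tuple[int, int]]]) -> list[list[str]]:
    """Run several 1-second intervals; return the dropped types after each."""
    sc = StormControl(port_mbps, thresholds)
    return [sc.step(counts) for counts in seconds]


# Constructed sample: the 87/65 percent unicast example from the text plus
# pps thresholds for broadcast and multicast, on a 100 Mbps port.
SAMPLE_THRESHOLDS = {
    "unicast": Threshold("percent", 87, 65),
    "broadcast": Threshold("pps", 20, 10),
    "multicast": Threshold("pps", 1000),
}
SAMPLE_SECONDS = [
    {"unicast": (80_000, 11_250_000), "broadcast": (5, 500)},   # unicast at 90%
    {"unicast": (60_000, 8_750_000)},                           # 70%: still blocked
    {"unicast": (50_000, 7_500_000)},                           # 60%: resumes
    {"multicast": (1_000, 64_000)},                             # multicast storm
    {"multicast": (999, 64_000)},                               # below falling level
]

if __name__ == "__main__":
    for sec, dropped in enumerate(replay(100, SAMPLE_THRESHOLDS, SAMPLE_SECONDS), 1):
        print(f"second {sec}: dropping {dropped or 'nothing'}")
```

The second interval shows why a falling level matters: at 70 percent the port stays blocked because traffic has not dropped below 65 percent, whereas with a single level of 87 it would already be forwarding again and could flap on every interval.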

Troubleshooting Power over Ethernet Switch Ports

The "Troubleshooting" chapter was changed to describe troubleshooting Power over Ethernet (PoE) switch ports.

This information was added:

"Disabled Port Caused by Power Loss" section on page 60

"Disabled Port Caused by False Link-Up" section on page 60

Disabled Port Caused by Power Loss

If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state. To recover from an error-disabled state, enter the shutdown interface configuration command, and then enter the no shutdown interface command. You can also configure automatic recovery on the switch to recover from the error-disabled state. The errdisable recovery cause loopback and the errdisable recovery interval seconds global configuration commands automatically take the interface out of the error-disabled state after the specified period of time.

Use these commands, described in the command reference for this release, to monitor the PoE port status:

show controllers power inline privileged EXEC command

show power inline privileged EXEC command

debug ilpower privileged EXEC command

Disabled Port Caused by False Link-Up

If a Cisco powered device is connected to a port and you configure the port by using the power inline never interface configuration command, a false link-up can occur on the port, placing it into an error-disabled state. To take the port out of the error-disabled state, enter the shutdown and the no shutdown interface configuration commands.

You should not connect a Cisco powered device to a port that has been configured with the power inline never command.

Command Reference

These commands were changed in Cisco IOS Release 12.1(22)EA1:

duplex interface configuration command was changed to support the duplex setting configuration when the speed is set to auto. See the "duplex" section on page 61.

power inline interface configuration command was changed to support duplex and speed interactions. See the "power inline" section on page 61.

show interfaces privileged EXEC command was changed to display speed, duplex, and inline power settings. See the "show interfaces" section on page 61.

show storm-control user EXEC command display was changed for packet-based storm-control settings. See the "show storm-control" section on page 62.

speed interface configuration command was changed to support using the 10, 100, and 1000 keywords with the auto keyword. See the "speed" section on page 63.

storm-control interface configuration command was changed for packet-based storm control. See the "storm-control" section on page 65.

duplex


Note This usage guideline is added to the ones in the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2.


Beginning with Cisco IOS Release 12.1(22)EA1, you can configure the duplex setting when the speed is set to auto.

power inline


Note This usage guideline is added to the ones in the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2.


When you configure a port by using the power inline auto interface configuration command, the port autonegotiates by using the configured speed and duplex settings to determine the power requirements of the connected device (whether or not it is a powered device). After the power requirements are determined, the switch hardcodes the interface by using the configured speed and duplex settings without resetting the interface.

When you configure a port by using the power inline never command, the command disables detection and power for the inline-power-capable port, and the port reverts to the configured speed and duplex settings.

show interfaces


Note The information in this section is added to the show interfaces command in the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2.


Use the show interfaces privileged EXEC command to display the administrative and operational status of all interfaces or a specified interface.

show interfaces [interface-id | vlan vlan-id] [accounting | capabilities [module module-number] | description | etherchannel | flowcontrol | pruning | stats | status [err-disabled] | switchport | trunk | transceiver properties] [ | {begin | exclude | include} expression]

Syntax Description

transceiver properties

(Optional) Display speed, duplex, and inline power settings of an interface.


Command History

Release
Modification

12.1(4)EA1

This command was introduced.

12.1(12c)EA1

The capabilities keyword was added.

12.1(22)EA1

The transceiver and properties keywords were added.


Examples

This is an example of output from the show interfaces transceiver properties command. If you do not specify an interface, the output of the command shows the status on all switch ports:

Switch# show interfaces transceiver properties
Name: Fa0/1
Administrative Speed: auto 10 100
Administrative Duplex: auto
Administrative Auto-MDIX: N/A 
Administrative Power Inline: enable
Operational Speed: 100
Operational Duplex: full
Operational Auto-MDIX: N/A 

Name: Fa0/2
Administrative Speed: auto 10 
Administrative Duplex: auto
Administrative Auto-MDIX: N/A 
Administrative Power Inline: enable
Operational Speed: auto
Operational Duplex: auto
Operational Auto-MDIX: N/A 

Name: Fa0/3
Administrative Speed: auto
Administrative Duplex: auto
Administrative Auto-MDIX: N/A 
Administrative Power Inline: enable
Operational Speed: 100
Operational Duplex: auto
Operational Auto-MDIX: auto

<output truncated> 

This is an example of output from the show interfaces interface-id transceiver properties command for a specific interface:

Switch# show interfaces fastethernet0/1 transceiver properties
Name: Fa0/1
Administrative Speed: auto
Administrative Duplex: auto
Administrative Auto-MDIX: N/A
Administrative Power Inline: disable
Operational Speed: 100
Operational Duplex: full

Operational Auto-MDIX: N/A

show storm-control


Note These examples replace the ones in the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2.


Examples

This is an example of output from the show storm-control command. Because no traffic type keyword was entered, the broadcast storm control settings appear.

Switch> show storm-control
Interface  Filter State   Upper       Lower      Current
---------  -------------  ----------  ---------  ---------
Fa0/1      Forwarding     20 pps      10 pps     5 pps
Fa0/2      Forwarding     50.00%      40.00%     0.00%
<output truncated>

This is an example of output from the show storm-control command for a specified interface. Because no traffic type keyword was entered, the broadcast storm control settings appear.

Switch> show storm-control fastethernet0/1
Interface  Filter State   Upper       Lower      Current
---------  -------------  ----------  ---------  ---------
Fa0/1      Forwarding     20 pps      10 pps     5 pps

This is an example of output from the show storm-control command for a specified interface and traffic type when no storm control threshold has been set for that traffic type on the specified interface:

Switch> show storm-control fastethernet0/1 multicast
Interface  Filter State   Upper       Lower      Current
---------  -------------  ----------  ---------  ---------
Fa0/1      inactive       100.00%     100.00%    N/A

speed


Note This command replaces the one in the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2.


Use the speed interface configuration command to specify the speed of a 10/100 Mbps or 10/100/1000 Mbps port. Use the no or default form of this command to return the port to its default value.

speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate}

no speed


Note You cannot configure speed or duplex mode on Gigabit Interface Converter (GBIC) ports, but for certain types of GBICs, you can configure speed to not negotiate (nonegotiate) if they are connected to a device that does not support autonegotiation.


Syntax Description

10

Port runs at 10 Mbps.

100

Port runs at 100 Mbps.

1000

Port runs at 1000 Mbps. This option is valid and visible only on Gigabit Ethernet (Tx) ports.

auto

Port automatically detects the speed it should run at based on the port at the other end of the link. If you use the 10, 100, or 1000 keywords with the auto keyword, the port only autonegotiates at the specified speeds.

nonegotiate

Autonegotiation is disabled and the port runs at 1000 Mbps. This option is valid and visible only on 1000BASE-SX, -LX, and -ZX GBIC ports. Gigastack GBICs and 1000BASE-T GBICs do not support disabling of autonegotiation.


Defaults

The default is auto.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(4)EA1

This command was introduced.

12.1(6)EA1

The 1000 and nonegotiate keywords were added.

12.1(22)EA1

Support for the 10, 100, and 1000 keywords with the auto keyword was added.


Usage Guidelines

You can configure Fast Ethernet port speed to either 10 or 100 Mbps. You can configure Gigabit Ethernet port speed to 10, 100, or 1000 Mbps. You cannot configure speed on Gigabit Interface Converter (GBIC) interfaces, but for 1000BASE-SX, -LX, or -ZX GBICs, you can configure speed to not negotiate (nonegotiate) if connected to a device that does not support autonegotiation.

If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.

If the speed is set to auto and the 10, 100, or 1000 keywords are also used, the port only autonegotiates at the specified speeds.

If both ends of the link support autonegotiation, we highly recommend the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the side that supports it.

If both the speed and duplex are set to specific values, autonegotiation is disabled.


Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.


Note For guidelines on setting the switch speed and duplex parameters, see the software configuration guide for this release.


Examples

This example shows how to set the specified interface to 100 Mbps:

Switch(config)# interface fastethernet0/1
Switch(config-if)# speed 100

This example shows how to set a port to autonegotiate at only 10 Mbps:

Switch(config)# interface fastethernet0/1
Switch(config-if)# speed auto 10

This example shows how to set a port to autonegotiate at only 10 or 100 Mbps:

Switch(config)# interface fastethernet0/1
Switch(config-if)# speed auto 10 100

You can verify your settings by entering the show interfaces, the show interfaces transceiver properties, or the show running-config privileged EXEC command.

Related Commands

Command
Description

duplex

Specifies the duplex mode of operation for Fast Ethernet and Gigabit Ethernet ports.

show interfaces

Displays the statistical information specific to all interfaces or to a specific interface.


storm-control


Note This command replaces the one in the Catalyst 3550 Multilayer Switch Command Reference, Cisco IOS Release 12.1(20)EA2.


Use the storm-control interface configuration command to configure broadcast, multicast, or unicast storm control with a specific suppression-level threshold on an interface. Use the no form of this command to return to the default setting.

storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps pps-low}

no storm-control {broadcast | multicast | unicast} level

Syntax Description

broadcast

Enable broadcast storm control on the interface.

multicast

Enable multicast storm control on the interface.

unicast

Enable unicast storm control on the interface.

level level [level-low]

Specify the rising and falling suppression levels as a percentage of total bandwidth of the port.

level—Rising suppression level, up to two decimal places. The range is 0 to 100 percent. Block the flooding of storm packets when the value specified for level is reached.

level-low—(Optional) Falling suppression level, up to two decimal places. The range is 0 to 100. This value must be less than or equal to the rising suppression value. If you do not configure a falling suppression level, it is set to the rising suppression level.

level pps pps pps-low

Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.

pps—Rising suppression level in packets per second. The range is 0 to 4294967295. Block the flooding of storm packets when the value specified for pps is reached.

pps-low—Falling suppression level in packets per second. The range is 0 to 4294967295. This value must be equal to or less than the rising suppression value.


Defaults

Broadcast, multicast, and unicast storm control are disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8)EA1

This command was introduced. It replaces the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands.

12.1(22)EA1

The level level [.level] option was replaced with the level level [level-low] option. The pps pps pps-low options were added.


Usage Guidelines

Storm control is supported only on physical interfaces; it is not supported on EtherChannel port channels, even though it is available in the CLI.

The storm-control suppression level can be entered as a percentage of total bandwidth or as a rate in packets per second at which traffic is received.

When specified as a percentage of total bandwidth, a suppression value of 100 percent means that no limit is placed on the specified traffic type. A value of level 0 0 means that all broadcast, multicast, or unicast traffic on that port is blocked. Storm control is enabled only when the rising suppression level is less than 100 percent.

When specified in packets per second, a suppression value of 4294967295 packets per second means that no limit is placed on the specified traffic type. This feature is enabled only when the rising suppression level is less than 4294967295 packets per second.

If the falling suppression level is not specified, the port blocks all traffic until the traffic rate drops below the rising suppression level. If the falling suppression level is specified, the port blocks traffic until the traffic rate drops below this level.


Note If a multicast storm control suppression level is exceeded on a switch, all traffic (multicast, unicast, and broadcast) is blocked until the multicast traffic rate drops below the threshold. Only spanning-tree packets are passed. If the broadcast or the unicast storm control suppression level is exceeded, only that type of traffic is blocked until the rate drops below the threshold.


For more information about storm-control suppression levels, see the software configuration guide for this release.

Examples

This example shows how to enable broadcast storm control with a 75.5-percent rising suppression level:

Switch(config-if)# storm-control broadcast level 75.5

This example shows how to enable unicast storm control on a port with an 87-percent rising suppression level and a 65-percent falling suppression level:

Switch(config-if)# storm-control unicast level 87 65

This example shows how to enable multicast storm control on a port with a 2000-packets-per-second rising suppression level and a 1000-packets-per-second falling suppression level:

Switch(config-if)# storm-control multicast level pps 2000 1000

You can verify your settings by entering the show storm-control privileged EXEC command.
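The rising and falling levels above form a hysteresis: a port starts blocking the traffic type when the measured rate reaches the rising level and stops only when the rate drops below the falling level, which defaults to the rising level. The following Python model is an added example, not Cisco code and not anything the switch runs; it encodes those rules, the 100-percent and 4294967295-pps "no limit" values, the requirement that the falling level not exceed the rising level, and the note that a multicast block suppresses all three traffic types. The rate traces it is fed are constructed, and the StormControl, simulate, and blocked_types names are this example's own.

```python
"""Added model of the storm-control rising/falling thresholds; not Cisco code.

Each call to step() represents one measurement interval on a port configured with
`storm-control <type> level <rising> [<falling>]` or
`storm-control <type> level pps <rising> <falling>`.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

PERCENT_UNLIMITED = 100.0     # "level 100" places no limit on the traffic type
PPS_UNLIMITED = 4294967295    # "level pps 4294967295 ..." likewise
TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")


@dataclass
class StormControl:
    traffic_type: str
    rising: float
    falling: Optional[float] = None   # defaults to the rising level, as on the switch
    unit: str = "percent"             # "percent" or "pps"
    blocking: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        if self.traffic_type not in TRAFFIC_TYPES:
            raise ValueError(f"unknown traffic type {self.traffic_type!r}")
        if self.unit not in ("percent", "pps"):
            raise ValueError("unit must be 'percent' or 'pps'")
        if not 0 <= self.rising <= self._limit:
            raise ValueError("rising level out of range")
        if self.falling is None:
            self.falling = self.rising
        # The CLI rejects a falling level above the rising level.
        if not 0 <= self.falling <= self.rising:
            raise ValueError("falling level must be <= rising level")

    @property
    def _limit(self) -> float:
        return PERCENT_UNLIMITED if self.unit == "percent" else PPS_UNLIMITED

    @property
    def enabled(self) -> bool:
        # Storm control only takes effect when the rising level is below the maximum.
        return self.rising < self._limit

    def step(self, rate: float) -> bool:
        """Feed one interval's measured rate; return True if this type is blocked."""
        if not self.enabled:
            return False
        if not self.blocking and rate >= self.rising:
            self.blocking = True          # rising level reached: start blocking
        elif self.blocking and rate < self.falling:
            self.blocking = False         # dropped below the falling level: resume
        return self.blocking


def simulate(ctl: StormControl, rates: list[float]) -> list[bool]:
    """Run a constructed trace of per-interval rates through one control."""
    return [ctl.step(r) for r in rates]


def blocked_types(controls: dict[str, StormControl],
                  rates: dict[str, float]) -> set[str]:
    """Apply one interval to every control configured on a port and return the
    traffic types that end up blocked. Per the note above, a multicast block
    suppresses broadcast and unicast as well (only spanning-tree passes);
    broadcast and unicast blocks affect only their own type."""
    blocked = {t for t, ctl in controls.items() if ctl.step(rates.get(t, 0.0))}
    if "multicast" in blocked:
        blocked = set(TRAFFIC_TYPES)
    return blocked


if __name__ == "__main__":
    # storm-control unicast level 87 65, fed a constructed rate trace (percent)
    ctl = StormControl("unicast", 87, 65)
    print(simulate(ctl, [50, 90, 80, 70, 60, 88]))   # [False, True, True, True, False, True]
    # storm-control broadcast level 100 is accepted by the CLI but enforces nothing
    print(StormControl("broadcast", 100).enabled)    # False
```

Two points the model makes visible: a falling level well below the rising level keeps a port from flapping between blocked and unblocked around a single threshold, and a multicast threshold is effectively a whole-port kill switch. Because the page notes that storm control is accepted but not enforced on EtherChannel port channels, check enforcement on the physical member ports with show storm-control rather than on the port-channel interface.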

Related Commands

Command
Description

show storm-control

Displays broadcast, multicast, or unicast storm-control settings on all interfaces or on a specified interface.


System Message Guide

These messages were added to Release 12.1(22)EA1:

Error Message    DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port [chars] because of VTP domain mismatch.

Explanation    This message means that the two ports involved in trunk negotiation belong to different VTP domains. Trunking is possible only when the ports involved belong to the same VTP domain. [chars] is the name of the interface.

Recommended Action    Ensure that the two ports that are involved in trunk negotiation belong to the same VTP domain.

Error Message    ETHCNTR-3-HALF_DUX_COLISION_EXCEED_THRESHOLD: Collision at [chars] exceed threshold. Consider as loop-back.

Explanation    This message means that collisions at a half-duplex port exceeded the threshold, and the port is considered to be in the loop-back state. On switches that support Power over Ethernet (PoE), this message might appear when a device that can be powered by either a PoE switch port or by AC power is not being powered by an external AC power source and is connected to a port that has been configured with the power inline never interface configuration command. [chars] is the port where the threshold was exceeded.

Recommended Action    On switches that support PoE, remove the device or configure the port by entering the power inline auto, the shutdown, and the no shutdown interface configuration commands. No action is required on non-PoE switches. The port goes into error-disabled mode until the problem is resolved.

Error Message    ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on [chars]. The port is forced to linkdown.

Explanation    This message means that a loopback condition might be the result of a balun cable incorrectly connected into a port. On PoE switches, this message might appear when a device that can be powered by either a PoE switch port or by AC power is not being powered by an external AC power source and is connected to a port that has been configured with the power inline never interface configuration command. [chars] is the port.

Recommended Action    On non-PoE switches, check the cables. If a balun cable is connected and the loopback condition is desired, no action is required. Otherwise, connect the correct cable, and then bring the port up by entering the no shutdown interface configuration command. On PoE switches, remove the device or configure the port by entering the power inline auto, the shutdown, and the no shutdown interface configuration commands.

Error Message    PM-4-ERR_DISABLE: [chars] error detected on [chars], putting [chars] in err-disable state.

Explanation    This message means that the port manager detected a misconfiguration or misbehavior and placed the interface in an error-disabled state. A recovery is attempted after the configured retry time (the default is 5 minutes). On PoE switches, this message might appear when a device that can be powered by either a PoE switch port or by AC power is not being powered by an external AC power source and is connected to a port that has been configured with the power inline never interface configuration command. The first [chars] is the error, and the second and third [chars] are the affected interfaces.

Recommended Action    On non-PoE switches, copy the error message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Enter the show tech-support user EXEC command to gather data that might help identify the nature of the error. Use the Bug Toolkit to look for similar reported problems. On PoE switches, remove the device or configure the port by entering the power inline auto, the shutdown, and the no shutdown interface configuration commands. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about the online tools and about contacting Cisco, see the "Error Message Traceback Reports" section in Chapter 1 of the system message guide.

Error Message    SW_VLAN-4-VTP_SEM_BUSY: VTP semaphore is unavailable for function [chars]. Semaphore locked by [chars].

Explanation    This message means that the VTP database is currently locked by another task and is not available. Retry the operation later. The first [chars] is the function that requested the VTP database, and the second [chars] is the function that has locked it.

Recommended Action    Find out more about the error by using the show tech-support privileged EXEC command and by copying the error message exactly as it appears on the console or system log and entering it in the Output Interpreter tool. Use the Bug Toolkit to look for similar reported problems. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section in Chapter 1 of the Catalyst 3550 Multilayer Switch System Message Guide.
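When these messages arrive over syslog, a practitioner usually wants the affected interfaces extracted rather than read by hand: a port that is err-disabled for a loopback, or a trunk that silently failed to form because of a VTP domain mismatch, is an operational and a security signal. The following Python parser is an added example, not code from Cisco or from this document. It splits the standard IOS "%FACILITY-SEVERITY-MNEMONIC: text" prefix and then pulls the [chars] values out of the messages documented above using their fixed wording. The lines in SAMPLE_LOG are constructed for the example (the timestamp style, interface names, the "loopback" err-disable cause, and the LINK-3-UPDOWN filler line are assumptions), and the function names are this example's own.

```python
"""Added parser for the system messages listed above; not Cisco code."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines in the IOS "%FACILITY-SEVERITY-MNEMONIC: text" form,
# filled in from the message texts quoted above. They are not real captures;
# the timestamp style, interface names and the "loopback" err-disable cause
# are assumptions of this example.
SAMPLE_LOG = """\
Mar  1 00:01:10.203: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/5 because of VTP domain mismatch.
Mar  1 00:02:44.917: %ETHCNTR-3-HALF_DUX_COLISION_EXCEED_THRESHOLD: Collision at Fa0/7 exceed threshold. Consider as loop-back.
Mar  1 00:02:45.001: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on Fa0/7. The port is forced to linkdown.
Mar  1 00:02:45.010: %PM-4-ERR_DISABLE: loopback error detected on Fa0/7, putting Fa0/7 in err-disable state.
Mar  1 00:03:12.440: %SW_VLAN-4-VTP_SEM_BUSY: VTP semaphore is unavailable for function vtp_update. Semaphore locked by vtp_prune.
Mar  1 00:03:20.000: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$"
)

# Where the interface [chars] sits in each message's fixed wording.
IFACE_RE = {
    "DTP-5-DOMAINMISMATCH": re.compile(r"on port (\S+) because"),
    "ETHCNTR-3-HALF_DUX_COLISION_EXCEED_THRESHOLD": re.compile(r"Collision at (\S+) exceed"),
    "ETHCNTR-3-LOOP_BACK_DETECTED": re.compile(r"detected on (\S+?)\."),
    "PM-4-ERR_DISABLE": re.compile(r"putting (\S+) in err-disable"),
}
ERRDISABLE_CAUSE_RE = re.compile(r"^(\S+) error detected on")
LOOPBACK_IDS = {"ETHCNTR-3-HALF_DUX_COLISION_EXCEED_THRESHOLD", "ETHCNTR-3-LOOP_BACK_DETECTED"}


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields, or return None if it is not an IOS message."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["id"] = f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"
    rec["interface"] = None
    pat = IFACE_RE.get(rec["id"])
    if pat:
        im = pat.search(rec["text"])
        rec["interface"] = im.group(1) if im else None
    if rec["id"] == "PM-4-ERR_DISABLE":
        cm = ERRDISABLE_CAUSE_RE.match(rec["text"])
        rec["cause"] = cm.group(1) if cm else None
    return rec


def parse_log(text: str) -> List[dict]:
    """Parse every line, silently skipping lines that are not IOS messages."""
    recs = [parse_line(line) for line in text.splitlines()]
    return [r for r in recs if r is not None]


def errdisabled_ports(text: str) -> Dict[str, str]:
    """Map each err-disabled interface to the cause the port manager reported."""
    return {r["interface"]: r["cause"]
            for r in parse_log(text) if r["id"] == "PM-4-ERR_DISABLE" and r["interface"]}


def loopback_suspects(text: str) -> Set[str]:
    """Interfaces flagged by either loop-back message (collision threshold or detection)."""
    return {r["interface"] for r in parse_log(text)
            if r["id"] in LOOPBACK_IDS and r["interface"]}


def vtp_domain_mismatch_ports(text: str) -> Set[str]:
    """Interfaces where trunk negotiation failed because of a VTP domain mismatch."""
    return {r["interface"] for r in parse_log(text)
            if r["id"] == "DTP-5-DOMAINMISMATCH" and r["interface"]}


if __name__ == "__main__":
    print(errdisabled_ports(SAMPLE_LOG))          # {'Fa0/7': 'loopback'}
    print(loopback_suspects(SAMPLE_LOG))          # {'Fa0/7'}
    print(vtp_domain_mismatch_ports(SAMPLE_LOG))  # {'Fa0/5'}
```

The per-message patterns are keyed on the full facility-severity-mnemonic identifier so that a wording change in a later release fails closed (interface left as None) instead of extracting the wrong token. Correlating the two ETHCNTR messages with the PM-4-ERR_DISABLE line for the same port, as the sample shows for Fa0/7, is what distinguishes a loopback err-disable from the other causes the port manager reports.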

Documentation Updates for All Releases

These corrections apply to printed copies of the software configuration guide in the indicated chapters.

Administering the Switch

The "Configuring a System Name and Prompt" section and the "Configuring a System Prompt" section incorrectly state that you can manually configure the prompt global configuration command. The switch does not support this command. You should ignore this information in printed and online copies of the software configuration guide.

Configuring QoS

In the "Classifying Traffic by Using ACLs" section, this information in Step 3 to create a Layer 2 MAC ACL is incorrect:

For src-MAC-addr, enter the MAC address of the host from which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard 255.255.255, or by using the host keyword for source 0.0.0.

For dst-MAC-addr, enter the MAC address of the host to which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard 255.255.255, or by using the host keyword for source 0.0.0.

This is the correct information:

For src-MAC-addr, enter the MAC address of the host from which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard ffff.ffff.ffff, or by using the host keyword for source 0.0.0.

For dst-MAC-addr, enter the MAC address of the host to which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard ffff.ffff.ffff, or by using the host keyword for source 0.0.0.
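The difference between the two wildcards is not cosmetic. The wildcard is parsed in the same H.H.H hexadecimal notation as the address, so 255.255.255 becomes 0x0255 in each 16-bit group rather than all ones, and an "any" written that way would match only addresses whose bits fall inside that pattern. The following Python matcher is an added example, not Cisco code; it applies the Cisco wildcard convention (a set bit means "don't care") to H.H.H values, expands the any and host keywords as the corrected text describes, and evaluates a small first-match entry list with the implicit deny that Cisco ACLs carry at the end. The addresses are constructed and the function names are this example's own.

```python
"""Added MAC ACL wildcard matcher illustrating the correction above; not Cisco code."""
from typing import List, Tuple

MASK48 = (1 << 48) - 1


def parse_hhh(text: str) -> int:
    """Parse Cisco H.H.H notation (three hex groups of 1 to 4 digits) into a 48-bit integer."""
    groups = text.split(".")
    if len(groups) != 3:
        raise ValueError(f"{text!r} is not H.H.H notation")
    value = 0
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError(f"bad group {g!r} in {text!r}")
        value = (value << 16) | int(g, 16)
    return value


def dont_care_bits(wildcard: str) -> int:
    """Number of address bits the wildcard ignores (set bits are 'don't care')."""
    return bin(parse_hhh(wildcard)).count("1")


def mac_matches(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard match: compare only the bits that are clear in the wildcard."""
    care = ~parse_hhh(wildcard) & MASK48
    return parse_hhh(addr) & care == parse_hhh(pattern) & care


def expand(spec: str) -> Tuple[str, str]:
    """Turn an ACL address field into (pattern, wildcard):
    'any'         -> 0.0.0 with wildcard ffff.ffff.ffff (every bit ignored)
    'host H.H.H'  -> H.H.H with wildcard 0.0.0 (every bit compared)
    'H.H.H H.H.H' -> explicit pattern and wildcard"""
    tokens = spec.split()
    if tokens == ["any"]:
        return "0.0.0", "ffff.ffff.ffff"
    if len(tokens) == 2 and tokens[0] == "host":
        return tokens[1], "0.0.0"
    if len(tokens) == 2:
        return tokens[0], tokens[1]
    raise ValueError(f"cannot parse address field {spec!r}")


# An entry is (action, source field, destination field) using the fields above.
ACE = Tuple[str, str, str]


def evaluate_acl(acl: List[ACE], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny Cisco ACLs have at the end."""
    for action, src_spec, dst_spec in acl:
        sp, sw = expand(src_spec)
        dp, dw = expand(dst_spec)
        if mac_matches(src, sp, sw) and mac_matches(dst, dp, dw):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed addresses; the wildcard "255.255.255" is the erroneous form.
    print(dont_care_bits("ffff.ffff.ffff"), dont_care_bits("255.255.255"))   # 48 15
    print(mac_matches("0001.9a2b.3c4d", "0.0.0", "ffff.ffff.ffff"))          # True
    print(mac_matches("0001.9a2b.3c4d", "0.0.0", "255.255.255"))             # False
```

With the erroneous wildcard only 15 of the 48 bits are ignored, so a "permit ... any" entry written that way would admit almost nothing and, combined with the implicit deny, would silently drop the traffic the ACL was meant to classify.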

Related Documentation

These documents provide complete information about the switch and are available from this Cisco.com site:

http://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.html

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 3550 Multilayer Switch Software Configuration Guide (order number DOC-7811194=)

Catalyst 3550 Multilayer Switch Command Reference (order number DOC-7811195=)

Catalyst 3550 Multilayer Switch System Message Guide (order number DOC-7811196=)

Catalyst 3550 Multilayer Switch Hardware Installation Guide (not orderable but available on Cisco.com)

Catalyst 3550 Switch Getting Started Guide (order number DOC-7816575=)

Regulatory Compliance and Safety Information for the Catalyst 3550 Switch (order number DOC-7816655=)

For information about other related products, see these documents:

Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)

Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)

1000BASE-T Gigabit Interface Converter Installation Note (not orderable but available on Cisco.com)

Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)

Network Admission Control Software Configuration Guide (not orderable but available on Cisco.com)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

For Emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

For Nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532


Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.


Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html