Guest

Cisco Catalyst 3550 Series Switches

Release Notes for the Catalyst 3550 Switch, Cisco IOS Release 12.2(40)SE

  • Viewing Options

  • PDF (1.0 MB)
  • Feedback
Release Notes for the Catalyst 3550 Multilayer Switch, Cisco IOS Release 12.2(40)SE

Table Of Contents

Release Notes for the Catalyst 3550 Multilayer Switch, Cisco IOS Release 12.2(40)SE

Contents

System Requirements

Hardware Supported

Device Manager System Requirements

Hardware Requirements

Software Requirements

Cluster Compatibility

CNA Compatibility

Upgrading the Switch Software

Finding the Software Version and Feature Set Running on the Switch

Deciding Which Files to Download from Cisco.com

Archiving Software Images

Upgrading a Switch by Using Device Manager or Network Assistant

Upgrading a Switch by Using the CLI

Upgrading with a Nondefault System MTU Setting

Recovering from a Software Failure

Installation Notes

New Features

New Hardware Features

New Software Features

Limitations and Restrictions

Cisco IOS Limitations and Restrictions

IEEE 802.1x

ACLs

Connected Devices

Configuration

DHCP

HSRP

IGMP

IP

MAC Addressing

MIBs

Multicasting

Port Security

QoS

Routing

SNMP

SPAN and RSPAN

Spanning Tree

VLAN

Important Notes

Cisco IOS Notes

Device Manager Notes

Open Caveats

Resolved Caveats

Documentation Updates

Updates for the Software Configuration Guide

Updates for Cisco IOS Release 12.2(40)SE

Understanding IP Unicast Routing Chapter, EIGRP Routing Note

Understanding Flex Links and the MAC Address-Table Move Update Chapter

Configuring IEEE 802.1x Port-Based Authentication Chapter

Working with the Cisco IOS File System, Configuration Files, and Software Images Appendix

Configuring System Message Logging Chapter

Configuring Cisco IOS IP SLAs Operations (New Chapter)

Updates for Cisco IOS Release 12.2(37)SE

Updates for Cisco IOS Release 12.2(35)SE

Updates for Cisco IOS Release 12.2(25)SEE1

Updates for Cisco IOS Release 12.2(25)SEE

Updates for the Command Reference

Updates for Cisco IOS Release 12.2(40)SE

Updates for Cisco IOS Release 12.2(37)SE

Updates for Cisco IOS Release 12.2(35)SE

Updates for Cisco IOS Release 12.2(25)SEE2

logging event

Updates for Cisco IOS Release 12.2(25)SEE1

Updates for the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch

Update to the Hardware Installation Guide

Update to the System Message Guide

New System Messages

Changed System Messages

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for the Catalyst 3550 Multilayer Switch, Cisco IOS Release 12.2(40)SE


August 28, 2007

Cisco IOS Release 12.2(40)SE runs on all Catalyst 3550 multilayer switches.

These release notes include important information about Cisco IOS Release 12.2(40)SE and any limitations, restrictions, and caveats that apply to them. Verify that these are the correct release notes for your switch:

If you are installing a new switch, refer to the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set Running on the Switch" section.

If you are upgrading to a new release, refer to the software upgrade filename for the Cisco IOS version. See the "Deciding Which Files to Download from Cisco.com" section.

For the complete list of Catalyst 3550 switch documentation, see the "Related Documentation" section.

You can download the switch software from this site (registered Cisco.com users with a login password):

http://tools.cisco.com/support/downloads/go/MDFTree.x?butype=switches

This Cisco IOS release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future Cisco IOS releases become available, they will be posted to Cisco.com in the Cisco IOS software area.

Contents

This information is in the release notes:

"System Requirements" section

"Upgrading the Switch Software" section

"Installation Notes" section

"New Features" section

"Limitations and Restrictions" section

"Important Notes" section

"Open Caveats" section

"Resolved Caveats" section

"Documentation Updates" section

"Related Documentation" section

"Obtaining Documentation, Obtaining Support, and Security Guidelines" section

System Requirements

The system requirements for this release are described in these sections:

"Hardware Supported" section

"Device Manager System Requirements" section

"Cluster Compatibility" section

"CNA Compatibility" section

Hardware Supported

Table 1 lists the hardware supported by this release.

Table 1 Supported Hardware 

Switch
Description

Catalyst 3550-12G

10 GBIC1 -based Gigabit Ethernet slots and 2 Gigabit Ethernet 10/100/1000BASE-T ports

Catalyst 3550-12T

10 Gigabit Ethernet 10/100/1000BASE-T ports and 2 GBIC-based Gigabit Ethernet slots

Catalyst 3550-24

24 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots

Catalyst 3550-24-DC

24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, and an on-board DC power converter

Catalyst 3550-24-FX

24 100BASE-FX ports and 2 GBIC-based Gigabit Ethernet slots

Catalyst 3550-24PWR

24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, ability to provide power for Cisco IP Phones and Cisco Aironet Access Points from all 10/100 Ethernet ports, auto-detection and control of inline power on a per-port basis on all 10/100 ports

Catalyst 3550-48

48 autosensing 10/100 Ethernet ports and 2 GBIC-based Gigabit Ethernet slots

GBIC modules

1000BASE-SX GBIC

1000BASE-LX/LH GBIC

1000BASE-ZX GBIC

1000BASE-T GBIC

GigaStack GBIC

CWDM2 fiber-optic GBIC

DWDM3 fiber-optic GBIC

Redundant power system

Cisco RPS 300 redundant power system4

Cisco RPS 675 redundant power system5

Cisco RPS 2300 redundant power system6

1 GBIC = Gigabit Interface Converter

2 CWDM = coarse wavelength-division multiplexing

3 DWDM = dense wavelength-division multiplexing

4 The Cisco RPS 300 does not support the Catalyst 3550-24-DC or 3550-24PWR switch.

5 The Cisco RPS 675 does not support the Catalyst 3550-24-DC switch.

6 The Cisco RPS 2300 does not support the Catalyst 3550-24-DC switch.


Device Manager System Requirements

These sections describe the hardware and software requirements for using the device manager:

"Hardware Requirements" section

"Software Requirements" section

Hardware Requirements

Table 2 lists the minimum hardware requirements for running the device manager.

Table 2 Minimum Hardware Requirements 

Processor Speed
DRAM
Number of Colors
Resolution
Font Size

Intel Pentium II1

64 MB2

256

1024 x 768

Small

1 We recommend Intel Pentium 4.

2 We recommend 256-MB DRAM.


Software Requirements

Table 3 lists the supported operating systems and browsers for using the device manager. The device manager verifies the browser version when starting a session to ensure that the browser is supported.


Note The device manager does not require a plug-in.


Table 3 Supported Operating Systems and Browsers 

Operating System
Minimum Service Pack or Patch
Microsoft Internet Explorer 1
Netscape Navigator

Windows 2000

None

5.5 or 6.0

7.1

Windows XP

None

5.5 or 6.0

7.1

1 Service Pack 1 or higher is required for Internet Explorer 5.5.


Cluster Compatibility

You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI) or the Network Assistant application.

When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch.

If you are managing the cluster through Network Assistant, the switch with the latest software should be the command switch.

The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

For additional information about clustering, see the Getting Started with Cisco Network Assistant and the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com), the software configuration guide, and the command reference.

CNA Compatibility

Cisco IOS 12.2(40)SE and later is only compatible with Cisco Network Assistant (CNA) 5.0 and later. You can download Cisco Network Assistant from this URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/NetworkAssistant

For more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.

Upgrading the Switch Software

Before downloading software from Cisco.com to upgrade the switch software, read this section for important information:

"Finding the Software Version and Feature Set Running on the Switch" section

"Deciding Which Files to Download from Cisco.com" section

"Upgrading a Switch by Using Device Manager or Network Assistant" section

"Upgrading a Switch by Using the CLI" section

"Recovering from a Software Failure" section


Caution A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to cryptographic image, regardless of the current noncryptographic Cisco IOS Release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

When you upgrade a switch, the switch continues to operate while the new software is copied to flash memory. If flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image. If flash memory does not have enough space for two images, the new image is copied over the existing one. Features provided by the new software are not available until you reload the switch.

If a failure occurs while copying a new image to the switch, and the old image has already been deleted, see the "Recovering from Corrupted Software" section in the "Troubleshooting" chapter of the software configuration guide.

Finding the Software Version and Feature Set Running on the Switch

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3550-ipbase9-mz for the IP services image (formerly known as the EMI) or C3550-ipbase-mz for the IP base image (formerly known as the SMI).


Note Although the show version output always shows the software image running on the switch (Layer 2 only or Layer 2 and Layer 3), the model name shown at the end of this display is the factory configuration (SMI or EMI) and does not change if you upgrade the software image.


You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Download from Cisco.com

Cisco IOS Release 12.2(25)SEA and earlier referred to the image that provides Layer 2+ features and basic Layer 3 routing features as the standard multilayer image (SMI). The image that provides full Layer 3 routing features and advanced features was referred to as the enhanced multilayer image (EMI).

Cisco IOS Release 12.2(25)SEB and later refers to the SMI as the IP base image and the EMI as the IP services image. Table 4 lists the different file-naming conventions before and after Cisco IOS Release 12.2(25)SEB.

Table 4 Cisco IOS Image File Naming Convention

Cisco IOS 12.2(25)SEA and earlier
Cisco IOS 12.2(25)SEB and later

c3550-i9q3l2 (SMI)

c3550-ipbase-mz

c3550-i5q3l2-tar (EMI)

c3550-ipservices-mz

c3550-i9k91l2q3-tar (SMI)

c3550-ipbasek9-mz

c3550-i5k91l2q3-tar (EMI)

c3550-ipservicesk9-mz


The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the files needed for the embedded device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 5 lists the software filenames for this release. These files are posted on Cisco.com.

Table 5 Cisco IOS Software Files for Catalyst 3550 Switches 

Filename

Description

c3550-ipbase-tar.122-40. SE.tar

Cisco IOS IP base image and device manager files.
This image has Layer 2+ and basic Layer 3 routing features.

c3550-ipservices-tar.122-40. SE.tar

Cisco IOS IP services image and device manager files.
This image has Layer 2+ and full Layer 3 features.

c3550-ipbasek9-tar.122-40. SE.tar

Cisco IOS IP base cryptographic image and device manager files.
This image has the Kerberos, Secure Shell (SSH), Layer 2+, and basic Layer 3 routing features.

c3550-ipservicesk9-tar.122-40. SE.tar

Cisco IOS IP services cryptographic image and device manager files.
This image has the Kerberos, SSH, Layer 2+, and full Layer 3 features.


Catalyst 3550 switches are supported by either the IP base image or the IP services image. All Catalyst 3550 Gigabit Ethernet switches are shipped with the IP services image installed. Catalyst 3550 Fast Ethernet switches are shipped with either the IP base image or the IP services image installed. After initial deployment, you can order the IP services Image Upgrade kit to upgrade the Catalyst 3550 Fast Ethernet switches from the IP base image to the IP services image.

Archiving Software Images

Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html

You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.


Note Although you can copy any file on the flash memory to the TFTP server, it is time consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.


You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a00800811e0.html

Upgrading a Switch by Using Device Manager or Network Assistant

You can upgrade switch software by using the device manager or Network Assistant. From the feature bar, choose Administration > Software Upgrade. For detailed instructions, click Help.


Note When using the device manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.


Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the Catalyst 3550 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image. This procedure requires a configured TFTP server.


Caution A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to a cryptographic image, regardless of the current noncryptographic Cisco IOS release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

To download software, follow these steps:


Step 1 Use Table 5 to identify the file that you want to download.

Step 2 Download the software image file.

Go to this URL, and follow the instructions to register on Cisco.com and download the appropriate files:

http://www.cisco.com/public/sw-center/sw-lan.shtml

To download the IP base image (formerly known as the SMI) and IP services image (formerly known as the EMI) files, select Catalyst 3550 software.

To obtain authorization and to download the cryptographic software files, select Catalyst 3550 3DES Cryptographic Software.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured. (For more information, see Appendix B in the Catalyst 3550 Multilayer Switch Software Configuration Guide.)

Step 4 Log in to the switch through the console port or a Telnet session.

Step 5 Verify your VLAN 1 configuration by using the show interfaces vlan 1 privileged EXEC command, and verify that VLAN 1 is part of the same network as the TFTP server. (See the Internet address is line near the top of the display.)

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.


This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3550-i5q3l2-tar.122-35.SE1.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.

Upgrading with a Nondefault System MTU Setting

If the switch was running Cisco IOS Release 12.1(8)EA1c or earlier and you had used the system mtu global configuration command to configure a nondefault system maximum transmission unit (MTU) size on your switch, follow these steps to upgrade your switch to Cisco IOS Release 12.1(11)EA1 or later:


Step 1 Upgrade the Cisco IOS software to Cisco IOS Release 12.1(11)EA1 or later.

Step 2 If a system MTU size of greater than 2000 is configured on a Gigabit Ethernet switch (Catalyst 3550-12T or Catalyst 3550-12G) use the system mtu global configuration command to set it to the maximum supported MTU size. The maximum allowable system MTU for Catalyst 3550 Gigabit Ethernet switches
is 2000 bytes.

Step 3 Save the running configuration by entering the copy running-config startup-config privileged EXEC command.

Step 4 Reload the switch with the new Cisco IOS software.

Step 5 When the switch comes back up with Cisco IOS Release 12.1(11)EA1 or later, reload the switch a second time by using the reload privileged EXEC command so that the system mtu command takes effect.


Recovering from a Software Failure

If the software fails, you can reload the software. For detailed recovery procedures, see the "Troubleshooting" chapter in the software configuration guide.

Installation Notes

You can assign IP information to your switch by using one of these methods:

Express Setup program, as described in the switch getting started guide.

CLI-based setup program, as described in the switch hardware installation guide.

DHCP-based autoconfiguration, as described in the switch software configuration guide.

Manually assigned IP address, as described in the switch software configuration guide.

New Features

These sections describe the new supported hardware and the new software features provided in this release:

"New Hardware Features" section

"New Software Features" section

New Hardware Features

For a list of supported hardware, see the "Hardware Supported" section.

New Software Features

This is the new software features in this release:

IP Service Level Agreements (IP SLAs) support to measure network performance by using active traffic monitoring.

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known Cisco IOS limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

Cisco IOS Limitations and Restrictions

These sections describe the Cisco IOS limitations for features on the switch:

"IEEE 802.1x" section

"ACLs" section

"Connected Devices" section

"Configuration" section

"DHCP" section

"HSRP" section

"IGMP" section

"IP" section

"MAC Addressing" section

"MIBs" section

"Multicasting" section

"Port Security" section

"QoS" section

"Routing" section

"SNMP" section

"SPAN and RSPAN" section

"Spanning Tree" section

"VLAN" section

IEEE 802.1x

These are IEEE 802.1x limitations:

When an IEEE 802.1x-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not transition to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to transition to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)

On a switch running Cisco IOS Release 12.1(12c)EA1 or later, if the switch MTU value is set to a value greater than 1500 and the authentication server and the intermediate devices are not configured with a compatible MTU value, IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) might fail.

The workaround is to reset the switch MTU value to the default value or to configure the same MTU value on the switch, the authentication server, and the intermediate devices. (CSCea05682)

ACLs

These are access control list (ACL) limitations. For ACL limitations with quality of service (QoS), see the "QoS" section.

If you apply a large ACL and it fills the entire ternary content addressable memory (TCAM), the MVR IP multicast data packets are sent to the switch CPU and are not forwarded to the MVR receiver ports.

There is no workaround. (CSCdx80751)

If the output from the show tcam inacl 1 statistics privileged EXEC command shows that the TCAM is not full and you are applying an ACL, this system message might appear:

%FM-3-UNLOADING: Unloading input vlan label 1 feature from all TCAMs

There is no workaround. (CSCea25658)

Connected Devices

These are limitations related to connections with specific devices:

When you configure an EtherChannel between a Catalyst 3550 switch and a Catalyst 1900 switch, some of the Catalyst 3550 links in the EtherChannel might go down, but one link in the channel remains up, and connectivity is maintained.

The workaround is to disable the Port Aggregation Protocol (PAgP) on both devices by using the channel-group channel-group-number mode on interface configuration command. PAgP negotiation between these two devices is not reliable. (CSCdt78727)

If a switch and a Cisco redundant power system (RPS) 300 or 675 are connected to different power sources and the switch power supply fails, the Cisco RPS supplies power to the switch. However, after the switch power supply is restored, the Cisco RPS continues providing power to the switch.

When the switch stops receiving power from the Cisco RPS and uses its own power supply to power the switch, pressing the Standby/Active button on the Cisco RPS might cause the switch to reload.


Note We recommend that you connect the switch and the Cisco RPS to the same power source. For more information, see the Cisco RPS installation guide.


There is no workaround. (CSCdx81023)

When you insert a GigaStack GBIC in a GBIC module slot, the CPU utilization increases by 6 percent. This increase occurs for each GigaStack GBIC added to the switch. Other types of GBICs do not cause additional CPU utilization.

There is no workaround. (CSCdx90515)

When the link between a device with an AC power supply and a Catalyst 3550-24PWR switch is 10 Mb/s and half duplex, and the AC power supply is turned off, the switch is in the error-disabled state.

The workaround is remove the AC power supply, disconnect the Ethernet cable, and then reconnect the Ethernet cable. This ensures that the switch uses inline power. (CSCdz16265)

The Catalyst 3550 switch does not adjust the power allocation based on the IEEE class of the power device. When an IEEE powered-compliant device is connected to a switch, it allocates 15 W (the default) to the port.

There is no workaround. (CSCdz37516)

When a Catalyst 3550 switch is connected to a three-port Gigabit Ethernet module in a Cisco 12000 Gigabit Switch Router (GSR) that is configured for Ethernet over Multiprotocol Label Switching (EoMPLS), the switch does not reliably send frames to the GSR.

The workaround is to configure the Catalyst 3550 Gigabit Ethernet interface with the spanning-tree portfast interface configuration command. (CSCea04746)

If a cable on an ingress interface is disconnected, an Alteon A184 cannot detect when a 1000BASE-X link between two Catalyst 3550 switches is down.

There is no workaround. (CSCea09786)

When three or more Catalyst 3550-24PWR switches are connected through GigaStack GBICs, you can access all the VLANs on the uplink switch, but you can only access VLAN 1 on the other switches.

The workaround is to enter the switchport mode trunk interface configuration command on all of the GigaStack interfaces and to do one of these:

Use the shutdown and then the no shutdown interface configuration commands on the ports.

Save the switch configuration by using the copy running-config startup-config privileged EXEC command, and reload all the switches. (CSCec86258)

The undersize error counter is incrementing when no undersize packets are present. This condition occurs on IEEE 802.1Q tunnel ports connected to a Nortel or an Alteon Load Balancer.

There is no known workaround. (CSCed73388)

If four switches are connected in a cascaded stack through the GigaStack GBICs, the link between the second and third switches goes down, and then the GBICs on the second and third switches are reconnected, the GBIC LEDs flash amber, and the ports take approximately 1 minute to come up. Some of the GBIC ports might not come up.

There is no workaround. (CSCef17198)

The Cisco RPS 300 redundant power system supports the Catalyst 3550 multilayer switch and provides redundancy for up to six connected devices until one of these devices requires backup power. If a connected device has a power failure, the Cisco RPS 300 immediately begins supplying power to that device and sends status information to other connected devices that it is no longer available as a backup power source. As described in the device documentation, when the RPS LED on the switch is amber, the Cisco RPS 300 is connected but down. However, this might merely mean that the Cisco RPS 300 is in standby mode. Press the Standby/Active button on the Cisco RPS 300 to put it into active mode. You can view the Cisco RPS 300 status through the CLI by using the show rps privileged EXEC command. For more information, see the Cisco RPS 300 documentation.

Configuration

These are configuration limitations:

When changing the link speed of a Gigabit Ethernet port from 1000 to 100 Mb/s, there is a slight chance that the port will stop forwarding packets.

The workaround is to shut down the port, and to re-enable it by using the shutdown and no shutdown interface configuration commands. (CSCds84279)

When you use the no interface port-channel global configuration command to remove an EtherChannel group, the ports in the port group change to the administratively down state.

The workaround, when you remove an EtherChannel group, is to enter the no shutdown interface configuration command on the interfaces that belonged to the port group to bring them back on line. (CSCdt10825)

In the show interface interface-id privileged EXEC command output, the output buffer failures field shows the number of packets lost before replication, whereas the packets output field shows the successfully transmitted packets after replication. To determine actual discarded frames, multiply the output buffer failures by the number of VLANs on which the multicast data is replicated.

There is no workaround. (CSCdt26928)

Remote Monitoring (RMON) collection functions on physical interfaces, but it is not supported on EtherChannels and Switched Virtual Interfaces (SVIs). (CSCdt36101)

If a switch stack contains both Catalyst 3550 switches and Catalyst 2900 XL or Catalyst 3500 XL switches, Cross-Stack UplinkFast (CSUF) is not enabled if the management VLAN on the Catalyst 2900 XL or 3500 XL switches is changed to a VLAN other than VLAN 1 (the default).

The workaround is to make sure that the management VLAN of all Catalyst 2900 XL or 3500 XL switches in the stack is set to VLAN 1. (CSCdv79737)

The 5 minute input rate and 5 minute output rate fields in the output of the show interfaces privileged EXEC command show both rates as 0 bits/sec. If you enter the show interfaces command more than once, these fields might show values greater than 0 bits/sec.

There is no workaround. (CSCdz06305)

Performing an extended ping from one interface to another interface on the same switch can cause high CPU utilization. This can occur when a large number of ping packets are sent and received and is the expected behavior.

The workaround is to not perform a ping from one interface to another on the same switch. (CSCea19301)

When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked.

The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)

When connected to some third-party devices that send early preambles, a switch port operating at 100 Mb/s full duplex or 100 Mb/s half duplex might bounce the line protocol up and down. The problem occurs only when the switch is receiving frames.

The workaround is to configure the port for 10 Mb/s and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)

Storm control or traffic suppression (configured by using the storm-control {broadcast | multicast | unicast} interface configuration command) is supported only on physical interfaces. It is not supported on EtherChannel port channels, even though you can enter these commands through the CLI.

When system jumbo MTU size is configured on a switch and the egress ports can support jumbo frames, the egress SPAN jumbo frames are not forwarded to the SPAN destination ports.

There is no workaround. (CSCsj21718)

DHCP

These are DHCP limitations:

The DHCP option-82 format on the Catalyst 3550 switch is inconsistent with other Cisco switches. When the Catalyst 3550 switch is used as the relay agent with DHCP snooping and the option-82 feature using the VLAN-module-port (vlan-mod-port) format, the switch does not assign the correct value to the port identifier (circuit ID suboption). The value is offset by 1 from the actual interface module- and port-number values. The circuitID/port-identifier for Fast Ethernet and Gigabit Ethernet interfaces also have the same module-number but different port-number values. For example, on a Catalyst 3550-24 switch, fastethernet0/1 is reported as module 0/port 0 and gigabitethernet0/1 is reported as module 0/port 24.

There is no workaround. (CSCed29525)

HSRP

This is the Hot Standby Router Protocol (HSRP) limitation:

After the no interface tunnel0 global configuration command is entered to remove the tunnel interface, the output from the show running-config privileged EXEC command still shows the tunnel interface that was removed.

This can occur if HSRP interface tracking is configured on another interface to track a tunnel interface, if the no interface command was entered before the HSRP tracking configuration was removed, or if the no standby tunnel0 global configuration command was entered on the other interface to disable tracking.

These are the workarounds:

Before removing the tunnel interface from the configuration, remove the HSRP interface tracking commands in the configuration that specify the tunnel interface.

Use the no standby track global configuration command without specifying an interface to disable HSRP tracking. (CSCdz66450)

IGMP

These are IGMP limitations:

Internet Group Management Protocol (IGMP) packets classified by QoS to map the DSCP value and the class of service (CoS) value in a QoS policy map might modify only the DSCP property and leave the CoS value at zero.

There is no workaround. (CSCdt27705)

When IGMP filtering is enabled and you use the ip igmp profile global configuration command to create an IGMP filter, reserved multicast addresses cannot be filtered. Because IGMP filtering uses only Layer 3 addresses to filter IGMP reports and due to mapping between Layer 3 multicast addresses and Ethernet multicast addresses, reserved groups (224.0.0.x) are always allowed through the switch. Aliased groups can also leak through the switch. For example, if a user is allowed to receive reports from group 225.1.2.3, but not from group 230.1.2.3, aliasing causes the user to receive reports from 230.1.2.3. Aliasing of reserved addresses means that all groups of the form y.0.0.x are allowed through.

There is no workaround. (CSCdv73626)

If you use the ip igmp max-groups interface configuration command to set the maximum number of IGMP groups for an interface to 0, the port still receives group reports from reserved multicast groups (224.0.0.x) and their Layer 2 aliases (y.0.0.x).

There is no workaround. (CSCdv79832)

When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked. The switchport block multicast command is only applicable to non-IP multicast traffic.

There is no workaround. (CSCee16865)

After you configure a switch to join a multicast group by entering the ip igmp join-group group-address interface configuration command, the igmp join sent by the client might be suppressed. If this happens, the switch port where the client is connected might be removed from the IGMP snooping forwarding table.

Use one of these workarounds:

Cancel membership in the multicast group by using the no ip igmp join-group group-address interface configuration command on an SVI.

Disable IGMP snooping on the VLAN interface by using the no ip igmp snooping vlan vlan-id global configuration command. (CSCeh90425)

IP

This is the IP limitation:

The switch does not create an adjacent table entry when the ARP timeout value is 15 seconds and the ARP request times out.

The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)

MAC Addressing

These are MAC address limitations:

After a MAC address is relearned on a new interface, traffic might not be immediately forwarded to the MAC addresses.

There is no workaround. (CSCdz75459)

The switch uses the same MAC address for all VLAN interfaces. If the destination MAC address in a packet is the same as the MAC address of the VLAN interface, and the VLAN interface for that VLAN is shut down or does not exist, the switch drops the packet.

There is no workaround. (CSCed12004)

If packets with a bad cyclic redundancy check (CRC) are received on a port, the switch might learn the source MAC address of the bad packet.

There is no workaround. (CSCef15178)

MIBs

These are MIB limitations:

When you access the CISCO-STACK-MIB portTable, the mapping might be off by one from the mapping given by the switch. The objects in this table are indexed by two numbers: portModuleIndex and portIndex. The allowable values for portModuleIndex are 1 through 16. Because 0 is not an allowable value, the value 1 represents module 0.

The workaround is to use the value 1 to represent module 0. (CSCdw71848)

The Catalyst 3550 switch only supports the read operation in the sysClearPortTime MIB object (.1.3.6.1.4.1.9.5.1.1.13) in the CISCO-STACK-MIB. Use the clear counters privileged EXEC command to clear the counters.

There is no workaround. (CSCdz87897)

Multicasting

These are the multicasting limitations:

Modifying a multicast boundary access list does not prevent packets from being forwarded by any multicast routes that were in existence before the access list was modified if the packets arriving on the input interface do not violate the boundary. However, no new multicast routes that violate the updated version of the multicast boundary access list are learned, and any multicast routes that are in violation of the updated access list are not relearned if they age out.

After updating a multicast boundary, the workaround is to use the clear ip mroute privileged EXEC command to delete any existing multicast routes that violate the updated boundary. (CSCdr79083)

The show ip mroute count privileged EXEC command might display incorrect packet counts. In certain transient states (for example, when a multicast stream is forwarded only to the CPU during the route-learning process and the CPU is programming this route into the hardware), a multicast stream packet count might be counted twice.

The workaround is to not trust the counter during this transient state. (CSCds61396)

In IP multicast routing and fallback bridging, certain hardware features are used to replicate packets for the different VLANs of an outgoing trunk port. If the incoming speed is line rate, the outgoing interface cannot duplicate that speed (because of the replication of the packets). As a result, certain replicated packets are dropped.

There is no workaround. (CSCdt06418)

Multicast router information appears in the show ip igmp snooping mrouter privileged EXEC command output when IGMP snooping is disabled. Multicast VLAN Registration (MVR) and IGMP snooping use the same commands to display multicast router information. In this case, MVR is enabled, and IGMP snooping is disabled.

There is no workaround. (CSCdt48002)

When you use the ip pim spt-threshold infinity interface configuration command, you want all sources for the specified group to use the shared tree and not use the source tree. However, the switch does not automatically start to use the shared tree. No connectivity problem occurs, but the switch continues to use the shortest path tree for multicast group entries already installed in the multicast routing table.

The workaround is to enter the clear ip mroute privileged EXEC command to force the change to the shared tree. (CSCdt60412)

Configuring too many multicast groups might result in an extremely low memory condition and cause the software control data structure to go out of sync, causing unpredictable forwarding behavior. The memory resources can only be recovered by entering the clear ip mroute privileged EXEC command.

The workaround is to not configure more than the recommended number of multicast routes on the switch. (CSCdt63480)

If the number of multicast routes configured on the switch is greater than the switch can support, it might run out of available memory, which can cause it to reboot. This is a limitation in the platform-independent code.

The workaround is to not configure the switch to operate with more than the maximum number of supported multicast routes. You can use the show sdm prefer and show sdm prefer routing privileged EXEC commands to view approximate maximum configuration guidelines for the current SDM template and the routing template. (CSCdt63354)

Multicast traffic can be temporarily lost when a link comes up in a redundant network and causes the reverse path forwarding (RPF) to change. This only occurs when there are multiple paths between the rendezvous point (RP) and the multicast source.

There is no workaround. (CSCdw27519)

When the switch receives multicast traffic and IGMP join for requests a multicast group at the same time and it begins to forward the multicast packets, some of the packets might be dropped.

There is no workaround. (CSCdy80326)

When one Fast Ethernet port on a switch (Switch A) is connected to a packet generator, and another Fast Ethernet port on the switch is connected to a Gigabit Ethernet interface on another switch (Switch B), multicast traffic sent from Switch A to Switch B is incorrectly counted. The output from the show mls qos interface interface-id statistics command for the Gigabit Ethernet interface is incorrect.

There is no workaround. (CSCee19574)

Port Security

These are port security limitations:

If IP source guard and port security are both enabled on a port, and the port is flooded with a large number of unknown MAC addresses, the CPU utilization becomes very high. (CSCeg53423)

If a port is configured as a secure port with the violation mode as restrict, the secure ports might process packets even after maximum limit of MAC addresses is reached, but those packets are not forwarded to other ports.

There is no workaround. (CSCdw02638)

Certain combinations of features create conflicts with the port security feature. In Table 6, No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time. A dash means not applicable.

Table 6 Port Security Compatibility with Other Features 

Type of Port
Compatible with Port Security

DTP1 port2

No

Trunk port

Yes

Dynamic-access port3

No

Routed port

No

SPAN source port

Yes

SPAN destination port

No

EtherChannel

No

Tunneling port

Yes

Protected port

Yes

IEEE 802.1x port

Yes

Voice VLAN port4

Yes

1 DTP = Dynamic Trunking Protocol

2 A port configured with the switchport mode dynamic interface configuration command

3 A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command

4 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.


QoS

These are QoS limitations:

If you assign both tail-drop threshold percentages to 100 percent by using the wrr-queue threshold interface configuration command and display QoS information for this interface by using the show mls qos interface statistics privileged command, the drop-count statistics are always zero even if the thresholds were exceeded. To display the total number of discarded packets, use the show controllers ethernet-controllers interface-id privileged EXEC command. In the display, the number of discarded frames includes the frames that were dropped when the tail-drop thresholds were exceeded.

The behavior of a software access control list (ACL) with QoS is different from a hardware ACL with QoS. On the Catalyst 3550 switch, when the QoS hardware rewrites the DSCP of a packet, the rewriting of this field happens before software running on the CPU examines the packet, and the CPU sees only the new value and not the original DSCP value.

When the security hardware ACL matches a packet on input, the match uses the original DSCP value. For output security ACLs, the security ACL hardware should match against the final, possibly changed, DSCP value as set by the QoS hardware. Under some circumstances, a match to a security ACL in hardware prevents the QoS hardware from rewriting the DSCP and causes the CPU to use the original DSCP.

If a security ACL is applied in software (because the ACL did not fit into hardware, and packets were sent to the CPU for examination), the match probably uses the new DSCP value as determined by the QoS hardware, whether or not the ACL is applied at the receiving or sending interface. When packets are logged by the ACL, this problem can also affect whether or not a match is logged by the CPU, even if the ACL fits into hardware and the permit or deny filtering was completed in hardware.

To avoid these issues, whenever the switch rewrites the DSCP of any packet to a value different from the original DSCP, security ACLs should not test against DSCP values in any of their access control elements (ACEs), whether or not the ACL is being applied to an IP access group or to a VLAN map. This restriction does not apply to ACLs used in QoS class maps.

If the switch is not configured to rewrite the DSCP value of any packet, it is safe to match against DSCP in ACLs used for IP access groups or for VLAN maps because the DSCP does not change as the packet is processed by the switch.

The DSCP field of an IP packet encompasses the two fields that were originally designated precedence and type of service (ToS). Statements relating to DSCP apply equally to either IP precedence or IP ToS. (CSCdt94355)

Ternary content addressable memory (TCAM) generation might fail when there are multiple ACLs in a policy-map. If you add an entry that checks TCP flags to an access list that is used for QoS classification, the system might report that a hardware limitation has been reached for the policy map. This can occur when the policy map already contains several other access list entries that check different TCP flags or that check TCP or User Datagram Protocol (UDP) port numbers by using an operation different from equal (eq), such as not equal (ne), less than (lt), greater than (gt), or range. When the hardware limitation is reached, the service-policy input policy-map-name interface configuration command is removed from the running configuration of the interface.

Checking for TCP flags and TCP/UDP port numbers using operators other than eq share some of the same hardware resources. The switch supports no more than six checks within a single policy map. An identical check repeated in multiple entries in the same policy map counts as a single instance. If this limit is reached during a TCP or a UDP port number check, the software can often work around the problem by allocating extra entries in the TCAM. There is no workaround if the limit is reached during a check against the TCP flags in the packet. Similar checks in a port ACL applied to the same physical interface as the policy map also count toward the limit.

Because these resources are allocated on a first-come, first-serve basis, rearranging the order of ACLs within a policy map or the order of entries within a single ACL, placing the TCP flags checks as early as possible, might enable the policy map to be loaded into the hardware.

Similar limits apply for any combination of input VLAN maps, input router ACLs, output VLAN maps, and output router ACLs that share the same VLAN label. The switch supports eight checks for all features on the same VLAN label. When the limit is reached, the system might forward packets by using the CPU rather than through hardware, greatly reducing system performance. To determine the VLAN label assigned to a VLAN or interface on input or output, use the show fm vlan or show fm interface privileged EXEC commands. Then use the show fm vlan-label privileged EXEC command to determine which set of features (input VLAN map, input router ACL, output VLAN map, or output router ACL) share this label.

These are the workarounds:

Re-arrange the order of classes within the policy map and the order of entries within the individual access lists in the policy map or within any IP port ACL applied to the interface so that checks for TCP flags are made as early as possible within the policy map. You can also re-arrange the order of the individual ACLs within a VLAN map and the order of the individual entries in a security ACL.

Add an extra entry to the front of an ACL that checks for the same TCP flags that are checked later on in the ACL. If the first entry of the ACL already matches only the TCP protocol, you can duplicate the entry and add a check for the appropriate TCP flags.

Reduce the number of different combinations of TCP flags being tested.

If the other workarounds fail, avoid combining any check against the TCP flags with gt, lt, ne, or range checks within the policy map and port ACL configured on the interface or within the VLAN maps and router ACLs that share the same VLAN label. (CSCdx24363)

If you apply an ACL to an interface that has a QoS policy map attached and the ACL is configured so that the packet should be forwarded by the CPU or if the configured ACL cannot fit into the ternary content addressable memory (TCAM), all packets received from this interface are forwarded to the CPU. Because traffic forwarded to the CPU cannot be policed by the policer configured on the interface, this traffic is not accurately rate-limited to the configured police rate.

The workaround, when QoS rate limiting is configured on an interface, is to configure applied ACLs so that packets are not forwarded by the CPU or reduce the number of ACEs in the ACL so that it can fit into the TCAM. (CSCdx30485)

If you create a policy map by using the policy-map policy-map-name global configuration command, enter the class class-map-name policy-map configuration command, and then immediately exit from the policy-map class configuration mode, the policy map does not show its class-map association.

The workaround is to enter another command (such as the police, trust, or set policy-map class configuration commands) after entering the class class-map-name policy-map configuration command. (CSCdx81650)

If a switch configuration contains a large ACL and a per-port per-VLAN policy map and both are attached to two interfaces, when you are copying it to the running configuration, this process might fail because the switch runs out of memory.

These are the workarounds:

Copy the new configuration file to the config.txt file, and reboot the switch.

Save the configuration file as two files: one containing only the ACL configuration and one containing the rest of the configuration (including the QoS and interface configuration). Add the first configuration file to the running-configuration file, and then add the second file to the running-configuration file. (CSCdz54115)

If you are configuring a policy map on an interface by using named ACLs and the policy map has 13 named ACLs that include deny statements, these messages might appear when you add an ACL:

QoS: Programming TCAM failed: Unsuccessful ACL merge
 Service Policy attachment failed
 Service Policy xxxx not attached
QM-4-HARDWARE_NOT_SUPPORTED: Hardware limitation has reached for policymap xxxx

Use one of these workarounds:

Use numbered ACLs.

Do not use deny statements because the end of an ACL has an implicit deny statement. (CSCec46594)

Catalyst 3550 switches do not take into account the Preamble and IFG when rate limiting traffic, which could result in a slightly inaccurate policing rate on a long burst of small frames, where the ratio of the Preamble and IFG to frame size is more significant. This should not be an issue in an environment where the frames are a mix of different sizes.

Certain combinations of features create conflicts with the port security feature. In Table 6, No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time. A dash means not applicable.

Routing

These are routing limitations:

Open Shortest Path First (OSPF) path costs and Interior Gateway Routing Protocol (IGRP) metrics are incorrect for switch virtual interface (SVI) ports.

The workaround is to configure the bandwidth of the SVI manually by using the bandwidth interface configuration command. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as an sending interface. (CSCdt29806)

The dec keyword is not supported in the bridge bridge-group protocol global configuration command. If two Catalyst 3550 switches are connected to each other through an interface that is configured for IP routing and fallback bridging, and the bridge group is configured with the bridge bridge-group protocol dec command, both switches act as if they were the spanning-tree root. Therefore, spanning-tree loops might be undetected.

There is no workaround. (CSCdt63589)

When the switch is operating with equal-cost routes and it is required to learn more unicast routes than it can support, the CPU might run out of memory, and the switch might fail.

The workaround is to remain within the documented recommended and supported limits. (CSCdt79172)

If a Catalyst 3550 switch is connected to two routers (Router 1 and Router 2) in this topology:

The link between Router 1 and the switch is a BVI (bridge virtual interface) that belongs to two VLANs (VLAN 100 and VLAN 110) and uses one IP address. The IP subnet for the BVI is the same for both VLANs. The ports in both VLANs operate as Layer 2 interfaces. An SVI with an IP address is configured only on VLAN 100.

The link between Router 2 and the switch is an IP interface that only belongs to VLAN 110.

IP connectivity then exists between Router 1 and the switch. There is no IP connectivity between Router 2 and the switch.

The workaround is to configure another SVI with an IP address on the Catalyst 3550 switch that would be reachable from Router 2. (CSCdy82042)

When the switch has many routes that use loadsharing among multiple next hops, some of the routes might not loadshare but instead pick only one of the next hops for forwarding all packets on that route. This happens when the portion of the adjacency RAM that has been allotted for multipath routes has been used up.

There is no workaround. (CSCed22152)

Packets received from media types that require SNAP encapsulation of IPv4 packets require the switch to forward SNAP-encapsulated packets. Layer 2 forwarding of IPv4 in SNAP encapsulation ordinarily takes place in hardware (unless a VLAN map or port ACL contains an IP ACL). However, on the Catalyst 3550 switch, Layer 3 forwarding of IPv4 in SNAP can only be done in software. SNAP-encapsulated IPv4 packets that are directed to the router MAC address or the HSRP group MAC address (if this device is the active router in the HSRP group) are forwarded to the switch CPU, potentially causing high CPU utilization levels.

This is a hardware limitation, and there is no workaround. (CSCed59864)

When multi-VRF-CE is enabled on the switch, the switch does not support the ip directed-broadcast interface configuration command used to enable forwarding of IP-directed broadcasts on an interface.

There is no workaround. (CSCee05670)

When an IP packet with a cyclic redundancy check (CRC) error is received, the per-packet per-Differentiated Service Code Point (DSCP) counter (for DSCP 0) is incremented. Normal networks should not have packets with CRC errors.

There is no workaround. (CSCdr85898)

SNMP

This is the SNMP limitation:

The switch might reload when it is executing the no snmp-server host global configuration command. This is a rare condition that can happen if SNMP traps or informs are enabled and the SNMP agent attempts to send a trap to the host just as it is being removed from the configuration and if the IP address of the host (or the gateway to reach the host) has not been resolved by Address Resolution Protocol (ARP).

The workaround is to ensure that the target host or the next-hop gateway to that host is in the ARP cache (for example, by using a ping command) before removing it from the SNMP configuration. Alternatively, disable all SNMP traps and informs before removing any hosts from the SNMP configuration. (CSCdw44266)

SPAN and RSPAN

These are SPAN and RSPAN limitations:

A Remote Switched Port Analyzer (RSPAN) source session does not forward monitored traffic to the RSPAN destination session if there is an egress SPAN source port in the session with port security or IEEE 802.1x enabled.

There is no workaround. (CSCdy21035)

Not all traffic is properly mirrored by RSPAN when a port is monitored for egress traffic and the RSPAN VLAN is carried through a Layer 2 protocol tunnel to the RSPAN destination switch.

This happens because the MAC addresses for the original packets as well as the mirrored RSPAN packets are all learned on the tunnel VLAN, so the RSPAN traffic is no longer properly segregated on the tunneling switches.

The workaround is to not include any RSPAN VLANs in any Layer 2 protocol tunnels unless the tunnel is dedicated to a single RSPAN VLAN. (CSCdy37188)

Ingress forwarding on a SPAN destination port does not work if there is an egress SPAN source port in the session with port security or IEEE 802.1x enabled.

There is no workaround. (CSCdy44646)

Whenever a single frame is subject to both ingress and egress SPAN, and both the ingress and the egress SPAN are sent to the same SPAN destination port, the egress copy of the spanned frame is sent out the SPAN destination port before the ingress copy of the spanned frame is sent out the SPAN destination port.

There is no workaround. (CSCef97043)

RSPAN does not work when the RSPAN source session and the RSPAN destination session are on the same switch. If an RSPAN source session is configured with a particular RSPAN VLAN and an RSPAN destination session for that RSPAN VLAN is configured on the same switch, then the RSPAN destination session's destination port will not transmit captured packets from the RSPAN source session.

The workaround is to use SPAN instead of RSPAN.(CSCeg08870)

Spanning Tree

These are spanning tree limitations:

When the logging event-spanning-tree interface configuration command is configured and logging to the console is enabled, a topology change might generate a large number of logging messages, causing high CPU utilization. CPU utilization can increase with the number of spanning-tree instances and the number of interfaces configured with the logging event-spanning-tree interface configuration command. This condition adversely affects how the switch operates and could cause problems such as STP convergence delay.

High CPU utilization can also occur with other conditions, such as when debug messages are logged at a high rate to the console.

Use one of these workarounds:

Disable logging to the console.

Rate-limit logging messages to the console. (CSCsg91027)

Remove the logging event spanning-tree interface configuration command from the interfaces.

If a port on the Catalyst 3550 switch that is running the Multiple Spanning Tree Protocol (MSTP) is connected to another switch that belongs to a different multiple spanning tree (MST) region, the Catalyst 3550 port is not recognized as a boundary port when you start the protocol migration process by using the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. This problem occurs only on the root bridge, and when the root bridge is cleared, the boundary ports are not shown because the designated ports do not receive any bridge protocol data units (BPDUs) unless a topology change occurs. This is the intended behavior.

The workaround is to configure the Catalyst 3550 switch for Per-VLAN spanning-tree plus (PVST+) by using the spanning-tree mode pvst global configuration command bridge, and then change it to MSTP by using the spanning-tree mode mst global configuration command. (CSCdx10808)

When you reboot a Catalyst 3550-24-FX switch, it might loop back packets received on a 100BASE-FX port to its link partner. This can occur before the Cisco IOS software takes control of the system and lasts for about 200 milliseconds.

As a result, the link partner might shut down the port when it detects loopback packets, or MAC addresses might be learned on the wrong ports on upstream switches. The network might be unable to deliver packets to a few devices for up to 5 minutes after rebooting the Catalyst 3550-24-FX switch when:

The Catalyst 3550-24-FX switch is connected to one or more switches in the network.

Spanning tree is disabled in the network or the Port Fast feature is enabled on the ports connected to the Catalyst 3550-24-FX switch.

The Catalyst 3550-24-FX switch is powered cycled or reloaded from the CLI.

One or more devices in the network transmit a broadcast or multicast packet during the 200-millisecond timing window while the Catalyst 3550-24-FX switch is booting up.

This problem corrects itself after five minutes or when these devices transmit a broadcast or multicast packet, whichever comes first.

The workaround is to enable spanning tree in the network and to make sure that the Port Fast feature is disabled on all ports connected to the Catalyst 3550-24-FX switch. (CSCdx45558)

When a switch receives a bridge STP bridge protocol data unit (BPDU) from an access port and the egress port is a trunk port, the switch assigns the BPDU a CoS value of 0 instead of 7.

There is no workaround. (CSCdz54043)

CSCef18020

In a switch stack with GigaStack GBICs, cross-stack UplinkFast (CSUF) convergence might be slow when the root port fails.

There is no workaround.

VLAN

These are VLAN limitations:

When a VLAN interface has been disabled and restarted multiple times by using the shutdown and no shutdown interface configuration commands, the interface might not restart following a no shutdown command.

The workaround is to re-enter the shutdown and no shutdown interface configuration commands to restart the interface. (CSCdt54435)

When a large number of VLANs and a large number of trunk ports with allowed VLAN lists are configured on the switch, if you enter the no switchport trunk allowed vlan interface-range command to remove the allowed list for all the trunk ports, the SYS-3-CPUHOG system message might appear.

The workaround is to use the no switchport trunk allowed vlan interface configuration command on each trunk port to remove the allowed list for all the trunk ports. (CSCdx17189)

When 1000 VLANs and more than 40 trunk ports are configured, and the spanning-tree mode changes from MSTP to PVST+ or the reverse, this message appears on the console:

%ETHCNTR-3-RA_ALLOC_ERROR: RAM Access write pool I/O memory allocation failure

There is no workaround. However, we recommend that you reload the switch by using the reload privileged EXEC command. To avoid this problem, configure the system with fewer VLANs and fewer trunk ports, or use the switchport trunk allowed vlan interface configuration command to reduce the number of active VLANs on each trunk port. (CSCdx20106)

If the switch fails for any reason while you are exiting VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command), there is a slight chance that the VLAN database might get corrupted. After resetting from the switch, you might see these messages on the console:

%SW_VLAN-4-VTP_INVALID_DATABASE_DATA: VLAN manager received bad data of type device 
type: value 0 from vtp database 

$SW_VLAN-3-VTP_PROTOCOL_ERROR: VTP protocol code internal error 

The workaround is to use the delete flash:vlan.dat privileged EXEC command to delete the corrupted VLAN database. Then reload the switch by using the reload privileged EXEC command. (CSCdx19540)

When you perform a ping from a VLAN to another VLAN on the same switch, the VLAN counter does not change.

There is no workaround. (CSCdz17863)

Important Notes

These sections describe the important notes related to this software release:

"Cisco IOS Notes" section

"Device Manager Notes" section

Cisco IOS Notes

These are the important Cisco IOS configuration notes related to this release:

In Cisco IOS Release 12.2(40)SE and later, if the switch has interfaces with automatic QoS for voice over IP (VoIP) configured and you upgrade the switch software to Cisco IOS Release 12.2(40)SE (or later), when you enter the auto qos voip cisco-phone interface configuration command on another interface, you might see this message:

AutoQoS Error: ciscophone input service policy was not properly applied
policy map AutoQoS-Police-CiscoPhone not configured

If this happens, enter the no auto qos voip cisco-phone interface command on all interface with this configuration to delete it. Then enter the auto qos voip cisco-phone command on each of these interfaces to reapply the configuration. In Cisco IOS Release 12.2(25)SEC, the implementation for multiple spanning tree (MST) changed from the previous release. Multiple STP (MSTP) is now compliant with the IEEE 802.1s standard. Previous MSTP implementations were based on a draft of the IEEE 802.1s standard.

In Cisco IOS Release 12.1(19)EA1, the implementation for the option-82 subscriber identification changed from the previous release. The new option-82 format uses a different circuit ID and remote ID suboption, vlan-mod-port. The previous version uses the snmp-ifindex circuit ID and the remote ID suboption.

If you have option-82 configured on the switch and you upgrade to Cisco IOS Release 12.1(19)EA1 or later, the option-82 configuration is not affected. However, when you globally enable DHCP snooping on the switch by using the ip dhcp snooping global configuration command, the previous option-82 configuration is suspended, and the new option-82 format is applied. When you globally disable DHCP snooping on the switch, the previous option-82 configuration is re-enabled.

To provide for backward compatibility, you can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command when you enable DHCP snooping. When DHCP snooping is globally enabled, option-82 information (in the selected format) is only inserted on snooped VLANs.

For more information about using the previous version of option 82 without enabling DHCP snooping, see the software configuration guide for this release.

In Cisco IOS Release 12.1(14)EA1, the implementation for IEEE 802.1x changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added.

If you have IEEE 802.1x configured on the switch and you upgrade to Cisco IOS
Release 12.1(14)EA1 or later, the configuration file does not contain the new commands, and
IEEE 802.1x does not operate. After the upgrade is complete, make sure to globally enable
IEEE 802.1x by using the dot1x system-auth-control global configuration command. For more information, see the software configuration guide for this release.

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to 2 plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the telephone requires up to two MAC addresses. The address of the Cisco IP Phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the Cisco IP Phone requires additional MAC addresses.

If you configure a port ACL on a physical interface on a switch that has VLAN maps or input router ACLs configured, or if you configure a VLAN map or input router ACL on a switch that has port ACLs configured, a CONFLICT message is generated, but the configuration is accepted. The port ACL action has priority on that port over actions in a router ACL or VLAN map applied to the VLAN to which the port belongs.

The result is that packets received on that physical port are permitted or denied based on the port ACL action, without regard to any permit or deny statements in any router ACL or VLAN map. Packets received on other physical ports in the VLAN are still permitted or denied based on any router ACLs or VLAN maps applied to the VLAN. If the port ACL is applied to a trunk port, it overrides any other input ACLs applied to all VLANs on the trunk port.

The default system MTU for traffic on the Catalyst 3550 switch is 1500 bytes. The IEEE 802.1Q tunneling feature increases the frame size by 4 bytes. Therefore, when you configure IEEE 802.1Q tunneling, you must configure all switches in the IEEE 802.1Q network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. You configure the system MTU size by using the system mtu global configuration command.

When you are configuring a cascaded stack of Catalyst 3550 switches by using the GigaStack GBIC module and want to include more than one VLAN in the stack, be sure to configure all the GigaStack GBIC interfaces as trunk ports by using the switchport mode trunk interface configuration command and to use the same encapsulation method by using the switchport encapsulation {isl | dot1q} interface configuration command. For more information about these commands, refer to the switch command reference for this Cisco IOS release.

If the 1000BASE-T GBIC (WS-G5482) module is not securely inserted, the switch might fail to recognize it or might display an incorrect media type following a show interface privileged EXEC command entry. If this happens, remove and reinsert the GBIC module.

When you configure a dynamic switchport by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the port mode changes from access to trunk through Dynamic Trunking Protocol (DTP) negotiation.

The workaround is to configure the port as a static access port. (CSCdz32330)

Beginning in Cisco IOS Release 12.1(13)EA1, these are the default settings for an IP phone connected to a switch:

The port trust state is to not trust the priority of frames arriving on the IP phone port from connected devices.

The CoS value of incoming traffic is overwritten and set to zero. (CSCdz76948).

If the switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:

00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not 
responding.

If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.

Device Manager Notes

These notes apply to the device manager:

This release supports the same switch cluster compatibilities supported in Cisco IOS Release 12.1(22)EA1. However, you cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI or Cisco Network Assistant.

When you are prompted to accept the security certificate and you click No, you see only a blank screen, and the device manager does not launch.

The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)

We recommend this browser setting to speed up the time to display the device manager from Microsoft Internet Explorer.

From Microsoft Internet Explorer:

1. Choose Tools > Internet Options.

2. Click Settings in the "Temporary Internet files" area.

3. From the Settings window, choose Automatically.

4. Click OK.

5. Click OK to exit the Internet Options window.

The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip http authentication {aaa | enable | local}

Configure the HTTP server interface for the type of authentication that you want to use.

aaa—Enable the authentication, authorization, and accounting feature. You must enter the aaa new-model interface configuration command for the aaa keyword to appear.

enable—Enable password, the default method of HTTP server user authentication.

local—Local user database, as defined on the Cisco router or access server.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show running-config

Verify your entries.

The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.

If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184, where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.

If you are not using the default method of authentication (the enable password), configure the HTTP server interface with the method of authentication used on the switch.

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip http authentication {enable | local | tacacs}

Configure the HTTP server interface for the type of authentication that you want to use.

enable—Enable password, the default method of HTTP server user authentication.

local—Local user database, as defined on the Cisco router or access server.

tacacs—TACACS server.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show running-config

Verify your entries.

If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.cisco.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch the device manager.

Open Caveats

These are the Cisco IOS severity-3 open configuration caveats with possible unexpected activity in this software release:

CSCdx95501

When a community string is assigned by the cluster command switch, you cannot get any dot1dBridge MIB objects by using a community string with a VLAN entity from a cluster member switch.

The workaround is to manually add the cluster community string with the VLAN entity on the member switches for all active VLANs shown in the show spanning-tree summary display. This is an example of such a change, where cluster member 3 has spanning tree on vlan 1-3, and the cluster commander community string is public@es3.

Mbr3(config)# snmp community public@es3@1 RO
Mbr3(config)# snmp community public@es3@2 RO
Mbr3(config)# snmp community public@es3@3 RO

CSCsc96474

The switch might display tracebacks similar to these examples when a large number of IEEE 802.1x supplicants try to repeatedly log in and log out.

Examples:

Jan 3 17:54:32 L3A3 307: Jan 3 18:04:13.459: %SM-4-BADEVENT: Event 'eapReq' is invalid for the current state 'auth_bend_idle': dot1x_auth_bend Fa9

Jan 3 17:54:32 L3A3 308: -Traceback= B37A84 18DAB0 2FF6C0 2FF260 8F2B64 8E912C Jan 3 19:06:13 L3A3 309: Jan 3 19:15:54.720: %SM-4-BADEVENT: Event 'eapReq_no_reAuthMax' is invalid for the current ate 'auth_restart': dot1x_auth Fa4

Jan 3 19:06:13 L3A3 310: -Traceback= B37A84 18DAB0 3046F4 302C80 303228 8F2B64 8E912C Jan 3 20:41:44 L3A3 315: .Jan 3 20:51:26.249: %SM-4-BADEVENT: Event 'eapSuccess' is invalid for the current state 'auth_restart': dot1x_auth Fa9

Jan 3 20:41:44 L3A3 316: -Traceback= B37A84 18DAB0 304648 302C80 303228 8F2B64 8E912C

There is no workaround.

CSCsc97569

On a switch running Cisco IOS Release 12.2(25)SEC or later with active EAPoUDP sessions on an interface, entering the no ip admission interface configuration command or the default interface [interface-id] global configuration command can cause the switch to unexpectedly reload with a message similar to this:

Unexpected exception to CPUvector 1100, PC = CC74C -Traceback= CC74C 9E2D38 9ECBAC 
9ED4E4 9E9728 9E9848 9E991C 9EB978 8C50D0 8C5D9C 8C5258 8C53B8 90CA44 90300C 

The workaround is to clear the EAPoUDP sessions with the clear eou privileged EXEC command, or to shut down the interface before removing the IP admission configuration.

CSCsd03580

When IEEE 802.1x is globally disabled on the switch by using the no dot1x system-auth-control global configuration command, some interface level configuration commands, including the dot1x timeout and dot1x mac-auth-bypass commands, become unavailable.

The workaround is to enable the dot1x system-auth-control global configuration command before attempting to configure interface level IEEE 802.1x parameters.

CSCsd46343

A Power over Ethernet (PoE) port stops providing power under these conditions:

A 10 Mb/s PoE device is connected to the port.

That device is removed.

A 10/100-capable PoE device is connected to the same port.

These are the workarounds. You only need to do one of these:

Enter the shut and no shut interface configuration commands on the port.

Connect a PC to the port. Remove the PC from the port, and then connect the 10/100 Mb/s PoE device to the port.

Change the speed on port to 10 Mb/s.

CSCsd97177

When the primary FlexLinks interface fails, any dynamic MAC address learned from that port is not cleared.

These are the workarounds. You only need to do one of these:

Wait for the dynamic entry to age out in the CAM table

Force the end device to initiate traffic so that its MAC address is be dynamically learned on the secondary (now active) FlexLinks interface.

CSCsg19355

On a Catalyst 3550 switch, if you use the command-line interface to repeatedly add and delete a VLAN by entering the vlan vlan-id and no vlan vlan-id global configuration command and the VLAN has secured IEEE 802.1x addresses associated with it and traffic flowing from the secured addresses, the switch might fail.

The workaround is to shut down all ports in the VLAN or to remove the IEEE 802.1x and port-security configurations from all ports in the VLAN before deleting it.

CSCsg74598

When a routing table contains multiple next hops for some destinations, and a destination is reached through multiple next-hops, if one of these next-hops is no longer used after a topology change, a Catalyst 3550 switch might log an error message similar to this one and send packets for this destination network to the wrong next-hop:

Nov 15 10:35:43.300 CET: Assert failure in ../src-vegas/vur_drv.c line 2439 
Nov 15 10:35:43.300 CET: Assert failure in ../src-vegas/vur_drv.c line 2439 

The workaround is to enter the maximum-paths 1 router configuration command to force only one next-hop to be installed in the routing table for the given destination and to avoid the error message

CSCsh12472

The switch might display tracebacks similar to this example when an EtherChannel interface port-channel type changes from Layer 2 to Layer 3 or the reverse:

15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58

There is no workaround.

CSCsh74176

When using the ip source binding global configuration command to associate a static IP source binding with a non existent VLAN that has an ID greater than 1025, this message appears:

%DHCP_SNOOPING-4-IP_SOURCE_BINDING_NON_EXISTING_VLAN_WARNING: IP source binding is configured on non existing vlan 100.

The workaround is to enter the show vlan user EXEC command to verify that the VLAN exists.

CSCsi01526

Traceback messages appear if you enter the no switchport interface configuration command to change a Layer 2 interface that belongs to a port channel to a routed port.

There is no workaround.

CSCsi06399

When a RIP network and IP address are configured on an interface, a traceback error occurs after you enter the shutdown, no shutdown, switchport and no switchport interface configuration commands.

The workaround is to configure the RIP network and the IP address after you configure the interface.

CSCsi63999

Changing the spanning tree mode from rapid STP to MSTP can cause tracebacks when the virtual port error-disable feature is enabled when the STP mode is changed.

There is no workaround.

CSCsi70454

The configuration file used for the configuration replacement feature requires the character string end\n at the end of the file. The Windows Notepad text editor does not add the end\n string, and the configuration rollback does not work.

These are the workarounds. (You only need to do one of these.)

Do not use a configuration file that is stored by or edited with Windows Notepad.

Manually add the character string end\n to the end of the file.

Resolved Caveats

These caveats are resolved in Cisco IOS Release 12.2.(40)SE:

CSCsg81334

If IEEE 802.1x critical authentication is not enabled and the RADIUS authentication server is unavailable during MAC authentication bypass (MAB) reauthentication, when the RADIUS server comes back up, MAB now correctly authenticates previously authenticated clients.

CSCsi10584

Multiple Spanning-Tree Protocol (MSTP) convergence time has been improved for Cisco IOS Release 12.2.

CSCsi43375

When access control lists (ACLs) and policy-based routing (PBR) is configured on the switch, the switch no longer fails.

CSCsi66554

The SNMP bridge object dot1dStpRootPort now shows the stack switch root port number instead of the stack port ID of the member switch.

Documentation Updates

This section provides updates to the product documentation:

"Updates for the Software Configuration Guide" section

"Updates for the Command Reference" section

"Updates for the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch" section

"Update to the Hardware Installation Guide" section

"Update to the System Message Guide" section

Updates for the Software Configuration Guide

These are the documentation updates for the software configuration guide:

Updates for Cisco IOS Release 12.2(40)SE

Updates for Cisco IOS Release 12.2(37)SE

Updates for Cisco IOS Release 12.2(35)SE

Updates for Cisco IOS Release 12.2(25)SEE1

Updates for Cisco IOS Release 12.2(25)SEE

Updates for Cisco IOS Release 12.2(40)SE

These chapters have been added or revised:

"Understanding IP Unicast Routing Chapter, EIGRP Routing Note" section

"Understanding Flex Links and the MAC Address-Table Move Update Chapter" section

"Configuring IEEE 802.1x Port-Based Authentication Chapter" section

"Working with the Cisco IOS File System, Configuration Files, and Software Images Appendix" section

"Configuring System Message Logging Chapter" section

"Configuring Cisco IOS IP SLAs Operations (New Chapter)" section

Understanding IP Unicast Routing Chapter, EIGRP Routing Note

If the switch is running the IP base feature set, you can configure complete EIGRP routing. However, the configuration is not implemented because the IP base feature set supports only EIGRP stub routing, as described in the "Configuring IP Unicast Routing" chapter of the software configuration guide.

After you have entered the eigrp stub router configuration command, only the eigrp stub connected summary command takes effect. Although the CLI help might show the receive-only and static keywords and you can enter these keywords, the switch running the IP base image always behaves as if the connected and summary keywords were configured.

Understanding Flex Links and the MAC Address-Table Move Update Chapter

This information in the "MAC Address-Table Move Update" section is incorrect:

The switch then starts forwarding traffic from the server to the PC through port 4, which reduces the loss of traffic from the server to the PC.

This is the correct information:

Switch A does not need to wait for the MAC address-table update. The switch detects a failure on port 1 and immediately starts forwarding server traffic from port 2, the new forwarding port. This change occurs in 100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table.

Configuring IEEE 802.1x Port-Based Authentication Chapter

This information about the dot1x timeout tx-period seconds interface configuration command is incorrect:

The range for seconds is from 5 to 65535.

The correct range is from 1 to 65535 seconds.

Working with the Cisco IOS File System, Configuration Files, and Software Images Appendix

The "Extracting a tar File" section has this correction:

Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/new-configs

Configuring System Message Logging Chapter

This caution was added to this chapter.


Caution Logging messages to the console at a high rate can cause high CPU utilization and adversely affect how the switch operates.

Configuring Cisco IOS IP SLAs Operations (New Chapter)

This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on your Catalyst 3550 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance. With Cisco IOS IP SLAs, service provider customers can measure and provide service level agreements, and enterprise customers can verify service levels, verify outsourced service level agreements, and understand network performance. Cisco IOS IP SLAs can perform network assessments, verify quality of service (QoS), ease the deployment of new services, and assist with network troubleshooting.


Note For more information about IP SLAs, see the Cisco IOS IP SLAs Configuration Guide, Release 12.4T at this URL:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a0080707055.html
For command syntax information, see the command reference at this URL:
http://www.cisco.com/en/US/products/ps6441/products_command_reference_book09186a008049739b.html


This chapter consists of these sections:

Understanding Cisco IOS IP SLAs  

Configuring IP SLAs Operations

Monitoring IP SLAs Operations

Understanding Cisco IOS IP SLAs

Cisco IOS IP SLAs sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates network data and IP services and collects network performance information in real time. Cisco IOS IP SLAs generates and analyzes traffic either between Cisco IOS devices or from a Cisco IOS device to a remote IP device such as a network application server. Measurements provided by the various Cisco IOS IP SLAs operations can be used for troubleshooting, for problem analysis, and for designing network topologies.

Depending on the specific Cisco IOS IP SLAs operation, various network performance statistics are monitored within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management Protocol (SNMP) MIBs. IP SLAs packets have configurable IP and application layer options such as source and destination IP address, User Datagram Protocol (UDP)/TCP port numbers, a type of service (ToS) byte (including Differentiated Services Code Point [DSCP] and IP Prefix bits), Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address.

Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a unique subset of these performance metrics:

Delay (both round-trip and one-way)

Jitter (directional)

Packet loss (directional)

Packet sequencing (packet ordering)

Path (per hop)

Connectivity (directional)

Server or website download time

Because Cisco IOS IP SLAs is SNMP-accessible, it can also be used by performance-monitoring applications like CiscoWorks Internetwork Performance Monitor (IPM) and other third-party Cisco partner performance management products. You can find more details about network management products that use Cisco IOS IP SLAs at this URL:

http://www.cisco.com/go/ipsla

Using IP SLAs can provide these benefits:

Service-level agreement monitoring, measurement, and verification.

Network performance monitoring

Measures the jitter, latency, or packet loss in the network.

Provides continuous, reliable, and predictable measurements.

IP service network health assessment to verify that the existing QoS is sufficient for new IP services.

Edge-to-edge network availability monitoring for proactive verification and connectivity testing of network resources (for example, shows the network availability of an NFS server used to store business critical data from a remote site).

Troubleshooting of network operation by providing consistent, reliable measurement that immediately identifies problems and saves troubleshooting time.

Multiprotocol Label Switching (MPLS) performance monitoring and network verification (if the switch supports MPLS)

This information is included in this section:

Using Cisco IOS IP SLAs to Measure Network Performance

IP SLAs Responder and IP SLAs Control Protocol

Response Time Computation for IP SLAs

IP SLAs Operation Scheduling

IP SLAs Operation Threshold Monitoring

Using Cisco IOS IP SLAs to Measure Network Performance

You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 1 shows how IP SLAs begins when the source device sends a generated packet to the destination device. After the destination device receives the packet, depending on the type of IP SLAs operation, it responds with time-stamp information for the source to make the calculation on performance metrics. An IP SLAs operation performs a network measurement from the source device to a destination in the network using a specific protocol such as UDP.

Figure 1 Cisco IOS IP SLAs Operation

To implement IP SLAs network performance measurement, you need to perform these tasks:

1. Enable the IP SLAs responder, if required.

2. Configure the required IP SLAs operation type.

3. Configure any options available for the specified operation type.

4. Configure threshold conditions, if required.

5. Schedule the operation to run, then let the operation run for a period of time to gather statistics.

6. Display and interpret the results of the operation using the Cisco IOS CLI or a network management system (NMS) system with SNMP.

For more information about IP SLAs operations, see the operation-specific chapters in the Cisco IOS IP SLAs Configuration Guide at this URL:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a0080707055.html


Note The switch does not support Voice over IP (VoIP) service level analysis or IP service level analysis using DLSw+ operation. Before configuring any IP SLAs application, you can use the show ip sla application privileged EXEC command to verify that the operation type is supported on your software image.


IP SLAs Responder and IP SLAs Control Protocol

The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes. The responder uses the Cisco IOS IP SLAs Control Protocol to provide a mechanism through which it can be notified on which port it should listen and respond. Only a Cisco IOS device can be a source for a destination IP SLAs Responder.


Note The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960 or Cisco ME 2400 switch. The responder does not need to support full IP SLAs functionality.


Figure 1 shows where the Cisco IOS IP SLAs responder fits in the IP network. The responder listens on a specific port for control protocol messages sent by an IP SLAs operation. Upon receipt of the control message, it enables the specified UDP or TCP port for the specified duration. During this time, the responder accepts the requests and responds to them. It disables the port after it responds to the IP SLAs packet, or when the specified time expires. MD5 authentication for control messages is available for added security.

You do not need to enable the responder on the destination device for all IP SLAs operations. For example, a responder is not required for services that are already provided by the destination router (such as Telnet or HTTP). You cannot configure the IP SLAs responder on non-Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices.

Response Time Computation for IP SLAs

Switches and routers can take tens of milliseconds to process incoming packets due to other high priority processes. This delay affects the response times because the test-packet reply might be in a queue while waiting to be processed. In this situation, the response times would not accurately represent true network delays. IP SLAs minimizes these processing delays on the source device as well as on the target device (if the responder is being used) to determine true round-trip times. IP SLAs test packets use time stamping to minimize the processing delays.

When the IP SLAs responder is enabled, it allows the target device to take time stamps when the packet arrives on the interface at interrupt level and again just as it is leaving, eliminating the processing time. This time stamping is made with a granularity of sub-milliseconds (ms).

Figure 2 demonstrates how the responder works. Four time stamps are taken to make the calculation for round-trip time. At the target router, with the responder functionality enabled, time stamp 2 (TS2) is subtracted from time stamp 3 (TS3) to produce the time spent processing the test packet as represented by delta. This delta value is then subtracted from the overall round-trip time. Notice that the same principle is applied by IP SLAs on the source router where the incoming time stamp 4 (TS4) is also taken at the interrupt level to allow for greater accuracy.

Figure 2 Cisco IOS IP SLAs Responder Time Stamping

An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics. However, to capture one-way delay measurements, you must configure both the source router and target router with Network Time Protocol (NTP) so that the source and target are synchronized to the same clock source. One-way jitter measurements do not require clock synchronization.

IP SLAs Operation Scheduling

When you configure an IP SLAs operation, you must schedule the operation to begin capturing statistics and collecting error information. You can schedule an operation to start immediately or to start at a certain month, day, and hour. You can use the pending option to set the operation to start at a later time. The pending option is an internal state of the operation that is visible through SNMP. The pending state is also used when an operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs operation or a group of operations at one time.

You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO RTTMON-MIB. Scheduling the operations to run at evenly distributed times allows you to control the amount of IP SLAs monitoring traffic. This distribution of IP SLAs operations helps minimize the CPU utilization and thus improves network scalability.

For more details about the IP SLAs multioperations scheduling functionality, see the "IP SLAs—Multiple Operation Scheduling" chapter of the Cisco IOS IP SLAs Configuration Guide at this URL:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a0080707055.html

IP SLAs Operation Threshold Monitoring

To support successful service level agreement monitoring, you must have mechanisms that notify you immediately of any possible violation. IP SLAs can send SNMP traps that are triggered by events such as these:

Connection loss

Timeout

Round-trip time threshold

Average jitter threshold

One-way packet loss

One-way jitter

One-way mean opinion score (MOS)

One-way latency

An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting.

Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network. For more details on using thresholds with Cisco IOS IP SLAs operations, see the "IP SLAs—Proactive Threshold Monitoring" chapter of the Cisco IOS IP SLAs Configuration Guide at this URL:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a0080707055.html

Configuring IP SLAs Operations

This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide. It does include several operations as examples, including configuring the responder, configuring UDP jitter operation, which requires a responder, and configuring ICMP echo operation, which does not require a responder. For details about configuring other operations, see he Cisco IOS IP SLAs Configuration Guide at this URL:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a0080707055.html

This section includes this information:

Default Configuration

Configuration Guidelines

Configuring the IP SLAs Responder

Analyzing IP Service Levels by Using the UDP Jitter Operation

Analyzing IP Service Levels by Using the ICMP Echo Operation

Default Configuration

No IP SLAs operations are configured.

Configuration Guidelines

For information on the IP SLAs commands, see the Cisco IOS IP SLAs Command Reference, Release 12.4T command reference at this URL:
http://www.cisco.com/en/US/products/ps6441/products_command_reference_book09186a008049739b.html

For detailed descriptions and configuration procedures, see the Cisco IOS IP SLAs Configuration Guide, Release 12.4T at this URL:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a0080707055.html

Note that not all of the IP SLAs commands or operations described in this guide are supported on the switch. The switch supports IP service level analysis by using UDP jitter, UDP echo, HTTP, TCP connect, ICMP echo, ICMP path echo, ICMP path jitter, FTP, DNS, and DHCP, as well as multiple operation scheduling and proactive threshold monitoring. It does not support VoIP service analysis or IP service level analysis by using DLSw+ operation.

Before configuring any IP SLAs application, you can use the show ip sla application privileged EXEC command to verify that the operation type is supported on your software image. This is an example of the output from the command:

Switch# show ip sla application
        IP SLAs
Version: 2.2.0 Round Trip Time MIB, Infrastructure Engine-II
Time of last change in whole IP SLAs: 22:17:39.117 UTC Fri Jun
Estimated system max number of entries: 15801

Estimated number of configurable operations: 15801
Number of Entries configured  : 0
Number of active Entries      : 0
Number of pending Entries     : 0
Number of inactive Entries    : 0

        Supported Operation Types
Type of Operation to Perform: 802.1agEcho
Type of Operation to Perform: 802.1agJitter
Type of Operation to Perform: dhcp
Type of Operation to Perform: dns
Type of Operation to Perform: echo
Type of Operation to Perform: ftp
Type of Operation to Perform: http
Type of Operation to Perform: jitter
Type of Operation to Perform: pathEcho
Type of Operation to Perform: pathJitter
Type of Operation to Perform: tcpConnect
Type of Operation to Perform: udpEcho

IP SLAs low memory water mark: 21741224

Configuring the IP SLAs Responder

The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 switch. Beginning in privileged EXEC mode, follow these steps to configure the IP SLAs responder on the target device (the operational target):

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number

Configure the switch as an IP SLAs responder.

The keywords have these meanings:

tcp-connect—Enable the responder for TCP connect operations.

udp-echo—Enable the responder for User Datagram Protocol (UDP) echo or jitter operations.

ipaddress ip-address—Enter the destination IP address.

port port-number—Enter the destination port number.

Note The IP address and port number must match those configured on the source device for the IP SLAs operation.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show ip sla responder

Verify the IP SLAs responder configuration on the device.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable the IP SLAs responder, enter the no ip sla responder global configuration command. This example shows how to configure the device as a responder for the UDP jitter IP SLAs operation in the next procedure:

Switch(config)# ip sla responder udp-echo 172.29.139.134 5000 

Analyzing IP Service Levels by Using the UDP Jitter Operation

Jitter means interpacket delay variance. When multiple packets are sent consecutively 10 ms apart from source to destination, if the network is behaving correctly, the destination should receive them 10 ms apart. But if there are delays in the network (like queuing, arriving through alternate routes, and so on) the arrival delay between packets might be more than or less than 10 ms with a positive jitter value meaning that the packets arrived more than 10 ms apart. If the packets arrive 12 ms apart, positive jitter is 2 ms; if the packets arrive 8 ms apart, negative jitter is 2 ms. For delay-sensitive networks, positive jitter values are undesirable, and a jitter value of 0 is ideal.

In addition to monitoring jitter, the IP SLAs UDP jitter operation can be used as a multipurpose data gathering operation. The packets IP SLAs generates carry packet sending and receiving sequence information and sending and receiving time stamps from the source and the operational target. Based on these, UDP jitter operations measure this data:

Per-direction jitter (source to destination and destination to source)

Per-direction packet-loss

Per-direction delay (one-way delay)

Round-trip delay (average round-trip time)

Because the paths for the sending and receiving of data can be different (asymmetric), you can use the per-direction data to more readily identify where congestion or other problems are occurring in the network.

The UDP jitter operation generates synthetic (simulated) UDP traffic and sends a number of UDP packets, each of a specified size, sent a specified number of milliseconds apart, from a source router to a target router, at a given frequency. By default, ten packet-frames, each with a payload size of 10 bytes are generated every 10 ms, and the operation is repeated every 60 seconds. You can configure each of these parameters to best simulate the IP service you want to provide.

To provide accurate one-way delay (latency) measurements, time synchronization, such as that provided by NTP, is required between the source and the target device. Time synchronization is not required for the one-way jitter and packet loss measurements. If the time is not synchronized between the source and target devices, one-way jitter and packet loss data is returned, but values of 0 are returned for the one-way delay measurements provided by the UDP jitter operation


Note Before you configure a UDP jitter operation on the source device, you must enable the IP SLAs responder on the target device (the operational target).


Beginning in privileged EXEC mode, follow these steps to configure UDP jitter operation on the source device:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip sla operation-number

Create an IP SLAs operation, and enter IP SLAs configuration mode.

Step 3 

udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address | hostname}] [source-port port-number] [control {enable | disable}] [num-packets number-of-packets] [interval interpacket-interval]

Configure the IP SLAs operation as a UDP jitter operation, and enter UDP jitter configuration mode.

destination-ip-address | destination-hostname—Specify the destination IP address or hostname.

destination-port—Specify the destination port number in the range from 1 to 65535.

(Optional) source-ip {ip-address | hostname}Specify the source IP address or hostname. When a source IP address or hostname is not specified, IP SLAs chooses the IP address nearest to the destination

(Optional) source-port port-number—Specify the source port number in the range from 1 to 65535. When a port number is not specified, IP SLAs chooses an available port.

(Optional) control—Enable or disable sending of IP SLAs control messages to the IP SLAs responder. By default, IP SLAs control messages are sent to the destination device to establish a connection with the IP SLAs responder

(Optional) num-packets number-of-packets—Enter the number of packets to be generated. The range is 1 to 6000; the default is 10.

(Optional) interval inter-packet-interval—Enter the interval between sending packets in milliseconds. The range is 1 to 6000; the default value is 20 ms.

Step 4 

frequency seconds

(Optional) Set the rate at which a specified IP SLAs operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.

Step 5 

exit

Exit UDP jitter configuration mode, and return to global configuration mode.

Step 6 

ip sla monitor schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]

Configure the scheduling parameters for an individual IP SLAs operation.

operation-number—Enter the RTR entry number.

(Optional) life—Set the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour).

(Optional) start-time—Enter the time for the operation to begin collecting information:

To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the month. If no month is entered, the default is the current month.

Enter pending to select no information collection until a start time is selected.

Enter now to start the operation immediately.

Enter after hh:mm:ss to show that the operation should start after the entered time has elapsed.

(Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is not actively collecting information. The range is 0 to 2073600 seconds, the default is 0 seconds (never ages out).

(Optional) recurring—Set the operation to automatically run every day.

Step 7 

end

Return to privileged EXEC mode.

Step 8 

show ip sla configuration [operation-number]

(Optional) Display configuration values, including all defaults for all IP SLAs operations or a specified operation.

Step 9 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command. This example shows how to configure a UDP jitter IP SLAs operation:

Switch(config)# ip sla 10 
Switch(config-ip-sla)# udp-jitter 172.29.139.134 5000 
Switch(config-ip-sla-jitter)# frequency 30 
Switch(config-ip-sla-jitter)# exit 
Switch(config)# ip sla schedule 5 start-time now life forever 
Switch(config)# end
Switch# show ip sla configuration 10
IP SLAs, Infrastructure Engine-II.

Entry number: 10
Owner:
Tag:
Type of operation to perform: udp-jitter
Target address/Source address: 1.1.1.1/0.0.0.0
Target port/Source port: 2/0
Request size (ARR data portion): 32
Operation timeout (milliseconds): 5000
Packet Interval (milliseconds)/Number of packets: 20/10
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Control Packets: enabled
Schedule:
    Operation frequency (seconds): 30
    Next Scheduled Start Time: Pending trigger
    Group Scheduled : FALSE
    Randomly Scheduled : FALSE
    Life (seconds): 3600
    Entry Ageout (seconds): never
    Recurring (Starting Everyday): FALSE
    Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
    Number of statistic hours kept: 2
    Number of statistic distribution buckets kept: 1
    Statistic distribution interval (milliseconds): 20
Enhanced History:

Analyzing IP Service Levels by Using the ICMP Echo Operation

The ICMP echo operation measures end-to-end response time between a Cisco device and any devices using IP. Response time is computed by measuring the time taken between sending an ICMP echo request message to the destination and receiving an ICMP echo reply. Many customers use IP SLAs ICMP-based operations, in-house ping testing, or ping-based dedicated probes for response time measurements between the source IP SLAs device and the destination IP device. The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing, and the two methods result in the same response times.


Note This operation does not require the IP SLAs responder to be enabled.


Beginning in privileged EXEC mode, follow these steps to configure an ICMP echo operation on the source device:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip sla operation-number

Create an IP SLAs operation and enter IP SLAs configuration mode.

Step 3 

icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-id]

Configure the IP SLAs operation as an ICMP Echo operation and enter ICMP echo configuration mode.

destination-ip-address | destination-hostname—Specify the destination IP address or hostname.

(Optional) source-ip {ip-address | hostname}Specify the source IP address or hostname. When a source IP address or hostname is not specified, IP SLAs chooses the IP address nearest to the destination

(Optional) source-interface interface-id—Specify the source interface for the operation.

Step 4 

frequency seconds

(Optional) Set the rate at which a specified IP SLAs operation repeats. The range is from 1 to 604800 seconds; the default is 60 seconds.

Step 5 

exit

Exit UDP jitter configuration mode, and return to global configuration mode.

Step 6 

ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]

Configure the scheduling parameters for an individual IP SLAs operation.

operation-number—Enter the RTR entry number.

(Optional) life—Set the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour)

(Optional) start-time—Enter the time for the operation to begin collecting information:

To start at a specific time, enter the hour, minute, second (in 24-hour notation), and day of the month. If no month is entered, the default is the current month.

Enter pending to select no information collection until a start time is selected.

Enter now to start the operation immediately.

Enter after hh:mm:ss to indicate that the operation should start after the entered time has elapsed.

(Optional) ageout seconds—Enter the number of seconds to keep the operation in memory when it is not actively collecting information. The range is 0 to 2073600 seconds; the default is 0 seconds (never ages out).

(Optional) recurring—Set the operation to automatically run every day.

Step 7 

end

Return to privileged EXEC mode.

Step 8 

show ip sla configuration [operation-number]

(Optional) Display configuration values including all defaults for all IP SLAs operations or a specified operation.

Step 9 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command. This example shows how to configure an ICMP echo IP SLAs operation:

Switch(config)# ip sla 12 
Switch(config-ip-sla)# icmp-echo 172.29.139.134 
Switch(config-ip-sla-echo)# frequency 30 
Switch(config-ip-sla-echo)# exit 
Switch(config)# ip sla schedule 5 start-time now life forever 
Switch(config)# end
Switch# show ip sla configuration 22
IP SLAs, Infrastructure Engine-II.

Entry number: 12
Owner:
Tag:
Type of operation to perform: echo
Target address: 2.2.2.2
Source address: 0.0.0.0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Schedule:
    Operation frequency (seconds): 60
    Next Scheduled Start Time: Pending trigger
    Group Scheduled : FALSE
    Randomly Scheduled : FALSE
    Life (seconds): 3600
    Entry Ageout (seconds): never
    Recurring (Starting Everyday): FALSE
    Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
    Number of statistic hours kept: 2
    Number of statistic distribution buckets kept: 1
    Statistic distribution interval (milliseconds): 20
History Statistics:
    Number of history Lives kept: 0
    Number of history Buckets kept: 15
    History Filter Type: None
Enhanced History:

Monitoring IP SLAs Operations

Use the User EXEC or Privileged EXEC commands in Table 0-7 to display IP SLAs operations configuration and results.

Table 0-7 Monitoring IP SLAs Operations

Command
Purpose

show ip sla application

Display global information about Cisco IOS IP SLAs.

show ip sla authentication

Display IP SLAs authentication information.

show ip sla configuration [entry-number]

Display configuration values including all defaults for all IP SLAs operations or a specific operation.

show ip sla enhanced-history {collection-statistics | distribution statistics} [entry-number]

Display enhanced history statistics for collected history buckets or distribution statistics for all IP SLAs operations or a specific operation.

show ip sla ethernet-monitor configuration [entry-number]

Display IP SLAs automatic Ethernet configuration.

show ip sla group schedule [schedule-entry-number]

Display IP SLAs group scheduling configuration and details.

show ip sla history [entry-number | full | tabular]

Display history collected for all IP SLAs operations

show ip sla mpls-lsp-monitor {collection-statistics | configuration | ldp operational-state | scan-queue | summary [entry-number] | neighbors}

Display MPLS label switched path (LSP) Health Monitor operations,

show ip sla reaction-configuration [entry-number]

Display the configured proactive threshold monitoring settings for all IP SLAs operations or a specific operation.

show ip sla reaction-trigger [entry-number]

Display the reaction trigger information for all IP SLAs operations or a specific operation.

show ip sla responder

Display information about the IP SLAs responder.

show ip sla statistics [entry-number | aggregated | details]

Display current or aggregated operational status and statistics.


Updates for Cisco IOS Release 12.2(37)SE

These chapters have updates in Cisco IOS Release 12.2(37)SE:

Configuring IEEE 802.1x Port-Based Authentication Chapter

Configuring DHCP Features Chapter

Configuring Network Security with ACLs Chapter

Configuring IP Routing Chapter

Unsupported CLI Commands in Cisco IOS Appendix

Configuring IEEE 802.1x Port-Based Authentication Chapter

Web Authentication with Automatic MAC Check Section

You can use web authentication with automatic MAC check to authenticate a client that does not support IEEE 802.1x or web browser functionality. This allows end hosts, such as printers, to automatically authenticate by using the MAC address without any additional required configuration.

Webauthentication with automatic MAC check only works in web authentication standalone mode. You cannot use this if web authentication is configured as a fallback to IEEE 802.1x authentication.

The MAC address of the device must be configured in the Access Control Server (ACS) for the automatic MAC check to succeed. The automatic MAC check allows managed devices, such as printers, to skip web authentication.


Note The interoperability of web authentication (with automatic MAC check) and IEEE 802.1x MAC authentication configured on different ports of the same switch is not supported.


Configuring DHCP Features Chapter

This information was added to the "Configuring DHCP Features" chapter in the "DHCP Snooping Configuration Guidelines" section:

Starting with Cisco IOS Release 12.2(37)SE, you can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command.

The show ip dhcp snooping statistics privileged EXEC command was added to the "Commands for Displaying DHCP Snooping Information" table:

Command

Purpose

show ip dhcp snooping

Displays the DHCP snooping configuration for a switch

show ip dhcp snooping binding

Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table.

show ip dhcp snooping database

Displays the DHCP snooping binding database status and statistics.

show ip dhcp snooping statistics

Displays the DHCP snooping statistics in summary or detail form.

show ip source binding

Display the dynamically and statically configured bindings.


Configuring Network Security with ACLs Chapter

This information was added to the "Creating Standard and Extended IP ACLs: Creating a Numbered Extended ACL" section in the chapter:

When configuring extended ACLs for the IGMP protocol using the command access-list access-list-number {permit} igmp, IGMP Version 1 and Version 2 are supported. IGMP Version 3 is not supported.

When filtering IGMP Version 1 and Version 2 protocol packets with extended ACLs, you can configure the following IGMP type values:

1—IGMP query

2—IGMP Version 1 report

3—IGMP DVMRP packets

4—IGMP PIM Version1 packets

6—IGMP Version 2 report

7—IGMP leave

e—IGMP MTRACE response packets

f—IGMP MTRACE request packets

Configuring IP Routing Chapter

The "EIGRP Stub Routing" section was removed from the chapter. EIGRP stub routing is not supported on the switch.

Unsupported CLI Commands in Cisco IOS Appendix

The Cisco IOS command file verify auto is not supported on the Catalyst 3550 switch and has been added to the "Miscellaneous: Unsupported Privileged EXEC Commands" section. The Cisco IOS commands aaa authentication feature default enable and aaa authentication feature default line are not supported on the Catalyst 3550 switch and have been added to the "RADIUS: Unsupported Global Configuration Commands" section.

Updates for Cisco IOS Release 12.2(35)SE

These chapters have updates in Cisco IOS Release 12.2(35)SE:

Configuring IP Routing Chapter

Troubleshooting Chapter

Configuring IEEE 802.1x Chapter

Configuring IP Routing Chapter

This information was added to the "Configuring IP Routing" chapter:

VRF Lite (multi-VRF-CE) is not supported in the IP base image. Beginning with Cisco IOS Release 12.2(35)SE, you will receive an error message if you configure the feature on the IP base image.

Troubleshooting Chapter

This information was added to the "Troubleshooting" chapter:

Using the crashinfo File

The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the software image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot up the image after the failure (instead of while the system is failing).

The switch creates two types of crashinfo files:

Basic crashinfo file—The switch automatically creates this file the next time you boot up the Cisco IOS image after the failure.

Extended crashinfo file—In Cisco IOS Release 12.2(35)SE or later, the switch automatically creates this file when the system is failing.

Basic crashinfo Files

The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.

Basic crashinfo files are kept in this directory on the flash file system:

flash:/crashinfo/.

The filenames are crashinfo_n where n is a sequence number.

Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number, so the file with the largest sequence number describes the most recent failure. Version numbers are used instead of a timestamp because the switches do not include a real-time clock. You cannot change the name of the file that the system will use when it creates the file. However, after the file is created, you can use the rename privileged EXEC command to rename it, but the contents of the renamed file will not be displayed by the show tech-support privileged EXEC command. You can delete crashinfo files by using the delete privileged EXEC command.

You can display the most recent basic crashinfo file (that is, the file with the highest sequence number at the end of its filename) by entering the show tech-support privileged EXEC command. You also can access the file by using any command that can copy or display files, such as the more or the copy privileged EXEC command.

Extended crashinfo Files

In Cisco IOS Release 12.2(35)SE or later, the switch creates the extended crashinfo file when the system is failing. The information in the extended file includes additional information that can help determine the cause of the switch failure. You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.

Extended crashinfo files are kept in this directory on the flash file system:

flash:/crashinfo_ext/.

The filenames are crashinfo_ext_n where n is a sequence number.

You can configure the switch to not create the extended creashinfo file by using the no exception crashinfo global configuration command.

Configuring IEEE 802.1x Chapter

This information was added to the "Configuring IEEE 802.1x" chapter:

Using Web Authentication

You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality.

You can configure a port to use only web authentication. You can also configure the port to first try and use IEEE 802.1x authentication and then to use web authorization if the client does not support IEEE 802.1x authentication.

Web authentication requires two Cisco Attribute-Value (AV) pair attributes:

The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user who is logging into the switch.

The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar to IEEE 802.1X per-user ACLs. However, instead of ip:inacl, this attribute must begin with proxyacl, and the source field in each entry must be any. (After authentication, the client IP address replaces the any field when the ACL is applied.)

For example:

proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp

Note The proxyacl entry determines the type of allowed network access.


For more information, see the "Configuring Web Authentication" section.

Configuring Web Authentication

Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

aaa new-model

Enable AAA.

Step 3 

aaa authentication login default group radius

Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server.

The console prompts you for a username and password on future attempts to access the switch console after entering the aaa authentication login command. If you do not want to be prompted for a username and password, configure a second login authentication list:

Switch# config t
Switch(config)# aaa authentication login line-console none
Switch(config)# line console 0
Switch(config-line)# login authentication line-console
Switch(config-line)# end

Step 4 

aaa authorization auth-proxy default group radius

Use RADIUS for authentication-proxy (auth-proxy) authorization.

Step 5 

radius-server host key radius-key

Specify the authentication and encryption key for RADIUS communication between the switch and the RADIUS daemon.

Step 6 

radius-server attribute 8 include-in-access-req

Configure the switch to send the Framed-IP-Address RADIUS attribute (Attribute[8]) in access-request or accounting-request packets.

Step 7 

radius-server vsa send authentication

Configure the network access server to recognize and use vendor-specific attributes (VSAs).

Step 8 

ip device tracking

Enable the IP device tracking table.

To disable the IP device tracking table, use the no ip device tracking global configuration commands.

Step 9 

end

Return to privileged EXEC mode.

This example shows how to enable AAA, use RADIUS authentication and enable device tracking:

Switch(config) configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius 
Switch(config)# aaa authorization auth-proxy default group radius 
Switch(config)# radius-server host key key1
Switch(config)# radius-server attribute 8 include-in-access-req 
Switch(config)# radius-server vsa send authentication 
Switch(config)# ip device tracking 
Switch(config) end

Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip admission name rule proxy http

Define a web authentication rule.

Note The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.

Step 3 

interface interface-id

Specify the port to be configured, and enter interface configuration mode.

Step 4 

switchport mode access

Set the port to access mode.

Step 5 

ip access-group access-list in

Specify the default access control list to be applied to network traffic before web authentication.

Step 6 

ip admission rule

Apply an IP admission rule to the interface.

Step 7 

end

Return to privileged EXEC mode.

Step 8 

show running-config interface interface-id

Verify your configuration.

Step 9 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure only web authentication on a switch port:

Switch# configure terminal
Switch(config)# ip admission name rule1 proxy http
Switch(config)# interface gigabit1/0/1
Switch(config-if)# switchport mode access 
Switch(config-if)# ip access-group policy1 in 
Switch(config-if)# ip admission rule1 
Switch(config-if)# end

Beginning in privileged EXEC mode, follow these steps to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

ip admission name rule proxy http

Define a web authentication rule.

Step 3 

fallback profile fallback-profile

Define a fallback profile to allow an IEEE 802.1x port to authenticate a client by using web authentication.

Step 4 

ip access-group policy in

Specify the default access control list to apply to network traffic before web authentication.

Step 5 

ip admission rule

Associate an IP admission rule with the profile, and specify that a client connecting by web authentication uses this rule.

Step 6 

end

Return to privileged EXEC mode.

Step 7 

interface interface-id

Specify the port to be configured, and enter interface configuration mode.

Step 8 

switchport mode access

Set the port to access mode.

Step 9 

dot1x port-control auto

Enable IEEE 802.1x authentication on the interface.

Step 10 

dot1x fallback fallback-profile

Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port.

Note Web authorization cannot be used as a fallback method for IEEE 802.1x if the port is configured for multidomain authentication.

Step 11 

exit

Return to privileged EXEC mode.

Step 12 

show dot1x interface interface-id

Verify your configuration.

Step 13 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback method.

Switch(config) configure terminal
Switch(config)# ip admission name rule1 proxy http
Switch(config)# fallback profile fallback1
Switch(config-fallback-profile)# ip access-group default-policy in 
Switch(config-fallback-profile)# ip admission rule1 
Switch(config-fallback-profile)# exit
Switch(config)# interface gigabit1/0/1
Switch(config-if)# switchport mode access 
Switch(config-if)# dot1x port-control auto 
Switch(config-if)# dot1x fallback fallback1 
Switch(config-if)# end

For more information about the ip admission name and dot1x fallback commands, see the command reference for this release.

Updates for Cisco IOS Release 12.2(25)SEE1

These are the updates for Cisco IOS Release 12.2(25)SEE1:

In the "Unsupported Commands" appendix, the set ip next-hop verify-availability route-map configuration command, the ip accounting precedence {input | output} interface configuration command, and the boot buffersize global configuration command are not supported.

Updates for Cisco IOS Release 12.2(25)SEE

These are the updates for Cisco IOS Release 12.2(25)SEE.

In the "Configuring Network Security with ACLs" chapter, the note in Step 3 of the "Configuring VLAN Maps" section is inaccurate. The correct text is:

If the VLAN map is configured with a match clause for a type of packet (IP or MAC) and the map action is drop, all packets that match the type are dropped. If the VLAN map has no match clause, and the configured action is drop, then all IP and Layer 2 packets are dropped.

Updates for the Command Reference

These are the documentation updates for the command reference:

Updates for Cisco IOS Release 12.2(40)SE

Updates for Cisco IOS Release 12.2(37)SE

Updates for Cisco IOS Release 12.2(35)SE

Updates for Cisco IOS Release 12.2(25)SEE2

Updates for Cisco IOS Release 12.2(25)SEE1

Updates for Cisco IOS Release 12.2(40)SE

The usage guidelines for the set and unset bootloader commands in the command reference are incorrect.

These are the correct usage guidelines for the set command:

Environment variables are case sensitive and must be entered as documented.

Environment variables that have values are stored in flash memory outside of the flash file system.

Under normal circumstances, it is not necessary to alter the setting of the environment variables.

The MANUAL_BOOT environment variable can also be set by using the boot manual global configuration command.

The BOOT environment variable can also be set by using the boot system filesystem:/file-url global configuration command.

The ENABLE_BREAK environment variable can also be set by using the boot enable-break global configuration command.

The HELPER environment variable can also be set by using the boot helper filesystem:/file-url global configuration command.

The CONFIG_FILE environment variable can also be set by using the boot config-file flash:/file-url global configuration command.

The HELPER_CONFIG_FILE environment variable can also be set by using the boot helper-config-file filesystem:/file-url global configuration command.

The HELPER_CONFIG_FILE environment variable can also be set by using the boot helper-config-file filesystem:/file-url global configuration command.

These are the correct guidelines for the unset command:

Under normal circumstances, it is not necessary to alter the setting of the environment variables.

The MANUAL_BOOT environment variable can also be reset by using the no boot manual global configuration command.

The BOOT environment variable can also be reset by using the no boot system global configuration command.

The ENABLE_BREAK environment variable can also be reset by using the no boot enable-break global configuration command.

The HELPER environment variable can also be reset by using the no boot helper global configuration command.

The CONFIG_FILE environment variable can also be reset by using the no boot config-file global configuration command.

The HELPER_CONFIG_FILE environment variable can also be reset by using the no boot helper-config-file global configuration command.

This information about the dot1x timeout tx-period seconds interface configuration command is incorrect:

The range for seconds is from 5 to 65535.

The correct range is from 1 to 65535 seconds.

Updates for Cisco IOS Release 12.2(37)SE

These commands were added to the command reference:

clear ip dhcp snooping

show ip dhcp snooping statistics

skip-loopback-test

clear ip dhcp snooping

Use the clear ip dhcp snooping privileged EXEC command on the switch to clear the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters.

clear ip dhcp snooping {binding | database statistics | statistics}

Syntax Description

binding

Clear the DHCP snooping binding database.

database statistics

Clear the DHCP snooping binding database agent statistics.

statistics

Clear the DHCP snooping statistics counter.


Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(37)SE

The statistics keyword was introduced.


Usage Guidelines

When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.

Examples

This example shows how to clear the DHCP snooping binding database agent statistics:

Switch# clear ip dhcp snooping database statistics 

You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.

This example shows how to clear the DHCP snooping statistics counters:

Switch# clear ip dhcp snooping statistics 

You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.

Related Commands

Command
Description

ip dhcp snooping

Enables DHCP snooping on a VLAN.

ip dhcp snooping database

Configures the DHCP snooping binding database agent or the binding file.

show ip dhcp snooping binding

Displays the status of DHCP snooping database agent.

show ip dhcp snooping database

Displays the DHCP snooping binding database agent statistics.

show ip dhcp snooping statistics

Displays the DHCP snooping statistics.


show ip dhcp snooping statistics

Use the show ip dhcp snooping statistics user EXEC command to display DHCP snooping statistics in summary or detail form.

show ip dhcp snooping statistics [detail] [ | {begin | exclude | include} expression]

Syntax Description

detail

(Optional) Display detailed statistics information.

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

Release
Modification

12.2(37)SE

This command was introduced.


Usage Guidelines

Expressions are case sensitive. For example, if you enterexclude output, the lines that contain output do not appear, but the lines that contain Output appear.

In a switch stack, all statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.

Examples

This is an example of output from the show ip dhcp snooping statistics command:

Switch> show ip dhcp snooping statistics
 Packets Forwarded                                     = 0
 Packets Dropped                                       = 0
 Packets Dropped From untrusted ports                  = 0

This is an example of output from the show ip dhcp snooping statistics detail command:

Switch> show ip dhcp snooping statistics detail
 Packets Processed by DHCP Snooping                    = 0
 Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 0
   Binding mismatch                                    = 0
   Insertion of opt82 fail                             = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Reply output port equal to input port               = 0
   Packet denied by platform                           = 0

Table 8 DHCP Snooping Statistics 

DHCP Snooping Statistic
Description

Packets Processed by DHCP Snooping

Total number of packets handled by DHCP snooping, including forwarded and dropped packets.

Packets Dropped Because IDB not known

Number of errors when the input interface of the packet cannot be determined.

Queue full

Number of errors when an internal queue used to process the packets is full. This might happen if DHCP packets are received at an excessively high rate and rate limiting is not enabled on the ingress ports.

Interface is in errdisabled

Number of times a packet was received on a port that has been marked as error disabled. This might happen if packets are in the processing queue when a port is put into the error-disabled state and those packets are subsequently processed.

Rate limit exceeded

Number of times the rate limit configured on the port was exceeded and the interface was put into the error-disabled state.

Received on untrusted ports

Number of times a DHCP server packet (OFFER, ACK, NAK, or LEASEQUERY) was received on an untrusted port and was dropped.

Nonzero giaddr

Number of times the relay agent address field (giaddr) in the DHCP packet received on an untrusted port was not zero, or the no ip dhcp snooping information option allow-untrusted global configuration command is not configured and a packet received on an untrusted port contained option-82 data.

Source mac not equal to chaddr

Number of times the client MAC address field of the DHCP packet (chaddr) does not match the packet source MAC address and the ip dhcp snooping verify mac-address global configuration command is configured.

Binding mismatch

Number of times a RELEASE or DECLINE packet was received on a port that is different than the port in the binding for that MAC address-VLAN pair. This indicates someone might be trying to spoof the real client, or it could mean that the client has moved to another port on the switch and issued a RELEASE or DECLINE. The MAC address is taken from the chaddr field of the DHCP packet, not the source MAC address in the Ethernet header.

Insertion of opt82 fail

Number of times the option-82 insertion into a packet failed. The insertion might fail if the packet with the option-82 data exceeds the size of a single physical packet on the internet.

Interface Down

Number of times the packet is a reply to the DHCP relay agent, but the SVI interface for the relay agent is down. This is an unlikely error that occurs if the SVI goes down between sending the client request to the DHCP server and receiving the response.

Unknown output interface

Number of times the output interface for a DHCP reply packet cannot be determined by either option-82 data or a lookup in the MAC address table. The packet is dropped. This can happen if option 82 is not used and the client MAC address has aged out. If IPSG is enabled with the port-security option and option 82 is not enabled, the MAC address of the client is not learned, and the reply packets will be dropped.

Reply output port equal to input port

Number of times the output port for a DHCP reply packet is the same as the input port, causing a possible loop. Indicates a possible network misconfiguration or misuse of trust settings on ports.

Packet denied by platform

Number of times the packet has been denied by a platform-specific registry.


Table 8 shows the DHCP snooping statistics and their descriptions:

Related Commands

Command
Description

clear ip dhcp snooping

Clears the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters.


skip-loopback-test

Use the skip-loopback-test interface configuration command to configure the switch to omit the loopback test on an interface during the switch power-on self-test (POST).

skip-loopback-test

no skip-loopback-test

Syntax Description

This command has no arguments or keywords.

Defaults

A loopback test is performed on all interfaces during POST.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(37)SE

This command was introduced.


Usage Guidelines

Use this command in rare situations when an interface fails POST but the switch hardware is known to be fully functional as is the case when the Gigabit port of a Catalyst 3550 switch with inline power (WS-C3550-25-PWR) is connected to the Gigabit port of a Catalyst 4000 series switch with Supervisor Model WS-X4516 running Cisco IOS release 12.2(18)EW or 12.2(20)EW. This configuration is known to experience lost loopback packets when the switch boots up and entering this command on the interface allows it to remain up.

Updates for Cisco IOS Release 12.2(35)SE

These commands were added to the command reference:

dot1x fallback

fallback profile

ip admission

ip admission name proxy http

show fallback profile

dot1x fallback

Use the dot1xfallback interface configuration command on the switch stack or on a standalone switch to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.

dot1x fallback profile

no dot1x fallback

Syntax Description

profile

Specify a fallback profile for clients that do not support IEEE 802.1x authentication.


Defaults

No fallback is enabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(35)SE

This command was introduced.


Usage Guidelines

You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.

Examples

This example shows how to specify a fallback profile to a switch port that has been configured for IEEE 802.1x authentication:

Switch# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# dot1x fallback profile1
Switch(config-fallback-profile)# exit
Switch(config)# end

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command
Description

show dot1x [interface interface-id]

Displays IEEE 802.1x status for the specified port.

fallback profile

Create a web authentication fallback profile.

ip admission

Enable web authentication on a port

ip admission name proxy http

Enable web authentication globally on a switch


fallback profile

Use the fallback profile global configuration command on the switch stack or on a standalone switch to create a fallback profile for web authentication. To return to the default setting, use the no form of this command.

fallback profile profile

no fallback profile

Syntax Description

profile

Specify the fallback profile for clients that do not support IEEE 802.1x authentication.


Defaults

No fallback profile is configured.

Command Modes

Global configuration

Command History

Release
Modification

12.2(35)SE

This command was introduced.


Usage Guidelines

The fallback profile is used to define the IEEE 802.1x fallback behavior for IEEE 802.1x ports that do not have supplicants. The only supported behavior is to fall back to web authentication.

After entering the fallback profile command, you enter profile configuration mode, and these configuration commands are available:

ip: Create an IP configuration.

access-group: Specify access control for packets sent by hosts that have not yet been authenticated.

admission: Apply an IP admission rule.

Examples

This example shows how to create a fallback profile to be used with web authentication:

Switch# configure terminal
Switch(config)# ip admission name rule1 proxy http
Switch(config)# fallback profile profile1
Switch(config-fallback-profile)# ip access-group default-policy in 
Switch(config-fallback-profile)# ip admission rule1
Switch(config-fallback-profile)# exit
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# dot1x fallback profile1 
Switch(config-if)# end

You can verify your settings by entering the show running-configuration [interface interface-id] privileged EXEC command.

Related Commands

Command
Description

dot1x fallback

Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.

ip admission

Enable web authentication on a switch port

ip admission name proxy http

Enable web authentication globally on a switch

show dot1x [interface interface-id]

Displays IEEE 802.1x status for the specified port.

show fallback profile

Display the configured profiles on a switch.


ip admission

Use the ip admission interface configuration command to enable web authentication. You can also use this command in fallback-profile mode. Use the no form of this command to disable web authentication.

ip admission rule

no ip admission

Syntax Description

rule

Apply an IP admission rule to the interface.


Command Modes

Global configuration

Command History

Release
Modification

12.2(35)SE

This command was introduced.


Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

Examples

This example shows how to apply a web authentication rule to a switchport:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip admission rule1

This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port.

Switch# configure terminal
Switch(config)# fallback profile profile1
Switch(config)# ip admission name rule1
Switch(config)# end

Related Commands

Command
Description

dot1x fallback

Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.

fallback profile

Enable web authentication on a port

ip admission name proxy http

Enable web authentication globally on a switch

show ip admission

Displays information about NAC cached entries or the NAC configuration. For more information, see the Network Admission Control Software Configuration Guide on Cisco.com.


ip admission name proxy http

Use the ip admission name proxy http global configuration command to enable web authentication. Use the no form of this command to disable web authentication.

ip admission name proxy http

no ip admission name proxy http

Syntax Description

This command has no arguments or keywords.

Defaults

Web authentication is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(35)SE

This command was introduced.


Usage Guidelines

The ip admission name proxy http command globally enables web authentication on a switch.

After you enable web authentication on a switch, use the ip access-group in and ip admission web-rule interface configuration commands to enable web authentication on a specific interface.

Examples

This example shows how to configure only web authentication on a switchport:

Switch# configure terminal
Switch(config) ip admission name http-rule proxy http 
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 101 in
Switch(config-if)# ip admission rule
Switch(config-if)# end

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switchport.

Switch# configure terminal
Switch(config)# ip admission name rule2 proxy http 
Switch(config)# fallback profile profile1
Switch(config)# ip access group 101 in
Switch(config)# ip admission name rule2
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x fallback profile1
Switch(config-if)# end

Related Commands

Command
Description

dot1x fallback

Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.

fallback profile

Create a web authentication fallback profile.

ip admission

Enable web authentication on a port

show ip admission

Displays information about NAC cached entries or the NAC configuration. For more information, see the Network Admission Control Software Configuration Guide on Cisco.com.


show fallback profile

Use the show fallback profile privileged EXEC command to display the fallback profiles that are configured on a switch.

show fallback profile [append | begin | exclude | include | {[redirect | tee] url} expression]

Syntax Description

| append

(Optional) Append redirected output to a specified URL

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

| redirect

(Optional) Copy output to a specified URL.

| tee

(Optional) Copy output to a specified URL.

expression

Expression in the output to use as a reference point.

url

Specified URL where output is directed.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(35)SE

This command was introduced.


Usage Guidelines

Use the show fallback profile privileged EXEC command to display profiles that are configured on the switch.

Expressions are case sensitive. For example, if you enterexclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.

Examples

This is an example of output from the show fallback profile command:

switch# show fall profile 
Profile Name: dot1x-www
------------------------------------
Description       : NONE
IP Admission Rule : webauth-fallback
IP Access-Group IN: default-policy
Profile Name: dot1x-www-lpip
------------------------------------
Description       : NONE
IP Admission Rule : web-lpip
IP Access-Group IN: default-policy
Profile Name: profile1
------------------------------------
Description       : NONE
IP Admission Rule : NONE
IP Access-Group IN: NONE

Related Commands

Command
Description

dot1x fallback

Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.

fallback profile

Create a web authentication fallback profile.

ip admission

Enable web authentication on a switch port

ip admission name proxy http

Enable web authentication globally on a switch

show dot1x [interface interface-id]

Displays IEEE 802.1x status for the specified port.


Updates for Cisco IOS Release 12.2(25)SEE2

This is the update for Cisco IOS Release 12.2(25)SEE2:

The logging event interface configuration command (previously omitted) was added to the command reference.

logging event

Use the logging event interface configuration command to enable notification of interface link status changes. Use the no form of this command to disable notification.

logging event {bundle-status | link-status | spanning-tree | status | trunk status}

no logging event {bundle-status | link-status | spanning-tree | status | trunk status}

Syntax Description

bundle-status

Enable notification of BUNDLE and UNBUNDLE messages.

link-status

Enable notification of interface data link status changes.

spanning-tree

Enable notification of spanning-tree events.

status

Enable notification of spanning-tree state change messages.

trunk-status

Enable notification of trunk-status messages.


Defaults

Event logging is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.2(20)SE

This command was introduced.


Updates for Cisco IOS Release 12.2(25)SEE1

These are the updates for Cisco IOS Release 12.2(25)SEE1:

The usage guidelines for the radius-server dead-criteria global configuration command are incorrect. These are the correct usage guidelines.

We recommend that you configure the seconds and number parameters as follows:

Use the radius-server timeout seconds global configuration command to specify the time in seconds during which the switch waits for a RADIUS server to respond before the IEEE 802.1x authentication times out. The switch dynamically determines the default seconds value that is from 10 to 60 seconds.

Use the radius-server retransmit retries global configuration command to specify the number of times the switch tries to reach the radius servers before considering the servers to be unavailable. The switch dynamically determines the default tries value that is from 10 to 100.

The seconds parameter is less than or equal to the number of retransmission attempts times the time in seconds before the IEEE 802.1x authentication times out.

The tries parameter should be the same as the number of retransmission attempts.

The usage guidelines for the dot1x pae interface configuration command are incorrect. These are the correct guidelines:

When you configure IEEE 802.1x authentication on a port, such as by entering the dot1x port-control interface configuration command, the switch automatically configures the port as an EEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.

Updates for the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch

This information was added to the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch:

Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails

Warning


Voice over IP (VoIP) service and the emergency calling service do not function if power fails or is disrupted. After power is restored, you might have to reset or reconfigure equipment to regain access to VoIP and the emergency calling service. In the USA, this emergency number is 911. You need to be aware of the emergency number in your country. Statement 361

Waarschuwing

Voice over IP (VoIP)-service en de service voor noodoproepen werken niet indien er een stroomstoring is. Nadat de stroomtoevoer is hersteld, dient u wellicht de configuratie van uw apparatuur opnieuw in te stellen om opnieuw toegang te krijgen tot VoIP en de noodoproepen. In de VS is het nummer voor noodoproepen 911. U dient u zelf op de hoogte te stellen van het nummer voor noodoproepen in uw land.

Varoitus

Voice over IP (VoIP) -palvelu ja hätäpuhelupalvelu eivät toimi, jos virta katkeaa tai sen syötössä esiintyy häiriöitä. Kun virransyöttö on taas normaali, sinun täytyy mahdollisesti asettaa tai määrittää laitteisto uudelleen, jotta voisit jälleen käyttää VoIP-palvelua ja hätäpuhelupalvelua. Yhdysvalloissa hätänumero on 911. Selvitä, mikä on omassa kotimaassasi käytössä oleva hätänumero.

Attention

Le service Voice over IP (VoIP) et le service d'appels d'urgence ne fonctionnent pas en cas de panne de courant. Une fois que le courant est rétabli, vous devrez peut-être réinitialiser ou reconfigurer le système pour accéder de nouveau au service VoIP et à celui des appels d'urgence. Aux États-Unis, le numéro des services d'urgence est le 911. Vous devez connaître le numéro d'appel d'urgence en vigueur dans votre pays.

Warnung

Bei einem Stromausfall oder eingeschränkter Stromversorgung funktionieren VoIP-Dienst und Notruf nicht. Sobald die Stromversorgung wieder hergestellt ist, müssen Sie möglicherweise die Geräte zurücksetzen oder neu konfigurieren, um den Zugang zu VoIP und Notruf wieder herzustellen. Die Notrufnummer in den USA lautet 911. Wählen Sie im Notfall die für Ihr Land vorgesehene Notrufnummer.

Avvertenza

Il servizio Voice over IP (VoIP) e il servizio per le chiamate di emergenza non funzionano in caso di interruzione dell'alimentazione. Ristabilita l'alimentazione, potrebbe essere necessario reimpostare o riconfigurare l'attrezzatura per ottenere nuovamente l'accesso al servizio VoIP e al servizio per le chiamate di emergenza. Negli Stati Uniti, il numero di emergenza è 911. Si consiglia di individuare il numero di emergenza del proprio Paese.

Advarsel

Tjenesten Voice over IP (VoIP) og nødanropstjenesten fungerer ikke ved strømbrudd. Etter at strømmen har kommet tilbake, må du kanskje nullstille eller konfigurere utstyret på nytt for å få tilgang til VoIP og nødanropstjenesten. I USA er dette nødnummeret 911. Du må vite hva nødnummeret er i ditt land.

Aviso

O serviço Voice over IP (VoIP) e o serviço de chamadas de emergência não funcionam se houver um corte de energia. Depois do fornecimento de energia ser restabelecido, poderá ser necessário reiniciar ou reconfigurar o equipamento para voltar a utilizar os serviços VoIP ou chamadas de emergência. Nos EUA, o número de emergência é o 911. É importante que saiba qual o número de emergência no seu país.

¡Advertencia!

El servicio de voz sobre IP (VoIP) y el de llamadas de emergencia no funcionan si se interrumpe el suministro de energía. Tras recuperar el suministro es posible que deba que restablecer o volver a configurar el equipo para tener acceso a los servicios de VoIP y de llamadas de emergencia. En Estados Unidos el número de emergencia es el 911. Asegúrese de obtener el número de emergencia en su país.

Varning!

Tjänsten Voice over IP (VoIP) och larmnummertjänsten fungerar inte vid strömavbrott. Efter att strömmen kommit tillbaka måste du kanske återställa eller konfigurera om utrustningen för att få tillgång till VoIP och larmnummertjänsten. I USA är det här larmnumret 911. Du bör ta reda på det larmnummer som gäller i ditt land.

 

 



Update to the Hardware Installation Guide

The "Connectors and Cables" appendix incorrectly refers to a crossover cable as a rollover cable. This is the correct information:

You can identify a crossover cable by comparing the two modular cable ends. Hold the cable ends side-by-side, with the tab at the back, right plug, as shown in Figure 3.

Figure 3 Identifying a Crossover Cable

1

Pin 1

2

Pin 9


On a crossover cable, the wire connected to the pin on the outside of the left plug should be the same color as the wire connected to the pin on the outside of the right plug.

Update to the System Message Guide

These are the documentation updates for the system message guide:

New System Messages

Changed System Messages

New System Messages

These system messages have been added.

Error Message    DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on 
[chars]

Explanation    The client MAC address could not be added to the MAC address table because the hardware memory is full or the address is a secure address on another port. [enet] is the supplicant MAC address, and [chars] is the interface. This message might appear if the IEEE 802.1x feature is enabled.

Recommended Action    If the hardware memory is full, remove some of the dynamic MAC addresses. If the client address is on another port, manually remove it from that port.

Error Message    SPANTREE-6-PORTADD_ALL_VLANS: [chars] added to all Vlans 

Explanation    The interface has been added to all VLANs. [chars] is the added interface.

Recommended Action    No action is required.

Error Message    SPANTREE-6-PORTDEL_ALL_VLANS: [chars] deleted from all Vlans 

Explanation    The interface has been deleted from all VLANs. [chars] is the deleted interface.

Recommended Action    No action is required.

Error Message    SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to [chars]. 

Explanation    The VLAN Trunking Protocol (VTP) domain name was changed through the configuration to the name specified in the message. [chars] is the changed domain name.

Recommended Action    No action is required.

Changed System Messages

This system message has changed (both explanation and action).

Error Message    EC-5-CANNOT_BUNDLE1: Port-channel [chars] is down, port [chars] will 
remain stand-alone. 

Explanation    The aggregation port is down. The port remains standalone until the aggregation port is up. The first [chars] is the EtherChannel. The second [chars] is the port number.

Recommended Action    Ensure that the other ports in the bundle have the same configuration.

Error Message    ILPOWER-3-CONTROLLER_PORT_ERR:Controller port error, Interface 
Fa0/7:Power given, but link is not up.

Explanation    The inline-power-controller reported an error on an interface.

Recommended Action    Enter the shutdown and no shutdown interface configuration commands on the affected interfaces. Upgrade to Cisco IOS Release12.1(14)EA1 or later, which provides an electrostatic discharge (ESD) recovery mechanism.

Related Documentation

These documents provide complete information about the switch and are available from this Cisco.com site:

http://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.html

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the URL referenced in the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section.

Catalyst 3550 Multilayer Switch Software Configuration Guide (not orderable but available on Cisco.com)

Catalyst 3550 Multilayer Switch Command Reference (not orderable but available on Cisco.com)

Catalyst 3750, 3560, 3550, 2970, and 2960 Switch System Message Guide (not orderable but available on Cisco.com)

Catalyst 3550 Multilayer Switch Hardware Installation Guide (not orderable but available on Cisco.com)

Catalyst 3550 Switch Getting Started Guide (order number DOC-7816575=)

Regulatory Compliance and Safety Information for the Catalyst 3550 Switch (order number DOC-7816655=)

For information about other related products, see these documents:

Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)

Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)

1000BASE-T Gigabit Interface Converter Installation Note (not orderable but is available on Cisco.com)

Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide (order number DOC-786460=)

Network Admission Control Software Configuration Guide (not orderable but is available on Cisco.com)

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html