Guest

Cisco IOS Software Releases 12.2 SE

Release Notes for the Catalyst 3550-24-DC Switch, Cisco IOS Release 12.2(55)SE and Later

  • Viewing Options

  • PDF (975.6 KB)
  • Feedback

Table of Contents

Release Notes for the Catalyst 3550-24-DC Multilayer Switch, Cisco IOS Release 12.2(55)SE and Later

Contents

System Requirements

Supported Hardware

Device Manager System Requirements

Hardware

Software

Cluster Compatibility

CNA Compatibility

Upgrading the Switch Software

Finding the Software Version and Feature Set Running on the Switch

Deciding Which Files to Download from Cisco.com

Archiving Software Images

Upgrading a Switch by Using Device Manager or Network Assistant

Upgrading a Switch by Using the CLI

Upgrading with a Nondefault System MTU Setting

Recovering from a Software Failure

Installation Notes

New Software Features

Limitations and Restrictions

Cisco IOS Limitations and Restrictions

IEEE 802.1x

ACLs

Connected Devices

Configuration

DHCP

EtherChannel

HSRP

IGMP

IP

MAC Addressing

MIBs

Multicasting

Port Security

QoS

Routing

SNMP

SPAN and RSPAN

Spanning Tree

VLAN

Important Notes

Cisco IOS Notes

Device Manager Notes

Open Caveats

Resolved Caveats

Caveats Resolved in Cisco IOS Release 12.2(55)SE9

Caveats Resolved in Cisco IOS Release 12.2(55)SE8

Caveats Resolved in Cisco IOS Release 12.2(55)SE7

Caveats Resolved in Cisco IOS Release 12.2(55)SE6

Caveats Resolved in Cisco IOS Release 12.2(55)SE5

Caveats Resolved in Cisco IOS Release 12.2(55)SE4

Caveats Resolved in Cisco IOS Release 12.2(55)SE3

Caveats Resolved in Cisco IOS Release 12.2(55)SE

Documentation Updates

Updates for the Software Configuration Guide

Updates for the Command Reference

Updates for the System Message Guide

New Messages

Modified Messages

Updates for the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch

Update to the Hardware Installation Guide

Update to the Getting Start Guide

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Release Notes for the Catalyst 3550-24-DC Multilayer Switch, Cisco IOS Release 12.2(55)SE and Later

Revised March 14, 2014

Cisco IOS Release 12.2(55)SE runs only on the Catalyst 3550-24-DC multilayer switch.

These release notes include important information about Cisco IOS Release 12.2(55)SE and higher, and any limitations, restrictions, and caveats that apply to them. Verify that these are the correct release notes for your switch:

You can download the switch software from this site (registered Cisco.com users with a login password):
http://www.cisco.com/cisco/web/download/index.html

System Requirements

Supported Hardware

 

Table 1 Supported Hardware

Switch
Description

Catalyst 3550-24-DC

24 autosensing 10/100 Ethernet ports, 2 GBIC-based Gigabit Ethernet slots, and an on-board DC power converter

GBIC modules

  • 1000BASE-SX GBIC
  • 1000BASE-LX/LH GBIC
  • 1000BASE-ZX GBIC
  • 1000BASE-T GBIC
  • GigaStack GBIC
  • CWDM1 fiber-optic GBIC
  • DWDM2 fiber-optic GBIC

1.CWDM = coarse wavelength-division multiplexing

2.DWDM = dense wavelength-division multiplexing

Device Manager System Requirements

Hardware

 

Table 2 Minimum Hardware Requirements

Processor Speed
DRAM
Number of Colors
Resolution
Font Size

233 MHz minimum3

512 MB4

256

1024 x 768

Small

3.We recommend 1 GHz.

4.We recommend 1 GB DRAM.

Software

  • Windows 2000, XP, Vista, and Windows Server 2003.
  • Internet Explorer 5.5, 6.0, 7.0, Firefox 1.5, 2.0 or later.

The device manager verifies the browser version when starting a session, and it does not require a plug-in.

Cluster Compatibility

You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI) or the Network Assistant application.

When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

  • When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch.
  • If you are managing the cluster through Network Assistant, the switch with the latest software should be the command switch.
  • The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

For additional information about clustering, see the Getting Started with Cisco Network Assistant and the Release Notes for Cisco Network Assistant , the software configuration guide, and the command reference.

CNA Compatibility

Cisco IOS 12.2(46)SE and later is only compatible with Cisco Network Assistant (CNA) 5.0 and later. You can download Cisco Network Assistant:
http://www.cisco.com/pcgi-bin/tablebuild.pl/NetworkAssistant

For more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.

Upgrading the Switch Software


Caution A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to cryptographic image, regardless of the current noncryptographic Cisco IOS Release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

When you upgrade a switch, the switch continues to operate while the new software is copied to flash memory. If flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image. If flash memory does not have enough space for two images, the new image is copied over the existing one. Features provided by the new software are not available until you reload the switch.

If a failure occurs while copying a new image to the switch, and the old image has already been deleted, see the “Recovering from Corrupted Software” section in the “Troubleshooting” chapter of the software configuration guide.

Finding the Software Version and Feature Set Running on the Switch

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3550-ipbase9-mz for the IP services image (formerly known as the EMI) or C3550-ipbase-mz for the IP base image (formerly known as the SMI).


Note Although the show version output always shows the software image running on the switch (Layer 2 only or Layer 2 and Layer 3), the model name shown at the end of this display is the factory configuration (SMI or EMI) and does not change if you upgrade the software image.


You can also use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Download from Cisco.com

Cisco IOS Release 12.2(25)SEA and earlier referred to the image that provides Layer 2+ features and basic Layer 3 routing features as the standard multilayer image (SMI). The image that provides full Layer 3 routing features and advanced features was referred to as the enhanced multilayer image (EMI).

Cisco IOS Release 12.2(25)SEB and later refers to the SMI as the IP base image and the EMI as the IP services image. Table 3 lists the different file-naming conventions before and after Cisco IOS Release 12.2(25)SEB.

 

Table 3 Cisco IOS Image File Naming Convention

Cisco IOS 12.2(25)SEA and earlier
Cisco IOS 12.2(25)SEB and later

c3550-i9q3l2 (SMI)

c3550-ipbase-mz

c3550-i5q3l2-tar (EMI)

c3550-ipservices-mz

c3550-i9k91l2q3-tar (SMI)

c3550-ipbasek9-mz

c3550-i5k91l2q3-tar (EMI)

c3550-ipservicesk9-mz

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the files needed for the embedded device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 4 lists the software filenames for this release. These files are posted on Cisco.com.

 

Table 4 Cisco IOS Software Files for Catalyst 3550 Switches

Filename
Description

c3550-ipbasek9-tar.122-55.SE.tar

Cisco IOS IP base cryptographic image and device manager files.
This image has the Kerberos, Secure Shell (SSH), Layer 2+, and basic Layer 3 routing features.

c3550-ipservicesk9-tar.122-55.SE.tar

Cisco IOS IP services cryptographic image and device manager files.
This image has the Kerberos, SSH, Layer 2+, and full Layer 3 features.

Catalyst 3550 switches are supported by either the IP base image or the IP services image. All Catalyst 3550 Gigabit Ethernet switches are shipped with the IP services image installed. Catalyst 3550 Fast Ethernet switches are shipped with either the IP base image or the IP services image installed. After initial deployment, you can order the IP services Image Upgrade kit to upgrade the Catalyst 3550 Fast Ethernet switches from the IP base image to the IP services image.

Archiving Software Images

Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd80281c0e.html

You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.


Note Although you can copy any file on the flash memory to the TFTP server, it is time consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.


You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the “Basic File Transfer Services Commands” section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 :
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_t1.html

Upgrading a Switch by Using Device Manager or Network Assistant

You can upgrade switch software by using the device manager or Network Assistant. From the feature bar, choose Administration > Software Upgrade . For detailed instructions, click Help .


Note When using the device manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.


Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the Catalyst 3550 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image. This procedure requires a configured TFTP server.


Caution A bootloader upgrade occurs if you are upgrading the switch from a noncryptographic image to a cryptographic image, regardless of the current noncryptographic Cisco IOS release that is running on the switch. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

To download software, follow these steps:


Step 1 Use Table 4 to identify the file that you want to download.

Step 2 Download the software image file:

a. If you are a registered customer, go to this URL and log in.

http://www.cisco.com/cisco/web/download/index.html

b. Navigate to Switches > LAN Switches - Access .

c. Navigate to your switch model.

d. Click IOS Software , then select the latest IOS release.

Download the image you identified in Step 1.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured. (For more information, see Appendix B in the Catalyst 3550 Multilayer Switch Software Configuration Guide .)

Step 4 Log in to the switch through the console port or a Telnet session.

Step 5 Verify your VLAN 1 configuration by using the show interfaces vlan 1 privileged EXEC command, and verify that VLAN 1 is part of the same network as the TFTP server. (See the Internet address is line near the top of the display.)

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
 

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For // location , specify the IP address of the TFTP server.

For / directory / image-name .tar , specify the directory (optional) and the image to download. Directory and image names are case sensitive.


 

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3550-i5q3l2-tar.122-50.SE1.tar
 

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.

Upgrading with a Nondefault System MTU Setting

If the switch was running Cisco IOS Release 12.1(8)EA1c or earlier and you had used the system mtu global configuration command to configure a nondefault system maximum transmission unit (MTU) size on your switch, follow these steps to upgrade your switch to Cisco IOS Release 12.1(11)EA1 or later:


Step 1 Upgrade the Cisco IOS software to Cisco IOS Release 12.1(11)EA1 or later.

Step 2 If a system MTU size of greater than 2000 is configured on a Gigabit Ethernet switch (Catalyst 3550-12T or Catalyst 3550-12G) use the system mtu global configuration command to set it to the maximum supported MTU size. The maximum allowable system MTU for Catalyst 3550 Gigabit Ethernet switches
is 2000 bytes.

Step 3 Save the running configuration by entering the copy running-config startup-config privileged EXEC command.

Step 4 Reload the switch with the new Cisco IOS software.

Step 5 When the switch comes back up with Cisco IOS Release 12.1(11)EA1 or later, reload the switch a second time by using the reload privileged EXEC command so that the system mtu command takes effect.


 

Recovering from a Software Failure

For recovery procedures, see the “Troubleshooting” chapter in the software configuration guide for this release.

Installation Notes

Use these methods to assign IP information to your switch:

  • Express Setup program, as described in the switch getting started guide.
  • CLI-based setup program, as described in the switch hardware installation guide.
  • DHCP-based autoconfiguration, as described in the switch software configuration guide.
  • Manually assigned IP address, as described in the switch software configuration guide.

New Software Features

There are no new software features in this release.

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known Cisco IOS limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

IEEE 802.1x

  • When an IEEE 802.1x-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not transition to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to transition to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)

  • On a switch running Cisco IOS Release 12.1(12c)EA1 or later, if the switch MTU value is set to a value greater than 1500 and the authentication server and the intermediate devices are not configured with a compatible MTU value, IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) might fail.

The workaround is to reset the switch MTU value to the default value or to configure the same MTU value on the switch, the authentication server, and the intermediate devices. (CSCea05682)

  • If the switch sends untagged and non-CDP traffic in the single-host or multiple-hosts mode after the phone configuration is removed and the Cisco Discovery Protcol (CDP) cache on the switch is cleared, the CDP bypass feature does not work.

The work around is to enter the shutdown interface configuration command followed by the no shutdown interface configuration command to restart the interface. (CSCtq07102)

ACLs

  • If you apply a large ACL and it fills the entire ternary content addressable memory (TCAM), the MVR IP multicast data packets are sent to the switch CPU and are not forwarded to the MVR receiver ports.

There is no workaround. (CSCdx80751)

  • If the output from the show tcam inacl 1 statistics privileged EXEC command shows that the TCAM is not full and you are applying an ACL, this system message might appear:
%FM-3-UNLOADING: Unloading input vlan label 1 feature from all TCAMs
 

There is no workaround. (CSCea25658)

Connected Devices

  • When you configure an EtherChannel between a Catalyst 3550 switch and a Catalyst 1900 switch, some of the Catalyst 3550 links in the EtherChannel might go down, but one link in the channel remains up, and connectivity is maintained.

The workaround is to disable the Port Aggregation Protocol (PAgP) on both devices by using the channel-group channel-group-number mode on interface configuration command. PAgP negotiation between these two devices is not reliable. ( CSCdt78727)

  • If a switch and a Cisco redundant power system (RPS) 300 or 675 are connected to different power sources and the switch power supply fails, the Cisco RPS supplies power to the switch. However, after the switch power supply is restored, the Cisco RPS continues providing power to the switch.

When the switch stops receiving power from the Cisco RPS and uses its own power supply to power the switch, pressing the Standby/Active button on the Cisco RPS might cause the switch to reload.


Note We recommend that you connect the switch and the Cisco RPS to the same power source. For more information, see the Cisco RPS installation guide.


There is no workaround. (CSCdx81023)

  • When you insert a GigaStack GBIC in a GBIC module slot, the CPU utilization increases by 6 percent. This increase occurs for each GigaStack GBIC added to the switch. Other types of GBICs do not cause additional CPU utilization.

There is no workaround. (CSCdx90515)

  • When the link between a device with an AC power supply and a Catalyst 3550-24PWR switch is 10 Mb/s and half duplex, and the AC power supply is turned off, the switch is in the error-disabled state.

The workaround is remove the AC power supply, disconnect the Ethernet cable, and then reconnect the Ethernet cable. This ensures that the switch uses inline power. (CSCdz16265)

  • The Catalyst 3550 switch does not adjust the power allocation based on the IEEE class of the power device. When an IEEE powered-compliant device is connected to a switch, it allocates 15 W (the default) to the port.

There is no workaround. (CSCdz37516)

  • When a Catalyst 3550 switch is connected to a three-port Gigabit Ethernet module in a Cisco 12000 Gigabit Switch Router (GSR) that is configured for Ethernet over Multiprotocol Label Switching (EoMPLS), the switch does not reliably send frames to the GSR.

The workaround is to configure the Catalyst 3550 Gigabit Ethernet interface with the spanning-tree portfast interface configuration command. (CSCea04746)

  • If a cable on an ingress interface is disconnected, an Alteon A184 cannot detect when a 1000BASE-X link between two Catalyst 3550 switches is down.

There is no workaround. (CSCea09786)

• When three or more Catalyst 3550-24PWR switches are connected through GigaStack GBICs, you can access all the VLANs on the uplink switch, but you can only access VLAN 1 on the other switches.

The workaround is to enter the switchport mode trunk interface configuration command on all of the GigaStack interfaces and to do one of these:

Use the shutdown and then the no shutdown interface configuration commands on the ports.

Save the switch configuration by using the copy running-config startup-config privileged EXEC command, and reload all the switches. (CSCec86258)

  • The undersize error counter is incrementing when no undersize packets are present. This condition occurs on IEEE 802.1Q tunnel ports connected to a Nortel or an Alteon Load Balancer.

There is no known workaround. (CSCed73388)

  • If four switches are connected in a cascaded stack through the GigaStack GBICs, the link between the second and third switches goes down, and then the GBICs on the second and third switches are reconnected, the GBIC LEDs flash amber, and the ports take approximately 1 minute to come up. Some of the GBIC ports might not come up.

There is no workaround. (CSCef17198)

  • The Cisco RPS 300 redundant power system supports the Catalyst 3550 multilayer switch and provides redundancy for up to six connected devices until one of these devices requires backup power. If a connected device has a power failure, the Cisco RPS 300 immediately begins supplying power to that device and sends status information to other connected devices that it is no longer available as a backup power source. As described in the device documentation, when the RPS LED on the switch is amber, the Cisco RPS 300 is connected but down. However, this might merely mean that the Cisco RPS 300 is in standby mode. Press the Standby/Active button on the Cisco RPS 300 to put it into active mode. You can view the Cisco RPS 300 status through the CLI by using the show rps privileged EXEC command. For more information, see the Cisco RPS 300 documentation.

Configuration

  • When changing the link speed of a Gigabit Ethernet port from 1000 to 100 Mb/s, there is a slight chance that the port will stop forwarding packets.

The workaround is to shut down the port, and to re-enable it by using the shutdown and no shutdown interface configuration commands. (CSCds84279)

  • When you use the no interface port-channel global configuration command to remove an EtherChannel group, the ports in the port group change to the administratively down state.

The workaround, when you remove an EtherChannel group, is to enter the no shutdown interface configuration command on the interfaces that belonged to the port group to bring them back on line. (CSCdt10825)

• In the show interface interface-id privileged EXEC command output, the output buffer failures field shows the number of packets lost before replication, whereas the packets output field shows the successfully transmitted packets after replication. To determine actual discarded frames, multiply the output buffer failures by the number of VLANs on which the multicast data is replicated.

There is no workaround. (CSCdt26928)

  • Remote Monitoring (RMON) collection functions on physical interfaces, but it is not supported on EtherChannels and Switched Virtual Interfaces (SVIs). (CSCdt36101)

• If a switch stack contains both Catalyst 3550 switches and Catalyst 2900 XL or Catalyst 3500 XL switches, Cross-Stack UplinkFast (CSUF) is not enabled if the management VLAN on the Catalyst 2900 XL or 3500 XL switches is changed to a VLAN other than VLAN 1 (the default).

The workaround is to make sure that the management VLAN of all Catalyst 2900 XL or 3500 XL switches in the stack is set to VLAN 1. (CSCdv79737)

  • The 5 minute input rate and 5 minute output rate fields in the output of the show interfaces privileged EXEC command show both rates as 0 bits/sec. If you enter the show interfaces command more than once, these fields might show values greater than 0 bits/sec.

There is no workaround. (CSCdz06305)

  • Performing an extended ping from one interface to another interface on the same switch can cause high CPU utilization. This can occur when a large number of ping packets are sent and received and is the expected behavior.

The workaround is to not perform a ping from one interface to another on the same switch. (CSCea19301)

• When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked.

The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)

• When connected to some third-party devices that send early preambles, a switch port operating at 100 Mb/s full duplex or 100 Mb/s half duplex might bounce the line protocol up and down. The problem occurs only when the switch is receiving frames.

The workaround is to configure the port for 10 Mb/s and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)

  • Storm control or traffic suppression (configured by using the storm-control { broadcast | multicast | unicast } interface configuration command) is supported only on physical interfaces. It is not supported on EtherChannel port channels, even though you can enter these commands through the CLI.
  • When system jumbo MTU size is configured on a switch and the egress ports can support jumbo frames, the egress SPAN jumbo frames are not forwarded to the SPAN destination ports.

There is no workaround. (CSCsj21718)

DHCP

The DHCP option-82 format on the Catalyst 3550 switch is inconsistent with other Cisco switches. When the Catalyst 3550 switch is used as the relay agent with DHCP snooping and the option-82 feature using the VLAN-module-port ( vlan-mod-port ) format, the switch does not assign the correct value to the port identifier (circuit ID suboption). The value is offset by 1 from the actual interface module- and port-number values. The circuitID/port-identifier for Fast Ethernet and Gigabit Ethernet interfaces also have the same module-number but different port-number values. For example, on a Catalyst 3550-24 switch, fastethernet0/1 is reported as module 0/port 0 and gigabitethernet0/1 is reported as module 0/port 24.

There is no workaround. (CSCed29525)

EtherChannel

The switch might display tracebacks similar to this example when an EtherChannel interface port-channel type changes from Layer 2 to Layer 3 or the reverse:

15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58
 

There is no workaround. (CSCsh12472)

HSRP

After the no interface tunnel0 global configuration command is entered to remove the tunnel interface, the output from the show running-config privileged EXEC command still shows the tunnel interface that was removed.

This can occur if HSRP interface tracking is configured on another interface to track a tunnel interface, if the no interface command was entered before the HSRP tracking configuration was removed, or if the no standby tunnel0 global configuration command was entered on the other interface to disable tracking.

These are the workarounds:

  • Before removing the tunnel interface from the configuration, remove the HSRP interface tracking commands in the configuration that specify the tunnel interface.
  • Use the no standby track global configuration command without specifying an interface to disable HSRP tracking. (CSCdz66450)

IGMP

  • Internet Group Management Protocol (IGMP) packets classified by QoS to map the DSCP value and the class of service (CoS) value in a QoS policy map might modify only the DSCP property and leave the CoS value at zero.

There is no workaround. (CSCdt27705)

  • When IGMP filtering is enabled and you use the ip igmp profile global configuration command to create an IGMP filter, reserved multicast addresses cannot be filtered. Because IGMP filtering uses only Layer 3 addresses to filter IGMP reports and due to mapping between Layer 3 multicast addresses and Ethernet multicast addresses, reserved groups (224.0.0.x) are always allowed through the switch. Aliased groups can also leak through the switch. For example, if a user is allowed to receive reports from group 225.1.2.3, but not from group 230.1.2.3, aliasing causes the user to receive reports from 230.1.2.3. Aliasing of reserved addresses means that all groups of the form y.0.0.x are allowed through.

There is no workaround. (CSCdv73626)

• If you use the ip igmp max-groups interface configuration command to set the maximum number of IGMP groups for an interface to 0, the port still receives group reports from reserved multicast groups (224.0.0.x) and their Layer 2 aliases (y.0.0.x).

There is no workaround. (CSCdv79832)

  • When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked. The switchport block multicast command is only applicable to non-IP multicast traffic.

There is no workaround. (CSCee16865)

  • After you configure a switch to join a multicast group by entering the ip igmp join-group group-address interface configuration command, the igmp join sent by the client might be suppressed. If this happens, the switch port where the client is connected might be removed from the IGMP snooping forwarding table.

Use one of these workarounds:

Cancel membership in the multicast group by using the no ip igmp join-group group-address interface configuration command on an SVI.

Disable IGMP snooping on the VLAN interface by using the no ip igmp snooping vlan vlan-id global configuration command. (CSCeh90425)

IP

• The switch does not create an adjacent table entry when the ARP timeout value is 15 seconds and the ARP request times out.

The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)

MAC Addressing

• After a MAC address is relearned on a new interface, traffic might not be immediately forwarded to the MAC addresses.

There is no workaround. (CSCdz75459)

  • The switch uses the same MAC address for all VLAN interfaces. If the destination MAC address in a packet is the same as the MAC address of the VLAN interface, and the VLAN interface for that VLAN is shut down or does not exist, the switch drops the packet.

There is no workaround. (CSCed12004)

  • If packets with a bad cyclic redundancy check (CRC) are received on a port, the switch might learn the source MAC address of the bad packet.

There is no workaround. (CSCef15178)

MIBs

  • When you access the CISCO-STACK-MIB portTable, the mapping might be off by one from the mapping given by the switch. The objects in this table are indexed by two numbers: portModuleIndex and portIndex. The allowable values for portModuleIndex are 1 through 16. Because 0 is not an allowable value, the value 1 represents module 0.

The workaround is to use the value 1 to represent module 0. (CSCdw71848)

  • The Catalyst 3550 switch only supports the read operation in the sysClearPortTime MIB object (.1.3.6.1.4.1.9.5.1.1.13) in the CISCO-STACK-MIB. Use the clear counters privileged EXEC command to clear the counters.

There is no workaround. (CSCdz87897)

Multicasting

  • Modifying a multicast boundary access list does not prevent packets from being forwarded by any multicast routes that were in existence before the access list was modified if the packets arriving on the input interface do not violate the boundary. However, no new multicast routes that violate the updated version of the multicast boundary access list are learned, and any multicast routes that are in violation of the updated access list are not relearned if they age out.

After updating a multicast boundary, the workaround is to use the clear ip mroute privileged EXEC command to delete any existing multicast routes that violate the updated boundary. (CSCdr79083)

• The show ip mroute count privileged EXEC command might display incorrect packet counts. In certain transient states (for example, when a multicast stream is forwarded only to the CPU during the route-learning process and the CPU is programming this route into the hardware), a multicast stream packet count might be counted twice.

The workaround is to not trust the counter during this transient state. (CSCds61396)

• In IP multicast routing and fallback bridging, certain hardware features are used to replicate packets for the different VLANs of an outgoing trunk port. If the incoming speed is line rate, the outgoing interface cannot duplicate that speed (because of the replication of the packets). As a result, certain replicated packets are dropped.

There is no workaround. (CSCdt06418)

  • Multicast router information appears in the show ip igmp snooping mrouter privileged EXEC command output when IGMP snooping is disabled. Multicast VLAN Registration (MVR) and IGMP snooping use the same commands to display multicast router information. In this case, MVR is enabled, and IGMP snooping is disabled.

There is no workaround. (CSCdt48002)

  • When you use the ip pim spt-threshold infinity interface configuration command, you want all sources for the specified group to use the shared tree and not use the source tree. However, the switch does not automatically start to use the shared tree. No connectivity problem occurs, but the switch continues to use the shortest path tree for multicast group entries already installed in the multicast routing table.

The workaround is to enter the clear ip mroute privileged EXEC command to force the change to the shared tree. (CSCdt60412)

  • Configuring too many multicast groups might result in an extremely low memory condition and cause the software control data structure to go out of sync, causing unpredictable forwarding behavior. The memory resources can only be recovered by entering the clear ip mroute privileged EXEC command.

The workaround is to not configure more than the recommended number of multicast routes on the switch. ( CSCdt63480)

  • If the number of multicast routes configured on the switch is greater than the switch can support, it might run out of available memory, which can cause it to reboot. This is a limitation in the platform-independent code.

The workaround is to not configure the switch to operate with more than the maximum number of supported multicast routes. You can use the show sdm prefer and show sdm prefer routing privileged EXEC commands to view approximate maximum configuration guidelines for the current SDM template and the routing template. (CSCdt63354)

  • Multicast traffic can be temporarily lost when a link comes up in a redundant network and causes the reverse path forwarding (RPF) to change. This only occurs when there are multiple paths between the rendezvous point (RP) and the multicast source.

There is no workaround. (CSCdw27519)

  • When the switch receives multicast traffic and IGMP join for requests a multicast group at the same time and it begins to forward the multicast packets, some of the packets might be dropped.

There is no workaround. (CSCdy80326)

  • When one Fast Ethernet port on a switch (Switch A) is connected to a packet generator, and another Fast Ethernet port on the switch is connected to a Gigabit Ethernet interface on another switch (Switch B), multicast traffic sent from Switch A to Switch B is incorrectly counted. The output from the show mls qos interface interface-id statistics command for the Gigabit Ethernet interface is incorrect.

There is no workaround. (CSCee19574)

Port Security

  • If IP source guard and port security are both enabled on a port, and the port is flooded with a large number of unknown MAC addresses, the CPU utilization becomes very high. (CSCeg53423)
  • If a port is configured as a secure port with the violation mode as restrict, the secure ports might process packets even after maximum limit of MAC addresses is reached, but those packets are not forwarded to other ports.

There is no workaround. (CSCdw02638)

  • Certain combinations of features create conflicts with the port security feature. In Table 5 , No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time. A dash means not applicable.

 

Table 5 Port Security Compatibility with Other Features

Type of Port
Compatible with Port Security

DTP5 port6

No

Trunk port

Yes

Dynamic-access port7

No

Routed port

No

SPAN source port

Yes

SPAN destination port

No

EtherChannel

No

Tunneling port

Yes

Protected port

Yes

IEEE 802.1x port

Yes

Voice VLAN port8

Yes

5.DTP = Dynamic Trunking Protocol

6.A port configured with the switchport mode dynamic interface configuration command

7.A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command

8.You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.

QoS

  • If you assign both tail-drop threshold percentages to 100 percent by using the wrr-queue threshold interface configuration command and display QoS information for this interface by using the show mls qos interface statistics privileged command, the drop-count statistics are always zero even if the thresholds were exceeded. To display the total number of discarded packets, use the show controllers ethernet-controllers interface-id privileged EXEC command. In the display, the number of discarded frames includes the frames that were dropped when the tail-drop thresholds were exceeded.
  • The behavior of a software access control list (ACL) with QoS is different from a hardware ACL with QoS. On the Catalyst 3550 switch, when the QoS hardware rewrites the DSCP of a packet, the rewriting of this field happens before software running on the CPU examines the packet, and the CPU sees only the new value and not the original DSCP value.

When the security hardware ACL matches a packet on input, the match uses the original DSCP value. For output security ACLs, the security ACL hardware should match against the final, possibly changed, DSCP value as set by the QoS hardware. Under some circumstances, a match to a security ACL in hardware prevents the QoS hardware from rewriting the DSCP and causes the CPU to use the original DSCP.

If a security ACL is applied in software (because the ACL did not fit into hardware, and packets were sent to the CPU for examination), the match probably uses the new DSCP value as determined by the QoS hardware, whether or not the ACL is applied at the receiving or sending interface. When packets are logged by the ACL, this problem can also affect whether or not a match is logged by the CPU, even if the ACL fits into hardware and the permit or deny filtering was completed in hardware.

To avoid these issues, whenever the switch rewrites the DSCP of any packet to a value different from the original DSCP, security ACLs should not test against DSCP values in any of their access control elements (ACEs), whether or not the ACL is being applied to an IP access group or to a VLAN map. This restriction does not apply to ACLs used in QoS class maps.

If the switch is not configured to rewrite the DSCP value of any packet, it is safe to match against DSCP in ACLs used for IP access groups or for VLAN maps because the DSCP does not change as the packet is processed by the switch.

The DSCP field of an IP packet encompasses the two fields that were originally designated precedence and type of service (ToS). Statements relating to DSCP apply equally to either IP precedence or IP ToS. (CSCdt94355)

  • Ternary content addressable memory (TCAM) generation might fail when there are multiple ACLs in a policy-map. If you add an entry that checks TCP flags to an access list that is used for QoS classification, the system might report that a hardware limitation has been reached for the policy map. This can occur when the policy map already contains several other access list entries that check different TCP flags or that check TCP or User Datagram Protocol (UDP) port numbers by using an operation different from equal (eq) , such as not equal (ne) , less than (lt) , greater than (gt) , or range . When the hardware limitation is reached, the service-policy input policy-map-name interface configuration command is removed from the running configuration of the interface.

Checking for TCP flags and TCP/UDP port numbers using operators other than eq share some of the same hardware resources. The switch supports no more than six checks within a single policy map. An identical check repeated in multiple entries in the same policy map counts as a single instance. If this limit is reached during a TCP or a UDP port number check, the software can often work around the problem by allocating extra entries in the TCAM. There is no workaround if the limit is reached during a check against the TCP flags in the packet. Similar checks in a port ACL applied to the same physical interface as the policy map also count toward the limit.

Because these resources are allocated on a first-come, first-serve basis, rearranging the order of ACLs within a policy map or the order of entries within a single ACL, placing the TCP flags checks as early as possible, might enable the policy map to be loaded into the hardware.

Similar limits apply for any combination of input VLAN maps, input router ACLs, output VLAN maps, and output router ACLs that share the same VLAN label. The switch supports eight checks for all features on the same VLAN label. When the limit is reached, the system might forward packets by using the CPU rather than through hardware, greatly reducing system performance. To determine the VLAN label assigned to a VLAN or interface on input or output, use the show fm vlan or show fm interface privileged EXEC commands. Then use the show fm vlan-label privileged EXEC command to determine which set of features (input VLAN map, input router ACL, output VLAN map, or output router ACL) share this label.

These are the workarounds:

Re-arrange the order of classes within the policy map and the order of entries within the individual access lists in the policy map or within any IP port ACL applied to the interface so that checks for TCP flags are made as early as possible within the policy map. You can also re-arrange the order of the individual ACLs within a VLAN map and the order of the individual entries in a security ACL.

Add an extra entry to the front of an ACL that checks for the same TCP flags that are checked later on in the ACL. If the first entry of the ACL already matches only the TCP protocol, you can duplicate the entry and add a check for the appropriate TCP flags.

Reduce the number of different combinations of TCP flags being tested.

If the other workarounds fail, avoid combining any check against the TCP flags with gt , lt , ne , or range checks within the policy map and port ACL configured on the interface or within the VLAN maps and router ACLs that share the same VLAN label. (CSCdx24363)

  • If you apply an ACL to an interface that has a QoS policy map attached and the ACL is configured so that the packet should be forwarded by the CPU or if the configured ACL cannot fit into the ternary content addressable memory (TCAM), all packets received from this interface are forwarded to the CPU. Because traffic forwarded to the CPU cannot be policed by the policer configured on the interface, this traffic is not accurately rate-limited to the configured police rate.

The workaround, when QoS rate limiting is configured on an interface, is to configure applied ACLs so that packets are not forwarded by the CPU or reduce the number of ACEs in the ACL so that it can fit into the TCAM. (CSCdx30485)

  • If you create a policy map by using the policy-map policy-map-name global configuration command, enter the class class-map-name policy-map configuration command, and then immediately exit from the policy-map class configuration mode, the policy map does not show its class-map association.

The workaround is to enter another command (such as the police , trust , or set policy-map class configuration commands) after entering the class class-map-name policy-map configuration command. (CSCdx81650)

  • If a switch configuration contains a large ACL and a per-port per-VLAN policy map and both are attached to two interfaces, when you are copying it to the running configuration, this process might fail because the switch runs out of memory.

These are the workarounds:

Copy the new configuration file to the config.txt file, and reboot the switch.

Save the configuration file as two files: one containing only the ACL configuration and one containing the rest of the configuration (including the QoS and interface configuration). Add the first configuration file to the running-configuration file, and then add the second file to the running-configuration file. (CSCdz54115)

• If you are configuring a policy map on an interface by using named ACLs and the policy map has 13 named ACLs that include deny statements, these messages might appear when you add an ACL:

QoS: Programming TCAM failed: Unsuccessful ACL merge
Service Policy attachment failed
Service Policy xxxx not attached
QM-4-HARDWARE_NOT_SUPPORTED: Hardware limitation has reached for policymap xxxx
 

Use one of these workarounds:

Use numbered ACLs.

Do not use deny statements because the end of an ACL has an implicit deny statement. (CSCec46594)

  • Catalyst 3550 switches do not take into account the Preamble and IFG when rate limiting traffic, which could result in a slightly inaccurate policing rate on a long burst of small frames, where the ratio of the Preamble and IFG to frame size is more significant. This should not be an issue in an environment where the frames are a mix of different sizes.
  • Certain combinations of features create conflicts with the port security feature. In Table 5 , No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time. A dash means not applicable.
  • If you need to modify a class map or policy map of a service policy, first remove that service policy from all physical interfaces, and then modify the class map or policy map. When you have completed the modifications, apply the modified service policy to the physical interfaces. If you do not first remove the service policy from all physical interfaces, the switch can reload unexpectedly while you make modifications to the class map or policy map.
  • If you configure a large number of input interface VLANs in a class map, a traceback message similar to this might appear:
01:01:32: %BIT-4-OUTOFRANGE: bit 1321 is not in the expected range of 0 to 1024
 

There is no impact to switch functionality.

There is no workaround. (CSCtg32101)

Routing

  • Open Shortest Path First (OSPF) path costs and Interior Gateway Routing Protocol (IGRP) metrics are incorrect for switch virtual interface (SVI) ports.

The workaround is to configure the bandwidth of the SVI manually by using the bandwidth interface configuration command. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as an sending interface. (CSCdt29806)

  • The dec keyword is not supported in the bridge bridge-group protocol global configuration command. If two Catalyst 3550 switches are connected to each other through an interface that is configured for IP routing and fallback bridging, and the bridge group is configured with the bridge bridge-group protocol dec command, both switches act as if they were the spanning-tree root. Therefore, spanning-tree loops might be undetected.

There is no workaround. (CSCdt63589)

  • When the switch is operating with equal-cost routes and it is required to learn more unicast routes than it can support, the CPU might run out of memory, and the switch might fail.

The workaround is to remain within the documented recommended and supported limits. (CSCdt79172)

  • If a Catalyst 3550 switch is connected to two routers (Router 1 and Router 2) in this topology:

The link between Router 1 and the switch is a BVI (bridge virtual interface) that belongs to two VLANs (VLAN 100 and VLAN 110) and uses one IP address. The IP subnet for the BVI is the same for both VLANs. The ports in both VLANs operate as Layer 2 interfaces. An SVI with an IP address is configured only on VLAN 100.

The link between Router 2 and the switch is an IP interface that only belongs to VLAN 110.

IP connectivity then exists between Router 1 and the switch. There is no IP connectivity between Router 2 and the switch.

The workaround is to configure another SVI with an IP address on the Catalyst 3550 switch that would be reachable from Router 2. (CSCdy82042)

• When the switch has many routes that use loadsharing among multiple next hops, some of the routes might not loadshare but instead pick only one of the next hops for forwarding all packets on that route. This happens when the portion of the adjacency RAM that has been allotted for multipath routes has been used up.

There is no workaround. (CSCed22152)

• Packets received from media types that require SNAP encapsulation of IPv4 packets require the switch to forward SNAP-encapsulated packets. Layer 2 forwarding of IPv4 in SNAP encapsulation ordinarily takes place in hardware (unless a VLAN map or port ACL contains an IP ACL). However, on the Catalyst 3550 switch, Layer 3 forwarding of IPv4 in SNAP can only be done in software. SNAP-encapsulated IPv4 packets that are directed to the router MAC address or the HSRP group MAC address (if this device is the active router in the HSRP group) are forwarded to the switch CPU, potentially causing high CPU utilization levels.

This is a hardware limitation, and there is no workaround. (CSCed59864)

  • When multi-VRF-CE is enabled on the switch, the switch does not support the ip directed-broadcast interface configuration command used to enable forwarding of IP-directed broadcasts on an interface.

There is no workaround. (CSCee05670)

  • When an IP packet with a cyclic redundancy check (CRC) error is received, the per-packet per-Differentiated Service Code Point (DSCP) counter (for DSCP 0) is incremented. Normal networks should not have packets with CRC errors.

There is no workaround. (CSCdr85898)

SNMP

The switch might reload when it is executing the no snmp-server host global configuration command. This is a rare condition that can happen if SNMP traps or informs are enabled and the SNMP agent attempts to send a trap to the host just as it is being removed from the configuration and if the IP address of the host (or the gateway to reach the host) has not been resolved by Address Resolution Protocol (ARP).

The workaround is to ensure that the target host or the next-hop gateway to that host is in the ARP cache (for example, by using a ping command) before removing it from the SNMP configuration. Alternatively, disable all SNMP traps and informs before removing any hosts from the SNMP configuration. (CSCdw44266)

SPAN and RSPAN

• A Remote Switched Port Analyzer (RSPAN) source session does not forward monitored traffic to the RSPAN destination session if there is an egress SPAN source port in the session with port security or IEEE 802.1x enabled.

There is no workaround. (CSCdy21035)

• Not all traffic is properly mirrored by RSPAN when a port is monitored for egress traffic and the RSPAN VLAN is carried through a Layer 2 protocol tunnel to the RSPAN destination switch.

This happens because the MAC addresses for the original packets as well as the mirrored RSPAN packets are all learned on the tunnel VLAN, so the RSPAN traffic is no longer properly segregated on the tunneling switches.

The workaround is to not include any RSPAN VLANs in any Layer 2 protocol tunnels unless the tunnel is dedicated to a single RSPAN VLAN. (CSCdy37188)

  • Ingress forwarding on a SPAN destination port does not work if there is an egress SPAN source port in the session with port security or IEEE 802.1x enabled.

There is no workaround. (CSCdy44646)

  • Whenever a single frame is subject to both ingress and egress SPAN, and both the ingress and the egress SPAN are sent to the same SPAN destination port, the egress copy of the spanned frame is sent out the SPAN destination port before the ingress copy of the spanned frame is sent out the SPAN destination port.

There is no workaround. (CSCef97043)

• RSPAN does not work when the RSPAN source session and the RSPAN destination session are on the same switch. If an RSPAN source session is configured with a particular RSPAN VLAN and an RSPAN destination session for that RSPAN VLAN is configured on the same switch, then the RSPAN destination session's destination port will not transmit captured packets from the RSPAN source session.

The workaround is to use SPAN instead of RSPAN.(CSCeg08870)

Spanning Tree

  • If a port on the Catalyst 3550 switch that is running the Multiple Spanning Tree Protocol (MSTP) is connected to another switch that belongs to a different multiple spanning tree (MST) region, the Catalyst 3550 port is not recognized as a boundary port when you start the protocol migration process by using the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. This problem occurs only on the root bridge, and when the root bridge is cleared, the boundary ports are not shown because the designated ports do not receive any bridge protocol data units (BPDUs) unless a topology change occurs. This is the intended behavior.

The workaround is to configure the Catalyst 3550 switch for Per-VLAN spanning-tree plus (PVST+) by using the spanning-tree mode pvst global configuration command bridge, and then change it to MSTP by using the spanning-tree mode mst global configuration command. (CSCdx10808)

  • When a switch receives a bridge STP bridge protocol data unit (BPDU) from an access port and the egress port is a trunk port, the switch assigns the BPDU a CoS value of 0 instead of 7.

There is no workaround. (CSCdz54043)

  • In a switch stack with GigaStack GBICs, cross-stack UplinkFast (CSUF) convergence might be slow when the root port fails.

There is no workaround. (CSCef18020)

VLAN

  • When a VLAN interface has been disabled and restarted multiple times by using the shutdown and no shutdown interface configuration commands, the interface might not restart following a no shutdown command.

The workaround is to re-enter the shutdown and no shutdown interface configuration commands to restart the interface. (CSCdt54435)

• When a large number of VLANs and a large number of trunk ports with allowed VLAN lists are configured on the switch, if you enter the no switchport trunk allowed vlan interface-range command to remove the allowed list for all the trunk ports, the SYS-3-CPUHOG system message might appear.

The workaround is to use the no switchport trunk allowed vlan interface configuration command on each trunk port to remove the allowed list for all the trunk ports. (CSCdx17189)

  • When 1000 VLANs and more than 40 trunk ports are configured, and the spanning-tree mode changes from MSTP to PVST+ or the reverse, this message appears on the console:
%ETHCNTR-3-RA_ALLOC_ERROR: RAM Access write pool I/O memory allocation failure
 

There is no workaround. However, we recommend that you reload the switch by using the reload privileged EXEC command. To avoid this problem, configure the system with fewer VLANs and fewer trunk ports, or use the switchport trunk allowed vlan interface configuration command to reduce the number of active VLANs on each trunk port. (CSCdx20106)

• If the switch fails for any reason while you are exiting VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command), there is a slight chance that the VLAN database might get corrupted. After resetting from the switch, you might see these messages on the console:

%SW_VLAN-4-VTP_INVALID_DATABASE_DATA: VLAN manager received bad data of type device type: value 0 from vtp database
 
$SW_VLAN-3-VTP_PROTOCOL_ERROR: VTP protocol code internal error
 

The workaround is to use the delete flash:vlan.dat privileged EXEC command to delete the corrupted VLAN database. Then reload the switch by using the reload privileged EXEC command. (CSCdx19540)

  • When you perform a ping from a VLAN to another VLAN on the same switch, the VLAN counter does not change.

There is no workaround. (CSCdz17863)

• On a Catalyst 3550 switch, if you use the command-line interface to repeatedly add and delete a VLAN by entering the vlan vlan-id and no vlan vlan-id global configuration command and the VLAN has secured IEEE 802.1x addresses associated with it and traffic flowing from the secured addresses, the switch might fail.

The workaround is to shut down all ports in the VLAN or to remove the IEEE 802.1x and port-security configurations from all ports in the VLAN before deleting it. (CSCsg19355)

  • When using the ip source binding global configuration command to associate a static IP source binding with a non existent VLAN that has an ID greater than 1025, this message appears:

%DHCP_SNOOPING-4-IP_SOURCE_BINDING_NON_EXISTING_VLAN_WARNING: IP source binding is configured on non existing vlan 100.

The workaround is to enter the show vlan user EXEC command to verify that the VLAN exists. (CSCsh74176)

Important Notes

Cisco IOS Notes

  • In Cisco IOS Release 12.2(44)SE and later, if the switch has interfaces with automatic QoS for voice over IP (VoIP) configured and you upgrade the switch software to Cisco IOS Release 12.2(44)SE (or later), when you enter the auto qos voip cisco-phone interface configuration command on another interface, you might see this message:
AutoQoS Error: ciscophone input service policy was not properly applied
policy map AutoQoS-Police-CiscoPhone not configured
 

If this happens, enter the no auto qos voip cisco-phone interface command on all interface with this configuration to delete it. Then enter the auto qos voip cisco-phone command on each of these interfaces to reapply the configuration. In Cisco IOS Release 12.2(25)SEC, the implementation for multiple spanning tree (MST) changed from the previous release. Multiple STP (MSTP) is now compliant with the IEEE 802.1s standard. Previous MSTP implementations were based on a draft of the IEEE 802.1s standard.

  • In Cisco IOS Release 12.1(19)EA1, the implementation for the option-82 subscriber identification changed from the previous release. The new option-82 format uses a different circuit ID and remote ID suboption, vlan-mod-port . The previous version uses the snmp-ifindex circuit ID and the remote ID suboption.

If you have option-82 configured on the switch and you upgrade to Cisco IOS Release 12.1(19)EA1 or later, the option-82 configuration is not affected. However, when you globally enable DHCP snooping on the switch by using the ip dhcp snooping global configuration command, the previous option-82 configuration is suspended, and the new option-82 format is applied. When you globally disable DHCP snooping on the switch, the previous option-82 configuration is re-enabled.

To provide for backward compatibility, you can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command when you enable DHCP snooping. When DHCP snooping is globally enabled, option-82 information (in the selected format) is only inserted on snooped VLANs.

For more information about using the previous version of option 82 without enabling DHCP snooping, see the software configuration guide for this release.

  • In Cisco IOS Release 12.1(14)EA1, the implementation for IEEE 802.1x changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added.

If you have IEEE 802.1x configured on the switch and you upgrade to Cisco IOS
Release 12.1(14)EA1 or later, the configuration file does not contain the new commands, and
IEEE 802.1x does not operate. After the upgrade is complete, make sure to globally enable
IEEE 802.1x by using the dot1x system-auth-control global configuration command. For more information, see the software configuration guide for this release.

  • When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to 2 plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the telephone requires up to two MAC addresses. The address of the Cisco IP Phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the Cisco IP Phone requires additional MAC addresses.
  • If you configure a port ACL on a physical interface on a switch that has VLAN maps or input router ACLs configured, or if you configure a VLAN map or input router ACL on a switch that has port ACLs configured, a CONFLICT message is generated, but the configuration is accepted. The port ACL action has priority on that port over actions in a router ACL or VLAN map applied to the VLAN to which the port belongs.

The result is that packets received on that physical port are permitted or denied based on the port ACL action, without regard to any permit or deny statements in any router ACL or VLAN map. Packets received on other physical ports in the VLAN are still permitted or denied based on any router ACLs or VLAN maps applied to the VLAN. If the port ACL is applied to a trunk port, it overrides any other input ACLs applied to all VLANs on the trunk port.

  • The default system MTU for traffic on the Catalyst 3550 switch is 1500 bytes. The IEEE 802.1Q tunneling feature increases the frame size by 4 bytes. Therefore, when you configure IEEE 802.1Q tunneling, you must configure all switches in the IEEE 802.1Q network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. You configure the system MTU size by using the system mtu global configuration command.
  • When you are configuring a cascaded stack of Catalyst 3550 switches by using the GigaStack GBIC module and want to include more than one VLAN in the stack, be sure to configure all the GigaStack GBIC interfaces as trunk ports by using the switchport mode trunk interface configuration command and to use the same encapsulation method by using the switchport encapsulation { isl | dot1q } interface configuration command. For more information about these commands, refer to the switch command reference for this Cisco IOS release.
  • If the 1000BASE-T GBIC (WS-G5482) module is not securely inserted, the switch might fail to recognize it or might display an incorrect media type following a show interface privileged EXEC command entry. If this happens, remove and reinsert the GBIC module.

• When you configure a dynamic switchport by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the port mode changes from access to trunk through Dynamic Trunking Protocol (DTP) negotiation.

The workaround is to configure the port as a static access port. (CSCdz32330)

  • Beginning in Cisco IOS Release 12.1(13)EA1, these are the default settings for an IP phone connected to a switch:

The port trust state is to not trust the priority of frames arriving on the IP phone port from connected devices.

The CoS value of incoming traffic is overwritten and set to zero. (CSCdz76948).

• If the switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:

00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding.
 

If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.

Device Manager Notes

  • This release supports the same switch cluster compatibilities supported in Cisco IOS Release 12.1(22)EA1. However, you cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI or Cisco Network Assistant.
  • When you are prompted to accept the security certificate and you click No , you see only a blank screen, and the device manager does not launch.

The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)

  • We recommend this browser setting to speed up the time to display the device manager from Microsoft Internet Explorer.

From Microsoft Internet Explorer:

1. Choose Tools > Internet Options .

2. Click Settings in the “Temporary Internet files” area.

3. From the Settings window, choose Automatically .

4. Click OK .

5. Click OK to exit the Internet Options window.

  • The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.

If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

 

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip http authentication { aaa | enable | local}

Configure the HTTP server interface for the type of authentication that you want to use.

  • aaa —Enable the authentication, authorization, and accounting feature. You must enter the aaa new-model interface configuration command for the aaa keyword to appear.
  • enable—Enable password, which is the default method of HTTP server user authentication, is used.
  • local—Local user database, as defined on the Cisco router or access server, is used.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.

If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.

  • If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www . cisco.com:84 ), you must enter http:// as the URL prefix. Otherwise, you cannot launch the device manager.

Open Caveats

  • CSCtj86299

If a static MAC address entry is configured for an IP address in the global routing table, ping requests are sent through the global context, and replies are sent through Virtual Routing and Forwarding (VRF). This is a VRF leak.

The workaround is to remove the static MAC address entry.

  • CSCto06796

When you disable an interface and configure voice and data on the same VLAN and enable the interface:

It causes a security violation but voice and data is authorized.

The configuration for the data VLAN policy changes after authentication. Use the show run interface configuration command to see this.

When you configure voice and data on the same VLAN on an enabled interface, it causes a security violation and an error message is displayed.

In both cases the workaround is to configure voice and data on separate VLANs.

  • CSCto55124

When a member switch port security is used with port-based dot1x authentication and the switch MAC address is sticky, a connected device authenticates itself. Its MAC address is added as sticky in the switch configuration and in the port security tables of the stack switches. When the switch is shut down, the device MAC address is removed from the master switch, but it is retained in the member switch security tables. When the interface is re-enabled, the device MAC address is restored to the master switch configuration.

The workaround is to use port security without dot1x authentication.

  • CSCto99322

If the switch is in multidomain authorization (MDA) mode and it receives three or more MAC addresses simultaneously or if the switch is in single-host mode and it receives two or more MAC addresses simultaneously, a security violation trap occurs in the shutdown and protect violation modes.

The workaround is to connect one device at a time.

  • CSCtq06316

If you configure multidomain authentication (MDA) with Open1x authentication and the restrict violation mode, a security violation occurs if the MAC address on the voice LAN is the last MAC address that the switch receives. However, the MAC address is added to the table as a dynamic MAC address and the connected data VLANs continue to access the interface.

The workaround is to connect the voice device first.

  • CSCtq06842

In the multidomain authentication (MDA) mode, if you configure the network-policy profile global configuration command and you remove a voice VLAN at the interface level after authentication, tracebacks and error messages are generated.

There is no workaround.

  • CSCtq12146

When MAC authentication bypass (MAB) is configured in single-host mode on the first port and multidomain authentication (MDA) is configured in open authentication mode on the second port, if the MAC Move feature is disabled on the switch, a security violation does not occur when the switch detects the same MAC address on both ports.

The workaround is to manually clear the MAC address table on the second port.

Resolved Caveats

Caveats Resolved in Cisco IOS Release 12.2(55)SE9

  • CSCsh15817

IP Service Level Agreement operations on a router that also has a response time reporter (RTR) enabled on it, fails at the source. This happens because the RTR responder does not receive the UPD socket events when a UDP packet is routed through a VRF.

The workaround is to use IP SLA operations without VRFs.

  • CSCtr38563

Switch fails when a secondary IP address is configured on a VLAN interface.

There is no workaround.

  • CSCuc63146

Port-channel interface flaps while adding or removing a VLAN from the trunk on a port-channel interface if one or more port members are not in P or D states.

The workaround is to shut down the port members which are not in P or D states and make the VLAN changes.

  • CSCuh43252

After upgrading to Cisco IOS Release 15.0(2)SE3, the switch does not authenticate using TACACS. The TPLUS process on the switch pushes the CPU usage up to 99%.

The workaround is to downgrade the switch software to a version prior to Cisco IOS Release 15.0(2)SE3.

  • CSCui65252

When Dynamic ARP Inspection (DAI) is enabled over port channel, it stops processing the Address Resolution Protocol (ARP) packets.

The workaround is to set up a direct link between the access switch and the DHCP server.

  • CSCuj54648

A malformed TCP packet forwarded on a STP blocked port keeps looping in the network even after traffic is stopped, creating CPU hogs on switches.

To stop the loop and flooding in the network use one of these workarounds:

Run the shutdown command followed by the no shutdown command on any port in the topology.

Change the STP priority of any of the switches.

  • CSCtx37546

After stack switchover length 0 automatically gets set to line vty on stack master or member.

There is no workaround.

  • CSCsv29870

When Routing Information Protocol (RIP) is configured and clear ip route* command is run on the switch, the RIP sends multiple requests for each interface instead of one request.

There is no workaround.

  • CSCue94493

When Cisco IP Communicator (CIPC) is turned on and the Cisco Discovery Protocol (CDP) is enabled on the switch, the MAC address of CIPC incorrectly appears in the voice VLAN.

The workaround is to disable CDP on Cisco IP Communicator.

  • CSCuh80308

When Access Control List (ACL) entries are applied to the switch interface using copy tftp: running-config command, it stops forwarding fragmented traffic.

Use one of the following workarounds:

Apply the ACL configuration through CLI.

Remove the ACL from the interface and apply again through the CLI.

In the ACL specify the traffic using IP addresses.

  • CSCsw43080

For Cisco IOS Releases earlier than 12.4(24)T, traceback and %DATACORRUPTION-1-DATAINCONSISTENCY errors are observed in the log.

There is no workaround.

  • CSCuh72558

In a switch stack, if a stack member is connected to a Meru access point that requires 802.3at or 29.5W POE+ inline power, connection over 802.3at POE+ fails.

The workaround is to move all affected POE+ devices to the stack master.

  • CSCui56736

This issue is seen on Cisco IOS Releases 12.2(55)SE and later, 12.2(58)SE and later, and 15.0(2)SE and later. When the switch stack is reloaded, configuration is initialized, the vlan.dat file is deleted, and VTP version 3 is configured, the show vtp status command gives inconsistent results on the stack master and member switches. When the command is run on the stack master, the stack master is shown as server in the VLAN and transparent in the Multiple Spanning Tree (MST) instance. But when the command is run on a member switch, the member switch is shown as the primary server for both the VLAN and the MST instance. When the vtp mode transparent mst command is entered, the Device mode already VTP Transparent for MST message is displayed. Now if the master switch is reloaded, the whole stack is shown as the primary server for both the VLAN and the MST.

The workaround is to change the VTP version to 2 and then change it back again to 3.

  • CSCtd62339

The following error is seen when EIGRP is enabled on the switch: %EIGRP: Failed to get client handle from BFD

There is no workaround.

  • CSCti88809

If Smart Install is enabled and the shutdown command is entered on a range of interfaces followed by the no shutdown command, a traceback is seen due to data corruption.

The workaround is to disable Smart Install by entering the no vstack global configuration command.

  • CSCtr24525

The value of the logmessageperiod command in the Precision Time Protocol (PTP) announce packet shows the erroneous value of 127.

There is no workaround.

Caveats Resolved in Cisco IOS Release 12.2(55)SE8

  • CSCtf23298

When a Terminal Access Controller Access Control System (TACACS) server is configured with a single connection, the CPU usage is high.

The workaround is to remove the single connection option.

  • CSCtt19737

Cisco IOS IP SLAs probes fail because the control message is blocked. The firewalls block the control message when a response packet is not returned to the originating port.

The workaround is to disable IP SLAs control messages for this probe instance.

  • CSCty66157

The snmp-server group command does not associate both IPv6 and IPv4 ACLs simultaneously with an SNMP group.

The workaround is to use the snmp-server user command, which associates both IPv4 and IPv6 ACLs with an SNMP user.

  • CSCud79753

When a switch is configured with Cisco IOS IP SLAs FTP GET operation and if the target file is unavailable, the switch experiences a memory leak and may become unresponsive if it runs out of memory.

The workaround is to configure the Cisco IOS IP SLAs FTP GET operation only after verifying the availability of the remote target file and setting the permissions for the file, as appropriate. This allows the switch to retrieve the file and not experience a memory leak.

  • CSCue07405

When manually running on-demand diagnostic tests on a stack member using the diagnostic start switch number test all interface configuration command, the test TestPortAsicRingLoopback fails arbitrarily.

The workaround is to run only the TestPortAsicRingLoopback test ( diagnostic start switch number test 4 interface configuration command) on the stack member. Isolate the stack member and then run the diagnostic start switch number test all interface configuration command on the rest of the stack.

Caveats Resolved in Cisco IOS Release 12.2(55)SE7

  • CSCtg52885

The Hot Standby Router Protocol (HSRP) on dot1q sub-interfaces remains in INIT state after a physical link flap on the trunk port.

The workaround is to enter the shutdown and no shutdown command on the interface.

  • CSCtz96168

IPv6 packets travel randomly between two isolated ports that are in the same VLAN.

There is no workaround.

  • CSCub92642

If the switch is configured with Multicast Distributed Switching (MDS), memory leaks if the multicast-routing distributed command is toggled repeatedly.

There is no workaround.

  • CSCud17778

Memory leaks (due to SNMP traps) cause the switch to respond slowly to commands; eventually the switch fails. This is observed when more than one SNMP server host is configured, one of the host broadcasts SNMP traps, or the snmp-server enable traps snmp authentication coldstart warmstart command is configured.

The workaround is to disable the snmp-server enable traps snmp authentication coldstart warmstart command and reload the switch.

Caveats Resolved in Cisco IOS Release 12.2(55)SE6

  • CSCef01541

The switch processes data packets that are sent to the network address of an interface if the layer-2 frame encapsulating that packet is specifically crafted to target layer-2 address of the interface or a broadcast layer-2 address.

The workaround is to use Cisco Express Forwarding (CEF).

  • CSCtk18810

High memory usage is seen with the 'Virtual Exec" process.

There is no workaround.

• CSCto57723

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP version 6 (DHCPv6) server feature enabled, causing a reload.

Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcpv6

  • CSCtt31901

The sh udld neighbor command does not work.

The workaround is to enable the udld port aggressive command on the interface level once.

  • CSCtw58495

The switch stops working when you enter the show epm session summary privileged EXEC command.

There is no workaround.

  • CSCtx20903

In a single connection-enabled Terminal Access Controller Access Control System (TACACS) server, when the primary TACACS server goes down , the authentication fallback to the secondary server fails.

The workaround is to disable the single connection.

  • CSCtx61557

The switch stops working even after a successful 802.1x authentication of the client.

There is no workaround.

  • CSCtx96491

A port configured and authenticated with 802.1x security may not correctly detect a loop even if the Bridge Protocol Data Unit (BPDU) guard is configured on the interface. This may result in 100 percent CPU utilization because of the Spanning Tree Protocol (STP) process of the switch.

The workaround is to configure the switch with the authentication open or authentication mac-move permit command.

  • CSCtx99483

The switch reloads unexpectedly due to segV exception while making PBR configuration changes.

There is no workaround.

  • CSCty93544

Traffic that should be dropped or denied by an Access Control List (ACL) is permitted by the switch.

The workaround is to remove and reapply the ACL.

  • CSCtz27507

When a switch is configured for SNMP and receives SNMP packets from an authenticated user, a successful exploitation causes the affected device to reload. This vulnerability could be exploited repeatedly to cause an extended Denial of Service (DoS) condition.

There is no workaround.

  • CSCtz92782

Advanced Access Control List (dACL) does not get applied to a switch interface configured for Multi-Domain Authentication (MDA).

The workaround is to modify the dACL name and configuration.

  • CSCua09639

ARP is blocked with open authentication-enabled switchports.

The workaround is to run the command clear authentication session.

Caveats Resolved in Cisco IOS Release 12.2(55)SE5

  • CSCsy43147

During a Telnet session, the router crashes when the TACACS+ server is configured or unconfigured ( tacacs-server host command) using the single-connection keyword.

The workaround is to not use the single-connection keyword.

  • CSCtb35715

When you enter the show running-config interface configuration command, IP Service Level Agreement notifications are shown as enabled even when you have not enabled this configuration using the ip sla enable reaction-alerts interface configuration command.

There is no workaround.

  • CSCtc18841

If local proxy Address Resolution Protocol (ARP) is configured on the VLAN interface, the ARP entry for the Hot Standby Router Protocol (HSRP) enters into an incomplete state.

The workaround is to remove the proxy ARP feature on the VLAN interface (by using the no ip local-proxy-arp interface configuration command) and restart the interface.

  • CSCtg38468

When AAA authorization is used with TACACS+, an error is displayed if the banner message ( banner exec global configuration command) starts with a blank character.

The workaround is to not start the banner message with a blank character.

  • CSCth00398

If the no vtp VLAN configuration command is used on a port that receives VTP updates, the switch does not process Layer 2 control traffic (STP and CDP) after some time.

The workaround is to configure VTP on the port or to not use the no vtp command.

  • CSCtj89743

CPU usage is high when a device connected to the switch is accessed using the https://IP_address command on the router.

The workaround is to reload the device.

  • CSCtj95182

If a network scanner is used to check the network components, a memory leak occurs in the SMI IBC/IBD server process, and the CPU load is unusually high.

There is no workaround.

  • CSCtn10697

The switch crashes when DCHP snooping is enabled with value 125 and an offer packet is received.

There is no workaround.

  • CSCto72927

If a Tcl policy is copied to the router, the router fails when an event manager policy is configured.

There is no workaround.

  • CSCtq09233

If a CLI configuration text file is copied from a Windows system to the switch, a space is appended to the end of the macro description command when the file is read from the flash of the switch. This leads to errors resulting in high CPU utilization on the switch. Another possible issue is that the macro is not removed when the link goes down or the connected device is removed from the switch.

The workaround is to copy the configuration file from a non-Windows system (like UNIX or Linux) or convert the file to an appropriate UNIX format before copying.

  • CSCtq72873

In this race condition, the switch fails when a MAB client fails to authenticate on the switch (possibly caused by the ACS server being unavailable) and the client is simultaneously deleted from the switch (possibly by entering the clear authentication sessions privileged EXEC command).

There is no workaround. The risk of switch failure can be minimized by ensuring that MAB-enabled interfaces are not shut down andthat commands that clear the MAB sessions are avoided.

• CSCtr28857

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp

• CSCtr91106

A vulnerability exists in the Cisco IOS Software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS Software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

  • CSCts34688

The switch crashes due to the "HACL Acl Manager" memory fragmentation when a large access control list (ACL) is modified.

The workaround is add or remove ACE entries in sequential order when the ACL is modified.

  • CSCts56125

When a switch powers on and none of the ports are up, the switch reloads in 15 minutes if it cannot contact the TACACS+ server.

The workaround is to not use the broadcast keyword in the TACACS+ server configuration.

  • CSCts75641

Routing Information Protocol (RIP) Version 2 packets egressing an 801.1Q tunnel interface are triplicated.

There is no workaround.

• CSCtt16051

Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20120328-smartinstall

  • CSCtt37202

If a client switch is authorized using MAC Authentication Bypass (MAB), and then by using the 802.1x standard and dynamic VLAN assignment, the MAC address of the switch is not updated in the MAC address table of slave switches.

The workaround is to not use both the 802.1x and dynamic VLAN assignment configurations for the client switch.

  • CSCtu17483

The switch crashes when an IP phone that uses LLDP and authenticates itself using MAC Authentication Bypass (MAB) or 802.1x is physically disconnected and reconnected to the switch port.

The workaround is to remove the aaa authorization network default group SG-PBA global configuration command.

Caveats Resolved in Cisco IOS Release 12.2(55)SE4

  • CSCta85026

The Dynamic Host Configuration Protocol (DHCP) CLI does not accept white spaces in raw ASCII option in the DHCP pool configuration submode. This issue is seen in Cisco IOS Release 12.4(24)T1 and later.

There is no workaround.

  • CSCtg11547

In a VPN Routing and Forwarding (VRF) aware setup, messages are not sent to the syslog server. This issue applies to Cisco IOS Release 12.2(53)SE and 12.2(53)SE1. This situation does not occur if system logging is configured in the global table.

This problem has been corrected.

  • CSCth87458

A memory leak occurs in the SSH process, and user authentication is required.

The workaround is to allow SSH connections only from trusted hosts.

  • CSCti37197

If a tunnel interface is configured with Cisco Discovery Protocol (CDP), the switch fails when it receives a CDP packet.

The workaround is to disable CDP on the interface by using the no cdp enable interface configuration command.

  • CSCtj56719

The switch fails when the Differentiated Services Code Point (DSCP) mutation name is longer than 25 characters.

The workaround is to configure DSCP mutation names with fewer than 25 characters.

  • CSCtl60151

The switch sometimes reloads after a CPU overload, regardless of the process that is overloading the CPU.

This problem has been corrected.

  • CSCtr79386

The switch fails when DHCP snooping is configured and packet data traffic is excessive. The traffic exhausts the I/O memory and triggers the switch to crash.

There is no workaround.

Caveats Resolved in Cisco IOS Release 12.2(55)SE3

  • CSCto10165

A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.

Cisco has released free software updates that address this vulnerability.

There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml .

  • CSCto46868

If you configure multidomain authentication (MDA) with Open1x authentication and the restrict violation mode, only two MAC addresses are allowed to access the interface. A security violation occurs when a third MAC address on a voice VLAN tries to access the interface. The voice VLAN is not authenticated, and a syslog message is generated. However, the MAC address is not removed from the voice VLAN because Open1x authentication is configured. If you have authorized the voice VLAN with a policy, such as a dynamic VLAN, the policy is not applied.

The workaround is to not configure a voice VLAN on the phone.

Caveats Resolved in Cisco IOS Release 12.2(55)SE

  • CSCsz18634

On a switch running Cisco IOS release 12.2(46)SE, the output of the show interfaces privileged EXEC command shows 0 packets for port channel input and output rates.

The workaround is to reload the switch by entering the reload privileged EXEC command.

  • CSCtc02635

On switches running Cisco IOS release 12.2(50)SE3 running MAC authentication bypass with multidomain authentication (MDA, IP phones connected to a port might not be able to regain network connectivity in the VOICE domain if the session times out and all RADIUS servers are unreachable.

There is no workaround.

• CSCte14603

A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml .

Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml

Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html

  • CSCte94620

After you apply an ACL, these messages appear:

%IPACCESS-4-INVALIDACL: Invalid ACL field: Acl number is 0
%IPACCESS-4-INVALIDACL: Invalid ACL field: Acl type is 145
 

There is no workaround.

  • CSCtf19991

If the RADIUS authentication server is unavailable and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the connected port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN. After the server is available, the client is not reinitalized and moved out of the critical VLAN.

  • There is no workaround.CSCtf33948

A PC in 802.1x or multidomain authentication (MDA) mode is connected to an IP phone and connected to a MDA-enabled switch port. After the PC and phone are authenticated on the port, the PC is down. The port does not automatically reauthenticate the PC.

There is no workaround.

• CSCtf78276

A switch running Cisco IOS Release 12.2(53)SE1 stops when IEEE 802.1x authentication is enabled.

The workaround is to apply a VLAN that the RADIUS server assigned to the switch.

  • CSCtg26941

Multidomain authentication (MDA) with guest VLAN or MAC authentication bypass (MAB) as a fallback method is enabled on a switch running Cisco IOS Release 12.2(53)SE. When a non-802.1x client is connected to a IP phone and the phone connected to a switch port shuts down and then restarts, the client MAC address status is drop in the MAC address table. It takes 5 minutes for the client to access the network.

The workaround is to use another software release, such as Cisco IOS Release 12.2(44)SE2.

  • CSCtg41473

A memory shortage occurs when transceiver module diagnostic tests run. For example, this occurs when you enter the show interface transceiver detail privileged command or when SNMP or a network management system (NMS), such as Cisco Network Assistance or Cisco Works, uses the command.

The workaround is to restart the switch.

  • CSCtg47738

This error message is displayed after copying a configuration file to the running configuration file fails:

%Error opening system:/running-config (No such file or directory)

The output of the dir system:/ EXEC command also does not show a running configuration file.

The workaround is to reload the switch.

Documentation Updates

Updates for the Software Configuration Guide

The switch does not support the verify user EXEC command.

In the “Power Over Ethernet Ports” section in the “Configuring Interface Characteristics” chapter of the Catalyst 3550 Multilayer Switch Software Configuration Guide , this information is changed:

Catalyst 3550 PoE-capable switch ports automatically supply power to these connected devices (if the switch senses that there is no power on the circuit):

Cisco pre-standard powered devices (such as Cisco IP Phones and Cisco Aironet Access Points)

IEEE 802.3af-compliant powered devices other than a Catalyst 3550 switch, which is not
IEEE 802.3af-compliant.

A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power source.

The documentation updates for the software configuration guide are in the latest version of the book at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/3550SCG.html

In the “Configuring RIP for IPv6” section in the “Configuring IPv6 Unicast Routing” chapter, the task table is incorrect. This is the correct table:

Command
Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ipv6 router rip name

Configure an IPv6 RIP routing process, and enter router configuration mode for the process.

Step 3

maximum-paths number-paths

(Optional) Define the maximum number of equal-cost routes that IPv6 RIP can support. The range is from 1 to 32, and the default is 16 routes.

Step 4

exit

Return to global configuration mode.

Step 5

interface interface-id

Enter interface configuration mode, and specify the Layer 3 interface to configure.

Step 6

ipv6 rip name enable

Enable the specified IPv6 RIP routing process on the interface.

Step 7

ipv6 rip name default-information { only | originate }

(Optional) Originate the IPv6 default route (::/0) into the RIP routing process updates sent from the specified interface.

Note To avoid routing loops after the IPv6 default route (::/0) is originated from any interface, the routing process ignores all default routes received on any interface.

  • only —Select to originate the default route, but suppress all other routes in the updates sent on this interface.
  • originate —Select to originate the default route in addition to all other routes in the updates sent on this interface.

Step 8

end

Return to privileged EXEC mode.

Step 9

show ipv6 rip [ name ] [ database ] [ next-hops ]

or

show ipv6 route rip [ updated ]

Display information about IPv6 RIP processes.

Display the contents of the IPv6 routing table.

Step 10

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Updates for the Command Reference

For the duplex command, this information in the “Defaults” section is incorrect:

The default is auto.

This is the correct default information:

The default is auto for Fast Ethernet and Gigabit Ethernet ports.

The default is full for the 1000BASE-x (where x is -LX/LH, -SX, -T, and -ZX) GBIC module.

This information is added to the “Usage Guidelines” section:

A Gigabit Ethernet switch interface can operate in half-duplex mode if the duplex mode on the switch is auto, a Gigastack GBIC is in the module slot, and a device is connected to the switch through the GBIC.

Other documentation updates for the command reference are in the latest version of the book at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/command/reference/cr.html

Updates for the System Message Guide

New Messages

Error Message IFMGR-3-IFINDEX_PERSIST_ENTRY_CORRUPT: [chars] seems to be corrupted. Trying to read [dec] size

Explanation The ifIndex table is corrupted. [chars] is the path to the IfIndex file, and [dec] is the number of bytes that was being read from the ifIndex table when the corruption was detected.

Recommended Action Delete the ifindex table.

Error Message IFMGR-3-INVALID_PERSISTENT_DATA: Invalid persistent data

Explanation The interface manager attempts to write invalid persistent data.

Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco’s authorization. This product may contain software that was copied in violation of Cisco’s license terms. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco’s Technical Assistance Center for more information.

Explanation A license authentication failure occurred for the switch.

Recommended Action Contact your Cisco sales representative for assistance.

Error Message ILET-1-DEVICE_AUTHENTICATION_FAIL: The [chars] inserted in this switch may not have been manufactured by Cisco or with Cisco's authorization. If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet. Please contact Cisco's Technical Assistance Center for more information.

Explanation A license authentication failure occurred for a component that was inserted in the switch. [chars] is the component.

Recommended Action Contact your Cisco sales representative for assistance.

Error Message SCHED-3-UNEXPECTEDEVENT: [traceback] [process information] Process received unknown event (maj [hex], min [hex])

Explanation A process did not handle an event. The first [hex] is the major event number, and the second [hex] is the minor event number, both of which allow you to identify the event that occurred.

Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Modified Messages

Error Message HARDWARE-3-ASICNUM_ERROR: [traceback] Port-ASIC number [dec] is invalid

Explanation The port ASIC number is invalid. [dec] is the port ASIC number.

Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message HARDWARE-3-PORTNUM_ERROR: [traceback] port number [dec] is invalid

Explanation The port number is out of range. [dec] is the port number.

Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Error Message SPANTREE-2-BLOCK_BPDUGUARD_VP: Received BPDU on port [chars], vlan [dec] with BPDU Guard enabled. Disabling vlan.

Explanation A BPDU was received on the interface and the VLAN specified in the error message. The spanning tree BPDU guard feature was enabled and configured to shut down the VLAN. As a result, the VLAN was placed in the error-disabled state. [chars] is the interface, and [dec] is the VLAN.

Recommended Action Either remove the device sending BPDUs, or disable the BPDU guard feature. The BPDU guard feature can be locally configured on the interface or globally configured on all ports that have Port Fast enabled. Re-enable the interface and vlan by entering the clear errdisable privileged EXEC command.

Updates for the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch

This information was added to the Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer Switch :

Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails

 


Warning



Voice over IP (VoIP) service and the emergency calling service do not function if power fails or is disrupted. After power is restored, you might have to reset or reconfigure equipment to regain access to VoIP and the emergency calling service. In the USA, this emergency number is 911. You need to be aware of the emergency number in your country. Statement 361

Waarschuwing

Voice over IP (VoIP)-service en de service voor noodoproepen werken niet indien er een stroomstoring is. Nadat de stroomtoevoer is hersteld, dient u wellicht de configuratie van uw apparatuur opnieuw in te stellen om opnieuw toegang te krijgen tot VoIP en de noodoproepen. In de VS is het nummer voor noodoproepen 911. U dient u zelf op de hoogte te stellen van het nummer voor noodoproepen in uw land.

Varoitus

Voice over IP (VoIP) -palvelu ja hätäpuhelupalvelu eivät toimi, jos virta katkeaa tai sen syötössä esiintyy häiriöitä. Kun virransyöttö on taas normaali, sinun täytyy mahdollisesti asettaa tai määrittää laitteisto uudelleen, jotta voisit jälleen käyttää VoIP-palvelua ja hätäpuhelupalvelua. Yhdysvalloissa hätänumero on 911. Selvitä, mikä on omassa kotimaassasi käytössä oleva hätänumero.

Attention

Le service Voice over IP (VoIP) et le service d’appels d’urgence ne fonctionnent pas en cas de panne de courant. Une fois que le courant est rétabli, vous devrez peut-être réinitialiser ou reconfigurer le système pour accéder de nouveau au service VoIP et à celui des appels d’urgence. Aux États-Unis, le numéro des services d’urgence est le 911. Vous devez connaître le numéro d’appel d'urgence en vigueur dans votre pays.

Warnung

Bei einem Stromausfall oder eingeschränkter Stromversorgung funktionieren VoIP-Dienst und Notruf nicht. Sobald die Stromversorgung wieder hergestellt ist, müssen Sie möglicherweise die Geräte zurücksetzen oder neu konfigurieren, um den Zugang zu VoIP und Notruf wieder herzustellen. Die Notrufnummer in den USA lautet 911. Wählen Sie im Notfall die für Ihr Land vorgesehene Notrufnummer.

Avvertenza

Il servizio Voice over IP (VoIP) e il servizio per le chiamate di emergenza non funzionano in caso di interruzione dell'alimentazione. Ristabilita l'alimentazione, potrebbe essere necessario reimpostare o riconfigurare l'attrezzatura per ottenere nuovamente l'accesso al servizio VoIP e al servizio per le chiamate di emergenza. Negli Stati Uniti, il numero di emergenza è 911. Si consiglia di individuare il numero di emergenza del proprio Paese.

Advarsel

Tjenesten Voice over IP (VoIP) og nødanropstjenesten fungerer ikke ved strømbrudd. Etter at strømmen har kommet tilbake, må du kanskje nullstille eller konfigurere utstyret på nytt for å få tilgang til VoIP og nødanropstjenesten. I USA er dette nødnummeret 911. Du må vite hva nødnummeret er i ditt land.

Aviso

O serviço Voice over IP (VoIP) e o serviço de chamadas de emergência não funcionam se houver um corte de energia. Depois do fornecimento de energia ser restabelecido, poderá ser necessário reiniciar ou reconfigurar o equipamento para voltar a utilizar os serviços VoIP ou chamadas de emergência. Nos EUA, o número de emergência é o 911. É importante que saiba qual o número de emergência no seu país.

¡Advertencia!

El servicio de voz sobre IP (VoIP) y el de llamadas de emergencia no funcionan si se interrumpe el suministro de energía. Tras recuperar el suministro es posible que deba que restablecer o volver a configurar el equipo para tener acceso a los servicios de VoIP y de llamadas de emergencia. En Estados Unidos el número de emergencia es el 911. Asegúrese de obtener el número de emergencia en su país.

Varning!

Tjänsten Voice over IP (VoIP) och larmnummertjänsten fungerar inte vid strömavbrott. Efter att strömmen kommit tillbaka måste du kanske återställa eller konfigurera om utrustningen för att få tillgång till VoIP och larmnummertjänsten. I USA är det här larmnumret 911. Du bör ta reda på det larmnummer som gäller i ditt land.

 

 

 

 

 

 

 


 

Update to the Hardware Installation Guide

The “Connectors and Cables” appendix incorrectly refers to a crossover cable as a rollover cable. This is the correct information:

You can identify a crossover cable by comparing the two modular cable ends. Hold the cable ends side-by-side, with the tab at the back, right plug, as shown in Figure 1.

Figure 1 Identifying a Crossover Cable

 

 

1

Pin 1

2

Pin 9

On a crossover cable, the wire connected to the pin on the outside of the left plug should be the same color as the wire connected to the pin on the outside of the right plug.

Update to the Getting Start Guide

When you launch Express Setup, you are prompted for the switch password. Enter the default password, cisco . The switch ignores text in the username field. Before you complete and exit Express Setup, you must change the password from the default password, cisco .

Related Documentation

These documents provide complete information about the switch:
http://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.html

  • Catalyst 3550 Multilayer Switch Software Configuration Guide
  • Catalyst 3550 Multilayer Switch Command Reference
  • Catalyst 3750, 3560, 3550, 2970, and 2960 Switch System Message Guide
  • Catalyst 3550 Multilayer Switch Hardware Installation Guide

Catalyst 3550 Switch Getting Started Guide

  • Regulatory Compliance and Safety Information for the Catalyst 3550 Switch

For information about other related products, see these documents:

  • Getting Started with Cisco Network Assistant
  • Release Notes for Cisco Network Assistant
  • 1000BASE-T Gigabit Interface Converter Installation Note
  • Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide
  • Network Admission Control Software Configuration Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html