Guest

Cisco Catalyst 3560 Series Switches

Release Notes for the Catalyst 3560 Switch, Cisco IOS Release 12.1(19)EA1b (Rev. 4/04 and 6/04)

  • Viewing Options

  • PDF (416.8 KB)
  • Feedback
Release Notes for the Catalyst 3560 Switches Cisco IOS Release 12.1(19)EA1b

Table Of Contents

Release Notes for the Catalyst 3560 Switches
Cisco IOS Release 12.1(19)EA1b

Contents

System Requirements

Hardware Supported

Software Compatibility

Windows

Cluster Compatibility

Downloading Software

Finding the Software Version and Feature Set

Deciding Which Files to Use

Upgrading a Switch by Using CMS

Upgrading a Switch by Using the CLI

Recovering from a Software Failure

Installation Notes

Catalyst 3560 Features

Limitations and Restrictions

Cisco IOS Limitations and Restrictions

Cluster Limitations and Restrictions

CMS Limitations and Restrictions

Important Notes

Cisco IOS Notes

CMS Notes

Open Caveats

Open Cisco IOS Caveats

Open CMS Caveats

Resolved Caveats

Corrections to the Software Documentation

Related Documentation

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco TAC Website

Opening a TAC Case

TAC Case Priority Definitions

Obtaining Additional Publications and Information


Release Notes for the Catalyst 3560 Switches
Cisco IOS Release 12.1(19)EA1b


April 21, 2004 and June 18, 2004

The Cisco IOS Release 12.1(19)EA1b runs on all Catalyst 3560 switches.

These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch by referring to the Cisco IOS release label on the rear panel of your switch. If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.

For the complete list of Catalyst 3560 switch documentation, see the "Related Documentation" section.

You can download the switch software from these sites:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

(for registered Cisco.com users with a login password)

http://www.cisco.com/public/sw-center/sw-lan.shtml

(for nonregistered Cisco.com users)

This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.

Contents

This information is in the release notes:

"System Requirements" section

"Downloading Software" section

"Installation Notes" section

"Catalyst 3560 Features" section

"Limitations and Restrictions" section

"Important Notes" section

"Open Caveats" section

"Resolved Caveats" section

"Corrections to the Software Documentation" section

"Related Documentation" section

"Obtaining Documentation" section

"Obtaining Technical Assistance" section

System Requirements

The system requirements are described in these sections:

"Hardware Supported" section

"Software Compatibility" section

"Cluster Compatibility" section

Hardware Supported

Table 1 lists the hardware supported by this software release.

Table 1 Supported Hardware 

Switch
Description

Catalyst 3560-24PS

24 10/100 Power over Ethernet (PoE) ports and 2 SFP1 module slots

Catalyst 3560-48PS

48 10/100 PoE ports and 4 SFP module slots

SFP modules

1000BASE-T, 1000BASE-SX, 1000BASE-LX, 1000BASE-ZX, and CWDM2

Redundant power system

Cisco RPS 675 Redundant Power System

1 Small form-factor pluggable

2 Coarse Wavelength-Division Multiplexing


Software Compatibility

For hardware requirements and for operating system and browser recommendations for running CMS, refer to the "Getting Started with CMS" chapter of the software configuration guide.

You need to install a browser plug-in to run CMS from Windows and Solaris.

Windows

CMS requires a plug-in to run on Windows. You can download the latest plug-in from this URL:

http://cco.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=windows&version=1.0

The plug-in includes a console window that you can use to troubleshoot CMS or to view the CLI commands from CMS on Windows. When CMS is running, press F2 to display or to hide the CMS console. Press F3 to display or to hide the CLI commands that CMS is sending.


Note If you need to both upgrade your web browser and install the CMS plug-in, you must upgrade your browser first. If you install the CMS plug-in and then upgrade your browser, the plug-in is not registered with the new browser.



Note Do not install the CMS plug-in on Solaris.


Solaris

You must use the Java 1.4.1-02 plug-in to run CMS on Solaris. You can download this plug-in from this URL:

www.cisco.com/public/sw-center/lan/java/1.4.1-02.html

To see the Installation Notes for this plug-in, click View next to Installation Instructions in the JRE column. Click Download in the JRE column to download the plug-in for Solaris.

Cluster Compatibility

This section describes how to choose command and standby command switches when a cluster consists of a mixture of Catalyst switches. When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch. Table 2 lists the cluster capabilities and Cisco IOS releases for the switches. The switches are listed from highest- to lowest-end switch.

If you are managing the cluster through CMS, the switch that has the latest software should be the command switch, unless your command switch is running Cisco IOS Release 12.1(19)EA1 or later.

The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

Table 2 Switch Software and Cluster Capability 

Switch
Cisco IOS Release
Cluster Capability

Catalyst 3750

12.1(11)AX or later

Member or command switch

Catalyst 3560

12.1(19)EA1b

Member or command switch

Catalyst 3550

12.1(4)EA1 or later

Member or command switch

Catalyst 2970

12.1(11)AX or later

Member or command switch

Catalyst 2955

12.1(12c)EA1 or later

Member or command switch

Catalyst 2950

12.1(5.2)WC(1) or later

Member or command switch

Catalyst 2950 LRE

12.1(11)JY or later

Member or command switch

Catalyst 2940

12.1(13)AY or later

Member or command switch

Catalyst 3500 XL

12.0(5.1)XU or later

Member or command switch

Catalyst 2900 XL (8-MB switches)

12.0(5.1)XU or later

Member or command switch

Catalyst 2900 XL (4-MB switches)

11.2(8.5)SA6 (recommended)

Member switch only1

Catalyst 1900 and 2820

9.00(-A or -EN) or later

Member switch only

1 Catalyst 2900 XL (4-MB) switches appear in the front-panel and topology views of the Cluster Management Suite (CMS). However, CMS does not support configuration or monitoring of these switches.


CMS is not forward-compatible on command switches running Cisco IOS 12.1(14)EA1 and earlier. This means that if a member switch is running a release that is earlier than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device running a release that is later than the release on the command switch, the command switch cannot recognize the member switch, and the Front Panel view displays it as an unknown device. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to configure and to obtain reports for that member.

If you have a cluster with switches that are running different versions of Cisco IOS software, software features added on the latest release might not be reflected on switches running the older releases. For example, if you start CMS on a Catalyst 2900 XL switch running Cisco IOS Release 11.2(8)SA6, the windows and functionality can be different from a switch running Cisco IOS Release 12.0(5)WC(1) or later.

Some early Cisco IOS Releases, such as 11.2(8)SA5 or earlier, do not support clustering.

For more information about clustering and CMS, refer to the software configuration guide.

Downloading Software

These are the procedures for downloading software:

"Finding the Software Version and Feature Set" section

"Deciding Which Files to Use" section

"Upgrading a Switch by Using CMS" section

"Upgrading a Switch by Using the CLI" section

"Recovering from a Software Failure" section


Note Before downloading software, read this section for important information.


Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3560-I5-M for the enhanced multilayer image (EMI) or C3560-I9-M for the standard multilayer software image (SMI).


Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration (SMI or EMI) and does not change if you upgrade the software image.


You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the CMS software. You must use the combined tar file to upgrade the switch through CMS. To upgrade the switch through the CLI, use the tar file and the archive download-sw privileged EXEC command.

Table 3 lists the software filenames for this software release.

Table 3 Cisco IOS Software Image Files for Catalyst 3560 Switches 

Filename

Description

c3560-i9-tar.121-19.EA1b.tar

Cisco IOS SMI image file and CMS files.
This image has Layer 2+ and basic Layer 3 routing features.

c3560-i5-tar.121-19.EA1b.tar

Cisco IOS EMI image file and CMS files.
This image has both Layer 2+ and full Layer 3 routing features.

c3560-i9k2-tar.121-19.EA1b.tar

Cisco IOS SMI cryptographic image file and CMS files.
This image has the Kerberos, SSH, and Layer 2+, and basic Layer 3 routing features.

c3560-i5k2-tar.121-19.EA1b.tar

Cisco IOS EMI cyrptographic image file and CMS files.
This image has the Kerberos, SSH, Layer 2+, and full Layer 3 features.


Upgrading a Switch by Using CMS

You can upgrade switch software by using CMS. From the feature bar, select Administration > Software Upgrade. For detailed instructions, click Help.

Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the Catalyst 3560 switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

To download software, follow these steps:


Step 1 Use Table 3 to identify the file that you want to download.

Step 2 Download the software image file.

If you have a SmartNet support contract, go to this URL, and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

If you do not have a SmartNet contract, go to this URL, and follow the instructions to register on Cisco.com and download the appropriate files:

http://www.cisco.com/public/sw-center/sw-lan.shtml

To download the SMI and EMI files, select Catalyst 3560 software.

To obtain authorization and to download the cyrptographic software files, select Catalyst 3560 3DES Cryptographic Software.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.

For more information, refer to Appendix B in the software configuration guide for this release.

Step 4 Log into the switch through the console port or a Telnet session.

Step 5 Ensure that you have IP connectivity to the TFTP server by using this privileged EXEC command:

Switch# ping tftp-server-address

For more information about assigning an IP address and default gateway to the switch, refer to the Catalyst 3560 Switch Software Configuration Guide.

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3560-i9-tar.121-19.EA1.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.


Recovering from a Software Failure

For detailed recovery procedures, refer to the "Troubleshooting" chapter in the software configuration guide for this release.

Installation Notes

You can assign IP information to your switch by using these methods:

The Express Setup program (Refer to the Catalyst 3560 Switch Hardware Installation Guide.)

The CLI-based setup program (Refer to the Catalyst 3560 Switch Hardware Installation Guide.)

The Dynamic Host Configuration Protocol (DHCP)-based autoconfiguration (Refer to the Catalyst 3560 Switch Software Configuration Guide.)

Manually assigning an IP address (Refer to the Catalyst 3560 Switch Software Configuration Guide.)

Catalyst 3560 Features

This is the first release of the Catalyst 3560 switch. For a list of all supported hardware, see the "Hardware Supported" section.

Cisco IOS Release 12.1(19)EA1b contains these features:

Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from all 10/100 Ethernet ports if the switch detects that there is no power on the circuit.

24-port PoE switch provides 15.4 W of power on each 10/100 port; 48-port PoE switch provides 15.4 W of power to any 24 of the 48 10/100 ports, or any combination of ports provide an average of 7.7 W of power at the same time, up to maximum switch power output of 370 W.

Automatic detection and power budgeting; the switch maintains a power budget, monitors and tracks requests for power, and grants power only when it is available.

DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts.

DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.

Internet Group Management Protocol (IGMP) snooping for IGMP version 3 to limit the flooding of multicast traffic.

IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table.

IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices (supported only for IGMPv1 or IGMPv2 queries).

Unicast MAC filtering to drop packets with specific source or destination MAC addresses.

Support for the SSHv2 server application.

Support for an egress priority queue that must be empty before the other three queues are serviced.


Note In the software documentation, IP refers to IP version 4 (IPv4).


CMS support for these features:

The option to install CMS to your computer rather than to download it from the cluster every time you start a CMS session.


Note CMS is downloaded to your browser each time you launch CMS. You can increase the speed at which CMS loads by permanently installing CMS on your PC or workstation. Select CMS > Installation and Distributions, and click Install. CMS is installed locally and will load faster the next time that you launch it.


A feature bar, which offers networking features to configure and reports, graphs, and statistics to display. These options were previously on the menu bar, which is now dedicated to CMS service options. You can choose features from menus on the Features tab or search for them on the Search tab.

Device-specific online help. Help topics appear below labels that name the devices to which the information applies. Topics appear only for the networking features in the cluster.

This release uses a CMS plug-in (Windows only) that replaces the Java plug-in.


Note You must download the latest CMS plug-in to run CMS for this release.


You can download the latest plug-in from this URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/CMS-Plug-In-Win-1-0

The CMS plug-in includes a console window that you can use for troubleshooting. For more information, see the "Corrections to the Software Documentation" section.

For more information about new CMS features, click Help > What's New from the online help.

For a detailed list of key features for this software release, refer to the Catalyst 3560 Switch Software Configuration Guide.

Limitations and Restrictions

You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

These sections describe the limitations and restrictions:

"Cisco IOS Limitations and Restrictions" section

"Cluster Limitations and Restrictions" section

"CMS Limitations and Restrictions" section

Cisco IOS Limitations and Restrictions

These limitations apply to Cisco IOS configuration:

The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.

Non-reverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the group in the VLAN, but it is a member of the group in some other VLAN. Because unnecessary traffic is sent on the trunk port, it needlessly reduces the bandwidth of the port. There is no workaround for this problem because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member on a trunk port in at least one VLAN, this problem for the non-RPF traffic occurs. (CSCdu25219)

If a bridge group contains a VLAN that has a static MAC address configured, all non-IP traffic in the bridge group with this MAC address destination is sent to all ports in the bridge group. The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)

If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number specified with the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise. The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)

An egress SPAN copy of routed unicast traffic might show an incorrect destination MAC address on both local and remote SPAN sessions. This limitation does not apply to bridged packets. The workaround for local SPAN is to use the replicate option. For a remote SPAN session, there is no workaround. This is a hardware limitation. (CSCdy72835)

Egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For remote SPAN packets, the source MAC address should be the MAC address of the egress VLAN, but instead the packet shows the MAC address of the remote SPAN (RSPAN) VLAN. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used. This limitation does not apply to bridged packets. The workaround is to use the encapsulate replicate keywords in the monitor session global configuration command. Otherwise, there is no workaround. This is a hardware limitation. (CSCdy81521)

IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port. There is no workaround. (CSCdy82818)

A static IP address might be removed when the previously acquired Dynamic Host Configuration Protocol (DHCP) IP address lease expires.

This problem occurs under these conditions:

When the switch is booted without a configuration (no config.text file in flash memory).

When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).

When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.

The workaround is to reconfigure the static IP address. (CSCea71176)

The switch treats frames received with mixed encapsulation (802.1Q and Inter-Switch Link [ISL]) as frames with FCS errors, increments the error counters, and causes the LED to blink amber. This happens when an ISL-unaware device receives an ISL-encapsulated packet and forwards the frame to an 802.1Q trunk interface. There is no workaround. (CSCdz33708)

IP-option software-forwarded traffic is sometimes leaked unnecessarily on a trunk port. Suppose the trunk port in question is member of an IP multicast group in VLAN X, but it is not a member in VLAN Y. In VLAN Y, there is another port that has membership to the group, and VLAN Y is the output interface for the multicast route entry corresponding to the group. IP options traffic received on an input interface VLAN (other than VLAN Y) is unnecessarily sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y (even though the port has no group membership in VLAN Y). There is no workaround. (CSCdz42909)

Known unicast (secured addresses) are flooded within a bridge group under these conditions: If secure addresses are learned or configured on a port and the VLAN on this port is part of a bridge group, non-IP traffic destined to the secure addresses is flooded within the bridge group. The workaround is to disable fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. Another workaround is to disable port security on all ports in all VLANs participating in fallback bridging by using the no switchport port-security interface configuration command. (CSCdz80499)

When you use the ip access-group interface configuration command with a router access-control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN regardless of IGMP group membership in the VLAN. This provides reachability to directly connected clients, if any, in the VLAN. The workaround is to not apply a router ACL set to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)

SNAP-encapsulated IP packets are dropped without an error message being reported at the interface. The switch does not support SNAP-encapsulated IP packets. There is no workaround. (CSCdz89142)

The switch does not create an adjacency table entry when the ARP timeout value is 15 seconds and the ARP request times out.

The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)

A route map that contains an ACL with a DSCP clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and sends an error message that the route map is unsupported. There is no workaround. (CSCea52915)

During periods of very high traffic, when two RSPAN source sessions are configured, the VLAN ID of packets in one RSPAN session might overwrite the VLAN ID of the other RSPAN session. If this occurs, packets intended for one RSPAN VLAN are incorrectly sent to the other RSPAN VLAN. This problem does not affect RSPAN destination sessions. The workaround is to configure only one RSPAN source session. (CSCea72326)

Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than 10 to avoid disabling the queue. The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)

When an IP phone is connected to the switch, the Port VLAN ID (PVID) and the Voice VLAN ID (VVID) both learn its MAC address. However, after dynamic MAC addresses are deleted, only the VVID relearns the phone MAC address. MAC addresses are deleted manually or automatically for a topology change or when port security or an 802.1X feature is enabled or disabled. There is no workaround. (CSCea80105)

After changing the access VLAN on a port that has 802.1X enabled, the IP phone address is removed. Because learning is restricted on 802.1X capable ports, it takes approximately 30 seconds before the address is relearned. No workaround is necessary. (CSCea85312)

The egress SPAN data rate might degrade when fallback bridging or multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can egress SPAN up to 40,000 packets per second (64-byte packets). As long as the total traffic being monitored is below this limit, there is no degradation. However, if the traffic being monitored exceeds the limit, only a portion of the source stream is spanned. When this occurs, the following console message appears: Decreased egress SPAN rate. In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If fallback bridging and multicast routing are disabled, egress SPAN is not degraded. There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)

If a 10/100BASE-T port configured for forced 100 mbps full-duplex mode is connected to a link partner that is auto-negotiating, the link partner comes up in 100 mbps full-duplex mode. However, if the same link partner is connected to a Gigabit port configured for forced 100 mbps full-duplex mode, the link comes up in 100 mbps half-duplex mode. The reason for this inconsistent behavior is that the 10/100 port auto-negotiates even if both speed and duplex mode are fixed, whereas the Gigabit port does not. This is a hardware limitation. No workaround is necessary. (CSCeb14068)

On Catalyst 3750 switches running Cisco IOS 12.1(14)EA1 software and later, some IGMP report and query packets with IP options might not be ingress-spanned. Packets that are susceptible to this problem are IGMP packets containing 4 bytes of IP options (IP header length of 24). An example of such packets would be IGMP reports and queries having the router alert IP option. Ingress-spanning of such packets is not accurate and can vary with traffic rate. Typically, very few or none of these packets are spanned. There is no workaround. (CSCeb23352)

If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail. The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)

When the rate of received DHCP requests exceeds 2,000 packets per minute for a long time, the response time might be slow when you are using the console. The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)

If an IGMP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:

If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.

If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.

There is no workaround. (CSCec20128)

For trunk ports or access ports configured with 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command. Valid 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber and the frames are not counted on the interface statistics. There is no workaround. (CSCec35100).

Cluster Limitations and Restrictions

These limitations apply to cluster configuration:

When there is a transition from the cluster active command switch to the standby command switch, Catalyst 1900, 2820, and 2900 4-MB switches that are cluster members might lose their cluster configuration. You must manually add these switches back to the cluster.
(CSCds32517, CSCds44529, CSCds55711, CSCds55787, CSCdt70872)

When a Catalyst 2900 XL or Catalyst 3500 XL cluster command switch is connected to a Catalyst 3550, a 3560, or a 3750 switch, the command switch does not find any cluster candidates beyond the Catalyst 3550, the 3560, or the 3750 switch if it is not a member of the cluster. You must add the Catalyst 3550, the 3560, or the 3750 switch to the cluster. You can then see any cluster candidates connected to it. (CSCdt09918)

If both the active command-switch and the standby command switch fail at the same time, the cluster is not automatically recreated. Even if there is a third passive command switch, it might not recreate all cluster members because it might not have all the latest cluster configuration information. You must manually recreate the cluster if both the active and standby command switches simultaneously fail. (CSCdt43501)

CMS Limitations and Restrictions

These limitations apply to CMS configuration:

Host names and Domain Name System (DNS) server names that contain commas on a cluster command switch, member switch, or candidate switch can cause CMS to behave unexpectedly. You can avoid this instability in the interface by not using commas in host names or DNS names. Do not enter commas when entering multiple DNS names in the IP Configuration tab of the IP Management window in CMS.

Access control entries (ACEs) that contain the host keyword precede all other ACEs in standard access control lists (ACLs). You can reposition the ACEs in a standard ACL with one restriction: No ACE with the any keyword or a wildcard mask can precede an ACE with the host keyword.

CMS performance degrades if the Topology View is open for several hours on a Solaris machine. The cause might be a memory leak. The workaround is to close the browser, reopen it, and launch CMS again. (CSCds29230)

If you are printing a Topology View or Front Panel View that contains many devices and are running Solaris 2.6 with JDK1.2.2, you might get an Out of Memory error message. The workaround is to close the browser, re-open it, and launch CMS again. Before you perform any other task, bring up the view that you want to print, and click Print in the CMS menu. (CSCds80920)

CMS fails when a switch is running the cyrptographic software image and the vty lines have been configured to use only secure shell (SSH) using the transport input ssh and line vty 0 15 global configuration commands. The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration commands (CSCdz01037).

When you add a new member with a username and password that is different from the existing cluster members' username and password, CMS produces an exception error because of an authentication failure. The workaround is to add the new member without any username and password. When the new member is added to the cluster, remove the existing username and password from the Username and Password fields, enter a new username and password, and then apply it to all cluster members. (CSCdz07957)

When the Link Graphs application has run for hours displaying packet drop and error information, sometimes the X-axis crosses the Y-axis at a negative y value instead of at y = 0. This condition occurs with all supported operating systems, browsers, and Java plug-ins. There is no workaround. (CSCdz32584)

The SNMP dialog box changes size after you click Apply or Refresh. This behavior has no affect on SNMP functionality. There is no workaround. (CSCdz84255)

When you enable log scaling for link graphs, the Y-axis scale becomes illegible. There is no workaround. (CSCdz81086)

The CMS window does not return to full size after you resize elements when using Netscape version 6.xx on Solaris and Linux. This is a Netscape browser problem. There is no workaround. (CSCea01179)

CMS files that are downloaded from the switch to the local client machine are not cached on the local drive. As the result. the CMS files are downloaded every time CMS is invoked. There is no workaround. (CSCea26211)

CMS sometimes halts after you click Apply when using Netscape 4.7 on the Japanese version of Windows 98 or Windows ME. The workaround is to use Microsoft Internet Explorer or Netscape 6.0 or later. (CSCea27408)

The icons on the CMS menu toolbar become blank. This can happen when you unlock the PC with CMS running or interrupt the in-display screen saver. The workaround is to resize the CMS browser window so that the screen refreshes. (CSCea80753)

Changing the password or current authentication while CMS is running causes HTTP requests to fail. The workaround is to close all browser sessions and then relaunch CMS. (CSCeb33995)

Running pop-up blocking software with a browser prevents CMS from loading. The workaround is to disable the pop-up blocking software before launching CMS. (CSCec24615)

Important Notes

These sections describe the important notes related to this software release:

"Cisco IOS Notes" section

"CMS Notes" section

Cisco IOS Notes

This note applies to Cisco IOS software:

The 802.1X feature in Cisco IOS Release 12.1(19)EA1b is not fully backward-compatible with the same feature in earlier Cisco IOS releases. If you are copying the 802.1X configuration from another switch running Cisco IOS 12.1(14)EA1 or earlier, you must re-enable 801.1X on the switch by using the dot1x system-auth-control global configuration command. This global command does not exist in Cisco IOS Release 12.1(14)EA1 or earlier. Failure to re-enable 801.1X weakens security because some hosts can then access the network without authentication.

CMS Notes

These notes apply to CMS configuration:

If you use CMS on Windows 2000, it might not apply configuration changes if you change the enable password from the CLI during your CMS session. You have to restart CMS and enter the new password when prompted. Platforms other than Windows 2000 prompt you for the new enable password when it is changed.

CMS does not display QoS classes that are created through the CLI if these classes have multiple match statements. When using CMS, you cannot create classes that match more than one match statement. CMS does not display policies that have such classes.

If you use Internet Explorer 5.5 and select a URL with a nonstandard port at the end of the address (such as www.add.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch CMS.

Within an ACL, you can change the sequence of ACEs that have the host keyword. However, because such ACEs are independent from each other, the change has no effect on the way the ACL filters traffic.

If you use the Netscape browser to view the CMS GUI and you resize the browser window while CMS is initializing, CMS does not resize to fit the window.

Resize the browser window again when CMS is not busy.

In the Front Panel view or the Topology view, CMS does not display error messages in read-only mode for these switches:

Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier

Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier

Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier

In the Front Panel view, if the switch is running one of the previously listed software releases, the device LEDs do not appear. In the Topology view, if the member is a Long-Reach Ethernet (LRE) switch, the customer premises equipment (CPE) connected to the switch does not appear. The Bandwidth and Link graphs also do not appear in these views.

To view switch information, you need to upgrade the member switch software. For information about upgrading switch software, see the "Downloading Software" section.

Open Caveats

These sections describe the open caveats with possible unexpected activity in this software release:

"Open Cisco IOS Caveats" section

"Open CMS Caveats" section

Open Cisco IOS Caveats

These are the severity 3 Cisco IOS configuration caveats:

CSCdz30046

When multicast VLAN registration (MVR) groups are added or deleted, the receiver port that joined the groups after the addition still receives traffic even after the group is deleted. The correct behavior is that MVR data traffic to the group should stop flowing to the receiver port immediately after the no mvr group ip-address global configuration command is entered.

The workaround is to disable MVR by using the no mvr global configuration command and then to re-enable it by using the mvr command. Add and delete the groups that have problems by using the mvr group ip-address and the no mvr group ip-address global configuration commands.

CSCeb35422

On a voice VLAN port with both 802.1X and port security enabled, dynamic secure addresses might not get deleted when the port is changed from multihost mode to single-host mode. This means that addresses learned in the multihost mode are still allowed after changing to single-host mode. This problem occurs under the following conditions:

The port is in authorized state.

The port learns the MAC address of multiple hosts.

VLAN assignment is not enabled for the authorized host.

The workaround is to disable and then re-enable port security on the port.

CSCeb42949

The switch does not work with the User Registration Tool (URT). The PC attempting to connect to the network can log in successfully, but is not allowed to pass traffic after the port is moved to the user VLAN. The MAC address for that device shows BLOCKED.

There is no workaround.

CSCeb49472

Although it is visible in the command-line help string, the source-only-learning keyword is not supported. The igmp snooping report-suppression feature also does not work.

There is no workaround.

CSCeb67510

When both the sharing and shaping weights are enabled, the receiving rates might not follow the shared bandwidth weight if the priority queue is enabled on the egress queue.

The workaround is to use lower values of the shaped and shared weights for queues other than the first queue when the egress priority queue is enabled and if shaping in other queues is required.

CSCeb67937

When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped.

CSCeb75366

When IP Protocol-Independent Multicast (PIM) is enabled on a tunnel interface, the switch incorrectly displays the Multicast is not supported on tunnel interfaces error message. IP PIM is supported on tunnel interfaces.

There is no workaround.

CSCeb81842

For an interface, if the voice VLAN and the access VLAN are assigned to different VLANs and the access VLAN enters a suspended state, the IP phones do not work.

The workaround is to reset the access VLAN to the active state.

CSCec05769

If the system jumbo frame size is configured by using the system mtu jumbo global configuration command, the switch does not consistently forward routed IP packets between 1518 and 2016 bytes. These packets might be forwarded or dropped.

There is no workaround.

CSCec07637

When an ACL that denies packets is configured on an ingress or an egress interface, the CPU usage might be as high as 70 percent because these packets are forwarded to the CPU to determine if an ICMP-unreachable packet should be generated.

There is no workaround.

CSCec11048

When a configured secure MAC address exists on an interface, you cannot change it to a sticky MAC address. Alternatively, if a sticky MAC address exists on an interface, you cannot change it to a secure MAC address.

The workaround is to remove the configured secure or sticky MAC address by using the no switchport port-security mac-address mac-address or the no switchport port-security mac-address sticky mac-address interface configuration command before reconfiguring the port.

CSCec12147

When the CISCO-STP-EXTENSIONS-MIB is polled, unknown indexes could be returned for some MIB objects.

The workaround is to remove all port-channel configuration information.

CSCec21040

When an 802.1X- enabled port is authenticated with a RADIUS-assigned VLAN, the port is shut down or the link is removed, and a traceback message appears.

There is no workaround.

CSCec21320

After a link is up, a switch sends three EAP-Request/Identity messages to the client. There is a 30-second gap between messages. However, PCs that are running Windows XP or Windows 2000 drop the first message so that the second message that the client receives appears to be the first, which is at least 30 seconds after the link is up. Therefore, a user does not see a password window until at least 30 seconds after the link is up.

There is no workaround.

CSCec22431

During the SNMP polling of the VlanTrunkPortTable table in the CISCO-VTP-MIB, Telnet and ping traffic might be disrupted.

The workaround is to not poll the CISCO-VTP-MIB.

CSCec22572

If per-user access control lists (ACLs) are downloaded from a RADIUS server after successful 802.1X authentication, disabling 802.1X does not remove the attached per-user ACLS from the interface.

The workaround is to enter the shutdown and no shutdown interface configuration commands to remove the ACLs.

CSCec22610

When a port has port security enabled and the port is changed from a trunk port to an access port, the switch might fail.

The workaround is to disable port security before changing the trunk port to an access port.

CSCec27421

If QoS is enabled and the trust state is not configured on an ingress interface, mapping the CoS or DSCP values to the ingress or egress queues does not take effect when you enter the mls qos srr-queue input {cos-map | dscp-map} or the mls qos srr-queue output {cos-map | dscp-map} command.

The workaround is to configure the trust state on the ingress interface by using the mls qos trust {cos | dscp} interface configuration command and then map the CoS or DSCP values to the ingress or egress queues.

CSCec29970

If you change the input priority queue for queue 2 by using the mls qos srr-queue input priority-queue 2 bandwidth global configuration command, the configurations that are generated contain an extra input keyword such as mls qos srr-queue input priority-queue input 2 bandwidth. This extra keyword causes an error message if the command is saved and the switch is reloaded.

This is the workaround:

1. Copy the config.text file to a PC or terminal.

2. Edit the config.text file, and remove the extra input keyword.

3. Copy the file back to your switch.

4. Reload the switch.

CSCec31436

When there are many configured secure and sticky MAC addresses on a port, some addresses might be dropped and removed from the configuration when the switch restarts.

There is no workaround.

CSCec32453

When you configure a unicast MAC address filter that matches a Windows XP 802.1X client MAC address, the switch sends an authentication succeed EAPOL packet to the client followed by an authentication failure EAPOL packet. The Windows XP 802.1X client continues to reauthenticate itself.

There is no workaround.

CSCec35148

If you change the policy-based routing (PBR) configuration on a switch, the processor memory might leak. If the amount of available processor memory becomes too low, the switch becomes unusable.

The workaround is to reload the switch.

CSCec60076

If Bridge Protocol Data Unit (BPDU) filtering is enabled on a trunk port and BPDUs are received on VLANs on which an STP instance is not running, the BPDUs are dropped.

There is no workaround.

CSCed09484

When a type 1 Token Ring patch cable is connected to a PoE port, these syslog messages appear every 10 seconds:

00:01:06: %ILPOWER-7-DETECT: Interface Fa1/0/1: Power Device detected: Cisco PD

00:01:06: %ILPOWER-5-POWER_GRANTED: Interface Fa1/0/1: Power granted

00:01:06: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error,

Interface Fa1/0/1: Power Controller reports power Tstart error detected

There is no workaround. However, when a valid link partner is connected to the PoE port, it operates normally and without user intervention.

Open CMS Caveats

These are the severity 3 CMS configuration caveats:

CSCeb23334

CMS does not validate configuration values for the STP port priority before applying them to the switch. When invalid values are applied, the attempt fails silently without a warning message. This applies to all switches running Cisco IOS Release 12.1 or later.

There is no workaround. Make sure that configuration values are valid.

CSCeb23416

CMS does not validate configuration values for STP port path cost before applying them to the switch. When invalid values are applied, the attempt fails silently without a warning message. This applies to all switches running Cisco IOS Release 12.1 or later.

There is no workaround. Make sure that configuration values are valid for the switch type.

CSCeb23592

CMS does not validate configuration values for STP bridge parameters before applying them to the switch. When invalid values are applied, the attempt fails silently without a warning message. This applies to all switches running Cisco IOS Release 12.1 or later.

There is no workaround. Make sure that configuration values are valid.

CSCeb38967

When CMS is operating in read-only mode, an error is reported if help is launched from the QoS Graph dialog box.

There is no workaround.

CSCeb40625

CMS does not apply shaped bandwidth weights that are invalid. Shaped weights are invalid if the sum of their reciprocals is greater than 1 and the weight of a queue is 0.

There is no workaround.

CSCec03397

The settings on the Catalyst 2950 LRE ports cannot be modified by using the Port Settings window in CMS.

There is no workaround.

CSCec09433

You cannot attach or remove an ACL from an interface when you are in guide mode.

The workaround is to use expert mode to attach or remove an ACL from an interface.

CSCec08618

When you change the Spanning Tree Protocol (STP) port priority on a switch that is running
Cisco IOS Release 12.1(19)EA1a or later, the value must range from 0 to 240 and be in an increment of 16. If you enter a value that is not an increment of 16, the configuration fails, and no error message appears.

The workaround is to enter values from 0 to 240 that are in increments of 16.

CSCec08662

If UplinkFast is enabled and you enter a value in the Path Cost field in the STP Modify Port Parameters window, 3000 is automatically added to the configured-STP cost value. For example, if the path cost is 10, the actual value is 3010. If you disable UplinkFast, the path-cost value changes to its originally configured value of 10.

There is no workaround.

CSCec16057

CMS does not recognize the CWDM SFP module on the Catalyst 2940 switches, even though the CWDM SPF module is supported by the switches.

There is no workaround.

CSCec18805

When you launch the IP Multicast wizard, multicast-enabled devices do not appear in the list of multicast-enabled devices.

There is no workaround. The wizard does not display multicast-enabled devices.

CSCec24473

When you right-click the Catalyst 3560 switch in the Front Panel view, these pop-up menu options do not appear:

The delete-cluster menu option if the Catalyst 3560 switch is a commander switch.

The remove-from cluster option if the Catalyst 3560 switch is a member switch.

The workarounds are to select these menu options from the feature bar:

Select Cluster > Delete Cluster to delete a cluster from a command switch.

Select Cluster > Remove from Cluster to remove a member switch.

CSCec34831

When you click Highlight VLAN Port Membership Modes in the VLAN window of a switch whose front panel is not displayed in Front Panel view, CMS brings the Front Panel view to the foreground, but the Front Panel view of the switch does not appear and you cannot see the highlighted ports.

Use one of these workarounds:

From the Front Panel view the cluster tree, check the box beside the switch icon so that the switch front panel appears in Front Panel view. Then click Highlight VLAN Port Membership Modes in the VLAN window. The switch front panel appears, and you can see the highlighted ports.

After you click Highlight VLAN Port Membership Modes in VLAN window, you should check the box beside the switch icon in the Front Panel view cluster tree. The switch front panel appears, and you can see the highlighted ports.

CSCec45975

When you click Previous instead of Finish in the Save Configuration window, the configuration for the interfaces is not applied to the member devices.

The workaround is to click the Finish button to apply the configuration to member devices. If you need to modify the configuration, you need to launch the configuration wizard again.

CSCec47247

The IGMP Report Window does not list all the entries in the table.

There is no workaround.

Resolved Caveats

These Cisco IOS caveats were resolved in Cisco IOS Release 12. 1(19)EA1b:

CSCdu53656

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.

Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

CSCea28131

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.

Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

CSCed27956

A vulnerability in Transmission Control Protocol specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in much shorter time then was previously publicly discussed. This can lead to a Denial of Service attack. Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated session, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (e.g., router, switch, computer) and not to the sessions that are only passing through the device (e.g., transit traffic that is being routed by a router).

All Cisco products which contain TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed38527

A vulnerability in Transmission Control Protocol specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in much shorter time then was previously publicly discussed. This can lead to a Denial of Service attack. Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated session, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (e.g., router, switch, computer) and not to the sessions that are only passing through the device (e.g., transit traffic that is being routed by a router).

All Cisco products which contain TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

Corrections to the Software Documentation

These release notes can be used with the Catalyst 3560 switch software guides, which reference Cisco IOS Release 12.1(19)EA1.

These are corrections for the "Getting Started with CMS" chapter:

The CMS plug-in includes a console window that you can use to troubleshoot CMS or to view the CLI commands from CMS.

When CMS is running, press F2 to display or to hide the CMS console. Press F3 to display or to hide the CLI commands that CMS is sending.

The chapter incorrectly states that Java plug-in 1.4.1 is required for Solaris. Java plug-in 1.4.1_02 is required to run CMS on Solaris. You can download it from this URL:

http://www.cisco.com/public/sw-center/lan/java/1.4.1-02.html

Related Documentation

These documents provide complete information about the switch and are available at Cisco.com:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 3560 Switch Software Configuration Guide (order number DOC-7816156=)

Catalyst 3560 Switch Command Reference (order number DOC-7816155=)

Catalyst 3560 Switch System Message Guide (order number DOC-7816154=)

Cluster Management Suite (CMS) online help (available only from the switch CMS software)

Catalyst 3560 Switch Hardware Installation Guide (order number DOC-7816057=)

Cisco Small Form-Factor Pluggable Modules Installation Notes (not orderable but available on Cisco.com)

Cisco RPS 675 Redundant Power System Hardware Installation Guide (order number DOC-7815201=)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.

Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

http://www.cisco.com/tac

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

http://www.cisco.com/tac/caseopen

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Go to this URL to visit the company store:

http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html