The Catalyst 3650 switches are the next generation of enterprise class stackable access layer switches that provide full convergence between wired and wireless networks on a single platform. This convergence is built on the resilience of new and improved 160-Gbps StackWise-160 and Cisco StackPower. Wired and wireless security and application visibility and control are natively built into the switch.
The Catalyst 3650 switches also support full IEEE 802.3at Power over Ethernet Plus (PoE+), modular and field replaceable network modules, redundant fans, and power supplies. The Catalyst 3650 switches enhance productivity by enabling applications such as IP telephony, wireless, and video for a true borderless network experience.
The Cisco IOS XE software represents the continuing evolution of the preeminent Cisco IOS operating system. The Cisco IOS XE architecture and well-defined set of APIs extend the Cisco IOS software to improve portability across platforms and extensibility outside the Cisco IOS environment. The Cisco IOS XE software retains the same look and feel of the Cisco IOS software, while providing enhanced future-proofing and improved functionality.
Provides quick and easy access to all relevant documentation for specific platforms. Look for Quick Links to Platform Documentation on the respective platform documentation pages.
Integrated Documentation Guides
Provides platform and software documentation for these technologies:
IP Multicast Routing Configuration Guide
Cisco Flexible Netflow Configuration Guide
Cisco IOS Device Sensor for ISE profiling
(IP Base and IP Services)
Supports Cisco Identity Services Engine (ISE) profiling for connected devices by using IOS Device Sensor
VRF-aware support for IPv6 routing protocols
Introduces VRF-aware support for IPv6 routing protocols (VRF-aware OSPFv3, EIGRPv6, and BGPv6).
IEEE 802.1Q Tunnel (Q-in-Q)
Supports IEEE 802.1Q tunneling.
Medianet Support (MSP, Metadata (no QoS), Perfmon, Mediatrace)
(IP Base and IP Services)
Supports Cisco Media Services Proxy, Cisco Medianet Metadata (no QoS), and Cisco Performance Monitor.
Eliminates the overhead of manual post-install configuration on all the switches in the Smart Install network.
Provides a single-line CLI to enable baseline security features (Port Security, DHCP snooping, DAI).
(IP Base and IP Enterprise Services)
Extends IOS and XE software to support a subset of the IOS IPv6 PBR feature.
Introduces support for Cisco EnergyWise Version 2.8. For more information, see the Cisco EnergyWise software release notes and configuration guide.
IPv6 Unicast Reverse Path Forwarding
(IP Base, IP Lite, and IP Services)
Introduces support for Unicast Reverse Path Forwarding in IPv6.
WCCP in IP base
(IP Services or IP Base)
Supports Web Cache Communication Protocol (WCCP).
Object Tracking: IPv6 Route Tracking
(IP-Base and IP Services / IP Enterprise Services)
Expands the Enhanced Object Tracking (EOT) functionality to allow the tracking of IP version 6 (IPv6) routes.
IPv6 Static Route support for Object Tracking
Allows an IPv6 Static Route to be associated with a tracked-object.
Open Plug-N-Play Agent
Provides switch-based agent support for a zero-touch automated device installation solution called NG-PNP.
Cisco TrustSec Critical Authentication
Ensures that the Network Device Admission Control (NDAC)-authenticated 802.1X links between Cisco TrustSec devices are in open state even when the Authentication, Authorization, and Accounting (AAA) server is not reachable.
Enabling Bidirectional SXP Support
Enhances the functionality of Cisco TrustSec with SXP version 4 by adding support for Security Group Tag (SGT) Exchange Protocol (SXP) bindings that can be propagated in both directions between a speaker and a listener over a single connection.
Enablement of Security Group ACL at Interface Level
(IP-Lite, IP-Base, IP Services /Enterprise Services)
Controls and manages the Cisco TrustSec access control on a network device based on an attribute-based access control list. When a security group access control list (SGACL) is enabled globally, the SGACL is enabled on all interfaces in the network by default; use the Enablement of Security Group ACL at Interface Level feature to disable the SGACL on a Layer 3 interface.
Role-Based CLI Inclusive Views
(IP-Lite, IP-Base, IP Services / IP Enterprise Services)
Enables a standard CLI view including all commands by default.
Custom Web Authentication Result Display Enhancement
Displays the authentication results on the main HTML page. There is no pop-up window to display the authentication results.
Custom Web Authentication Download Bundle
Ensures that one or more custom HTML pages can be downloaded and configured from a single tar file bundle.
The images and the custom pages containing the images are also part of the same downloadable tar file bundle.
Virtual IP Support for Images in Custom Web Authentication
Supports image file names without prefixes and removes the requirement of users having to specify the wireless management interface IP to indicate the source of image in the HTML code.
Service Discovery Gateway: mDNS enhancements
Enables multicast Domain Name System (mDNS) to operate across layer 3 boundaries.
HSRP: Global IPv6 Address
(IP-Lite, IP-Base, IP Services/ IP Enterprise Services)
Allows users to configure multiple non-link local addresses as virtual addresses. The Hot Standby Router Protocol (HSRP) ensures host-to-router resilience and failover, in case the path between a host and the first-hop router fails, or the first-hop router itself fails.
(IP-Base, IP Services/Enterprise Services)
Allows the device-sensor to extract the HTTP packet Type-Length-Value (TLV) to derive useful information about the end device type.
Banner Page and Inactivity timeout for HTTP/S connections
Allows you to create a banner page and set an inactivity timeout for HTTP or HTTP Secure (HTTPS) connections. The banner page allows you to log on to the server when the session is invalid or expired.
(LAN-Lite, LAN-Base, IP-Lite, IP-Base, IP Services/ IP Enterprise Services)
Allows you to select the type, length, value (TLV) fields that are sent on a particular interface to filter information sent through Cisco Discovery Protocol packets.
OSPFv3 Authentication Trailer
Provides a mechanism to authenticate Open Shortest Path First version 3 (OSPFv3) protocol packets as an alternative to existing OSPFv3 IPsec authentication.
Policy Based Routing: Recursive Next Hop
Enhances route maps to enable configuration of a recursive next-hop IP address that is used by policy-based routing (PBR).
IPv6 Policy-Based Routing
(IP-Lite, IP-Base, IP Services/ IP Enterprise Services)
Allows you to manually configure how the received packets should be routed. PBR allows you to identify packets by using several attributes and to specify the next hop or the output interface to which the packet should be sent.
PBR Support for Multiple Tracking Options
Extends the capabilities of object tracking using Cisco Discovery Protocol (CDP) to allow the policy-based routing (PBR) process to verify object availability by using additional methods.
Web Authentication Redirection to Original URL
Enables networks to redirect guest users to the URL they had originally requested. This feature is enabled by default and requires no configuration.
Determines the level of network access provided to an endpoint based on the type of the endpoint device. This feature also permits hardbinding between the end device and the interface. Autoconfig falls under the umbrella of Smart Operations solution.
Provides a mechanism to configure multiple commands at the same time and associate it with a target such as an interface. An interface template is a container of configurations or policies that can be applied to specific ports.
Enables strong ciphers (SHA2) for NMSP connections.
IPv6 Multicast Routing
Introduces IPv6 multicast routing.
Embedded Event Manager (EEM) 4.0
Provides unique customization capabilities and event driven automation within Cisco products.
Provides the capability to diagnose Media Stream on top of various instrumentations in Cisco routers/switches and endpoints. Also addresses the MediaNet Video monitoring requirement to discover the signaling path and provides end-to-end diagnostics along the media stream routes.
Support is added to the following APs in this release:
Note The Cisco Aironet 1530 Series APs are supported operating only in Local mode; these APs in mesh mode are not supported.
When access control lists (ACLs) are configured using a fully qualified domain name (FQDN), they can be applied based on the destination domain name. The destination domain name is then resolved to an IP address, which is provided to the client as a part of the DNS response. Guest users can log in using web authentication with a parameter map that contains the FQDN ACL name. You can apply an access list to a specific domain. The RADIUS server has to send the AAA attribute fqdn-acl-name to the controller. The operating system checks the pass-through domain list and its mapping, and permits the FQDN. An FQDN ACL allows clients to access only the configured domains without authentication. The FQDN ACL is supported only for IPv4 wireless sessions.
Local policies can profile devices based on HTTP and DHCP to identify the end devices on the network. Users can configure device-based policies and enforce them per user or per device on the network. Local policies allow profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN. They also assign ACL and QoS or configure session timeouts.
Auto MAC Learning of Valid Client via MSE
You can validate the rogue clients by utilizing the resources available in the Cisco Mobility Services Engine (MSE). Using MSE, you can dynamically list the clients joining to the controller. The list of clients joined to the controller is stored in the MSE as a centralized location, where the controller communicates with MSE and validates the client before reporting if the rogue client is a valid one or not. MSE maintains the MAC addresses of clients joined to the controller. The communication between the controller and MSE is an on-demand service as the controller requests this service from MSE.
Marking and policing actions for ingress SSID and client policies are applied at the access point. The SSID and client ingress policies that you configure in the controller are pushed to the AP. The AP performs policing and marking actions for each packet. However, the controller selects the QoS policies. Marking and policing of egress SSID and client policies are applied at the controller. QoS statistics are collated for client and SSID targets in ingress direction. Statistics are supported only for ingress policies with a maximum of five classes on wireless targets. For very large policies, statistics for ingress policies are not visible at the controller. The frequency of the statistics depends on the number of clients associated with the access point.
Implement Control part of AVC (Tie-in to QOS)
Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine, and provides application-level visibility and control (QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to either drop, mark, or police the data traffic. AVC is configured by defining a class map in a QoS client policy to match a protocol. AVC QoS actions are applied with AVC filters in both upstream and downstream directions. The QoS actions supported for upstream flow are drop, mark, and police, and for downstream flow are mark and police. AVC QoS is applicable only when the application is classified correctly and matched with the class map filter in the policy map.
Note This feature is applicable only to wireless clients.
2. Cisco Wireless Release 8.0 is targeted to be available by August 2014.
3. Because of SHA-2 certificate implementation, MSE 7.6 is not compatible with Cisco IOS XE Release 3.6E. Therefore, we recommend that you upgrade to MSE 8.0.
4. If MSE is deployed on your network, we recommend that you upgrade to Cisco Prime Infrastructure 2.1.2.
5. Prime Infrastructure 2.0 enables you to manage Cisco WLC c220.127.116.11 with the features of Cisco WLC 18.104.22.168 and earlier releases. Prime Infrastructure 2.0 does not support any features of Cisco WLC 22.214.171.124 including the new AP platforms.
– Windows 7, Windows Vista, Windows XP, Windows 2003, or Windows 2000
Wireless Web UI Software Requirements
– Windows 7
– Windows 8
– Mac OS X 10.8
– Google Chrome—Version 35
– Microsoft Internet Explorer—Versions 10 or 11
– Mozilla Firefox—Version 30
– Safari—Version 6.1
Finding the Software Version and Feature Set
Table 9 shows the mapping of the Cisco IOS XE version number and the Cisco IOS version number.
Table 9 Cisco IOS XE to Cisco IOS Version Number Mapping
Cisco IOS XE Version
Cisco IOSd Version
Cisco Wireless Control Module Version
Access Point Version
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Upgrading the Switch Software
For information about how to upgrade the switch software, see the System Management Configuration Guide, Cisco IOS XE Release 3E (Catalyst 3650 Switches) at the following URL:
After you upgrade to Cisco IOS XE Release 3.6E, the WebAuth success page behavior is different from the behavior seen in Cisco IOS XE Release 3.3.X SE. After a successful authentication on the WebAuth login page, the original requested URL opens in a pop-up window and not on the parent page. Therefore, we recommend that you upgrade the Web Authentication bundle so that the bundle is in the format that is used by the AireOS Wireless LAN Controllers.
To download a sample Web Authentication bundle, follow these steps:
Step 2 Navigate to Products > Switches > Campus LAN Switches - Access > Cisco Catalyst 3650 Series Switches.
Step 3 Click a switch model.
Step 4 Click Wireless Lan Controller Web Authentication Bundle.
Step 5 Choose Release 3.6.0 and click Download.
Step 6 After the download, follow the instructions provided in the Read Me file that is attached in the bundle.
Note In a High Availability scenario, if you download the Web Authentication bundle to the active controller, the bundle cannot be synchronized with the standby controller. Therefore, we recommend that you also manually download the Web Authentication bundle to the standby controller.
The Catalyst 3650 switch supports three different feature sets:
LAN Base feature set—Provides basic Layer 2+ features, including access control lists (ACLs) and quality of service (QoS) and up to 4094 VLANs.
IP Base feature set—Provides Layer 2+ and basic Layer 3 features (enterprise-class intelligent services). These features include access control lists (ACLs), quality of service (QoS), static routing, EIGRP stub routing, IP multicast routing, Routing Information Protocol (RIP), basic IPv6 management, the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
IP Services feature set—Provides a richer set of enterprise-class intelligent services and full IPv6 support. It includes all IP Base features plus full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). The IP Services feature set includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP), the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
Note A separate access point count license is required to use the switch as a wireless controller.
For more information about the features, see the product data sheet at this URL:
This section describes the interoperability of this version of the switch software release with other client devices.
Table 11 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.
Table 11 Client Types
Client Type and Name
126.96.36.199 or 188.8.131.52, v13.4
184.108.40.206, Windows 8.1
XP/Vista: 220.127.116.11 Win7: 18.104.22.168
Dell 1505/1510/Broadcom 4321MCAG/4322HM
Dell 1515 (Atheros)
Dell 1520/Broadcom 43224HMS
Dell 1530 (Broadcom BCM4359)
MacBook Pro (Broadcom)
MacBook Air (11AC)
Apple iPad Air
Apple iPad Mini
Samsung Galaxy Tab
Windows Mobile 6.5 / 2.01.06.0355
Windows Mobile 6.1 / 2.01.06.0333
Windows Mobile 6.5 / 3.00.0.0.051R
Windows Mobile 6.5 / 3.00.2.0.006R
Phones and Printers
Apple iPhone 4
Apple iPhone 4S
Apple iPhone 5s
Apple iPhone 5c
Apple iPhone 6
Samsung Galaxy S II
Samsung Galaxy Nexus
Samsung Galaxy S4 (GT-I9500)
Samsung Galaxy Note (SM-900)
A switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches is not supported.
With Cisco Prime Infrastructure 2.1.1, the refresh config and inventory collection tasks from the switch might take anywhere from 20 minutes to 40 minutes. For more information, see CSCum62747 on the Bug Search Tool.
Although visible in the CLI, the following commands are not supported:
– collect flow username
– authorize-lsc-ap (CSCui93659)
The following features are not supported in Cisco IOS XE Release 3.6E:
– Outdoor Access Points
– Mesh, FlexConnect, and OfficeExtend access point deployment
– Wireless Guest Anchor Controller (The Catalyst 3850 switch can be configured as a foreign controller.)
– Resilient Ethernet Protocol
– Private VLANs
– MVR (Multicast VLAN Registration)
– IPv6 routing - OSPFv3 Authentication
– Call Home
– DVMRP Tunneling
– Port Security on EtherChannel
– 802.1x Configurable username and password for MAB
– Link State Tracking (L2 Trunk Failover)
– Disable Per VLAN MAC Learning
– IEEE 802.1X-2010 with 802.1AE support
– IEEE 802.1AE MACsec (MKA & SAP)
– Command Switch Redundancy
– CNS Config Agent
– Dynamic Access Ports
– IPv6 Ready Logo phase II - Host
– IPv6 IKEv2 / IPSecv3
– OSPFv3 Graceful Restart (RFC 5187)
– Fallback bridging for non-IP traffic between VLANs
– DHCP snooping ASCII circuit ID
– Protocol Storm Protection
– 802.1x NEAT
– Per VLAN Policy & Per Port Policer
– Packet Based Storm Control
– Ingress/egress Shared Queues
– Trust Boundary Configuration
– Cisco Group Management Protocol (CGMP)
– Device classifier for ASP
– IPSLA Media Operation
– Passive Monitoring
– Performance Monitor (Phase 1)
– AAA: RADIUS over IPv6 transport
– AAA: TACACS over IPv6 Transport
– Auto QoS for Video endpoints
– EX SFP Support (GLC-EX-SMD)
– IPv6 Strict Host Mode Support
– IPv6 Static Route support on LAN Base images
– VACL Logging of access denied
– RFC5460 DHCPv6 Bulk Leasequery
– DHCPv6 Relay Source Configuration
– RFC 4293 IP-MIB (IPv6 only)
– RFC 4292 IP-FORWARD-MIB (IPv6 only)
– RFC4292/RFC4293 MIBs for IPv6 traffic
– Layer 2 Tunneling Protocol Enhancements
– UniDirectional Link Routing (UDLR)
– Pragmatic General Multicast (PGM)
– PVLAN, DAI, IPSG Interoperability
– Ingress Rate Limiting
– Ingress Strict Priority Queuing (Expedite)
– Weighted Random Early Detect (WRED)
– Improvements in QoS policing rates
– Fast SSID support for guest access WLANs
Be careful when connecting a “snagless” Ethernet cable to port 1 on a 48-port switch. The protective boot of the cable might inadvertently press the Mode button, causing the switch to erase its startup configuration and reboot. (CSCuj17317)
There is no workaround except to avoid connecting a “snagless” Ethernet cable to port 1 on a 48-port switch.
Limitations and Restrictions
Note Device Classifier is disabled by default starting with Release 3.6.0E. If you use any features that depend on Device Classifier, enable it as required.
You cannot configure NetFlow export using the Ethernet Management port (g0/0).
The switch does not support CDP bypass.
The maximum committed information rate (CIR) for voice traffic on a wireless port is 132 Mb/sec.
Flex Links are not supported. We recommend that you use spanning tree protocol (STP) as the alternative.
Restrictions for Cisco TrustSec:
– Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
– Cisco TrustSec for IPv6 is not supported.
– Dynamic binding of IP-SGT is not supported for hosts on Layer 3 physical routed interfaces because the IP Device Tracking feature for Layer 3 physical interfaces is not supported.
– Cisco TrustSec cannot be configured on a pure bridging domain with IPSG feature enabled. You must either enable IP routing or disable the IPSG feature in the bridging domain.
– Cisco TrustSec on the switch supports up to 255 security group destination tags for enforcing security group ACLs.
The Bug Search Tool (BST), which is the online successor to Bug Toolkit, is designed to improve effectiveness in network risk management and device troubleshooting. The BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The tool can filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat listed in this document:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.