The Catalyst 3850 switches are the next generation of enterprise class stackable access layer switches that provide full convergence between wired and wireless networks on a single platform. This convergence is built on the resilience of new and improved 480-Gbps StackWise-480 and Cisco StackPower. Wired and wireless security and application visibility and control are natively built into the switch.
The Catalyst 3850 switches also support full IEEE 802.3 at Power over Ethernet Plus (PoE+), modular and field replaceable network modules, redundant fans, and power supplies. The Catalyst 3850 switches enhance productivity by enabling applications such as IP telephony, wireless, and video for a true borderless network experience.
The Cisco IOS XE software represents the continuing evolution of the preeminent Cisco IOS operating system. The Cisco IOS XE architecture and well-defined set of APIs extend the Cisco IOS software to improve portability across platforms and extensibility outside the Cisco IOS environment. The Cisco IOS XE software retains the same look and feel of the Cisco IOS software, while providing enhanced future-proofing and improved functionality.
Behavior change—When using PAP authentication, the MAC address of the client is presented in upper case characters as credential information to the AAA server. In previous releases, the MAC address was presented in lower case characters.
No features were added or enhanced for this release. For more information about other updates in this release, see the “Caveats” section.
What’s New in Cisco IOS XE Release 3.3.4SE
No features were added or enhanced for this release. For more information about updates in this release, see the “Caveats” section.
The cpp [ all | disable | system-default | traffic-type ] global configuration command for configuring Control Plane Policing (CPP) has been updated to include keywords for modifying CPP policer settings on CPU queues and for controlling the policer rate based on traffic types.
Wired Web UI (Device Manager)—An easy-to-use web interface that offers quick configuration and monitoring capabilities. Using a web browser, you can access Device Manager from anywhere in your network.
Nine-member stacks—Up to nine switches can participate in a switch stack. All switches must be running the same feature set.
Cisco Universal Power Over Ethernet (Cisco UPOE) feature—Sources up to 60 W of power (2X 30W) over both signal and spare pairs of the RJ-45 Ethernet cable based on IEEE 802.3at standards. It automatically detects Cisco UPOE-compliant power devices and negotiates power up to 60 W by using Layer 2 power negotiation protocols, such as Link Layer Discovery Protocol (LLDP). (Catalyst 3850 UPOE switches).
Wireshark—A packet analyzer program that supports multiple protocols and presents information in a text-based user interface. Wireshark analyzes wired traffic and wireless traffic.
HSRP version 2 support for IPv4 and IPv6—Improves management and troubleshooting of IP multicast addresses. Also addresses the restrictions in HSRP version 1, such as:
– Group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095.
– Multicast address 126.96.36.199 is used to send HSRP hello messages. This address can conflict with Cisco Group Management Protocol (CGMP) leave processing. HSRP version 2 uses the new IP multicast address 188.8.131.52 to send hello packets instead of the multicast address of 184.108.40.206.
Note HSRP is supported in the IP Base and IP Services feature sets. It is not supported in the LAN Base feature set.
Wired Guest Access—Uses Ethernet in IP (RFC3378) within the centralized architecture to create a tunnel across a Layer 3 topology between two WLC endpoints. No additional protocols or segmentation techniques are needed to isolate guest traffic from the enterprise.
Service Discovery Gateway feature—Enables multicast Domain Name System (mDNS) to operate across Layer 3 boundaries by filtering, caching, and redistributing services from one Layer 3 domain to another. This feature enhances Bring Your Own Device (BYOD).
Captive Portal Bypassing for Local Web Authentication—Support for Apple devices that need to resolve Wireless Internet Service Provider roaming (WISPr) and have support for captive portal bypass.
Critical Voice VLAN support—Puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.
Multicast Fast Convergence with Flex Links Failover feature—Reduces the convergence time of multicast traffic after a Flex Links failure.
Client Count per WLAN—You can configure client limits per WLAN, per AP per WLAN, and per AP per Radio. The number of clients that you can configure for each WLAN depends on the platform that you are using.
802.11w support—Support for the 802.11w standard as defined by the Management Frame Protection (MFP) service. Disassociation, Deauthentication, and Robust Action frames increase Wi-Fi network security by protecting the management frames from being spoofed.
802.11r support in local mode—Support for IEEE Standard for fast roaming allows the handshake with the new access point before the client roams to the target access point. Allows clients to move between access points without breaking a session.
Wi-Fi Direct Client Policy—Devices that are Wi-Fi Direct capable can connect directly to each other quickly and conveniently to do tasks such as printing, synchronization, and sharing of data. Wi-Fi Direct devices may associate with multiple peer-to-peer (P2P) devices and with infrastructure wireless LANs (WLANs) concurrently. You can use the controller to configure the Wi-Fi Direct Client Policy, on a per WLAN basis, where you can allow or disallow association of Wi-Fi devices with infrastructure WLANs, or disable Wi-Fi Direct Client Policy altogether for WLANs.
Assisted Roaming—The 802.11k standard allows clients to request neighbor reports containing information about known neighbor access points that are candidates for a service set transition. The use of the 802.11k neighbor list can limit the need for active and passive scanning. The assisted roaming feature is based on an intelligent and client-optimized neighbor list.
Support for IPv6 wireless clients—Client policies can have IPv4 and IPv6 filters.
Support for 802.11ac module—The 802.11ac radio module, which is based on the IEEE 802.11ac Wave 1 standard, is available on the Cisco lightweight access points.
The 802.11ac module provides enterprise-class reliability and wired-network-like performance. The 802.11ac module supports three spatial streams and 80 MHz-wide channels for a maximum data rate of 1.3 Gbps. The 802.11ac standard is a 5-GHz-only technology, which is faster and a more scalable version of the 802.11n standard.
Application Visibility and Control—Classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine and provides application-level visibility into Wi-Fi networks.
Note The capability of dropping or marking the data traffic (control part) is not supported in the Cisco IOS XE 3.3.0SE.
– Manage Rogue devices—The controller continuously monitors all the nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network. For more information about managing rogue devices, see the “Managing Rogue Devices” section in the System Management Configuration Guide.
– Classify rogue access points—The controller software enables you to create rules that can organize and display rogue access points as Friendly, Malicious, or Unclassified. For more information about classifying rogue access points, see the “Classifying Rogue Access Points” section in the System Management Configuration Guide.
– wIPS—The Cisco Adaptive wireless intrusion prevention system (wIPS) continually monitors wireless traffic on both the wired and wireless networks and uses network intelligence to analyze attacks and more accurately pinpoint and proactively prevent attacks in the future. You can configure an access point to work in wIPS mode if the access point is in the Monitor or Local mode.
– Radio Frequency Grouping—A radio frequency (RF) group is a logical collection of switches that coordinate to perform radio resource management (RRM) in a globally optimized manner to perform network calculations on a per-radio basis. An RF group exists for each 802.11 network type. Clustering switches into a single RF group enables the RRM algorithms to scale beyond the capabilities of a single switch.
Security Group Tag/Security Group ACL (SG/SGACL)—a set of features that improves the deployment of the overall Cisco TrustSec solution, including:
– Cisco TrustSec VLAN to SGT mapping— enables deployment of SGT on devices that are not capable of SGT tagging but are VLAN-capable.
– IP address to SGT mapping—enables deployment of SGT on resources with static IP addresses.
– Port to SGT mapping—enables SGT tagging of all traffic from a particular port.
Lightweight Directory Access Protocol Server mode—Operates as the backend database for web authentication to retrieve user credentials and authenticate the user.
Wireless Flexible NetFlow—Enables flow monitoring and control of wireless traffic.
Enhanced QoS support for wireless IPv6 clients—Support for IPv6 ACLs and DSCP-matching of IPv6 packets.
Cisco Express Forwarding (CEF)—Supported in the LAN Base feature set.
Protocol-independent multicast (PIM) for IPv4 traffic—Supported in the IP Base feature set.
Policy-based routing (PBR) for IPv4 traffic—Supported in the IP Base feature set.
OSPF enhancements—Support for up to 1000 routes.
Catalyst 3850 Switch Models
Table 2 Catalyst 3850 Switch Models
Cisco IOS Image
Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, LAN Base feature set (StackPower cables must be purchased separately)
Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, LAN Base feature set (StackPower cables must be purchased separately)
Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, LAN Base feature set (StackPower cables must be purchased separately)
Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, LAN Base feature set (StackPower cables must be purchased separately)
Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 1100-WAC power supply 1 RU, LAN Base feature set (StackPower cables must be purchased separately)
Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Base feature set
Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Base feature set
Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, IP Base feature set
Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply 1 RU, IP Base feature set
Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 1100-WAC power supply 1 RU, IP Base feature set
Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply 1 RU, IP Services feature set
Cisco Catalyst 3850 24-port PoE IP Base with 5-access point license
Cisco Catalyst 3850 48-port PoE IP Base with 5-access point license
Windows 2000, Windows 2003, Windows XP, Windows Vista, or Windows 7
Wireless Web UI Software Requirements
– Windows XP
– Windows 7
– Mac OS X
– Google Chrome
– Microsoft Internet Explorer
– Mozilla Firefox
Finding the Software Version and Feature Set
Table 9 shows the mapping of the Cisco IOS XE version number and the Cisco IOS version number.
Table 9 Cisco IOS XE to Cisco IOS Version Number Mapping
Cisco IOS XE Version
Cisco IOSd Version
Cisco Wireless Control Module Version
Access Point Version
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
4.Cisco WLC Release 7.6 is not compatible with Cisco Prime Infrastructure 2.0.
5.Prime Infrastructure 2.0 enables you to manage Cisco WLC 220.127.116.11 with the features of Cisco WLC 18.104.22.168 and earlier releases. Prime Infrastructure 2.0 does not support any features of Cisco WLC 22.214.171.124 including the new AP platforms.
6.Prime Infrastructure 2.1.1 allows you to manage Cisco WLC Releases 126.96.36.199 and 7.6.x with the features of Cisco WLC 188.8.131.52 and earlier releases. Prime Infrastructure 2.1.1 does not support any features that are introduced in Cisco WLC Releases 184.108.40.206 and 7.6.x except the new access point platforms and the new mobility feature.
Interoperability with Other Client Devices
This section describes the interoperability of this version of the switch software release with other client devices.
Table 11 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.
Table 11 Client Types
Client Type and Name
220.127.116.11 or 18.104.22.168, v13.4
XP/Vista: 22.214.171.124 Win7: 126.96.36.199
Dell 1505/1510/Broadcom 4321MCAG/4322HM
Dell 1515 (Atheros)
Dell 1520/Broadcom 43224HMS
Dell 1530 (Broadcom BCM4359)
MacBook Pro (Broadcom)
Apple iPad Mini
Samsung Galaxy Tab
Windows Mobile 6.5 / 2.01.06.0355
Windows Mobile 6.1 / 2.01.06.0333
Windows Mobile 6.5 / 3.00.0.0.051R
Windows Mobile 6.5 / 3.00.2.0.006R
Phones and Printers
Apple iPhone 5
Apple iPhone 5s
Apple iPhone 5c
Apple iPhone 4
Apple iPhone 4S
Apple iPhone 5
Samsung Galaxy S II
Samsung Galaxy Nexus
Upgrading the Switch Software
For information about how to upgrade the switch software, see the System Management Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) at the following URL:
The Catalyst 3850 switch supports three different feature sets:
LAN Base feature set—Provides basic Layer 2+ features, including access control lists (ACLs) and quality of service (QoS) and up to 4094 VLANs.
IP Base feature set—Provides Layer 2+ and basic Layer 3 features (enterprise-class intelligent services). These features include access control lists (ACLs), quality of service (QoS), ACLs, QoS, static routing, EIGRP stub routing, IP multicast routing, Routing Information Protocol (RIP), basic IPv6 management, the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
IP Services feature set—Provides a richer set of enterprise-class intelligent services and full IPv6 support. It includes all IP Base features plus full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). The IP Services feature set includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP), the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
Note A separate access point count license is required to use the switch as a wireless controller.
For more information about the features, see the product data sheet at this URL:
Although visible in the CLI, the following commands are not supported:
– switchport mode dot1qtunnel
– collect flow username
– authorize-lsc-ap (CSCui93659)
– show platform qos xxx (CSCug09112)
WCCPv2 is supported for egress IPv4 traffic with the following limitations and restrictions:
– Load balancing using only mask assignments; no support for hash assignments in hardware.
– No VRF-aware WCCP support.
– No IPv6 WCCP support.
– Either PBR or WCCP configuration is supported on an interface.
– Maximum number of service groups is eight for ingress and eight for egress.
The following features are not supported in Cisco IOS XE Release 3.3.0SE:
– Outdoor Access Points
– Mesh, FlexConnect, and Office Extend Access Point deployment
– Wireless Guest Anchor Controller (The Catalyst 3850 switch can be configured as a foreign controller.)
– IPv6 Multicast Routing
– Resilient Ethernet Protocol
– Virtual Router Redundancy Protocol (VRRP)
– Private VLANs
– Device Sensor
– MVR (Multicast VLAN Registration)
– IPv6 routing - OSPFv3 Authentication
– Call Home
– DVMRP Tunneling
– Port Security on EtherChannel
– 802.1x Configurable username and password for MAB
– Government Certificates: Common Criteria & FIPS
– Link State Tracking (L2 Trunk Failover)
– Disable Per VLAN MAC Learning
– IEEE 802.1X-2010 with 802.1AE support
– IEEE 802.1AE MACsec (MKA & SAP)
– Command Switch Redundancy
– CNS Config Agent
– Dynamic Access Ports
– IPv6 Ready Logo phase II - Host
– IPv6 IKEv2 / IPSecv3
– OSPFv3 Graceful Restart (RFC 5187)
– Fallback bridging for non-IP traffic between VLANs
– DHCP snooping ASCII circuit ID
– Protocol Storm Protection
– 802.1x NEAT
– Per VLAN Policy & Per Port Policer
– Packet Based Storm Control
– Ingress/egress Shared Queues
– Trust Boundary Configuration
– Cisco Group Management Protocol (CGMP)
– Device classifier for ASP
– IPSLA Media Operation
– Passive Monitoring
– Performance Monitor (Phase 1)
– AAA: RADIUS over IPv6 transport
– AAA: TACACS over IPv6 Transport
– Auto QoS for Video endpoints
– EX SFP Support (GLC-EX-SMD)
– IPv6 Strict Host Mode Support
– IPv6 Static Route support on LAN Base images
– VACL Logging of access denied
– RFC5460 DHCPv6 Bulk Leasequery
– DHCPv6 Relay Source Configuration
– RFC 4293 IP-MIB (IPv6 only)
– RFC 4292 IP-FORWARD-MIB (IPv6 only)
– RFC4292/RFC4293 MIBs for IPv6 traffic
– IEEE 802.1Q Tunnel (Q-in-Q)
– Layer 2 Tunneling Protocol Enhancements
– UniDirectional Link Routing (UDLR)
– Pragmatic General Multicast (PGM)
– PVLAN, DAI, IPSG Interoperability
– Ingress Rate Limiting
– Ingress Strict Priority Queuing (Expedite)
– Weighted Random Early Detect (WRED)
– Improvements in QoS policing rates
– Fast SSID support for guest access WLANs
Limitations and Restrictions
You cannot configure NetFlow export using the Ethernet Management port (g0/0).
The switch does not support CDP bypass.
The maximum committed information rate (CIR) for voice traffic on a wireless port is 132 Mb/sec.
On WS-C3850-48 switches, if the cable plugged into port 1 has a long cable boot, the boot may stay in contact with the mode button and cause the switch to reload and reset the configuration. To workaround this issue, use the no setup express command to disable Express Setup, or remove the cable boot from the cable in port 1.
Restrictions for Cisco TrustSec:
– Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
– Cisco TrustSec for IPv6 is not supported.
– Dynamic binding of IP-SGT is not supported for hosts on Layer 3 physical routed interfaces because the IP Device Tracking feature for Layer 3 physical interfaces is not supported.
– Cisco TrustSec cannot be configured on a pure bridging domain with IPSG feature enabled. You must either enable IP routing or disable the IPSG feature in the bridging domain.
– Cisco TrustSec on the switch supports up to 255 security group destination tags for enforcing security group ACLs.
The Bug Search Tool (BST), which is the online successor to Bug Toolkit, is designed to improve the effectiveness in network risk management and device troubleshooting. The BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat listed in this document:
Crash as multi data/voice clients auth followed by host-mode change
3850 SW crash due to process watchdog loop with NGWC Learning Process
3850 not pulling right correct OID for stack port change
iosd crash while configuring no ntp server
Catalyst 3850 Switch Hardware Installation Guide
The description of the network module is incorrect. It should read:
Four-slot SFP module:
Two slots (left side) support only 1-Gigabit SFP modules and two slots (right side) support either 1-Gigabit SFP or 10-Gigabit SFP modules.
Supported combinations of SFP and SFP+ modules:
Slots 1, 2, 3, and 4 populated with 1-Gigabit SFP modules.
Slots 1 and 2 populated with 1-Gigabit SFP modules and Slot 3 and 4 populated with 10-Gigabit SFP+ module.
Hardware Guide (French Version)
The French version of the Catalyst 3850 Switch Hardware Guide does not include information about the Catalyst 3850-12S and Catalyst 3850-24S switches. For information on these switches, see the English hardware guide at: http://www.cisco.com/go/cat3850_hw
Regulatory Compliance and Safety Information for the Catalyst 3850 Switch
In the French RCSI guide, statement warning 1044 is erroneously included. It does not apply to the switches.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation, which lists all new and revised Cisco Technical documentation, as an RSS feed and deliver content directly to your desktop using a read application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.