Table of Contents
- What’s New in Cisco IOS XE Release 3.3.3SE
- What’s New in Cisco IOS XE Release 3.3.2SE
- What’s New in Cisco IOS XE Release 3.3.1SE
- What’s New in Cisco IOS XE Release 3.3.0SE
- Supported Hardware
- Wired Web UI (Device Manager) System Requirements
- Wireless Web UI Software Requirements
- Finding the Software Version and Feature Set
- Upgrading the Switch Software
- Interoperability with Other Client Devices
- Important Notes
- Limitations and Restrictions
- Documentation Updates
- Related Documentation
- Obtaining Documentation and Submitting a Service Request
The Catalyst 3850 switches are the next generation of enterprise class stackable access layer switches that provide full convergence between wired and wireless networks on a single platform. This convergence is built on the resilience of new and improved 480-Gbps StackWise-480 and Cisco StackPower. Wired and wireless security and application visibility and control are natively built into the switch.
The Catalyst 3850 switches also support full IEEE 802.3at Power over Ethernet Plus (PoE+), modular and field replaceable network modules, redundant fans, and power supplies. The Catalyst 3850 switches enhance productivity by enabling applications such as IP telephony, wireless, and video for a true borderless network experience.
The Cisco IOS XE software represents the continuing evolution of the preeminent Cisco IOS operating system. The Cisco IOS XE architecture and well-defined set of APIs extend the Cisco IOS software to improve portability across platforms and extensibility outside the Cisco IOS environment. The Cisco IOS XE software retains the same look and feel of the Cisco IOS software, while providing enhanced future-proofing and improved functionality.
For more information about the Cisco IOS XE software, see http://www.cisco.com/en/US/prod/collateral/iosswrel/ps9442/ps11192/ps11194/QA_C67-622903.html
- Catalyst 3850-12S and Catalyst 3850-24S switches that support SFP+ module slots. For more details, see the “Switch Models” section.
- Support for DWDM SFP+ and 10G ZR SFP+ modules. For a list of all supported SFP+ modules, see http://www.cisco.com/c/en/us/td/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6974.html .
The cpp [ all | disable | system-default | traffic-type ] global configuration command for configuring Control Plane Policing (CPP) has been updated to include keywords for modifying CPP policer settings on CPU queues and for controlling the policer rate based on traffic types.
You can verify your setting by entering the show platform qos queue stats internal cpu policer privileged EXEC command. For information about this show command, see the “show platform qos queue stats internal cpu policer” section.
No features were added or enhanced for this release. For updates in this release, see Resolved Caveats in Cisco IOS XE Release 3.3.2SE.
- Support added for Cisco Aironet 3700 Series Access Points—The Cisco Aironet 3700 Series Access Points with the 802.11ac module are supported in this release. For more information about the AP, see http://www.cisco.com/en/US/products/ps13367/index.html .
- For information about open and resolved caveats, see the “Caveats” section.
- Wired Web UI (Device Manager)—An easy-to-use web interface that offers quick configuration and monitoring capabilities. Using a web browser, you can access Device Manager from anywhere in your network.
- Nine-member stacks—Up to nine switches can participate in a switch stack. All switches must be running the same feature set.
- Cisco Universal Power Over Ethernet (Cisco UPOE) feature—Sources up to 60 W of power (2X 30W) over both signal and spare pairs of the RJ-45 Ethernet cable based on IEEE 802.3at standards. It automatically detects Cisco UPOE-compliant power devices and negotiates power up to 60 W by using Layer 2 power negotiation protocols, such as Link Layer Discovery Protocol (LLDP). (Catalyst 3850 UPOE switches).
- Wireshark—A packet analyzer program that supports multiple protocols and presents information in a text-based user interface. Wireshark analyzes wired traffic and wireless traffic.
- HSRP version 2 support for IPv4 and IPv6—Improves management and troubleshooting of IP multicast addresses. Also addresses the restrictions in HSRP version 1, such as:
– Multicast address 224.0.0.2 is used to send HSRP hello messages. This address can conflict with Cisco Group Management Protocol (CGMP) leave processing. HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the multicast address of 224.0.0.2.
- Wired Guest Access—Uses Ethernet in IP (RFC3378) within the centralized architecture to create a tunnel across a Layer 3 topology between two WLC endpoints. No additional protocols or segmentation techniques are needed to isolate guest traffic from the enterprise.
- Service Discovery Gateway feature—Enables multicast Domain Name System (mDNS) to operate across Layer 3 boundaries by filtering, caching, and redistributing services from one Layer 3 domain to another. This feature enhances Bring Your Own Device (BYOD).
- Captive Portal Bypassing for Local Web Authentication—Support for Apple devices that need to resolve Wireless Internet Service Provider roaming (WISPr) and have support for captive portal bypass.
- Critical Voice VLAN support—Puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.
- Multicast Fast Convergence with Flex Links Failover feature—Reduces the convergence time of multicast traffic after a Flex Links failure.
- Client Count per WLAN—You can configure client limits per WLAN, per AP per WLAN, and per AP per Radio. The number of clients that you can configure for each WLAN depends on the platform that you are using.
- 802.11w support—Support for the 802.11w standard as defined by the Management Frame Protection (MFP) service. Disassociation, Deauthentication, and Robust Action frames increase Wi-Fi network security by protecting the management frames from being spoofed.
- 802.11r support in local mode—Support for IEEE Standard for fast roaming allows the handshake with the new access point before the client roams to the target access point. Allows clients to move between access points without breaking a session.
- Wi-Fi Direct Client Policy—Devices that are Wi-Fi Direct capable can connect directly to each other quickly and conveniently to do tasks such as printing, synchronization, and sharing of data. Wi-Fi Direct devices may associate with multiple peer-to-peer (P2P) devices and with infrastructure wireless LANs (WLANs) concurrently. You can use the controller to configure the Wi-Fi Direct Client Policy, on a per WLAN basis, where you can allow or disallow association of Wi-Fi devices with infrastructure WLANs, or disable Wi-Fi Direct Client Policy altogether for WLANs.
- Assisted Roaming—The 802.11k standard allows clients to request neighbor reports containing information about known neighbor access points that are candidates for a service set transition. The use of the 802.11k neighbor list can limit the need for active and passive scanning. The assisted roaming feature is based on an intelligent and client-optimized neighbor list.
- Support for IPv6 wireless clients—Client policies can have IPv4 and IPv6 filters.
- Support for 802.11ac module—The 802.11ac radio module, which is based on the IEEE 802.11ac Wave 1 standard, is available on the Cisco lightweight access points.
The 802.11ac module provides enterprise-class reliability and wired-network-like performance. The 802.11ac module supports three spatial streams and 80 MHz-wide channels for a maximum data rate of 1.3 Gbps. The 802.11ac standard is a 5-GHz-only technology, which is a faster and more scalable version of the 802.11n standard.
- Application Visibility and Control—Classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine and provides application-level visibility into Wi-Fi networks.
– Manage Rogue devices—The controller continuously monitors all the nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network. For more information about managing rogue devices, see the “Managing Rogue Devices” section in the System Management Configuration Guide.
– Classify rogue access points—The controller software enables you to create rules that can organize and display rogue access points as Friendly, Malicious, or Unclassified. For more information about classifying rogue access points, see the “Classifying Rogue Access Points” section in the System Management Configuration Guide.
– wIPS—The Cisco Adaptive wireless intrusion prevention system (wIPS) continually monitors wireless traffic on both the wired and wireless networks and uses network intelligence to analyze attacks and more accurately pinpoint and proactively prevent attacks in the future. You can configure an access point to work in wIPS mode if the access point is in the Monitor or Local mode.
– Radio Frequency Grouping—A radio frequency (RF) group is a logical collection of switches that coordinate to perform radio resource management (RRM) in a globally optimized manner to perform network calculations on a per-radio basis. An RF group exists for each 802.11 network type. Clustering switches into a single RF group enables the RRM algorithms to scale beyond the capabilities of a single switch.
- Security Group Tag/Security Group ACL (SG/SGACL)—a set of features that improves the deployment of the overall Cisco TrustSec solution, including:
- Lightweight Directory Access Protocol Server mode—Operates as the backend database for web authentication to retrieve user credentials and authenticate the user.
- Wireless Flexible NetFlow—Enables flow monitoring and control of wireless traffic.
- Enhanced QoS support for wireless IPv6 clients—Support for IPv6 ACLs and DSCP-matching of IPv6 packets.
- Cisco Express Forwarding (CEF)—Supported in the LAN Base feature set.
- Protocol-independent multicast (PIM) for IPv4 traffic—Supported in the IP Base feature set.
- Policy-based routing (PBR) for IPv4 traffic—Supported in the IP Base feature set.
- OSPF enhancements—Support for up to 1000 routes.
Table 3 lists the three optional uplink network modules with 1-Gigabit and 10-Gigabit slots. You should only operate the switch with either a network module or a blank module installed.
- Two slots (left side) support only 1-Gigabit SFP modules and two slots (right side) support either 1-Gigabit SFP or 10-Gigabit SFP+ modules.
Table 4 lists the supported products of the Catalyst 3850 switch.
Table 5 lists the specific supported Cisco access points.
Table 6 lists the software compatibility matrix.
Table 8 shows the mapping of the Cisco IOS XE version number and the Cisco IOS version number.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
- LAN Base feature set—Provides basic Layer 2+ features, including access control lists (ACLs) and quality of service (QoS) and up to 4094 VLANs.
- IP Base feature set—Provides Layer 2+ and basic Layer 3 features (enterprise-class intelligent services). These features include access control lists (ACLs), quality of service (QoS), static routing, EIGRP stub routing, IP multicast routing, Routing Information Protocol (RIP), basic IPv6 management, the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
- IP Services feature set—Provides a richer set of enterprise-class intelligent services and full IPv6 support. It includes all IP Base features plus full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). The IP Services feature set includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP), the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
Table 9 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.
- Be careful when connecting a “snagless” Ethernet cable to port 1 on a 48-port switch. The protective boot of the cable might inadvertently press the Mode button, causing the switch to erase its startup configuration and reboot. (CSCuj17317)
- You cannot configure NetFlow export using the Ethernet Management port (g0/0).
- The switch does not support CDP bypass.
- The maximum committed information rate (CIR) for voice traffic on a wireless port is 132 Mb/sec.
- On WS-C3850-48 switches, if the cable plugged into port 1 has a long cable boot, the boot may stay in contact with the mode button and cause the switch to reload and reset the configuration. To work around this issue, use the no setup express command to disable Express Setup, or remove the cable boot from the cable in port 1.
If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:
- Open Caveats
- Resolved Caveats in Cisco IOS XE Release 3.3.3SE
- Resolved Caveats in Cisco IOS XE Release 3.3.2SE
- Resolved Caveats in Cisco IOS XE Release 3.3.1SE
- Resolved Caveats in Cisco IOS XE Release 3.3.0SE
– On a standalone switch, you cannot configure an EtherChannel group on the EtherChannel member port, because a maximum limit for the bindings is configured on this port ( ip device tracking maximum interface command).
– The switch stack does not boot up after stateful switchover (SSO) is configured, because “0” is set as the maximum limit for the bindings configured on an EtherChannel member port on a member switch.
Be careful when connecting a “snagless” Ethernet cable to port 1 on a 48-port switch. The protective boot of the cable might inadvertently press the Mode button, causing the switch to erase its startup configuration and reboot.
A non-designated PIM router does not forward multicast packets in the same VLAN from which they are received. This occurs in the following situation: When switches are configured with both HSRP and multicast routing, one of the switches becomes the active designated router and the others become non-designated routers. The HSRP router that becomes a non-designated router does not flood the multicast packets in the same VLAN in which they are received. This affects rectangle topologies where the distribution switches are connected to access switches.
IP Device Tracking (IPDT) cannot be disabled on the switch if a switch interface is configured with the dot1x pae authenticator interface configuration command and the authentication control-direction interface configuration command.
If you configure a SPAN session with more than one source port on the same standalone switch or on multiple source ports on the same stack member, traffic is only captured from one of the ports with no traffic captured on the other ports.
The workaround is to spread the source ports across the different stack members. If you need to use source ports on a standalone switch or on one stack member, use the source ports in different SPAN sessions.
When a wireless client switches between a switch (which has mobility configured and is acting as an anchor) and a foreign switch, the SSID of the client shows differently on the anchor and foreign switches. The anchor switch shows that the client has the previous SSID but the foreign switch shows the client has a new SSID.
A switch stack (running Cisco IOS XE 3.3.1SE) with an ACL configured on the management interface causes all switches in the stack to display incorrect output for show platform qos policy and show platform acl.
The WLAN session timeout field on the Wireless Web UI shows that 0 means an infinite session timeout. However, when you attempt to save the setting as 0, an error is displayed stating that the value needs to be between 300 and 86400.
Platform table manager entries for multicast resources are not available on the standby switch after a switchover occurs on a switch stack with densely populated interfaces and heavy multicast usage (either many groups in use or regular leave and join processing).
A web authentication failure occurs on an ISE because the session ID is no longer valid. This occurs on a switch—running 3.3.1 with Central Web Authentication (CWA) configured—when the following happens:
When a large number of Application Visibility and Control (AVC) flows are being learned from a scaled number of access points and wireless clients, the AVC cache fills up and the switch runs out of memory. This causes clients to lose connectivity to the switch after a day or so.
Shaper configuration is not correct on the first two uplinks of a 4 x 1G uplink module installed on a 24-port switch. The shaper configuration in the hardware is 1/10th of what is configured in the CLI.
After collecting “raw netflow” data, the active switch crashes. The show flow monitor v4 cache privileged EXEC command causes the switch to reboot with the following message: %SCHED-3-TRASHING: Process thrashing on watched message event.
Multicast traffic is not routed between VLANs. The “rep ri” column will show “0” for the affected multicast groups. Also, the output of the show platform table-manager database resource_type 21 | count F0 command will show more than 3000.
The workaround is to connect to the web authentication SSID, open a web browser, close the browser, change the device's SSID settings to disable Auto-login, and then re-open the browser. The client should then web authenticate successfully.
When the ambient temperature of the switch changes and the fan has to adjust accordingly, the RMP fan values programmed in the MCU may be different than those read from the fan. As a result, this intermittent error message occurs.
-Traceback= 190BA74z 182D4C8z 5E68CD5z 5E68B63z 55817EBz 55815D7z 558154Dz 5580E60z 5580444z 55802CAz
When the Ethernet management port receives a frame whose destination MAC address is not FA1, it does not drop the traffic. Instead, the port uses the vrf mgmtVrf routing table to route the traffic back.
When policy maps are PRE chained in conjunction with concurrent or sequential authentication sessions, events associated with each authentication method's chained policy are evaluated and executed instead of only those events associated with the method for which the session was authorized. For example, a policy specifies that sessions be authenticated using dot1x or mab, and upon success of either method, chain (attach) a child policy map. If both authentication methods succeed, the session, based on priority, is authorized with dot1x. Subsequent events are matched against both the MAB and dot1x chained policy maps instead of the dot1x chained policy map.
When the switch stack is running in install mode and set to boot with the boot system switch all flash:packages.conf command, the show boot system command does not properly display the BOOT variable for the standby and member switches. The effect is only on the show commands; there is no effect on operations.
When a policy with priority and a policer is attached to a range of interfaces on an uplink, in some scenarios, any change made to the policer rate causes the policy to be unprogrammed on one or more ports.
The DHCP snooping database agent fails to start while changing the DNS entry that the URL pointed to or when restarting the DHCP server. To avoid this issue, use another file transport mechanism like SCP or TFTP.
If you copy and paste several wireless configuration lines into the configuration, the system drops the first few characters from every other line. The number of characters dropped appears to be related to how long the command takes to execute. The issue does not occur on non-wireless configuration lines.
Multicast traffic travels on the WLAN-mapped VLAN rather than on the AP-group mapped VLAN when an AP is placed in an AP group where VLAN is overridden for the SSID and a client associates with the AP that is broadcasting this SSID.
In a switch stack, a member switch stops working due to a loop with the NGWC Learning Process. This loop can occur when multiple MAC addresses flap between ports, for example, after a wired to wireless MAC move.
event snmp oid 22.214.171.124.126.96.36.199.500.1.2.2.1.1 get-type next entry-op eq entry-val "2" entry-type value poll-interval 5
- The description of the network module is incorrect. It should read:
- Two slots (left side) support only 1-Gigabit SFP modules and two slots (right side) support either 1-Gigabit SFP or 10-Gigabit SFP modules.
The French version of the Catalyst 3850 Switch Hardware Guide does not include information about the Catalyst 3850-12S and Catalyst 3850-24S switches. For information on these switches, see the English hardware guide at: http://www.cisco.com/go/cat3850_hw
- The name of the Cisco IOS software bundle and the names of the Cisco IOS package files are incorrect. The correct filenames are:
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation , which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.