Release Notes for the Cisco IE 3000 Switch, Cisco IOS Release 15.2(1)EY

Supported Hardware

Switches and Modules

.

SPF Modules Supported

Express Setup Requirements

Hardware

• 1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor
• 1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)
• 16 GB available hard disk space (32-bit) or 20 GB (64-bit)

Software

• PC with Windows 7, or Mac OS 10.6.x
• Web browser (Internet Explorer 9.0, 10.0, and 11.0, or Firefox 25, 26) with JavaScript enabled

Express Setup verifies the browser version when starting a session, and it does not require a plug-in.

• Straight-through or crossover Category 5 or 6 cable

Cluster Compatibility

You cannot create and manage switch clusters through Device Manager. To create and manage switch clusters, use the command-line interface (CLI) or the Network Assistant application.

When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

• When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch.
• If you are managing the cluster through Network Assistant, the switch with the latest software should be the command switch.
• The standby command switch must be the same type as the command switch. For example, if the command switch is a Cisco IE 3000 switch, all standby command switches must be Cisco IE 3000 switches.

For additional information about clustering, see Getting Started with Cisco Network Assistant and Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com), the software configuration guide, and the command reference.

CNA Compatibility

Cisco IOS Release 15.2(1)EY is compatible with Cisco Network Assistant (CNA) 5.4 and later.

Note CNA 5.4 and earlier do not support the cisco-ie-macros that were introduced in Cisco IOS Release 12.2(55)SE. Using the new Smartport role names will cause CNA errors.

We recommend installing the latest version of CNA from this URL:
http://software.cisco.com/download/release.html?mdfid=280771500&softwareid=280775097&release=5.8.6&flowid=5128

For more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.

Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the compact flash memory card.

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.

You can also use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file and the files needed for the embedded Device Manager. You must use the combined tar file to upgrade the switch through Device Manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 1 lists the filenames for this software release.

If you download the IP services image and plan to use Layer 3 functionality, you must use the Switch Database Management (SDM) routing template. To see which template is currently active template, enter the show sdm prefer privileged EXEC command. If necessary, change the SDM template to the routing template by entering the sdm prefer routing global configuration command. You will be prompted to reload the switch to activate the new template.

Note The switch must be running Cisco IOS Release 12.2(52)SE or later to configure the routing template.

Archiving Software Images

As a best practice for any upgrade, you should first archive copies of the current Cisco IOS release and the new Cisco IOS release before you upgrade to new software. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd80281c0e.html

You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.

Note Although you can copy any file on the flash memory to the TFTP server, it is time consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.

You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the “Basic File Transfer Services Commands” section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 :
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_t1.html

Upgrading a Switch by Using Device Manager or Network Assistant

You can upgrade switch software by using Device Manager or Network Assistant. For detailed instructions, click Help.

Note When using Device Manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.

Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

Note Make sure that the compact flash card is inserted into the switch before downloading the software.

To download software, follow these steps:

Step 1 Use Table 1 to identify the file that you want to download.

Step 2 Download the software image file:

a. If you are a registered customer, go to this URL and log in.

http://software.cisco.com/download/navigator.html?mdfid=282082952&catid=268438038

b. Navigate to Switches > Industrial Ethernet Switches.

c. Navigate to your switch model.

d. Click IOS Software, then select the latest IOS release.

e. Download the image you identified in Step 1.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, see the Cisco IE 3000 Switch Software Configuration Guide.

Step 4 Log into the switch through the console port or a Telnet session.

Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:

For more information about assigning an IP address and default gateway to the switch, see the software configuration guide for this release.

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.

For // location, specify the IP address of the TFTP server.

For / directory / image-name .tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.

Recovering from a Software Failure

For recovery procedures, see the “Troubleshooting” chapter in the software configuration guide for this release.

Digital Optical Monitoring

Digital Optical Monitoring (DOM) is supported when using a DOM-capable SFP transceiver module. For information about the switch models that have SFP or dual-purpose ports, see Supported Hardware. For information about DOM-capable SFP modules, see SPF Modules Supported.

Note DOM is not supported on downlink SFP ports.

DOM allows monitoring real-time parameters of the switch, such as optical input and output power, temperature, laser bias current, and transceiver supply voltage. These parameters are monitored against the threshold values. The real-time DOM parameters can be monitored using command line interface or SNMP interface.

DOM is possible only with DOM-capable transceiver modules. When using an SFP module in a dual purpose port, DOM is supported if the interface media type is configured to SFP or if global transceiver monitoring is enabled.

Transceiver monitoring is enabled by default.

Precision Time Protocol (PTP)

Several enhancements were made to improve the implementation of Precision time Protocol (PTP).

• End-to-End Transparent Clock (E2E TC) now supports at least 300 PTP messages per second. The previous capacity was 10 - 20 PTP messages per second. The E2E TC timing performance also was enhanced to frequency lock to the GMC, thereby reducing timing errors.
• With the recommended settings, the Boundary Clock now supports eight clocks in a chain (previously became unstable with four clocks). The timing performance also was enhanced to improve stability and precision. We recommend setting the logDelReqInterval to -2 (-2 to 6 supported) and the logSyncInterval to -1 (-1 to 1 supported) for chains of Boundary Clocks. The PTP Clock must receive 50 Sync messages and 6 DelReq messages for a port to leave the UNCALIBRATED state.
• Added support for PTP management messages, such as example: CLOCK_DESCRIPTION, as defined in Clause 15 of IEEE Std 1588-2008. These management messages are mandatory for CIP/ODVA compliance.

Security Group Tag Exchange Protocol for Cisco TrustSec

Cisco Industrial Ethernet switches now can participate in the Cisco TrustSec security architecture by using the SGT Exchange Protocol (SXP). Cisco TrustSec establishes domains of trusted network devices. After a device is authenticated, communication is secured by using encryption and other mechanisms. As packets enter the network, they are classified by security group tags (SGTs) for the purpose of applying security policies. SXP is used to propagate the SGTs across network devices, such as the IE switches, that do not have hardware support for Cisco TrustSec.

To use this feature, enable SXP and configure the connections on each device that needs to participate in SXP exchanges.

• Enable SXP by entering the cts sxp enable command in global configuration mode.
• Configure each SXP connection by specifying the peer’s IP address, the password, and the role. For role, you can specify which device is the “speaker” and the “listener” in the exchange.

For detailed information about the configuration commands and show commands, see “SGT Exchange Protocol over TCP (SXP)” at http://www.cisco.com/en/US/partner/docs/switches/lan/trustsec/configuration/guide/sxp_config.html#wp1056896

IP Device Tracking

IP Device Tracking (IPDT) is globally enabled in the 15.2(1)EY release on all IE platforms. You can disable IPDT probing at the interface level using the CLI ip device tracking maximum 0 to avoid timeouts when end devices are in IP probing tentative state. This is especially critical if the switches are used in control automation, such as in an EtherNet/IP and Profinet network environment.

Web Device Manager Enhancements

The 15.2(1)EY release introduces an enhanced Web Device Manager GUI that is easier to use. The upgrade requires IOS tar file extraction and upgrade.

Cisco IOS Limitations

• Ethernet
• IP
• QoS
• RADIUS
• SPAN and RSPAN
• Spanning Tree Protocol
• Trunking
• VLAN

Ethernet

• Traffic on EtherChannel ports is not perfectly load-balanced. Egress traffic on EtherChannel ports are distributed to member ports on load balance configuration and traffic characteristics like MAC or IP address. More than one traffic stream may map to same member ports based on hashing results calculated by the ASIC.

If this happens, uneven traffic distribution will happen on EtherChannel ports.

Changing the load balance distribution method or changing the number of ports in the EtherChannel can resolve this problem. Use any of these workarounds to improve EtherChannel load balancing:

– for random source-ip and dest-ip traffic, configure load balance method as src-dst-ip

– for incrementing source-ip traffic, configure load balance method as src-ip

– for incrementing dest-ip traffic, configure load balance method as dst-ip

– Configure the number of ports in the EtherChannel so that the number is equal to a power of 2 (i.e. 2, 4, or 8)

For example, with load balance configured as dst-ip with 150 distinct incrementing destination IP addresses, and the number of ports in the EtherChannel set to either 2, 4, or 8, load distribution is optimal.(CSCeh81991)

IP

• When the rate of received DHCP requests exceeds 2,000 packets per minute for a long time, the response time might be slow when you are using the console.

The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)

QoS

• Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than 10 to avoid disabling the queue.

The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)

• When auto-QoS is enabled on the switch, priority queuing is not enabled. Instead, the switch uses shaped round robin (SRR) as the queuing mechanism. The auto-QoS feature is designed on each platform based on the feature set and hardware limitations, and the queuing mechanism supported on each platform might be different. There is no workaround. (CSCee22591)

RADIUS

• RADIUS change of authorization (COA) reauthorization is not supported on the critical auth VLAN.

There is no workaround. (CSCta05071)

SPAN and RSPAN

• When the RSPAN feature is configured on a switch, Cisco Discovery Protocol (CDP) packets received from the RSPAN source ports are tagged with the RSPAN VLAN ID and forwarded to trunk ports carrying the RSPAN VLAN. When this happens a switch that is more than one hop away incorrectly lists the switch that is connected to the RSPAN source port as a CDP neighbor.

This is a hardware limitation. The workaround is to disable CDP on all interfaces carrying the RSPAN VLAN on the device connected to the switch. (CSCeb32326)

• CDP, VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) packets received from a SPAN source are not sent to the destination interfaces of a local SPAN session. The workaround is to use the monitor session session_number destination { interface interface-id encapsulation replicate} global configuration command for local SPAN. (CSCed24036)

Spanning Tree Protocol

• CSCtl60247

When a switch or switch stack running Multiple Spanning Tree (MST) is connected to a switch running Rapid Spanning Tree Protocol (RSTP), the MST switch acts as the root bridge and runs per-VLAN spanning tree (PVST) simulation mode on boundary ports connected to the RST switch. If the allowed VLAN on all trunk ports connecting these switches is changed to a VLAN other than VLAN 1 and the root port of the RSTP switch is shut down and then enabled, the boundary ports connected to the root port move immediately to the forward state without going through the PVST+ slow transition.

There is no workaround.

Trunking

• IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y.

There is no workaround. (CSCdz42909).

• For trunk ports or access ports configured with IEEE 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid IEEE 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics.

There is no workaround. (CSCec35100).

VLAN

• If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail.

The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)

• When line rate traffic is passing through a dynamic port, and you enter the switchport access vlan dynamic interface configuration command for a range of ports, the VLANs might not be assigned correctly. One or more VLANs with a null ID appears in the MAC address table instead.

The workaround is to enter the switchport access vlan dynamic interface configuration command separately on each port. (CSCsi26392)

• When many VLANs are configured on the switch, high CPU utilization occurs when many links are flapping at the same time.

The workaround is to remove unnecessary VLANs to reduce CPU utilization when many links are flapping. (CSCtl04815)

Important Notes

• Device Manager Notes
• SDM Template Notes

Device Manager Notes

• You cannot create and manage switch clusters through Device Manager. To create and manage switch clusters, use the CLI or Cisco Network Assistant.
• We recommend this browser setting to speed up the time needed to display Device Manager from Microsoft Internet Explorer.

From Microsoft Internet Explorer:

1. Choose Tools > Internet Options.

2. Click Settings in the “Temporary Internet files” area.

3. From the Settings window, choose Automatically.

4. Click OK.

5. Click OK to exit the Internet Options window.

• The HTTP server interface must be enabled to display Device Manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

• Device Manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.

If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.

If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch.

Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:

SDM Template Notes

Due to changes in the default image settings, IP routing is no longer enabled in the default SDM template. Systems that upgrade from an earlier Cisco IOS release to Release 15.2(1)EY must run a non-default SDM template to preserve the earlier IP routing configurations.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2013–2015 Cisco Systems, Inc. All rights reserved.