Guest

Cisco Catalyst 3750 Metro Series Switches

Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.1(14)AX (Rev. 4/04 and 6/04)

  • Viewing Options

  • PDF (1.1 MB)
  • Feedback
Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.1(14)AX

Table Of Contents

Release Notes for the
Catalyst 3750 Metro Switch,
Cisco IOS Release 12.1(14)AX

Contents

Hardware Supported

Downloading Software

Finding the Software Version and Feature Set

Deciding Which Files to Use

Upgrading a Switch by Using the CLI

Recovering from a Software Failure

Installation Notes

New Features

New Hardware Features

New Software Features

Limitations and Restrictions

Cisco IOS Limitations and Restrictions

Open Caveats

Resolved Caveats

Documentation Updates

Hardware Installation Guide

Related Documentation

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for the
Catalyst 3750 Metro Switch,
Cisco IOS Release 12.1(14)AX


Revised April 21, 2004 and June 18, 2004

The Cisco IOS Release 12.1(14)AX runs on all Catalyst 3750 Metro switches.

These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch:

If you are installing a new switch, refer to the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.

If you are upgrading to a new release, refer to the software upgrade filename for the software version.

For the complete list of switch documentation, see the "Related Documentation" section.

You can download the switch software from these sites:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

(for registered Cisco.com users with a login password)

http://www.cisco.com/public/sw-center/sw-lan.shtml

(for nonregistered Cisco.com users)

This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.

Contents

This information is in the release notes:

"Hardware Supported" section

"Downloading Software" section

"Installation Notes" section

"New Features" section

"Limitations and Restrictions" section

"Open Caveats" section

"Resolved Caveats" section

"Documentation Updates" section

"Related Documentation" section

"Obtaining Documentation" section

"Documentation Feedback" section

"Obtaining Technical Assistance" section

"Obtaining Additional Publications and Information" section

Hardware Supported

Table 1 lists the hardware supported by this software release.

Table 1 Supported Hardware 

Switch
Description

Catalyst 3750 Metro 24-AC switch

24 10/100 Ethernet ports, 2 1000X standard SFP1 module slots, 2 1000X ES2 SFP slots, and field-replaceable AC power supply

Catalyst 3750 Metro 24-DC switch

24 10/100 Ethernet ports, 2 1000X standard SFP module slots, 2 1000X ES SFP slots, and field-replaceable DC power supply

SFP modules

1000BASE-T, 1000BASE-SX, and 1000BASE-LX

1 Small form-factor pluggable

2 Enhanced services


Downloading Software

These are the procedures for downloading software:

"Finding the Software Version and Feature Set" section

"Deciding Which Files to Use" section

"Upgrading a Switch by Using the CLI" section

"Recovering from a Software Failure" section


Note Before downloading software, read this section for important information.


Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 2 lists the software filename for this software release.

Table 2 Cisco IOS Software Image Files for Catalyst 3750 Metro Switches 

Filename

Description

c3750me-i5-tar.121.14-AX.tar

Cisco IOS image tar file.
This image has Layer 2+ and Layer 3 features.

c3750me-i5k2-tar.121.14-AX.tar

Cisco IOS crypto image tar file.
This image has the Kerberos, SSH, Layer 2+, and Layer 3 features.


Upgrading a Switch by Using the CLI

This procedure is for copying the tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

Download the software from Cisco.com to your management station by following these steps:


Step 1 Use Table 2 to identify the file that you want to download.

Step 2 Download the software image file from Cisco.com.

If you have a SmartNet support contract, go to this URL and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

If you do not have a SmartNet contract, go to this URL and follow the instructions to register on Cisco.com and download the appropriate files:

http://www.cisco.com/public/sw-center/sw-lan.shtml

To download the files, click the link for your switch platform, and then follow the links on the page to select the correct tar image file.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.

For more information, refer to Appendix B in the software configuration guide for this release.

Step 4 Log in to the switch through the console port or a Telnet session.

Step 5 Check your VLAN 1 configuration by using the show interfaces vlan 1 privileged EXEC command, and verify that VLAN 1 is part of the same network as the TFTP server. (Check the Internet address is line near the top of the display.)

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750me-i5-tar.121.14-AX.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.


Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. You can use the Xmodem protocol to recover from these failures.

For detailed recovery procedures, refer to the "Troubleshooting" chapter in the software configuration guide for this release.

Installation Notes

You can assign IP information to your switch by using these methods:

The Express Setup program (Refer to the Catalyst 3750 Metro Switch Hardware Installation Guide.)

The CLI-based setup program (Refer to the Catalyst 3750 Metro Switch Hardware Installation Guide.)

The DHCP-based autoconfiguration (Refer to the Catalyst 3750 Metro Switch Software Configuration Guide.)

Manually assigning an IP address (Refer to the Catalyst 3750 Metro Switch Software Configuration Guide.)

New Features

These are the new supported hardware and the new software features provided this release:

"New Hardware Features" section

"New Software Features" section

New Hardware Features

For a list of all supported hardware, see the "Hardware Supported" section.

New Software Features

This release is the first software release for the Catalyst 3750 Metro switch. For a detailed list of key features for this software release, refer to the Catalyst 3750 Metro Switch Software Configuration Guide.

Limitations and Restrictions

You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

Cisco IOS Limitations and Restrictions

These limitations apply to Cisco IOS configuration:

The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.

Nonreverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the VLAN group, but it is a member in some other VLAN group. Unnecessary traffic is sent on the trunk port and needlessly reduces the bandwidth of the port. There is no workaround because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member on a trunk port in at least one VLAN, this problem for the non-RPF traffic occurs. (CSCdu25219)

If a bridge group contains a VLAN that has a static MAC address configured, all non-IP traffic in the bridge group with this MAC address destination is sent to all ports in the bridge group. The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)

If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number in the Switch Database Management (SDM) template shown with the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise. The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)

An egress SPAN copy of routed unicast traffic might show an incorrect destination MAC address on both local and remote SPAN sessions. This limitation does not apply to bridged packets. The workaround for local SPAN is to use the replicate option. There is no workaround for a remote SPAN session. This is a hardware limitation. (CSCdy72835)

Egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For remote SPAN packets, the source MAC address should be the MAC address of the egress VLAN, but instead the packet shows the MAC address of the remote SPAN (RSPAN) VLAN. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used. This limitation does not apply to bridged packets. The workaround is to use the encapsulate replicate keywords in the monitor session global configuration command. Otherwise, there is no workaround. This is a hardware limitation. (CSCdy81521)

IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port. There is no workaround. (CSCdy82818)

A static IP address might be removed when the previously acquired DHCP IP address lease expires.

This problem occurs under these conditions:

When the switch is booted without a configuration (no config.text file in flash memory).

When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).

When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.

The workaround is to reconfigure the static IP address. (CSCea71176)

The switch treats frames received with mixed encapsulation (802.1Q and Inter-Switch Link [ISL]) as frames with FCS errors, increments the error counters, and causes the port LED to blink amber. This happens when an ISL-unaware device receives an ISL-encapsulated packet and forwards the frame to an 802.1Q trunk interface. There is no workaround. (CSCdz33708)

IP-option traffic is sometimes leaked unnecessarily on a trunk port. Suppose the trunk port in question is a member of an IP multicast group in VLAN X, but it is not a member in VLAN Y. In VLAN Y, there is another port that has membership in the group, and VLAN Y is the output interface for the multicast route entry corresponding to the group. IP-options traffic received on an input interface VLAN (other than VLAN Y) is unnecessarily sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y (even though the port has no group membership in VLAN Y). There is no workaround. (CSCdz42909)

Known unicast (secured addresses) are flooded within a bridge group under this condition: If secure addresses are learned or configured on a port and the VLAN on this port is part of a bridge group, non-IP traffic destined to the secure addresses is flooded within the bridge group. The workaround is to disable fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. Another workaround is to disable port security on all ports in all VLANs participating in fallback bridging by using the no switchport port-security interface configuration command. (CSCdz80499)

When you use the ip access-group interface configuration command with a router access control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN regardless of IGMP group membership in the VLAN. This provides access to directly connected clients, if any, in the VLAN. The workaround is to not apply a router ACL configured to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)

SNAP-encapsulated IP packets are dropped without an error message being reported at the interface. The switch does not support SNAP-encapsulated IP packets. There is no workaround. (CSCdz89142)

The switch does not create an adjacency table entry when the Address Resolution Protocol (ARP) timeout value is 15 seconds and the ARP request times out.

The workaround is to set an ARP timeout value higher than 120 seconds. (CSCea21674)

A route map that contains an ACL with a DSCP clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and issues an error message that shows that the route map is unsupported. There is no workaround. (CSCea52915)

During periods of very high traffic and when two RSPAN source sessions are configured, the VLAN ID of packets in one RSPAN session might overwrite the VLAN ID of the other RSPAN session. If this occurs, packets intended for one RSPAN VLAN are incorrectly sent to the other RSPAN VLAN. This problem does not affect RSPAN destination sessions. The workaround is to configure only one RSPAN source session. (CSCea72326)

Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than ten to avoid disabling the queue. The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)

When an IP phone is connected to the switch, the port VLAN ID (PVID) and the voice VLAN ID (VVID) both learn its MAC address. However, after dynamic MAC addresses are deleted, only VVID relearns the IP phone MAC address. MAC addresses are deleted manually or automatically for a topology change or when port security or an 802.1x feature is enabled or disabled. There is no workaround. (CSCea80105)

After changing the access VLAN on a port that has 802.1x enabled, the IP phone address is removed. Because learning is restricted on 802.1x capable ports, it takes approximately 30 seconds before the address is relearned. There is no workaround. (CSCea85312)

The egress-SPAN data rate might degrade when fallback bridging or multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can egress-SPAN at up to 40,000 packets per second (64-byte packets). As long as the total traffic being monitored is below this limit, there is no degradation. However, if the traffic being monitored exceeds the limit, only a portion of the source stream is spanned. When this occurs, this console message appears: Decreased egress SPAN rate.

In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress-spanned. If fallback bridging and multicast routing are disabled, egress-SPAN is not degraded. There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress-SPAN to observe the same traffic. (CSCeb01216)

Some IGMP report and query packets with IP options might not be ingress-spanned. Packets that are susceptible to this problem are IGMP packets containing 4 bytes of IP options (IP header length of 24). An example of such packets would be IGMP reports and queries having the router alert IP option. Ingress-spanning of such packets is not accurate and can vary with traffic rate. Typically, very few or none of these packets are spanned. There is no workaround. (CSCeb23352)

If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13000, the switch can halt. The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)

Port-based Ethernet over Multiprotocol Label Switching (EoMPLS) sessions do not function if the incoming port is configured as an Inter-Switch Link (ISL) trunk. The workaround is to configure the incoming ports as an 802.1Q trunk or as an access port. (CSCeb44014)

When traffic with different class of service (CoS) values is sent into a 802.1Q tunnel, only the CoS 0 statistics increment in the show mls qos interface user EXEC command display. There is no workaround. (CSCeb75230)

The display for the show mpls ldp neighbor ipaddr-of-neighbor detail user EXEC command always shows the targeted hello holdtime value as infinite. The workaround is to use the show mpls ldp parameter user EXEC command to see the configured value. (CSCeb76775)

The bandwidth interface configuration command is not supported at the interface level, but it appears in the CLI. There is no workaround. (CSCeb80223)

The random-detect interface configuration command is not supported at the interface level, but it appears in the CLI. There is no workaround. (CSCeb80300)

The display for the show policy-map interface user EXEC command shows zeros for the counters associated with class-map match criteria. There is no workaround. (CSCec08205)

When MPLS is enabled, traceroute is not supported. There is no workaround. (CSCec13655)

The priority policy-map class configuration command cannot be configured for the default traffic class in a policy map. The workaround is to configure explicit matches for traffic that requires priority treatment. (CSCec38901)

VLAN mappings can be configured on a per-interface basis. A different set of mappings can be configured on each ES interface. The per-interface VLAN mappings remain in effect even when the ES ports are bundled in an EtherChannel. For example, if you map Gigabit Ethernet 1/1/1 to VLAN 20 through VLAN 50 and Gigabit Ethernet 1/1/2 to VLAN 20 through VLAN 70, traffic on VLAN 20 leaving the switch through the ES port bundle should be load balanced across the individual ES interfaces. However, some of that traffic is incorrectly translated to VLAN 50, and some is incorrectly translated to VLAN 70. The workaround is to configure identical VLAN mappings on both ES ports if they are going to be bundled into an EtherChannel. (CSCec49520)

Open Caveats

These are the open Cisco IOS configuration caveats:

CSCdz30046

When multicast VLAN registration (MVR) groups are added or deleted, the receiver port that joined the groups after the addition still receives traffic even after the group is deleted. The correct behavior is that MVR data traffic to the group should stop flowing to the receiver port immediately after the no mvr group ip-address global configuration command is entered.

The workaround is to disable MVR by using the no mvr global configuration command and then to re-enable it by using the mvr command. Add and delete the groups that have problems by using the mvr group ip-address and the no mvr group ip-address global configuration commands.

CSCea90131

Under these conditions, the switch might report a false security violation after an 802.1x supplicant is authenticated and assigned a new VLAN by the RADIUS server:

802.1x, port security, and voice VLAN are configured on a port.

The maximum number of secure addresses has been learned on the port before it is authenticated.

The VLAN assigned by the RADIUS server is different than the access VLAN configured on the port.

This problem does not prevent traffic from being forwarded to the 802.1x client, but the show port-security privileged EXEC command output might show that the port is SecureDown when it is actually SecureUp and forwarding traffic correctly.

The workaround is to restart the interfaces that appear to be out of sync by using the shutdown and then the no shutdown interface configuration commands.

CSCeb10032

The switch might not be able to pass Vine (Advanced Research Projects Agency) ARPA frames over bridge groups.

The workaround is to use Subnetwork Access Protocol (SNAP) frames.

CSCeb14406

DVMRP does not correctly forward packets.

There is no workaround.

CSCeb29898

After starting up a switch that has more than 300 VLANs and the maximum number of static Etherchannel groups (12), all interfaces that are part of an Etherchannel might stay down. This occurs because the remote switch detects an Etherchannel misconfiguration and disables its ports. This problem can occur in either per-VLAN-spanning-tree plus (PVST+) or rapid-PVST+ mode.

The workaround is to restart the EtherChannel ports or to configure automatic recovery:

Use the shutdown and no shutdown interface configuration commands on the remote switch to restart all err-disabled interfaces.

Use the errdisable recovery cause channel-misconfig global configuration command to enable automatic link recovery on the remote switch, and use the errdisable recovery interval global configuration command to configure a short recovery interval.

CSCeb35422

On a voice VLAN port with both 802.1x and port security enabled, dynamic secure addresses might not get deleted when the port is changed from multihost mode to single-host mode. This means that addresses learned in the multihost mode are still allowed after changing to single-host mode. This problem occurs under these conditions:

The port is in authorized state.

The port learns the MAC addresses of multiple hosts.

VLAN assignment is not enabled for the authorized host.

The workaround is to disable and then re-enable port security on the port.

CSCeb42949

The switch does not work with the User Registration Tool (URT). The PC attempting to connect to the network can login successfully, but is not allowed to pass traffic after the port is moved to the user VLAN. The MAC address for that device shows BLOCKED.

There is no workaround.

CSCeb54159

If an interface on the switch is mapped to queue-set 2, and you disable and then re-enable multilayer QoS globally by using the mls qos global configuration command, the interface is no longer mapped to the correct egress queue-set.

The workaround is to reconfigure the interface queue-set by using the no queue-set interface configuration command followed by the queue-set 2 interface configuration command.

CSCeb56226

If an 802.1x port is configured for forced-unauthorized port control mode and voice VLAN, after you remove the voice VLAN and disable 802.1x on the port, the port no longer passes traffic.

The workaround is to restart the port by using the shutdown and then the no shutdown interface configuration commands.

CSCeb78921

When MPLS traffic has been running long enough for the MPLS byte counters to roll over, entering the show mpls forwarding-table user EXEC command results in a display with large negative bytes. Clearing the MPLS counters does not remedy the situation.

There is no workaround.

CSCec01607

The CISCO-CLASS-BASED-QOS-MIB cbQosPoliceCfgTable shows two policers when only one has been created. This happens only when creating a single-rate policer.

There is no workaround.

CSCec13135

The cbQosREDCfg, cbQosREDClassCfg and cbQosREDClassStats tables in CISCO-CLASS-BASED-QOS-MIB are unsupported.

The workaround is to use the random-detect policy-map class configuration command to configure Weighted Random Early Detection (WRED) and the show policy-map user EXEC command to monitor WRED.

CSCec19825

The etherHistoryUtilization object reports incorrect network utilization values for interfaces.

There is no workaround.

CSCec52524

When a switch boots without a configuration file, you are prompted for a Yes or No response to the Continue with configuration dialog? [yes/no] question. Even after you enter a response, pressing the Mode button for up to 2 seconds puts the switch in Express Setup mode and erases any configuration information that has been entered.

The workaround is to not enter Express Setup mode after configuration information has been entered.

CSCec57743

The no setup express global configuration command does not appear in the CLI menu when you enter the no ? command.

The workaround is to enter the no setup express global configuration command.

CSCec66730

A port configured with the dot1x port-control auto interface configuration command can be also configured in a channel group, even though these options are mutually exclusive.

There is no workaround.

CSCec70857

If you change the ingress priority queue settings for queue 2 by using the mls qos srr-queue input priority-queue 2 bandwidth weight global configuration command, the show running-config user EXEC command display contains an extra input keyword, for example, mls qos srr-queue input priority-queue input 2 bandwidth weight. This causes subsequent problems if the command is saved and if the switch reloaded.

The workaround is to edit the generated configuration file (config.text) and remove the extra input keyword before reloading the switch.

CSCec71041

When automatic QoS (auto-QoS) is configured on an interface and that interface is changed from routed mode to switched mode or switched mode to routed mode, the trust policies displayed by the show running-config user EXEC command and the show mls qos interface user EXEC command are incorrect for the new interface type.

The workaround is to disable auto-QoS on the interface by using the no auto qos voip [cisco-phone | trust] interface configuration command, to change the interface to routed or switched mode, and then to reconfigure auto-QoS by using the auto qos voip {cisco-phone | trust} interface configuration command.

CSCec72190

Changing the STP mode from PVST to MST (by using the spanning-tree mode mst global configuration command) or from MST to PVST (by using the spanning-tree mode pvst global configuration command) causes the LEDs for Layer 3 interfaces to turn amber, even though the ports are up.

The workaround is to use the shutdown and then the no shutdown interface configuration commands on each Layer 3 interface to force the LEDs back into sync.

CSCec72935

The port bandwidth limit displayed by show mls qos interface user EXEC command is 100 minus the configured value. For example, if the configured value is 70, the display shows 30.

There is no workaround.

CSCec73580

When the switchport voice vlan {vlan-id | dot1p | none | untagged} interface configuration command and the spanning-tree bpduguard {disable | enable} interface configuration command are configured together on an interface connected to another Catalyst 3750 Metro switch, the interface does not go into an error-disabled state (BPDU guard does not work).

There is no workaround.

CSCec75945

Modifying a QoS class within a very large service policy that is attached to an ES port can cause high CPU utilization and an unresponsive CLI for an excessive period of time.

The workaround is to detach the service policy from the port while making the modifications and then to re-attach the service policy.

CSCec84254

The switch does not link up with some media converters running at 100Mb. This problem occurs on 10/100BASE-T interfaces.

There is no workaround.

CSCed03214

If the switch is connected to a device in 10Mbps half-duplex mode, the CPU and the network ports might lock up. When this happens, this error message might appear continuously on the console:

%SUPQ-4-CPUHB_RECV_STARVE: Still seeing receive queue stuck after throttling

You also might see system FCS error frames displayed in the show controller ethernet-controller privileged EXEC command output.

There is no workaround.

CSCed16780

Layer 2 protocol tunneling does not function reliably on EtherChannel interfaces.

There is no workaround.

CSCed23767

You cannot disable MAC address aging on a secure port. When port security is enabled on an interface, the recommended procedure to disable secure MAC address aging on the port is to set the aging time to zero. However, when you enter the switchport port-security aging time 0 interface configuration command, the switch does not accept 0 as a valid entry even though the CLI help string indicates that it is a valid setting.

There is no workaround.

CSCed26316

When an ES port is configured as an ISL trunk port, sending jumbo frames through the ES port causes the connected link to receive fragments and cyclic redundancy check (CRC) errors on a high percentage of the traffic. After a prolonged traffic run, the ES ports might stop forwarding traffic.

The workaround is to use 802.1Q encapsulation on ES ports when the switch supports jumbo frames.

CSCed27873

When an ES port is configured as an ISL trunk port, the interface counters count ISL packets that are within the system MTU size (1500 bytes) as giant packets that were discarded because they exceeded the system MTU.

The workaround is to configure the ES port as an 802.1Q trunk port.

CSCed29932

When you change the MPLS router ID by entering the mpls ldp router-id [loopback value] force global configuration command, the local router ID is changed, but the label distribution protocol (LDP) does not bind with the LDP neighbor until the loopback interface is shut down and brought back up.

The workaround is to enter a shutdown and then a no shutdown interface configuration command on the loopback interface after you change the MPLS router ID.

CSCed30184

An EtherChannel configured for 802.1Q tunneling and the Port Aggregation Protocol (PAgP) or the Link Aggregation Control Protocol (LACP) does not come up.

The workaround is to use channel-group channel-group-number mode on interface configuration command to make the EtherChannel come up.

CSCed36621

Although the default range for local MPLS labels available for use on packet interfaces is from 16 to 100000, the switch rejects MPLS traffic with a label greater than 8192.

The workaround is to use the mpls label range min max global configuration command to set the maximum label value to 8192.

CSCed47290

MPLS does not function on switch virtual interfaces (SVIs).

There is no workaround.

Resolved Caveats

These caveats are resolved in this release:

CSCdu53656

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.

Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

CSCea28131

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.

Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

CSCed27956

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed38527

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

Documentation Updates

These are the documentation updates for this release.

Hardware Installation Guide

These are the documentation updates for the Catalyst 3750 Metro Switch Hardware Installation Guide.

The guide incorrectly states that the switch supports the 1000BASE-ZX SFP. This SFP is not supported.

The Preface does not include these translations for the Warning symbol and explanation (Statement 1071):

Warning


IMPORTANT SAFETY INSTRUCTIONS

This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071

SAVE THESE INSTRUCTIONS

Varning!

VIKTIGA SÄKERHETSANVISNINGAR

Denna varningssignal signalerar fara. Du befinner dig i en situation som kan leda till personskada. Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och känna till vanliga förfaranden för att förebygga olyckor. Använd det nummer som finns i slutet av varje varning för att hitta dess översättning i de översatta säkerhetsvarningar som medföljer denna anordning.

SPARA DESSA ANVISNINGAR


In Appendix C, "Connecting the Power Supply," the "Connecting to DC Power" section should include this Suitable for Mounting warning statement:

Warning


Suitable for mounting on concrete or other non-combustible surface only. Statement 345

Waarschuwing

Kan alleen worden bevestigd op een betonnen of andere niet-ontvlambare ondergrond.

Varoitus

Sopii kiinnitettäväksi vain betonipintaan tai muuhun palamattomaan pintaan.

Avertissement

Adapté uniquement pour un montage sur du béton ou sur toute autre surface incombustible.

Warnung

Nur geeignet zum Anbringen an Beton- oder anderen nichtbrennbaren Oberflächen.

Avvertenza

Installazione idonea solo su superfici in cemento o altre superfici non infiammabili.

Advarsel

Bare for montering på betongoverflater eller andre ikke-brennbare overflater.

Aviso

Adequado apenas para montagem em superfície de cimento ou noutra superfície não combustível.

¡Advertencia!

Adecuado sólo para su instalación en cemento o en cualquier otra superficie incombustible.

Varning!  

Passar endast för montering på cementyta eller annan ej antändlig yta.


In Appendix E, "Translated Safety Warnings," the Warning statement about installation for short-circuit (overcurrent) protection has changed (Statement 1005-Circuit Breaker).

Warning


This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than:
10 A Statement 1005

Waarschuwing

Dit product is afhankelijk van de installatie van het gebouw voor beveiliging tegen kortsluiting (overstroom). Controleer of de beschermingsinrichting niet meer dan:
10 A is.

Varoitus

Tämä tuote on riippuvainen rakennukseen asennetusta oikosulkusuojauksesta (ylivirtasuojauksesta). Varmista, että suojalaitteen mitoitus ei ole yli:
10 A

Attention

Pour ce qui est de la protection contre les courts-circuits (surtension), ce produit dépend de l'installation électrique du local. Vérifiez que le courant nominal du dispositif de protection n'est pas supérieur à :
10 A

Warnung

Dieses Produkt ist darauf angewiesen, dass im Gebäude ein Kurzschluss- bzw. Überstromschutz installiert ist. Stellen Sie sicher, dass der Nennwert der Schutzvorrichtung nicht mehr als:
10 A (max), 80 VDC (min) beträgt.

Avvertenza

Questo prodotto dipende dall'impianto dell'edificio per quanto riguarda la protezione contro cortocircuiti (sovracorrente). Assicurarsi che il dispositivo di protezione non abbia un rating superiore a:
10 A

Advarsel

Dette produktet er avhengig av bygningens installasjoner av kortslutnings (overstrøm)-beskyttelse. Påse at verneenheten ikke er merket høyere enn:
10 A

Aviso

Este produto depende das instalações existentes para proteção contra curto-circuito (sobrecarga). Assegure-se de que o fusível ou disjuntor não seja superior a:
10 A

¡Advertencia!

Este equipo utiliza el sistema de protección contra cortocircuitos (o sobrecorrientes) del edificio. Asegúrese de que el dispositivo de protección no sea superior a:
10 A

Varning!

Denna produkt är beroende av i byggnaden installerat kortslutningsskydd (överströmsskydd). Kontrollera att skyddsanordningen inte har högre märkvärde än:
10 A

10 A

10 A

10 A

10 A



Related Documentation

These documents provide information about the switch and are available from this Cisco.com site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 3750 Metro Switch Software Configuration Guide (order number DOC-7815870=)

Catalyst 3750 Metro Switch Command Reference (order number DOC-7815871=)

Catalyst 3750 Metro Switch System Message Guide (order number DOC-7815872=)

Catalyst 3750 Metro Switch Hardware Installation Guide (order number DOC-7815869=)

Cisco Small Form-Factor Pluggable Modules Installation Notes (not orderable but available on Cisco.com)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html