Cisco Catalyst 3750 Metro Series Switches

Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.2(25)SED

Release Notes for the
Catalyst 3750 Metro Switch
Cisco IOS Release 12.2(25)SED and Later


Revised November 28, 2005

The Cisco IOS Release 12.2(25)SED runs on all Catalyst 3750 Metro switches.

These release notes include important information about Cisco IOS Release 12.2(25)SED and Cisco IOS Release 12.2(25)SED1 and any limitations, restrictions, and caveats that apply to the releases. Verify that these release notes are correct for your switch:

If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.

If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.

If you are upgrading to a new release, see the software upgrade filename for the software version. See the "Deciding Which Files to Use" section.

For the complete list of switch documentation, see the "Related Documentation" section.

You can download the switch software from this site:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com in the Cisco IOS software area.

Cisco IOS Release 12.2(25)SED is based on Cisco IOS Release 12.2(25)S. Open caveats in Cisco IOS Release 12.2(25)S also affect Cisco IOS Release 12.2(25)SED, unless they are listed in the Cisco IOS Release 12.2(25)SED resolved caveats list. The list of open caveats in Cisco IOS Release 12.2(25)S is available at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/122srn.htm#wp2367913

Contents

This information is in the release notes:

"Hardware Supported" section

"Uploading the Switch Software" section

"Installation Notes" section

"New Features" section

"Minimum Cisco IOS Release for Major Features" section

"Limitations and Restrictions" section

"Important Notes" section

"Open Caveats" section

"Resolved Caveats" section

"Documentation Updates" section

"Related Documentation" section

"Obtaining Documentation" section

"Obtaining Technical Assistance" section

"Obtaining Additional Publications and Information" section

Hardware Supported

Table 1 lists the supported hardware and the minimum Cisco IOS release required.

Table 1 Supported Hardware

| Switch | Description | Supported by Minimum Cisco IOS Release |
|---|---|---|
| Catalyst 3750 Metro 24-AC switch | 24 10/100 Ethernet ports, 2 1000X standard SFP [1] module slots, 2 1000X ES [2] SFP slots, and field-replaceable AC power supply | Cisco IOS Release 12.1(14)AX |
| Catalyst 3750 Metro 24-DC switch | 24 10/100 Ethernet ports, 2 1000X standard SFP module slots, 2 1000X ES SFP slots, and field-replaceable DC power supply | Cisco IOS Release 12.1(14)AX |
| SFP modules | 1000BASE-T, 1000BASE-SX, and 1000BASE-LX | Cisco IOS Release 12.1(14)AX |
| | 1000BASE-ZX and CWDM [3] | Cisco IOS Release 12.1(14)AX1 |
| | 100BASE-FX MMF [4] | Cisco IOS Release 12.2(25)EY |

[1] SFP = small form-factor pluggable

[2] ES = enhanced services

[3] CWDM = coarse wavelength-division multiplexer

[4] MMF = multimode fiber


Uploading the Switch Software

These are the procedures for downloading software:

"Finding the Software Version and Feature Set" section

"Deciding Which Files to Use" section

"Archiving Software Images" section

"Upgrading a Switch by Using the CLI" section

"Recovering from a Software Failure" section


Note Before downloading software, read this section for important information.


Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 2 lists the software filename for this software release.

Table 2 Cisco IOS Software Image Files for Catalyst 3750 Metro Switches

| Filename | Description |
|---|---|
| c3750me-i5-tar.122-25.SED1.tar | Cisco IOS image tar file. This image has Layer 2+ and Layer 3 features. |
| c3750me-i5k91-tar.122-25.SED1.tar | Cisco IOS cryptographic image tar file. This image has the Kerberos, SSH [1], SSL [2], Layer 2+, and Layer 3 features. |

[1] SSH = Secure Shell

[2] SSL = Secure Socket Layer


Archiving Software Images

Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.

Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html

You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.


Note Although you can copy any file on the flash memory to the TFTP server, it is time consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.


You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt2/frf011.htm#wp1018426

Upgrading a Switch by Using the CLI

This procedure is for copying the tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

Download the software from Cisco.com to your management station by following these steps:


Step 1 Use Table 2 to identify the file that you want to download.

Step 2 Download the software image file from Cisco.com.

Go to this URL and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

To download the files, click the link for your switch platform, and then follow the links on the page to select the correct tar image file.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.

For more information, see Appendix B in the software configuration guide for this release.

Step 4 Log in to the switch through the console port or a Telnet session.

Step 5 Check your VLAN 1 configuration by using the show interfaces vlan 1 privileged EXEC command, and verify that VLAN 1 is part of the same network as the TFTP server. (Check the "Internet address is" line near the top of the display.)

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.

For //location, specify the IP address of the TFTP server.

For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750me-i5-tar.122-25.EY.tar

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.


Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. You can use the Xmodem protocol to recover from these failures.

For detailed recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.

Installation Notes

You can assign IP information to your switch by using these methods:

The Express Setup program (See the Catalyst 3750 Metro Switch Hardware Installation Guide.)

The CLI-based setup program (See the Catalyst 3750 Metro Switch Hardware Installation Guide.)

The DHCP-based autoconfiguration (See the Catalyst 3750 Metro Switch Software Configuration Guide.)

Manually assigning an IP address (See the Catalyst 3750 Metro Switch Software Configuration Guide.)

New Features

These are the new supported hardware and the new software features provided in this release:

"New Hardware Features" section

"New Software Features" section

New Hardware Features

For a list of all supported hardware, see the "Hardware Supported" section.

New Software Features

This release contains these new switch features (available in all software images):

Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do not have the credentials to authenticate through the standard IEEE 802.1x processes.

Support for hierarchical virtual private LAN service (H-VPLS).

Minimum Cisco IOS Release for Major Features

Table 3 lists the minimum software release required to support the major features on the Catalyst 3750 Metro switch.


Note Features not included in the table are available in all releases. You can see a list of features from the first release at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12225ey/3750mscg/swintro.htm


Table 3 Catalyst 3750 Metro Switch Features and the Minimum Cisco IOS Release Required

| Feature | Minimum Cisco IOS Release Required |
|---|---|
| H-VPLS | 12.2(25)SED |
| IEEE 802.1x restricted VLANs | 12.2(25)SED |
| IEEE 802.1x accounting and MIBs (IEEE8021-PAE-MIB and CISCO-PAE-MIB) | 12.2(25)EY |
| DHCP snooping with the option-82 information option | 12.2(25)EY |
| DHCP snooping binding database configuration | 12.2(25)EY |
| Dynamic ARP inspection | 12.2(25)EY |
| EtherChannel guard | 12.2(25)EY |
| Flex Links | 12.2(25)EY |
| IGMPv3 snooping | 12.2(25)EY |
| IGMP throttling | 12.2(25)EY |
| IP source guard | 12.2(25)EY |
| Multiple VPN Routing/Forwarding (Multi-VRF) CE | 12.2(25)EY |
| Private VLAN | 12.2(25)EY |
| SFP diagnostic management interface | 12.2(25)EY |
| SSHv2 server application (cryptographic images only) | 12.2(25)EY |
| SSL Version 3.0 for secure HTTP communication (cryptographic images only) | 12.2(25)EY |
| Smartports macros | 12.2(25)EY |
| Auto-QoS | 12.2(25)EY |
| VLAN-based QoS and dual-level hierarchical policy maps on SVIs | 12.2(25)EY |
| Matching the CoS of the inner tag for IEEE 802.1Q tunneling traffic. | 12.2(25)EY |
| Applying hierarchical service policies in the inbound direction on an ES port. | 12.2(25)EY |
| Storm control enhancements | 12.2(25)EY |
| SFP diagnostic management interface | 12.2(25)EY |
| Unicast MAC address filtering | 12.2(25)EY |
| QoS egress priority queue | 12.1(14)AX2 |
| QoS DSCP transparency | 12.1(14)AX2 |
| Point-to-point Layer 2 protocol tunneling | 12.1(14)AX1 |


Limitations and Restrictions

You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

"Configuration" section

"Ethernet" section

"Fallback Bridging" section

"HSRP" section

"IP" section

"IP Telephony" section

"MAC Addressing" section

"MPLS and EoMPLS" section

"Multicasting" section

"QoS" section

"Routing" section

"SPAN and RSPAN" section

"Trunking" section

"Tunneling" section

"VLAN" section

Configuration

These are the configuration limitations:

A static IP address might be removed when the previously acquired DHCP IP address lease expires.

This problem occurs under these conditions:

When the switch is booted without a configuration (no config.text file in flash memory).

When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).

When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.

The workaround is to reconfigure the static IP address. (CSCea71176)

When the show interface privileged EXEC command is entered on a port that is running IEEE 802.1Q, inconsistent statistics from ports running IEEE 802.1Q might be reported.

The workaround is to upgrade to Cisco IOS Release 12.2(25)EY. (CSCec35100)

When you change a port from a nonrouted port to a routed port or the reverse, the applied auto-QoS setting is not changed or updated when you verify it by using the show running interface or show mls qos interface user EXEC commands.

These are the workarounds:

1. Disable auto-QoS on the interface.

2. Change the routed port to a nonrouted port or the reverse.

3. Re-enable auto-QoS on the interface. (CSCec44169)

The DHCP snooping binding database is not written to flash or a remote file in any of these situations:

When the Network Time Protocol (NTP) is configured, but the NTP clock is not synchronized. You can check the clock status by entering the show ntp status privileged EXEC command and verifying that the network connection to the NTP server and peer works correctly.

The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is removed manually from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.

The URL for the configured DHCP snooping database was replaced because the original URL is not accessible. The new URL might not take effect after the timeout of the old URL.

No workaround is necessary; these are the designed behaviors. (CSCed50819)

When dynamic ARP inspection is enabled on a switch or switch stack, ARP and RARP packets greater than 2016 bytes are dropped by the switch or switch stack. This is a hardware limitation.

However, when dynamic ARP inspection is not enabled and jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)

When connected to some third-party devices that send early preambles, a switch port operating at 100 Mbps full duplex or 100 Mbps half duplex might bounce the line protocol up and down. The problem is observed only when the switch is receiving frames.

The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)

Dynamic ARP inspection log entries might be lost after a switch failure. Any log entries that are still in the log buffer (have not been output as a system message) on a switch that fails will be lost.

When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which the command was entered.

There is no workaround. (CSCed95822)

When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered for that interface, MAC addresses are incorrectly forwarded when they should be blocked.

The workaround is to enter the no switchport block unicast interface configuration command for that specific interface. (CSCee93822)
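A configuration check for the port-security limitation above (CSCee93822), as an added example that is not part of the Cisco release notes: it scans running-config text for interfaces that have port security enabled in restrict mode together with switchport block unicast, and returns the workaround lines for each. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport block unicast
!
interface FastEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport block unicast
!
interface FastEthernet1/0/3
 switchport mode access
 switchport port-security violation restrict
 switchport block unicast
!
interface GigabitEthernet1/1/1
 switchport port-security
 switchport port-security violation restrict
!
end
"""


def interface_stanzas(config):
    """Split running-config text into {interface name: [stripped sub-commands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            # "!" separators and other top-level lines end the stanza.
            current = None
    return stanzas


def audit_cscee93822(config):
    """Return interfaces that match all conditions of the limitation.

    Conditions, as stated in the release note: port security enabled,
    violation mode restrict, and switchport block unicast configured.
    """
    affected = []
    for name, lines in interface_stanzas(config).items():
        # The bare command enables the feature; a violation line alone does not.
        enabled = "switchport port-security" in lines
        mode = "shutdown"  # IOS default when no violation line is present
        for line in lines:
            match = re.fullmatch(r"switchport port-security violation (\S+)", line)
            if match:
                mode = match.group(1)
        if enabled and mode == "restrict" and "switchport block unicast" in lines:
            affected.append(name)
    return affected


def workaround(name):
    """Configuration lines for the workaround given in the release note."""
    return ["interface " + name, " no switchport block unicast"]


if __name__ == "__main__":
    for port in audit_cscee93822(SAMPLE_RUNNING_CONFIG):
        print("CSCee93822 applies to", port)
        print("\n".join(workaround(port)))
```

Only FastEthernet1/0/1 is reported: 1/0/2 uses the default shutdown mode, 1/0/3 has a violation mode set but port security is not enabled, and GigabitEthernet1/1/1 does not block unknown unicast.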

The Catalyst 3750 Metro switch does not learn its own MAC address on Layer 2 interfaces. For example: Ports 1/0/1 and 1/0/2 belong to VLAN x, port 1/0/3 is a Layer 3 port with an IP address that belongs to the subnet of VLAN x, and ports 1/0/2 and 1/0/3 are connected. In this case, a host connected to port 1/0/1 cannot ping port 1/0/3. The switch does not update the CAM table and does not use the MAC address of port 1/0/3 in the CAM table for port 1/0/2.

The workaround is to statically configure the MAC address of port 1/0/3 in the CAM table of the switch bound to port 1/0/2 by using the mac address-table static mac-addr vlan vlan-id interface fastethernet1/0/2 global configuration command. (CSCee87864)

A traceback error occurs if a crypto key is generated after an SSL client session.

There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)

Ethernet

This is the Ethernet limitation:

SNAP-encapsulated IP packets are dropped without an error message being reported at the interface. The switch does not support SNAP-encapsulated IP packets. There is no workaround. (CSCdz89142)

Fallback Bridging

These are the fallback bridging limitations:

If a bridge group contains a VLAN that has a static MAC address configured, all non-IP traffic in the bridge group with this MAC address destination is sent to all ports in the bridge group.

The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)

Known unicast (secured addresses) are flooded within a bridge group under this condition: If secure addresses are learned or configured on a port and the VLAN on this port is part of a bridge group, non-IP traffic destined to the secure addresses is flooded within the bridge group.

The workaround is to disable fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. Another workaround is to disable port security on all ports in all VLANs participating in fallback bridging by using the no switchport port-security interface configuration command. (CSCdz80499)

HSRP

These are the Hot Standby Routing Protocol (HSRP) limitations:

When the active switch fails in a switch cluster that uses HSRP redundancy, the new active switch might not contain a full cluster member list.

The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, see the "Configuring STP" chapter in the software configuration guide. (CSCec76893)

HSRP does not function on multiprotocol label switching (MPLS) interfaces.

There is no workaround. Do not configure HSRP on MPLS interfaces. (CSCeg76540)

IP

These are the IP limitations:

The switch does not create an adjacency table entry when the Address Resolution Protocol (ARP) timeout value is 15 seconds and the ARP request times out.

The workaround is to set an ARP timeout value higher than 120 seconds. (CSCea21674)

When the rate of received DHCP requests exceeds 2,000 packets per minute for a long time, the response time might be slow when you are using the console.

The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)

IP Telephony

These are the IP telephony limitations:

Some access point (AP)-350 devices are incorrectly discovered as IEEE 802.3af Class 1 devices. These APs should be discovered as Cisco pre-standard devices. The show power inline user EXEC command shows the AP-350 as an IEEE Class 1 device.

The workaround is to power the AP by using an AC wall adaptor. (CSCin69533)

When an IP phone is connected to the switch, the port VLAN ID (PVID) and the voice VLAN ID (VVID) both learn its MAC address. However, after dynamic MAC addresses are deleted, only VVID relearns the IP phone MAC address. MAC addresses are deleted manually or automatically for a topology change or when port security or an IEEE 802.1x feature is enabled or disabled.

There is no workaround. (CSCea80105)

After changing the access VLAN on a port that has IEEE 802.1x enabled, the IP phone address is removed. Because learning is restricted on IEEE 802.1x capable ports, it takes approximately 30 seconds before the address is relearned.

There is no workaround. (CSCea85312)

MAC Addressing

This is the MAC addressing limitation:

When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)

MPLS and EoMPLS

These are the multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) limitations:

Port-based Ethernet over Multiprotocol Label Switching (EoMPLS) sessions do not function if the incoming port is configured as an Inter-Switch Link (ISL) trunk.

The workaround is to configure the incoming ports as an IEEE 802.1Q trunk or as an access port. (CSCeb44014)

The display for the show mpls ldp neighbor ipaddr-of-neighbor detail user EXEC command always shows the targeted hello holdtime value as infinite.

The workaround is to use the show mpls ldp parameter user EXEC command to see the configured value. (CSCeb76775)

When MPLS is enabled, traceroute is not supported.

There is no workaround. (CSCec13655)

Multicasting

These are the multicasting limitations:

The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.

Nonreverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the VLAN group, but it is a member in some other VLAN group. Unnecessary traffic is sent on the trunk port and needlessly reduces the bandwidth of the port.

There is no workaround because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member on a trunk port in at least one VLAN, this problem for the non-RPF traffic occurs. (CSCdu25219)

If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number in the Switch Database Management (SDM) template shown with the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise.

The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)

IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port.

There is no workaround. (CSCdy82818)

When you use the ip access-group interface configuration command with a router access control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN regardless of IGMP group membership in the VLAN. This provides access to directly connected clients, if any, in the VLAN.

The workaround is to not apply a router ACL configured to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)

(Catalyst 3750 switches) When IP Protocol-Independent Multicast (PIM) is enabled on a tunnel interface, the switch incorrectly displays the Multicast is not supported on tunnel interfaces error message. IP PIM is not supported on tunnel interfaces.

There is no workaround. (CSCeb75366)

If an IGMP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:

If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.

If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.

There is no workaround. (CSCec20128)
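To find reports that trigger this order-dependent behavior in a capture, the following added example (not part of the Cisco release notes) parses an IGMPv3 membership report per RFC 3376 and returns the outcome the release note describes for each affected group. It assumes both records refer to the same group, uses the RFC names ALLOW_NEW_SOURCES (type 5) and BLOCK_OLD_SOURCES (type 6) for the records the note calls ALLOW_NEW_SOURCE and BLOCK_OLD_SOURCE, and builds its sample packets itself.

```python
import socket
import struct

IGMP_V3_REPORT = 0x22      # RFC 3376 Version 3 Membership Report
ALLOW_NEW_SOURCES = 5      # "ALLOW_NEW_SOURCE" in the release note
BLOCK_OLD_SOURCES = 6      # "BLOCK_OLD_SOURCE" in the release note


def inet_checksum(data):
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_report(records):
    """Build an IGMPv3 report from [(record_type, group, [sources])] (for samples)."""
    body = b"".join(
        struct.pack("!BBH4s", rtype, 0, len(srcs), socket.inet_aton(group))
        + b"".join(socket.inet_aton(src) for src in srcs)
        for rtype, group, srcs in records
    )
    msg = struct.pack("!BBHHH", IGMP_V3_REPORT, 0, 0, 0, len(records)) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_igmpv3_report(payload):
    """Return the group records in wire order as (record_type, group, [sources])."""
    if len(payload) < 8:
        raise ValueError("too short for an IGMPv3 report")
    msg_type, _, _, _, count = struct.unpack("!BBHHH", payload[:8])
    if msg_type != IGMP_V3_REPORT:
        raise ValueError("not an IGMPv3 membership report")
    if inet_checksum(payload) != 0:
        raise ValueError("bad IGMP checksum")
    records, offset = [], 8
    for _ in range(count):
        if offset + 8 > len(payload):
            raise ValueError("truncated group record")
        rtype, aux_len, n_src = struct.unpack("!BBH", payload[offset:offset + 4])
        group = socket.inet_ntoa(payload[offset + 4:offset + 8])
        offset += 8
        end = offset + 4 * n_src
        if end + 4 * aux_len > len(payload):
            raise ValueError("truncated source list")
        sources = [socket.inet_ntoa(payload[i:i + 4]) for i in range(offset, end, 4)]
        offset = end + 4 * aux_len          # skip auxiliary data words
        records.append((rtype, group, sources))
    return records


def order_dependent_groups(records):
    """Map each group carrying both record types to the outcome in CSCec20128."""
    first_seen, outcomes = {}, {}
    for rtype, group, _ in records:
        if rtype not in (ALLOW_NEW_SOURCES, BLOCK_OLD_SOURCES):
            continue
        first = first_seen.setdefault(group, rtype)
        if first != rtype and group not in outcomes:
            outcomes[group] = ("port removed from group"
                               if first == ALLOW_NEW_SOURCES
                               else "port added to group")
    return outcomes


# Constructed sample reports: the same two records in both orders.
ALLOW_REC = (ALLOW_NEW_SOURCES, "232.1.1.1", ["10.0.0.5"])
BLOCK_REC = (BLOCK_OLD_SOURCES, "232.1.1.1", ["10.0.0.9"])
SAMPLE_ALLOW_FIRST = build_report([ALLOW_REC, BLOCK_REC])
SAMPLE_BLOCK_FIRST = build_report([BLOCK_REC, ALLOW_REC])

if __name__ == "__main__":
    for name, pkt in (("allow first", SAMPLE_ALLOW_FIRST),
                      ("block first", SAMPLE_BLOCK_FIRST)):
        print(name, order_dependent_groups(parse_igmpv3_report(pkt)))
```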

When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked.

The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.

There is no workaround. (CSCee16865)

Incomplete multicast traffic can be seen under either of these conditions:

You disable and then re-enable IP multicast routing on an interface.

A switch mroute table temporarily runs out of resources and recovers later.

The workaround is to enter the clear ip mroute privileged EXEC command on the interface. (CSCef42436)

When more multicast groups are configured than are supported by the selected Security Device Manager (SDM) template, Layer 2 multicast traffic is flooded on one or more multicast groups.

There is no workaround. (CSCef67261)

QoS

These are the QoS limitations:

Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than ten to avoid disabling the queue.

The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)

When traffic with different class of service (CoS) values is sent into an IEEE 802.1Q tunnel, only the CoS 0 statistics increment in the show mls qos interface user EXEC command display.

There is no workaround. (CSCeb75230)

The bandwidth interface configuration command is not supported at the interface level, but it appears in the CLI.

There is no workaround. (CSCeb80223)

The random-detect interface configuration command is not supported at the interface level, but it appears in the CLI.

There is no workaround. (CSCeb80300)

The display for the show policy-map interface user EXEC command shows zeros for the counters associated with class-map match criteria.

There is no workaround. (CSCec08205)

The priority policy-map class configuration command cannot be configured for the default traffic class in a policy map.

The workaround is to configure explicit matches for traffic that requires priority treatment. (CSCec38901)

Modifying a QoS class within a very large service policy that is attached to an ES port can cause high CPU utilization and an unresponsive CLI for an excessive period of time.

The workaround is to detach the service policy from the port while making the modifications and then to re-attach the service policy. (CSCec75945)

When packets are queued for egress on an ES port due to the application of a QoS service policy, they consume packet buffer memory on the switch. If many queues are simultaneously congested and are unable to drain, packet loss can occur in either direction (ingress or egress) due to the lack of buffer memory.

If this becomes a problem, you can change switch behavior by using the queue-limit policy-map class configuration command at the class level to set shorter queue depths. Each shaper has an associated buffer queue with a default depth of 128 packets.

For example:

Switch(config)# policy-map cos2-policy
Switch(config-pmap)# class cos2
Switch(config-pmap-c)# bandwidth 50000
Switch(config-pmap-c)# queue-limit 32

The point at which buffer memory is exhausted depends on the number of queues, the sizes of the queued packets, and whether or not the traffic pattern being sent to the switch allows the queues to drain at all.

Upgrading your switch to Cisco IOS Release 12.2(25)EY greatly reduces the possibility of this situation happening, although it can still occur with some configurations and traffic patterns. (CSCed83886)

When auto-QoS is enabled on the switch, priority queuing is not enabled. Instead, the switch uses shaped round robin (SRR) as the queuing mechanism. The auto-QoS feature is designed on each platform based on the feature set and hardware limitations, and the queuing mechanism supported on each platform might be different.

There is no workaround. (CSCee22591)

Routing

These are the routing limitations:

The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.

A route map that contains an ACL with a DSCP clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and issues an error message that shows that the route map is unsupported.

There is no workaround. (CSCea52915)

A spanning-tree loop might occur if all of these conditions are true:

Port security is enabled with the violation mode set to protected.

The maximum number of secure addresses is less than the number of switches connected to the port.

There is a physical loop in the network through a switch whose MAC address has not been secured, and its BPDUs cause a secure violation.

The workaround is to change any one of the listed conditions. (CSCed53633)

SPAN and RSPAN

These are the SPAN and Remote SPAN (RSPAN) limitations:

An egress SPAN copy of routed unicast traffic might show an incorrect destination MAC address on both local and remote SPAN sessions. This limitation does not apply to bridged packets. The workaround for local SPAN is to use the replicate option. There is no workaround for a remote SPAN session. This is a hardware limitation. (CSCdy72835)

Egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For remote SPAN packets, the source MAC address should be the MAC address of the egress VLAN, but instead the packet shows the MAC address of the remote SPAN (RSPAN) VLAN. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used and does not apply to bridged packets.

The workaround is to use the encapsulation replicate keywords in the monitor session global configuration command. This is a hardware limitation. (CSCdy81521)

During periods of very high traffic and when two RSPAN source sessions are configured, the VLAN ID of packets in one RSPAN session might overwrite the VLAN ID of the other RSPAN session. Packets intended for one RSPAN VLAN are incorrectly sent to the other RSPAN VLAN. This problem does not affect RSPAN destination sessions.

The workaround is to configure only one RSPAN source session. (CSCea72326)

The egress-SPAN data rate might degrade when fallback bridging or multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can process egress-SPAN at up to 40,000 packets per second (64-byte packets). When the total traffic being monitored is below this limit, there is no degradation. However, if the traffic exceeds the limit, only a portion of the source stream is monitored. When this occurs, this console message appears: Decreased egress SPAN rate.

In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be monitored. If fallback bridging and multicast routing are disabled, egress-SPAN monitoring is not degraded.

There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress-SPAN to observe the same traffic. (CSCeb01216)

Some IGMP report and query packets with IP options might not be ingress-span monitored. Packets that are susceptible to this problem are IGMP packets with 4 bytes of IP options (IP header length of 24). Examples of such packets are IGMP reports and queries having the router alert IP option. Ingress-span monitoring of such packets is not accurate and can vary with traffic rate. Typically, very few or none of these packets are monitored.

There is no workaround. (CSCeb23352)

Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) packets received from a SPAN source are not sent to the destination interfaces of a local SPAN session.

The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for a local SPAN session. (CSCed24036)

Trunking

These are the trunking limitations:

The switch treats frames received with mixed encapsulation (IEEE 802.1Q and Inter-Switch Link [ISL]) as frames with FCS errors, increments the error counters, and causes the port LED to blink amber. This happens when an ISL-unaware device receives an ISL-encapsulated packet and forwards the frame to an IEEE 802.1Q trunk interface.

There is no workaround. (CSCdz33708)

IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y. This is because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y.

There is no workaround. (CSCdz42909)

For trunk ports or access ports configured with IEEE 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid IEEE 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics.

There is no workaround. (CSCec35100)

Tunneling

This is the tunneling limitation:

VLAN mappings can be configured on a per-interface basis. A different set of mappings can be configured on each ES interface. The per-interface VLAN mappings remain in effect even when the ES ports are bundled in an EtherChannel. For example, if you map Gigabit Ethernet 1/1/1 to VLAN 20 through VLAN 50 and Gigabit Ethernet 1/1/2 to VLAN 20 through VLAN 70, traffic on VLAN 20 leaving the switch through the ES port bundle should be load-balanced across the individual ES interfaces. However, some of that traffic is incorrectly translated to VLAN 50, and some is incorrectly translated to VLAN 70.

The workaround is to configure identical VLAN mappings on both ES ports if they are going to be bundled into an EtherChannel. (CSCec49520)

VLAN

These are the VLAN limitations:

If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can halt.

The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)

A CPUHOG message sometimes appears when you configure a private VLAN. Enable port security on one or more of the ports affected by the private VLAN configuration.

There is no workaround. (CSCed71422)

When you apply a per-VLAN QoS per-port policer policy-map to a VLAN SVI, the second-level (child) policy-map in use cannot be re-used by another policy-map.

The workaround is to define another policy-map name for the second-level policy-map with the same configuration to be used for another policy-map. (CSCef47377)

Important Notes

These are the important notes related to this software release:

The behavior of the no logging on global configuration command changed in Cisco IOS Release 12.2(25)EY and later. In software releases earlier than Cisco IOS Release 12.2(25)EY, both of these command pairs disabled logging to the console:

the no logging on and then the no logging console global configuration commands

the logging on and then the no logging console global configuration commands

In Cisco IOS Release 12.2(18)SE and later, you can only use the logging on and then the no logging console global configuration commands to disable logging to the console. (CSCec71490)

Beginning with Cisco IOS Release 12.2(25)EY, ISL encapsulation is supported only on standard ports and not on enhanced services (ES) ports. The ES ports support only IEEE 802.1Q encapsulation and the switchport trunk encapsulation interface configuration command is no longer visible on these ports. When you are upgrading a switch from Cisco IOS Release 12.1(14)AX to Cisco IOS Release 12.2(25)EY or later, during the initial configuration process, the switchport trunk encapsulation option is rejected on ES ports and an error message appears. You can ignore this error message. If you save the new configuration by using the copy running-config startup-config privileged EXEC command and later re-install the Cisco IOS Release 12.1(14)AX image, the trunk encapsulation method originally configured on ES ports is lost and the ES ports use the default encapsulation method, which is to negotiate.

In Cisco IOS Release 12.1(14)AX and earlier, port-based EoMPLS sessions could only be configured on switch ports. In Cisco IOS Release 12.2(25)EY and later, port-based EoMPLS sessions can only be configured on routed ports.


Note This change is handled automatically during an upgrade to Cisco IOS 12.2(25)EY or later, but if a configuration is written to NVRAM and the switch is then reloaded with Cisco IOS 12.1(14)AX, the new-style configuration is lost.


Beginning with Cisco IOS Release 12.2(25)EY, you must specify the encapsulation type when using the xconnect interface configuration command.


Note This change is handled automatically during an upgrade to Cisco IOS 12.2(25)EY or later, but if a configuration is written to NVRAM and the switch is then reloaded with Cisco IOS 12.1(14)AX, the new-style configuration is lost.


In Cisco IOS Release 12.1(14)AX1, the switch supported point-to-point Layer 2 protocol tunneling, which was not documented in the Cisco IOS Release 12.1(14)AX software documentation. This information is in the Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.1(14) AX1 at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/ol464602.htm#wp44273

This information is part of Chapter 26, "Configuring QoS." For the complete chapter (minus these updates), go to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/3750mscg/swqos.htm

Open Caveats

These are the Cisco IOS severity-3 open configuration caveats with possible unexpected activity in this software release:

CSCeg09032

Open Shortest Path First (OSPF) routes might not appear in the routing table after a topology change if Incremental SPF (iSPF) is enabled.

The workaround is to disable iSPF.

CSCeg36369

A Catalyst ME 3750 running Release 12.1(14)AX2 fails to learn the source MAC address of a Cisco Discovery Protocol (CDP) frame when CDP is disabled on the port.

There is no workaround.

CSCeg44446

Policy-based routing (PBR) for IP Version 4 (IPv4) traffic is not available when you run IPv4 and IPv6 traffic on the switch. To run the IPv6 routing protocols on the switch, you need to use a Dual IPv4-IPv6 Switch Database Management (SDM) template. These SDM templates have no resource provisions for PBR.

There is no workaround.

CSCeh20081

When a trunk interface is converted to an IEEE 802.1Q tunnel, a traceback error similar to the following might appear:

3d20h: %PLATFORM_UCAST-3-LB: PI<->PD handles out of sync for Adj 222.1.1.1 LB -Traceback= 252620 A9204C A84E60 A86260 A92E7C AA36A0 AA3520 A96C60 A8A288 A78DC4 B095C8

There is no workaround. This does not affect switch functionality.

CSCeh21255

When Ethernet over MPLS (EoMPLS) is configured on a switch, if one ES port is put in an EtherChannel and the other ES port is left as a trunk, a Layer 2 loop can be generated, and a CPUHOG traceback can appear if looped traffic is being processed by the CPU.

The workaround is to remove the ES port from the EtherChannel. To avoid the condition when breaking up an EtherChannel that consists of ES ports, remove the port-channel interface, or remove the interfaces from the port-channel simultaneously by using the interface range configuration option.

CSCeh13477

When ES interfaces in an EtherChannel are carrying Multiprotocol Label Switching (MPLS) traffic and more routes are configured than are supported in the SDM template, messages similar to the following might appear when the interface is shut down and brought back up:

2d20h: %PLATFORM_UCAST-3-LB: PI<->PD handles out of sync for Adj 222.1.1.1 LB -Traceback= 252620 A919CC A847E0 A85BE0 A927FC AA2D28 A965E0 A89C08 A78744 B08F48 ADF504 ADDC4C AE3460 AD25CC B94AA0 B94F20

There is no workaround.

CSCei35702

The Cross Stack UplinkFast feature is delayed by 30 seconds when all the interfaces on the root switch are configured with the no shutdown interface configuration command.

There is no workaround; this is the expected behavior.

CSCei63394

When an IEEE 802.1x restricted VLAN is configured on a port and a hub with multiple devices is connected to that port, no syslog messages are generated.

This is not a supported configuration. Only one host should be connected to an IEEE 802.1x restricted VLAN port.

CSCei80087

When configuring a hierarchical policy map, changes to the match criteria of the VLAN level class-map do not take effect until the policy map is detached and reapplied.

The workaround is to detach the policy map from the interface, make the VLAN-level changes, and reapply the policy map.

CSCin33082

If the distance of two or more static IP routes is changed in a particular order, some routes do not appear in the routing table.

The workaround is to use the clear ip route privileged EXEC command.

CSCsb56438

There is an extra index in the port table of the ciscoStpExtensions MIB that does not exist in the portCrossIndex MIB. For example, extra indexes like 1000-16/40 are seen in stpxRootGuardConfigEnabled displays that do not exist in portCrossIndex, and they appear during an SNMP walk operation.

There is no workaround.

CSCsb60164

When a stack master fails or leaves the stack, a cross-stack EtherChannel in trunk mode running Link Aggregation Control Protocol (LACP) might stop forwarding traffic on some VLANs.

The workaround is to enable the stack-mac persistent feature by using the stack-mac persistent timer global configuration command. You can also use the shutdown interface configuration command and then the no shutdown command on the EtherChannel interface.

CSCsb62432

If two VLANs are configured on the same switch (for example, VLAN 1 and VLAN 2) with an SVI configured in VLAN 1 and an external bridging device connected to the switch, traffic sent from VLAN 2 to the SVI in VLAN 1 is dropped.

The workaround is to configure a static MAC address for the SVI in the MAC address table of VLAN 2.

CSCsb79198

During IEEE 802.1x authentication, a RADIUS server might download a per-user IP address access control list (ACL) or a MAC address ACL that is applied to the interface as part of the Access-Accept message. If the ACL is too large, the switch might not be able to apply it, and authentication fails and starts over.

The workaround is to reduce the size of the per-user ACL access control entries (ACEs) to less than 20 if ACLs are downloaded as part of IEEE 802.1x authorization.

CSCsb79318

If the re-authentication timer and re-authentication action are downloaded from the RADIUS server by using the Session-Timeout and Termination-Action RADIUS attributes, the switch performs the termination action even when the port is not configured with the dot1x timeout reauth server global configuration command, and it uses the Termination-Action downloaded from the RADIUS server as part of IEEE 802.1x authorization.

The workaround is to remove the Termination-Action attribute from the IEEE 802.1x policy on the RADIUS server if dot1x timeout reauth server is not configured on the port.

CSCsb81283

MAC address notification traps do not work when port security is enabled on the interface.

The workaround is to disable port security on the interface.

CSCsb82422

The switch does not forward an IEEE 802.1x request that has null credentials.

There is no workaround.

CSCsb87895

Hierarchical per-VLAN policy-map police action does not work if there is no configured child policy-map in the first class-map.

The workaround is to add any child policy-map to the first class-map or to move the class-map so that it is not the first class-map in the policy-map.

CSCsb97854

When a source port for a SPAN session has IEEE 802.1x enabled, Extensible Authentication Protocol over LAN (EAPOL) packets are not visible to the packet sniffing tool.

The workaround is to enable a voice VLAN on the SPAN source port.

Resolved Caveats

These are the caveats that have been resolved in these releases.

"Resolved Caveats in Cisco IOS Release 12.2(25)SED1" section

"Resolved Caveats in Cisco IOS Release 12.2(25)SED" section

Resolved Caveats in Cisco IOS Release 12.2(25)SED1

These caveats were resolved:

CSCeh43851

The switch no longer drops IP packets with an encrypted TCP header or with a TCP header that is fragmented into two different Ethernet frames.

CSCsc33604

The maximum transmission unit (MTU) jumbo setting now provides the upper limit for the multiprotocol label switching (MPLS) MTU configuration range.

CSCsc41813

A switch running Cisco IOS Release 12.2(25)SED might reload or display error messages when the user attempts to access the flash filesystem. This might occur when using the dir or copy commands on the flash filesystem, or changing boot configurations, such as boot system filename.

To avoid this problem, you can upgrade the switch software to Cisco IOS Release 12.2(25)SED1.

Resolved Caveats in Cisco IOS Release 12.2(25)SED

These caveats were resolved:

CSCeb35422

On a voice VLAN port with both IEEE 802.1x and port security enabled, dynamic secure addresses are now deleted when the port is changed from multihost mode to single-host mode. This problem no longer occurs under these conditions:

The port is in an authorized state.

The port learns the MAC addresses of multiple hosts.

VLAN assignment is not enabled for the authorized host.

CSCec19825

When the receive rate is 100 Mbps and the sample interval (historyControlInterval) is more than 45 seconds, the calculation of the SNMP etherHistoryUtilization report is now correct and no longer shows a much lower utilization than expected.

CSCef37624

You can now ping a Layer 3 interface that has a Network Address Translation (NAT) configuration.

CSCef65928

When a class map of an attached policy map has its match condition removed and is then re-applied, free memory is no longer lost.

CSCef94884

Unconfiguring OSPFv3 no longer causes a memory leak.

CSCeg27382

If the per-VLAN QoS per-port policer policy-map is already attached to a VLAN Switched Virtual Interface (SVI), you cannot modify the second level (port-level) policy-map. If you modify the policy-map by removing the policer while the policy-map is still attached, an error message appears, and the policy-map is detached by the switch. You can now reapply the policer to that policy-map after the policer is removed and the policy-map is detached from the interface.

CSCeg29704

When QoS is enabled, bursty and TCP-based applications no longer have significant performance degradation due to unexpected packet drops on some of the egress queues.

CSCeg52581

If you start a session on a switch cluster member by using the rcommand user EXEC command, the commands that you enter in the rcommand session now respect the authorization status on the cluster command switch.

CSCeg77479

If the pathnames for the system image and boot filenames are each more than 75 characters, all characters are now displayed when you enter the show version user EXEC command.

CSCeh08767

When the bgp suppress-inactive command was toggled, the Border Gateway Protocol (BGP) table showing version numbers for prefixes that BGP could not install in the RIB could increase constantly.

CSCeh12034

The Catalyst 3750 Metro switch no longer compares incoming MPLS traffic against the MPLS maximum transmission unit (MTU) size.

CSCeh15382

When a customer-edge (CE) device is connected to a Catalyst 3750 Metro switch through an EtherChannel that is in an Ethernet over MPLS (EoMPLS) port tunnel, reloading the CE no longer causes a traceback error.

CSCeh16771

In a hierarchical service policy, if a two-rate, three-level policer does not have a specified action to perform on packets that exceed the peak information rate (PIR), when the configuration is written to NVRAM, the switch configuration no longer contains corrupted characters. If the switch reloads, the policer is not rejected because of a corrupted configuration.

CSCeh25207

If a hierarchical service policy attached to an enhanced services (ES) interface is modified to include an invalid statement (for example, a set action in a VLAN class or a mixture of VLAN and QoS class matches at the same level of the hierarchy), the switch now automatically returns to the last valid configuration. The invalid command is not saved in the configuration, and the switch no longer reloads if you globally disable and re-enable QoS.

CSCei09731

If multiple paths to a recursive route are available and not all packets are tagged or untagged, a switch running Cisco IOS Release 12.2(25)EY2 no longer fails.

CSCei19583

On a switch running Cisco IOS Release 12.2(25)EY2 on which MPLS is configured, MPLS packets are now forwarded correctly from one VLAN to another VLAN.

CSCsb54920

After the switch restarts, ingress traffic policing with nonhierarchical service policies now works properly on ES ports.

CSCsb75533

A Catalyst 2970 switch running Release 12.2(25)SEB1 and a vendor type of cevPortGigBaseLX does not display the SNMP table entAliasMappingTable.

CSCsc06286

When there are more than 16 switch ports configured with IEEE 802.1x authentication or port-security in the protect or restrict mode, the switch no longer allows traffic on ports in the unauthorized state.

Documentation Updates

This section provides these updates to the product documentation:

"Updates for the Software Configuration Guide" section

"Updates for the Command Reference" section

"Updates for the Hardware Installation Guide" section

Updates for the Software Configuration Guide

These are the documentation updates for the software configuration guides for this release:

In Cisco IOS Release 12.2(25)SED or later, the switch supports hierarchical virtual private LAN service (H-VPLS) architecture to simulate LAN services over the MPLS network. The switch supports H-VPLS using IEEE 802.1Q tunneling or Ethernet over multiprotocol label switching (EoMPLS). For more information, see these software documents:

For information about EoMPLS, see the "Understanding EoMPLS" section in the "Configuring MPLS and EoMPLS" chapter in the software configuration guide.

For information about configuring EoMPLS, see the "Enabling EoMPLS" section in the "Configuring MPLS and EoMPLS" chapter in the software configuration guide.

For information about the EoMPLS configuration commands, see the command reference.

For information about IEEE 802.1Q tunneling, see the "Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling" chapter in the software configuration guide.

For information about configuring H-VPLS on Cisco 7600 routers, see the "Configuring Multiprotocol Label Switching on the Optical Services Modules" section in the OSM Configuration Note, 12.2SX at

http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/optical/122sx/mpls.htm

In the "Secondary and Primary VLAN Configuration" section in the "Configuring Private VLANs" chapter, and in the "IEEE 802.1Q Tunneling Configuration" section in the "IEEE 802.1Q and Layer 2 Protocol Tunneling" chapter, this guideline is added:

To allow data to pass between two private VLANs through a tunnel, configure VLAN translation on the ES ports of the edge switches and use the same VLAN ID on the private VLAN ports of the switches.

In the "DHCP Snooping Binding Database" section in the "Configuring DHCP Features and IP Source Guard" chapter, the information in the third and fifth paragraphs is incorrect. This is the correct information:

To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.

When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. It also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.

In the "Enabling the DHCP Snooping Binding Database Agent" section in the "Configuring DHCP Features and IP Source Guard" chapter, this information is added to Step 6:

Use the ip dhcp snooping binding privileged EXEC command when you are testing or debugging the switch.

In the "Enabling the DHCP Snooping Binding Database Agent" section in the "Configuring DHCP Features and IP Source Guard" chapter, the information about the no ip dhcp snooping database global configuration command is incorrect. This is the correct information:

To stop using the database agent and bindings file, use the no ip dhcp snooping database global configuration command.

In the "Configuration Guidelines" section of the "Understanding Port Security" section in the "Configuring Port-Based Traffic Control" chapter, this information is incorrect:

Port security can only be configured on static access ports or trunk ports. A secure port cannot be a dynamic access port.

This is the correct information:

Port security can only be configured on static access ports, trunk ports, or tunnel ports. A secure port cannot be a dynamic access port.

In the "Configuring QoS" chapter of the software configuration guides for Cisco IOS Release 12.2(25)EY and Cisco IOS Release 12.1(14)AX, the examples that have this command are incorrect:

switchport trunk encapsulation isl

The correct command is switchport trunk encapsulation dot1q.

This information is incorrect in the "Configuring QoS" chapter of the software configuration guide:

If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is disabled.

This is the correct information:

If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled.

In the "Hierarchical QoS Configuration Guidelines" section of the "Configuring QoS" chapter, this guideline is added:

If an egress hierarchical policy map includes the set policy-map class configuration command, the port trust state is not affected. For example, setting the CoS to 2 only affects the CoS value of the packet, and the DSCP value of the packet is not modified based on the CoS-to-DSCP map.

The show mac-address-table multicast user EXEC command is not supported.

In Cisco IOS Release 12.2(25)EY and later, the snmp-server ifindex persist global command is not supported.

This section was added to the "Configuring IEEE 802.1x Port-Based Authentication" chapter:

Using IEEE 802.1x with Restricted VLAN

You can configure a restricted VLAN (sometimes called an authentication failed VLAN) for each IEEE 802.1x port on a switch to provide limited services to clients that cannot access the guest VLAN. These clients are IEEE 802.1x-compliant and cannot access another VLAN because they fail the authentication process. A restricted VLAN allows users without valid credentials on an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the restricted VLAN.


Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both types of users.


Without this feature, the client indefinitely attempts and fails authentication and the switch port remains in the spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts).

The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured maximum authentication attempts, the port moves to the restricted VLAN. The failed attempt count increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt counter resets.

Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable re-authentication. If you do this, the only way to start the authentication process again is for the port to receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event.

After a port moves to the restricted VLAN, it sends a simulated EAP success message to the client instead of an EAP failure message. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success.

Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.

You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

This feature works with port security. As soon as the port is authorized, a MAC address is provided to port security. If port security does not permit the MAC address or if the maximum secure address count is reached, the port becomes unauthorized and error-disabled.

Other port security features such as Dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN.

These are the updates for the "IEEE 802.1x Configuration Guidelines" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter:

You can configure any VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

You can configure IEEE 802.1x on a private-VLAN port, but do not configure IEEE 802.1x with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user ACL on private-VLAN ports.
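The restricted-VLAN placement rules above can be checked mechanically before a configuration is deployed. The following Python audit is an added example, not Cisco code: it scans a configuration for dot1x auth-fail vlan and flags ports or VLANs that break those rules. The sample configuration is constructed, and the finding names and the choice to treat a port without an explicit switchport mode access line as not being an access port are assumptions of this example.

```python
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
vlan 40
 name RESTRICTED
vlan 50
 name VOICE
vlan 60
 remote-span
vlan 70
 private-vlan primary
!
interface GigabitEthernet1/0/1
 switchport mode access
 dot1x port-control auto
 dot1x auth-fail vlan 40
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 50
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x auth-fail vlan 50
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 dot1x auth-fail vlan 60
!
interface GigabitEthernet1/0/4
 switchport mode private-vlan host
 dot1x port-control auto
 dot1x auth-fail vlan 70
!
interface GigabitEthernet1/0/5
 no switchport
 dot1x auth-fail vlan 40
"""


def parse_config(text):
    """Split an IOS-style config into per-VLAN and per-interface command lists."""
    vlans, ifaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():            # indented: belongs to the open section
            if current is not None:
                current.append(line)
            continue
        vlan = re.fullmatch(r"vlan (\d+)", line)
        if vlan:
            current = vlans.setdefault(int(vlan.group(1)), [])
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        else:
            current = None              # any other top-level command
    return vlans, ifaces


def _first_int(cmds, pattern):
    """Return the integer captured by the first command matching pattern."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return None


def audit_restricted_vlans(text):
    """Return sorted (interface, finding) pairs for restricted-VLAN rule violations."""
    vlans, ifaces = parse_config(text)
    # Interpretation used here: a VLAN is a voice VLAN if any port names it as one.
    voice = {_first_int(c, r"switchport voice vlan (\d+)") for c in ifaces.values()}
    voice.discard(None)
    findings = []
    for name, cmds in ifaces.items():
        rvlan = _first_int(cmds, r"dot1x auth-fail vlan (\d+)")
        if rvlan is None:
            continue                    # no restricted VLAN on this port
        mode = next((c[len("switchport mode "):] for c in cmds
                     if c.startswith("switchport mode ")), "unspecified")
        if "no switchport" in cmds:
            mode = "routed"
        if mode.startswith("private-vlan"):
            findings.append((name, "PRIVATE_VLAN_PORT"))
        elif mode != "access":          # trunk, routed, or no explicit access mode
            findings.append((name, "NOT_ACCESS_PORT"))
        if "dot1x host-mode multi-host" in cmds:
            findings.append((name, "NOT_SINGLE_HOST"))
        vlan_cmds = vlans.get(rvlan, [])
        if "remote-span" in vlan_cmds:
            findings.append((name, "RSPAN_VLAN"))
        if "private-vlan primary" in vlan_cmds:
            findings.append((name, "PRIMARY_PRIVATE_VLAN"))
        if rvlan in voice:
            findings.append((name, "VOICE_VLAN"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit_restricted_vlans(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

VLANs held only in the VLAN database and not in the configuration text are invisible to this check, so RSPAN and primary private-VLAN findings depend on the vlan sections being present in the input.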

This section was added to the "Configuring Flex Links and the MAC Address-Table Move Update Feature" chapter:

Understanding MAC Address-Table Move Update

The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence when a primary (forwarding) link goes down and the standby link begins forwarding traffic.

In Figure 1, switch A is an access switch, and ports 1 and 2 on switch A are connected to uplink switches B and D through a Flex Link pair. Port 1 is forwarding traffic, and port 2 is in the backup state. Traffic from the PC to the server is forwarded from port 1 to port 3. The MAC address of the PC has been learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1.

If the MAC address-table move update feature is not configured and port 1 goes down, port 2 starts forwarding traffic. However, for a short time, switch C keeps forwarding traffic from the server to the PC through port 3, and the PC does not get the traffic because port 1 is down. If switch C removes the MAC address of the PC on port 3 and relearns it on port 4, traffic can then be forwarded from the server to the PC through port 2.

If the MAC address-table move update feature is configured and enabled on the switches in Figure 1 and port 1 goes down, port 2 starts forwarding traffic from the PC to the server. The switch sends a MAC address-table move update packet from port 2. Switch C gets this packet on port 4 and immediately learns the MAC address of the PC on port 4, which reduces the reconvergence time.

You can configure the access switch, switch A, to send MAC address-table move update messages. You can also configure the uplink switches B, C, and D to get and process the MAC address-table move update messages. When switch C gets a MAC address-table move update message from switch A, switch C learns the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding table entry for the PC. The switch then starts forwarding traffic from the server to the PC through port 4, which reduces the loss of traffic from the server to the PC.

Figure 1 MAC Address-Table Move Update Example

Configuring the MAC Address-Table Move Update Feature

Follow these guidelines to configure the MAC address-table move update feature:

You can enable and configure this feature on the access switch to send the MAC address-table move updates.

You can enable and configure this feature on the uplink switches to get the MAC address-table move updates.

Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates:

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48. |
| Step 3 | switchport backup interface interface-id | Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. The MAC address-table move update VLAN is the lowest VLAN ID on the interface. When one link is forwarding traffic, the other interface is in standby mode. |
| or | switchport backup interface interface-id mmu primary vlan vlan-id | Configure a physical Layer 2 interface (or port channel) and specify the VLAN ID on the interface, which is used for sending the MAC address-table move update. When one link is forwarding traffic, the other interface is in standby mode. |
| Step 4 | exit | Return to global configuration mode. |
| Step 5 | mac address-table move update transmit | Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link. |
| Step 6 | end | Return to privileged EXEC mode. |
| Step 7 | show mac address-table move update | Verify the configuration. |
| Step 8 | copy running-config startup-config | (Optional) Save your entries in the switch startup configuration file. |

To disable the MAC address-table move update feature on the access switch, use the no mac address-table move update transmit global configuration command. To display the MAC address-table move update information, use the show mac address-table move update privileged EXEC command.

This example shows how to configure an access switch to send MAC address-table move update messages:

Switch# configure terminal
Switch(config)# interface fastethernet1/0/1
Switch(config-if)# switchport backup interface fastethernet1/0/2 mmu primary vlan 2
Switch(config-if)# exit
Switch(config)# mac address-table move update transmit
Switch(config)# end

Verify the configuration as shown in this example:

Switch# show mac address-table move update
Switch-ID : 01d0.2bfc.3180
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/Off, Xmt Off/Off
Max packets per min : Rcv 40, Xmt 60 
Rcv packet count : 0
Rcv conforming packet count : 0
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : None
Rcv last src-mac-address : 0000.0000.0000
Rcv last switch-ID : 0000.0000.0000 
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None

Beginning in privileged EXEC mode, follow these steps to configure a switch to get and process MAC address-table move update messages:

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | mac address-table move update receive | Enable the switch to get and process the MAC address-table move updates. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show mac address-table move update | Verify the configuration. |
| Step 5 | copy running-config startup-config | (Optional) Save your entries in the switch startup configuration file. |

To disable the MAC address-table move update feature on the access switch, use the no mac address-table move update receive global configuration command. To display the MAC address-table move update information, use the show mac address-table move update privileged EXEC command.

This example shows how to configure a switch to get and process MAC address-table move update messages:

Switch# configure terminal
Switch(config)# mac address-table move update receive
Switch(config)# end

This section is added to the "Configuring IEEE 802.1x Port-Based Authentication" chapter:

Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch, clients that are IEEE 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode.

Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional.

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Configuration Guidelines" section on page 10-18. |
| Step 3 | switchport mode access | Set the port to access mode. |
| or | switchport mode private-vlan host | Configure the Layer 2 port as a private-VLAN host port. |
| Step 4 | dot1x port-control auto | Enable IEEE 802.1x authentication on the port. |
| Step 5 | dot1x auth-fail vlan vlan-id | Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN. |
| Step 6 | end | Return to privileged EXEC mode. |
| Step 7 | show dot1x interface interface-id | (Optional) Verify your entries. |
| Step 8 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state.

This example shows how to enable VLAN 2 as an IEEE 802.1x restricted VLAN:

Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# dot1x auth-fail vlan 2

Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts.

Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Configuration Guidelines" section on page 10-18. |
| Step 3 | switchport mode access | Set the port to access mode. |
| or | switchport mode private-vlan host | Configure the Layer 2 port as a private-VLAN host port. |
| Step 4 | dot1x port-control auto | Enable IEEE 802.1x authentication on the port. |
| Step 5 | dot1x auth-fail vlan vlan-id | Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN. |
| Step 6 | dot1x auth-fail max-attempts max-attempts | Specify a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3. |
| Step 7 | end | Return to privileged EXEC mode. |
| Step 8 | show dot1x interface interface-id | (Optional) Verify your entries. |
| Step 9 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command.

This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:

Switch(config-if)# dot1x auth-fail max-attempts 2

Updates for the Command Reference

These are updates to the command reference:

In Cisco IOS Release 12.2(25)EY1 and earlier, the range for the message-timer-interval in the udld message time message-timer-interval global configuration command is 7 to 90 seconds. In Cisco IOS Release 12.2(25)EY2 and later, the range for the message-timer-interval is 1 to 90 seconds.

The description and usage guidelines for the ip dhcp snooping database global configuration command are incorrect. This is the correct information:

Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.

If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.

Use the no ip dhcp snooping database command to disable the agent.

These commands were added for this release:

clear mac address-table move update

Use the clear mac address-table move update privileged EXEC command on the switch to clear the MAC address-table move update-related counters.

clear mac address-table move update

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

| Release | Modification |
|---|---|
| 12.2(25)SED | This command was introduced. |

Examples

This example shows how to clear the MAC address-table move update-related counters:

Switch# clear mac address-table move update

You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.

Related Commands

| Command | Description |
|---|---|
| mac address-table move update {receive \| transmit} | Configures MAC address-table move update on the switch. |
| show mac address-table move update | Displays the MAC address-table move update information on the switch. |

dot1x auth-fail max-attempts

Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.

dot1x auth-fail max-attempts max-attempts

no dot1x auth-fail max-attempts

Syntax Description

max-attempts

Specify an allowed maximum of authentication attempts before a port is moved to the restricted VLAN. The range is 1 to 3, and the default value is 3.


Defaults

The default value is 3 attempts.

Command Modes

Interface configuration

Command History

| Release | Modification |
|---|---|
| 12.2(25)SED | This command was introduced. |


Usage Guidelines

If you reconfigure the allowable maximum number of authentication attempts, the change takes effect after the re-authentication timer expires.

Examples

This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on port 3:

Switch# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# dot1x auth-fail max-attempts 2
Switch(config-if)# exit
Switch(config)# end
Switch#

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

| Command | Description |
|---|---|
| dot1x auth-fail vlan [vlan id] | Enables the optional restricted VLAN feature. |
| dot1x max-reauth-req [count] | Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state. |
| show dot1x [interface interface-id] | Displays IEEE 802.1x status for the specified port. |


dot1x auth-fail vlan

Use the dot1x auth-fail vlan interface configuration command on the switch to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.

dot1x auth-fail vlan vlan-id

no dot1x auth-fail vlan vlan-id

Syntax Description

vlan-id

Specify a VLAN in the range of 1 to 4094.


Defaults

No restricted VLAN is configured.

Command Modes

Interface configuration

Command History

| Release | Modification |
|---|---|
| 12.2(25)SED | This command was introduced. |


Usage Guidelines

You can configure a restricted VLAN on ports configured as follows:

single-host (default) mode

auto mode for authorization

You should enable re-authentication. Otherwise, the ports in restricted VLANs do not receive re-authentication requests. To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.

If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:

If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.

Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.

A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.

Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.

When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.

When you reconfigure a restricted VLAN as a different VLAN, any ports in the restricted VLAN are also moved, and the ports stay in their currently authorized state.

When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state, and the authentication process restarts. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted so that when the restricted VLAN becomes active, the port is immediately placed in the restricted VLAN.

The restricted VLAN is supported only in single host mode (the default port mode). For this reason, when a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table, and any other MAC address that appears on the port is treated as a security violation.

Examples

This example shows how to configure a restricted VLAN on port 1:

Switch# configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# dot1x auth-fail vlan 40
Switch(config-if)# exit
Switch(config)# end
Switch#

You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.
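The restricted VLAN rules in the steps and usage guidelines above can be checked against a saved configuration before it is deployed. The following Python audit is an added example, not Cisco code: the configuration excerpt is constructed, the function names are hypothetical, and it assumes that `dot1x reauthentication`, `dot1x host-mode multi-host`, `switchport voice vlan` and `remote-span` appear in the configuration in that form (these commands are not shown in these release notes).

```python
import re

# Constructed running-config excerpt for illustration (not from the release notes).
SAMPLE_CONFIG = """\
vlan 50
 remote-span
!
interface GigabitEthernet1/0/1
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 dot1x auth-fail vlan 40
 dot1x auth-fail max-attempts 2
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 60
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x auth-fail vlan 60
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 dot1x auth-fail vlan 50
"""


def parse_blocks(config):
    """Group indented sub-commands under their top-level header line."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif not raw.startswith(" "):
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return blocks


def first_int(cmds, pattern):
    """Return the integer captured by the first command matching pattern."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return None


def audit_restricted_vlan(config):
    """Return {interface: [issue codes]} for ports with a restricted VLAN."""
    blocks = parse_blocks(config)
    voice_vlans, rspan_vlans = set(), set()
    for header, cmds in blocks.items():
        m = re.fullmatch(r"vlan (\d+)", header)
        if m and "remote-span" in cmds:
            rspan_vlans.add(int(m.group(1)))
        voice = first_int(cmds, r"switchport voice vlan (\d+)")
        if voice is not None:
            voice_vlans.add(voice)

    report = {}
    for header, cmds in blocks.items():
        if not header.startswith("interface "):
            continue
        vlan = first_int(cmds, r"dot1x auth-fail vlan (\d+)")
        if vlan is None:
            continue  # no restricted VLAN on this port
        issues = []
        if not 1 <= vlan <= 4094:
            issues.append("vlan-out-of-range")
        if vlan in voice_vlans:
            issues.append("restricted-vlan-is-voice-vlan")
        if vlan in rspan_vlans:
            issues.append("restricted-vlan-is-rspan-vlan")
        if not ({"switchport mode access",
                 "switchport mode private-vlan host"} & set(cmds)):
            issues.append("port-mode")
        if "dot1x port-control auto" not in cmds:
            issues.append("port-control-not-auto")
        if "dot1x host-mode multi-host" in cmds:
            issues.append("not-single-host")
        # The usage guidelines say re-authentication should be enabled.
        if "dot1x reauthentication" not in cmds:
            issues.append("reauthentication-disabled")
        attempts = first_int(cmds, r"dot1x auth-fail max-attempts (\d+)")
        if attempts is not None and not 1 <= attempts <= 3:
            issues.append("max-attempts-out-of-range")
        report[header.split()[1]] = issues
    return report


if __name__ == "__main__":
    for port, issues in audit_restricted_vlan(SAMPLE_CONFIG).items():
        print(port, issues or "ok")
```
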

Related Commands

| Command | Description |
|---|---|
| dot1x auth-fail max-attempts [max-attempts] | Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN. |
| show dot1x [interface interface-id] | Displays IEEE 802.1x status for the specified port. |


mac address-table move update

Use the mac address-table move update global configuration command on the switch to enable the MAC address-table move update feature. Use the no form of this command to return to the default setting.

mac address-table move update {receive | transmit}

no mac address-table move update {receive | transmit}

Syntax Description

receive

Specify that the switch processes MAC address-table move update messages.

transmit

Specify that the switch sends MAC address-table move update messages to other switches in the network if the primary link goes down and the standby link comes up.


Command Modes

Global configuration.

Defaults

By default, the MAC address-table move update feature is disabled.

Command History

| Release | Modification |
|---|---|
| 12.2(25)SED | This command was introduced. |


Usage Guidelines

The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence if a primary (forwarding) link goes down and the standby link begins forwarding traffic.

You can configure the access switch to send the MAC address-table move update messages if the primary link goes down and the standby link comes up. You can configure the uplink switches to receive and process the MAC address-table move update messages.

Examples

This example shows how to configure an access switch to send MAC address-table move update messages:

Switch# configure terminal
Switch(config)# mac address-table move update transmit
Switch(config)# end

This example shows how to configure an uplink switch to get and process MAC address-table move update messages:

Switch# configure terminal
Switch(config)# mac address-table move update receive
Switch(config)# end

You can verify your settings by entering the show mac address-table move update privileged EXEC command.

show mac address-table move update

Use the show mac address-table move update user EXEC command to display the MAC address-table move update information on the switch.

show mac address-table move update [ | {begin | exclude | include} expression]

Syntax Description

| begin

(Optional) Display begins with the line that matches the expression.

| exclude

(Optional) Display excludes lines that match the expression.

| include

(Optional) Display includes lines that match the specified expression.

expression

Expression in the output to use as a reference point.


Command Modes

User EXEC

Command History

| Release | Modification |
|---|---|
| 12.2(25)SED | This command was introduced. |


Usage Guidelines

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.

Examples

This is an example of output from the show mac address-table move update command:

Switch> show mac address-table move update
Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/On
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 10
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 0003.fd6a.8701
Rcv last switch-ID : 0303.fd63.7600
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
Switch>
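The counters in this output are the place to watch for unexpected move update traffic on a switch. The following Python check is an added example, not part of the Cisco documentation: it parses output in the format shown above and flags receive or transmit state that does not match the switch's role, invalid packets, exceeded receive thresholds, and updates arriving on an interface that is not an expected uplink. The sample text is constructed from the format above with changed counter values, and the role names, expected-interface list and function names are assumptions.

```python
import re

# Constructed sample: the output format from this section, with counter
# values changed to exercise the checks.
SAMPLE_OUTPUT = """\
Switch> show mac address-table move update
Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/Off
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 10
Rcv conforming packet count : 5
Rcv invalid packet count : 3
Rcv packet count this min : 0
Rcv threshold exceed count : 2
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 0003.fd6a.8701
Rcv last switch-ID : 0303.fd63.7600
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
"""


def parse_mmu_status(text):
    """Return the output as {field name: value} plus current Rcv/Xmt state."""
    fields = {}
    for line in text.splitlines():
        # MAC addresses use dots, so the first ':' always ends the field name.
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    m = re.search(r"Rcv (\w+)/(\w+), Xmt (\w+)/(\w+)",
                  fields.get("Default/Current settings", ""))
    if not m:
        raise ValueError("Default/Current settings line not found")
    fields["rcv_enabled"] = m.group(2) == "On"   # current, not default
    fields["xmt_enabled"] = m.group(4) == "On"
    return fields


def audit_mmu(text, role, expected_rcv_interfaces=()):
    """Return [(code, detail)] findings; role is 'access' or 'uplink'.

    Assumed policy: access switches only transmit move updates and uplink
    switches only receive them, as in the configuration procedures.
    """
    s = parse_mmu_status(text)
    findings = []
    if s["rcv_enabled"] != (role == "uplink"):
        findings.append(("receive-state",
                         f"receive is {'on' if s['rcv_enabled'] else 'off'} "
                         f"on {role} switch"))
    if s["xmt_enabled"] != (role == "access"):
        findings.append(("transmit-state",
                         f"transmit is {'on' if s['xmt_enabled'] else 'off'} "
                         f"on {role} switch"))
    invalid = int(s["Rcv invalid packet count"])
    if invalid:
        findings.append(("invalid-packets",
                         f"{invalid} invalid move update packets received"))
    exceeded = int(s["Rcv threshold exceed count"])
    if exceeded:
        limit = s.get("Max packets per min", "unknown")
        findings.append(("rate-threshold-exceeded",
                         f"receive limit exceeded {exceeded} times ({limit})"))
    last_if = s["Rcv last interface"]
    if last_if != "None" and last_if not in expected_rcv_interfaces:
        findings.append(("unexpected-interface",
                         f"last update from {last_if}, switch-ID "
                         f"{s['Rcv last switch-ID']}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_mmu(SAMPLE_OUTPUT, "uplink", ("Po1",)):
        print(f"{code}: {detail}")
```
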

Related Commands

| Command | Description |
|---|---|
| clear mac address-table move update | Clears the MAC address-table move update counters. |
| mac address-table move update {receive \| transmit} | Configures MAC address-table move update on the switch. |


Updates for the Hardware Installation Guide

The Preface for the Catalyst 3750 Metro Switch Hardware Installation Guide does not include the translations for the Warning symbol and explanation (Statement 1071) or a change to the Warning statement about installation for short-circuit (overcurrent) protection (Statement 1005-Circuit Breaker) in Appendix E, "Translated Safety Warnings."

This information is in the Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.1(14)AX at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/ol464601.htm#35851

This warning was added to the Catalyst 3750 Metro Switch Hardware Installation Guide:

Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails

Warning


Voice over IP (VoIP) service and the emergency calling service do not function if power fails or is disrupted. After power is restored, you might have to reset or reconfigure equipment to regain access to VoIP and the emergency calling service. In the USA, this emergency number is 911. You need to be aware of the emergency number in your country. Statement 361

Waarschuwing

Voice over IP (VoIP)-service en de service voor noodoproepen werken niet indien er een stroomstoring is. Nadat de stroomtoevoer is hersteld, dient u wellicht de configuratie van uw apparatuur opnieuw in te stellen om opnieuw toegang te krijgen tot VoIP en de noodoproepen. In de VS is het nummer voor noodoproepen 911. U dient u zelf op de hoogte te stellen van het nummer voor noodoproepen in uw land.

Varoitus

Voice over IP (VoIP) -palvelu ja hätäpuhelupalvelu eivät toimi, jos virta katkeaa tai sen syötössä esiintyy häiriöitä. Kun virransyöttö on taas normaali, sinun täytyy mahdollisesti asettaa tai määrittää laitteisto uudelleen, jotta voisit jälleen käyttää VoIP-palvelua ja hätäpuhelupalvelua. Yhdysvalloissa hätänumero on 911. Selvitä, mikä on omassa kotimaassasi käytössä oleva hätänumero.

Attention

Le service Voice over IP (VoIP) et le service d'appels d'urgence ne fonctionnent pas en cas de panne de courant. Une fois que le courant est rétabli, vous devrez peut-être réinitialiser ou reconfigurer le système pour accéder de nouveau au service VoIP et à celui des appels d'urgence. Aux États-Unis, le numéro des services d'urgence est le 911. Vous devez connaître le numéro d'appel d'urgence en vigueur dans votre pays.

Warnung

Bei einem Stromausfall oder eingeschränkter Stromversorgung funktionieren VoIP-Dienst und Notruf nicht. Sobald die Stromversorgung wieder hergestellt ist, müssen Sie möglicherweise die Geräte zurücksetzen oder neu konfigurieren, um den Zugang zu VoIP und Notruf wieder herzustellen. Die Notrufnummer in den USA lautet 911. Wählen Sie im Notfall die für Ihr Land vorgesehene Notrufnummer.

Avvertenza

Il servizio Voice over IP (VoIP) e il servizio per le chiamate di emergenza non funzionano in caso di interruzione dell'alimentazione. Ristabilita l'alimentazione, potrebbe essere necessario reimpostare o riconfigurare l'attrezzatura per ottenere nuovamente l'accesso al servizio VoIP e al servizio per le chiamate di emergenza. Negli Stati Uniti, il numero di emergenza è 911. Si consiglia di individuare il numero di emergenza del proprio Paese.

Advarsel

Tjenesten Voice over IP (VoIP) og nødanropstjenesten fungerer ikke ved strømbrudd. Etter at strømmen har kommet tilbake, må du kanskje nullstille eller konfigurere utstyret på nytt for å få tilgang til VoIP og nødanropstjenesten. I USA er dette nødnummeret 911. Du må vite hva nødnummeret er i ditt land.

Aviso

O serviço Voice over IP (VoIP) e o serviço de chamadas de emergência não funcionam se houver um corte de energia. Depois do fornecimento de energia ser restabelecido, poderá ser necessário reiniciar ou reconfigurar o equipamento para voltar a utilizar os serviços VoIP ou chamadas de emergência. Nos EUA, o número de emergência é o 911. É importante que saiba qual o número de emergência no seu país.

¡Advertencia!

El servicio de voz sobre IP (VoIP) y el de llamadas de emergencia no funcionan si se interrumpe el suministro de energía. Tras recuperar el suministro es posible que deba que restablecer o volver a configurar el equipo para tener acceso a los servicios de VoIP y de llamadas de emergencia. En Estados Unidos el número de emergencia es el 911. Asegúrese de obtener el número de emergencia en su país.

Varning!

Tjänsten Voice over IP (VoIP) och larmnummertjänsten fungerar inte vid strömavbrott. Efter att strömmen kommit tillbaka måste du kanske återställa eller konfigurera om utrustningen för att få tillgång till VoIP och larmnummertjänsten. I USA är det här larmnumret 911. Du bör ta reda på det larmnummer som gäller i ditt land.

 

 



Related Documentation

These documents provide information about the switch and are available from this Cisco.com site:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.

Catalyst 3750 Metro Switch Software Configuration Guide (order number DOC-7816793=)

Catalyst 3750 Metro Switch Command Reference (order number DOC-7816797=)

Catalyst 3750 Metro Switch System Message Guide (order number DOC-7816792=)

Catalyst 3750 Metro Switch Hardware Installation Guide (order number DOC-7815869=)

Cisco Small Form-Factor Pluggable Modules Installation Notes (not orderable but available on Cisco.com)

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.

Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies — security-alert@cisco.com

Nonemergencies — psirt@cisco.com


Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:

http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on


In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html