Table Of Contents
Finding the Software Version and Feature Set
Recovering from a Software Failure
Minimum Cisco IOS Release for Major Features
Bidirectional Forwarding Detection
Updates to the Software Configuration Guides
Update to the "Configuring IP Unicast Routing" chapter:
Updates to the "Configuring QoS" Chapter
Updates to the "Configuring Ethernet OAM, CFM, and E-LMI" Chapter
Update to the "Configuring IEEE 802.1x Port-Based Authentication" Chapter
Update to the ME 3400 Hardware Installation Guide
Updates to the System Message Guide
Cisco ME 3400E-24TS-M and Cisco ME 3400EG-12CS-M
Obtaining Documentation and Submitting a Service Request
Release Notes for the Cisco ME 3400E and
ME 3400 Ethernet Access Switches, Cisco IOS Release 12.2(53)SE
Revised on March 31, 2010
Cisco IOS Release 12.2(53)SE runs on the Cisco ME 3400E and ME 3400 Series Ethernet Access switches.
These release notes include important information about Cisco IOS Release 12.2(53)SE and any limitations, restrictions, and caveats that apply to the release. Verify that these release notes are correct for your switch:
•If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.
•If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.
•If you are upgrading to a new release or different image, see the software upgrade filename for the software version. See the "Deciding Which Files to Use" section.
For the complete list of Cisco ME 3400E and ME 3400 switch documentation, see the "Related Documentation" section.
You can download the switch software from this site (registered Cisco.com users with a login password):
http://tools.cisco.com/support/downloads/go/MDFTree.x?butype=switches
This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com in the Cisco IOS software area.
Contents
This information is in the release notes:
•Upgrading the Switch Software
•Minimum Cisco IOS Release for Major Features
•Obtaining Documentation and Submitting a Service Request
Hardware Supported
Table 1 lists the hardware supported on Cisco IOS Release 12.2(50)SE.
Table 1 Supported Hardware
Device Description Supported by Minimum Cisco IOS ReleaseME 3400E-24TS-M
24 10/100 ports and 2 dual-purpose ports; supports removable AC- and DC-power supplies.
Cisco IOS Release 12.2(44)EY
ME 3400EG-12CS-M
12 dual-purpose ports and 4 SFP module slots; supports removable AC- and DC-power supplies.
Cisco IOS Release 12.2(44)EY
ME 3400EG-2CS-A
2 dual-purpose ports and 2 SFP module slots, AC-power input.
Cisco IOS Release 12.2(44)EY
ME 3400-24FS-A
24 100BASE-FX SFP module ports and 2 Gigabit Ethernet SFP module ports, AC power
Cisco IOS Release 12.2(40)SE
ME 3400G-2CS
2 dual-purpose ports and 2 SFP-only module ports, AC power
Cisco IOS Release 12.2(35)SE1
ME-3400G-12CS-A
12 dual-purpose ports and 4 SFP-only module ports
Cisco IOS Release 12.2(25)SEG1
ME-3400G-12CS-D
12 dual-purpose ports and 4 SFP-only module ports
Cisco IOS Release 12.2(25)SEG1
ME-3400-24TS-A
24 10/100 ports and 2 SFP module slots, AC power
Cisco IOS Release 12.2(25)EX
ME-3400-24TS-D
24 10/100 ports and 2 SFP module slots, DC power
Cisco IOS Release 12.2(25)EX
SFP modules
ME 3400
1000BASE-T, -BX, -SX, -LX/LH, -ZX
100BASE-BX, FX, -LX
Coarse wavelength-division multiplexing (CWDM)Cisco IOS Release 12.2(25)EX
Digital optical monitoring (DOM) support for GLC-BX, CWDM and DWDM SFPs
Cisco IOS Release 12.2(44)SE
100BASE-EX, 100BASE-ZX
1000BASE-LX/LH MMF and SMF
1000BASE-SX MMF
DOM support for GLC-ZX-SM SFP, 1000BASE-LX/LH, and 1000BASE-SX
Cisco IOS Release 12.2(46)SE
DOM support for 1000BASE-BX
Additional DWDM SFPs qualification
Cisco IOS Release 12.2(50)SE
For a complete list of ME 3400 supported SFPs and part numbers, see the ME 3400 data sheet at:
SFP modules
ME 3400E
1000BASE-BX10, -SX, -LX/LH, -ZX
100BASE -BX10, -EX, -FX (GLC-FE-100FX only), -LX10, -ZX
1000BASE-T and 10/100/100BASE-T—Category 5,6
(SFP-only ports; not supported on dual-purpose ports)Coarse wavelength-division multiplexing (CWDM)
Dense wavelength-division multiplexing (DWDM)
Digital optical monitoring (DOM) support for SFP-GE-S, SFP-GE-L, 1000BASE-BX10, 1000BASE-ZX, CWDM and DWDM SFPs
Note See the hardware installation guide for SFP model numbers.
Cisco IOS Release 12.2(44)EY
Additional DWDM SFPs qualification
Cisco IOS Release 12.2(50)SE
For a complete list of ME 3400E supported SFPs and part numbers, see the ME 3400E data sheet at:
http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps9637/data_sheet_c78-495220.html
Cable
Catalyst 3560 SFP interconnect cable
Cisco IOS Release 12.2(25)EX
Upgrading the Switch Software
These are the procedures for downloading software. Before downloading software, read this section for important information:
•Finding the Software Version and Feature Set
•Recovering from a Software Failure
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 2 lists the filenames for this software release.
Note The ME 3400 metro base image is not supported on the Cisco ME 3400E switch.
Archiving Software Images
Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.
Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html
You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.
You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:
Upgrading a Switch
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
Note For downloading software, we recommend that you connect to the TFTP server through a network node interface (NNI). If you want to connect to the server through a user network interface (UNI), see the "Troubleshooting" chapter of the software configuration guide for methods for enabling ping capability on UNIs. See the "New Software Features" section for a definition of NNIs and UNIs.
To download software, follow these steps:
Step 1 Use Table 2 to identify the file that you want to download.
Step 2 Download the software image file. If you have a SmartNet support contract, log in to cisco.com and go to this URL, and log in to download the appropriate files:
http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi
Click on "Launch the IOS Upgrade Planner" and search for the ME3400 platform to select the appropriate files:
•Select the software release and image you want to download.
•You might need to obtain authorization and to download the cryptographic software files
Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, refer to Appendix B in the software configuration guide for this release.
Step 4 Log into the switch through the console port or a Telnet session.
Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:
Switch# ping tftp-server-address
Note By default, ping is supported on network node interfaces (NNIs), but you cannot ping from a user network interface (UNI) because the control-plane security feature drops ICMP response packets received on UNIs. See the "Troubleshooting" chapter of the software configuration guide for methods for pinging from the switch to a host connected to a UNI.
For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.
Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
Switch# archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tarThe /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwritetftp://198.30.20.19/image-name.tarYou can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
Recovering from a Software Failure
For recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.
Installation Notes
You can assign IP information to your switch by using these methods:
•The CLI-based setup program, as described in the switch hardware installation guide.
•The DHCP-based autoconfiguration, as described in the switch software configuration guide.
•Manually assigning an IP address, as described in the switch software configuration guide.
New Features
New Hardware Features
For a list of all supported hardware, see the "Hardware Supported" section.
New Software Features
•Enhancements for ingress QoS classification (ME 3400 and ME 3400E):
–improved scalability
–simultaneous multifield and COS IP DSCP, and IP precedence classification
–ingress class-default support in per-port, per-VLAN policies
•Support for ingress QoS classification for QinQ-based service on 802.1Q tunneled ports (ME 3400E only)
•Support for the ip vrf forwarding vrf-name server-group configuration and the ip radius source-interface global configuration VRF-Aware RADIUS commands. For more information, see the "Updates to the Software Configuration Guides" section.
Minimum Cisco IOS Release for Major Features
Table 3 lists the minimum software release (after the first release) required to support the major features of the Cisco ME 3400E and ME 3400 switch. Features not listed are supported in all releases.
Note The first release for the Cisco ME3400E switch was 12.2(44)EY and it included all ME 3400 features through release 12.2(44)SE.
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
•Bidirectional Forwarding Detection
•IP
•REP
•QoS
•VLAN
Bidirectional Forwarding Detection
•The BFD session with the neighbor flaps when there is close to 100% bidirectional line rate traffic transmitted through the physical links that connect the neighbors. This happens only on the sessions where the Layer 3 BFD neighboring switches are connected through a Layer 2 intermediate switch.
The workaround is to make sure that there is no 100% bidirectional unknown traffic flowing through the intermediate Layer 2 switch in the same links where the Layer 3 switches are connected. An alternate workaround is to always directly the Layer 3 switches when BFD is running. (CSCsu94835)
Configuration
•The far-end fault optional facility is not supported on the GLC-GE-100FX SFP module.
The workaround is to configure aggressive UDLD. (CSCsh70244).
•A static IP address might be removed when the previously acquired DHCP IP address lease expires.
This problem occurs under these conditions:
–When the switch is booted without a configuration (no config.text file in flash memory).
–When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).
–When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
•The DHCP snooping binding database is not written to flash memory or a remote file in any of these situations:
–When the Network Time Protocol (NTP) is configured, but the NTP clock is not synchronized. You can check the clock status by entering the show NTP status privileged EXEC command and verifying that the network connection to the NTP server and the peer work correctly.
–The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is manually removed from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.
–The URL for the configured DHCP snooping database was replaced because the original URL was not accessible. The new URL might not take effect after the timeout of the old URL.
No workaround is necessary; these are the designed behaviors. (CSCed50819)
•When dynamic ARP inspection is enabled on a switch, ARP and RARP packets greater than 2016 bytes are dropped by the switch or switch stack. This is a hardware limitation.
However, when dynamic ARP inspection is not enabled and a jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)
•Dynamic ARP inspection log entries might be lost after a switch failure. Any log entries that are still in the log buffer (have not been output as a system message) on a switch that fails are lost.
When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which you entered the command.
There is no workaround. (CSCed95822)
•When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked
The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)
•A traceback error occurs if a crypto key is generated after an SSL client session.
There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)
•When you enter the boot host retry timeout global configuration command to specify the amount of time that the client should keep trying to download the configuration and you do not enter a timeout value, the default value is zero, which should mean that the client keeps trying indefinitely. However, the client does not keep trying to download the configuration.
The workaround is to always enter a non zero value for the timeout value when you enter the boot host retry timeout timeout-value command. (CSCsk65142)
EtherChannel
•The switch might display tracebacks similar to this example when an EtherChannel interface port-channel type changes from Layer 2 to Layer 3 or the reverse:
15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58
There is no workaround. (CSCsh12472)
IP
•The switch does not create an adjacent table entry when the ARP timeout value is 15 seconds and the ARP request times out. The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)
MAC Addressing
When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)
Multicasting
•The switch does not support tunnel interfaces, including DVMRP and PIM tunneling.
•Nonreverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the group in the VLAN, but it is a member of the group in another VLAN. Because unnecessary traffic is sent on the trunk port, it reduces the bandwidth of the port. There is no workaround for this problem because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member of the group in at least one VLAN, this problem occurs for the non-RPF traffic. (CSCdu25219)
•If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number specified by the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise. The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)
•IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port. There is no workaround. (CSCdy82818)
•When you use the ip access-group interface configuration command with a router access control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN, regardless of IGMP group membership in the VLAN. This provides reachability to directly connected clients, if any, in the VLAN. The workaround is to not apply a router ACL set to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)
•If an IGMP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:
–If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.
–If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.
There is no workaround. (CSCec20128)
•When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked.
The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.
There is no workaround. (CSCee16865)
•Incomplete multicast traffic can be seen under either of these conditions:
–You disable IP multicast routing or re-enable it globally on an interface.
–A switch mroute table temporarily runs out of resources and recovers later.
The workaround is to enter the clear ip mroute privileged EXEC command on the interface. (CSCef42436)
REP
•Although you can configure a REP segment without configuring REP edge ports, we recommend that you configure REP edge ports whenever possible because edge ports enable these functions:
–selecting the preferred alternate port
–configuring VLAN load balancing
–configuring topology change notifications (TCNs) toward STP, other REP segments, or an interface
–initiating the topology collection process
–preemption mechanisms
You cannot enable these functions on REP segments without edge ports.
•On a switch running both Resilient Ethernet Protocol (REP) and Bidirectional Forwarding Detection (BFD), when the REP link status layer (LSL) age-out value is less than 1000 milliseconds (1 second), the REP link flaps if the BFD interface is shut down and then brought back up.
The workaround is to use the rep lsl-age-out timer interface configuration command to configure the REP LSL age timer for more than 1 second. (CSCsz40613)
Routing
•The switch does not support tunnel interfaces for routed traffic.
•A route map that has an ACL with a Differentiated Services Code Point (DSCP) clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and displays a message that the route map is unsupported. There is no workaround. (CSCea52915)
•A spanning-tree loop might occur if all of these conditions are true:
–Port security is enabled with the violation mode set to protected.
–The maximum number of secure addresses is less than the number of switches connected to the port.
–There is a physical loop in the network through a switch whose MAC address has not been secured, and its BPDUs cause a secure violation.
The workaround is to change any one of the listed conditions. (CSCed53633)
QoS
•When you use the bandwidth policy-map class command to configure more than one class in a policy map for Class-based Weighted Fair Queuing (CBWFQ), and the committed information rate (CIR) bandwidth for any of the classes is less than 2 percent of the interface rate, the CBWFQ classes in the policy may not receive the configured CIR bandwidths.
There is no workaround, but it is unlikely that a CBWFQ class would be configured with such a low CIR bandwidth. (CSCsb98219)
•Although visible in the command-line help, the conform-action color class-map police configuration command is not supported. Entering the command has no affect.
There is no workaround. (CSCsk00594)
•When CPU protection is disabled, you can configure 64 policers per port on most switches. However, on Cisco ME 3400EG-12CS and Cisco ME 3400G-12CS switches, due to hardware limitations, you can attach 64 per-port, per-VLAN policers to a maximum of 6 ports. If you attempt to attach more than 6 per-port, per-VLAN 64-policer policy maps, the attachment fails.
There is no workaround. (CSCsv21416)
SPAN and RSPAN
•The egress SPAN data rate might degrade when multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can egress SPAN at up to 40,000 packets per second (64-byte packets). As long as the total traffic being monitored is below this limit, there is no degradation. However, if the traffic being monitored exceeds the limit, only a portion of the source stream is spanned. When this occurs, the following console message appears:
Decreased egress SPAN rate
. In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If multicast routing is disabled, egress SPAN is not degraded.There is no workaround. If possible, disable multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)
•Some IGMP report and query packets with IP options might not be ingress-spanned. Packets that are susceptible to this problem are IGMP packets containing 4 bytes of IP options (IP header length of 24). An example of such packets would be IGMP reports and queries having the router alert IP option. Ingress-spanning of such packets is not accurate and can vary with the traffic rate. Typically, very few or none of these packets are spanned. There is no workaround. (CSCeb23352)
•When system jumbo MTU size is configured on a switch and the egress ports can support jumbo frames, the egress SPAN jumbo frames are not forwarded to the SPAN destination ports.
There is no workaround. (CSCsj21718)
•Cisco Discovery Protocol (CDP) and Port Aggregation Protocol (PAgP) packets received by network node interfaces (NNIs) from a SPAN source are not sent to the destination interfaces of a local SPAN session.
The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for local SPAN. (CSCed24036)
Trunking
•IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y. There is no workaround. (CSCdz42909).
•For trunk ports or access ports configured with IEEE 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid IEEE 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics. There is no workaround. (CSCec35100).
VLAN
•If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail.
The workaround is to not configure more than the recommended number of VLANs and trunks. (CSCeb31087)
•A CPUHOG message sometimes appears when you configure a private VLAN. Enable port security on one or more of the ports affected by the private VLAN configuration.
There is no workaround. (CSCed71422)
•When several per-port, per-VLAN parent policies are attached to the input of one or more interfaces and a child policy of these parent policies is modified, the parent policies are detached from the interfaces and reattached during the process. Because the modified policy is large, the TCAM entries are being used up, and the attached policies should be removed. However, some of the parent policies are not removed from the interface, and the TCAM entries are cleared. If you save the configuration and reload the switch, the policies are detached, but the TCAM is full, and you cannot attach other policies.
This error message appears:
QOSMGR-4-QOS_TCAM_RESOURCE_EXCEED_MAX: Exceeded a maximum of QoS TCAM resources
The workaround is to manually detach the policy maps from all the interfaces by entering the no service-policy input policy-map-name interface configuration command on each interface. (CSCsk58435)
Open Caveats
•CSCtd29049
A switch that has at least one trunk port configured might fail when you configure more than 950 VLANS by using the vlan vlan-id global configuration command.
There is no workaround.
Resolved Caveats
This release resolves these previously open caveats:
•CSCsj68446
The Network Time Protocol (NTP) might not synchronize when the switch is configured as an NTP client. These are the two possible workarounds:
–Enter the no ntp global configuration command twice.
–Reconfigure NTP on the port. For more information, see the "Configuring NTP" section of the "Administering the Switch" chapter in the software configuration guide.
•CSCsz18634
On a switch running Cisco IOS release 12.2(46)SE, the output of the show interfaces privileged EXEC command shows 0 packets for port channel input and output rates.
The workaround is to reload the switch by entering the reload privileged EXEC command.
•CSCtc16848
The output of the show inventory user EXEC command sometimes does not display all of the connected SFP modules. The EntitityMIB does not report these SFP modules.
This occurs intermittently on the 3560-48TS, C3560-48PS, and C3560G-48PS switches. There is no workaround.
•CSCtc20603
If IEEE 802.1Q native VLAN tagging is enabled on a switch, PDUs sent from an EtherChannel in LACP mode are tagged.
There is no workaround.
•CSCtc30872
When a BPDU guard is globally enabled on a switch and the access VLAN is a VLAN other than VLAN 1, BPDU guard does not run on a multiple VLAN access port.
The workaround is to enable BPDU guard on the port.
•CSCtc53210
All the matched traffic for a policer is rewritten with the first dscp value of the access-list under these conditions:
–A service policy is attached to an interface.
–That interface uses a match using an access list with dscp values and is using the transmit action.
The workaround is to use a policer with set-dscp-transmit dscp instead of transmit action.
•CSCtc57809
When the no mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command is used to remove a dynamically learned MAC address, the switch fails under these conditions:
–The physical interface is in a no shut state.
–The MAC address is first dynamically learned and then changed to static.
There is no workaround.
•CSCtd31242
An IP phone loses network connectivity under these conditions:
–The IP phone is authenticated by MAB (in Open1x mode) on a supplicant switch.
–The supplicant switch is connected to an authenticator switch through the NEAT protocol.
A call is placed using the IP phone. After approximately 5 minutes, network connectivity to the phone is lost.
The workaround is to statically configure the MAC address of the IP phone on the authenticator switch.
•CSCtd72456
After you have entered the snmp-server host informs global configuration command to enable SNMP informs on a switch, the switch might fail if you enter the show snmp pending user EXEC command.
There is no workaround. Do not enter the show command when SNMP informs are enabled.
Documentation Updates
•Updates to the Software Configuration Guides
•Update to the ME 3400 Hardware Installation Guide
•Updates to the System Message Guide
Note For information about ME 3400 support for ingress QoS classification on QinQ-based ports, see the Configuring ME 3400E QoS Classification for QinQ-Based Service, Release 12.2(53)SE document under the ME 3400E Configuration Guides link.
Updates to the Software Configuration Guides
Update to the "Configuring IP Unicast Routing" chapter:
User Interface for VRF-Aware RADIUS
To configure VRF-Aware RADIUS, you must first enable AAA on a RADIUS server. This release supports the ip vrf forwarding vrf-name server-group configuration and the ip radius source-interface global configuration commands, as described in the Per VRF AAA Feature Guide at this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftvrfaaa.html
Updates to the "Configuring QoS" Chapter
These features are now supported.
Ingress class-default Support in Per-Port, Per-VLAN Policies (ME 3400 and 3400E)
In past releases in a per-port, per-VLAN hierarchical input policy-map, you could not associate a child policy with the class class-default of the parent policy map. You could only classify on known VLANs received on a port. In Cisco IOS Release 12.2(53)SE, you can now enter class class-default in the parent policy map of a per-port, per-VLAN hierarchical input policy map to classify all VLANs not identified by specified parent VLAN classes. You can then associate a child-policy to this parent class class-default by using the service-policy child-policy-map name policy-map class configuration command to specify child classes and actions to apply to this traffic.
In this sample configuration, the child policy map child-policy-1 is associated with the class customer1-vlan and child policy-2 is associated with all other traffic.
Switch(config)# policy-map uni-parent
Switch(config-pmap)# class customer1-vlan
Switch(config-pmap-c)# service-policy child-policy-1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# service-policy child-policy-2
Switch(config-pmap-c)# exit
These same limitations from past releases about combinations of child-policies with a particular VLAN-ID in per-port, per-VLAN policies across the switch also apply to the class-default in per-port, per-VLAN policies.
•You cannot combine Layer 2 child policies classifying on S-COS, C-COS, or Layer 2 (MAC) ACLs and Layer 3 child policies classifying on DSCP, IP precedence or Layer 3 (IP) ACLs.
•You cannot combine a class default only child policy and a Layer 3 child policy classifying on DSCP, IP precedence, or Layer 3 (IP) ACLs.
Simultaneous Multifield and COS, IP DSCP, and IP Precedence QoS Classification (ME 3400 and 3400E)
In past releases, multifield classification using Layer-3 IP ACLs and DSCP classification simultaneously for every packet was not fully supported. You could configure either Layer-3 IP ACL classification or DSCP classification for every packet. Also multifield classification using Layer-2 MAC ACLs and COS classification simultaneously for every packet was not fully supported. You could configure either Layer-2 MAC-ACL classification or COS classification for every packet.
In Cisco IOS Release 12.2(53)SE, you can simultaneously configure multifield classification with Layer-3 IP ACLs and DSCP classification for every packet by using the IP access group to identify the required DSCP value to be classified along with other IP-header fields. You can also simultaneously configure multifield classification with Layer-2 MAC ACLs and COS classification for every packet by using the MAC access group to identify the COS value to be classified along with other MAC-header fields.
Ingress QoS Classification Scalability Enhancements (ME 3400 and 3400E)
In previous releases, ME 3400 and ME 3400E 24TS and 2CS models supported ingress QoS classification for 254 unique VLAN IDs on the switch. In Cisco IOS Release 12.2(53)SE, you can configure ingress QoS classification for 256 or more VLAN IDs (255 unique VLAN IDs plus the class-default, which can classify on all remaining VLAN-IDs).
In previous releases, ME 3400 and ME 3400E 12CS models supported ingress QoS classification for 254 unique VLAN IDs. In Cisco IOS Release 12.2(53)SE, you can configure ingress QoS classification for 1024 or more VLAN-IDs on the switch (255 unique VLAN IDs plus class default, which can classify on all the rest of the VLAN-IDs, on each set of four ports).
In Cisco IOS Release 12.2(53)SE, on ME 3400E switches, you can also classify on the inner VLAN-ID of QinQ packets on QinQ ports. There is no limit on any switch models to the number of inner VLAN IDs that can be classified in ingress QoS policies.
Updates to the "Configuring Ethernet OAM, CFM, and E-LMI" Chapter
•This information was added:
The Service Diagnostics 2.0 C FM diagnostic scripts is part of the 12.2(52)SE release. The script is available for download at:
Refer to the Service Diagnostic 2.0 user guide at:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps9424/whitepaper_c11-566741.html
•This information was corrected:
In the "Configuring the CFM Domain" section, Step 2 was to enter the ethernet cfm ieee global configuration command to configure the CFM version as IEEE 802.1ag.
This step is not required. If you are running Cisco IOS Release 12.2(52)SE, the CFM version is always 802.1ag, and the command is automatically generated when you enable CFM.
Update to the "Configuring IEEE 802.1x Port-Based Authentication" Chapter
This section was added:
Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no matter which authentication method is used. This ID is used for all reporting purposes, such as the show commands and MIBs. The session ID appears with all per-session syslog messages.
The session ID includes:
•The IP address of the Network Access Device (NAD)
•A monotonically increasing unique 32 bit integer
•The session start time stamp (a 32 bit integer)
This example shows how the session ID appears in the output of the show authentication command. The session ID in this example is 160000050000000B288508E5:
Switch# show authentication sessions
Interface MAC Address Method Domain Status Session IDFa4/0/4 0000.0000.0203 mab DATA Authz Success 160000050000000B288508E5This is an example of how the session ID appears in the syslog output. The session ID in this example is also160000050000000B288508E5:
1w0d: %AUTHMGR-5-START: Starting 'mab' for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E51w0d: %MAB-5-SUCCESS: Authentication successful for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E51w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0000.0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the client. The ID appears automatically. No configuration is required.
Update to the ME 3400 Hardware Installation Guide
This is an installation update to the Cisco ME3400 Hardware Installation Guide.
Cisco Ethernet Switches are equipped with cooling mechanisms, such as fans and blowers. However, these fans and blowers can draw dust and other particles, causing contaminant buildup inside the chassis, which can result in a system malfunction.
You must install this equipment in an environment as free as possible from dust and foreign conductive material (such as metal flakes from construction activities).
These standard provide guidelines for acceptable working environments and acceptable levels of suspended particulate matter:
•Network Equipment Building Systems (NEBS) GR-63-CORE
•National Electrical Manufacturers Association (NEMA) Type 1
•International Electrotechnical Commission (IEC) IP-20
Updates to the System Message Guide
These messages were added but are not yet in the system message guide:
Error Message DOT1X-4-MEM_UNAVAIL: Memory was not available to perform the 802.1X action. AuditSessionID [chars]Explanation The system memory is not sufficient to perform the IEEE 802.1x authentication. [chars] is the session ID.
Recommended Action Reduce other system activity to reduce memory demands.
Error Message DOT1X-5-FAIL: Authentication failed for client ([chars]) on Interface [chars] AuditSessionID [chars]Explanation The authentication was unsuccessful. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.
Recommended Action No action is required.
Error Message %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client ([chars]) on Interface [chars] AuditSessionID [chars]Recommended Action The authentication result was overridden. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.
Explanation No action is required.
Error Message DOT1X-5-SUCCESS: Authentication successful for client ([chars]) on Interface [chars] AuditSessionID [chars]Explanation Authentication was successful. The first [chars] is the client ID, the second [chars] is the interface, and the third [chars] is the session ID.
Recommended Action No action is required.
Error Message DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on [chars] AuditSessionID [chars]Explanation The client MAC address could not be added to the MAC address table because the hardware memory is full or the address is a secure address on another port. This message might appear if IEEE 802.1x is enabled. [enet] is the client MAC address, the first [chars] is the interface, and the second [chars] is the session ID.
Recommended Action If the hardware memory is full, remove some of the dynamic MAC addresses. If the client address is on another port, remove it from that port.
Error Message DOT1X_SWITCH-5-ERR_INVALID_PRIMARY_VLAN: Attempt to assign primary VLAN [dec] to 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign a primary VLAN to an IEEE 802.1x port, which is not allowed. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Use a different VLAN.
Error Message DOT1X_SWITCH-5-ERR_INVALID_SEC_VLAN: Attempt to assign invalid secondary VLAN [dec] to PVLAN host 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign a nonsecondary VLAN to a private VLAN host IEEE 802.1x port. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Change the mode of the port so that it is no longer a PVLAN host port or use a valid secondary VLAN.
Error Message DOT1X_SWITCH-5-ERR_PRIMARY_VLAN_NOT_FOUND: Attempt to assign VLAN [dec], whose primary VLAN does not exist or is shutdown, to 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign a private VLAN whose primary VLAN does not exist or is shut down. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Make sure the primary VLAN exists and is not shut down. Verify that the private VLAN is associated with a primary VLAN.
Error Message DOT1X_SWITCH-5-ERR_SEC_VLAN_INVALID: Attempt to assign secondary VLAN [dec] to non-PVLAN host 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign a secondary VLAN to a port that is not a private VLAN host port, which is not allowed. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Change the mode of the port so that it is configured as a private VLAN host port, or use a different VLAN that is not configured as a secondary VLAN.
Error Message DOT1X_SWITCH-5-ERR_SPAN_DST_PORT: Attempt to assign VLAN [dec] to 802.1x port [chars], which is configured as a SPAN destination AuditSessionID [chars]Explanation An attempt was made to assign a VLAN to an IEEE 802.1x port that is configured as a Switched Port Analyzer (SPAN) destination port. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Change the SPAN configuration so that the port is no longer a SPAN destination port, or change the configuration so that no VLAN is assigned.
Error Message DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN [dec] on port [chars] cannot be equivalent to the Voice VLAN AuditSessionID [chars]Explanation An attempt was made to assign a data VLAN to an IEEE 802.1x port that is the same as the voice VLAN. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Change either the voice VLAN or the IEEE 802.1x-assigned VLAN on the interface so that they are not the same.
Error Message DOT1X_SWITCH-5-ERR_VLAN_INTERNAL: Attempt to assign internal VLAN [dec] to 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign an invalid VLAN to an IEEE 802.1x port. The VLAN specified is used internally and cannot be assigned to this port. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Explanation Assign a different VLAN.
Error Message DOT1X_SWITCH-5-ERR_VLAN_INVALID: Attempt to assign invalid VLAN [dec] to 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign an invalid VLAN to an IEEE 802.1x port. The VLAN specified is out of range. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Update the configuration to use a valid VLAN.
Error Message DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN [chars] to 802.1x port [chars] AuditSessionID [chars]Explanation An attempt was made to assign a VLAN to an IEEE 802.1x port, but the VLAN was not found in the VLAN Trunking Protocol (VTP) database. [dec] is the VLAN, the first [chars] is the port, and the second [chars] is the session ID.
Recommended Action Make sure the VLAN exists and is not shutdown or use another VLAN.
These messages were deleted but are still in the system message guide:
Error Message DOT1X-4-MEM_UNAVAIL: Memory was not available to perform the 802.1X action.nnError Message DOT1X-5-SUCCESS: Authentication successful for client ([chars]) on Interface [chars]Error Message DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on [chars]Error Message DOT1X_SWITCH-5-ERR_INVALID_PRIMARY_VLAN: Attempt to assign primary VLAN [dec] to 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_INVALID_SEC_VLAN: Attempt to assign invalid secondary VLAN [dec] to PVLAN host 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_PRIMARY_VLAN_NOT_FOUND: Attempt to assign VLAN [dec], whose primary VLAN does not exist or is shutdown, to 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_SEC_VLAN_INVALID: Attempt to assign secondary VLAN [dec] to non-PVLAN host 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_SPAN_DST_PORT: Attempt to assign VLAN [dec] to 802.1x port [chars], which is configured as a SPAN destinationError Message DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN [dec] on port [chars] cannot be equivalent to the Voice VLAN.Error Message DOT1X_SWITCH-5-ERR_VLAN_INTERNAL: Attempt to assign internal VLAN [dec] to 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_VLAN_INVALID: Attempt to assign invalid VLAN [dec] to 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND: Attempt to assign non-existent or shutdown VLAN [dec] to 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_VLAN_ON_ROUTED_PORT: Dot1x cannot assign a VLAN [dec] to a routed port [chars]Error Message DOT1X_SWITCH-5-ERR_VLAN_PROMISC_PORT: Attempt to assign VLAN [dec] to promiscuous 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_VLAN_RESERVED: Attempt to assign reserved VLAN [dec] to 802.1x port [chars]Error Message DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN [dec] to 802.1x port [chars]. 802.1x is incompatible with RSPANError Message SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: [chars].Updates to the ME 3400E Regulatory Compliance and Safety Information Guide and the Getting Started Guide
These warnings were incorrectly documented in the guides. These are the correct warnings:
All Switches
Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than:
10 A Statement 1005
Cisco ME 3400EG-2CS-A
Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of:
140°F (60°C) Statement 1047
Cisco ME 3400E-24TS-M and Cisco ME 3400EG-12CS-M
Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of:
149°F (65°C) Statement 1047
Related Documentation
These documents provide complete information about the switch and are available from this Cisco.com site:
•Cisco ME 3400E switch:
http://www.cisco.com/en/US/products/ps9637/tsd_products_support_series_home.html
•Cisco ME 3400 switch:
http://www.cisco.com/en/US/products/ps6580/tsd_products_support_series_home.html
These are combined documents for the switches:
•Cisco ME 3400E, ME 3400, and ME 2400 Ethernet Access Switches System Message Guide
These documents are available for the Cisco ME 3400E switch:
•Release Notes for the Cisco ME 3400E Ethernet Access Switch
•Cisco ME 3400E Ethernet Access Switch Software Configuration Guide
•Cisco ME 3400E Ethernet Access Switch Command Reference
•Cisco ME 3400E Ethernet Access Switch Hardware Installation Guide
•Cisco ME 3400E Ethernet Access Switch Getting Started Guide
•Regulatory Compliance and Safety Information for the Cisco ME 3400E Ethernet Access Switch
These documents are available for the Cisco ME 3400 switch:
•Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
•Cisco ME 3400 Ethernet Access Switch Command Reference
•Cisco ME 3400 and ME 2400 Ethernet Access Switch System Message Guide
•Cisco ME 3400 Ethernet Access Switch Hardware Installation Guide
•Cisco ME 3400 and ME 2400 Ethernet Access Switches Getting Started Guide
•Regulatory Compliance and Safety Information for the Cisco ME 3400 and ME 2400 Ethernet Access Switches
•Configuration Notes for the Cisco ME 3400G-12CS Ethernet Access Switch
•Cisco Small Form-Factor Pluggable Modules Installation Notes
•Cisco CWDM GBIC and CWDM SFP Installation Note
•These compatibility matrix documents are available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
–Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix
–Cisco 100-Megabit Ethernet SFP Modules Compatibility Matrix
–Cisco Small Form-Factor Pluggable Modules Compatibility Matrix
–Compatibility Matrix for 1000BASE-T Small Form-Factor Pluggable Modules
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
© 2009-2010 Cisco Systems, Inc. All rights reserved.