Table Of Contents
Release Notes for the Catalyst 3560-C Switch, Cisco IOS Release 12.2(55)EX and Later
Device Manager System Requirements
Finding the Software Version and Feature Set
Upgrading a Switch by Using the Device Manager
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Resolved Caveats in Cisco IOS Release 12.2(55)EX and Later
Updates to the Catalyst 3560-C and 2960-C Switch Hardware Documentation
Update to the Catalyst 3560-C and 2960-C Switch Getting Started Guide
Catalyst 3560-C Updates to the Catalyst 3560 Switch Software Configuration Guide
POE, Power Monitoring, and Power Policing
PoE+ Uplinks and PoE Pass-Through Capability
Understanding Media Access Control Security and MACsec Key Agreement
Catalyst 3560-C Updates to the Catalyst 3560 Switch Command Reference
authentication event linksec fail action
clear macsec counters interface
mka policy (global configuration)
mka policy (interface configuration)
show controllers ethernet phy macsec
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 3560-C Switch, Cisco IOS Release 12.2(55)EX and Later
Updated March 22, 2012.
Cisco IOS Release 12.2(55)EX3 runs on all Catalyst 3560-C compact switches. See Table 1 for the minimum Cisco IOS release required by each switch.
These release notes include important information about Cisco IOS Release 12.2(55)EX and later and any limitations, restrictions, and caveats that apply to the releases. Verify that these release notes are correct for your switch:
• If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.
• If your switch is on, use the show version privileged EXEC command. See the "Finding the Software Version and Feature Set" section.
• If you are upgrading to a new release, see the software upgrade filename for the software version. See the "Deciding Which Files to Use" section.
You can download the switch software from this site (registered Cisco.com users with a login password):
http://www.cisco.com/cisco/web/download/index.html
The Catalyst 3560-C universal image is an IP base image. Unless otherwise indicated, the software supports all features that are supported by the Catalyst 3560 IP base image in Cisco IOS Release 12.2(55)SE and that are described in the Catalyst 3560 software configuration guide and command reference.
Note
For additional features and a list of Catalyst 3560 features that are not supported, see the "Catalyst 3560-C Features" section.
For basic configuration and command information, see the configuration guide and command reference for the Catalyst 3560 switch for Cisco IOS Release 12.2(55)SE on Cisco.com:
http://www.cisco.com/en/US/products/hw/switches/ps5528/tsd_products_support_series_home.html
Contents
• Upgrading the Switch Software
• Obtaining Documentation and Submitting a Service Request
Catalyst 3560-C Features
Unless otherwise indicated, the Catalyst 3560-C switches support all features that are supported by the Catalyst 3560 IP base image in Cisco IOS Release 12.2(55)SE, including these applications:
• Smart Install—The switch can operate as a Smart Install director. See the Smart Install Configuration Guide for more information:
http://www.cisco.com/en/US/docs/switches/lan/smart_install/release_12.2_55_se/configuration/guide/smart_install3.html
• EnergyWise—The switch supports EnergyWise phase 2. See the EnergyWise Configuration Guide at
http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/configuration/guide/ew_v2.html
and the release notes at:
http://www.cisco.com/en/US/docs/switches/lan/energywise/phase2/ios/release/notes/OL19810.html
The Catalyst 3560-C compact switches also support these features that are not supported on Catalyst 3560 switches in Cisco IOS Release 12.2(55)SE:
• USB mini-type B console port and USB type A port
• Support for PoE+, power sensing, and power policing
• The Catalyst 3560CPD-8PT switches also support PoE pass-through. See the "PoE+ Uplinks and PoE Pass-Through Capability" section.
• Support for Media Access Control Security (MACsec)
• Support for IPv6 MIBs (Cisco-IETF-IP-MIB and Cisco-IETF-IP-Forwarding-MIB) and the PoE policing MIB
• Support for a different switch database management (SDM) template than the Catalyst 3560 switch.
See the "Documentation Updates" section for configuration and commands for these features.
The Catalyst 3560-C does not support the IP services image.
Note
Do not activate the demonstration license for IP services on the switch, as it is not supported by Cisco.
It also does not support these features that are supported in the Catalyst 3560 IP base image:
• Connections to redundant power supplies
• ISL trunks
• IPv6 ACLs
• IPv6 QoS
• Cisco Express Forwarding
• TCAM consistency check
System Requirements
• Device Manager System Requirements
• Upgrading the Switch Software
Supported Hardware
Table 1 Catalyst 3560-C Switches Supported

Switch | Description | Minimum Cisco IOS Release Required
Catalyst 3560CG-8PC-S | 8 10/100/1000 PoE+ (1) ports; 2 dual-purpose uplink ports (each dual-purpose port has 1 10/100/1000BASE-T copper port and 1 SFP (2) module slot) | Cisco IOS Release 12.2(55)EX
Catalyst 3560CG-8TC-S | 8 10/100/1000 ports; 2 dual-purpose uplink ports | Cisco IOS Release 12.2(55)EX
Catalyst 3560CPD-8PT-S | 8 10/100/1000 PoE+ ports; 2 10/100/1000 PoE+ uplink ports | Cisco IOS Release 12.2(55)EX2
Catalyst 3560C-8PC-S | 8 10/100 PoE+ ports; 2 dual-purpose uplink ports | Cisco IOS Release 12.2(55)EX3
Catalyst 3560C-12PC-S | 12 10/100 PoE+ ports; 2 dual-purpose uplink ports | Cisco IOS Release 12.2(55)EX3

1. PoE = Power over Ethernet, up to 30 W per port.
2. SFP = small form-factor pluggable.
Table 2 Other Supported Hardware

Switch | Description | Minimum Cisco IOS Release Required
SFP (1) modules | GLC-(LH, SX, ZX, BX-D, BX-U); GLC-FE-(100FX, 100LX, 100BX-D, 100BX-U); CWDM SFPs. For complete lists of supported SFP modules, see the hardware installation guide and the documents on this page: http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html | Cisco IOS Release 12.2(55)EX

1. SFP = small form-factor pluggable.
Device Manager System Requirements
Hardware Requirements
Table 3 Minimum Hardware Requirements

Processor Speed | DRAM | Number of Colors | Resolution | Font Size
233 MHz minimum (1) | 512 MB (2) | 256 | 1024 x 768 | Small

1. We recommend 1 GHz.
2. We recommend 1 GB DRAM.
Software Requirements
• Windows 2000, XP, Vista, and Windows Server 2003.
• Internet Explorer 6.0 or 7.0, or Firefox 1.5, 2.0 or later, with JavaScript enabled.
The device manager verifies the browser version when starting a session and does not require a plug-in.
Upgrading the Switch Software
• Finding the Software Version and Feature Set
• Upgrading a Switch by Using the CLI
• Recovering from a Software Failure
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
Note
For the Catalyst 3560-C, the tar file is c3560c-universalk9-tar.122-55.EX3.tar and the bin file is c3560c405ex-univsalk9-bin.122-55.EX.bin.
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file and the files needed for the embedded device manager. You must use the combined tar file to upgrade the switch through the device manager. To upgrade the switch through the CLI, use the tar file and the archive download-sw privileged EXEC command.
Catalyst 3560-C switches running payload-encryption images can encrypt management and data traffic. Switches running nonpayload-encryption images can encrypt only management traffic, such as a Secure Shell (SSH) management session.
• Management traffic is encrypted when SSH, Secure Socket Layer (SSL), Simple Network Management Protocol (SNMP), and other cryptographic-capable applications or protocols are enabled.
• Data traffic is encrypted when MACsec is enabled.
Archiving Software Images
Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.
Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd80281c0e.html
You can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.
Note
Although you can copy any file on the flash memory to the TFTP server, it is time-consuming to copy all of the HTML files in the tar file. We recommend that you download the tar file from Cisco.com and archive it on an internal host in your network.
You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_t1.html
Upgrading a Switch by Using the Device Manager
You can upgrade switch software by using the device manager. For detailed instructions, click Help.
Note
When using the device manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.
Upgrading a Switch by Using the CLI
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
To download software, follow these steps:
Step 1 Use Table 4 to identify the file that you want to download.
Step 2 Download the software image file:
a. If you are a registered customer, go to this URL and log in.
http://www.cisco.com/cisco/web/download/index.html
b. Navigate to Switches > LAN Switches - Access.
c. Navigate to your switch model.
d. Click IOS Software, and select the latest IOS release.
Download the image that you identified in Step 1.
Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, see Appendix B in the software configuration guide for this release.
Step 4 Log into the switch through the console port or a Telnet session.
Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:
Switch# ping tftp-server-address
For more information about assigning an IP address and default gateway to the switch, see the software configuration guide for this release.
Step 6 Download the image file from the TFTP server to the switch. If you are installing the same software version that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
Switch# archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
The /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://198.30.20.19/c3560c-universal-tar.122-55.EX3.tar
You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite keyword with the /leave-old-sw keyword.
Recovering from a Software Failure
For recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.
Installation Notes
Use these methods to assign IP information to your switch:
• The Express Setup program, as described in the switch getting started guide.
• The CLI-based setup program, as described in the switch hardware installation guide.
• The DHCP-based autoconfiguration, as described in the switch software configuration guide.
• Manually assigning an IP address, as described in the switch software configuration guide.
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
Cisco IOS Limitations
• HSRP
• IP
• QoS
• VLAN
Configuration
• A static IP address might be removed when the previously acquired DHCP IP address lease expires.
This problem occurs under these conditions:
– When the switch is booted up without a configuration (no config.text file in flash memory).
– When the switch is connected to a DHCP server that is configured to give it an address (the dynamic IP address is assigned to VLAN 1).
– When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
• When you change a port from a nonrouted port to a routed port or the reverse, the applied auto-QoS setting is not changed or updated when you verify it by using the show running interface or show mls qos interface user EXEC commands. These are the workarounds:
1. Disable auto-QoS on the interface.
2. Change the routed port to a nonrouted port or the reverse.
3. Re-enable auto-QoS on the interface. (CSCec44169)
• The DHCP snooping binding database is not written to flash memory or a remote file in any of these situations:
– The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is manually removed from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.
– The URL for the configured DHCP snooping database was replaced because the original URL was not accessible. The new URL might not take effect after the timeout of the old URL.
No workaround is necessary; these are the designed behaviors. (CSCed50819)
• When dynamic ARP inspection is enabled on a switch or switch stack, ARP and RARP packets greater than 2016 bytes are dropped by the switch or switch stack. This is a hardware limitation.
However, when dynamic ARP inspection is not enabled and a jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)
• When connected to some third-party devices that send early preambles, a switch port operating at 100 Mb/s full duplex or 100 Mb/s half duplex might bounce the line protocol up and down. The problem is observed only when the switch is receiving frames.
The workaround is to configure the port for 10 Mb/s and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
• When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked.
The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)
• A traceback error occurs if a crypto key is generated after an SSL client session.
There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)
• The switch might display tracebacks similar to this example when an EtherChannel interface port-channel type changes from Layer 2 to Layer 3 or the reverse:
15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58
(CSCsh12472)
• The far-end fault optional facility is not supported on the GLC-GE-100FX SFP module.
The workaround is to configure aggressive UDLD. (CSCsh70244)
• When you enter the boot host retry timeout global configuration command to specify the amount of time that the client should keep trying to download the configuration and you do not enter a timeout value, the default value is zero, which should mean that the client keeps trying indefinitely. However, the client does not keep trying to download the configuration.
The workaround is to always enter a nonzero value for the timeout value when you enter the boot host retry timeout timeout-value command. (CSCsk65142)
• A ciscoFlashMIBTrap message appears during switch startup. This does not affect switch functionality. (CSCsj46992)
Ethernet
• Traffic on EtherChannel ports is not perfectly load-balanced. Egress traffic on EtherChannel ports is distributed to member ports based on the load-balance configuration and traffic characteristics such as MAC or IP address. More than one traffic stream may map to the same member port based on hashing results calculated by the ASIC.
If this happens, uneven traffic distribution occurs on EtherChannel ports.
Changing the load-balance distribution method or changing the number of ports in the EtherChannel can resolve this problem. Use any of these workarounds to improve EtherChannel load balancing:
– For random source-IP and destination-IP traffic, configure the load-balance method as src-dst-ip.
– For incrementing source-IP traffic, configure the load-balance method as src-ip.
– For incrementing destination-IP traffic, configure the load-balance method as dst-ip.
– Configure the number of ports in the EtherChannel so that the number is a power of 2 (that is, 2, 4, or 8).
For example, with load balancing configured as dst-ip with 150 distinct incrementing destination IP addresses, and the number of ports in the EtherChannel set to either 2, 4, or 8, load distribution is optimal. (CSCeh81991)
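The member-port selection described above, simulated as an added example (not Cisco code): the undocumented ASIC hash is replaced by an assumed XOR-fold of the IPv4 octets, and the 8 hash buckets dealt round-robin over the member ports are likewise an assumption. It reproduces the 150-destination case from the text and shows why 3 members split load 3:3:2 while 2, 4 or 8 members spread it evenly, and why the src-ip method collapses single-source traffic onto one link.

```python
"""Simulate EtherChannel member-port selection (added illustration, not Cisco code).

Assumptions (labelled here and in the lead-in):
  * the ASIC reduces each frame to one of 8 hash buckets (values 0..7), and
  * buckets are dealt round-robin across the member ports.
The real Catalyst hash is not public, so an XOR-fold of the IPv4 octets stands in
for it; the bucket-to-port step is what produces the uneven split.
"""
from collections import Counter
from ipaddress import IPv4Address

HASH_BUCKETS = 8  # assumed number of distinct hash results the ASIC produces


def fold_address(addr: str) -> int:
    """XOR the four octets of an IPv4 address into one byte (stand-in hash input)."""
    octets = IPv4Address(addr).packed
    return octets[0] ^ octets[1] ^ octets[2] ^ octets[3]


def hash_bucket(src: str, dst: str, method: str) -> int:
    """Return the bucket (0..7) chosen for a flow under the given load-balance method."""
    if method == "src-ip":
        value = fold_address(src)
    elif method == "dst-ip":
        value = fold_address(dst)
    elif method == "src-dst-ip":
        value = fold_address(src) ^ fold_address(dst)
    else:
        raise ValueError(f"unsupported load-balance method: {method!r}")
    return value % HASH_BUCKETS


def bucket_to_member(bucket: int, members: int) -> int:
    """Assumed mapping: bucket i is served by member port (i mod members).

    With 3 members, buckets {0,3,6} and {1,4,7} give two ports three buckets
    each while the third port gets only {2,5}; with 2, 4 or 8 members every
    port receives the same number of buckets.
    """
    return bucket % members


def distribution(flows, members: int, method: str) -> Counter:
    """Count how many flows land on each member port (keys 0..members-1)."""
    per_member = Counter({m: 0 for m in range(members)})
    for src, dst in flows:
        per_member[bucket_to_member(hash_bucket(src, dst, method), members)] += 1
    return per_member


def imbalance(dist: Counter, members: int) -> float:
    """Busiest port's load relative to a perfectly even share (1.0 is ideal)."""
    total = sum(dist.values())
    return max(dist[m] for m in range(members)) / (total / members)


def incrementing_destinations(count: int, src: str = "10.0.0.1",
                              first_dst: str = "192.168.1.1"):
    """Constructed sample traffic: one source talking to `count` consecutive
    destination addresses, mirroring the 150-destination case in the text."""
    start = int(IPv4Address(first_dst))
    return [(src, str(IPv4Address(start + i))) for i in range(count)]


if __name__ == "__main__":
    flows = incrementing_destinations(150)
    for method in ("src-ip", "dst-ip"):
        for members in (2, 3, 4, 8):
            dist = distribution(flows, members, method)
            print(f"{method:10s} members={members}: {dict(sorted(dist.items()))} "
                  f"imbalance={imbalance(dist, members):.2f}")
```

Running it prints the per-port flow counts for each method and member count, so the 56/56/38 split for three members and the 150/0 collapse under src-ip are visible side by side.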
Fallback Bridging
• If a bridge group contains a VLAN to which a static MAC address is configured, all non-IP traffic in the bridge group with this MAC address destination is sent to all ports in the bridge group. The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)
• Known unicast (secured) addresses are flooded within a bridge group if secure addresses are learned or configured on a port and the VLAN on this port is part of a bridge group. Non-IP traffic destined to the secure addresses is flooded within the bridge group. The workaround is to disable fallback bridging or to disable port security on all ports in all VLANs participating in fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. To disable port security on all ports in all VLANs participating in fallback bridging, use the no switchport port-security interface configuration command. (CSCdz80499)
HSRP
• When the active switch fails in a switch cluster that uses HSRP redundancy, the new active switch might not contain a full cluster member list. The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, see the "Configuring STP" chapter in the software configuration guide. (CSCec76893)
IP
• The switch does not create an adjacent table entry when the ARP timeout value is 15 seconds and the ARP request times out. The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)
• When the rate of received DHCP requests exceeds 2,000 packets per minute for a long time, the response time might be slow when you are using the console. The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)
IP Telephony
• After you change the access VLAN on a port that has IEEE 802.1x enabled, the IP phone address is removed. Because learning is restricted on IEEE 802.1x-capable ports, it takes approximately 30 seconds before the address is relearned. No workaround is necessary. (CSCea85312)
• (PoE-capable switches) The switch uses the IEEE classification to learn the maximum power consumption of a powered device before powering it. The switch grants power only when the maximum wattage configured on the port is less than or equal to the IEEE class maximum. This ensures that the switch power budget is not oversubscribed. There is no such mechanism in Cisco prestandard powered devices.
The workaround for networks with prestandard powered devices is to leave the maximum wattage set at the default value (15.4 W). You can also configure the maximum wattage for the port for no less than the value the powered device reports as the power consumption through CDP messages. For networks with IEEE Class 0, 3, or 4 devices, do not configure the maximum wattage for the port at less than the default 15.4 W (15,400 milliwatts). (CSCee80668)
• Some access point devices are incorrectly discovered as IEEE 802.3af Class 1 devices. These access points should be discovered as Cisco pre-standard devices. The show power inline user EXEC command shows the access point as an IEEE Class 1 device. The workaround is to power the access point by using an AC wall adaptor. (CSCin69533)
• The Cisco 7905 IP Phone is error-disabled when the phone is connected to wall power.
The workaround is to enable PoE and to configure the switch to recover from the PoE error-disabled state. (CSCsf32300)
MAC Addressing
• When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)
Multicasting
• The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.
• Nonreverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the group in the VLAN, but it is a member of the group in another VLAN. Because unnecessary traffic is sent on the trunk port, it reduces the bandwidth of the port.
There is no workaround for this problem because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member of the group in at least one VLAN, this problem occurs for the non-RPF traffic. (CSCdu25219)
• If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number specified by the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise.
The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)
• IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port.
There is no workaround. (CSCdy82818)
• When you use the ip access-group interface configuration command with a router access control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN, regardless of IGMP group membership in the VLAN. This provides reachability to directly connected clients, if any, in the VLAN.
The workaround is to not apply a router ACL set to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)
• If an IGMP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:
– If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.
– If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.
There is no workaround. (CSCec20128)
• When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked.
The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.
There is no workaround. (CSCee16865)
• Incomplete multicast traffic can be seen under either of these conditions:
– You disable IP multicast routing or re-enable it globally on an interface.
– A switch mroute table temporarily runs out of resources and recovers later.
The workaround is to enter the clear ip mroute privileged EXEC command on the interface. (CSCef42436)
• After you configure a switch to join a multicast group by entering the ip igmp join-group group-address interface configuration command, the switch does not receive join packets from the client, and the switch port connected to the client is removed from the IGMP snooping forwarding table.
Use one of these workarounds:
– Cancel membership in the multicast group by using the no ip igmp join-group group-address interface configuration command on an SVI.
– Disable IGMP snooping on the VLAN interface by using the no ip igmp snooping vlan vlan-id global configuration command. (CSCeh90425)
Power
• Entering the shutdown and the no shutdown interface configuration commands on the internal link can disrupt the PoE operation. If a new IP phone is added while the internal link is in shutdown state, the IP phone does not get inline power if the internal link is brought up within 5 minutes.
The workaround is to enter the shutdown and the no shutdown interface configuration commands on the Fast Ethernet interface of a new IP phone that is attached to the service module port after the internal link is brought up. (CSCeh45465)
QoS
• Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than 10 to avoid disabling the queue.
The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)
• When auto-QoS is enabled on the switch, priority queuing is not enabled. Instead, the switch uses shaped round robin (SRR) as the queuing mechanism. The auto-QoS feature is designed on each platform based on the feature set and hardware limitations, and the queuing mechanism supported on each platform might be different.
There is no workaround. (CSCee22591)
• If you configure a large number of input interface VLANs in a class map, a traceback message similar to this might appear:
01:01:32: %BIT-4-OUTOFRANGE: bit 1321 is not in the expected range of 0 to 1024
There is no impact to switch functionality.
There is no workaround. (CSCtg32101)
RADIUS
• RADIUS change of authorization (COA) reauthorization is not supported on the critical auth VLAN.
There is no workaround. (CSCta05071)
Routing
• The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.
• A route map that has an ACL with a Differentiated Services Code Point (DSCP) clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and displays a message that the route map is unsupported.
There is no workaround. (CSCea52915)
Smart Install
• Backing up a Smart Install configuration could fail if the backup repository is a Windows server and the backup file already exists in the server.
The workaround is to use the TFTP utility of another server instead of a Windows server or to manually delete the existing backup file before backing up again. (CSCte53737)
• In a Smart Install network with the backup feature enabled (the default), the director sends the backup configuration file to the client during zero-touch replacement. However, when the client is a switch in a stack, the client receives the seed file from the director instead of receiving the backup configuration file.
The workaround, if you need to configure a switch in a stack with the backup configuration, is to use the vstack download config privileged EXEC command so that the director performs an on-demand upgrade on the client.
– When the backup configuration is stored in a remote repository, enter the location of the repository.
– When the backup file is stored in the director flash memory, you must manually set the permissions for the file before you enter the vstack download config command. (CSCtf18775)
• If the director in the Smart Install network is located between an access point and the DHCP server, the access point tries to use the Smart Install feature to upgrade even though access points are not supported devices. The upgrade fails because the director does not have an image and configuration file for the access point.
There is no workaround. (CSCtg98656)
• When a Smart Install director is upgrading a client switch that is not Smart Install-capable (that is, not running Cisco IOS Release 12.2(52)SE or later), the director must enter the password configured on the client switch. If the client switch does not have a configured password, there are unexpected results depending on the software release running on the client:
– When you select the NONE option in the director CLI, the upgrade should be allowed and is successful on client switches running Cisco IOS Release 12.2(25)SE through 12.2(46)SE, but fails on clients running Cisco IOS Release 12.2(50)SE through 12.2(50)SEx.
– When you enter any password in the director CLI, the upgrade should not be allowed, but it is successful on client switches running Cisco IOS Release 12.2(25)SE through 12.2(46)SE, but fails on clients running Cisco IOS Release 12.2(50)SE through 12.2(50)SEx.
There is no workaround. (CSCth35152)
SPAN and RSPAN
• The egress SPAN data rate might degrade when fallback bridging or multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can egress SPAN at up to 40,000 packets per second (64-byte packets). As long as the total traffic being monitored is below this limit, there is no degradation. However, if the traffic being monitored exceeds the limit, only a portion of the source stream is spanned. When this occurs, the following console message appears:
Decreased egress SPAN rate.
In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If fallback bridging and multicast routing are disabled, egress SPAN is not degraded.
There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)
• Some IGMP report and query packets with IP options might not be ingress-spanned. Packets that are susceptible to this problem are IGMP packets containing 4 bytes of IP options (IP header length of 24). An example of such packets would be IGMP reports and queries having the router alert IP option. Ingress-spanning of such packets is not accurate and can vary with the traffic rate. Typically, very few or none of these packets are spanned.
There is no workaround. (CSCeb23352)
• Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) packets received from a SPAN source are not sent to the destination interfaces of a local SPAN session.
The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for local SPAN. (CSCed24036)
Trunking
•
The switch treats frames received with mixed encapsulation (IEEE 802.1Q and Inter-Switch Link [ISL]) as frames with FCS errors, increments the error counters, and the port LED blinks amber. This happens when an ISL-unaware device receives an ISL-encapsulated packet and forwards the frame to an IEEE 802.1Q trunk interface.
There is no workaround. (CSCdz33708)
•
IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y.
There is no workaround. (CSCdz42909).
•
For trunk ports or access ports configured with IEEE 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid IEEE 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics.
There is no workaround. (CSCec35100).
VLAN
•
If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail.
The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
•
A CPUHOG message sometimes appears when you configure a private VLAN. Enable port security on one or more of the ports affected by the private VLAN configuration.
There is no workaround. (CSCed71422)
•
When line rate traffic is passing through a dynamic port, and you enter the switchport access vlan dynamic interface configuration command for a range of ports, the VLANs might not be assigned correctly. One or more VLANs with a null ID appears in the MAC address table instead.
The workaround is to enter the switchport access vlan dynamic interface configuration command separately on each port. (CSCsi26392)
Device Manager Limitations
•
When you are prompted to accept the security certificate and you click No, you only see a blank screen, and the device manager does not launch.
The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)
Important Notes
Cisco IOS Notes
•
If the switch requests information from the Cisco Secure Access Control Server (ACS) and the message exchange times out because the server does not respond, a message similar to this appears:
00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding.
If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS.
Device Manager Notes
•
You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI.
•
For a device manager session on Internet Explorer, popup messages in Japanese or in simplified Chinese can appear as garbled text. These messages appear properly if your operating system is in Japanese or Chinese.
•
We recommend this browser setting to reduce the time needed to display the device manager in Microsoft Internet Explorer.
From Microsoft Internet Explorer:
1.
Choose Tools > Internet Options.
2.
Click Settings in the "Temporary Internet files" area.
3.
From the Settings window, choose Automatically.
4.
Click OK.
5.
Click OK to exit the Internet Options window.
•
The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
•
The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.
If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch.
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface authentication method:
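The following is an added example, not the procedure table from this release note, showing the device manager access settings as shipped beside a hardened equivalent. The management subnet 10.1.100.0/24, ACL number 10, the HTTPS port 8443, and the local user netadmin are assumptions; the commands are standard Cisco IOS 12.2 HTTP server, AAA, and ACL commands.

```cisco
! Added example; addresses, ACL number, port and username are assumptions.
!
! As shipped: the device manager answers plaintext HTTP on port 80 and accepts the
! enable password. Both cross the wire in the clear on every Ethernet port.
!   ip http server
!   ip http authentication enable
!
! Hardened equivalent:
Switch# configure terminal
! 1. Stop serving plaintext HTTP; offer the device manager over HTTPS only.
Switch(config)# no ip http server
Switch(config)# ip http secure-server
! Optional: move HTTPS off 443. The browser URL must then carry the port,
! for example https://10.1.126.45:8443
Switch(config)# ip http secure-port 8443
! 2. Authenticate web logins through AAA (RADIUS, falling back to a local user)
!    instead of the shared enable password. The same default method list then
!    also governs console and vty logins.
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius local
Switch(config)# username netadmin privilege 15 secret <strong-password>
Switch(config)# ip http authentication aaa
! 3. Accept web-management connections only from the management subnet.
Switch(config)# access-list 10 permit 10.1.100.0 0.0.0.255
Switch(config)# ip http access-class 10
Switch(config)# end
! Verify: HTTP disabled, HTTPS enabled on 8443, authentication method aaa.
Switch# show ip http server status
```

HTTPS requires a cryptographic (k9) image such as the c3560c-universalk9 image named on this page. The RADIUS method list also needs a radius-server host entry; until one is configured, logins fall through to the local user, which is why a local privilege-15 account is defined before switching the authentication method.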
Open Caveats
•
CSCte99366
In a Smart Install network, when the director is connected between the client and the DHCP server and the server has options configured for the image and configuration, the client does not receive the image and configuration files sent by the DHCP server during an automatic upgrade. Instead, the director overwrites the files, and the client receives the image and configuration that the director sends.
Use one of these workarounds:
–
If the client needs to upgrade by using an image and configuration file configured in the DHCP server options, remove the client from the Smart Install network during the upgrade.
–
In a network using Smart Install, do not configure options for the image and configuration in the DHCP server. For clients to upgrade by using Smart Install, configure product-ID-specific image and configuration files in the director.
•
CSCtg71149
When ports in an EtherChannel are linking up, the EC-5-CANNOT_BUNDLE2 message might appear. This condition is often self-correcting, indicated by an EC-5-COMPATIBLE message following the first message. On occasion, the issue does not self-correct, and the ports may remain unbundled.
The workaround is to reload the switch or to restore the EtherChannel bundle by shutting down and then enabling the member ports and the EtherChannel in this order:
–
Enter the shutdown interface configuration command on each member port.
–
Enter the shutdown command on the port-channel interface.
–
Enter the no shutdown command on each member port.
–
Enter the no shutdown command on the port-channel interface.
•
CSCtk76491
When the Catalyst 3560-C switch is the multiple spanning tree protocol (MSTP) master switch with one or more MST client switches attached and you map VLANs to an MST instance using the instance instance_id vlan vlan-range MST configuration command on it, if you enter the no spanning-tree mode MST configuration command on a client switch to disable MST mode, then the client switch does not update its VLAN mapping back to the original state.
The workaround is to restart the switch.
•
CSCtq87110
If you use the manual bootloader to boot up the software using the switch: prompt on a WS-C3560CG-8TC-S, WS-C3560CG-8PC-S, or WS-C3560CPD-8PT-S switch, the console port LED might not light to indicate whether the RJ-45 or mini-USB console is being used for output. When the switch is set to auto-boot Cisco IOS, the LEDs operate correctly. The problem is visible only when you stop the auto-boot process to access the bootloader.
There is no workaround.
Resolved Caveats in Cisco IOS Release 12.2(55)EX and Later
•
CSCto10165
A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml.
•
CSCtd10712
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:
–
NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
–
Session Initiation Protocol (Multiple vulnerabilities)
–
H.323 protocol
All the vulnerabilities described in the advisory are caused by packets in transit on the affected devices when those packets require application layer translation.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-nat.shtml.
Documentation Updates
•
Updates to the Catalyst 3560-C and 2960-C Switch Hardware Documentation
•
Update to the Catalyst 3560-C and 2960-C Switch Getting Started Guide
•
Catalyst 3560-C Updates to the Catalyst 3560 Switch Software Configuration Guide
•
Catalyst 3560-C Updates to the Catalyst 3560 Switch Command Reference
Updates to the Catalyst 3560-C and 2960-C Switch Hardware Documentation
•
Network Assistant supported only on these switches:
Catalyst 3560CG-8PC-S, 3560CG-8TC-S, and 3560CPD-8PT-S
•
Update to the "Rear Panel" section in the "Overview Chapter" of the hardware guide:
The heat sink fins are present on the Catalyst 3560CG-8PC-S, 2960C-8PC-L, 2960C-12PC-L, 3560C-8PC-S, and 3560C-12PC-S switches.
•
The Installation chapter has been updated to add the "Installing a Cover for the Reset Button" section. See this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960c_3560c/hardware/installation/guide/higinstall.html
Update to the Catalyst 3560-C and 2960-C Switch Getting Started Guide
The "Box Contents" section has been updated to include the reset cover. See this URL:
Catalyst 3560-C Updates to the Catalyst 3560 Switch Software Configuration Guide
•
POE, Power Monitoring, and Power Policing
•
PoE+ Uplinks and PoE Pass-Through Capability
•
Understanding Media Access Control Security and MACsec Key Agreement
Using the Switch USB Ports
USB Mini-Type B Console Port
The switch has two console ports—a USB mini-Type B console port and an RJ-45 console port. Console output appears on devices connected to both ports, but console input is active on only one port at a time. The USB connector takes precedence over the RJ-45 connector.
Note
Windows PCs require a driver for the USB port. See the hardware installation guide for driver installation instructions.
Use the supplied USB Type A-to-USB mini-Type B cable to connect a PC or other device to the switch. The connected device must include a terminal emulation application. When the switch detects a valid USB connection to a powered-on device that supports host functionality (such as a PC), input from the RJ-45 console is disabled, and input from the USB console is immediately enabled. Removing the USB connection immediately reenables input from the RJ-45 console connection. An LED on the switch shows which console connection is in use.
Console Port Change Logs
At software startup, a log shows whether the USB or the RJ-45 console is active. The switch always first displays the RJ-45 media type.
In the sample output, the switch has a connected USB console cable. Because the bootloader did not change to the USB console, the first log shows the RJ-45 console. A short time later, the console changes, and the USB console log appears.
*Mar 1 00:01:00.171: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
*Mar 1 00:01:00.431: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.
When the USB cable is removed or the PC de-activates the USB connection, the hardware automatically changes to the RJ-45 console interface:
Mar 1 00:20:48.635: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the USB connector.
Configuring the Console Media Type
Beginning in privileged EXEC mode, follow these steps to select the RJ-45 console media type. If you configure the RJ-45 console, USB console operation is disabled, and input always remains with the RJ-45 console.
This example disables the USB console media type and enables the RJ-45 console media type.
Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# media-type rj45
This configuration immediately terminates any active USB consoles in the stack. A log shows that this termination has occurred. This sample log shows that the console on switch 1 reverted to RJ-45.
*Mar 1 00:25:36.860: %USB_CONSOLE-6-CONFIG_DISABLE: Console media-type USB disabled by system configuration, media-type reverted to RJ45.
At this point, the switch does not allow a USB console to have input. A log entry shows when a console cable is attached. If a USB console cable is connected to switch 2, it is prevented from receiving input.
*Mar 1 00:34:27.498: %USB_CONSOLE-6-CONFIG_DISALLOW: Console media-type USB is disallowed by system configuration, media-type remains RJ45. (switch-stk-2)
This example reverses the previous configuration and immediately activates any USB console that is connected.
Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# no media-type rj45
Configuring the USB Inactivity Timeout
The configurable inactivity timeout reactivates the RJ-45 console if the USB console is activated but no input activity occurs on it for a specified time period. When the USB console is deactivated due to a timeout, you can restore its operation by disconnecting and reconnecting the USB cable.
Beginning in privileged EXEC mode, follow these steps to configure an inactivity timeout.
This example configures the inactivity timeout to 30 minutes:
Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# usb-inactivity-timeout 30
To disable the configuration, use these commands:
Switch(config)# line console 0
Switch(config-line)# no usb-inactivity-timeout
If there is no (input) activity on a USB console for the configured number of minutes, the console reverts to RJ-45, and a log shows this occurrence:
*Mar 1 00:47:25.625: %USB_CONSOLE-6-INACTIVITY_DISABLE: Console media-type USB disabled due to inactivity, media-type reverted to RJ45.
At this point, the only way to reactivate the USB console is to disconnect and reconnect the cable.
When the USB cable on the switch has been disconnected and reconnected, a log similar to this appears:
*Mar 1 00:48:28.640: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.
USB Type A Port
The USB Type A port provides access to external Cisco USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, and 1 GB flash drives. You can use standard Cisco IOS CLI commands to read, write, erase, and copy to or from the flash device. You can also configure the switch to boot from the USB flash device.
Beginning in privileged EXEC mode, follow these steps to allow booting from the USB flash device.
To get information about the USB device, use the show usb {controllers | device | driver | port | tree} privileged EXEC command.
This example configures the switch to boot from the USB flash device. The image is the Catalyst 3560-C universal image.
Switch# configure terminal
Switch(config)# boot system flash usbflash0: c3560c-universalk9-mz
To disable booting from the USB flash device, enter the no form of the command.
This is sample output from the show usb device command:
Switch# show usb device
Host Controller: 1
Address: 0x1
Device Configured: YES
Device Supported: YES
Description: STEC USB 1GB
Manufacturer: STEC
Version: 1.0
Serial Number: STI 3D508232204731
Device Handle: 0x1010000
USB Version Compliance: 2.0
Class Code: 0x0
Subclass Code: 0x0
Protocol: 0x0
Vendor ID: 0x136b
Product ID: 0x918
Max. Packet Size of Endpoint Zero: 64
Number of Configurations: 1
Speed: High
Selected Configuration: 1
Selected Interface: 0
Configuration:
    Number: 1
    Number of Interfaces: 1
    Description: Storage
    Attributes: None
    Max Power: 200 mA
    Interface:
        Number: 0
        Description: Bulk
        Class Code: 8
        Subclass: 6
        Protocol: 80
        Number of Endpoints: 2
        Endpoint:
            Number: 1
            Transfer Type: BULK
            Transfer Direction: Device to Host
            Max Packet: 512
            Interval: 0
        Endpoint:
            Number: 2
            Transfer Type: BULK
            Transfer Direction: Host to Device
            Max Packet: 512
            Interval: 0
This is sample output from the show usb port command:
Switch# show usb port
Port Number: 0
Status: Enabled
Connection State: Connected
Speed: High
Power State: ON
POE, Power Monitoring, and Power Policing
PoE switch ports automatically supply power to these connected devices if the switch senses that there is no power on the circuit:
•
Cisco pre-standard powered devices (such as Cisco IP Phones and Cisco Aironet access points)
•
IEEE 802.3af-compliant powered devices
•
IEEE 802.3at-compliant powered devices (PoE+)
The PoE+ standard supports all the features of 802.3af and increases the maximum power available on each PoE port from 15.4 W to 30 W.
A Cisco prestandard powered device does not provide its power requirement when the switch detects it, so a switch that does not support PoE+ allocates 15.4 W as the initial allocation for power budgeting; a PoE+ switch allocates 30 W (PoE+).
Note
The Catalyst 3560 configuration guide and command reference refer to 15.4 W available power for PoE. For PoE+, the available power is 30 W.
When policing of the real-time power consumption is enabled, the switch takes action when a powered device consumes more power than the maximum amount allocated, also referred to as the cutoff-power value.
When PoE is enabled, the switch senses the real-time power consumption of the powered device and monitors the power consumption of the connected powered device; this is called power monitoring or power sensing. The switch also uses the power policing feature to police the power usage.
Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device. For more information about these PoE features, see the "Powered-Device Detection and Initial Power Allocation" section in the "Configuring Interfaces" chapter of the Catalyst 3560 Software Configuration Guide.
The switch senses the power consumption of the connected device as follows:
1.
The switch monitors the real-time power consumption on individual ports.
2.
The switch records the power consumption, including peak power usage, and reports the information through an SNMP MIB, CISCO-POWER-ETHERNET-EXT-MIB.
3.
If power policing is enabled, the switch polices power usage by comparing the real-time power consumption to the maximum power allocated to the device. For more information about the maximum power consumption, also referred to as the cutoff power, on a PoE port, see the "Maximum Power Allocation (Cutoff Power) on a PoE Port" section.
If the device uses more than the maximum power allocation on the port, the switch can either turn off power to the port, or the switch can generate a syslog message and update the LEDs (the port LED is now blinking amber) while still providing power to the device based on the switch configuration. By default, power-usage policing is disabled on all PoE ports.
If error recovery from the PoE error-disabled state is enabled, the switch automatically takes the PoE port out of the error-disabled state after the specified amount of time.
If error recovery is disabled, you can manually re-enable the PoE port by using the shutdown and no shutdown interface configuration commands.
4.
If policing is disabled, no action occurs when the powered device consumes more than the maximum power allocation on the PoE port, which could adversely affect the switch.
Maximum Power Allocation (Cutoff Power) on a PoE Port
When power policing is enabled, the switch determines the cutoff power on the PoE port in this order:
1.
Manually when you set the user-defined power level that the switch budgets for the port by using the power inline consumption default wattage global or interface configuration command
2.
Manually when you set the user-defined power level that limits the power allowed on the port by using the power inline auto max max-wattage or the power inline static max max-wattage interface configuration command
3.
Automatically when the switch sets the power usage of the device by using CDP power negotiation or by the IEEE classification and LLDP power negotiation.
Use the first or second method in the previous list to manually configure the cutoff-power value by entering the power inline consumption default wattage or the power inline [auto | static max] max-wattage command. If you do not manually configure the cutoff-power value, the switch automatically determines the value by using CDP power negotiation. If the switch cannot determine the value by using one of these methods, it uses the default value of 15.4 W.
On a switch with PoE+, if you do not manually configure the cutoff-power value, the switch automatically determines it by using CDP power negotiation or the device IEEE classification and LLDP power negotiation. If neither CDP nor LLDP is enabled, the default value of 30 W is applied. However, without CDP or LLDP the switch does not allow devices to consume more than 15.4 W of power, because values from 15400 to 30000 mW are allocated only in response to CDP or LLDP requests. If a powered device consumes more than 15.4 W without CDP or LLDP negotiation, the device might violate the maximum current (Imax) limitation and might experience an Icut fault for drawing more current than the maximum. The port remains in the fault state for a time before attempting to power on again. If the port continuously draws more than 15.4 W, the cycle repeats.
Note
When a powered device connected to a PoE+ port restarts and sends a CDP or LLDP packet with a power TLV, the switch locks to the power-negotiation protocol of that first packet and does not respond to power requests from the other protocol. For example, if the switch is locked to CDP, it does not provide power to devices that send LLDP requests. If CDP is disabled after the switch has locked on it, the switch does not respond to LLDP power requests and can no longer power on any accessories. In this case, you should restart the powered device.
Power Consumption Values
You can configure the initial power allocation and the maximum power allocation on a port. However, these values are only the configured values that determine when the switch should turn on or turn off power on the PoE port. The maximum power allocation is not the same as the actual power consumption of the powered device. The actual cutoff power value that the switch uses for power policing is not equal to the configured power value.
When power policing is enabled, the switch polices the power usage at the switch port, which is greater than the power consumption of the device. When you manually set the maximum power allocation, you must consider the power loss over the cable from the switch port to the powered device. The cutoff power is the sum of the rated power consumption of the powered device and the worst-case power loss over the cable.
The actual amount of power consumed by a powered device on a PoE port is the cutoff-power value plus a calibration factor of 500 mW (0.5 W). The actual cutoff value is approximate and varies from the configured value by a percentage of the configured value. For example, if the configured cutoff power is 12 W, the actual cutoff value is 11.4 W, which is 5 percent less than the configured value.
We recommend that you enable power policing when PoE is enabled on your switch. For example, if policing is disabled and you set the cutoff-power value by using the power inline auto max 6300 interface configuration command, the configured maximum power allocation on the PoE port is 6.3 W (6300 mW). The switch provides power to the connected devices on the port if the device needs up to 6.3 W. If the CDP-power negotiated value or the IEEE classification value exceeds the configured cutoff value, the switch does not provide power to the connected device. After the switch turns on power to the PoE port, the switch does not police the real-time power consumption of the device, and the device can consume more power than the maximum allocated amount, which could adversely affect the switch and the devices connected to the other PoE ports.
Configuring Power Policing
By default, the switch monitors the real-time power consumption of connected powered devices. You can configure the switch to police the power usage. By default, policing is disabled.
Beginning in privileged EXEC mode, follow these steps to enable policing of the real-time power consumption of a powered device connected to a PoE port:
To disable policing of the real-time power consumption, use the no power inline police interface configuration command. To disable error recovery for a PoE error-disabled cause, use the no errdisable recovery cause inline-power global configuration command.
For information about the output from the show power inline police privileged EXEC command, see the command reference for this release.
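The following is an added example, not the procedure table from this release note, showing the policing commands described above applied to one port. Gi0/5 and the IP phone drawing 9.5 W are taken from the show power inline police output later on this page; the 12 W cap (the value used in the Power Consumption Values example) and the 300-second recovery interval are assumptions.

```cisco
! Added example; the 12 W cap and 300 s recovery interval are assumptions.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/5
! Cap the allocation at 12 W (12000 mW). With policing on, the cutoff power at the
! port is about 11.4 W, well above the 9.5 W the phone on this port actually draws.
Switch(config-if)# power inline auto max 12000
! Enforce the cutoff. Default action: error-disable the port when the device exceeds it.
Switch(config-if)# power inline police
! Alternative: keep the device powered, log the violation and blink the port LED amber.
! Switch(config-if)# power inline police action log
Switch(config-if)# exit
! Take PoE ports out of the error-disabled state automatically after 300 seconds
! instead of requiring a manual shutdown / no shutdown.
Switch(config)# errdisable recovery cause inline-power
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify: Admin Police for Gi0/5 should read errdisable (or log) instead of none,
! and Cutoff Power should show a value instead of n/a.
Switch# show power inline police
Switch# show errdisable recovery
```

Without the power inline police line, the power inline auto max value only gates whether the port is powered on at all; once powered, a device that exceeds the allocation is never cut off, which is the condition the text above warns can affect the switch and the other PoE ports.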
PoE+ Uplinks and PoE Pass-Through Capability
The Catalyst 3560CPD-8PT compact switches can receive power on the two uplink ports from a PoE+-capable switch (for example, a Catalyst 3750-X or 3560-X switch). The switch can also receive power from an AC power source when you use the auxiliary power input. When both uplink ports and auxiliary power are connected, the auxiliary power input takes precedence.
The minimum requirement to power the Catalyst 3560CPD-8PT switch is a single 30 W (PoE+) input. Although the switch might operate using two 15.4 W (PoE) inputs, this configuration is not supported. See Table 5 for details about the switch power budget.
The Catalyst 3560CPD-8PT switch can provide power to end devices through the eight downlink ports in one of two ways:
•
When the switch receives power from the auxiliary power input, it acts like any other PoE switch and can supply power to end devices connected to the eight downlink ports according to the total power budget. Possible end devices are IP phones, video cameras, and access points.
•
When the switch receives power from the uplink ports, it can provide PoE pass-through, taking the surplus power from the PoE+ uplinks and passing it through the downlink ports to end devices. The available power depends on the power drawn from the uplink ports and varies, depending if one or both PoE+ uplink ports are connected.
The downlink ports are PoE-capable, and each port can supply up to 15.4 W per port to a connected powered device. When the switch draws power from the uplink ports, the power budget (the available power on downlink ports) depends on the power source options shown in Table 5. When the switch receives power through the auxiliary connector, the power budget is similar to that of any other PoE switch.
You can configure the power management, budgeting, and policing the same as with any other Catalyst 3560-C PoE switch.
The show env power privileged EXEC command provides information about powering options and power backup on your switch:
Switch# show env power
PoE Power - Available:15.4(w)  Backup:0.0(w)

Power Source    Type            Power(w)  Mode
--------------  --------------  --------  ---------
A.C. Input      Auxilliary      51(w)     Available
Gi0/2           Type2           30(w)     Back-up

Available : The PoE received on this link is used for powering this switch and
            providing PoE pass-through if applicable.
Back-up   : In the absence of 'Available' power mode, the PoE received on this
            link is used for powering this switch and providing PoE pass-through
            if applicable.
Available*: The PoE received on this link is used for powering this switch but
            does not contribute to the PoE pass-through.
Back-up*  : In the absence of 'Available' power mode, the PoE received on this
            link is used for powering this switch but does not contribute to
            the PoE pass-through.
You can see the available power and the power required by each connected device by entering the show power inline privileged EXEC command. This is an example of output from a Catalyst 3560CPD-8PT:
Switch# show power inline
Available:15.4(w)  Used:15.4(w)  Remaining:0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi0/1     auto   off        0.0     n/a                 n/a   15.4
Gi0/2     auto   off        0.0     n/a                 n/a   15.4
Gi0/3     auto   off        0.0     n/a                 n/a   15.4
Gi0/4     auto   off        0.0     n/a                 n/a   15.4
Gi0/5     auto   on         15.4    IP Phone 8961       4     15.4
Gi0/6     auto   off        0.0     n/a                 n/a   15.4
Gi0/7     auto   off        0.0     n/a                 n/a   15.4
Gi0/8     auto   off        0.0     n/a                 n/a   15.4
Enter the show power inline police privileged EXEC command to see power monitoring status. This is an example of output from a Catalyst 3560CPD-8PT:
Switch# show power inline police
Available:15.4(w)  Used:15.4(w)  Remaining: 0(w)

Interface Admin  Oper       Admin      Oper       Cutoff Oper
          State  State      Police     Police     Power  Power
--------- ------ ---------- ---------- ---------- ------ -----
Gi0/1     auto   off        none       n/a        n/a    0.0
Gi0/2     auto   off        none       n/a        n/a    0.0
Gi0/3     auto   off        none       n/a        n/a    0.0
Gi0/4     auto   off        none       n/a        n/a    0.0
Gi0/5     auto   on         none       n/a        n/a    9.5
Gi0/6     auto   off        none       n/a        n/a    0.0
Gi0/7     auto   off        none       n/a        n/a    0.0
Gi0/8     auto   off        none       n/a        n/a    0.0
--------- ------ ---------- ---------- ---------- ------ -----
Totals:                                                  9.5
The Catalyst 3560CG-8TC downlink ports cannot provide power to end devices. This is an example of output from the show power inline command on a Catalyst 3560CG-8TC switch:
Switch# show power inline
Available:0.0(w)  Used:0.0(w)  Remaining:0.0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
The show power inline dynamic-priority command shows the power priority of each port:
Switch# show power inline dynamic-priority
Dynamic Port Priority
-----------------------
Port      OperState Priority
--------- --------- --------
Gi0/1     off       High
Gi0/2     off       High
Gi0/3     off       High
Gi0/4     off       High
Gi0/5     off       High
Gi0/6     off       High
Gi0/7     off       High
Gi0/8     off       High
The SDM Template
The Catalyst 3560-C Fast Ethernet switches support the same templates as other Catalyst 3560 switches. See the Catalyst 3560 Software Configuration Guide and Catalyst 3560 Command Reference for details on the templates.
The Catalyst 3560-C Gigabit Ethernet switches support only a default Switch Database Management (SDM) template, which includes support for routing and for some IPv6 features. You cannot configure SDM templates, but you can use the show sdm prefer privileged EXEC command to verify supported resources. Table 6 lists the resources supported in the default template.
Note
The actual number of resources supported by the Catalyst 3560-C Gigabit Ethernet switch and shown in the table is different from that shown in the output of the show sdm prefer privileged EXEC command.
Understanding Media Access Control Security and MACsec Key Agreement
Media Access Control Security (MACsec), defined in IEEE 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are brought up after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. On the Catalyst 3560-C switches, only host-facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured by using MACsec. MACsec is supported only on the downlink interfaces, Gigabit Ethernet 0/1 to 0/8.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the client. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to a client) using the current session key.
The MKA Protocol manages the encryption keys used by the underlying MACsec protocol. The basic requirements of MKA are defined in 802.1x-REV. The MKA Protocol extends 802.1x to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data exchanged by the peers.
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) shared by both partners in the data exchange. The EAP session ID is used to generate a secure connectivity association key name (CKN). Because the switch is the authenticator, it is also the key server, generating a random 128-bit secure association key (SAK), which it sends to the client partner. The client is never a key server and can only interact with a single MKA entity, the key server. After key derivation and generation, the switch sends periodic transports to the partner at a default interval of 2 seconds.
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement PDU (MKPDU). MKA sessions and participants are deleted when the MKA lifetime (6 seconds) passes with no MKPDU received from a participant. For example, if a client disconnects, the participant on the switch continues to operate MKA until 6 seconds have elapsed after the last MKPDU is received from the client.
These sections provide more details:
•
MKA Policies
•
Virtual Ports
•
MACsec, MKA and 802.1x Host Modes
•
MKA Statistics
MKA Policies
You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA policy disables MKA on that interface. You can configure these options:
•
Policy name, not to exceed 16 ASCII characters.
•
Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
•
Replay protection. You can configure MACsec window size, as defined by the number of out-of-order frames that are accepted. This value is used while installing the security associations in the MACsec. A value of 0 means that frames are accepted only in the correct order.
Virtual Ports
You use virtual ports for multiple secured connectivity associations on a single physical port. Each connectivity association (pair) represents a virtual port, with a maximum of two virtual ports per physical port. Only one of the two virtual ports can be part of a data VLAN; the other must externally tag its packets for the voice VLAN. You cannot simultaneously host secured and unsecured sessions in the same VLAN on the same port. Because of this limitation, 802.1x multiple authentication mode is not supported.
The exception to this limitation is in multiple-host mode when the first MACsec supplicant is successfully authenticated and connected to a hub that is connected to the switch. A non-MACsec host connected to the hub can send traffic without authentication because it is in multiple-host mode.
Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on the MAC address of the physical interface concatenated with a 16-bit port ID.
MACsec, MKA and 802.1x Host Modes
You can use MACsec and the MKA Protocol with 802.1x single-host mode, multiple-host mode, or Multi Domain Authentication (MDA) mode. Multiple authentication mode is not supported.
Note
Although the software supports MDA mode, there are no IP phones that support MACsec and MKA.
Single-Host Mode
Figure 1 shows how a single EAP authenticated session is secured by MACsec by using MKA.
Figure 1 Single-Host Mode with a Secured Data Session
The same switch port hosts an unsecured phone session using CDP bypass. Because CDP bypass mode bypasses authentication to provide access based only on device type, the switch does not attempt to enter into an MKA exchange with the phone. If a voice VLAN is configured, CDP packets bypass MACsec. For secure voice access, you should use MDA mode.
Multiple-Host Mode
In standard (not 802.1x-REV) 802.1x multiple-host mode, a port is open or closed based on a single authentication. If one user (the primary secured client services client host) is authenticated, the same level of network access is provided to any host connected to the same port. If a secondary host is a MACsec supplicant, it cannot be authenticated and traffic would not flow. A secondary host that is a non-MACsec host can send traffic to the network without authentication because it is in multiple-host mode. See Figure 2.
Figure 2 Standard Multiple-Host Mode - Unsecured
MKA Statistics
Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions.
Configuring MKA and MACsec
•
Configuring an MKA Policy
•
Configuring MACsec on an Interface
Configuring an MKA Policy
Beginning in privileged EXEC mode, follow these steps to create an MKA Protocol policy:
This example configures the MKA policy replay-policy:
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# end
Configuring MACsec on an Interface
Beginning in privileged EXEC mode, follow these steps to configure MACsec on an interface with one MACsec session for voice and one for data:
This is an example of configuring and verifying MACsec on an interface:
Switch(config)# interface GigabitEthernet0/8
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# macsec
Switch(config-if)# authentication event linksec fail action authorize vlan 2
Switch(config-if)# authentication host-mode multi-domain
Switch(config-if)# authentication linksec policy must-secure
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation protect
Switch(config-if)# mka policy replay-policy
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
Switch(config-if)# end
Switch# show authentication sessions interface gigabitethernet0/8
Interface: GigabitEthernet0/8
MAC Address: 001b.2140.ec3c
IP Address: 1.1.1.103
User-Name: ms1
Status: Authz Success
Domain: DATA
Security Policy: Must Secure <--- New
Security Status: Secured <--- New
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
Session timeout: 3600s (server), Remaining: 3567s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A05783B0000001700448BA8
Acct Session ID: 0x00000019
Handle: 0x06000017
Runnable methods list:
Method State
dot1x Authc Success
Catalyst 3560-C Updates to the Catalyst 3560 Switch Command Reference
Revised and changed commands:
•
authentication event linksec fail action
•
authentication linksec policy
•
clear macsec counters interface
•
mka policy (interface configuration)
•
replay-protection window-size
•
show controllers ethernet phy macsec
•
usb
authentication event linksec fail action
To configure the required action for a link-security authentication failure, use the authentication event linksec fail action command in interface configuration mode. To disable the configured fail action, use the no form of this command.
authentication event linksec fail action {authorize vlan vlan-id | next-method}
no authentication event linksec fail action
Syntax Description
Defaults
The default is to take no action when link-security authentication fails.
Command Modes
Interface configuration
Command History
Usage Guidelines
When link-security authentication fails because of unrecognized user credentials, this command specifies that the switch authorizes a restricted VLAN on the port.
You can verify your setting by entering the show authentication sessions privileged EXEC command.
Examples
This example configures the interface so that the port is assigned to a restricted VLAN 40 after a failed authentication attempt:
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# authentication event linksec fail action authorize vlan 40
Switch(config-if)# end
Related Commands
Command                       Description
show authentication sessions  Displays information about authentication events on the switch.
authentication linksec policy
To set the static selection of a link-security policy, use the authentication linksec policy command in interface configuration mode. To return to the default state, use the no form of this command.
authentication linksec policy {must-not-secure | must-secure | should-secure}
no authentication linksec policy
Syntax Description
Defaults
The default is to support a link security policy of should secure.
Command Modes
MKA policy configuration
Command History
Usage Guidelines
The linksec policy might change after a successful reauthentication started by a local timer or a change of authorization (CoA) reauthenticate command. If the policy changes from must-not-secure to must-secure after a reauthentication, the system attempts to secure the session. If the MACsec key does not renegotiate a MACsec connection after a reauthentication, the session is terminated, and all local states are removed.
A per-user policy received after authentication overrides the interface configuration policy.
You can verify your setting by entering the show authentication sessions privileged EXEC command.
Examples
This example configures the interface to always secure MACsec sessions:
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# authentication linksec policy must-secure
Switch(config-if)# end
Related Commands
Command                       Description
show authentication sessions  Displays information about authentication events on the switch.
auto qos video
Use the auto qos video interface configuration command on the switch to automatically configure quality of service (QoS) for video within a QoS domain. Use the no form of this command to return to the default setting.
auto qos video {cts | ip-camera}
no auto qos video {cts | ip-camera}
Syntax Description
Defaults
Auto-QoS video is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues.
Table 7 Traffic Types, Packet Labels, and Queues

                          VOIP Data       VOIP Control   Routing Protocol   STP1 BPDU2    Real-Time Video   All Other
                          Traffic         Traffic        Traffic            Traffic       Traffic           Traffic
DSCP3                     46              24, 26         48                 56            34                -
CoS4                      5               3              6                  7             3                 -
CoS-to-ingress queue map  4, 5 (queue 2)  0, 1, 2, 3, 6, 7 (queue 1)
CoS-to-egress queue map   4, 5 (queue 1)  2, 3, 6, 7 (queue 2)              0 (queue 3)   2 (queue 3)       0, 1 (queue 4)

1 STP = Spanning Tree Protocol.
2 BPDU = bridge protocol data unit.
3 DSCP = Differentiated Services Code Point.
4 CoS = class of service.
Table 8 Auto-QoS Configuration for the Ingress Queues

Ingress Queue   Queue Number   CoS-to-Queue Map    Queue Weight (Bandwidth)   Queue (Buffer) Size
SRR1 shared     1              0, 1, 2, 3, 6, 7    70 percent                 90 percent
Priority        2              4, 5                30 percent                 10 percent

1 SRR = shaped round robin. Ingress queues support shared mode only.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to configure the QoS appropriate for video traffic within the QoS domain. The QoS domain includes the switch, the network interior, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for video connectivity with a Cisco TelePresence system and a Cisco IP camera.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note
The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
•
QoS is globally enabled (mls qos global configuration command), and other global configuration commands are added.
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos video interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos video command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
You can verify the configuration by entering the show auto qos video interface interface-id privileged EXEC command.
Examples
This example shows how to enable auto-QoS for a Cisco Telepresence interface with conditional trust. The interface is trusted only if a Cisco Telepresence device is detected; otherwise, the port is untrusted.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# auto qos video cts
Related Commands
clear macsec counters interface
To clear Media Access Control Security (MACsec) counters for an interface, use the clear macsec counters interface command in privileged EXEC mode.
clear macsec counters interface interface-id
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
This example clears the MACsec counters on the specified interface:
Switch# clear macsec counters interface gigabitethernet 0/2
Related Commands
Command      Description
clear mka    Clears MACsec Key Agreement (MKA) protocol policies or information.
macsec       Enables MACsec on an interface.
show macsec  Displays MACsec information.
clear mka
To clear MACsec Key Agreement (MKA) protocol sessions or information, use the clear mka command in privileged EXEC mode.
clear mka {all | sessions [interface interface-id [port-id port-id]] | [local-sci sci] | statistics [interface interface-id port-id port-id] | [local-sci sci]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When you enter the clear mka all command, the switch prompts for a confirmation and then deletes all active MKA sessions.
Examples
This example clears all active MKA sessions:
Switch# clear mka all
Are you sure you want to do this? [yes/no]: yes
This example clears the statistics counter of a specific MKA session running with Local TX-SCI 0023330853030002:
Switch# clear mka statistics local-sci 0023330853030002
Related Commands
confidentiality-offset
To configure the confidentiality offset value for the MACsec Key Agreement (MKA) Protocol policy, use the confidentiality-offset command in MKA policy configuration mode. To return to the default setting, use the no or default form of this command.
confidentiality-offset offset-value
[no | default] confidentiality-offset
Syntax Description
offset-value
Identifies a confidentiality (encryption) offset value for the MKA policy. Valid values are 0, 30, and 50 octets (bytes).
Defaults
The default offset is 0 with no confidentiality offset.
Command Modes
MKA policy configuration
Command History
Usage Guidelines
If no confidentiality offset is configured, no encryption offset is used.
To use this feature, both peers must support confidentiality offset.
You can verify the configuration by entering the show mka session detail privileged EXEC command.
Examples
This example configures an MKA policy with a confidentiality offset of 30 bytes.
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# confidentiality-offset 30
Switch(config-mka-policy)# end
Related Commands
Command                  Description
show mka session detail  Displays detailed information about active MKA sessions.
macsec
To enable 802.1AE Media Access Control Security (MACsec) on an interface, use the macsec command in interface configuration mode. To disable MACsec on the interface, use the no form of this command.
macsec
no macsec
Syntax Description
This command has no arguments or keywords.
Defaults
MACsec is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
MACsec is supported only on downlink interfaces on the Catalyst 3560-C switch, Gigabit Ethernet 0/1 to 0/8.
The interface must be in switchport access mode to see this command.
Entering the macsec interface configuration command puts the interface in the MACsec mode.
You can verify the configuration by entering the show macsec summary privileged EXEC command.
Examples
This example configures MACsec on an interface:
Switch(config)# interface GigabitEthernet0/8
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# macsec
Switch(config-if)# authentication event linksec fail action authorize vlan 2
Switch(config-if)# authentication host-mode multi-domain
Switch(config-if)# authentication linksec policy must-secure
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication violation protect
Switch(config-if)# mka policy replay-policy
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast
Switch(config-if)# end
Related Commands
Command                             Description
show macsec interface interface-id  Displays MACsec status and statistics for the specified interface.
show macsec summary                 Displays switch MACsec configuration.
media-type rj45
To manually select the RJ-45 console connection for input, whether or not there is a device connected to the USB console port, use the media-type rj45 command in line configuration mode. To return to the default setting, use the no form of this command. The USB console takes precedence if devices are connected to both consoles.
media-type rj45
no media-type rj45
Syntax Description
This command has no arguments or keywords.
Defaults
The default is that the switch uses the USB console connector for input.
Command Modes
Line configuration
Command History
Usage Guidelines
The switch has a USB mini-Type B console connector and an RJ-45 console connector. Console output displays on devices connected to both connectors, but console input is active on only one input at a time, with the USB connector taking precedence. When you configure the media-type rj45 line configuration command, USB console operation is disabled and input always remains with the RJ-45 console.
Entering the no media-type rj45 line configuration command immediately activates the USB console when it is connected to a powered-on device with a terminal emulation application.
Removing the USB connector always enables input from the RJ-45 connector.
You can verify the configuration by entering the show running-config privileged EXEC command.
Examples
This example configures the switch to always use the RJ-45 console input:
Switch(config)# line console 0
Switch(config-line)# media-type rj45
This example configures the switch to always use the USB console input if there is a connected powered-on device:
Switch(config)# line console 0
Switch(config-line)# no media-type rj45
Related Commands
mka default-policy
To apply the MACsec Key Agreement (MKA) protocol default policy on an interface, use the mka default-policy command in interface configuration mode. This command also enables MKA on the interface if no MKA policy was applied. To disable MKA on the interface and clear any active MKA policies running on the interface, use the no form of this command.
mka default-policy
no mka default-policy
Syntax Description
This command has no arguments or keywords.
Defaults
The MKA default policy is not applied. MKA is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
If another MKA policy is already applied to an interface, entering this command clears all active MKA sessions running on the interface.
If the MKA default policy has already been applied to the interface, you are notified, and no sessions are cleared.
To remove any MKA policy from the interface, including the default, enter the no mka policy interface configuration command.
You can verify the configuration by entering the show mka default-policy privileged EXEC command.
Examples
This example shows what you see if you apply the default policy to an interface that already has a policy applied:
Switch(config)# interface gigabitethernet 1/0/6
Switch(config-if)# mka policy my_policy
Switch(config-if)# mka default-policy
%MKA policy change has cleared all MKA Sessions on this interface.
Related Commands
Command                  Description
show mka default-policy  Displays information about the MACsec Key Agreement Protocol default policy.
mka policy (global configuration)
To create or configure a MACsec Key Agreement (MKA) Protocol policy and to enter MKA policy configuration mode, use the mka policy command in global configuration mode. To delete the policy, use the no form of this command.
mka policy policy-name
no mka policy policy-name
Syntax Description
policy-name
Identifies an MKA policy and enters MKA policy configuration mode. The maximum policy name length is 16 characters.
Defaults
No MKA policies are created.
Command Modes
Global configuration
Command History
Usage Guidelines
If you enter the name of an existing policy, you see a warning that any changes to the policy deletes all active MKA sessions with that policy.
Whenever you change an MKA policy, active MKA sessions with that policy applied are cleared.
If you try to create a policy name with more than 16 characters, you see a warning message, and the policy is not created.
If you enter the no mka policy policy-name command to delete a policy that is applied to at least one interface, you are prompted to first remove the policy from all interfaces that it is applied to and then to reenter the command. If you attempt to delete a policy and the policy name does not exist, you are notified.
When you enter MKA policy mode, these commands are available:
•
confidentiality-offset—Sets the confidentiality offset for MACsec operation
•
default—Sets the policy to its defaults
•
exit—Exits from MKA Policy configuration mode
•
no—Deletes the MKA policy
•
replay-protection—Configures MKA to use replay protection for MACsec operation
You can verify the configuration by entering the show mka policy privileged EXEC command.
Examples
This example shows what you see if you create a policy name that already exists:
Switch(config)# mka policy test-policy
Switch(config-mka-policy)# exit
Switch(config)# mka policy test-policy
%MKA policy "test-policy" may have associated active MKA Sessions.
Changes to MKA Policy "test-policy" values
will cause all associated active MKA Sessions to be cleared.
Related Commands
Command                             Description
mka policy (interface configuration)  Applies an MKA policy to an interface.
show mka policy                     Displays information about defined MKA protocol policies.
mka policy (interface configuration)
To apply an existing MACsec Key Agreement (MKA) Protocol policy to an interface, use the mka policy command in interface configuration mode. This command also enables MKA on the interface if no MKA policy has been applied. To remove an existing policy from the interface, disable MKA on the interface, and clear any active MKA sessions running on the interface, use the no form of this command.
mka policy policy-name
no mka policy
Syntax Description
Defaults
No MKA policies are applied. MKA is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
If a different MKA policy was applied to the interface, entering this command clears all active MKA sessions running on the interface.
If you enter a policy name that is already applied to the interface, you are notified that the policy was already applied and no sessions are cleared.
If you enter a policy name that does not exist, you are notified that the policy was not configured.
Entering the no mka policy interface command on an interface disables MKA on the interface and clears any active sessions that are running.
You can verify the configuration by entering the show mka policy privileged EXEC command.
Examples
This example shows the message that appears if you enter a policy name that has not been created:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# mka policy test-policy
%MKA policy "test-policy" has not been configured.
This example shows the message that appears if you enter a policy name when another policy has already been applied to the interface:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# mka policy test-policy
%MKA policy change has cleared all MKA Sessions on this interface.
Related Commands
Command                           Description
mka policy (global configuration)  Creates an MKA policy and enters MKA policy configuration mode.
show mka policy                   Displays MKA policies configured on the switch.
power inline police
To enable policing of the real-time power consumption, use the power inline police command in interface configuration mode. To disable this feature, use the no form of this command.
power inline police [action {errdisable | log}]
no power inline police
Syntax Description
Defaults
Policing of the real-time power consumption of the powered device is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command is supported only on Power over Ethernet (PoE)-capable ports. If you enter this command on a switch or port that does not support PoE, an error message appears.
The power inline police command is supported only on switches with PoE ports.
When policing of the real-time power consumption is enabled, the switch takes action when a powered device consumes more power than the allocated maximum amount.
When PoE is enabled, the switch senses the real-time power consumption of the powered device. This feature is called power monitoring or power sensing. The switch also polices the power usage with the power policing feature.
When power policing is enabled, the cutoff power on the PoE port is determined by one of these methods in this order:
1.
The user-defined power level that the switch budgets for the port when you enter the power inline consumption default wattage global configuration command or the power inline consumption wattage interface configuration command.
2.
The user-defined power level that limits the power allowed on the port when you enter the power inline auto max max-wattage or the power inline static max max-wattage interface configuration command
3.
The power usage of the device set by the switch by using CDP power negotiation or the device IEEE classification.
4.
The default power usage set by the switch; the default value is 15.4 W on a switch with PoE ports, and 30 W on a switch with PoE+ ports.
Use the first or second method in the previous list to manually configure the cutoff-power value by entering the power inline consumption default wattage global configuration command, the power inline consumption wattage interface configuration command, or the power inline [auto | static max] max-wattage command. If you do not manually configure the cutoff-power value, the switch automatically determines the value by using CDP power negotiation or the device IEEE classification, which is the third method in the list. If the switch cannot determine the value by using one of these methods, it uses the default value of 15.4 W or 30 W.
Note
For more information about the cutoff power value, the power consumption values that the switch uses, and the actual power consumption value of the connected device, see the "Power Monitoring and Power Policing" section in this document.
If power policing is enabled, the switch polices power usage by comparing the real-time power consumption to the maximum power allocated on the PoE port. If the device uses more than the maximum power allocation (or cutoff power) on the port, the switch either turns power off to the port, or generates a syslog message and updates the LEDs (to blink amber) while still providing power to the device.
•
To configure the switch to turn off power to the port and put the port in the error-disabled state, use the power inline police interface configuration command.
•
To configure the switch to generate a syslog message while still providing power to the device, use the power inline police action log command.
If you do not enter the action log keywords, the default action is to shut down the port, turn off power, and put the port in the PoE error-disabled state. To configure the PoE port to automatically recover from the error-disabled state, use the errdisable detect cause inline-power global configuration command to enable error-disabled detection for the PoE cause and the errdisable recovery cause inline-power interval interval global configuration command to enable the recovery timer for the PoE error-disabled cause.
Caution
If policing is disabled, no action occurs when the powered device consumes more than the maximum power allocation on the port, which could adversely affect the switch.
You can verify power inline configuration by entering the show power inline police privileged EXEC command.
Examples
This example shows how to enable policing of the power consumption and to configure the switch to generate a syslog message on the PoE port on a switch:
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# power inline police action log
Related Commands
replay-protection window-size
To configure replay protection for Media Access Control Security (MACsec), use the replay-protection window-size command in MKA policy configuration mode. When replay protection is set, you must configure a window size in number of frames. Use the no form of the command to disable replay protection. Use the default form of this command to return to the default window size of 0 frames.
replay-protection window-size frames
[no | default] replay-protection
Syntax Description
window-size frames
Sets a window size as the number of frames. The range is from 0 to 4294967295. The default window size is 0.
Defaults
The default window size is 0 frames.
Command Modes
MKA policy configuration
Command History
Usage Guidelines
Entering the default replay-protection window-size command sets the number of frames to 0. Entering no replay-protection turns off replay protection.
Entering a window size of 0 is not the same as entering the no replay-protection command. Configuring a window size of 0 uses replay protection with a strict ordering of frames. Entering no replay-protection turns off replay-protection verification in MACsec.
You can verify your setting by entering the show mka session detail privileged EXEC command.
Examples
This example shows how to configure an MKA policy with a replay protection window size of 300 frames.
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# confidentiality offset 30
Switch(config-mka-policy)# end
Related Commands
show mka session detail
Displays detailed information about active MKA sessions.
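The usage guidelines above draw a distinction that is easy to misread: a window of 0 still enforces replay protection (strict ordering), whereas no replay-protection switches the check off. The following simulation, an added example and not code from the release notes or from Cisco, models the 802.1AE receive-side packet-number (PN) check for a single receive secure association and increments the same counters that the show macsec interface output later in this reference reports (Valid, Late, Delay and Notvalid pkts). The ICV check is reduced to a per-frame boolean, and the PN sequences are constructed for illustration; the "lowest acceptable PN = next PN minus window" rule is the standard's, not a switch-specific detail.

```python
# Added example (not from the Cisco release notes): simulate the 802.1AE
# receive-side PN window that the MKA policy's replay-protection
# window-size controls, and keep the counters "show macsec interface" reports.
from dataclasses import dataclass, field


@dataclass
class RxSecureAssociation:
    """One receive SA: replay settings, next expected PN, and its counters."""
    replay_protect: bool          # "Replay protect : enabled" in show macsec
    replay_window: int            # window-size in frames; 0 = strict ordering
    next_pn: int = 1              # first PN on a fresh SA is 1 (802.1AE)
    counters: dict = field(default_factory=lambda: {
        "Valid pkts": 0, "Late pkts": 0, "Delay pkts": 0, "Notvalid pkts": 0})

    def lowest_acceptable_pn(self) -> int:
        # 802.1AE clause 10.6: lowestPN = nextPN - replayWindow, floored at 1.
        return max(self.next_pn - self.replay_window, 1)

    def receive(self, pn: int, icv_ok: bool) -> str:
        """Process one frame and return the name of the counter it hit."""
        lowest = self.lowest_acceptable_pn()
        # With replay protection on, a PN below the window is discarded as
        # "late" before the ICV is even checked.
        if self.replay_protect and pn < lowest:
            self.counters["Late pkts"] += 1
            return "Late pkts"
        # validateFrames strict (as in the show macsec output): ICV failure
        # is counted as Notvalid and the frame is dropped.
        if not icv_ok:
            self.counters["Notvalid pkts"] += 1
            return "Notvalid pkts"
        # Authentic frame. With replay protection off, an out-of-window PN is
        # still delivered but counted as delayed.
        if pn < lowest:
            self.counters["Delay pkts"] += 1
            outcome = "Delay pkts"
        else:
            self.counters["Valid pkts"] += 1
            outcome = "Valid pkts"
        # nextPN only moves forward when a frame raises the high-water mark.
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return outcome


def run_sequence(window: int, pns, replay_protect: bool = True) -> dict:
    """Feed a constructed PN sequence through one SA; return its counters."""
    sa = RxSecureAssociation(replay_protect=replay_protect, replay_window=window)
    for pn in pns:
        sa.receive(pn, icv_ok=True)
    return dict(sa.counters)


if __name__ == "__main__":
    # Constructed sample: frames 1..5 arrive in order, frame 3 is repeated,
    # then frame 6 arrives ahead of a reordered frame 4.
    sequence = [1, 2, 3, 4, 5, 3, 6, 4]
    # Window 0: strict ordering, every PN below nextPN is dropped as late.
    print("window 0   :", run_sequence(0, sequence))
    # Window 300 (the policy configured above): reordering is tolerated, but a
    # repeated PN inside the window is accepted too; the window only rejects
    # frames that fall behind it.
    print("window 300 :", run_sequence(300, sequence))
    # Replay protection off: nothing is dropped, delays are merely counted.
    print("no protect :", run_sequence(0, sequence, replay_protect=False))
```

The second run is the practical caveat behind the window-size choice: a nonzero window buys tolerance for reordering on links with multiple transmit paths, but any frame whose PN still falls inside the window is accepted even if it was seen before, so on a point-to-point link where ordering is guaranteed the default of 0 gives the stronger check.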
show controllers ethernet phy macsec
To display the internal Media Access Control Security (MACsec) counters or registers on an interface, use the show controllers ethernet phy macsec command in privileged EXEC mode.
show controllers ethernet interface-id phy macsec {counters | registers}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The displayed information is useful for Cisco technical support representatives troubleshooting the switch.
Examples
This is an example output from the show controllers ethernet phy macsec counters command:
Switch# show controllers ethernet gigabitethernet0/1 phy macsec counters
GigabitEthernet0/1 (gpn: 1, port-number: 1)
-----------------------------------------------------------
========== Active RX SA ==========
ILU Entry : 1
SCI : 0x1B2140EC4C0000
AN : 0x0000
NextPN : 0x0013
Decrypt Key : 0x1E902BE3AF08549BAC995474C5F55526
---------- RX SA Stats ----------
IGR_HIT : 0xE
IGR_OK : 0xE
IGR_UNCHK : 0x0
IGR_DELAY : 0x0
IGR_LATE : 0x0
IGR_INVLD : 0x0
IGR_NOTVLD : 0x0
========== Active TX SA ==========
ELU Entry : 2
SCI : 0x22BDCF9A010002
AN : 0x0000
NextPN : 0x0022
Encrypt Key : 0x1E902BE3AF08549BAC995474C5F55526
---------- TX SA Stats ----------
EGR_HIT : 0x682
EGR_PKT_PROT : 0x0
EGR_PKT_ENC : 0x682
========== Port Stats ==========
IGR_UNTAG : 0x0
IGR_NOTAG : 0x57B
IGR_BADTAG : 0x0
IGR_UNKSCI : 0x0
IGR_MISS : 0x52B
This is an example output from the show controllers ethernet phy macsec registers command:
Switch# show controllers ethernet gigabitethernet0/1 phy macsec registers
GigabitEthernet0/1 (gpn: 1, port-number: 1)
-----------------------------------------------------------
Macsec Registers
-----------------------------------------------------------
0000: 88E58100 Ethertypes Register
0001: 00400030 Sizes Register
0002: 00000010 Cfg Default Vlan
0003: 00000000 Reset Control Register
0007: 00000001 Port Number Register
0009: 0000100C EGR Gen Register
000B: 2FB40000 IGR Gen Register
000E: 00000000 Replay Window Register
0010: 00000047 ISC Gen Register
001C: 00000000 LC Interrupt Register
001D: 0000003A LC Interrupt Mask Register
001E: 00000000 FIPS Control Register
001F: 00000F0F ET Match Control Register
0030: 888E8808 ET Match 0 Register
0031: 88CC8809 ET Match 1 Register
0032: 00000000 ET Match 2 Register
0033: 00000000 ET Match 3 Register
0040: 00019C49 Wire Mac Control 0 Register
0041: 000200C1 Wire Mac Control 1 Register
0042: 00000008 Wire Mac Control 2 Register
0043: 00000020 Wire Mac Autneg Control Regist
0047: 0007FE43 Wire Mac Hidden0 Register
0050: 00009FC9 Sys Mac Control 0 Register
0051: 000100B1 Sys Mac Control 1 Register
0052: 00000000 Sys Mac Control 2 Register
0053: 00000030 Sys Mac Autneg Control Registe
0057: 0007FE43 Sys Mac Hidden0 Register
0070: 00000040 SLC Cfg Gen Register
0074: 00000004 Pause Control Register
0076: 00002006 SLC Ram Control Register
0060: 00000004 CiscoIP Enable Register
Related Commands
show macsec
To display 802.1ae Media Access Control Security (MACsec) information, use the show macsec command in privileged EXEC mode.
show macsec {interface interface-id | summary}
Syntax Description
interface interface-id
Displays MACsec interface details.
summary
Displays MACsec summary information.
Command Modes
Privileged EXEC
Command History
Examples
This is sample output of the show macsec interface command when there is no MACsec session established on the interface:
Switch# show macsec interface gigabitethernet 0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
Max. Rx SA : 16
Max. Tx SA : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
No Transmit Secure Channels
No Receive Secure Channels
This is sample output of the show macsec interface command after the session is established:
Switch# show macsec interface gigabitethernet 0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
Max. Rx SA : 16
Max. Tx SA : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
Transmit Secure Channels
SCI : 0022BDCF9A010002
Elapsed time : 00:00:00
Current AN: 0 Previous AN: -1
SC Statistics
Auth-only (0 / 0)
Encrypt (1910 / 0)
Receive Secure Channels
SCI : 001B2140EC4C0000
Elapsed time : 00:00:00
Current AN: 0 Previous AN: -1
SC Statistics
Notvalid pkts 0 Invalid pkts 0
Valid pkts 1 Late pkts 0
Uncheck pkts 0 Delay pkts 0
Port Statistics
Ingress untag pkts 0 Ingress notag pkts 1583
Ingress badtag pkts 0 Ingress unknownSCI pkts 0
Ingress noSCI pkts 0 Unused pkts 0
Notusing pkts 0 Decrypt bytes 80914
Ingress miss pkts 1492
This is sample output of the show macsec summary command to see all established MACsec sessions:
Switch# show macsec summary
Interface Transmit SC Receive SC
GigabitEthernet 0/1 0 0
GigabitEthernet 0/2 1 1
GigabitEthernet 0/4 0 0
Related Commands
show mka default-policy
To display information about the MACsec Key Agreement (MKA) Protocol default policy, use the show mka default-policy command in privileged EXEC mode.
show mka default-policy [sessions] [detail]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
This is sample output of the show mka default-policy command:
Switch# show mka default-policy
MKA Policy Summary...
Policy KS Delay Replay Window Conf Interfaces
Name Priority Protect Protect Size Offset Applied
=============================================================================
*DEFAULT POLICY* 0 NO YES 0 0 Gi0/3 Gi0/4
/*******************************************************************************/
This is sample output of the show mka default-policy detail command:
Switch# show mka default-policy detail
MKA Policy Configuration ("*DEFAULT POLICY*")
========================
MKA Policy Name........ *DEFAULT POLICY*
Key Server Priority.... 0
Delay Protection....... NO
Replay Protection...... YES
Replay Window Size..... 0
Confidentiality Offset. 0
Applied Interfaces...
GigabitEthernet0/5
This is sample output of the show mka default-policy sessions command:
Switch# show mka default-policy sessions
Summary of All Active MKA Sessions with MKA Policy "*DEFAULT POLICY*"...
Interface Peer-RxSCI Policy-Name Audit-Session-ID
Port-ID Local-TxSCI Key-Svr Status CKN
================================================================================
...
Related Commands
show mka policy
To display a summary of all defined MACsec Key Agreement (MKA) protocol policies, including the MKA default policy, or to display a summary of a specified policy, use the show mka policy command in privileged EXEC mode.
show mka policy [policy-name [sessions] [detail]]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
This is sample output of the show mka policy command:
Switch# show mka policy
MKA Policy Summary...
Policy KS Delay Replay Window Conf Interfaces
Name Priority Protect Protect Size Offset Applied
===============================================================================
*DEFAULT POLICY* 0 NO YES 0 0 Gi0/1
MkaPolicy-1 0 NO YES 1000 0 Gi0/2 Gi0/3
MkaPolicy-2 0 NO YES 0 50
MkaPolicy-3 0 YES YES 64 30 Gi0/4
This is sample output of the show mka policy detail command:
Switch# show mka policy MkaPolicy detail
MKA Policy Configuration ("MkaPolicy-3")
========================
MKA Policy Name........ MkaPolicy-3
Key Server Priority.... 0
Delay Protection....... NO
Replay Protection...... YES
Replay Window Size..... 64
Confidentiality Offset. 30
Applied Interfaces...
GigabitEthernet0/4
This is sample output of the show mka policy sessions command:
Switch# show mka policy replay-policy sessions
Summary of All Active MKA Sessions with MKA Policy "replay-policy"...
Interface Peer-RxSCI Policy-Name Audit-Session-ID
Port-ID Local-TxSCI Key-Svr Status CKN
================================================================================
Gi0/5 001b.2140.ec3c/0000 replay-policy 0A05783B0000001700448BA8
2 001e.bdfe.6d99/0002 YES Secured 3808F996026DFB8A2FCEC9A88BBD0680
Related Commands
mka policy (global configuration)
Creates an MKA policy and enters MKA policy configuration mode.
mka policy (interface configuration)
Applies an MKA policy to the interface.
show mka session
To display a summary of active MACsec Key Agreement (MKA) Protocol sessions, use the show mka session command in privileged EXEC mode.
show mka session [detail] [interface interface-id [port-id port-id]] [local-sci sci]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
This is sample output of the show mka session command:
Switch# show mka session
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
================================================================================
Interface Peer-RxSCI Policy-Name Audit-Session-ID
Port-ID Local-TxSCI Key-Svr Status CKN
================================================================================
Gi 0/1 001b.213d.28ed/0000 *DEFAULT POLICY* 02020202000000000000EAA6
2 001e.bdfe.8402/0002 YES Secured 3A06ECB1183E42BB4D7817EB2B949D0E
Gi1/0/2 001c.113f.2d3a/0000 MkaPolicy-1 02020533000000000000EC81
2 001e.bdfe.8402/0002 YES Secured F103EABB133F4AB3497312EF2A949A03
This is sample output of the show mka session detail command:
Switch# show mka session detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 0022.bdcf.9a01/0002
Interface MAC Address.... 0022.bdcf.9a01
MKA Port Identifier...... 2
Interface Name........... GigabitEthernet1/0/1
Audit Session ID......... 0B0B0B3D0000034F050FA69B
CAK Name (CKN)........... 46EFE9FE85199FE404FB7AFA3FD0732E
Member Identifier (MI)... D7B00EDA353242704CC6B0DB
Message Number (MN)...... 7
Authenticator............ YES
Key Server............... YES
Latest SAK Status........ Rx & Tx
Latest SAK AN............ 0
Latest SAK KI (KN)....... D7B00EDA353242704CC6B0DB00000001 (1)
Old SAK Status........... FIRST-SAK
Old SAK AN............... 0
Old SAK KI (KN).......... FIRST-SAK (0)
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
MKA Policy Name.......... *DEFAULT POLICY*
Key Server Priority...... 0
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Algorithm Agility........ 80C201
Cipher Suite............. 0080020001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
Live Peers List:
MI MN Rx-SCI (Peer)
---------------------------------------------------------
DA296D3E62E0961234BF39A6 7 001b.2140.ec4c/0000
Potential Peers List:
MI MN Rx-SCI (Peer)
---------------------------------------------------------
This is sample output of the show mka session interface command:
Switch# show mka session interface gigabitethernet0/5
Summary of All Currently Active MKA Sessions on Interface GigabitEthernet0/5.
Interface Peer-RxSCI Policy-Name Audit-Session-ID
Port-ID Local-TxSCI Key-Svr Status CKN
================================================================================
Gi0/5 001b.2140.ec3c/0000 replay-policy 0A05783B0000001700448BA8
2 001e.bdfe.6d99/0002 YES Secured 3808F996026DFB8A2FCEC9A88BBD0680
Related Commands
clear mka sessions
Clears all MKA sessions or clear MKA sessions on a port-ID, interface, or Local TX-SCI.
macsec
Enables 802.1ae MACsec on an interface.
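The show mka session detail output above is what an operator actually checks to confirm that a link is protected the way its policy intends (SECURED status, replay protection on, the expected cipher suite, a SAK installed in both directions). The following parser and baseline check is an added example, not code from the release notes or from Cisco: it reads the dotted "Name.... value" lines of that output into a dictionary and reports deviations from a small, assumed baseline. The sample text is constructed in the same layout as the output above with illustrative values, and the baseline (replay window 0, confidentiality offset 0, GCM-AES-128) is an assumption chosen for the example, not a Cisco recommendation.

```python
# Added example (not from the Cisco release notes): parse "show mka session
# detail" and audit the session against an assumed security baseline.
import re

# Constructed sample in the layout of the switch output (values illustrative).
SAMPLE = """\
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
Local Tx-SCI............. 0022.bdcf.9a01/0002
Interface Name........... GigabitEthernet1/0/1
Key Server............... YES
Latest SAK Status........ Rx & Tx
MKA Policy Name.......... *DEFAULT POLICY*
Key Server Priority...... 0
Delay Protection......... NO
Replay Protection........ YES
Replay Window Size....... 0
Confidentiality Offset... 0
Cipher Suite............. 0080020001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 1
"""

# "Key..... value" lines; the key is everything before the first run of dots.
_DOTTED = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<val>.*)$")
# The one line that uses "Status: value" instead of dot padding.
_STATUS = re.compile(r"^Status:\s*(?P<val>\S+)")


def parse_session_detail(text: str) -> dict:
    """Return the key/value fields of one session's detail output."""
    fields = {}
    for line in text.splitlines():
        m = _STATUS.match(line)
        if m:
            fields["Status"] = m.group("val")
            continue
        m = _DOTTED.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def audit_session(fields: dict) -> list:
    """Return findings against the assumed baseline; empty means compliant."""
    findings = []
    if fields.get("Status") != "SECURED":
        findings.append("session is not SECURED")
    if fields.get("Replay Protection") != "YES":
        findings.append("replay protection disabled")
    window = int(fields.get("Replay Window Size", "0") or 0)
    if window > 0:
        findings.append(f"replay window {window} > 0 accepts reordered frames")
    if "GCM-AES-128" not in fields.get("Cipher Suite", ""):
        findings.append("unexpected cipher suite")
    if fields.get("Confidentiality Offset", "0") != "0":
        findings.append("confidentiality offset leaves leading payload bytes in clear")
    if fields.get("Latest SAK Status") != "Rx & Tx":
        findings.append("SAK not installed for both directions")
    return findings


if __name__ == "__main__":
    parsed = parse_session_detail(SAMPLE)
    print(parsed["Interface Name"], parsed["Status"], audit_session(parsed) or "OK")
```

Because the detail output for several interfaces is just this block repeated, the same parser can be run over each block in turn; only the baseline in audit_session needs adjusting where a policy deliberately uses a nonzero window or offset.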
show mka statistics
To display global MACsec Key Agreement (MKA) Protocol statistics and error counters from active and previous MKA sessions, use the show mka statistics command in privileged EXEC mode.
show mka statistics [interface interface-id port-id port-id | local-sci sci]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
This is an example of the show mka statistics command output:
Switch# show mka statistics
MKA Global Statistics
=====================
MKA Session Totals
Secured.................... 32
Reauthentication Attempts.. 31
Deleted (Secured).......... 1
Keepalive Timeouts......... 0
CA Statistics
Pairwise CAKs Derived...... 32
Pairwise CAK Rekeys........ 31
Group CAKs Generated....... 0
Group CAKs Received........ 0
SA Statistics
SAKs Generated............. 32
SAKs Rekeyed............... 31
SAKs Received.............. 0
SAK Responses Received..... 32
MKPDU Statistics
MKPDUs Validated & Rx...... 580
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKPDUs Transmitted......... 597
"Distributed SAK"..... 32
"Distributed CAK"..... 0
MKA Error Counter Totals
========================
Bring-up Failures.................. 0
Reauthentication Failures.......... 0
SAK Failures
SAK Generation.................. 0
Hash Key Generation............. 0
SAK Encryption/Wrap............. 0
SAK Decryption/Unwrap........... 0
CA Failures
Group CAK Generation............ 0
Group CAK Encryption/Wrap....... 0
Group CAK Decryption/Unwrap..... 0
Pairwise CAK Derivation......... 0
CKN Derivation.................. 0
ICK Derivation.................. 0
KEK Derivation.................. 0
Invalid Peer MACsec Capability.. 2
MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 0
Tx SA Installation............... 0
MKPDU Failures
MKPDU Tx......................... 0
MKPDU Rx Validation.............. 0
MKPDU Rx Bad Peer MN............. 0
MKPDU Rx Non-recent Peerlist MN.. 0
Related Commands
clear mka statistics
Clears all MKA statistics or those on a specified interface port-ID or Local TX-SCI.
show mka summary
To display a summary of MACsec Key Agreement (MKA) sessions and global statistics, use the show mka summary command in privileged EXEC mode.
show mka summary
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
This is an example of the show mka summary command output:
Switch# show mka summary
Total MKA Sessions....... 0
Secured Sessions... 0
Pending Sessions... 0
================================================================================
Interface Peer-RxSCI Policy-Name Audit-Session-ID
Port-ID Local-TxSCI Key-Svr Status CKN
================================================================================
MKA Global Statistics
=====================
MKA Session Totals
Secured.................... 0
Reauthentication Attempts.. 0
Deleted (Secured).......... 0
Keepalive Timeouts......... 0
CA Statistics
Pairwise CAKs Derived...... 0
Pairwise CAK Rekeys........ 0
Group CAKs Generated....... 0
Group CAKs Received........ 0
SA Statistics
SAKs Generated............. 0
SAKs Rekeyed............... 0
SAKs Received.............. 0
SAK Responses Received..... 0
MKPDU Statistics
MKPDUs Validated & Rx...... 0
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKPDUs Transmitted......... 0
"Distributed SAK"..... 0
"Distributed CAK"..... 0
MKA Error Counter Totals
========================
Session Failures
Bring-up Failures................ 0
Reauthentication Failures........ 0
Duplicate Auth-Mgr Handle........ 0
SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0
CA Failures
Group CAK Generation............. 0
Group CAK Encryption/Wrap........ 0
Group CAK Decryption/Unwrap...... 0
Pairwise CAK Derivation.......... 0
CKN Derivation................... 0
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0
MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 0
Tx SA Installation............... 0
MKPDU Failures
MKPDU Tx......................... 0
MKPDU Rx Validation.............. 0
MKPDU Rx Bad Peer MN............. 0
MKPDU Rx Non-recent Peerlist MN.. 0
Related Commands
show power inline
Use the show power inline user EXEC command to display the Power over Ethernet (PoE) status for the specified PoE port or for all PoE ports.
show power inline [police [interface-id] | consumption | dynamic-priority]
Syntax Description
Command Modes
User EXEC
Command History
Examples
This is an example of output from a Catalyst 3560CPD-8PT. It shows the available power and the power required by each connected device.
Switch# show power inline
Available:15.4(w) Used:15.4(w) Remaining:0(w)
Interface Admin Oper Power Device Class Max
(Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi0/1 auto off 0.0 n/a n/a 15.4
Gi0/2 auto off 0.0 n/a n/a 15.4
Gi0/3 auto off 0.0 n/a n/a 15.4
Gi0/4 auto off 0.0 n/a n/a 15.4
Gi0/5 auto on 15.4 IP Phone 8961 4 15.4
Gi0/6 auto off 0.0 n/a n/a 15.4
Gi0/7 auto off 0.0 n/a n/a 15.4
Gi0/8 auto off 0.0 n/a n/a 15.4
Table 15 describes the output fields.
The Catalyst 3560CG-8TC switch downlink ports cannot provide power to end devices. This is an example of output from the show power inline command on a Catalyst 3560CG-8PT switch:
Switch# show power inline
Available:0.0(w) Used:0.0(w) Remaining:0.0(w)
Interface Admin Oper Power Device Class Max
(Watts)
--------- ------ ---------- ------- ------------------- ----- ----
This is an example of the output of the show power inline police privileged EXEC command on a Catalyst 3560CPD-8PT:
Switch# show power inline police
Available:5.4(w) Used:15.4(w) Remaining: 0(w)
Interface Admin Oper Admin Oper Cutoff Oper
State State Police Police Power Power
--------- ------ ---------- ---------- ---------- ------ -----
Gi0/1 auto off none n/a n/a 0.0
Gi0/2 auto off none n/a n/a 0.0
Gi0/3 auto off none n/a n/a 0.0
Gi0/4 auto off none n/a n/a 0.0
Gi0/5 auto on none n/a n/a 9.5
Gi0/6 auto off none n/a n/a 0.0
Gi0/7 auto off none n/a n/a 0.0
Gi0/8 auto off none n/a n/a 0.0
--------- ------ ---------- ---------- ---------- ------ -----
Totals: 9.5
Table 16 describes the output fields.
This is an example of output from the show power inline police interface-id command on a switch.
Switch> show power inline police gigabitethernet0/4
Interface Admin Oper Admin Oper Cutoff Oper
State State Police Police Power Power
--------- ------ ---------- ---------- ---------- ------ -----
Gi0/4 auto power-deny log n/a 4.0 0.0
This is an example of output from the show power inline consumption command on all PoE switch ports:
Switch> show power inline consumption
Default PD consumption : 15400 mW
This is an example of output from the show power inline dynamic-priority command on a switch.
Switch> show power inline dynamic-priority
Dynamic Port Priority
-----------------------
Port OperState Priority
--------- --------- --------
Gi0/1 off High
Gi0/2 off High
Gi0/3 off High
Gi0/4 off High
Gi0/5 off High
Gi0/6 off High
Gi0/7 off High
Gi0/8 off High
Related Commands
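The power inline police guidelines earlier in this reference describe two states worth catching across a fleet of switches: a powered port with no policing configured (the Caution case, where a device exceeding its allocation is never acted on) and a port where policing has already cut power. The following parser over the show power inline police table is an added example, not code from the release notes or from Cisco. Its sample output is constructed in the page's layout; the "errdisable" and "ok" Oper Police values on Gi0/6 and the over-cutoff reading on Gi0/7 are assumed for illustration, since the page shows only "none", "log" and "n/a".

```python
# Added example (not from the Cisco release notes): parse the
# "show power inline police" table and flag ports that need attention.
import re

# Constructed sample in the layout of the switch output (values illustrative;
# the Gi0/6 and Gi0/7 rows use assumed values not shown on the page).
SAMPLE = """\
Available:15.4(w) Used:15.4(w) Remaining: 0(w)
Interface Admin  Oper       Admin      Oper       Cutoff Oper
          State  State      Police     Police     Power  Power
--------- ------ ---------- ---------- ---------- ------ -----
Gi0/1     auto   off        none       n/a        n/a    0.0
Gi0/4     auto   power-deny log        n/a        4.0    0.0
Gi0/5     auto   on         none       n/a        n/a    9.5
Gi0/6     auto   on         errdisable ok         15.4   6.2
Gi0/7     auto   on         log        ok         5.0    6.1
--------- ------ ---------- ---------- ---------- ------ -----
Totals:                                                  21.8
"""

# One data row: interface name followed by the six columns of the table.
_ROW = re.compile(
    r"^(?P<intf>(?:Gi|Fa|Te)\S+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+"
    r"(?P<admin_police>\S+)\s+(?P<oper_police>\S+)\s+(?P<cutoff>\S+)\s+(?P<power>\S+)\s*$"
)


def _watts(token: str):
    """'n/a' carries no value; any other column entry is a float in watts."""
    return None if token == "n/a" else float(token)


def parse_police_table(text: str) -> list:
    """Return one dict per interface row; header, rule and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            row = m.groupdict()
            row["cutoff"] = _watts(row["cutoff"])
            row["power"] = _watts(row["power"])
            rows.append(row)
    return rows


def audit_police(rows: list) -> list:
    """Return (interface, finding) pairs in table order."""
    findings = []
    for r in rows:
        if r["oper"] == "power-deny":
            # Policing tripped with the default action: power was removed.
            findings.append((r["intf"], f"policing removed power (cutoff {r['cutoff']} W)"))
        elif r["oper"] == "on" and r["admin_police"] == "none":
            # The Caution case: a powered port with no policing at all.
            findings.append((r["intf"], "powered but power policing is disabled"))
        elif r["oper"] == "on" and r["cutoff"] is not None and r["power"] > r["cutoff"]:
            # With "action log" the port stays up; only the draw shows it.
            findings.append((r["intf"],
                             f"drawing {r['power']} W over the {r['cutoff']} W cutoff"))
    return findings


if __name__ == "__main__":
    for intf, msg in audit_police(parse_police_table(SAMPLE)):
        print(f"{intf}: {msg}")
```

Feeding the output of several switches through parse_police_table and collecting the findings gives a quick fleet-wide view of which PoE ports are unpoliced, which have already been denied power, and which are running over their cutoff under the log action.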
usb
To configure an inactivity timeout on the USB console, use the usb command in console line configuration mode. To remove the inactivity timeout use the no form of this command.
usb inactivity-timeout
no usb inactivity-timeout
Syntax Description
inactivity-timeout
Configures the number of minutes before the console port changes to the RJ-45 port due to inactivity on the USB console. The range is 1 to 240. The default is no timeout.
Defaults
Inactivity timeout is not configured.
Command Modes
Line configuration
Command History
Usage Guidelines
The switch has a configurable timeout inactivity that activates the RJ-45 console if the USB console has been activated but no input activity has occurred on the USB console for a specified time period. When the USB console is deactivated due to an inactivity timeout, you can restore its operation by disconnecting and reconnecting the USB cable.
Examples
This example shows how to configure the inactivity timeout:
Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# usb-inactivity-timeout 60
If there is no input on the USB console for 60 minutes, the console changes to RJ-45, and a system message log appears showing the inactivity timeout.
Related Commands
no media-type rj45
Resets the console port as the USB port if it has been manually set to the RJ-45 port.
debug macsec
To enable debugging of 802.1ae Media Access Control Security (MACsec), use the debug macsec command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug macsec [error | events]
no debug macsec [error | events]
Syntax Description
error
(Optional) Displays MACsec error debugging messages.
events
(Optional) Displays MACsec event debugging messages.
Defaults
MACsec debugging is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Entering the debug macsec command with no keywords starts all MACsec debugging facilities.
The undebug macsec command is the same as the no debug macsec command.
When you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you can start a session from the stack master by using the session switch-number privileged EXEC command. Then enter the debug command at the command-line prompt of the stack member. You can use the remote command stack-member-number LINE privileged EXEC command on the stack master switch to enable debugging on a member switch without starting a session.
Related Commands
show debugging
Displays information about the types of debugging that are enabled.
debug mka
To enable debugging of the MACsec Key Agreement (MKA) protocol sessions, use the debug mka command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug mka [errors | events | lli | mli | packets | trace]
no debug mka [errors | events | lli | mli | packets | trace]
Syntax Description
Defaults
MKA debugging is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Entering the debug mka command with no keywords enables all MKA debugging facilities.
The undebug mka command is the same as the no debug mka command.
When you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you can start a session from the stack master by using the session switch-number privileged EXEC command. Then enter the debug command at the command-line prompt of the stack member. You also can use the remote command stack-member-number LINE privileged EXEC command on the stack master switch to enable debugging on a member switch without starting a session.
Related Commands
Related Documentation
These documents with information about the Catalyst 3560-C switches are available on Cisco.com:
http://www.cisco.com/en/US/products/ps11289/tsd_products_support_series_home.html
• Catalyst 3560-C and 2960-C Switch Hardware Installation Guide
• Catalyst 3560-C and 2960-C Switch Getting Started Guide
• Regulatory Compliance and Safety Information for the Catalyst 3560-C and 2960-C Switch
These documents with information about the Catalyst 3560 switches are available at Cisco.com:
http://www.cisco.com/en/US/products/hw/switches/ps5528/tsd_products_support_series_home.html
• Catalyst 3560 Switch Software Configuration Guide
• Catalyst 3560 Switch Command Reference
• Catalyst 3750, 3560, 3550, 2975, 2970, 2960, and 2960-S Switch System Message Guide
For other information about related products, see these documents:
• Device manager online help (available on the switch)
• Smart Install Configuration Guide
• Auto Smartports Configuration Guide
• Cisco EnergyWise Configuration Guide
• For more information about the Network Admission Control (NAC) features, see the Network Admission Control Software Configuration Guide
• Information about Cisco SFP, SFP+, and GBIC modules is available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/prod_installation_guides_list.html
SFP compatibility matrix documents are available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2011-2012 Cisco Systems, Inc. All rights reserved.