 Feedback
|
Table Of Contents
Device Manager System Requirements
Finding the Software Version and Feature Set
Upgrading a Switch by Using the Device Manager or Network Assistant
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Minimum Cisco IOS Release for Major Features
Stacking (Catalyst 3750 or Cisco EtherSwitch service module switch stack only)
Catalyst 2960-S Control Plane Protection
Caveats Resolved in Cisco IOS Release 15.0(1)SE3
Caveats Resolved in Cisco IOS Release 15.0(1)SE1
Caveats Resolved in Cisco IOS Release 15.0(1)SE
Updates to the Catalyst 3750, 3560, and 2960 and 2960-S Software Configuration Guides
Information Added to the "Administering the Switch" Chapter
Correction to the "Clustering Switches" Chapter
Correction to the "Configuring Network Security with ACLs" Chapter
Correction to the "Managing Switch Stacks" Chapter
Correction to the "Unsupported Commands" Chapter
Information Added to the "Configuring IEEE 802.1x Port-Based Authentication" Chapter
Update to the Catalyst 3750 Software Configuration Guide
Update to the Catalyst 3750 and 2960-S Software Configuration Guide
Updates to the Catalyst 2960 and 2960-S Software Configuration Guide
Correction to the "Configuring SDM Templates" Chapter
Correction: the "Configuring IPv6 ACLs" Chapter
Updates to the Catalyst 3750, 3560, and 2960 and 2960-S Command References
dot1x supplicant controlled transient
Updates to the System Message Guides
Updates to the Catalyst 2960 Hardware Installation Guide
Update to the Getting Started Guide
Update to the Catalyst 2960-S Switch Getting Started Guide
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 3750, 3560, 2960-S, and 2960 Switches, Cisco IOS Release 15.0(1)SE and Later
Revised June 7, 2012
Cisco IOS Release 15.0(1)SE runs on Catalyst 3750, 3560, 2960-S, and 2960 switches and on Cisco EtherSwitch service modules.
Note
Not all Catalyst 3750 and 3560 switches can run this release. These models are not supported in Cisco IOS Release 12.2(58)SE1 and later: WS-C3560-24TS, WS-C3560-24PS. WS-C3560-48PS, WS-C3560-48TS, WS-C3750-24PS, WS-C3750-24TS, WS-C3750-48PS, WS-C3750-48TS, WS-3750G-24T, WS-C3750G-12S, WS-C3750G-24TS, WS-C3750G-16TD. For ongoing maintenance rebuilds for these models, use Cisco IOS Release 12.2(55)SE and later (SE1, SE2, and so on).
The Catalyst 3750 switches and the Cisco EtherSwitch service modules support stacking through Cisco StackWise technology. The Catalyst 3560 and 2960 switches do not support switch stacking. Catalyst 2960-S does support stacking. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
These release notes include important information about Cisco IOS Release 15.0(1)SE and any limitations, restrictions, and caveats that apply to the releases. Verify that these release notes are correct for your switch:
•
•
•
You can download the switch software from this site (registered Cisco.com users with a login password):
http://www.cisco.com/cisco/web/download/index.htmlContents
•
•
•
System Requirements
•
Supported Hardware
Table 1 Catalyst 3750 and Cisco EtherSwitch Service Modules Supported
Catalyst 3750G-24WS-S25
24 10/100/1000 PoE1 ports, 2 SFP2 module slots, and an integrated wireless LAN controller supporting up to 25 access points.
Cisco IOS Release 12.2(25)FZ or Cisco IOS Release 12.2(35)SE
Catalyst 3750G-24WS-S50
24 10/100/1000 PoE ports, 2 SFP module slots, and an integrated wireless LAN controller supporting up to 50 access points
Cisco IOS Release 12.2(25)FZ or Cisco IOS Release 12.2(35)SE
Catalyst 3750-24FS
24 100BASE-FX ports and 2 SFP module slots
Cisco IOS Release 12.2(25)SEB
Catalyst 3750G-24PS
24 10/100/1000 PoE ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3750G-24TS-1U
24 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3750G-48PS
48 10/100/1000 PoE ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3750G-48TS
48 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3750V2-24PS
24 10/100 PoE ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3750V2-24TS
24 10/100 ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3750V2-48PS
48 10/100 PoE ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3750V2-48TS
48 10/100 ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3750V2-24FS
24 SFP module slots and 2 SFP module slots
Cisco IOS Release 12.2(55)EY
NME-16ES-1G3
16 10/100 ports, 1 10/100/1000 Ethernet port, no StackWise connector ports, single-wide
Cisco IOS Release 12.2(25)SEC
NME-16ES-1G-P4
16 10/100 PoE ports, 1 10/100/1000 Ethernet port, no StackWise connector ports, single-wide
Cisco IOS Release 12.2(25)EZ
NME-X-23ES-1G4
23 10/100 ports, 1 10/100/1000 PoE port, no StackWise connector ports, extended single-wide
Cisco IOS Release 12.2(25)SEC
NME-X-23ES-1G-P4
23 10/100 PoE ports, 1 10/100/1000 PoE port, no StackWise connector ports, extended single-wide
Cisco IOS Release 12.2(25)EZ
NME-XD-24ES-1S-P4
24 10/100 PoE ports, 1 SFP module port, 2 StackWise connector ports, extended double-wide
Cisco IOS Release 12.2(25)EZ
NME-XD-48ES-2S-P4
48 10/100 PoE ports, 2 SFP module ports, no StackWise connector ports, extended double-wide
Cisco IOS Release 12.2(25)EZ
1 PoE = Power over Ethernet
2 SFP = small form-factor pluggable
3 Cisco EtherSwitch service module
Table 2 Catalyst 3560 Switches Supported
Catalyst 3560-8PC
8 10/100 PoE ports and 1 dual-purpose port1 (one 10/100/1000BASE-T copper port and one SFP module slot)
Cisco IOS Release 12.2(35)SE
Catalyst 3560G-24PS
24 10/100 PoE ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3560G-24TS
24 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3560G-48PS
48 10/100/1000 PoE ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3560G-48TS
48 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco IOS Release 12.2(20)SE3
Catalyst 3560-12PC Compact Switch
12 Ethernet 10/100 ports with PoE and 1 dual-purpose 10/100/1000 or SFP uplink
Cisco IOS Release 12.2(50)SE
Catalyst 3560V2-24PS
24 10/100 PoE ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3560V2-24TS
24 10/100 ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3560V2-48PS
48 10/100 PoE ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3560V2-48TS
48 10/100 ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
Catalyst 3560V2-24TS-SD
24 10/100 ports and 2 SFP module slots
Cisco IOS Release 12.2(50)SE1
1 Each uplink port is considered a single interface with dual front ends (RJ-45 connector and SFP module slot). The dual front ends are not redundant interfaces, and only one port of the pair is active.
Table 3 Catalyst 2960, and 2960-S Switches Supported
Catalyst 2960-48PST-S
48 10/100 PoE ports, 2 10/100/1000 ports, and 2 SFP module slots
Cisco IOS Release 12.2(50)SE2
Catalyst 2960-24PC-S
24 10/100 PoE ports and 2 dual-purpose ports
(2 10/100/1000BASE-T copper ports and 2 SFP module slots)Cisco IOS Release 12.2(50)SE2
Catalyst 2960-24LC-S
24 10/100 ports (8 of which are PoE) and 2 dual-purpose ports
(2 10/100/1000BASE-T copper ports and 2 SFP module slots)Cisco IOS Release 12.2(50)SE2
Catalyst 2960-8TC-S
8 10/100 ports and 1 dual-purpose port3 (1 10/100/1000BASE-T copper port and1 SFP module slot)
Cisco IOS Release 12.2(46)SE
Catalyst 2960-48TT-S
48 10/100 ports and 1 10/100/1000 ports
Cisco IOS Release 12.2(46)SE
Catalyst 2960-48PST-L
48 10/100 PoE ports, 1 10/100/1000 ports and 2 SFP module slots
Cisco IOS Release 12.2(46)SE
Catalyst 2960-24-S
24 10/100 BASE-TX Ethernet ports
Cisco IOS Release 12.2(37)EY
Catalyst 2960-24TC-S
24 10/100BASE-T Ethernet ports and 2 dual-purpose ports (two 10/100/1000BASE-T copper ports and two SFP module slots)
Cisco IOS Release 12.2(37)EY
Catalyst 2960-48TC-S
48 10/100BASE-T Ethernet ports and 2 dual-purpose ports (two 10/100/1000BASE-T copper ports and two SFP module slots)
Cisco IOS Release 12.2(37)EY
Catalyst 2960PD-8TT-L
8 10/100 ports and 1 10/100/1000 port that receives power
Cisco IOS Release 12.2(44)SE
Catalyst 2960-8TC-L
8 10/100 Ethernet ports and 1 dual-purpose port (one 10/100/1000BASE-T copper port and one SFP module slot)
Cisco IOS Release 12.2(35)SE
Catalyst 2960G-8TC-L
7 10/100/1000 Ethernet ports and 1 dual-purpose port (one 10/100/1000BASE-T copper port and one SFP module slot)
Cisco IOS Release 12.2(35)SE
Catalyst 2960-24LT-L
24 10/100 ports, 8 of which are PoE, and 2 10/100/1000 ports
Cisco IOS Release 12.2(44)SE
Catalyst 2960-48TC-L
48 10/100BASE-TX Ethernet ports and 2 dual-purpose ports
Cisco IOS Release 12.2(25)FX
Catalyst 2960-24TC-L
24 10/100BASE-TX Ethernet ports and 2 dual-purpose ports
Cisco IOS Release 12.2(25)FX
Catalyst 2960-24PC-L
24 10/100 Power over Ethernet (PoE) ports and 2 dual-purpose ports (2 10/100/1000BASE-T copper ports and 2 small form-factor pluggable [SFP] module slots)
Cisco IOS Release 12.2(44)SE
Catalyst 2960-24TT-L
24 10/100BASE-T Ethernet ports and 2 10/100/1000BASE-T Ethernet ports
Cisco IOS Release 12.2(25)FX
Catalyst 2960-48TT-L
48 10/100BASE-T Ethernet ports 2 10/100/1000BASE-T Ethernet ports
Cisco IOS Release 12.2(25)FX
Catalyst 2960G-24TC-L
24 10/100/1000BASE-T Ethernet ports, including 4 dual-purpose ports (four 10/100/1000BASE-T copper ports and four SFP module slots)
Cisco IOS Release 12.2(25)FX
Catalyst 2960G-48TC-L
48 10/100/1000BASE-T Ethernet ports, including 4 dual-purpose ports (four 10/100/1000BASE-T copper ports and four SFP module slots)
Cisco IOS Release 12.2(25)SEE
Catalyst 2960S-48FPD-L1
48 10/100/1000 Power over Ethernet Plus (PoE+) ports (PoE budget of 740 W) and 2 SFP+2 module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-48LPD-L1
48 10/100/1000 PoE+ ports (PoE budget of 370 W) and 2 SFP+ module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-24PD-L1
24 10/100/1000 PoE+ ports (PoE budget of 370 W) and 2 SFP+ module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-48TD-L1
48 10/100/1000 ports and 2 SFP+ module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-24TD-L1
24 10/100/1000 ports and 2 SFP+ module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-48FPS-L1
48 10/100/1000 PoE+ ports (PoE budget of 740 W) and 4 SFP module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-48LPS-L1
48 10/100/1000 PoE+ ports (PoE budget of 370 W) and 4 SFP module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-24PS-L1
24 10/100/1000 PoE+ ports (PoE budget of 370 W) and 4 SFP module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-48TS-L1
48 10/100/1000 ports and 4 SFP module slots
Cisco IOS Release 12.2(53)SE1
Catalyst 2960S-24TS-L1
24 10/100/1000 ports and 4 SFP module slots
Cisco IOS Release 12.2(53)SE1
Table 4 Other Supported Hardware
SFP modules (Catalyst 3750 and 3560)
1000BASE-CWDM1 , -LX, SX, -T, -ZX
100BASE-FX MMF2
Support for eight additional DWDM SFP optical modules. For a complete list of supported SFPs and part numbers, see the data sheet:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/product_data_sheet0900aecd80371991.htmlCisco IOS Release 12.2(18)SE
Cisco IOS Release 12.2(20)SE
SFP modules (Catalyst 2960)
1000BASE-BX, -CWDM, -LX/LH, -SX, -ZX
100BASE-BX, FX, -LX
Cisco IOS Release 12.2(25)FX
XENPAK modules3
XENPAK-10-GB-ER, XENPAK-10-GB-LR, and XENPAK-10-GB-SR
Cisco IOS Release 12.2(18)SE
Redundant power systems
Cisco RPS 675 Redundant Power System
Cisco RPS 300 Redundant Power System (supported only on the Catalyst 2960 switch)
Cisco Redundant Power System 2300
Supported on all software releases
Supported on all software releases
Cisco IOS Release 12.2(35)SE and later
1 CWDM = coarse wavelength-division multiplexer
2 MMF = multimode fiber
3 XENPAK modules are only supported on the Catalyst 3750G-16TD switches.
Device Manager System Requirements
Hardware Requirements
Table 5 Minimum Hardware Requirements
233 MHz minimum1
512 MB2
256
1024 x 768
Small
1 We recommend 1 GHz.
2 We recommend 1 GB DRAM.
Software Requirements
•
•
The device manager verifies the browser version when starting a session and does not require a plug-in.
Cluster Compatibility
You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI) or the Network Assistant application.
When creating a switch cluster or adding a switch to a cluster, follow these guidelines:
•
•
•
For additional information about clustering, see Getting Started with Cisco Network Assistant and Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com), the software configuration guide, the command reference, and the Cisco EtherSwitch service module feature guide.
CNA Compatibility
Cisco IOS 12.2(50)SE and later is only compatible with Cisco Network Assistant (CNA) 5.0 and later. You can download Cisco Network Assistant from this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/NetworkAssistantFor more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.
Upgrading the Switch Software
•
•
•
•
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
Note
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file and the files needed for the embedded device manager. You must use the combined tar file to upgrade the switch through the device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 6 Cisco IOS Software Image Files
Filename
c3750-ipbasek9-tar.150-1.SE.tar
Catalyst 3750 IP base cryptographic image and device manager files. This image has the Kerberos, SSH1 , Layer 2+, and basic Layer 3 routing features. This image also runs on the Cisco EtherSwitch service modules.
c3750-ipservicesk9-tar.150-1.SE.tar
Catalyst 3750 IP services cryptographic image and device manager files. This image has the Kerberos, SSH, Layer 2+, and full Layer 3 features. This image also runs on the Cisco EtherSwitch service modules.
c3560-ipbasek9-tar.150-1.SE.tar
Catalyst 3560 IP base cryptographic image and device manager files. This image has the Kerberos, SSH, and Layer 2+, and basic Layer 3 routing features.
c3560-ipservicesk9-tar.150-1.SE.tar
Catalyst 3560 IP services cryptographic image and device manager files. This image has the Kerberos, SSH, Layer 2+, and full Layer 3 features.
c2960-lanbasek9-tar.150-1.SE.tar
Catalyst 2960 cryptographic image file and device manager files. This image has the Kerberos and SSH features.
c2960-lanlitek9-tar.150-1.SE.tar
Catalyst 2960 LAN lite cryptographic image file and device manager files.
c2960s-universalk9-tar.150-1.SE.tar
LAN Base and LAN Lite crypto image with device manager
1 SSH = Secure Shell.
Archiving Software Images
Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.
Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/
prod_bulletin0900aecd80281c0e.htmlYou can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.
Note
You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_t1.htmlUpgrading a Switch by Using the Device Manager or Network Assistant
You can upgrade switch software by using the device manager or Network Assistant. For detailed instructions, click Help.
Note
Upgrading a Switch by Using the CLI
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
To download software, follow these steps:
Step 1
Step 2
a.
http://www.cisco.com/cisco/web/download/index.html
b.
c.
d.
Download the image you identified in Step 1.
Caution
Step 3
For more information, see Appendix B in the software configuration guide for this release.
Step 4
Step 5
Switch# ping tftp-server-addressFor more information about assigning an IP address and default gateway to the switch, see the software configuration guide for this release.
Step 6
Switch# archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tarThe /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
The /allow-feature-upgrade option allows installation of an image with a different feature set (for example, upgrade from the IP base image to the IP services image).
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750-ipservices-tar.122-50.SE.tarYou can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
Recovering from a Software Failure
For recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.
Installation Notes
Use these methods to assign IP information to your switch:
•
•
•
•
New Software Features
•
See the "Documentation Updates" section.
•
See the "Documentation Updates" section.
•
For more information about Cisco TrustSec, see the "SGT Exchange Protocol over TCP (SXP)" chapter in the Cisco TrustSec Switch Configuration Guide at this URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/sxp_config.html•
•
For more information on Device Sensor, see the Device Sensor Guide at this URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/
device_sensor/guide/sensor_guide.htmlMinimum Cisco IOS Release for Major Features
Table 7 lists the minimum software release required to support the major features of the Catalyst 3750, 3560, 2960-S, and 2960 switches and the Cisco EtherSwitch service modules.
1 QoS = quality of service
2 SVIs = switched virtual interfaces
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
Cisco IOS Limitations
Unless otherwise noted, these limitations apply to the Catalyst 3750, and 3560, and 2960 switches and the Cisco EtherSwitch service modules:
•
•
•
•
•
Configuration
•
This problem occurs under these conditions:
–
–
–
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
•
The workaround is to upgrade to Cisco IOS Release 12.1(20)EA1. (CSCec35100)
•
These are the workarounds:
1.
2.
3.
•
The workaround is to configure the port for 10 Mb/s and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
•
–
–
–
No workaround is necessary; these are the designed behaviors. (CSCed50819)
•
However, when dynamic ARP inspection is not enabled and a jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)
•
When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which you entered the command.
There is no workaround. (CSCed95822)
•
The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)
•
There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)
•
To change the baud rate, reload the Cisco EtherSwitch service module with the bootloader prompt. You can then change the baud rate and change the speed on the TTY line of the router connected to the Cisco EtherSwitch Service module console.
There is no workaround. (CSCeh50152)
•
15:50:11: %COMMON_FIB-4-FIBNULLHWIDB: Missing hwidb for fibhwidb Port-channel1 (ifindex 1632) -Traceback= A585C B881B8 B891CC 2F4F70 5550E8 564EAC 851338 84AF0C 4CEB50 859DF4 A7BF28 A98260 882658 879A58(CSCsh12472 [Catalyst 3750 and 3560 switches])
•
The workaround is to configure aggressive UDLD. (CSCsh70244).
•
•
The workaround is to always enter a non zero value for the timeout value when you enter the boot host retry timeout timeout-value command. (CSCsk65142)
•
upand sometimes asdown, resulting in conflicts. This status depends on when you respond to the reboot query:
Would you like to enter the initial configuration dialog?–
down. This is the correct state.–
up) occurs if you respond to the query before VLAN 1 line status appears on the console.The workaround is to wait for approximately 1 minute after rebooting and until the VLAN 1 interface line status appears on the console before you respond to the query. (CSCsl02680) (Catalyst 3750 and 3560 switches)
•
–
–
The workaround is to connect the two ports with a straight-through cable. (CSCsr41271) (Catalyst 3750V2 and Catalyst 3560V2 PoE switches and Cisco Etherswitch service modules only)
•
The workaround is to use the session stack-member-number privileged EXEC command. (CSCsz38090)
•
The workaround is to disable authorization and accounting or to enter the configuration change for one interface at a time. (CSCsg80238, CSCti76748)
•
•
Ethernet
•
These are the workarounds:
–
–
–
For more information, enter CSCea77032 in the Bug Toolkit at this URL:
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl•
If the Cisco EtherSwitch service module is in access mode, the workaround is to enter the spanning-tree portfast interface configuration command on the internal Gigabit Ethernet interface. If the service module is in trunk mode, there is no workaround.
•
If this happens, uneven traffic distribution will happen on EtherChannel ports.
Changing the load balance distribution method or changing the number of ports in the EtherChannel can resolve this problem. Use any of these workarounds to improve EtherChannel load balancing:
–
–
–
–
For example, with load balance configured as dst-ip with 150 distinct incrementing destination IP addresses, and the number of ports in the EtherChannel set to either 2, 4, or 8, load distribution is optimal.(CSCeh81991)
EtherSwitch Modules
•
There is no workaround. (CSCeh35595)
Fallback Bridging
•
The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)
•
The workaround is to disable fallback bridging or to disable port security on all ports in all VLANs participating in fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. To disable port security on all ports in all VLANs participating in fallback bridging, use the no switchport port-security interface configuration command. (CSCdz80499)
HSRP
•
The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, see the "Configuring STP" chapter in the software configuration guide. (CSCec76893)
IP
•
The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)
•
The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)
IP Telephony
•
No workaround is necessary. (CSCea85312)
•
The workaround for networks with pre-standard powered devices is to leave the maximum wattage set at the default value (15.4 W). You can also configure the maximum wattage for the port for no less than the value the powered device reports as the power consumption through CDP messages. For networks with IEEE Class 0, 3, or 4 devices, do not configure the maximum wattage for the port at less than the default 15.4 W (15,400 milliwatts). (CSCee80668)
•
The workaround is to enter the power inline never interface configuration command on all the Fast Ethernet ports that are not powered by but are connected to IP phones if the problem persists. (CSCef84975, Cisco EtherSwitch service modules only)
•
The workaround is to power the access point by using an AC wall adaptor. (CSCin69533)
•
The workaround is to enable PoE and to configure the switch to recover from the PoE error-disabled state. (CSCsf32300)
MAC Addressing
•
Management
CiscoWorks is not supported on the Catalyst 3750-24FS switch.
Multicasting
•
•
There is no workaround for this problem because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member of the group in at least one VLAN, this problem occurs for the non-RPF traffic. (CSCdu25219)
•
The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)
•
There is no workaround. (CSCdy82818)
•
The workaround is to not apply a router ACL set to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)
•
There is no workaround. (CSCea71255)
•
Multicast is not supported on tunnel interfaceserror message. IP PIM is not supported on tunnel interfaces.There is no workaround. (CSCeb75366)
•
–
–
There is no workaround. (CSCec20128)
•
The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.
There is no workaround. (CSCee16865)
•
–
–
The workaround is to enter the clear ip mroute privileged EXEC command on the interface. (CSCef42436)
After you configure a switch to join a multicast group by entering the ip igmp join-group group-address interface configuration command, the switch does not receive join packets from the client, and the switch port connected to the client is removed from the IGMP snooping forwarding table.
Use one of these workarounds:
–
–
Power
•
There is no workaround. You should use the power inline never interface configuration command on Cisco EtherSwitch service module ports that are not connected to PoE devices. (CSCee71979)
•
To display the total power used by a specific EtherSwitch service module, enter the show power inline command on the router. This output appears:
Router# show power inlinePowerSupply SlotNum. Maximum Allocated Status----------- -------- ------- --------- ------INT-PS 0 360.000 121.000 PS1 GOOD PS2 ABSENTInterface Config Device Powered PowerAllocated--------- ------ ------ ------- --------------Gi4/0 auto Unknown On 121.000 WattsThis is not a problem because the display correctly shows the total used power and the remaining power available on the system. (CSCeg74337)
•
The workaround is to enter the shutdown and the no shutdown interface configuration commands on the Fast Ethernet interface of a new IP phone that is attached to the service module port after the internal link is brought up. (CSCeh45465)
QoS
•
The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)
•
•
01:01:32: %BIT-4-OUTOFRANGE: bit 1321 is not in the expected range of 0 to 1024There is no impact to switch functionality.
There is no workaround. (CSCtg32101)
RADIUS
•
There is no workaround. (CSCta05071)
Routing
•
•
There is no workaround. (CSCea52915)
•
%SYS-2-MALLOCFAIL: Memory allocation of 4252 bytes failed from 0x179C80, alignment 0Pool: I/O Free: 77124 Cause: Memory fragmentationAlternate Pool: None Free: 0 Cause: No Alternate poolThis error message means there is a temporary memory shortage that normally recovers by itself. You can verify that the switch stack has recovered by entering the show cef line user EXEC command and verifying that the line card states are
upandsync.No workaround is required because the problem is self-correcting. (CSCea71611)
•
–
–
–
The workaround is to change any one of the listed conditions. (CSCed53633)
Smart Install
•
The workaround is to use an on-demand upgrade to upgrade switches in a stack by entering the vstack download config and vstack download image commands. (CSCta64962)
•
When you upgrade the director to Cisco IOS Release 12.2(55)SE, the workaround is to also modify the configuration to include all built-in, custom, and default groups. You should also configure the tar image name instead of the image-list file name in the stored images. (CSCte07949)
•
The workaround is to use the TFTP utility of another server instead of a Windows server or to manually delete the existing backup file before backing up again. (CSCte53737)
•
Use one of these workarounds:
–
–
•
The workaround, if you need to configure a switch in a stack with the backup configuration, is to use the vstack download config privileged EXEC command so that the director performs an on-demand upgrade on the client.
–
–
•
There is no workaround. (CSCtg98656)
•
–
–
There is no workaround. (CSCth35152)
SPAN and RSPAN
•
This is a hardware limitation and only applies to Cisco EtherSwitch service modules (CSCdy72835):
•
This is a hardware limitation and only applies to Cisco EtherSwitch service modules (CSCdy81521):
•
This is a hardware limitation and only applies to Cisco EtherSwitch service modules (CSCea72326):
•
Decreased egress SPAN rate. In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If fallback bridging and multicast routing are disabled, egress SPAN is not degraded.There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)
•
There is no workaround. (CSCeb23352)
•
Spanning Tree Protocol
•
When a switch or switch stack running Multiple Spanning Tree (MST) is connected to a switch running Rapid Spanning Tree Protocol (RSTP), the MST switch acts as the root bridge and runs per-VLAN spanning tree (PVST) simulation mode on boundary ports connected to the RST switch. If the allowed VLAN on all trunk ports connecting these switches is changed to a VLAN other than VLAN 1 and the root port of the RSTP switch is shut down and then enabled, the boundary ports connected to the root port move immediately to the forward state without going through the PVST+ slow transition.
There is no workaround.
Stacking (Catalyst 3750 or Cisco EtherSwitch service module switch stack only)
•
•
There is no workaround. (CSCec36644)
•
There is no workaround. (CSCed00328)
•
The workaround is to save the stack configuration before removing or replacing any switch in the stack. (CSCed15939)
•
There is no workaround. (CSCed54150)
•
IP-3-STCKYARPOVRappears on the consoles of other default IP gateways. Because sticky ARP is not disabled, the MAC address update caused by the stack master re-election cannot complete.The workaround is to complete the MAC address update by entering the clear arp privileged EXEC command. (CSCed62409)
•
There is no workaround. (CSCed70894)
•
Private VLAN is enabled or disabled on a switch stack, depending on whether or not the stack master is running the IP services image or the IP base image:
–
–
This occurs after a stack master re-election when the previous stack master was running the IP services image and the new stack master is running the IP base image. The stack members are configured with private VLAN, but any new switch that joins the stack will have private VLAN disabled.
These are the workarounds. Only one of these is necessary:
–
–
•
This is the expected behavior of the offline configuration (provisioning) feature. There is no workaround. (CSCee12431)
•
These are the workarounds:
–
–
•
The workaround is to copy the bootable image to the parent directory or first directory. (CSCei69329)
•
The workaround is to assign a lower path cost to the forwarding port. (CSCsd95246)
•
This can but does not always occur during link flaps and does not last for more than a few milliseconds. This problem can happen for cross-stack EtherChannels with the mode set to ON or LACP.
There is no workaround. No manual intervention is needed. The problem corrects itself within a short interval after the link flap as all the switches in the stack synchronize with the new load-balance configuration. (CSCse75508)
•
The workaround is to reboot the new member switch. Use the remote command all show run privileged EXEC command to compare the running configurations of the stack members. (CSCsf31301)
•
–
–
–
You can use one of these workarounds:
–
–
•
The workaround is to check the flash. If it contains many files, remove the unnecessary ones. Check the lost and found directory in flash and if there are many files, delete them. To check the number of files use the fsck flash: command. (CSCsi69447)
•
1. You configure a Layer 2 protocol tunnel port on the master switch.
2. You configure a Layer 2 protocol tunnel port on the member switch.
3. You add the port channel to the Layer 2 protocol tunnel port on the master switch.
4. You add the port channel to the Layer 2 protocol tunnel port on the member switch.
After this sequence of steps, the member port might stay suspended.
The workaround is to configure the port on the member switch as a Layer 2 protocol tunnel and at the same time also as a port channel. For example:
Switch(config)# interface fastethernet1/0/11Switch(config-if)# l2protocol-tunnel cdpSwitch(config-if)# channel-group 1 mode on (CSCsk96058) (Catalyst 3750 switches)•
The workaround is to enter a shutdown interface configuration command followed by a no shutdown command on the port in the blocked state. (CSCsl64124)
•
The workaround it to enter a shutdown and then a no shutdown interface configuration command on the interface. (CSCsx70643) (Catalyst 3750 switch)
•
There is no workaround.(CSCth00938) (Catalyst 3750 and 2960-S switches)
Trunking
•
There is no workaround. (CSCdz33708)
•
There is no workaround. (CSCdz42909).
•
There is no workaround. (CSCea40988)
•
There is no workaround. (CSCec35100).
VLAN
•
The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
•
There is no workaround. (CSCed71422)
•
The workaround is to define another policy-map name for the second-level policy-map with the same configuration to be used for another policy-map. (CSCef47377)
•
The workaround is to configure the burst interval to more than 1 second. (CSCse06827, Catalyst 3750 switches only)
•
The workaround is to enter the switchport access vlan dynamic interface configuration command separately on each port. (CSCsi26392)
•
The workaround is to remove unnecessary VLANs to reduce CPU utilization when many links are flapping. (CSCtl04815)
Device Manager Limitations
•
The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)
Important Notes
•
•
Switch Stack Notes
•
•
•
Catalyst 2960-S Control Plane Protection
Catalyst 2960-S switches internally support up to 16 different control plane queues. Each queue is dedicated to handling specific protocol packets and is assigned a priority level. For example, STP, routed, and logged packets are sent to three different control plane queues, which are prioritized in corresponding order, with STP having the highest priority. Each queue is allocated a certain amount of processing time based on its priority. The processing-time ratio between low-level functions and high-level functions is allocated as 1-to-2. Therefore, the control plane logic dynamically adjusts the CPU utilization to handle high-level management functions as well as punted traffic (up to the maximum CPU processing capacity). Basic control plane functions, such as the CLI, are not overwhelmed by functions such logging or forwarding of packets.
Cisco IOS Notes
•
00:02:57: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.206:1645,1646 is not responding.If this message appears, check that there is network connectivity between the switch and the ACS. You should also check that the switch has been properly configured as an AAA client on the ACS
•
AutoQoS Error: ciscophone input service policy was not properly appliedpolicy map AutoQoS-Police-CiscoPhone not configuredIf this happens, enter the no auto qos voip cisco-phone interface command on all interface with this configuration to delete it. Then enter the auto qos voip cisco-phone command on each of these interfaces to reapply the configuration.
Device Manager Notes
•
•
•
•
•
From Microsoft Internet Explorer:
1.
2.
3.
4.
5.
•
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.
If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.
•
Open Caveats
Unless otherwise noted, these caveats apply to the Catalyst 3750, 3560, 2960-S, and 2960 switches and to Cisco EtherSwitch service modules:
•
Cisco Network Assistant displays the LED ports with a light blue color for all switches in a stack that have the Catalyst 3750G-48PS switch as part of the stack.
There is no workaround.
•
Mediatrace does not report statistics on the initiator under these conditions:
–
–
The workaround is to ensure that the mediatrace ingress and egress connections are on the stack master or to configure a Catalyst 3750-E or 3750-X as the stack master and then reload the switch stack.
•
Unicast EIGRP packets destined for the switch are sent to the host queue instead of to the higher priority routing protocol queue.
Note
There is no workaround.
•
The Ethernet management port on the Catalyst 2960-S switch might not behave normally if the port is set to 100 Mb/s and full duplex.
The workaround is to set the Ethernet management port and the device to which it is connected to auto speed and auto duplex.
•
On a switch stack, when an IP phone connected to a member switch has its MAC address authorized using the critical voice VLAN feature, if a master changeover occurs, the voice traffic is dropped. Drop entries for the IP phone appear in the MAC address table management (MATM) table. This occurs because the switch initially drops the voice traffic before reauthenticating critical voice VLAN traffic. The dropped entries are removed when critical voice VLAN authentication occurs.
There is no workaround. The dropped entries are removed when the IP phone is reauthenticated.
•
Port security violations might be ignored when Auto Smartports is enabled and a Smartport macro is applied to a secure port. This behavior occurs because IOS sensor (part of Auto Smartports) sets the host mode to multiple-authentication (multi-host mode) and enables 802.1x in the host access table. In multi-host mode, if the same MAC address in the same VLAN is seen on another port, then it is not allowed. Therefore the packet does not reach port-security module to create the violation.
The workaround is to enter the no macro auto monitor global configuration command to globally disable the IOS sensor (Auto Smartports) feature.
•
When an IP phone is authenticated on a switch port that is running Multidomain authentication (MDA) in the voice VLAN, the switch might experience high CPU usage after continued attempts to re-authenticate a phone that does not have a valid password configuration. Re-authentication can be triggered by:
–
–
The workaround to clear the problem:
–
–
–
To prevent the situation:
–
–
•
The image archive download process does not work if there is an update directory in flash memory, which occurs if a previous download was interrupted or failed.
The workaround is to delete the update directory from the flash memory before executing the archive download-sw privileged EXEC command.
•
When TCP packets in the same VLAN are sent from one switch to another, ACL deny logs appear, even though the ACL is applied on the switch virtual interface (SVI).
The workaround, to stop the messages, is to configure IP unreachables by entering the ip unreachables interface configuration command on the SVI or routed port.
•
ASP now uses a device classifier, which determines the type of device that is connected to the switch. As a result, ASP has no control over the protocol type that is used to detect the device. Therefore, the protocol detection controls are deprecated. When you enter the macro auto global control detection command, the protocol does not show up in the running configuration; however, the filter-spec command is shown in the output.
There is no workaround. To see the deprecated commands, enter the show running config deprecated global and interface configuration command.
•
When the dot1x default interface configuration command is entered, access control for hosts is disabled and the values for the following commands are reset to their default values: authentication host-mode, authentication timer reauthenticate, and authentication port-control.
The workaround is to avoid using the dot1x default command and reset the 802.1x port parameters individually. Another workaround is to enter the dot1x default command, and then reconfigure the incorrectly changed values.
•
This problem occurs when the Enterprise Policy Manager (EPM) for a device connected to an interface is authorized in closed mode and no policies are configured or downloaded. If no port ACL is configured, the auth-default access control list (ACL) is applied to the switch. If another device is connected to this device, restricted VLAN (authentication event interface configuration command) is enabled on the port. The Application Control Engine (ACE) is not configured to permit traffic originating from the connected device, and IP packets are dropped.
The workaround is to configure a port ACL to allow IP traffic for the specific IP range for the connected devices on the interface.
•
This problem occurs when a supplicant device is connected to a switch through a main device, and the interface is enabled with authentication, port security and IP source guard (IPSG). The main and supplicant devices are configured with sticky MAC addresses. In this case, if the port is shut down, traffic originating from the supplicant is dropped.
The workaround is to disable port security on the port.
Resolved Caveats
•
•
•
Caveats Resolved in Cisco IOS Release 15.0(1)SE3
•
A router running as a Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) halts with DHCP-related errors. This problem occurs when DHCP is enabled and sessions receive DHCP information from a RADIUS server.
There is no workaround.
•
When the switch starts, multiple instances of this error message appear on the console:
Yeti2S88gMdioWr:Unknown status for write operation
The workaround is to restart the switch.
•
The switch might occasionally reload after experiencing a CPU overload, regardless of what process is overloading the CPU.
There is no workaround.
•
When authentication is enabled on an open port (for example, when moving from no authentication to authentication port-control auto), Address Resolution Protocol (ARP) and DHCP traffic is dropped.
The workaround is to use the shutdown configuration interface command to disable the port and then use the no shutdown configuration interface command to enable the port. You also can use the clear mac-address-table command to clear the MAC address table.
•
After reloading the switch, Switched Port Analyzer (SPAN) traffic does not arrive at the SPAN destination port.
The workaround is to delete the SPAN configuration and reapply it.
•
On a virtual routing and forwarding (VRF) interface, IP multicast traffic is not forwarded after using the clear ip mroute vrf command.
There is no workaround.
•
When a power supply fails or loses power, the redundant power supply (RPS) (750 W or 1150 W) does not provide Power over Ethernet (PoE) for the powered devices.
There is no workaround.
•
After a rolling stack upgrade, Address Resolution Protocol (ARP) entries are in the INCOMPLETE state.
There is no workaround.
•
After resetting a four-member stacked switch that includes a four-port Gigabit Ethernet network module, Gigabit Ethernet ports do not work.
There is no workaround.
•
The switch halts on start up if power was lost during a previous front-end microcode update.
There is no workaround.
•
Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a single DHCP packet to or through an affected device, causing the device to reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcp
Caveats Resolved in Cisco IOS Release 15.0(1)SE1
•
CPU usage in the switch is high when you configure an EtherChannel and add new domain members or EnergyWise-capable endpoints with a different EnergyWise domain to an existing domain.
The workaround is to disable the port channel where the high CPU usage is seen.
•
If you combine two switches in a FlexStack configuration and set the password for the master switch, the change is not reflected in the show run command after you log out of the switch and log in again.
There is no workaround.
•
A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
•
When the ipc_check_qtime_process() processes a message from the Inter-Process Communication (IPC) message table, it might be interrupted by the acknowledgement for that message. In this situation, the message becomes invalid because the interrupt handler returns that message to the message cache, and the switch crashes because it still attempts to access that message.
There is no workaround.
•
The Secure Shell (SSH) server implementation in Cisco IOS Software and Cisco IOS XE Software contains a denial of service (DoS) vulnerability in the SSH version 2 (SSHv2) feature. An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username. Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition.
The SSH server in Cisco IOS Software and Cisco IOS XE Software is an optional service, but its use is highly recommended as a security best practice for the management of Cisco IOS devices. Devices that are not configured to accept SSHv2 connections are not affected by this vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ssh
•
When you configure a web authentication profile with an access control list (ACL) policy on a switch, and also configure port ACL, the port ACL is applied to a host when it falls back to the web ACL.
There is no workaround. To retain the functionality, you can downgrade to Cisco IOS Release 12.2(55)SE.
•
When you enable Dynamic Host Configuration Protocol (DHCP) snooping, the incoming traffic exhausts the I/O memory and the switch crashes.
The workaround is to disable DHCP snooping.
•
A vulnerability exists in the Cisco IOS Software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.
Products that are not running Cisco IOS Software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai
•
When a client connection to the web server fails, with each subsequent attempt the HTTP proxy server process is stuck and a new HTTP proxy server is created. To see these processes, enter the show processes command. When the number of processes reach the limit specified in the ip admission http proxy interface configuration command, all subsequent web authentications fail.
The workaround is to reload the switch.
•
A Catalyst 2960 with 64Mb of DRAM might display low memory on the console after you upgrade the switch to 12.2(58)SE or later.
The workaround is to limit the memory that is used by different features on the switch if this release is required. You can reduce memory usage by minimizing the number of trunk ports and VLANs in use on the switch.
•
During local web authentication, the switch crashes and reboots if the user enters his or her credentials and logs in instantly.
The workaround is to enter the user credentials and log in after a pause of 4-5 seconds.
•
Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20120328-smartinstall•
The router reloads unexpectedly. This issue is seen when you log in to the router using SSH.
The workaround is to log in to the router using Telnet.
•
The switch crashes when users are redirected using central web authentication.
The workaround is to disable central web authentication.
Caveats Resolved in Cisco IOS Release 15.0(1)SE
•
The output from the show sd
m prefer lanbase-routing privileged EXEC command shows some incorrect values. The corrected values are:
number of IPv4 unicast routes: 4.25K should be: 0.75Knumber of directly-connected IPv4 hosts: 4K should be: 0.75Knumber of indirect IPv4 routes: 0.256 should be 16There is no workaround.
•
On a switch running Protocol-Independent Multicast (PIM) and Source Specific Multicast (SSM), multicast traffic might not be sent to the correct port after the switch reloads.
The workaround is to enter the clear ip route privileged EXEC command or reconfigure PIM and SSM after a reload.
•
Neighbor discovery fails for IPv6 hosts connected to the switch when the IPv6 MLD snooping feature is enabled globally on the switch.
The workaround is to disable IPv6 MLD snooping on the switch.
•
When a switch is using a DHCP server to assign IP addresses and an interface on the switch has RIP enabled, if the switch reloads, the interface loses some RIP configuration (specifically RIP authentication mode and RIP authentication key-chain). This does not happen when the IP address is statically configured on the interface. The problem occurs only when you configure RIP before an IP address is assigned by the DHCP server.
There is no workaround, but you can use an embedded event manager (EEM) script to add the interface configuration commands on the interface:
ip rip authentication mode
ip rip key-chain
•
A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml.
•
When you configure a port to be in a dynamic VLAN by entering the switchport access vlan dynamic interface configuration command on it, the switch might reload when it processes ARP requests on the port.
The workaround is to configure static VLANs for these ports.
•
The switch might reload when you insert a USB flash device (also known as a thumb drive or a USB key) into the switch USB Type A port.
The workaround is to not insert a USB flash device into the USB Type A port.
Documentation Updates
•
•
•
•
•
•
•
Updates to the Catalyst 3750, 3560, and 2960 and 2960-S Software Configuration Guides
Information Added to the "Administering the Switch" Chapter
In the "Administering the Switch" chapter, this information was added to the "NTP Version 4"section:
You can disable NTP packets from being received on routed ports and VLAN interfaces. You cannot disable NTP packets from being received on access ports. For details, see the "Disabling NTPv4 Services on a Specific Interface" section of the "Implementing NTPv4 in IPv6" chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T.
Correction to the "Clustering Switches" Chapter
In the "Candidate Switch and Cluster Member Switch Characteristics" section of the "Clustering Switches" chapter, the requirements should include:
•
Correction to the "Configuring Network Security with ACLs" Chapter
The "Creating a Numbered Extended ACL" section of the "Configuring Network Security with ACLs" chapter has an error. Contrary to the note in this section, ICMP echo-replies can be filtered.
Correction to the "Managing Switch Stacks" Chapter
The "Master Election" section of the "Managing Switch Stacks" chapter in the Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 12.2(58)SE has an error. The fourth factor (highest uptime) is not considered by the Catalyst 2960-S switches.
Correction to the "Unsupported Commands" Chapter
The "Miscellaneous" section of the "Unsupported Commands" chapter should include the logging discriminator global configuration command.
Information Added to the "Configuring IEEE 802.1x Port-Based Authentication" Chapter
Configuring Critical Voice VLAN
When an IP phone connected to a port is authenticated by the access control server (ACS), the phone is put into the voice domain. If the ACS is not reachable, the switch cannot determine if the device is a voice device. If the server is unavailable, the phone cannot access the voice network and therefore cannot operate.
For data traffic, you can configure inaccessible authentication bypass, or critical authentication, to allow traffic to pass through on the native VLAN when the server is not available. If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access to the network and puts the port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN. When the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated, the switch connects those hosts to critical ports. A new host trying to connect to the critical port is moved to a user-specified access VLAN, the critical VLAN, and granted limited authentication.
With this release, you can enter the authentication event server dead action authorize voice interface configuration command to configure the critical voice VLAN feature. When the ACS does not respond, the port goes into critical authentication mode. When traffic coming from the host is tagged with the voice VLAN, the connected device (the phone) is put in the configured voice VLAN for the port. The IP phones learn the voice VLAN identification through CDP (Cisco devices) or through LLDP or DHCP.
You can configure the voice VLAN for a port by entering the switchport voice vlan vlan-id interface configuration command.
This feature is supported in multidomain and multi-auth host modes. Although you can enter the command when the switch in single-host or multi-host mode, the command has no effect unless the device changes to multidomain or multi-auth host mode.
Beginning in privileged EXEC mode, follow these steps to configure critical voice VLAN on a port and enable the inaccessible authentication bypass feature.
This example shows how to configure the inaccessible authentication bypass feature and configure the critical voice VLAN:
Switch(config)# radius-server dead-criteria time 30 tries 20Switch(config)# radius-server deadtime 60Switch(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234Switch(config)# interface gigabitethernet 1/0/1Switch(config)# radius-server deadtime 60Switch(config-if)# authentication event server dead action reinitialicze vlan 20Switch(config-if)# switchport voice vlanSwitch(config-if)# authentication event server dead action authorize voiceSwitch(config-if)# endNetwork Edge Access Topology (NEAT) Enhancement
NEAT can control traffic exiting the supplicant switch port during the authentication period. When you connect a supplicant switch to an authenticator switch that has BPDU guard enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient global configuration command opens the supplicant port during the authentication period. This is the default behavior.
We strongly recommend using the dot1x supplicant controlled transient command on a supplicant switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable cinterface configuration command.
Note
Update to the Catalyst 3750 Software Configuration Guide
In the "Managing Switch Stacks" chapter, this information is added.
In a mixed stack that has Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches, we recommend that a Catalyst 3750-X switch be the master and that all stack members run Cisco IOS Release 12.2(53)SE2 or later. The Catalyst 3750 image is on the Catalyst 3750-X and 3750-E switches to simplify switch management.
To upgrade the stack, use the archive download-sw privileged EXEC command to download images to the master. For example, use the archive download-sw /directory tftp://10.1.1.10/ c3750-ipservicesk9-tar.122-55.SE1.tar c3750e-universalk9-tar.122-55.SE1.tar command to specify a directory, following the command with the list of tar files to download for the members.
•
•
You can display the file list that is in the flash memory:
Switch# dir flash: c3750e-universalk9-tar.122-55.SE1Directory of flash:/c3750e-universalk9-tar.122-55.SE1/5 -rwx 14313645 Mar 1 1993 00:13:55 +00:00 C3750e-universalk9-tar.122-55.SE1.tar6 drwx 5632 Mar 1 1993 00:15:22 +00:00 html443 -rwx 444 Mar 1 1993 00:15:58 +00:00 info444 -rwx 14643200 Mar 1 1993 00:04:32 +00:00 c3750-ipservicesk9-tar.122-55.SE1.tarUpdate to the Catalyst 3750 and 2960-S Software Configuration Guide
In the "Displaying the Spanning-Tree Status" section of the "Configuring STP" chapter, this note should appear:
Note
Updates to the Catalyst 2960 and 2960-S Software Configuration Guide
Correction to the "Configuring SDM Templates" Chapter
In the "Configuring SDM Templates" chapter, the LAN base routing template has incorrect values. The corrected values are:
number of IPv4 unicast routes: 4.25K should be: 0.75Knumber of directly-connected IPv4 hosts: 4K should be: 0.75Knumber of indirect IPv4 routes: 0.256 should be 16Correction: the "Configuring IPv6 ACLs" Chapter
The "Configuring IPv6 ACLs" chapter was omitted in error from the Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 12.2(58)SE. You can find the missing information in the "Configuring IPv6 ACLs" chapter in the Catalyst 3750 Switch Software Configuration Guide, Release 12.2(58)SE.
Updates to the Catalyst 3750, 3560, and 2960 and 2960-S Command References
These commands have been revised or added:
•
authentication event
To set the actions for specific authentication events on the port, use the authentication event interface configuration command. To return to the default settings, use the no form of the command.
authentication event {fail [retry retry count] action {authorize vlan vlan-id | next-method}} | {no-response action authorize vlan vlan-id} | {server {alive action reinitialize} | {dead action {authorize {vlan vlan-id | voice} | reinitialize vlan vlan-id}}
no authentication event {[fail | no-response | {server {alive} | {dead [action {authorize {vlan vlan-id | voice} | reinitialize vlan}] }
Syntax Descriptionno authentication event {fail [action[authorize vlan vlan-id | next-method] {| retry {retry count}]} {no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
Defaults
No event responses are configured on the port.
Command Modes
Interface configuration
Command History
12.2(53)SE2
This command was introduced.
15.0(1)SE
The voice keyword was added.
Usage Guidelines
Use this command with the fail, no-response, or event keywords to configure the switch response for a specific action.
For authentication-fail events:
•
–
–
The restricted VLAN is supported only in single host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
•
Enable re-authentication with restricted VLANs. If re-authentication is disabled, the ports in the restricted VLANs do not receive re-authentication requests.
To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
–
–
When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
For no-response events:
•
•
•
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk ports.
•
–
–
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
For server-dead events:
•
•
•
You can verify your settings by entering the show authentication privileged EXEC command.
Examples
This example shows how to configure the authentication event fail command:
Switch(config-if)# authentication event fail action authorize vlan 20This example shows how to configure a no-response action:
Switch(config-if)# authentication event no-response action authorize vlan 10This example shows how to configure a server-response action:
Switch(config-if)# authentication event server alive action reinitializeThis example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multi-auth) mode or if the voice domain of the port is in MDA mode:
Switch(config-if)# authentication event server dead action authorize vlan 10This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable and if the traffic from the host is tagged with the voice VLAN to put the host in the configured voice VLAN on the port. Use this command for ports in multiple-host or multiauth mode:
Switch(config-if)# authentication event server dead action reinitialize vlan 10Switch(config-if)# authentication event server dead action authorize voiceRelated Commands
dot1x supplicant controlled transient
To control access to an 802.1x supplicant port during authentication, use the dot1x supplicant controlled transient command in global configuration mode. To open the supplicant port during authentication, use the no form of this command
dot1x supplicant controlled transient
no dot1x supplicant controlled transient
Syntax Description
This command has no arguments or keywords.
Defaults
Access is allowed to 802.1x supplicant ports during authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
In the default state, when you connect a supplicant switch to an authenticator switch that has BPCU guard enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient global configuration command opens the supplicant port during the authentication period. This is the default behavior.
We strongly recommend using the dot1x supplicant controlled transient command on a supplicant switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable cinterface onfiguration command.
Note
Examples
This example shows how to control access to 802.1x supplicant ports on a switch during authentication:
Switch(config)# dot1x supplicant controlled transientRelated Commands
Updates to the System Message Guides
New System Messages
Error Message IP-3-SBINIT: Error initializing [chars] subblock data structure. [chars]Explanation The subblock data structure was not initialized. [chars] is the structure identifier.
Recommended Action No action is required.
Error Message VLMAPLOG-6-ARP: vlan [dec] (port [chars]) denied arp ip [inet] -> [inet], [dec] packet[chars]Explanation A packet from the virtual LAN (VLAN) that matches the VLAN access-map (VLMAP) log criteria was detected. The first [dec] is the VLAN number, the first [chars] is the port name, the first [inet] is the source IP address, the second [inet] is the destination IP address, the second [dec] denotes the number of packets, and the second [chars] represents the letter "s" to indicate more than one packet.
Recommended Action No action is required.
Error Message VLMAPLOG-6-L4: vlan [dec] (port [chars]) denied [chars] [inet]([dec]) -> [inet]([dec]), [dec] packet[chars]Explanation A packet from the VLAN that matches the VLMAP log criteria was detected. The first [dec] is the VLAN number, the first [chars] is the port name, the second [chars] is the protocol, the first [inet] is the source IP address, the second [dec] is the source port, the second [inet] is the destination IP address, the third [dec] is the destination port, the fourth [dec] denotes the number of packets, and the third [chars] represents the letter "s" to indicate more than one packet.
Recommended Action No action is required.
Error Message VLMAPLOG-6-IGMP: vlan [dec] (port [chars]) denied igmp [inet] -> [inet] ([dec]), [dec] packet[chars]Explanation A packet from the VLAN that matches the VLMAP log criteria was detected. The first [dec] is the VLAN number, the first [chars] is the port name, the first [inet] is the source IP address, the second [inet] is the destination IP address, the second [dec] is the Internet Group Management Protocol (IGMP) message type, the third [dec] denotes the number of packets, and the second [chars] represents the letter "s" to indicate more than one packet.
Recommended Action No action is required.
Error Message VLMAPLOG-6-ICMP: vlan [dec] (port [chars]) denied icmp [inet] -> [inet] ([dec]/[dec]), [dec] packet[chars]Explanation A packet from the VLAN that matches the VLMAP log criteria was detected. The first [dec] is the VLAN number, the first [chars] is the port name, the first [inet] is the source IP address, the second [inet] is the destination IP address, the second [dec] is the Internet Control Message Protocol (ICMP) message type, the third [dec] is the ICMP message code, the fourth [dec] denotes the number of packets, and the second [chars] represents the letter "s" to indicate more than one packet.
Recommended Action No action is required.
Error Message VLMAPLOG-6-IP: vlan [dec] (port [chars]) denied ip protocol=[dec] [inet] -> [inet], [dec] packet[chars]Explanation A packet from the VLAN that matches the VLMAP log criteria was detected. The first [dec] is the VLAN number, the first [chars] is the port name, the second [dec] is the protocol number, the first [inet] is the source IP address, the second [inet] is the destination IP address, the third [dec] denotes the number of packets, and the second [chars] represents the letter "s" to indicate more than one packet.
Recommended Action No action is required.
Error Message HARDWARE-2-PSU_THERMAL_WARNING: PSU [chars] temperature has reached warning thresholdExplanation The switch power supply unit (PSU) temperature sensor value has reached the warning level. The external temperature is high. [chars] is the power supply.
Recommended Action Reduce the temperature in the room. (The switch functions normally until the temperature reaches the critical level.)
Error Message HARDWARE-1-PSU_THERMAL_CRITICAL: PSU [chars] temperature has reached critical thresholdExplanation The switch PSU temperature sensor value has reached the critical level, and the switch cannot function normally. The external temperature is very high. [chars] is the power supply.
Recommended Action Immediately reduce the room temperature.
Error Message HARDWARE-5-PSU_THERMAL_NORMAL: PSU [chars] Temperature is within the acceptable limitExplanation The switch PSU temperature sensor value is within normal limits. [chars] is the power supply.
Recommended Action No action is required.
Error Message HARDWARE-2-THERMAL_WARNING: Temperature has reached warning thresholdExplanation The switch temperature sensor value has reached the warning level. The external temperature is high.
Recommended Action Reduce the room temperature. (The switch functions normally until the temperature reaches the critical level.)
Error Message AUTHMGR-7-STOPPING: Stopping '[chars]' for client [enet] on Interface [chars] AuditSessionID [chars]Explanation The authentication process has been stopped. The first [chars] is the authentication method, [enet] is the Ethernet address of the host, the second [chars] is the interface for the host, and the third [chars] is the session ID.
Recommended Action No action is required.
Error Message AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client ([chars]) on Interface [chars] AuditSessionID [chars]Explanation All available authentication methods have been tried. The first [chars] is the client identifier, the second [chars]s is the interface for the client, and the third [chars] is the session ID.
Recommended Action No action is required.
Modified System Messages
Error Message AUTHMGR-5-MACMOVE: MAC address ([enet]) moved from Interface [chars] to Interface [chars]Explanation The client moved to a new interface but did not log off from the first interface. [enet] is the MAC address of the client, the first [chars] is the earlier interface, and the second [chars] is the newer interface.
Recommended Action No action is required.
Error Message AUTHMGR-5-MACREPLACE: MAC address ([enet]) on Interface [chars] is replaced by MAC ([enet])Explanation A new client has triggered a violation that caused an existing client to be replaced. The first [enet] is the first client, [chars] is the interface, the second [enet] is the new client.
Recommended Action No action is required.
Error Message EOU-6-IDENTITY_MATCH: IP=[inet]| PROFILE=EAPoUDP| POLICYNAME=[chars]| AUDITSESSID=[chars]Explanation The router has found the specifed host under the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile. [inet] is the host IP address, the first [chars] is the enforced policy, and the second [chars] is the session ID.
Recommended Action If you do not want the host to be exempt from authentication, remove its entry from the EAPoUDP identity profile.
Error Message EOU-5-RESPONSE_FAILS: Received an EAP failure response from AAA for host=[inet]| AUDITSESSID=[chars]Explanation The router received an EAP failure response from authentication, authorization, and accounting (AAA). The host credentials were not validated. [inet] is the host, and [chars] is the session ID.
Recommended Action Check for causes of unsuccessful AAA validation of host credentials.
Error Message EOU-6-SESSION: IP=[inet]| HOST=[chars]| Interface=[chars]| AUDITSESSID=[chars]Explanation An entry for the host was created or deleted on the specified interface. [inet] is the host IP address, the first [chars] is the host identifier, the second [chars] is the interface, and the third [chars] is the session ID.
Recommended Action No action is required.
Error Message EOU-4-VERSION_MISMATCH: HOST=[inet]| Version=[dec]| AUDITSESSID=[chars]Explanation A mismatch in the EAPoUDP versions was detected from the host. [inet] is the host identifier, [dec] is the EAPoUDP version, and [chars] is the session ID.
Recommended Action Check EAPoUDP versions on peers.
Error Message EOU-6-POSTURE: IP=[inet]| HOST=[chars]| Interface=[chars]|AUDITSESSID=[chars]Explanation The posture validation status for the host. [inet] is the host IP address, the first [chars] is the host identfier, the second [chars] is the host interface, and the third [chars] is the session ID.
Recommended Action No action is required.
Error Message EOU-6-AUTHTYPE: IP=[inet]| AuthType=[chars]| AUDITSESSID=[chars]Explanation The authentication type for the host. [inet] is the host IP address, the first [chars] is the authentication type, and the second [chars] is the session ID.
Recommended Action No action is required.
Error Message EOU-4-UNKN_EVENT_ERR: UNKNOWN Event for HOST=[inet]| Event=[dec]| AUDITSESSID=[chars]Explanation Unknown message for the EAPoUDP process. [inet] is the host identifier, [dec] is the event identifier, and [chars] is the session ID.
Recommended Action File a DDTS with Cisco.
Error Message EOU-5-AAA_DOWN: AAA unreachable. METHODLIST=[chars]| HOST=[inet]| POLICY=[chars].| AUDITSESSID=[chars]Explanation The AAA servers defined by the method list cannot be reached by the host and the applied policy. The first [chars] is the method list identifer, [inet] is the host identifier, the second [chars] is the policy, and the third [chars] is the session ID.
Recommended Action Check the possible causes for unreachable AAA servers.
Error Message MAB-5-FAIL: Authentication failed for client ([chars]) on Interface [chars] AuditSessionID [chars]Explanation Authentication was unsuccessful. The first [chars] is the client, the second [chars] is the interface, and the third [chars] is the session ID.
Recommended Action No action is required.
Error Message MAB-5-SUCCESS: Authentication successful for client ([chars]) on Interface [chars] AuditSessionID [chars]Explanation Authentication was successful. The first [chars] is the client, the second [chars] is the interface, and the third [chars] is the session ID.
Recommended Action No action is required.
Deleted System Messages
Error Message IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: [inet], hw: [enet] by hw: [enet]\n", MSGDEF_LIMIT_FASTExplanation Multiple stations are configured with the same IP address in a private VLAN. (This could be a case of IP address theft.) [inet] is the IP address that is configured, the first [enet] is the original MAC address associated with the IP address, and the second [enet] is the MAC address that triggered this message.
Recommended Action Change the IP address of one of the two systems.
Updates to the Catalyst 2960 Hardware Installation Guide
Cisco Ethernet Switches are equipped with cooling mechanisms, such as fans and blowers. However, these fans and blowers can draw dust and other particles, causing contaminant buildup inside the chassis, which can result in a system malfunction.
You must install this equipment in an environment as free as possible from dust and foreign conductive material (such as metal flakes from construction activities).
This applies to all Cisco Ethernet switches except for these compact models:
–
–
Update to the Getting Started Guide
When you launch Express Setup, you are prompted for the switch password. Enter the default password, cisco. The switch ignores text in the username field. Before you complete and exit Express Setup, you must change the password from the default password, cisco.
Update to the Catalyst 2960-S Switch Getting Started Guide
This correction applies to the French, Italian, German, Spanish, Japanese, and simplified Chinese versions of the getting started guide:
In the "Unpacking the Switch" section, four number-8 Phillips flat-head screws (48-0655-01) are included with the switch.
Related Documentation
User documentation in HTML format includes the latest documentation updates and might be more current than the complete book PDF available on Cisco.com.
These documents provide complete information about the Catalyst 3750, 3560, 2975, 2960-S and 2960 switches and the Cisco EtherSwitch service modules and are available at Cisco.com:
http://www.cisco.com/en/US/products/hw/switches/ps5023/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/hw/switches/ps5528/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/ps10081/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/ps6406/tsd_products_support_series_home.htmlThese documents provide complete information about the Catalyst 3750 switches and the Cisco EtherSwitch service modules:
•
•
•
•
•
•
•
These documents provide complete information about the Catalyst 3750G Integrated Wireless LAN Controller Switch and the integrated wireless LAN controller and are available at cisco.com:
•
•
•
•
These documents provide complete information about the Catalyst 3560 switches:
•
•
•
•
•
•
These documents provide complete information about the Catalyst 2960 and 2960-S switches and are available on Cisco.com:
•
•
•
•
•
•
•
•
•
For other information about related products, see these documents:
•
•
•
•
•
•
•
•
•
http://www.cisco.com/en/US/products/hw/modules/ps5455/prod_installation_guides_list.htmlSFP compatibility matrix documents are available from this Cisco.com site:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list
.htmlObtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.htmlSubscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Obtaining Documentation and Submitting a Service Request" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2011-2012 Cisco Systems, Inc. All rights reserved.
