 Feedback
|
Table Of Contents
Release Notes for the
Catalyst 3750 Metro Switch,
Cisco IOS Release 12.1(14)AX4Finding the Software Version and Feature Set
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Minimum Cisco IOS Release for Major Features
Cisco IOS Limitations and Restrictions
Caveats Resolved in Cisco IOS Release 12.1(14)AX4
Caveats Resolved in Cisco IOS Release 12.1(14)AX3
Caveats Resolved in Cisco IOS Release 12.1(14)AX2
Caveats Resolved in Cisco IOS Release 12.1(14)AX1
Caveats Resolved in Cisco IOS Release 12.1(14)AX
Configuring the Egress Priority Queue
Enabling DSCP Transparency Mode
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for the
Catalyst 3750 Metro Switch,
Cisco IOS Release 12.1(14)AX4
May 2005
The Cisco IOS Release 12.1(14)AX4 runs on all Catalyst 3750 Metro switches.
These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch:
•
If you are installing a new switch, refer to the Cisco IOS release label on the rear panel of your switch.
•
•
For the complete list of switch documentation, see the "Related Documentation" section.
You can download the switch software from this site:
http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml
This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.
Contents
This information is in the release notes:
•
•
•
•
•
•
•
•
Hardware Supported
Table 1 lists the supported hardware and the minimum Cisco IOS release required.
Table 1 Supported Hardware
Catalyst 3750 Metro 24-AC switch
24 10/100 Ethernet ports, 2 1000X standard SFP1 module slots, 2 1000X ES2 SFP slots, and field-replaceable AC power supply
Cisco IOS Release 12.1(14)AX
Catalyst 3750 Metro 24-DC switch
24 10/100 Ethernet ports, 2 1000X standard SFP module slots, 2 1000X ES SFP slots, and field-replaceable DC power supply
Cisco IOS Release 12.1(14)AX
SFP modules
1000BASE-T, 1000BASE-SX, and1000BASE-LX
1000BASE-ZX and CWDM3
Cisco IOS Release 12.1(14)AX
Cisco IOS Release 12.1(14)AX1
1 SFP = small form-factor pluggable
2 ES = enhanced services
3 CWDM = coarse wavelength-division multiplexer
Downloading Software
These are the procedures for downloading software:
•
•
•
•
Note
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release.The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 2 lists the software filename for this software release.
Upgrading a Switch by Using the CLI
This procedure is for copying the tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
Download the software from Cisco.com to your management station by following these steps:
Step 1
Step 2
Go to this URL and log in to download the appropriate files:
http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml
To download the files, click the link for your switch platform, and then follow the links on the page to select the correct tar image file.
Step 3
For more information, refer to Appendix B in the software configuration guide for this release.
Step 4
Step 5
Step 6
archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tarThe /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750me-i5-tar.121-14.AX4.tarYou can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
Recovering from a Software Failure
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. You can use the Xmodem protocol to recover from these failures.
For detailed recovery procedures, refer to the "Troubleshooting" chapter in the software configuration guide for this release.
Installation Notes
You can assign IP information to your switch by using these methods:
•
•
•
•
New Features
These are the new supported hardware and the new software features provided this release:
•
•
New Hardware Features
There are no new hardware features in this release.
New Software Features
There are no new software features in Cisco IOS Release 12.1(14)AX2.
Cisco IOS Release 12.1(14)AX2 contained these new switch features or enhancements:
•
•
For information about these features, see the "Documentation Updates" section.
Minimum Cisco IOS Release for Major Features
Table 3 lists the minimum software release required to support the major features on the Catalyst 3750 Metro switch.
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/3750mscg
/swintro.htm#68019
Table 3 Catalyst 3750 Metro Switch Features and the Minimum Cisco IOS Release Required
QoS egress priority queue
12.1(14)AX2
See the "Documentation Updates" section.
QoS DSCP transparency
12.1(14)AX2
See the "Documentation Updates" section.
Point-to-point Layer 2 protocol tunneling
12.1(14)AX1
See the "Documentation Updates" section.
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
Cisco IOS Limitations and Restrictions
These limitations apply to Cisco IOS configuration:
•
•
•
•
•
•
•
•
This problem occurs under these conditions:
–
–
–
The workaround is to reconfigure the static IP address. (CSCea71176)
•
•
•
•
•
•
The workaround is to set an ARP timeout value higher than 120 seconds. (CSCea21674)
•
•
•
•
•
•
In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress-spanned. If fallback bridging and multicast routing are disabled, egress-SPAN is not degraded. There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress-SPAN to observe the same traffic. (CSCeb01216)
•
•
•
•
•
•
•
•
•
•
•
•
•
The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
•
For example:
Switch(config)# policy-map cos2-policySwitch(config-pmap)# class cos2Switch(config-pmap-c)# bandwidth 50000Switch(config-pmap-c)# queue-limit 32The point at which buffer memory is exhausted depends on the number of queues, the sizes of the queued packets, and whether or not the traffic pattern being sent to the switch allows the queues to drain at all. (CSCed83886)
•
The workaround is to statically configure the MAC address of port 1/0/3 in the CAM table of the switch bound to port 1/0/2 by using the mac address-table static mac-addr vlan vlan-id interface fastethernet1/0/2 global configuration command. (CSCee87864)
Open Caveats
These are the open Cisco IOS configuration caveats:
•
When multicast VLAN registration (MVR) groups are added or deleted, the receiver port that joined the groups after the addition still receives traffic even after the group is deleted. The correct behavior is that MVR data traffic to the group should stop flowing to the receiver port immediately after the no mvr group ip-address global configuration command is entered.
The workaround is to disable MVR by using the no mvr global configuration command and then to re-enable it by using the mvr command. Add and delete the groups that have problems by using the mvr group ip-address and the no mvr group ip-address global configuration commands.
•
Under these conditions, the switch might report a false security violation after an 802.1x supplicant is authenticated and assigned a new VLAN by the RADIUS server:
–
–
–
This problem does not prevent traffic from being forwarded to the 802.1x client, but the show port-security privileged EXEC command output might show that the port is SecureDown when it is actually SecureUp and forwarding traffic correctly.
The workaround is to restart the interfaces that appear to be out of sync by using the shutdown and then the no shutdown interface configuration commands.
•
The switch might not be able to pass Vine (Advanced Research Projects Agency) ARPA frames over bridge groups.
The workaround is to use Subnetwork Access Protocol (SNAP) frames.
•
DVMRP does not correctly forward packets.
There is no workaround.
•
After starting up a switch that has more than 300 VLANs and the maximum number of static Etherchannel groups (12), all interfaces that are part of an Etherchannel might stay down. This occurs because the remote switch detects an Etherchannel misconfiguration and disables its ports. This problem can occur in either per-VLAN-spanning-tree plus (PVST+) or rapid-PVST+ mode.
The workaround is to restart the EtherChannel ports or to configure automatic recovery:
–
–
•
On a voice VLAN port with both 802.1x and port security enabled, dynamic secure addresses might not get deleted when the port is changed from multihost mode to single-host mode. This means that addresses learned in the multihost mode are still allowed after changing to single-host mode. This problem occurs under these conditions:
–
–
–
The workaround is to disable and then re-enable port security on the port.
•
The switch does not work with the User Registration Tool (URT). The PC attempting to connect to the network can login successfully, but is not allowed to pass traffic after the port is moved to the user VLAN. The MAC address for that device shows BLOCKED.
There is no workaround.
•
If an interface on the switch is mapped to queue-set 2, and you disable and then re-enable multilayer QoS globally by using the mls qos global configuration command, the interface is no longer mapped to the correct egress queue-set.
The workaround is to reconfigure the interface queue-set by using the no queue-set interface configuration command followed by the queue-set 2 interface configuration command.
•
If an 802.1x port is configured for forced-unauthorized port control mode and voice VLAN, after you remove the voice VLAN and disable 802.1x on the port, the port no longer passes traffic.
The workaround is to restart the port by using the shutdown and then the no shutdown interface configuration commands.
•
When you configure a policy-rate policer and attach it to an interface, the cdQosPoliceCfg table shows two identical policers when only one has been configured. The cdQosPoliceStats table also contains status for two policers.
The workaround is to ignore the second policer.
•
The cbQosREDCfg, cbQosREDClassCfg and cbQosREDClassStats tables in CISCO-CLASS-BASED-QOS-MIB are unsupported.
The workaround is to use the random-detect policy-map class configuration command to configure Weighted Random Early Detection (WRED) and the show policy-map interface user EXEC command to monitor WRED.
•
When the receive rate is 100 Mbps and the sample interval (historyControlInterval) is more than 45 seconds, the calculation of the SNMP etherHistoryUtilization report is incorrect and shows a much lower utilization than expected. This also occurs at lower receive rates if the interval is long.
The workaround is to set the historyControlInterval to less than 30 seconds. Longer intervals can cause the counters to overflow if the traffic is intense.
•
When a switch boots without a configuration file, you are prompted for a Yes or No response to the Continue with configuration dialog? [yes/no] question. Even after you enter a response, pressing the Mode button for up to 2 seconds puts the switch in Express Setup mode and erases any configuration information that has been entered.
The workaround is to not enter Express Setup mode while working through the initial configuration dialog after configuration information has been entered.
•
The no setup express global configuration command does not appear in the CLI menu when you enter the no ? command.
The workaround is to enter the no setup express global configuration command even though it does not appear in the help.
•
The CLI allows an interface configured for 802.1xwith the dot1x port-control auto interface configuration command to be added to a port-channel group, even though the features are mutually exclusive.
There is no workaround. Do not configure 802.1x on a port channel.
•
If you change the priority queue settings for ingress priority queue 2 by using the mls qos srr-queue input priority-queue 2 bandwidth global configuration command, the command is accepted correctly. However, the configuration resulting from the show running-config privileged EXEC command contains an extra input, for example, mls qos srr-queue input priority-queue input 2 bandwidth. This causes subsequent problems if the command is saved and if the switch is reloaded.
The workaround is to follow these steps:
1.
2.
3.
4.
•
When automatic QoS (auto-QoS) is configured on an interface and that interface is changed from routed mode to switched mode or switched mode to routed mode, the trust policies displayed by the show running-config user EXEC command and the show mls qos interface user EXEC command are incorrect for the new interface type.
The workaround is to disable auto-QoS on the interface by using the no auto qos voip [cisco-phone | trust] interface configuration command, to change the interface to routed or switched mode, and then to reconfigure auto-QoS by using the auto qos voip {cisco-phone | trust} interface configuration command.
•
Changing the STP mode from PVST to MST (by using the spanning-tree mode mst global configuration command) or from MST to PVST (by using the spanning-tree mode pvst global configuration command) causes the LEDs for Layer 3 interfaces to turn amber, even though the ports are up.
The workaround is to use the shutdown and then the no shutdown interface configuration commands on each Layer 3 interface to force the LEDs back into sync.
•
The port bandwidth limit displayed by show mls qos interface user EXEC command is 100 minus the configured value. For example, if the configured value is 70, the display shows 30.
There is no workaround. This is a display issue only; the configured settings work correctly.
•
When the switchport voice vlan {vlan-id | dot1p | none | untagged} interface configuration command and the spanning-tree bpduguard {disable | enable} interface configuration command are configured together on an interface connected to another Catalyst 3750 Metro switch, the interface does not become err-disabled when BPDUs are detected (which is the expected action). If the voice VLAN configuration is removed, the BPDU guard works as expected.
There is no workaround.
•
The switch does not link up with some media converters running at 100 Mbps. This problem occurs on 10/100BASE-T interfaces.
There is no workaround.
•
Layer 2 Protocol tunneling does not function reliably on EtherChannel interfaces.
There is no workaround.
•
When you enter the switchport port-security aging time interface configuration command, the CLI help shows that entering 0 disables the aging time. The help is incorrect; a value of 0 is an invalid option.
The workaround to disable the aging time is to use the no switchport port-security aging time interface configuration command.
•
When an ES port is configured as an ISL trunk port, sending jumbo frames (1500 to 9000 bytes) through the ES port causes the connected link to receive fragments and cyclic redundancy check (CRC) errors on a high percentage of the traffic. After a prolonged traffic run, the ES ports might stop forwarding traffic.
The workaround is to use only 802.1Q encapsulation on ES ports that might carry jumbo frames
•
When an ES port is configured as an ISL trunk port, the interface counters and the show interface user EXEC command display count ISL packets that are within the system MTU size (1500 bytes) as giant packets that were discarded because they exceeded the system MTU.
The workaround is to configure the ES port as an 802.1Q trunk port.
•
When you change the MPLS router ID by entering the mpls ldp router-id [loopback value] force global configuration command, the local router ID is changed, but the label distribution protocol (LDP) does not bind with the LDP neighbor until the loopback interface is shut down and brought back up.
The workaround is to enter a shutdown and then a no shutdown interface configuration command on the loopback interface after you change the MPLS router ID.
•
An EtherChannel configured for 802.1Q tunneling and either the Port Aggregation Protocol (PAgP) or the Link Aggregation Control Protocol (LACP) does not come up.
The workaround is to use channel-group channel-group-number mode on interface configuration command.
•
If a switch has more than one route to reach a remote destination over an MPLS cloud, it does not support an EoMPLS configuration to that remote destination. This applies to both port-mode and VLAN-mode EoMPLS sessions. Trying to configure an EoMPLS session to that destination causes a Layer 2 loop for the EoMPLS session. Any traffic to an unknown destination address or multicast or broadcast traffic enters a permanent loop if both the ES ports (Gigabit Ethernet 1/1/1 and Gigabit Ethernet 1/1/2) are carrying the remote adjacency, either as a switch virtual interface (SVI) or a routed port. The Layer 2 loop is formed due to the internal implementation of EoMPLS.
There is no workaround. This configuration is not supported.
•
The EoMPLS tunneled ports (both port-based and VLAN-based) on a switch do not tunnel Layer 2 protocol packets that are received from the customer switch to the remote (egress) provider edge switch. The Layer 2 protocols packets are either consumed by the switch or, if Layer 2 protocol tunneling is enabled, are passed along by the standard Layer 2 protocol tunneling mechanism (outside the EoMPLS tunnels).
There is no workaround.
•
If you configure hundreds of QoS class maps, the switch might display a SYS-3-CPUHOG message when you apply the service policy to an interface by using the service-policy interface configuration command or when you remove the service policy.
There is no workaround.
•
When an ES interface on a switch is configured as a (Layer 2) switch port and MPLS is configured on a VLAN interface, changing the MPLS MTU on the VLAN interface is not effective.
The workaround is to change the MPLS MTU on the ES interface by entering the mpls mtu bytes interface configuration command.
Note
•
When an MPLS label is added to traffic leaving an ES interface, any Layer 3 "set" operations (for rewriting the IP precedence or DSCP) that should apply to that traffic are not performed.
There is no workaround
•
In order to make Intermediate System-to-Intermediate System (IS-IS) function on an SVI interface, you must manually set the Connectionless Network Service (CLNS) MTU to 1497.
The workaround, when configuring IS-IS on an SVI, is to use the clns mtu 1497 interface configuration command on the SVI to set the CLNS MTU to 1497.
•
The switch reloads when you perform either of these CLI sequences:
Sequence A:
1.
2.
3.
4.
Sequence B:
1.
2.
3.
4.
5.
The workaround is that before deleting a renamed policy or disabling Auto-QoS on an interface to which a policy map is attached, detach the renamed policy from the interface by using the no service-policy input or no service-policy output interface configuration command.
•
If Cisco Express Forwarding (CEF) is disabled due to over-utilization of the switch content-addressable memory (CAM) resources, a subsequent BGP routing update might cause the switch to reload.
The workaround is to use the sdm prefer {default | routing | routing-pbr | vlan} global configuration command to configure the best SDM template for the number of routes and MAC addresses in the system to avoid over-utilizing CAM resources. For example, the routing template supports the largest number of routes and the VLAN template supports the largest number of MAC addresses.
Resolved Caveats
These are the caveats that have been resolved in this release.
•
•
•
•
•
Caveats Resolved in Cisco IOS Release 12.1(14)AX4
These caveats were resolved in Cisco IOS Release 12.1(14)AX4:
•
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on IOS devices, may contain two vulnerabilities that can potentially cause IOS devices to exhaust resources and reload.
Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with Remote Authentication Dial In User Service (RADIUS) is not affected by these vulnerabilities.
Cisco has made free software available to address these vulnerabilities for all affected customers. There are workarounds available to mitigate the effects of the vulnerability (see the "Workarounds" section of the full advisory for details).
This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1.
2.
3.
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at:
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
Caveats Resolved in Cisco IOS Release 12.1(14)AX3
These caveats are resolved in Cisco IOS Release 12.1(14)AX3:
•
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.
All other device services will operate normally.
The detail advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
•
When both enhanced services (ES) ports are connected and sending traffic, remotely disconnecting one ES port can no longer cause traffic to stop flowing through the other ES port.
•
The switch now correctly performs checksum calculation when an IP packet using the IP option fields is sent out through an ES port.
•
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
If a misformed packet is received and queued up on the interface, this bug may also be triggered by other means which are not considered remotely exploitable such as the use of the command show ip bgp neighbors or running the command debug ip bgp neighbor updates for a configured BGP neighbor.
Cisco has made free software available to address this problem.
For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
Caveats Resolved in Cisco IOS Release 12.1(14)AX2
These caveats were resolved in Cisco IOS Release 12.1(14)AX2:
•
The Cisco Discovery Protocol (CDP) process no longer causes memory-allocation failed messages.
•
A connection to a faulty Cisco 7935 IP phone no longer might cause the switch to reload.
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messagesSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
•
When IS-IS is configured on an SVI, adjacency with its neighbor is now established.
•
A switch configured as an MPLS VPN provider-edge device no longer incorrectly displays traceback failure messages.
•
In an EoMPLS environment, the default mapping of COS to MPLS experimental bits now correctly copies the COS bits into both the outer Interior Gateway Protocol (IGP) label and the inner virtual connection (VC) label.
•
The switch no longer reloads when you modify a large policy map that is attached to an ES port.
•
The no mpls ip propagate-ttl global configuration command now works correctly on the switch.
•
The switch no longer reloads when you configure a policy map.
•
The switch no longer reloads when you configure Border Gateway Protocol (BGP) authentication.
•
Configuring an IP address on either interface VLAN 27 or interface VLAN 28 no longer causes the switch to reload.
•
The switch no longer reloads after you enter a show policy-map interface interface-id output class class-name user EXEC command.
•
When you configure IS-IS on an SVI the ping clns privileged EXEC command now works correctly.
•
The switch no longer reloads when you enter the spanning-tree bpdufilter enable interface configuration command on a VLAN interface.
•
When the switch is configured as a service provider-edge (PE) device, clients attached to a routed interface can now ping across the MPLS cloud when all VLANs are removed and added back on the uplink trunk.
•
When VPN routing and forwarding (VRF) is configured, if an external devices attempts to ping a loopback interface, the switch now correctly responds to the ping.
•
When PVST+ or MSTP is enabled and the spanning tree root VLAN ages out, a transient loop no longer occurs when the network reconverges.
•
When two Cisco-approved SFP modules are inserted in the switch at the same time, both SFPs are now recognized by the switch.
•
QoS interface statistics now correctly increment on ES ports.
•
Removing the priority action from a class within an egress service-policy on an ES interface by using the no priority policy-map class configuration command causes the service policy to become invalid; however, the switch now properly reverts to the last valid configuration.
•
CPU usage no longer increases to 99 per cent every 5 seconds when a large policy map is attached to an ES port.
•
The switch no longer shuts down if you enter a duplex command in interface-range configuration mode for a range of Fast Ethernet interfaces that belong to a port channel.
•
When MPLS is enabled, the switch now correctly adds the MPLS labels so that the packets are correctly processed by the next-hop routers.
•
When a DSCP mutation map is applied to an ES interface and then removed, the CoS value of the packets are now correct.
•
An EoMPLS connection no longer might stop working if an access port in the EoMPLS VLAN changes administrative state.
•
If a large quantity of traffic is policy-based routed on the switch, this no longer causes an increase in the CPU load.
•
When a switch is configured for MPLS VPN and the ARP entry of the next hop ages out or is manually cleared, packets coming in on a VRF interface are no longer sent out untagged. MPLS VPN site connectivity is not broken.
•
The switch no longer stops tagging packets to the default route learned on a VRF interface when it receives a route update (delete or learn) from one of it BGP neighbors for that VRF.
•
When a switch is used as a pure Layer 2 switch with MPLS disabled, and ES ports are used to connect to the provider-edge routers, this no longer breaks MPLS VPN connectivity.
•
QoS policy-maps now work correctly when you change the policer from a bit rate (police cir policy-map class configuration command) to a percentage (police cir percent policy-map class configuration command) or from a percentage to a bit rate.
•
The switch now correctly handles CDP packets with hostnames that are longer than 255 characters.
Caveats Resolved in Cisco IOS Release 12.1(14)AX1
These caveats are resolved in Cisco IOS Release 12.1(14)AX1:
•
When MPLS traffic has been running long enough for the MPLS byte counters to roll over, entering the show mpls forwarding-table user EXEC command no longer results in a display with large negative bytes.
•
A switch running Routing Information Protocol (RIP) version 1 no longer discards RIP packets destined for directed broadcast addresses.
•
If you paste a configuration that has a large ACL into the running configuration of the switch, the console no longer halts, and the switch no longer reboots.
•
A switch configured to send DHCP unicast requests to a specified DHCP server no longer reloads when it tries to boot up.
•
Address Resolution Protocol (ARP) responses destined to the switch CPU that are received on a Layer 2 interface that has a MAC access list applied to it are no longer dropped, and ARP learning works correctly.
•
The switch no longer reloads when you add an aggregate policer to a new policy map. In previous releases, this happened if the aggregate policer had previously been used in a policy map that was attached to an interface, even if that policy map had been detached and removed from the interface.
•
The switch no longer times out the source and multicast group address (S, G) entries when passing low traffic (such as 3 packets per minute) from the source.
•
The switch now communicates correctly with media converters running at 10 Mbps.
•
The spanning-tree algorithm now blocks a Layer 2 loop if you change the native VLAN or a trunk port to a VLAN that you have not yet created.
•
When you enter the ip default-network global configuration command, all packets that match the default route are no longer sent to the CPU.
•
When using SNMP to poll a switch, the ifHCInOctets and ifHCOutOctets are no longer 0 for Gigabit EtherChannel interfaces.
•
The switch no longer pauses indefinitely when 1-byte frames are received.
•
The dynamic MAC address of the Hot Standby Router Protocol (HSRP) group is now relearned on the standby switch even if several interfaces have the same HSRP standby group.
•
The switch no longer allows Telnet sessions to the device from unauthorized hosts when you apply an access class to inbound vty lines.
•
If there are multiple aggregate policers configured on a switch and one of the policers is used in a policy map that has been applied to an interface, the switch no longer fails if you remove the aggregate policer without first detaching it from the policy map. In previous releases, this occurred when you first applied the command or after you saved the configuration and then reloaded the switch.
•
When the MPLS label range is set to the default, the switch no longer rejects MPLS traffic with a label greater than 8192.
•
MPLS now functions correctly on switch virtual interfaces (SVIs).
•
Converting a Layer 2 port to a Layer 3 port by using the no switchport interface command no longer causes a remote ACL that is applied to the switch SVI to be removed from the ternary content addressable memory (TCAM).
•
You can now set the CLNS MTU to more than 1497 on a routed interface.
•
Layer 2 protocol tunneling packets received through an ES interface are now forwarded correctly.
•
When the switch is running an Any Transport over MPLS (AToM) process and an LDP session starts or stops, the switch no longer experiences a slow memory leak or has to be reloaded.
Caveats Resolved in Cisco IOS Release 12.1(14)AX
These caveats were resolved in release 12.1(14)AX:
•
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain TCP stack are susceptible to this vulnerability.
This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
Documentation Updates
Beginning with Cisco IOS Release 12.1(14)AX2, the switch supports these QoS features (see the "New Software Features" section) that were not described in the software documentation. These are the documentation updates for this release.
Software Configuration Guide
These are the documentation updates for the Catalyst 3750 Metro Switch Software Configuration Guide.
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/ol464602.htm#wp44273This information is part of Chapter 26, "Configuring QoS." For the complete chapter (minus these updates), go to this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/3750mscg/swqos.htm
Configuring the Egress Priority Queue
Note
Beginning in Cisco IOS Release 12.1(14)AX2, you can ensure that certain packets have priority over all others by queuing them in the egress priority queue on a port. SRR services this queue until it is empty and before servicing the other queues.
All four queues participate in the SRR unless the egress priority queue is enabled, in which case the first bandwidth weight is ignored and is not used in the ratio calculation. The priority queue is serviced until empty before the other queues are serviced. You enable the priority queue by using the priority-queue out interface configuration command.
Follow these guidelines when the egress priority queue is enabled on a port; otherwise, the egress queues are serviced based on their SRR weights:
•
•
•
On an ES port, you can use LLQ (enabled with the priority policy-map class configuration command) and the egress priority queue (enabled with the priority-queue out interface configuration command). By using these two features, you can give priority to a class of traffic and avoid losing traffic when the switch is congested. In previous releases (before the egress priority queue was supported), you could put a traffic class into the strict-priority queue, but congestion at the egress queue-sets could result in the dropping of that priority traffic. The priority-queue out interface configuration command enables you to prioritize the same traffic class at the egress queue-sets, ensuring that priority traffic reaches the hierarchical queues and is processed with priority.
Beginning in privileged EXEC mode, follow these steps to enable the egress priority queue. This procedure is optional.
To disable the egress priority queue, use the no priority-queue out interface configuration command.
This example shows how to enable the egress priority queue when the SRR weights are configured. The egress expedite queue overrides the configured SRR weights.
Switch(config)# interface gigabitethernet1/0/1Switch(config-if)# srr-queue bandwidth shape 25 0 0 0Switch(config-if)# srr-queue bandwidth share 30 20 25 25Switch(config-if)# priority-queue outSwitch(config-if)# endEnabling DSCP Transparency Mode
Note
By default, in Cisco IOS Release 12.1(14)AX2 or later, the DSCP transparency feature is disabled, and the DSCP value of an incoming packet is modified based on the QoS configuration. If you enable the DSCP transparency feature, the switch does not change (rewrite) the DSCP field of an IP packet at the ingress and egress interfaces. During QoS processing, the switch modifies the CoS value of the packet based on the internal DSCP value and DSCP-to-CoS map.
In software releases earlier than Cisco IOS Release 12.1(14)AX2, if QoS is disabled, the DSCP value of the incoming IP packet is not modified (the default). If QoS is enabled and you configure the interface to trust DSCP, the switch does not modify the DSCP value. If you configure the interface to trust CoS, the switch modifies the DSCP value according to the CoS-to-DSCP map.
If you enable DSCP transparency, these automatic actions occur:
•
Note
Note
•
Beginning in privileged EXEC mode, follow these steps to enable DSCP transparency on a switch:
To configure the switch to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency, use the mls qos rewrite ip dscp global configuration command.
If you disable QoS by using the no mls qos global configuration command, the CoS and DSCP values are not changed (the default QoS setting).
If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is disabled.
Command Reference
In the Catalyst 3750 Metro Switch Command Reference, these commands are new or have been modified to support QoS functionality.
mls qos rewrite ip dscp
Note
Use the mls qos rewrite ip dscp global configuration command to configure the switch to change (rewrite) the Differentiated Services Code Point (DSCP) field of an incoming IP packet. Use the no form of this command to configure the switch to not modify the DSCP field of the packet.
mls qos rewrite ip dscp
no mls qos rewrite ip dscp
Syntax Description
This command has no arguments or keywords.
Defaults
DSCP transparency is disabled. The switch changes the DSCP field of the incoming IP packet.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the mls qos rewrite ip dscp command to disable the DSCP transparency feature. The DSCP value of an incoming packet is modified based on the QoS configuration, such the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
If you disable DSCP transparency and then enable QoS globally, these automatic actions occur:
•
•
•
To enable the DSCP transparency feature, you must use the no mls qos rewrite ip dscp global configuration command. When DSCP transparency is enabled, the switch does not change (rewrite) the DSCP field of an IP packet at the ingress and egress interfaces. During QoS processing, the switch modifies the CoS value of the packet based on the internal DSCP value and DSCP-to-CoS map.
If you enable DSCP transparency, these automatic actions occur:
•
•
If you disable QoS, the CoS and DSCP values of the incoming IP packet do not change (the default).
Examples
This example shows how to enable DSCP transparency and configure the switch to not change the DSCP value of the incoming IP packet:
Switch(config)# mls qosSwitch(config)# no mls qos rewrite ip dscpSwitch(config)# endThis example shows how to disable DSCP transparency and configure the switch to change the DSCP value of the incoming IP packet:
Switch(config)# mls qosSwitch(config)# mls qos rewrite ip dscpSwitch(config)# endYou can verify your settings by entering the show mls qos interface [interface-id] privileged EXEC command.
Related Commands
mls qos
Enables QoS globally.
show mls qos interface
Displays QoS information at an interface level.
priority-queue
Note
Use the priority-queue interface configuration command to enable the egress priority queue on a port. Use the no form of this command to return to the default setting.
priority-queue out
no priority-queue out
Syntax Description
Defaults
The egress priority queue is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
When you configure the priority-queue out command, the shaped round robin (SRR) weight ratios are affected because there is one fewer queue participating in SRR. This means that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth share interface configuration command is ignored (not used in the ratio calculation). Before servicing the other queues, SRR services the priority queue until it is empty.
Follow these guidelines when the priority queue is enabled; otherwise, the egress queues are serviced based on their SRR weights:
•
•
•
To avoid a loss of priority traffic on an enhanced-services (ES) port when the switch is congested, you can configure both the egress priority queueing and the strict-priority queueing (low-latency queueing [LLQ]) features. Note that when you map certain traffic classes to the egress priority queue, they are not automatically placed into the strict-priority queue. You must configure both the priority-queue out interface configuration and the priority policy-map class configuration commands.
Examples
This example shows how to enable the egress priority queue when the SRR weights are configured. The egress expedite queue overrides the configured SRR weights.
Switch(config)# interface gigabitethernet1/0/2Switch(config-if)# srr-queue bandwidth shape 25 0 0 0Switch(config-if)# srr-queue bandwidth share 30 20 25 25Switch(config-if)# priority-queue outThis example shows how to disable the egress priority queue after the SRR shaped and shared weights are configured. The shaped mode overrides the shared mode.
Switch(config)# interface gigabitethernet1/0/2Switch(config-if)# srr-queue bandwidth shape 25 0 0 0Switch(config-if)# srr-queue bandwidth share 30 20 25 25Switch(config-if)# no priority-queue outYou can verify your settings by entering the show mls qos interface interface-id queueing or the show running-config privileged EXEC command.
Related Commands
Hardware Installation Guide
The Preface for the Catalyst 3750 Metro Switch Hardware Installation Guide does not include the translations for the Warning symbol and explanation (Statement 1071) or a change to the Warning statement about installation for short-circuit (overcurrent) protection (Statement 1005-Circuit Breaker) in Appendix E, "Translated Safety Warnings."
This information is in the Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.1(14)AX at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/ol464601.htm#35851
Related Documentation
These documents provide information about the switch and are available from this Cisco.com site:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation" section.
•
•
•
•
•
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
http://www.cisco.com/en/US/partner/ordering/
•
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
•
•
•
A current list of security advisories and notices for Cisco products is available at this URL:
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
•
•
Tip
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
•
•
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/go/marketplace/
•
•
•
http://www.cisco.com/go/iqmagazine
•
•
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)
© 2005 Cisco Systems, Inc. All rights reserved.
