Table Of Contents
Release Notes for the Catalyst 3750 Metro Switch
Cisco IOS Release 12.2(25)SEE and LaterFinding the Software Version and Feature Set
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Minimum Cisco IOS Release for Major Features
Caveats Resolved in Cisco IOS Release 12.2(25)SEE4
Caveats Resolved in Cisco IOS Release 12.2(25)SEE
Updates for the Software Configuration Guide
Upgrading Devices with Cisco IOS Image Agent
Configuring IP Unicast Routing Chapter
Configuring DHCP Features and IP Source Guard Chapter
Configuring Port-Based Traffic Control Chapter
Configuring Network Security with ACLs Chapter
Updates for the Command Reference
ip dhcp snooping information option format remote-id
ip dhcp snooping vlan information option format-type circuit-id string
Updates for the Hardware Installation Guide
Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for the Catalyst 3750 Metro Switch
Cisco IOS Release 12.2(25)SEE and Later
Revised June 10, 2008
Cisco IOS Release 12.2(25)SEE and 12.2(25)SEE4 run on all Catalyst 3750 Metro switches.
These release notes include important information about Cisco IOS Release 12.2(25)SEE, 12.2(25)SEE4, and any limitations, restrictions, and caveats that apply to the releases.
Verify that these release notes are correct for your switch:
•
If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.
•
•
For the complete list of switch documentation, see the "Related Documentation" section.
You can download the switch software from this site:
http://www.cisco.com/public/sw-center/sw-lan.shtml
This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com in the Cisco IOS software area.
Cisco IOS Release 12.2(25)SEE is based on Cisco IOS Release 12.2(25)S. Open caveats in Cisco IOS Release 12.2(25)S also affect Cisco IOS Release 12.2(25)SEE, unless they are listed in the Cisco IOS Release 12.2(25)SEE resolved caveats list. The list of open caveats in Cisco IOS Release 12.2(25)S is available at this URL:
/en/US/docs/ios/12_2s/release/notes/122Srn.html#wp2367913
Contents
This information is in the release notes:
•
•
•
•
•
•
Hardware Supported
Table 1 lists the supported hardware and the minimum Cisco IOS release required.
Table 1 Supported Hardware
Catalyst 3750 Metro 24-AC switch
24 10/100 Ethernet ports, 2 1000X standard SFP1 module slots, 2 1000X ES2 SFP slots, and field-replaceable AC power supply
Cisco IOS Release 12.1(14)AX
Catalyst 3750 Metro 24-DC switch
24 10/100 Ethernet ports, 2 1000X standard SFP module slots, 2 1000X ES SFP slots, and field-replaceable DC power supply
Cisco IOS Release 12.1(14)AX
SFP modules
1000BASE-T, 1000BASE-SX, and1000BASE-LX
1000BASE-ZX and CWDM3
100BASE-FX MMF4
1000BASE-BX
Cisco IOS Release 12.1(14)AX
Cisco IOS Release 12.1(14)AX1Cisco IOS Release 12.2(25)EY
Cisco IOS Release 12.2(25)EY2
1 SFP = small form-factor pluggable
2 ES = enhanced services
3 CWDM = coarse wavelength-division multiplexer
4 MMF = multimode fiber
Upgrading the Switch Software
These are the procedures for downloading software:
•
•
•
•
•
Note
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 2 lists the software filename for this software release.
Table 2 Cisco IOS Software Image Files for Catalyst 3750 Metro Switches
Filename
c3750me-i5-tar.122-25.SEE4.tar
Cisco IOS image tar file.
This image has Layer 2+ and Layer 3 features.c3750me-i5k91-tar.122-25.SEE4.tar
Cisco IOS cryptographic image tar file.
This image has the Kerberos, SSH1 , SSL2 , Layer 2+, and Layer 3 features.
1 SSH = Secure Shell
2 SSL = Secure Socket Layer
Archiving Software Images
Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.
Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.
HtmlYou can copy the bin software image file on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.
Note
You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:
/en/US/docs/ios/12_2/configfun/command/reference/frf011.html#wp1018426
Upgrading a Switch by Using the CLI
This procedure is for copying the tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
Download the software from Cisco.com to your management station by following these steps:
Step 1
Step 2
Go to this URL and log in to download the appropriate files:
http://www.cisco.com/public/sw-center/sw -lan.shtml
To download the files, click the link for your switch platform, and then follow the links on the page to select the correct tar image file.
Step 3
For more information, see Appendix B in the software configuration guide for this release.
Step 4
Step 5
Step 6
archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tarThe /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750me-i5-tar.122-25.SEE.tarYou can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
Recovering from a Software Failure
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. You can use the Xmodem protocol to recover from these failures.
For detailed recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.
Installation Notes
You can assign IP information to your switch by using these methods:
•
•
•
•
New Features
These are the new supported hardware and the new software features provided this release:
•
•
New Hardware Features
For a list of all supported hardware, see the "Hardware Supported" section.
New Software Features
This release contains these new switch features (available in all software images):
•
•
•
•
•
•
•
Minimum Cisco IOS Release for Major Features
Table 3 lists the minimum software release required to support the major features on the Catalyst 3750 Metro switch.
Note
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12225ey/3750mscg
/swintro.htm
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
Configuration
These are the configuration limitations:
•
This problem occurs under these conditions:
–
–
–
The workaround is to reconfigure the static IP address. (CSCea71176)
•
The workaround is to upgrade to Cisco IOS Release 12.2(25)EY. (CSCec35100)
•
These are the workarounds:
1.
2.
3.
•
–
–
–
No workaround is necessary; these are the designed behaviors. (CSCed50819)
•
However, when dynamic ARP inspection is not enabled and jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)
•
The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
•
When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which the command was entered.
There is no workaround. (CSCed95822)
•
The workaround is to enter the no switchport block unicast interface configuration command for that specific interface. (CSCee93822)
•
The workaround is to statically configure the MAC address of port 1/0/3 in the CAM table of the switch bound to port 1/0/2 by using the mac address-table static mac-addr vlan vlan-id interface fastethernet1/0/2 global configuration command. (CSCee87864)
•
There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)
•
2d20h: %PLATFORM_UCAST-3-LB: PI<->PD handles out of sync for Adj 222.1.1.1 LB -Traceback= 252620 A919CC A847E0 A85BE0 A927FC AA2D28 A965E0 A89C08 A78744 B08F48 ADF504 ADDC4C AE3460 AD25CC B94AA0 B94F20
There is no workaround. (CSCeh13477)
Ethernet
This is the Ethernet limitation:
SNAP-encapsulated IP packets are dropped without an error message being reported at the interface. The switch does not support SNAP-encapsulated IP packets. There is no workaround. (CSCdz89142)
Fallback Bridging
These are the fallback bridging limitations:
•
The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)
•
The workaround is to disable fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. Another workaround is to disable port security on all ports in all VLANs participating in fallback bridging by using the no switchport port-security interface configuration command. (CSCdz80499)
HSRP
These are the Hot Standby Routing Protocol (HSRP) limitations:
•
The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, see the "Configuring STP" chapter in the software configuration guide. (CSCec76893)
•
There is no workaround. Do not configure HSRP on MPLS interfaces. (CSCeg76540)
IP
These are the IP limitations:
•
The workaround is to set an ARP timeout value higher than 120 seconds. (CSCea21674)
•
The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)
IP Telephony
These are the IP telephony limitations:
•
The workaround is to power the AP by using an AC wall adaptor. (CSCin69533)
•
There is no workaround. (CSCea85312)
MAC Addressing
This is the MAC addressing limitation:
When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)
MPLS and EoMPLS
These are the multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) limitations:
•
The workaround is to configure the incoming ports as an IEEE 802.1Q trunk or as an access port. (CSCeb44014)
•
The workaround is to use the show mpls ldp parameter user EXEC command to see the configured value. (CSCeb76775)
•
There is no workaround. (CSCec13655)
Multicasting
These are the multicasting limitations:
•
•
There is no workaround because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member on a trunk port in at least one VLAN, this problem for the non-RPF traffic occurs. (CSCdu25219)
•
The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)
•
There is no workaround. (CSCdy82818)
•
The workaround is to not apply a router ACL configured to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)
•
There is no workaround. (CSCeb75366)
•
–
–
There is no workaround. (CSCec20128)
•
The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.
There is no workaround. (CSCee16865)
•
–
–
The workaround is to enter clear ip mroute privileged EXEC command on the interface. (CSCef42436)
•
There is no workaround. (CSCef67261)
QoS
These are the QoS limitations:
•
The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)
•
There is no workaround. (CSCeb75230)
•
There is no workaround. (CSCeb80223)
•
There is no workaround. (CSCeb80300)
•
There is no workaround. (CSCec08205)
•
The workaround is to configure explicit matches for traffic that requires priority treatment. (CSCec38901)
•
The workaround is to detach the service policy from the port while making the modifications and then to re-attach the service policy. (CSCec75945)
•
If this becomes a problem, you can change switch behavior by using the queue-limit policy-map class configuration command at the class level to set shorter queue depths. Each shaper has an associated buffer queue with a default depth of 128 packets.
For example:
Switch(config)# policy-map cos2-policySwitch(config-pmap)# class cos2Switch(config-pmap-c)# bandwidth 50000Switch(config-pmap-c)# queue-limit 32The point at which buffer memory is exhausted depends on the number of queues, the sizes of the queued packets, and whether or not the traffic pattern being sent to the switch allows the queues to drain at all.
Upgrading your switch to Cisco IOS Release 12.2(25)EY greatly reduces the possibility of this situation happening, although it can still occur with some configurations and traffic patterns. (CSCed83886)
•
There is no workaround. (CSCee22591)
Routing
These are the routing limitations:
•
•
There is no workaround. (CSCea52915)
•
–
–
–
The workaround is to change any one of the listed conditions. (CSCed53633)
SPAN and RSPAN
These are the SPAN and Remote SPAN (RSPAN) limitations:
•
•
The workaround is to use the encapsulate replicate keywords in the monitor session global configuration command. This is a hardware limitation. (CSCdy81521)
•
The workaround is to configure only one RSPAN source session. (CSCea72326)
•
In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be monitored. If fallback bridging and multicast routing are disabled, egress-SPAN monitoring is not degraded.
There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress-SPAN to observe the same traffic. (CSCeb01216)
•
There is no workaround. (CSCeb23352)
•
The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for a local SPAN session. (CSCed24036)
Trunking
These are the trunking limitations:
•
There is no workaround. (CSCdz33708)
•
There is no workaround. (CSCdz42909)
•
There is no workaround. (CSCec35100).
•
3d20h: %PLATFORM_UCAST-3-LB: PI<->PD handles out of sync for Adj 222.1.1.1 LB -Traceback= 252620 A9204C A84E60 A86260 A92E7C AA36A0 AA3520 A96C60 A8A288 A78DC4 B095C8
There is no workaround. This does not affect switch functionality. (CSCeh20081)
Tunneling
This is the tunneling limitation:
•
The workaround is to configure identical VLAN mappings on both ES ports if they are going to be bundled into an EtherChannel. (CSCec49520)
VLAN
These are the VLAN limitations:
•
The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
•
There is no workaround. (CSCed71422)
•
The workaround is to define another policy-map name for the second-level policy-map with the same configuration to be used for another policy-map. (CSCef47377)
Important Notes
These are the important notes related to this software release:
•
–
–
In Cisco IOS Release 12.2(18)SE and later, you can only use the logging on and then the no logging console global configuration commands to disable logging to the console. (CSCec71490)
•
•
Note
•
Note
•
This information is part of Chapter 26, "Configuring QoS." For the complete chapter (minus these updates), go to this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12114ax/3750mscg/swqos.htm
Open Caveats
These are the Cisco IOS severity-3 open configuration caveats with possible unexpected activity in this software release:
•
When an IP phone is connected to the switch, the port VLAN ID (PVID) and the voice VLAN ID (VVID) both learn its MAC address. However, after dynamic MAC addresses are deleted, only VVID relearns the IP phone MAC address. MAC addresses are deleted manually or automatically for a topology change or when port security or an IEEE 802.1x feature is enabled or disabled.
There is no workaround.
•
When configured for a Voice VLAN, the phone sends untagged Cisco Discovery Protocol (CDP) packets and tagged voice packets. All frames from any devices connected to the Cisco IP Phone are sent tagged with the access VLAN ID. Catalyst 2970, 3560, and 3750 switches do not populate the secure address-table with the source MAC address from CDP packets.
The workaround when using Cisco IP Phones with the fix for CSCed84163 and port-security configured on the switchport is to configure switches with one secure address for the phone, plus additional MAC addresses for any devices connected to the Cisco IP Phone.
•
A Catalyst ME 3750 running Release 12.1(14)AX2 does not learn the source MAC address of a Cisco Discovery Protocol (CDP) frame when CDP is disabled on the port.
There is no workaround.
•
When an IEEE 802.1x restricted VLAN is configured on a port and a hub with multiple devices is connected to that port, no syslog messages are generated.
This is not a supported configuration. Only one host should be connected to an IEEE 802.1x restricted VLAN port.
•
When configuring a hierarchical policy map, changes to the match criteria of the VLAN level class-map do not take effect until the policy map is detached and reapplied.
The workaround is to detach the policy map from the interface, make the VLAN-level changes, and reapply the policy map.
•
There is an extra index in the port table of the ciscoStpExtensions MIB that does not exist in the portCrossIndex MIB. For example, extra indexes like 1000-16/40 are seen in stpxRootGuardConfigEnabled displays that do not exist in portCrossIndex, and they appear during an SNMP walk operation.
There is no workaround.
•
When a stack master fails or leaves the stack, a cross-stack EtherChannel in trunk mode running Link Aggregation Control Protocol (LACP) protocol might stop forwarding traffic on some VLANs.
The workaround is to enable the stack-mac persistent feature by using the stack-mac persistent timer global configuration command. You can also use the shutdown interface configuration command and then the no shutdown command on the EtherChannel interface.
•
During IEEE 802.1x authentication, a RADIUS server might download a per-user IP address access control list (ACL) or a MAC address ACL that is applied to the interface as part of the Access-Accept message. If the ACL is too large, the switch might not be able to apply it, and authentication fails and starts over.
The workaround is to reduce the size of the per-user ACL access control entries (ACEs) to less than 20 if ACLs are downloaded as part of IEEE 802.1x authorization.
•
If the re-authentication timer and re-authentication action is downloaded from the RADIUS server using the Session-Timeout and Termination-Action RADIUS attributes, the switch performs the termination action even when the port is not configured with the dot1x timeout reauth server global configuration command and uses the Termination-Action downloaded from a RADIUS server as part of IEEE 802.1x authorization.
The workaround is to remove the Termination-Action attribute from the IEEE 802.1x policy on the RADIUS server if dot1x timeout reauth server is not configured on the port.
•
MAC address notification traps do not work when port security is enabled on the interface.
The workaround is to disable port security on the interface.
•
The switch does not forward an IEEE802.1x request that has null credentials.
There is no workaround.
•
When a source port for a SPAN session has IEEE 802.1x enabled, Extensible Authentication Protocol over LAN (EAPOL) packets are not visible to the packet sniffing tool.
The workaround is to enable a voice VLAN on the SPAN source port.
•
The switch fails when the VPN Routing and Forwarding (VRF) configuration is removed under these conditions:
–
–
–
–
The failure occurs when the second VRF is removed.
The workaround is to remove the static ARP entries configured on a VRF prior to deleting it.
Resolved Caveats
These sections describe the caveats that have been resolved in these releases:
•
•
Caveats Resolved in Cisco IOS Release 12.2(25)SEE4
These caveats are resolved in Cisco IOS Release 12.2(25)SEE4:
•
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
•
The switch no longer incorrectly overwrites the class of service (CoS) packets of internally generated Multicast Listener Discovery (MLD) queries and other control packets.
•
The switch no longer reloads when the write core privileged EXEC command is entered when testing a core dump configuration and FTP is selected as the file transfer protocol.
•
When OSPF SNMP is enabled on the switch, this message no longer appears on the console:
%ALIGN-3-SPURIOUS: Spurious memory access made at xxx reading yyy
Caveats Resolved in Cisco IOS Release 12.2(25)SEE
These caveats were resolved in Cisco IOS Release 12.2(25)SEE:
•
Open Shortest Path First (OSPF) routes now appear in the routing table after a topology change when Incremental SPF (iSPF) is enabled.
•
Policy-based routing (PBR) for IP Version 4 (IPv4) traffic is available when you run IPv4 and IPv6 traffic on the switch because the Dual IPv4-IPv6 Switch Database Management (SDM) templates now have resource provisions for PBR.
•
The cross-stack UplinkFast feature is no longer delayed by 30 seconds when all the interfaces on the root switch are configured with the no shutdown interface configuration command.
•
Configuring static IP routes with new distance values no longer causes routes to disappear from the routing table.
•
If two VLANs are configured on the same switch (for example, VLAN 1 and VLAN 2) with an SVI configured in VLAN 1 and an external bridging device connected to the switch, traffic sent from VLAN 2 to the SVI in VLAN 1 is no longer dropped.
•
The hierarchical per-VLAN policy-map police action now works correctly when a child policy-map is not configured in the first class-map.
Documentation Updates
This section provides these updates to the product documentation:
•
•
•
Updates for the Software Configuration Guide
These are the documentation updates for the software configuration guides for this release:
•
•
•
•
Link-State Tracking
In the "Overview" chapter, this information will be added in the "Redundancy" section:
In Cisco IOS Release 12.2(25)SEE or later, link-state tracking mirrors the state of the ports that carry upstream traffic from connected hosts, servers, and other downstream devices. This feature allows the failover of the downstream traffic traffic to an operational link on another Cisco Ethernet switch.
Understanding Link-State Tracking
Beginning with Cisco IOS Release 12.2(25)SEE, link-state tracking, also known as trunk failover, is a feature that binds the link state of multiple interfaces. For example, link-state tracking provides redundancy in the network when used with Flex Links. If the link is lost on the primary interface, connectivity is transparently switched to the secondary interface.
As shown in Figure 1, Catalyst 3750 Metro switches are used as user-facing provider edge (UPE) switches in a customer site at the edge of the provider network connected to a customer premises equipment (CPE) switch. The UPE switches are connected to the provider edge (PE) switches in the service provider (SP) network. Customer devices, such as clients, connected to the CPE switch have multiple connections to the SP network. This configuration ensures that the traffic flow is balanced from the customer site to the SP and the reverse. Ports connected to the CPE are referred to as downstream ports, and ports connected to PE switches are referred to as upstream ports.
•
•
When you enable link-state tracking on the switch, the link state of the downstream ports is bound to the link state of one or more of the upstream ports. After you associate a set of downstream ports to a set of upstream ports, if all of the upstream ports become unavailable, link-state tracking automatically puts the associated downstream ports in an error-disabled state. This causes the CPE primary interface to failover to the secondary interface.
If the PE switch fails, the cables are disconnected, or the link is lost, the upstream interfaces can lose connectivity. When link-state tracking is not enabled and the upstream interfaces lose connectivity, the link state of the downstream interfaces remain unchanged. The CPE is not aware that upstream connectivity has been lost and does not failover to the secondary interface.
An interface can be an aggregation of ports (an EtherChannel), a single physical port in access or trunk mode, or routed ports. These interfaces can be bundled together, and each downstream interface can be associated with a single group consisting of multiple upstream interfaces, referred to as a link-state group.
The link state of the downstream interfaces is dependent on the link state of the upstream interfaces in the associated link-state group. If all of the upstream interfaces in a link-state group are in a link-down state, the associated downstream interfaces are forced into a link-down state. If any one of the upstream interfaces in the link-state group is in a link-up state, the associated downstream interfaces are allowed to change to, or remain in, a link-up state.
For example, in Figure 1, downstream interfaces 1 and 2 on UPE switch A are defined in link-state group 1 with upstream interfaces 3 and 4. Similarly, downstream interfaces 1 and 2 on UPE switch B are defined in link-state group 2 with upstream interfaces 3 and 4.
If the link is lost on upstream interface 3, the link state of downstream interfaces 1 and 2 does not change. If upstream interface 4 also loses link, downstream interfaces 1 and 2 go into a link-down state. The CPE switch stops forwarding traffic to PE switch A and starts to forward traffic to PE switch B.
You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. You can also enable one of the upstream interfaces in the group to change to the link-up state. To recover multiple downstream interfaces, disable the link-state group.
Figure 1 Typical Link-State Tracking Configuration
Configuring Link-State Tracking
These sections describe how to configure link-state tracking ports:
•
•
•
Default Link-State Tracking Configuration
There are no link-state groups defined, and link-state tracking is not enabled for any group.
Link-State Tracking Configuration Guidelines
Follow these guidelines to avoid configuration problems:
•
•
•
Configuring Link-State Tracking
Beginning in privileged EXEC mode, follow these steps to configure a link-state group and to assign an interface to a group:
This example shows how to create a link-state group and configure the interfaces:
Switch# configure terminalSwitch(config)# link state track 1Switch(config)# interface range fastethernet1//0/9 -10Switch(config-if)# link state group 1 upstreamSwitch(config-if)# interface fastethernet1//0/1Switch(config-if)# link state group 1 downstreamSwitch(config-if)# interface fastethernet1//0/3Switch(config-if)# link state group 1 downstreamSwitch(config-if)# interface fastethernet1//0/5Switch(config-if)# link state group 1 downstreamSwitch(config-if)# endTo disable a link-state group, use the no link state track number global configuration command.
Displaying Link-State Tracking Status
Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.
This is an example of output from the show link state group 1 command:
Switch> show link state group 1Link State Group: 1 Status: Enabled, DownThis is an example of output from the show link state group detail command:
Switch> show link state group detail(Up):Interface up (Dwn):Interface Down (Dis):Interface disabledLink State Group: 1 Status: Enabled, Down Upstream Interfaces : Fa1/0/15(Dwn) Fa1/0/16(Dwn) Downstream Interfaces : Fa1/0/11(Dis) Fa1/0/12(Dis) Fa1/0/13(Dis) Fa1/0/14(Dis)Link State Group: 2 Status: Enabled, Down Upstream Interfaces : Fa1/0/15(Dwn) Fa1/0/16(Dwn) Fa1/0/17(Dwn) Downstream Interfaces : Fa1/0/11(Dis) Fa1/0/12(Dis) Fa1/0/13(Dis) Fa1/0/14(Dis)(Up):Interface up (Dwn):Interface Down (Dis):Interface disabledFor detailed information about the fields in the display, see the command reference for this release.
Upgrading Devices with Cisco IOS Image Agent
Administrators maintaining large networks of Cisco IOS devices need an automated mechanism to load image files onto large numbers of remote devices. Existing network management applications are useful to determine which images to run and how to manage images received from the Cisco online software center. Other image distribution solutions do not scale to cover thousands of devices and cannot distribute images to devices behind a firewall or using Network Address Translation (NAT). The CNS image agent enables the managed device to initiate a network connection and request an image download allowing devices using NAT, or behind firewalls, to access the image server.
You can use image agent to download one or more devices. The switches must have the image agent running on them.
Prerequisites for the CNS Image Agent
Confirm these prerequisites before upgrading one or more devices with image agent:
•
•
•
Restrictions for the CNS Image Agent
During automated image loading operations you must try to prevent the Cisco IOS device from losing connectivity with the file server that is providing the image. Image reloading is subject to memory issues and connection issues. Boot options must also be configured to allow the Cisco IOS device to boot another image if the first image reload fails.
These other restrictions apply to the image agent running on a the switch:
•
•
•
For more details, see your CNS IE2100 documentation and see the "File Management" section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
Beginning in privileged EXEC mode, follow these steps to initiate the image agent to check for a new image and upgrade a device:
Note
Switch(config)> configure terminalSwitch(config)# ip host cns-dsbu.cisco.com 172.20.249.20Switch(config)# cns trusted-server all-agents cns-dsbu.cisco.comSwitch(config)# no cns aaa enable cns event 172.20.249.20 22022Switch(config)# cns image retry 1Switch(config)# cns image server http://172.20.249.20:80/cns/HttpMsgDispatcher status http://172.20.249.20:80/cns/HttpMsgDispatcherSwitch(config)#endYou can check the status of the image download by using the show cns image status user EXEC command.
Configuring IP Unicast Routing Chapter
Configuring OSPF Network Types
Note
OSPF classifies different media into the three types of networks by default:
•
•
•
You can also configure network interfaces as either a broadcast or an NBMA network and as point-to point or point-to-multipoint, regardless of the default media type.
Configuring OSPF for Nonbroadcast Networks
Because many routers might be attached to an OSPF network, a designated router is selected for the network. If broadcast capability is not configured in the network, the designated router selection requires special configuration parameters. You need to configure these parameters only for devices that are eligible to become the designated router or backup designated router (in other words, routers with a nonzero router priority value).
Beginning in privileged EXEC mode, follow these steps to configure routers that interconnect to nonbroadcast networks:
On point-to-multipoint, nonbroadcast networks, you then use the neighbor router configuration command to identify neighbors. Assigning a cost to a neighbor is optional.
Configuring Network Types for OSPF Interfaces
You can configure network interfaces as either broadcast or NBMA and as point-to point or point-to-multipoint, regardless of the default media type.
An OSPF point-to-multipoint interface is defined as a numbered point-to-point interface with one or more neighbors. On point-to-multipoint broadcast networks, specifying neighbors is optional. When you configure an interface as point-to-multipoint when the media does not support broadcast, you should use the neighbor command to identify neighbors.
Beginning in privileged EXEC mode, follow these steps to configure OSPF network type for an interface:
Use the no form of the ip ospf network command to return to the default network type for the media.
EIGRP Stub Routing
The EIGRP stub routing feature, available in all images, reduces resource utilization by moving routed traffic closer to the end user.
Note
In a network using EIGRP stub routing, the only route for IP traffic to follow to the user is through a switch that is configured with EIGRP stub routing. The switch sends the routed traffic to interfaces that are configured as user interfaces or are connected to other devices.
When using EIGRP stub routing, you need to configure the distribution and remote routers to use EIGRP and to configure only the switch as a stub. Only specified routes are propagated from the switch. The switch responds to all queries for summaries, connected routes, and routing updates.
Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes, and a router that has a stub peer does not query that peer. The stub router depends on the distribution router to send the proper updates to all peers.
In Figure 2, switch B is configured as an EIGRP stub router. Switches A and C are connected to the rest of the WAN. Switch B advertises connected, static, redistribution, and summary routes to switch A and C. Switch B does not advertise any routes learned from switch A (and the reverse).
Figure 2 EIGRP Stub Router Configuration
For more information about EIGRP stub routing, see "Configuring EIGRP Stub Routing" part of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.2.
Enabling Directed Broadcast-to-Physical Broadcast Translation
By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP-directed broadcasts makes routers less susceptible to denial-of-service attacks.
You can enable forwarding of IP-directed broadcasts on an interface where the broadcast becomes a physical (MAC-layer) broadcast. Only those protocols configured by using the ip forward-protocol global configuration command are forwarded.
You can specify an access list to control which broadcasts are forwarded. When an access list is specified, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts. For more information on access lists, see the "Configuring Network Security with ACLS" chapter of the software configuration guide for this release.
Beginning in privileged EXEC mode, follow these steps to enable forwarding of IP-directed broadcasts on an interface:
Use the no ip directed-broadcast interface configuration command to disable translation of directed broadcast to physical broadcasts. Use the no ip forward-protocol global configuration command to remove a protocol or port.
Configuring the Number of Equal-Cost Routing Paths
When a router has two or more routes to the same network with the same metrics, these routes can be thought of as having an equal cost. The term parallel path is another way to see occurrences of equal-cost routes in a routing table. If a router has two or more equal-cost paths to a network, it can use them concurrently. Parallel paths provide redundancy in case of a circuit failure and also enable a router to load balance packets over the available paths for more efficient use of available bandwidth.
Even though the router automatically learns about and configures equal-cost routes, you can control the maximum number of parallel paths supported by an IP routing protocol in its routing table. Although the switch software allows a maximum of 32 equal-cost routes, the switch hardware will never use more than 16 paths per route.
Beginning in privileged EXEC mode, follow these steps to change the maximum number of parallel paths installed in a routing table from the default:
Use the no maximum-paths router configuration command to restore the default value.
Configuring DHCP Features and IP Source Guard Chapter
Option-82 Data Insertion
When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
•
•
•
•
•
•
In the default suboption configuration, when the previously described sequence of events occurs, the values in these fields in Figure 3 do not change:
•
–
–
–
–
•
–
–
–
–
In the port field of the circuit ID suboption, the port numbers start at 3. For example, on the switch, port 3 is the Fast Ethernet 1/0/1 port, port 4 is the Fast Ethernet 1/0/2 port, port 5 is the Fast Ethernet 1/0/3 port, and so on. Port 27 is the small form-factor pluggable (SFP) module slot 1/0/1, and port 28 is the SFP module slot 2/0/2, and so on.
Figure 3 shows the packet formats for the default configuration of the remote ID suboption and the circuit ID suboption. For the circuit ID suboption, the module number corresponds to the switch number in the stack. The switch uses the packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option global configuration command is entered.
Figure 3 Default Suboption Packet Formats
Figure 4 shows the packet formats for user-configured remote-ID and circuit-ID suboptions The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote-id global configuration command and the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command are entered.
The values for the following fields in the packets change from the default values, when you configure the remote-ID and circuit_ID suboptions:
•
–
–
•
–
–
Figure 4 User-Configured Suboption Packet Formats
DHCP Snooping Configuration Guidelines
When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or flash memory, an error message appears.
Enabling DHCP Snooping and Option 82
Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch.
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allowed-untrusted global configuration command.
This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:
Switch(config)# ip dhcp snoopingSwitch(config)# ip dhcp snooping vlan 10Switch(config)# ip dhcp snooping information optionSwitch(config)# interface gigabitethernet1/0/1Switch(config-if)# ip dhcp snooping limit rate 100Configuring Port-Based Traffic Control Chapter
Configuration Guidelines
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Enabling and Configuring Port Security Section (Step 5)
(Optional) Set the maximum number of secure MAC addresses for the interface. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
Configuring Network Security with ACLs Chapter
the note in Step 3 of the "Configuring VLAN Maps" section is inaccurate. The correct text is:
Note
Configuring QoS Chapter
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
In Cisco IOS Release 12.2(25)SE or later, you can configure hierarchical policy maps on SVIs, (but not on other types of interfaces). Hierarchical policing combines the VLAN- and interface-level policy maps to create a single policy map.
Supported MIBs Chapter
MIB List Section
•
•
•
Updates for the Command Reference
These are updates to the command reference:
•
This is an example of output from the show ip dhcp snooping command:
Switch> show ip dhcp snoopingSwitch DHCP snooping is enabledDHCP snooping is configured on following VLANs:40-42Insertion of option 82 is enabledcircuit-id format: vlan-mod-portremote-id format: stringOption 82 on untrusted port is not allowedVerification of hwaddr field is enabledInterface Trusted Rate limit (pps)------------------------ ------- ----------------GigabitEthernet1/0/1 yes unlimitedGigabitEthernet1/0/2 yes unlimitedGigabitEthernet2/0/3 no 2000GigabitEthernet2/0/4 yes unlimitedGigabitEthernet0/1 yes unlimitedGigabitEthernet0/2 yes unlimited•
Note
•
This command can only be used in the child-level policy map, and must be the only match condition in the child-level policy map.
•
Switch> show mls qos interface fastethernet1/0/7 queueingGigabitEthernet1/0/7Egress Priority Queue :enabledShaped queue weights (absolute) : 25 0 0 0Shared queue weights : 25 25 25 25The port bandwidth limit : 100 (Operational Bandwidth:100.0)The port is mapped to qset : 1•
–
–
ip dhcp snooping information option format remote-id
Use the ip dhcp snooping information option format remote-id global configuration command on the switch stack or on a standalone switch to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.
ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
no ip dhcp snooping information option format remote-id
Syntax Description
string ASCII-string
Specify a remote ID, using from 1 to 63 ASCII characters (no spaces).
hostname
Specify the switch hostname as the remote ID.
Defaults
The switch MAC address is the remote ID.
Command Modes
Global configuration
Command History
Usage Guidelines
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. You can use this command to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.
Note
Examples
This example shows how to configure the option-82 remote-ID suboption:
Switch(config)# ip dhcp snooping information option format remote-id hostnameYou can verify your settings by entering the show ip dhcp snooping user EXEC command.
Related Commands
ip dhcp snooping vlan information option format-type circuit-id string
Configure the option-82 circuit-ID suboption.
show ip dhcp snooping
Displays the DHCP snooping configuration.
ip dhcp snooping vlan information option format-type circuit-id string
Use the ip dhcp snooping information option format remote-id interface configuration command on the switch stack or on a standalone switch to configure the option-82 circuit-ID suboption. Use the no form of this command to configure the default circuit-ID suboption.
ip dhcp snooping vlan vlan information option format-type circuit-id string ASCII-string
no ip dhcp snooping vlan vlan information option format-type circuit-id string
Syntax Description
vlan vlan
Specify the VLAN ID. The range is 1-4094.
string ASCII-string
Specify a circuit ID, using from 3 to 63 ASCII characters (no spaces).
Defaults
The switch VLAN and the port identifier, in the format vlan-mod-port, is the default circuit ID.
Command Modes
Interface configuration
Command History
Usage Guidelines
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and the port identifier, in the format vlan-mod-port. You can use this command to configure a string of ASCII characters to be the circuit ID.
Note
Examples
This example shows how to configure the option-82 circuit-ID suboption:
Switch(config-if)# ip dhcp snooping vlan 250 information option format-type circuit-id string customerABC-250-0-0You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Note
Related Commands
Configure the option-82 remote-ID suboption.
show ip dhcp snooping
Displays the DHCP snooping configuration.
link state group
Use the link state group interface configuration command to configure a port as a member of a link-state group. Use the no form of this command to remove the port from the link-state group.
link state group [number] {upstream | downstream}
no link state group [number] {upstream | downstream}
Syntax Description
Defaults
The default group is group 1.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the link state group interface configuration command to configure a port as an upstream or downstream port for a specific link-state group. If the group number is omitted, the default group is assumed.
An interface can be an aggregation of ports (an EtherChannel), a single switch port in access or trunk mode, or a routed port. Each downstream interface can be associated with one or more upstream interfaces. Upstream interfaces can be bundled together, and each downstream interface can be associated with a single group consisting of multiple upstream interfaces, referred to as link-state groups.
The link state of the downstream interfaces are dependent on the link state of the upstream interfaces in the associated link-state group. If all of the upstream interfaces in a link-state group are in a link-down state, the associated downstream interfaces are forced into a link-down state. If any one of the upstream interfaces in the link-state group is in a link-up state, the associated downstream interfaces are allowed to change to, or remain in, a link-up state.
Follow these guidelines to avoid configuration problems:
•
•
•
Examples
This example shows how to configure the interfaces as upstream in group 2:
Switch# configure terminalSwitch(config)# interface range fastethernet1/0/11 - 14Switch(config-if-range)# link state group 2 downstreamSwitch(config-if-range)# endSwitch(config-if)# endYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
link state track
Use the link state track user EXEC command to enable a link-state group. Use the no form of this command to disable a link-state group.
link state track [number]
no link state track [number]
Syntax Description
number
(Optional) Specify the link-state group number. The group number can be 1 to 10. The default is 1.
Defaults
Link-state tracking is disabled for all groups.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the link state track global configuration command to enable a link-state group.
Examples
This example shows how enable link-state group 2:
Switch(config)# link state track 2You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
show link state group
Use the show link state group global configuration command to display the link-state group information.
show link state group [number] [detail] [ | {begin | exclude | include} expression]
Syntax Description
Defaults
There is no default.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
Examples
This is an example of output from the show link state group 1 command:
Switch> show link state group 1Link State Group: 1 Status: Enabled, DownThis is an example of output from the show link state group detail command:
Switch> show link state group detailLink State Group: 1 Status: Enabled, Down Upstream Interfaces : Fa1/0/15(Dwn) Fa1/0/16(Dwn) Downstream Interfaces : Fa1/0/11(Dis) Fa1/0/12(Dis) Fa1/0/13(Dis) Fa1/0/14(Dis)Link State Group: 2 Status: Enabled, Down Upstream Interfaces : Fa1/0/15(Dwn) Fa1/0/16(Dwn) Fa1/0/17(Dwn) Downstream Interfaces : Fa1/0/11(Dis) Fa1/0/12(Dis) Fa1/0/13(Dis) Fa1/0/14(Dis)(Up):Interface up (Dwn):Interface Down (Dis):Interface disabledRelated Commands
Updates for the Hardware Installation Guide
The preface for the Catalyst 3750 Metro Switch Hardware Installation Guide does not include the translations for the warning symbol and explanation (Statement 1071) or a change to the warning statement about installation for short-circuit (overcurrent) protection (Statement 1005-Circuit Breaker) in Appendix E, "Translated Safety Warnings."
This information is in the Release Notes for the Catalyst 3750 Metro Switch, Cisco IOS Release 12.1(14)AX at this URL:
This warning was added to the Catalyst 3750 Metro Switch Hardward Installation Guide:
Statement 361—VoIP and Emergency Calling Services do not Function if Power Fails
Related Documentation
These documents provide information about the switch and are available from this Cisco.com site:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/index.htm
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section.
•
•
•
•
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Copyright © 2007 Cisco Systems, Inc. All rights reserved.
Guest
