Cisco IOS XE Software Release 3.2.0SG and Cisco IOS Software Release 15.0(2)SG are the base releases for new extended maintenance on Cisco Catalyst 4500E, 4500-X and Cisco Catalyst 4900M and 4948E/E-F Series Switches.
For detailed information about the features and hardware supported in Extended Maintenance Release Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG, refer to the release notes and support documentation at:
Primary Hardware and Software Service Innovations Delivered in Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG
Cisco IOS Software Release XE3.4.0SG/15.1(2)SG is part of the new software releases on Cisco Catalyst 4500E and 4500-X Series Switches and Cisco Catalyst 4900M and 4948E/E-F Switches. These releases deliver new software and hardware innovations in campus access and aggregation deployments that span across many technologies, including security, high availability, and IP multicast. Each technology is covered in more detail in this product bulletin.
Cisco Virtual Switching System (VSS) for Cisco Catalyst 4500E (Supervisor Engine 7-E and 7L-E) and 4500-X Series Switches
Cisco VSS on the Cisco Catalyst 4500E and Cisco Catalyst 4500-X provides the following benefits:
• Simplified network operations:
– Providing a single point of management (with single IP address), it allows any updates, policy changes and configurations to be synchronized between the two switches, eliminating error-prone manual synchronization.
– Forming Multichassis EtherChannel (MEC) to the logical switch, Cisco VSS provides a loop-free topology, no longer needing to rely on Spanning Tree Protocol.
– A single routing instance on the virtual switch eliminates the issues of managing, tuning, and troubleshooting first hop routing protocols such as Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP).
– Cisco Prime™ 4.2.2 now enables one to centrally manage the pair of switches as a single virtual chassis.
– Stateful failover between the supervisor engines on the two chassis provides subsecond failover and transparent failover even to delay-sensitive applications such as voice and video.
– With EtherChannels extended across two physical chassis, it provides for increased resiliency. These links are configured as MEC, minimizing traffic disruption from switch or uplink failure.
• Increased system bandwidth:
– The active-active MEC extended across two physical chassis provides for dual bandwidth utilization, increasing return on investment (ROI) and reducing additional capital expenditures (CapEx) to add capacity.
For Cisco Catalyst 4500E, VSS is supported in IP Base and Enterprise Services on Supervisor Engine 7-E and in Enterprise Services only on Supervisor Engine 7L-E. On Cisco Catalyst 4500-X, VSS is supported in IP Base and Enterprise Services. All 1 Gigabit Ethernet (GE) and 10GE links may be configured for virtual switch links (VSL).
The physical and logical views of VSS are represented in Figures 1 and 2.
Figure 1. VSS Physical View Showing the Physical Connectivity
Figure 2. VSS Physical View Showing the Physical and Logical View
The following are the primary VSS features supported in Release 3.4.0SG:
• Layer 2 MEC
• Enhanced Port Aggregation Protocol (ePAgP) split brain detection method
• Cross-chassis Nonstop Forwarding with Stateful Switchover (NSF/SSO)
• Support for virtual switch link (VSL) on 1 Gigabit and 10 Gigabit links
• All four ports on quad supervisor engine scenario may be used for uplink
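The following is an added example, not configuration from the bulletin or from Cisco: a minimal two-chassis VSS configuration written in the style of the Catalyst VSS CLI, with a dedicated VSL port channel per chassis and the ePAgP dual-active (split-brain) detection mentioned above. The domain ID, switch priorities, port-channel numbers and interface names are constructed values; the exact command set for a given supervisor is the one in the configuration guide for this release.

```cisco
! Added example (not from the bulletin). Domain id, priorities,
! port-channel numbers and interface names are constructed values.
!
! --- Chassis that will become switch 1 (preferred active) ---
switch virtual domain 100
 switch 1
 switch 1 priority 110
 switch 2 priority 100
 ! Enhanced PAgP dual-active detection: if the VSL goes down, the
 ! downstream switch on MEC port-channel 30 tells the old active that a
 ! new active exists, so only one chassis keeps forwarding.
 dual-active detection pagp
 dual-active detection pagp trust channel-group 30
!
! VSL: a 10GE supervisor port bundled into a port channel reserved
! for the virtual switch link (no other traffic is placed on it).
interface port-channel 10
 switch virtual link 1
interface TenGigabitEthernet1/1
 channel-group 10 mode on
!
! --- Chassis that will become switch 2 (standby) ---
switch virtual domain 100
 switch 2
interface port-channel 20
 switch virtual link 2
interface TenGigabitEthernet1/1
 channel-group 20 mode on
!
! Convert each chassis to virtual mode (each one reloads):
!   switch convert mode virtual
!
! Verification once both chassis have joined the domain:
!   show switch virtual
!   show switch virtual link
!   show switch virtual dual-active summary
```

The VSL port channels must use distinct numbers on the two chassis, and the port channel named under `trust channel-group` must be a PAgP MEC to a neighbour that runs enhanced PAgP; without a trusted MEC the domain has no way to detect a split-brain condition when the VSL fails.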
The following features are available in standalone mode only and not available in VSS mode:
• VLAN Management Policy Server (VMPS) client
• Unidirectional Ethernet (UDE)
• CFM draft 8.1
• Resilient Ethernet Protocol (REP)
• Per-VLAN MAC learning (PVL)
• Fast unidirectional link detection (UDLD)
• Web Cache Communication Protocol (WCCP)
• dot1Q tunnel and VLAN translation (1:1, 2:1, and 802.1Q tunneling [QinQ])
• Mediatrace and metadata
• Cisco EnergyWise™
Multicast HA (NSF/SSO and ISSU) for IPv4 and IPv6 on Cisco Catalyst 4500E (Supervisor Engines 7E, 7L-E, 6E, and 6L-E) and 4500-X
Releases XE 3.4.0SG and 15.1(2)SG provide IPv4 and IPv6 multicast high-availability (HA) support on the Cisco Catalyst 4500E and 4500-X. These multicast HA capabilities enable Cisco NSF/SSO and ISSU support for IPv4 and IPv6 multicast. When a supervisor engine switchover happens, this facility reduces the reconvergence time of the multicast control plane to a level that is transparent to most multicast-based applications, and it provides ISSU support for Protocol Independent Multicast (PIM).
Figure 3 shows the different components involved in the multicast high availability and the different states through which multicast HA goes in combination with ISSU.
Figure 3. Multicast HA with NSF/SSO
IPv6 First Hop Security (FHS)
With enterprises moving to larger Layer 2 domains and IPv4 addresses running out, IPv6 has been gaining momentum. Cisco has long provided integrated security features for IPv4 Layer 2 networks. A comparable set of features has now been added for the IPv6 protocol at the first-hop switch, the switch that directly connects to the host.
IPv6 FHS provides effective countermeasures for the following types of attacks or misconfiguration errors that could result in denial of service (DoS) or information theft:
These attacks can come from malicious or misconfigured users and could result in severe disruption to users of the Layer 2 domain and to the network in general. Many of the possible attack vectors are now known, with public tools readily available to exploit these vulnerabilities.
Cisco IOS XE Software Releases 3.4.0SG and 15.1(2)SG provide a combination of "snoop-and-guard" IPv6 FHS features on Cisco Catalyst 4500E, 4500-X, 4900M, 4948E, and 4948E-F*, where the switch can inspect (snoop) and block (guard) against undesired traffic. The feature is provided on both generations of supervisor engines: Supervisor Engines 6-E and 6L-E and Supervisor Engines 7-E and 7L-E. (See Figure 4.)
Figure 4. An Illustration of RA Guard
The following set of IPv6 FHS features is included:
• RA Guard: Rogue router advertisements (RAs) can result in host misconfiguration and traffic black holes. RA Guard snoops, validates, and propagates the RA in its network.
• IPv6 Snooping
– Neighbor discovery (ND) inspection: The ND cache maintains the binding between an IPv6 address and a link-layer address. This cache is susceptible to Neighbor Discovery Protocol (NDP) cache poisoning. NDP inspection verifies the Layer 3 to Layer 2 binding before the entry is admitted to the ND cache.
– IP device tracking: This feature tracks host liveness and updates the neighbor table when an IPv6 host disappears, so that the network access privileges of inactive hosts are revoked within a short interval.
– Address glean: The switch looks at ND and DHCP messages as well as data traffic to learn addresses and to add them to a binding table.
– Per port address limit: Helps enable customers to specify a maximum number of IPv6 addresses allowed on a port of the switch.
• Per ND cache limit: An ND cache entry that maintains the Layer 3 to Layer 2 binding goes through many stages before it is deemed complete and usable. When an ND packet is handled, the datagram is delivered only after address resolution completes, and an attacker can exploit this by flooding the switch with packets for unresolved addresses. The per-interface ND cache limit protects the Cisco Catalyst switch by rate-limiting the number of concurrent address resolutions.
• DHCPv6 Guard: Prevents attacks from bogus hosts acting as a DHCP server or relay agents by blocking DHCP replies or advertisements from such hosts based on the device role configured.
• Duplicate Address Detection (DAD) Proxy: Isolated hosts (for example, private VLANs) in a Layer 2 domain can cause address duplication. The switch can act as a proxy for DAD because it is aware of link local address.
• Destination Guard: The switch maintains "incomplete" entries for unresolved addresses in its binding table. Excessive scanning of a large address space can cause denial of service by exhausting the binding table. Destination Guard protects against this.
• DHCPv6 LDRA: The Lightweight DHCPv6 Relay Agent (LDRA) helps protect the switch against attacks such as spoofing (forging) of IPv6 and MAC addresses and address starvation.
*Not all features are supported by all devices. For more information on IPv6 FHS, refer to the Cisco IOS Software configuration guide for this release.
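The following is an added example, not configuration from the bulletin or from Cisco, showing how the snoop-and-guard features above are expressed in the IOS IPv6 FHS CLI: an access-port policy set (host role for RA Guard, client role for DHCPv6 Guard, snooping with a per-port address limit and device tracking) beside the uplink policy set that is allowed to originate RAs and DHCPv6 server messages. Policy names, VLAN and interface numbers and the address-count limit are constructed values; which of these commands a particular supervisor accepts is defined by the configuration guide for this release.

```cisco
! Added example (not from the bulletin). Policy names, VLAN/interface
! numbers and the address limit are constructed values.
!
! RA Guard: access ports carry hosts, so any RA arriving on them is
! dropped; only the uplink facing the real router may deliver RAs.
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
!
! DHCPv6 Guard: block DHCPv6 ADVERTISE/REPLY from ports in the client
! role and accept them only from the uplink in the server role.
ipv6 dhcp guard policy HOST-PORTS
 device-role client
ipv6 dhcp guard policy ROUTER-UPLINK
 device-role server
!
! IPv6 snooping: glean ND/DHCP bindings into the binding table, drop
! traffic whose source has no binding (guard), cap addresses per port,
! and track host liveness so stale entries are removed.
ipv6 snooping policy HOST-PORTS
 security-level guard
 limit address-count 10
 tracking enable
!
interface range GigabitEthernet1/1 - 48
 switchport access vlan 10
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
 ipv6 snooping attach-policy HOST-PORTS
!
interface TenGigabitEthernet1/49
 description Uplink to the distribution router
 ipv6 nd raguard attach-policy ROUTER-UPLINK
 ipv6 dhcp guard attach-policy ROUTER-UPLINK
!
! Verification:
!   show ipv6 nd raguard policy HOST-PORTS
!   show ipv6 dhcp guard policy
!   show ipv6 snooping policies
!   show ipv6 neighbors binding
```

Attaching the host-role policies to every access port and the router/server-role policies only to the uplink is what turns the generic feature into a countermeasure: an RA or DHCPv6 reply is judged by the role of the port it arrives on, not by its contents, so a misconfigured or malicious host on an access port cannot redirect traffic even with a well-formed message.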
SXP support extended from IP Base to LAN Base
The Security Group Tag (SGT) Exchange Protocol (SXP) is a control protocol for propagating IP-to-SGT binding information across network devices that do not have the capability to tag packets. Starting with Cisco IOS Release 3.4.0SG and 15.1(2)SG, support for SXP has been extended from IP Base to LAN Base feature set.
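The following is an added example, not configuration from the bulletin or from Cisco: SXP on a LAN Base access switch that cannot tag packets itself, so it speaks its IP-to-SGT bindings to an upstream enforcement point over an authenticated SXP session. The peer and source addresses and the shared secret are constructed values.

```cisco
! Added example (not from the bulletin). Addresses and the shared
! secret are constructed values.
cts sxp enable
! Shared secret authenticating the SXP TCP session to every peer;
! leaving the connection with "password none" would let any host that
! can reach the listener inject bindings.
cts sxp default password 0 SxpSharedSecret
cts sxp default source-ip 10.10.0.2
! This switch is the speaker; 10.10.0.1 (the enforcement point) is the
! listener that receives the IP-to-SGT bindings.
cts sxp connection peer 10.10.0.1 password default mode local speaker
!
! Verification:
!   show cts sxp connections
!   show cts sxp sgt-map
```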
Lower Total Cost of Ownership and Ease of Use
Smart Install Director Support
Smart Install Director helps simplify management of images and configurations for enterprise switches and stacks in campus and branch networks. The Cisco Catalyst 4500E, 4500-X, 4900M, 4948E, and 4948E-F can now act as Smart Install Director, providing a single management point for images and configuration of client switches. It provides for:
• Plug and play in switch deployment
• Zero-touch replacement of switches with the same configuration and image as the switch it is replacing
• Single point of image and configuration management, in which configuration and image management is centralized
• On-demand image and configuration updates using specific CLIs
Smart Install Director (see Figure 5) can reduce a customer's TCO and operational expense, while providing ease of use to the user.
Figure 5. Smart Install Director
Routing and Multicast Enhancements
Policy-Based Routing (PBR) Recursive Next Hop
PBR Recursive Next Hop enhances the ability of route maps to set a next hop that is not directly connected to enable load balancing when PBR is used. With this feature enabled, the routing table will be examined recursively to find the directly connected next hop when PBR is used to set an indirect next hop. If the recursive next-hop IP address is not available, packets are routed using a default route.
The feature includes the new keyword recursive in the currently available set ip next-hop command in the route-map submode.
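The following is an added example, not configuration from the bulletin or from Cisco, of the recursive keyword described above: traffic matched by the route map is sent toward a next hop that is not on a directly connected subnet, and the switch resolves that address through the routing table to find the connected hop. The ACL, route-map name, prefixes and next-hop address are constructed values.

```cisco
! Added example (not from the bulletin). ACL, route-map name,
! prefixes and addresses are constructed values.
!
! Traffic selected for policy routing
ip access-list extended PBR-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 any
!
! 192.0.2.1 is reached through an intermediate router, not a
! connected interface; "recursive" tells PBR to look it up in the
! routing table and use the resulting directly connected next hop.
! If 192.0.2.1 has no route, matched packets follow the default route.
route-map PBR-RECURSIVE permit 10
 match ip address PBR-TRAFFIC
 set ip next-hop recursive 192.0.2.1
!
interface Vlan10
 ip policy route-map PBR-RECURSIVE
!
! Verification: the route-map counters and the route that the
! recursive next hop resolves through.
!   show route-map PBR-RECURSIVE
!   show ip route 192.0.2.1
```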
PIM routers in a domain must be able to map each multicast group to the correct rendezvous point (RP) address. The BSR protocol for PIM sparse mode (PIM SM) provides a dynamic, adaptive mechanism to distribute group-to-RP mapping information rapidly throughout a domain. With the IPv6 BSR feature, if an RP becomes unreachable, it will be detected, and the mapping tables will be modified so that the unreachable RP is no longer used and new tables will be rapidly distributed throughout the domain.
The BSR Scoped Zone Support feature enhances IPv6 BSR, allowing for distributing group to RP mappings in networks using administratively scoped multicast. It allows the operator to configure candidate BSRs and a set of candidate RPs for each administratively scoped region in a domain.
IPv6 Access Control
IPv6 Virtual LAN Access Control List (VACL) and Switched Port Analyzer (SPAN) ACL Filtering for IPv6
VACL controls access to the VLAN for all packets: bridged and routed. Currently, VACL can be configured to filter traffic based on Layer 3 addresses for IPv4. With the prevalence of IPv6, this release adds the capability to filter traffic based on IPv6 addresses to the VACL. This release also extends the IPv6 access filtering support to local SPAN sessions.
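The following is an added example, not configuration from the bulletin or from Cisco: an IPv6 VACL that drops IPv6 Telnet between hosts inside VLAN 10, traffic that an IPv4-only VACL could not match at all. The ACL and access-map names and the VLAN number are constructed values.

```cisco
! Added example (not from the bulletin). Names and VLAN number are
! constructed values.
!
! In a VACL the ACL selects traffic: a "permit" entry means "matches
! this map entry"; the action clause decides what happens to it.
ipv6 access-list V6-TELNET
 permit tcp any any eq 23
!
vlan access-map V6-FILTER 10
 match ipv6 address V6-TELNET
 action drop
! A final entry with no match clause matches everything else, so all
! remaining bridged and routed traffic in the VLAN is forwarded.
vlan access-map V6-FILTER 20
 action forward
!
vlan filter V6-FILTER vlan-list 10
!
! Verification:
!   show vlan access-map V6-FILTER
!   show vlan filter
```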
For a complete list of new software and hardware features supported with Cisco IOS XE Software 3.4.0SG/Cisco IOS Software 15.1(2)SG, refer to the release notes at:
Support for Cisco 10GBASE-T X2 Pluggable Module for Cisco Catalyst 4500E and 4900M
The release enables software support for the Cisco 10GBASE-T module, which supports link lengths of up to 100m on CAT6A or CAT7 copper cable, on the Cisco Catalyst 4500E with Supervisor Engine 6E or 6L-E, on the WS-X4606-X2-E module, and on the Cisco Catalyst 4900M.
Table 1 offers a matrix of supported features.
Table 1. Matrix of Supported Features
Platforms (columns):
• Cisco Catalyst 4500E (Supervisor Engine 6E and 6L-E)
• Cisco Catalyst 4500E (Supervisor Engine 7E and 7L-E)
• Cisco Catalyst 4500-X
• Cisco Catalyst 4948E
• Cisco Catalyst 4948E-F
• Cisco Catalyst 4900M
IP Base (7E)
Features (rows):
• IPv6 First Hop Security
• Smart Install Director
• Multicast High Availability (NSF/SSO) for IPv4 and IPv6
• IPv6 VACL (SPAN) and SPAN ACL Filtering for IPv6
• Support for X2-10GBASE-T
• Support for Sup 6E/6L-E and WS-X4606-X2-E
• PBR Next Hop Support
• BSR Scoped Zone Support
• Cisco TrustSec SGT Exchange Protocol (SXP)
Cisco IOS Software Release Trains for the Cisco Catalyst 4500 Series Switches
Cisco IOS Software Release 15.1(2)SG and Cisco IOS XE Software Release 3.4.0SG are part of a scheduled time-based release containing new hardware and software features as shown in Figures 6 and 7.
Tables 2, 3, 4, and 5 provide product numbers and ordering information for Cisco IOS XE Software Release 3.4.0SG and Cisco IOS Software Release 15.1(2)SG on Cisco Catalyst 4500E, 4500-X, and 4900 Series Switches.
Table 2. Cisco IOS XE Software Release 3.4.0SG Product Numbers and Images for Cisco Catalyst 4500E Series Switches with Supervisor Engine 7-E/7L-E
Cisco Catalyst 4500 E Supervisor Engine 7-E and Supervisor Engine 7L-E universal image
Cisco Catalyst 4500 E Supervisor Engine 7-E and Supervisor Engine 7L-E universal crypto image