This product bulletin describes some of the primary hardware and software features supported by Cisco IOS® Software Release 12.2(50)SG for the Cisco® Catalyst® 4500 Supervisor Engine 6-E, Cisco Catalyst 4900 Series Switches, Cisco Catalyst 4900M Switch, Cisco Catalyst 4500 Series Supervisor Engine V-10GE, Cisco Catalyst 4500 Supervisor Engine V, Cisco Catalyst 4500 Supervisor Engine IV, Cisco Catalyst 4500 Series Supervisor Engine II-Plus-10GE, Cisco Catalyst 4500 Series Supervisor Engine II-Plus-TS, and Cisco Catalyst 4500 Series Supervisor Engine II-Plus.
Primary Hardware and Software Service Innovations Delivered in Release 12.2(50)SG
• New hardware support including X2 10GB pluggable modules, DWDM and ZR Modules
• Cisco IOS Software Release 12.2(50)SG continues to enhance Cisco Identity-Based Networking Services (IBNS) with several primary innovations that simplify identity configuration, support heterogeneous endpoint device environments, integrate transparently with existing network and IP Telephony (IPT) infrastructure, and give IT administrators comprehensive policy enforcement options.
• VLAN Trunking Protocol Version 3 (VTPv3) supports the advertisement of the extended range of VLANs (4094). Configuration changes for the entire VLAN range can be made centrally on one switch and automatically communicated to all other switches in the network.
• Enhanced campus and data center network virtualization with Multicast VRF-Lite, which extends the virtualization capabilities of the Cisco Catalyst 4500 Sup6E and 4900M and provides additional IP VRF-aware services such as NTP, HSRP, VRRP, Telnet, and Ping.
• Energy-saving features in 12.2(50)SG: the ability to monitor and police power consumption, and Automatic Power Optimization, in which unused ports are powered off, resulting in savings of up to 12W per line card. Available with the Supervisor 6-E, E-Series line cards, and the 4900M with half cards.
• Point to Point Protocol over Ethernet Intermediate Agent (PPPoEIA) enables subscriber line identification over Ethernet during the PPPoE discovery phase. The switch tags PPPoE discovery packets destined for the broadband remote access server with the subscriber's circuit and remote IDs and untags PPPoE discovery packets destined for the subscriber.
• 12.2(50)SG improves operational manageability by delivering additional service enhancements (CNS agents, Config Change tracking ID, Rollback Confirmed Change).
Table 1. Release Overview
Cisco Dense Wavelength-Division Multiplexing X2 Pluggable Module
• The Cisco DWDM X2 supports 10GBASE Ethernet.
• The hot-swappable input/output device plugs into an Ethernet X2 port of a Cisco switch or router to link the port with the network.
• The Cisco DWDM X2 supports the Cisco Quality Identification (ID) feature, which enables a Cisco switch or router to identify whether or not the module is an X2 module certified and tested by Cisco.
• The 32 nontunable X2 modules support the 32 ITU 100-GHz wavelengths compatible with the Cisco ONS DWDM channel plan.
Cisco X2-10GB-ZR Module
Figure 1. Cisco Catalyst 4500 Identity Innovations: Simplifying Identity Deployment
• Flexible authentication sequencing: Flexible authentication sequencing provides a flexible fallback mechanism among IEEE 802.1X, MAC authentication bypass (MAB), and web authentication methods. It also allows switch administrators to control the sequence of the authentication methods. This simplifies the identity configuration by providing a single set of configuration commands to handle the different types of endpoints connecting to the switch ports. In addition, it allows users to configure any authentication method on a standalone basis: for example, MAB can be configured without requiring IEEE 802.1X configuration.
Figure 2. Flexible Authentication
• IEEE 802.1x with open access: This feature allows users to have limited network access, such as the Intel Preboot Execution Environment (PXE) boot server, prior to IEEE 802.1x authentication. The limited access is controlled by an access control list (ACL) that is defined by the switch administrator and applied on the switch port.
• IEEE 802.1x, MAB, and web Authentication with downloadable ACL: This feature allows per-user ACLs to be downloaded from the Cisco ACS server as policy enforcement after authentication using IEEE 802.1x, MAC authentication bypass, or web authentication.
• IP telephony integration using both of the following identity features:
– Cisco Discovery Protocol enhancement for second port disconnect: Cisco Discovery Protocol is enhanced to add a new Type-Length-Value (TLV) for the IP phone to indicate when a PC disconnects from the IP phone. Upon receiving this notification, the switch can clear the security record for the PC.
– Inactivity timer for IEEE 802.1x and MAC authentication bypass: This feature provides a local inactivity timer for IEEE 802.1x and MAC authentication bypass. If an authenticated device stays idle for longer than the defined period, the switch resets the security record of that device.
Figure 3. IP Telephony Integration
• IEEE 802.1x with multiauth: Multiple authentication allows more than one host to authenticate on an IEEE 802.1x enabled switch port. With multiauth, each host must authenticate individually before it can gain access to the network resources.
• Centralized web authentication: This feature allows the switch to redirect users using HTTP URL redirection to a central web authentication server or a guest access server for authentication before accessing the network resources.
• Web authentication enhancement: Web authentication is enhanced to support inaccessible authentication bypass. In the event that the authentication, authorization, and accounting (AAA) servers are unreachable or non-responsive, user authentication typically fails with the port closed, and the user is denied access. Web authentication inaccessible authentication bypass provides a configurable alternative on the switch to grant a critical port network access in a locally specified VLAN. After the AAA servers become reachable again, those ports will either remain critically authorized or be reinitialized. Inaccessible authentication bypass can be enabled on a per-port basis for access ports, private VLAN host ports, or routed ports. It is typically enabled on ports connected to critical devices, minimizing business effects for the duration of the AAA server outage.
• Common session ID: IEEE 802.1X and MAB will use a session ID identifier for all 802.1X and MAB authenticated sessions. This session ID will be used for all reporting purposes such as show commands, MIBs, syslog, and RADIUS messages and allow users to distinguish messages for one session from others.
• Conditional logging: IEEE 802.1X and MAB will provide a capability to filter debug messages for a range of interfaces, MAC addresses, IP addresses, or session IDs to simplify troubleshooting.
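The following port configuration, added here as an illustration and not taken from the Cisco bulletin, ties the identity features above together on one Catalyst 4500 access port: flexible authentication sequencing (802.1X, then MAB, then web authentication), open access restricted by a pre-authentication ACL, multiauth host mode, the local inactivity timer, and inaccessible authentication bypass. The RADIUS server address 192.0.2.10, the VLAN numbers, the ACL name PREAUTH and the web-authentication rule name WEBAUTH are assumptions.

```cisco
! Assumed example topology: RADIUS/ACS server at 192.0.2.10 (placeholder),
! data VLAN 10, voice VLAN 20. ACL and rule names are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 key <shared-secret-placeholder>
dot1x system-auth-control
ip device tracking
ip http server
ip admission name WEBAUTH proxy http
!
! Pre-authentication ACL: with "authentication open" the port forwards
! traffic before the host authenticates, so this ACL is the only thing
! limiting an unauthenticated host (here: DHCP, DNS and PXE/TFTP only).
ip access-list extended PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny ip any any
!
interface GigabitEthernet1/1
 description access port with flexible authentication sequencing
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip access-group PREAUTH in
 ! Open access: limited connectivity (e.g. PXE boot) before 802.1X completes
 authentication open
 ! Try 802.1X first, fall back to MAB, then to web authentication
 authentication order dot1x mab webauth
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 ! Each host behind the port (PC and phone) must authenticate individually
 authentication host-mode multi-auth
 ! Local inactivity timer: clear the security record after 5 idle minutes
 authentication timer inactivity 300
 ! Inaccessible authentication bypass: if all RADIUS servers are dead,
 ! critically authorize the port into VLAN 10 instead of closing it,
 ! and reinitialize the port once a server is reachable again
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 ip admission WEBAUTH
```

Once applied, `show authentication sessions` lists each session with its common session ID, which is the same identifier that appears in syslog and RADIUS accounting records for that host.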
Private VLAN Trunks
A PVLAN trunk port is used to restrict communication between attached hosts (on access ports) and routers (connected via trunk uplinks). Private VLAN trunks are an extension of private VLAN access ports. There are two types of PVLAN trunk ports supported in 12.2(50)SG:
• Private VLAN promiscuous trunk ports: Trunk ports carrying multiple primary VLANs
• Private VLAN (secondary) trunk ports: Trunk ports carrying multiple secondary VLANs, each of which associates to its own unique primary VLAN
VTP version 3 (VTPv3) supports the advertisement of the extended range of VLANs (4094). Configuration changes for the entire 4000 VLAN range can be made centrally on one switch and automatically communicated to all other switches in the network. Additionally, VTPv3 removes the risk of losing or overwriting the domain configuration when a misconfigured or unauthorized server is introduced, provides hidden password support for VTP update validation, supports Multiple Spanning Tree (MST) database propagation, and allows VLAN or MST database propagation to be suspended globally or per trunk port.
IP Routing and Multicast
In a network with IP multicast routing, the IP multicast router acts as the IGMP querier. If the IP-multicast traffic in a VLAN needs to be Layer 2 switched only, an IP multicast router is not required.
When IGMP snooping querier is enabled, the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from the switch requesting IP multicast traffic. IGMP snooping listens to these IGMP reports to establish appropriate forwarding and prevent multicast flooding.
VRF-Lite has been supported on the Cisco Catalyst 4500 since 12.1(19)EW. Multicast VRF-Lite extends the VPN routing and forwarding (VRF) feature to Layer 3 interfaces or SVIs with IPv4 multicast configured. Up to 64 VRF domains are configurable. PIM, IGMP, and other multicast protocols can now run in the context of a VRF.
Bidirectional PIM was developed to help deploy emerging communication and financial applications that rely on a many-to-many model. Bidir PIM enables these applications by allowing them to easily scale to a very large number of groups and sources by eliminating the maintenance of source state.
Bidir PIM is a variant of the PIM suite of routing protocols for IP multicast. In bidir PIM, the IP address of the RP is the key to having all routers establish a loop-free spanning-tree topology rooted at that IP address. This address need not belong to a router; it can be any unassigned IP address on a network that is reachable throughout the PIM domain. This technique is the preferred configuration method for establishing a redundant RP configuration for bidir PIM.
Membership to a bidirectional group is signaled using explicit join messages. Traffic from the source is unconditionally sent up the shared tree toward the RP and passed down the tree toward the receivers on each branch of the tree.
Bidir PIM is designed to be used for many-to-many applications within individual PIM domains. Multicast groups in bidirectional mode can scale to an arbitrary number of sources without incurring overhead due to the number of sources.
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) specified in RFC 3315 enables DHCP servers to pass configuration parameters such as IPv6 network addresses/prefixes and DNS server addresses to IPv6 nodes (DHCP clients).
A client locates a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which implies that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, it is desirable to allow a DHCP client to send a message to a DHCP server that is not connected to the same link. To meet this requirement, RFC 3315 defines a DHCP relay agent, which may reside on the client's link and relays messages between the client and server. The operation of the relay agent is transparent to the client.
VRF is an extension of IP routing allowing multiple instances of a routing table to exist on the Layer 3 switch or router simultaneously. VRF-aware services enable the following IP services to be configured for each unique VRF: NTP, HSRP, VRRP, Telnet, Ping, Traceroute, SSH, TFTP, Static ARP, SNMP, Unicast RPF, per-VRF BGP Router ID assignment and Syslog.
Metro Ethernet Features
PPPoE Intermediate Agent
PPPoEIA enables subscriber line identification over Ethernet during the PPPoE discovery phase. The switch tags PPPoE discovery packets destined for the broadband remote access server with the subscriber's circuit and remote IDs and untags PPPoE discovery packets destined for the subscriber. Access, trunk, and private VLAN ports are supported. Per-port and per-port-per-VLAN configuration is supported. Interoperable with DHCP option 82. Circuit and remote IDs are configurable. NSF and SSO capable. SNMP MIB is not supported in this release. Upon release, this feature will be RFC 2516 and DSL Forum TR-101 section 3.9.2 compliant.
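The following configuration, added here as an illustration and not taken from the Cisco bulletin, shows the PPPoE Intermediate Agent enabled on a subscriber-facing access port (untrusted, tagged with a per-line circuit ID and remote ID, and rate limited) and on the trusted uplink toward the BRAS, where tags are stripped from discovery packets heading back to the subscriber. The interface numbers, VLAN, rate value and ID strings are assumptions.

```cisco
! Assumed example: subscriber port Gi1/1, uplink Gi1/24 to the BRAS.
! The circuit-id and remote-id strings are constructed placeholders.
pppoe intermediate-agent
!
interface GigabitEthernet1/1
 description subscriber line (untrusted)
 switchport mode access
 switchport access vlan 100
 pppoe intermediate-agent
 ! Identify this subscriber line in the vendor-specific tag that the
 ! switch inserts into PADI/PADR packets sent toward the BRAS; the BRAS
 ! can then bind the session to a physical line rather than to whatever
 ! the subscriber claims
 pppoe intermediate-agent format-type circuit-id string "site-a/slot1/port1"
 pppoe intermediate-agent format-type remote-id string "subscriber-0001"
 ! Bound the rate of PPPoE discovery packets accepted from this line
 ! (packets per second) so one subscriber cannot flood the BRAS
 pppoe intermediate-agent limit rate 20
!
interface GigabitEthernet1/24
 description uplink to BRAS (trusted)
 switchport mode trunk
 ! Only the BRAS-facing port is trusted to send PADO/PADS
 pppoe intermediate-agent trust
 ! Remove intermediate-agent tags from discovery packets going to subscribers
 pppoe intermediate-agent vendor-tag strip
```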
The IETF Access Node Control Protocol (ANCP) is being adopted by broadband access providers in DSL and PON deployments. An E-FTTH network deployment can use the same protocol for conditional access, content delivery authentication, policy control, and configuration management. This phase of the ANCP client feature on the Catalyst 4500 focuses on conditional multicast content access for IPTV service delivery. The ANCP client works transparently with ANCP servers deployed in PE-Aggregation and N-PE locations.
Power Policing and Monitoring
Power over Ethernet enhancement: Monitor power output on an individual port, card, or chassis basis. Additionally, set power thresholds with a policing action that either automatically shuts down the port or logs an event when a powered device (PD) exceeds its allocated port power.
Automatic Power Optimization
This power saving is automatic and not triggered by CLI; unused ports are powered off, resulting in savings of up to 12W per line card.
Working with Cisco Configuration Engine 3.0, CNS agents in the Catalyst 4500 support the following operations-focused features:
• Zero-touch Deployment of Catalyst 4500
• Cisco IOS bulk configuration
• Cisco IOS software image distribution and activation
Configuration Change Tracking ID: Numbers every change to the IOS running configuration and stores it as a checksum. Management applications that track configuration for archiving or compliance reasons can request the checksum, compare it with the one they already hold, and, if the two differ, request a configuration upload from the network device.
Rollback Confirmed Change: An enhancement to configuration rollback; users can set a timer before a configuration change becomes permanent on the network device.
Reliable Delivery for Syslog: Support for reliable delivery of Syslog over BEEP.
IP SLA for IPv6: IP SLA support for IPv6.
Periodic MIB data collection and transfer mechanism: Bulk MIB data collection at a predefined interval, and export of the collected data.
Cisco Catalyst 4500 Cisco IOS Software Release Trains
Figure 4. Cisco IOS Software 12.2(50)SG Release Train
Cisco Catalyst 4500 Cisco IOS Software Migration Guide
• Customers requiring the latest Cisco Catalyst 4500 Series hardware and software features should migrate to Cisco IOS Software Release 12.2(50)SG.
• Cisco IOS Software Release 12.2(31)SGA will continue offering maintenance releases. The latest release from this maintenance train was 12.2(31)SGA8.
12.2(50)SG Release Summary
Table 2. Cisco IOS Software Release 12.2(50)SG Product Numbers and Images for Cisco Catalyst 4500 Series
Table 3. Cisco IOS Software Release 12.2(50)SG Product Numbers and Images for Cisco Catalyst 4900 Series