Table Of Contents
Device Manager System Requirements
Finding the Software Version and Feature Set
Upgrading a Switch by Using the Device Manager
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Minimum Cisco IOS Release for Major Features
Device Manager Limitations and Restrictions
Hardware Limitations and Restrictions
VLAN Interfaces and MAC Addresses
References to Cisco IOS Release 12.2(25)SE
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE5
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE4
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE3
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE2
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE1
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE
Update to the Software Configuration Guide
Release Notes for the Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class, Cisco IOS Release 12.2(50)SE and Later
Revised October5, 2010
These release notes include important information about Cisco IOS Release 12.2(50)SE and later for the Cisco Gigabit Ethernet Switch Module (CGESM) for the HP BladeSystem p-Class. This document includes any limitations, restrictions, and caveats that apply to this release.
To verify that these release notes are correct for your switch, use the show version user EXEC command (see the "Finding the Software Version and Feature Set" section).
You can download the switch software from this URL:
Contents
This information is in the release notes:
•"System Requirements" section
•"Upgrading the Switch Software" section
•"New Software Features" section
•"Minimum Cisco IOS Release for Major Features" section
•"Limitations and Restrictions" section
•"Device Manager Notes" section
•"VLAN Interfaces and MAC Addresses" section
•"Documentation Updates" section
•"Related Documentation" section
System Requirements
The system requirements are described in these sections:
•"Device Manager System Requirements" section
•"Cluster Compatibility" section
Device Manager System Requirements
These sections describes the hardware and software requirements for using the device manager:
•"Hardware Requirements" section
•"Software Requirements" section
Hardware Requirements
Table 1 lists the minimum hardware requirements for running the device manager.
Table 1 Minimum Hardware Requirements
Processor Speed DRAM Number of Colors Resolution Font SizeIntel Pentium II1
64 MB2
256
1024 x 768
Small
1 We recommend Intel Pentium 4.
2 We recommend 256-MB DRAM.
Software Requirements
These are the supported operating systems and browsers for the device manager:
•Windows 2000, XP, Vista, and Windows Server 2003.
•Internet Explorer 5.5, 6.0, 7.0, Firefox 1.5, 2.0 or later.
The device manager verifies the browser version when starting a session, and it does not require a plug-in.
Cluster Compatibility
You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI).
When creating a switch cluster or adding a switch to a cluster, follow these guidelines:
•When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch.
•The standby command switch must be the same type as the command switch. For example, if the command switch is a CGESM switch, all standby command switches must be CGESM switches.
Upgrading the Switch Software
These are the procedures for downloading software. Before downloading software, read this section for important information:
•"Finding the Software Version and Feature Set" section
•"Deciding Which Files to Use" section
•"Upgrading a Switch by Using the Device Manager" section
•"Upgrading a Switch by Using the CLI" section
•"Recovering from a Software Failure" section
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version user EXEC command to display the software version that is running on your switch.
You also can use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a tar file. This file contains the Cisco IOS image file and the files needed for the embedded device manager. You must use the tar file to upgrade the switch through the device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Here are the filenames for this software release:
•cgesm-lanbase-tar.122-50.SE5.tar
•cgesm-lanbasek9-tar.122-50.SE5.tar
Upgrading a Switch by Using the Device Manager
You can upgrade switch software by using the device manager. From the feature bar, choose Administration > Software Upgrade. For detailed instructions, click Help.
Note When using the device manager to upgrade your switch, do not use or close your browser session after the upgrade process begins. Wait until after the upgrade process completes.
Upgrading a Switch by Using the CLI
This procedure is for copying the tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image. The archive download-sw privileged EXEC command both downloads and extracts the files.
To download the image for a CGESM switch, follow these steps:
Step 1 Go to: http://www.hp.com/support and select the appropriate country or region.
Step 2 From the Support and Drivers page, click the Download drivers and software (and firmware) radio button.
Step 3 Enter CGESM in the product field and press the Right Arrow key.
Step 4 Select an operating system, then click on the desired blade infrastructure or firmware release.
Step 5 Click the download button to download the image.
To download the cryptographic software files, click the software depot link in the Notes section. Once there, search for CGESM or go to the Enhancement releases and patch bundles section.
Step 6 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, refer to Appendix B in the software configuration guide for this release.
Step 7 Log into the switch through the console port or a Telnet session.
Step 8 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:
ping tftp-server-addressFor more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.
Step 9 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tarThe /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://198.30.20.19/cgesm-i6l2-tar.122-25.SE1.tarYou also can download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
Recovering from a Software Failure
For recovery procedures, see the "Troubleshooting" chapter in the Cisco Gigabit Ethernet Switch Module for HP-Blade System p-Class Software Configuration Guide for this release.
Installation Notes
You can assign IP information to your switch by using these methods:
•The Express Setup program, as described in the Cisco Gigabit Ethernet Switch Module for HP-Blade System p-Class Hardware Installation Guide.
•The CLI-based setup program, as described in the Cisco Gigabit Ethernet Switch Module for HP-Blade System p-Class Hardware Installation Guide.
•The DHCP-based autoconfiguration, as described in the Cisco Gigabit Ethernet Switch Module for HP-Blade System p-Class Software Configuration Guide.
•Manually assigning an IP address, as described in the Cisco Gigabit Ethernet Switch Module for HP-Blade System p-Class Software Configuration Guide.
New Software Features
There are no new software features for this release.
Minimum Cisco IOS Release for Major Features
Table 2 lists the minimum software release required to support the major features on this switch.
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
This section contains these limitations:
•"Cisco IOS Limitations" section
•"Device Manager Limitations and Restrictions" section
•"Hardware Limitations and Restrictions" section
Cisco IOS Limitations
These limitations apply to CGESM switch:
Configuration
These are the configuration limitations:
•If you run the CLI-based setup program, the IP address that the Dynamic Host Configuration Protocol (DCHP) provides is reflected as a static IP address in the config.text file. The workaround is to not run setup if DHCP is required for your configuration.
•If you start and then end the autoinstall program before the DHCP server replies, DHCP requests are ignored. The workaround is to wait until you see the IP address appear when it is provided by the DCHP server.
•A static IP address might be removed when the previously acquired DHCP IP address lease expires.
This problem occurs under these conditions:
–When the switch is booted up without a configuration (no config.text file in flash memory).
–When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).
–When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
1. Disable auto-QoS on the interface.
2. Change the routed port to a nonrouted port or the reverse.
3. Re-enable auto-QoS on the interface. (CSCec44169)
•The DHCP snooping binding database is not written to flash or a remote file in either of these situations:
–The DHCP snooping database file is manually removed from the file system. After you enable the DHCP snooping database by configuring a database URL, a database file is created. If you manually remove the file from the system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.
–The URL for the configured DHCP snooping database was replaced because the original URL is not accessible. The new URL might not take effect after the timeout of the old URL.
No workaround is necessary; these are the designed behaviors. (CSCed50819)
•When connected to some third-party devices that send early preambles, a switch port operating at 100 Mb/s full duplex or 100 Mb/s half duplex might bounce the line protocol up and down. The problem is observed only when the switch is receiving frames.
The workaround is to configure the port for 10 Mb/s and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
•When port security is enabled on an interface in restricted mode and the switchport block unicast interface command has been entered on that interface, MAC addresses are incorrectly forwarded when they should be blocked
The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)
•A traceback error occurs if a crypto key is generated after an SSL client session.
There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)
•When system jumbo MTU size is configured on a switch and the egress ports can support jumbo frames, the egress SPAN jumbo frames are not forwarded to the SPAN destination ports.
There is no workaround. (CSCsj21718)
Ethernet
Subnetwork Access Protocol (SNAP) encapsulated IP packets are dropped without an error message being reported at the interface. The switch does not support SNAP-encapsulated IP packets. There is no workaround. (CSCdz89142)
HSRP
When the active switch fails in a switch cluster that uses HSRP redundancy, the new active switch might not contain a full cluster member list. The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, see the "Configuring STP" chapter in the software configuration guide. (CSCec76893)
IP
When the rate of received DHCP requests exceeds 2,000 packets per minute for a long time, the response time might be slow when you are using the console. The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)
IP Telephony
This is the IP telephony limitation:
After you change the access VLAN on a port that has 802.1x enabled, the IP Phone address is removed. Because learning is restricted on 802.1x capable ports, it takes approximately 30 seconds before the address is relearned. No workaround is necessary. (CSCea85312)
Multicasting
These are the multicasting limitations:
•If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number specified by the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise. The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)
•IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port. There is no workaround. (CSCdy82818)
•If an IG MP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:
–If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.
–If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.
There is no workaround. (CSCec20128)
•When IGMP snooping is disabled and you enter the switchport block multicast interface configuration command, IP multicast traffic is not blocked.
The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.
There is no workaround. (CSCee16865)
QoS
These are the quality of service (QoS) limitations:
•Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than 10 to avoid disabling the queue. The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)
•When auto-QoS is enabled on the switch, priority queuing is not enabled. Instead, the switch uses shaped round robin (SRR) as the queuing mechanism. The auto-QoS feature is designed on each platform based on the feature set and hardware limitations, and the queuing mechanism supported on each platform might be different. There is no workaround. (CSCee22591)
SPAN and RSPAN
These are the SPAN and Remote SPAN (RSPAN) limitations.
•An egress SPAN copy of routed unicast traffic might show an incorrect destination MAC address on both local and remote SPAN sessions. This limitation does not apply to bridged packets. The workaround for local SPAN is to use the replicate option. For a remote SPAN session, there is no workaround.
This is a hardware limitation: (CSCdy72835)
•Egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For remote SPAN packets, the source MAC address should be the MAC address of the egress VLAN, but instead the packet shows the MAC address of the RSPAN VLAN. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used. This limitation does not apply to bridged packets. The workaround is to use the encapsulate replicate keywords in the monitor session global configuration command. Otherwise, there is no workaround.
This is a hardware limitation: (CSCdy81521)
•During periods of very high traffic, when two RSPAN source sessions are configured, the VLAN ID of packets in one RSPAN session might overwrite the VLAN ID of the other RSPAN session. If this occurs, packets intended for one RSPAN VLAN are incorrectly sent to the other RSPAN VLAN. This problem does not affect RSPAN destination sessions. The workaround is to configure only one RSPAN source session.
This is a hardware limitation: (CSCed24036)
•Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) packets received from a SPAN source are not sent to the destination interfaces of a local SPAN session. The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for local SPAN.
Trunking
These are the trunking limitations:
•The switch treats frames received with mixed encapsulation (802.1Q and Inter-Switch Link [ISL]) as frames with FCS errors, increments the error counters, and causes the LED to blink amber. This happens when an ISL-unaware device receives an ISL-encapsulated packet and forwards the frame to an 802.1Q trunk interface. There is no workaround. (CSCdz33708)
•IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y. There is no workaround. (CSCdz42909)
•For trunk ports or access ports configured with 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics. There is no workaround. (CSCec35100)
VLAN
These are the VLAN limitations:
•If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail. The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
•When dynamic ARP inspection is configured on a VLAN, and the ARP traffic on a port in the VLAN is within the configured rate limit, the port might go into an error-disabled state. (CSCse06827)
Device Manager Limitations and Restrictions
These are the device manager limitations and restrictions:
•You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI.
•When you are prompted to accept the security certificate and you click No, you only see a blank screen, and the device manager does not launch.
The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)
Hardware Limitations and Restrictions
This is the hardware limitation and restriction:
When using CLC-T SFPs in CGESM switches, the SFP module can be installed too far into the switch. This can prevent links from operating properly.
The workaround is to slightly pull the SFP out of the module slot. (CSCsd17765)
Important Notes
These sections describe the important notes related to this software release:
•"Device Manager Notes" section
Cisco IOS Notes
These notes apply to Cisco IOS software:
•Cisco IOS Release 12.2(40)SE and later
If the switch has interfaces with automatic QoS for voice over IP (VoIP) configured and you upgrade the switch software to Cisco IOS Release 12.2(40)SE (or later), when you enter the auto qos voip cisco-phone interface configuration command on another interface, you might see this message:
AutoQoS Error: ciscophone input service policy was not properly appliedpolicy map AutoQoS-Police-CiscoPhone not configuredIf this happens, enter the no auto qos voip cisco-phone interface command on all interface with this configuration to delete it. Then enter the auto qos voip cisco-phone command on each of these interfaces to reapply the configuration.
Device Manager Notes
These notes apply to the device manager:
•We recommend that you use this browser setting to display the device manager from Microsoft Internet Explorer in the least amount of time.
From Microsoft Internet Explorer:
1. Choose Tools > Internet Options.
2. Click Settings in the "Temporary Internet files" area.
3. From the Settings window, choose Automatically.
4. Click OK.
5. Click OK to exit the Internet Options window.
•The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.
If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.
•If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.cisco.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch the device manager.
VLAN Interfaces and MAC Addresses
All VLAN interfaces have assigned MAC addresses that are derived from the base MAC address. The base MAC address is the hardware address that is on the switch label. It also appears when you enter the show version privileged EXEC command.
On the first VLAN interface (VLAN 1), the MAC address is the base MAC address + 0 x 40. On the next VLAN interface that you configure, the MAC address is the base MAC address + 0 x 40 +1, and so on for other VLAN interfaces.
You can enter the show interfaces vlan vlan-id privileged EXEC command to show the MAC and IP addresses. The MAC addresses that appear in the show interfaces vlan vlan-id command output are not the same as the MAC address that is printed on the switch label (the base MAC address).
By default, VLAN 1 is the interface that connects to the management network. When the switch boots up, the DHCP client (switch) requests an IP address from a DHCP server by using the MAC address of VLAN 1.
Documentation Notes
This section describes documentation notes related to this IOS release.
References to Cisco IOS Release 12.2(25)SE
These older documents refer to Release 12.2(25)SE. The correct release is Release 12.2(25)SE1.
•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Software Configuration Guide, Cisco IOS Release 12.2(25)SE
•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Command Reference Guide, Cisco IOS Release 12.2(25)SE
•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class System Message Guide, Cisco IOS Release 12.2(25)SE
Open Caveats
Open Cisco IOS Caveats
These severity 3 Cisco IOS configuration caveats apply to the CGESM switch:
•CSCso96778
When you use the ipv6 address dhcp interface configuration command on an interface that is configured in router mode, other addresses on the prefix associated with the new address might not be accessible.
The workaround is to use the ipv6 address dhcp interface configuration command on an interface that is configured in host mode, or configure a static route to the prefix through the interface.
•CSCsw68528
When you use the show mvr interface interface members privileged EXEC command to view the Multicast VLAN Registration (MVR) interface group status, the switch incorrectly displays the status ACTIVE for port members that are not connected.
The workaround is to use the show mvr interface interface or show mvr members privileged EXEC command to display the port MVR status.
•CSCta57846
The switch unexpectedly reloads when copying a configuration file from a remote server or from flash memory containing logging file flash:
The workaround is to enter the logging file flash:filename global configuration command to configure logging to flash instead of copying to flash.
•CSCti79385
When a redirect URL is configured for a client on the authentication server and a large number of clients are authenticated, high CPU usage could occur on the switch.
There is no workaround.
Open HP Caveats
These are the HP severity 2 open caveats for this release:
•rQm 263546
Disconnecting the cable from the console port does not end a Telnet session. If you are in privileged EXEC mode when you remove the cable, the next session that is started on the console port will also be in privileged EXEC mode.
The workaround is to end the session before you remove the cable.
•rQm 266129
If you power on a switch that does not have a config.txt file (the factory default file) and leave the switch on for few hours, the switch console appears to be stalled during setup.
The workaround is to reload the switch before you continue to configure it.
Resolved Caveats
•"Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE5" section
•"Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE4" section
•"Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE3" section
•"Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE2" section
•"Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE1" section
•"Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE" section
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE5
•CSCte14603
A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 22, 2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE4
•CSCsh59019
Authentication, authorization, and accounting (AAA) fails, preventing authentication and requiring you to recover your password. For example, when you enter the aaa authentication login default group tacacs line global configuration command, AAA fails.
There is no workaround.
•CSCsk85192
When you use an access control server (ACS) to enable command authorization, the ACS does not process a copy command ending with a colon (for example, scp:, ftp:, tftp:, flash:).
This problem affects authentication, authorization, and accounting (AAA) authorization:
–If the ACS denies a copy command ending with a colon, you can use that command on a switch.
–If the ACS permits a copy command ending with a colon, you cannot use that command on a switch.
To workaround is to either deny or permit the copy command without entering any arguments on the ACS.
•CSCsy90265
If you repeatedly enter the show tech-support privileged EXEC command, the switch might leak memory and, in some cases, shut down.
The workaround is to reload the switch to clear the memory after repeated use of the show tech-support command.
•CSCsz66428
When flow control is enabled on a port-channel interface and you enter the flowcontrol receive on interface configuration command, the bundle is not enabled after the switch restarts. The command appears in the port-channel interface running configuration but does not appear in the switch running configuration. A message such as this appears:
%EC-5-CANNOT_BUNDLE2: Gi0/27 is not compatible with Po1 and will be suspended (flow control receive of Gi0/27 is on, Po1 is off)
%EC-5-CANNOT_BUNDLE2: Gi0/28 is not compatible with Po1 and will be suspended (flow control receive of Gi0/28 is on, Po1 is off)
Use one of these workarounds:
–To manually configure the port-channel interface, enter the flowcontrol receive on interface configuration command.
–To add the flow-control configuration to the interface after the switch restarts, use an EEM script similar to this:
event manager applet Add_flowcontrol_on_restart
event syslog pattern SYS-5-RESTART
action 1 cli command "en"
action 2 cli command "conf t"
action 3 cli command "inter port 1"
action 4 cli command "flowcontrol receive on"
For action 3, specify the port-channel interface.
•CSCta47293
On a switch that supports Cisco Discovery Protocol (CDP) bypass, when a Cisco IP phone is connected to an 802.1x-enabled switch port that is in single host mode and that has a guest VLAN, a supplicant that does not send an Extensible Authentication Protocol over LAN (EAPOL)-start frame cannot be authorized.
The workaround is to ensure that the supplicant sends an EAPoL-start frame.
•CSCta57846
The switch unexpectedly reloads when copying a configuration file from a remote server or from flash memory containing logging file flash:
The workaround is to enter the logging file flash:filename global configuration command to configure logging to flash instead of copying to flash.
•CSCta78502
When you have configured a login banner by entering the banner login c message c global configuration command and the switch reloads, the output of banner is missing a carriage return, making the format incorrect.
There is no workaround.
•CSCta87523
When you use Auto Smartports macros on an interface that is connected to an Cisco IP phone, the the quality of service (QoS) configuration for that interface is not completed.
The workaround is to enter the no mls qos vlan-based interface configuration command, and then enable QoS for voice over IP (VoIP) by entering the auto qos voip cisco-phone interface configuration command.
•CSCtb10158
A switch can fail when an SNMP process attempts to configure dot1x authentication when it is already configured.
There is no workaround.
•CSCtb91572
A switch enters a loop in which it continues to fail after it first has failed while starting, and then has failed again while attempting to recover. This failure loop occurs only after you have entered the archive upload-sw privileged EXEC command to write the configuration to a remote server using Secure Copy Protocol (SCP) and when the connection to the remote server is configured for spanning-tree PortFast.
The workaround is to not use SCP to write to the remote server. Use File Transfer Protocol (FTP) or Trivial File Transfer Protocol (TFTP).
•CSCtc39809
A memory leak occurs when there is a stuck in active (SIA) state condition for an Enhanced Interior Gateway Routing Protocol (EIGRP) route.
There is no workaround.
•CSCtc43231
A switch does not receive SNMP trap and inform messages from the correct interface after you have entered the snmp-server trap-source loopback0 and snmp-server source-interface informs loopback0 global configuration commands.
There is no workaround.
•CSCtc57809
When the no mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command is used to remove a dynamically learned MAC address, the switch fails under these conditions:
–The physical interface is in a no shut state.
–The MAC address is first dynamically learned and then changed to static.
There is no workaround.
•CSCtc81879
After all member ports are brought up on a switch stack, MAC authentication bypass (MAB) authenticates the stack master ports but not any member switch ports. The symptom occurs after you have entered both the switchport port-security interface configuration command and the dot1x control-direction interface configuration command on the stack interfaces.
The workaround is to enter either the no switchport port-security interface configuration command or the no dot1x control-direction interface configuration command on the stack interfaces.
•CSCtc90039
A memory leak occurs on a device that uses Enhanced Interior Gateway Routing Protocol (EIGRP) when the external routes are being exchanged.
The workaround is to stabilize the network to minimize the impact of external route advertisement.
•CSCtd17296
When you enter the dot1x pae interface configuration command on a switch access port and then enable an access list in the inbound direction on an ingress switched virtual interface (SVI), the access list does not work, allowing all packets to pass.
The workaround is to enable the access list in the outbound direction on the egress SVI.
•CSCtd30053
When you enter the no spanning-tree etherchannel guard misconfig global configuration command, enter the write memory privileged EXEC command, and then restart the switch, the spanning-tree etherchannel guard misconfig global configuration command is saved instead of the no form of this command.
There is no workaround.
•CSCtd72456
After you have entered the snmp-server host informs global configuration command to enable SNMP informs on a switch, the switch might fail if you enter the show snmp pending user EXEC command.
There is no workaround. Do not enter the show command when SNMP informs are enabled.
•CSCtd72626
A Remote Switched Port Analyzer (RSPAN) does not detect IPv6 multicast packets on an RSPAN destination port.
There is no workaround.
•CSCtd73256
A switch fails when you enter the show ip ospf interface user EXEC command and then stop the command output at the this line:
Backup Designated router (ID) xx.x.x.x, Interface address xx.x.x.x
The failure occurs when the Backup Designated Router (BDR) neighbor of the switch is shut down while you press Enter or the spacebar to advance the command output.
When the switch fails, it sends this error message:
Unexpected exception to CPUvector 2000, PC = 261FC60
There is no workaround.
•CSCte67201
On a switch that is configured for IP routing and that is running Cisco IOS Release 12.2(50)SE or later, Cisco Express Forwarding (CEF) can use a large amount of memory. The IP RIB Update process uses about 2000 bytes for each prefix that CEF uses.
There is no workaround. You can reduce the memory use by reducing the number of routes the switch processes.
•CSCte81321
After you have entered the logging filter global configuration command on a switch to specify a syslog filter module to be used by the Embedded Syslog Manager (ESM), processes logging many system messages retain increasing amounts of processor memory.
The workaround is to enter the no logging filter global configuration command.
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE3
•CSCso57496
A switch no longer fails when you enter the configure replace privileged EXEC command, and a banner is already present in the switch configuration.
•CSCsq51052
The output of the show ip ssh privileged EXEC command no longer displays SSH Enabled - version 2.99. Instead, a correct SSH version (1.5, 1.99 or 2.0) now appears.
•CSCsx49718
Re-authentication now occurs on a port under these conditions:
–The port is in single-host mode.
–The port is configured with the authentication event no-response action authorize vlan vlan-number command.
–An EAPOL start packet is sent to the port.
•CSCsy72669
If a link failure occurs on a secondary edge port, preemption now occurs after the link comes up.
•CSCsz12381
When open1x authentication and MAC authentication bypass are enabled on a port, an IP phone is connected to the port, and DHCP snooping is enabled on the switch, DHCP traffic is now forwarded on the voice VLAN before open 1x authentication times out and the switch uses MAC authentication bypass to authorize the port.
•CSCsz13490
The switch no longer reloads when you enter several key strokes while in interface-range configuration mode.
•CSCsz79652
A memory leak no longer occurs when Cisco Network Assistant is polling the switch and the ip http server or ip http-secure-server global configuration command is enabled.
•CSCta32597
A switch no longer fails when a host moves from a dynamically assigned VLAN to a configured VLAN.
•CSCta36155
A switch configured with 802.1x and port security on the same ports no longer might inappropriately put the ports into an error-disabled state.
•CSCta56469
Moving a PC between two IP Phones without disconnecting either phone from the switch no longer triggers a port-security violation.
•CSCta67777
A port security violation error no longer occurs when MAC address sticky learning is enabled on a port and a CDP is enabled on a connected IP Phone.
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE2
•CSCsy72726
A switch running 12.2(50)SE or later no longer might unexpectedly restart when Auto Smart Ports is enabled and the switch is configured for SSH or the HTTP secure server is enabled by entering the ip http secure-server global configuration command.
•CSCsy48370
The switch no longer fails when you use the vacant-message line configuration command.
•CSCsz81762
If you enable automatic server testing through the radius-server host ip-address [test username name] global configuration command, the switch no longer sends requests to the RADIUS server if the server is not available.
•CSCsy91579
A switch no longer randomly resets due to memory corruption.
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE1
•CSCsb46724
If the connection to a primary AAA server fails, the backup server is now queried for login access.
•CSCsr92741
When a TCP packet with all flags set to zero (at the TCP level) is sent to a remote router, the remote (destination) router no longer returns an ACK/RST packet back to the source of the TCP segment.
•CSCsy24510
The switch now accepts an encrypted secret password.
•CSCsy41470
The switch no longer runs out of memory when an smnpwalk, snmpget, or snmpbulkwalk is run on the CISCO-ENERGYWISE-MIB.
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(50)SE
This section describes the caveats that have been resolved in this release:
•CSCee08109
If a port-based ACL (PACL) is applied to an 802.1x-enabled port and the client is then disconnected from that port, the PACL is now removed from the port.
•CSCsd86177
When you remove and reconfigure a loopback interface, it now appears in the ifTable.
•CSCse03859
DHCP snooping now works when the switch is in VTP server mode and VLANs with IDs greater than 255 (256 and above) are created.
•CSCsq26873
The server no longer attempts re-authentication every ten minutes when a switch is configured with the dot1x timeout reauth-period server interface configuration command.
•CSCsq67398
Traffic is now forwarded to the interfaces that are configured with static multicast MAC addresses after the switch is reloaded.
Note You cannot configure the static MAC address (unicast or multicast) entries on EtherChannel member interfaces, or add an interface into the EtherChannel if that interface is associated with a static MAC address entry.
•CSCsq89564
If the switch uses 802.1x authentication with VLAN assignment, it no longer uses the VLAN assignment with different authorization attempts, such as user authentication or re-authentication.
•CSCsr50766
When keepalive is disabled on an interface, the interface is no longer put in an error-disabled state when it receives keepalive packets.
•CSCsr64007
The Switched Port Analyzer (SPAN) destination port no longer detects IPv6 multicast packets from a VLAN that is not being monitored by SPAN.
•CSCsr65689
This message no longer appears in the log during the system bootup on a switch that is running
Cisco IOS 12.2(50)SE:%COMMON_FIB-3-FIBIDBINCONS2•CSCsu10065
When SFP ports are configured as status multicast router ports, IPv6 Multicast Listener Discovery (MLD) snooping now works after the switch reloads.
•CSCsu88168
The switch no longer reloads when the Forwarding Information Base (FIB) adjacency table is added.
•CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•CSCsv30429
A Cisco IP Phone connected to a Catalyst switch no longer becomes unauthorized when it transitions from the data authorization domain to the voice authorization domain.
•CSCsv64023
A switch port configured for IGMP snooping no longer loses its group membership when the port receives a query comes from an upstream device that is not configured for IGMP snooping.
•CSCsv89005
A switch configured with class-based policies that are applied and active on at least one interface no longer might reload or display CPU hog messages during SNMP polling for the ciscoCBQosMIB.
•CSCsv91358
When you have entered the vlan dot1q tag native global configuration command to configure a switch to tag native VLAN frames on 802.1Q trunk ports, and you configure a new voice VLAN on an access port, the MAC address of a connected PC is now correctly relearned.
•CSCsw30249
When a switch virtual interface (SVI) is configured as unnumbered and is pointing to a loopback interface, the switch no longer fails when the SVI receives a packet.
•CSCsw45337
When LLDP is enabled and a voice VLAN is configured, the L2 Priority and DSCP Value fields in the LLDP type, length, and value descriptions (TLVs) are now correctly marked to give the voice traffic the correct DSCP and Layer 2 priority.
•CSCsw65548
Switch ports no longer attempt authentication at the interval configured for the port security timer instead of the configured IEEE 802.1x timer.
Documentation Updates
This section provides updates to the product documentation:
•"Update to the Software Configuration Guide" section
•"System Messages Guide" section
Update to the Software Configuration Guide
This text was updated in the "Using IEEE 802.1x Authentication with Guest VLAN section of the software configuration guide:
If the switch is trying to authorize an IEEE 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command sequences:
•Enter the dot1x guest-vlan supplicant global configuration command to allow access to the guest VLAN.
•Enter the shutdown interface configuration command followed by the no shutdown interface configuration command to restart the port.
System Messages Guide
These are the documentation updates for the system modesties guide:
•"New System Messages" section
•"Changed System Messages" section
•"Deleted System Messages" section
New System Messages
Error Message DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on [chars]Explanation The client MAC address could not be added to the MAC address table because the hardware memory is full or the address is a secure address on another port. [enet] is the supplicant MAC address, and [chars] is the interface. This message might appear if the IEEE 802.1x feature is enabled.
Recommended Action If the hardware memory is full, remove some of the dynamic MAC addresses. If the client address is on another port, manually remove it from that port.
Error Message %PAGP_DUAL_ACTIVE-3-OBJECT_CREATE_FAILED: Unable to create [chars]Explanation The switch cannot create the specified managed object. [chars] is the object name.
Recommended Action No action is required.
Error Message %PAGP_DUAL_ACTIVE-3-RECOVERY_TRIGGER: PAgP running on [chars] informing virtual switches of dual-active: new active id [enet], old id [enet]Explanation Port Aggregation Protocol (PAgP) received a new active ID on the specified interface, which means that all virtual switches are in a dual-active scenario. The interface is informing virtual switches of this, which causes one switch to go into recovery mode. [chars] is the interface. The first [enet] is the new active ID. The second [enet] is the ID that it replaces.
Recommended Action No action is required.
Error Message %PAGP_DUAL_ACTIVE-3-REGISTRY_ADD_ERR: Failure in adding to [chars] registryExplanation The switch could not add a function to the registry. [chars] is the registry name.
Recommended Action No action is required.
Error Message %PM-6-EXT_VLAN_ADDITION: Extended VLAN is not allowed to be configured in VTP CLIENT mode.Explanation The switch did not add a VLAN in VTP client mode.
Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the "Error Message Traceback Reports" section in the system message guides.
Error Message SPANTREE-6-PORTADD_ALL_VLANS: [chars] added to all VlansExplanation The interface has been added to all VLANs. [chars] is the added interface.
Recommended Action No action is required.
Error Message SPANTREE-6-PORTDEL_ALL_VLANS: [chars] deleted from all VlansExplanation The interface has been deleted from all VLANs. [chars] is the deleted interface.
Recommended Action No action is required.
Error Message SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to [chars].Explanation The VLAN Trunking Protocol (VTP) domain name was changed through the configuration to the name specified in the message. [chars] is the changed domain name.
Recommended Action No action is required.
Error Message VQPCLIENT-2-TOOMANY: Interface [chars] shutdown by active host limit.Explanation The system has shut down the specified interface because too many hosts have requested access to that interface. [chars] is the interface name.
Recommended Action To enable the interface, remove the excess hosts, and enter the no shutdown interface configuration command.
Error Message VQPCLIENT-3-VLANNAME: Invalid VLAN [chars] in response.Explanation The VLAN membership policy server (VMPS) has specified a VLAN name that is unknown to the switch. [chars] is the VLAN name.
Recommended Action Ensure that the VLAN exists on the switch. Verify the VMPS configuration by entering the show vmps privileged EXEC command.
Error Message WCCP-5-CACHEFOUND: Web Cache [IP_address] acquired.Explanation The switch has acquired the specified web cache. [IP_address] is the web cache IP address.
Recommended Action No action is required.
Error Message WCCP-1-CACHELOST: Web Cache [IP_address] lost.Explanation The switch has lost contact with the specified web cache. [IP_address] is the web cache IP address.
Recommended Action Verify the operation of the web cache by entering the show ip wccp web-cache privileged EXEC command.
Changed System Messages
This system message has changed (both explanation and action).
Error Message EC-5-CANNOT_BUNDLE1: Port-channel [chars] is down, port [chars] will remain stand-alone.Explanation The aggregation port is down. The port remains standalone until the aggregation port is up. The first [chars] is the EtherChannel. The second [chars] is the port number.
Recommended Action Ensure that the other ports in the bundle have the same configuration.
Deleted System Messages
These system messages have been deleted.
Error Message %VQPCLIENT-2-INITFAIL: Platform-specific VQP initialization failed. QuittingError Message %VQPCLIENT-2-IPSOCK: Could not obtain IP socketError Message %VQPCLIENT-7-NEXTSERV: Trying next VMPS [IP_address]Error Message %VQPCLIENT-7-PROBE: Probing primary server [IP_address]Error Message %VQPCLIENT-2-PROCFAIL: Could not create process for VQP. QuittingError Message %VQPCLIENT-7-RECONF: Reconfirming VMPS responsesError Message %VQPCLIENT-2-SHUTDOWN: Interface [chars] shutdown by VMPSError Message %VQPCLIENT-3-THROTTLE: Throttling VLAN change on [chars]Related Documentation
These documents provide complete information about the switch and are available from the HP web site:
•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Release Notes
(part number 383623-001)•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Software Configuration Guide (part number 380261-001)
•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class System Message Guide
(part number 380260-001)•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Hardware Installation Guide (part number 380264-001)
•Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Quick Setup Instructions
(part number 380263-001)•Cisco Small Form-Factor Pluggable Modules Installation Instructions (part number 380-263-001)
•HP BladeSystem p-Class SAN Connectivity Kit Quick Setup Instructions For Installing in Cisco Gigabit Ethernet Switch Module (part number 380262-001)
Cisco IOS Release 12.2 documentation is available at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/index.html
Technical support
Before you contact HP
Be sure to have the following information available before you call HP:
•Technical support registration number (if applicable)
•Product serial number
•Product model name and number
•Applicable error messages
•Add-on boards or hardware
•Third-party hardware or software
•Operating system type and revision level
HP contact information
For the name of the nearest HP authorized reseller:
•In the United States, see the HP US service locator webpage (http://www.hp.com/service_locator).
•In other locations, see the Contact HP worldwide (in English) webpage (http://welcome.hp.com/country/us/en/wwcontact.html).
For HP technical support:
•In the United States, for contact options see the Contact HP United States webpage (http://welcome.hp.com/country/us/en/contact_us.html). To contact HP by phone:
–Call 1-800-HP-INVENT (1-800-474-6836). This service is available 24 hours a day, 7 days a week. For continuous quality improvement, calls may be recorded or monitored.
–If you have purchased a Care Pack (service upgrade), call 1-800-633-3600. For more information about Care Packs, refer to the HP website (http://www.hp.com).
•In other locations, see the Contact HP worldwide (in English) webpage (http://welcome.hp.com/country/us/en/wwcontact.html).