Release Notes for the Cisco Systems
Intelligent Gigabit Ethernet Switch Modules
for the IBM BladeCenter
July 15, 2008
This document provides important information about the Cisco Systems Intelligent Gigabit Ethernet Switch Modules, hereafter referred to as the switch, running Cisco IOS Release 12.1(22)EA12. Review the new software features, open caveats, and resolved caveats sections for information specific to your switch.
These release notes include important information about this release and any limitations, restrictions, and caveats that apply to it. To verify that these are the correct release notes for your switch:
•If your switch is running, you can use the show version user EXEC command. See the "Finding the Software Version and Feature Set" section.
•If you are upgrading to a new release, see the software upgrade filename for the Cisco IOS version.
For the complete list of switch documentation, see the "Related Documentation" section.
Contents
This information is in the release notes:
•"System Requirements" section
•"Upgrading the Switch Software" section
•"Limitations and Restrictions" section
•"Documentation Updates" section
•"Related Documentation" section
•"Getting Help and Technical Assistance" section
System Requirements
The system requirements for this release are described in these sections:
•"Device Manager System Requirements" section
Hardware Supported
These switches are supported by Cisco IOS Release 12.1(22)EA12:
•Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter
•Cisco Systems Intelligent Gigabit Fiber Ethernet Switch Module for the IBM BladeCenter
Device Manager System Requirements
These sections describe the hardware and software requirements for using the device manager:
•"Hardware Requirements" section
•"Software Requirements" section
Hardware Requirements
Table 1 lists the minimum hardware requirements for running the device manager.
Table 1 Minimum Hardware Requirements
Processor Speed | DRAM | Number of Colors | Resolution | Font Size
Intel Pentium II (1) | 64 MB (2) | 256 | 1024 x 768 | Small
(1) We recommend Intel Pentium 4.
(2) We recommend 256-MB DRAM.
Software Requirements
The device manager supports Windows 2000 and Windows XP operating systems and these browsers:
•Microsoft Internet Explorer 6.0 or 5.5 with Service Pack 1 or higher
•Netscape Navigator 7.1
The device manager verifies the browser version when starting a session to ensure that the browser is supported.
Note The device manager does not require a plug-in.
Upgrading the Switch Software
Before downloading software, read this section for important information. This section describes these procedures for downloading software:
•"Finding the Software Version and Feature Set" section
•"Deciding Which Files to Download from the Web" section
•"Recovering from Software Failure" section
When you upgrade a switch, the switch continues to operate while the new software is copied to flash memory. If flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image. If flash memory does not have enough space for two images, the new image is copied over the existing one. Features provided by the new software are not available until you reload the switch.
If a failure occurs while copying a new image to the switch, and the old image has already been deleted, see the "Recovering from Corrupted Software" section in the "Troubleshooting" chapter of the software configuration guide for this release.
Caution Do not power cycle the switch while you are copying an image to the switch. If a power failure occurs while you are copying the software image to the switch, and there are no other images on the switch, see the "Troubleshooting" chapter in the software configuration guide for detailed recovery procedures.
Finding the Software Version and Feature Set
The image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version user EXEC command to see the software version that is running on your switch. In the display, check the line that begins with System image file is. This line shows the directory name in flash memory where the image is stored.
Although the show version output always shows the software version running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software image.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Download from the Web
Table 2 lists the software filenames for this release.
Upgrading a Switch by Using the CLI
The upgrade procedure in this section describes how to perform the upgrade by using a combined tar file. The procedure assumes that you have already downloaded the tar file for this release from ibm.com to your TFTP server or management station. The tar file is an archive file from which you can extract files by using the archive download-sw command.
For information about where to access the tar files on ibm.com and the names of the tar files for this release, see the "Deciding Which Files to Download from the Web" section.
Caution Do not power cycle the switch while you are copying an image to the switch. If a power failure occurs while you are copying the software image to the switch, call your technical support representative immediately.
The upgrade procedure uses the archive download-sw privileged EXEC command to automatically extract and download the images to the switch. The archive download-sw command automatically deletes the old version and copies the new version to flash memory if the flash memory does not have space to store the old and new versions simultaneously. The archive download-sw command initiates this process:
•It verifies adequate space on the flash memory before downloading the new image.
•If there is insufficient space on the flash memory to hold both the old and the new images, it deletes the old image. The image is always stored in a subdirectory on the flash memory. The subdirectory name is the same as the image release name, for example cigesm-i6q2l2q4-tar.121-22.EA9.tar.
•After the new image is downloaded, it automatically sets the BOOT environment variable. You do not have to change old file names to new file names.
•If you enter the command with the /reload or the /force-reload option, it automatically reloads the switch after the upgrade.
For more information on using these commands, see the command reference for this release.
Follow these steps to upgrade the switch software by using the CLI:
Step 1 If your PC or workstation cannot act as a TFTP server, copy the file to a TFTP server to which you have access.
Step 2 Access the CLI by starting a Telnet session or by connecting to the switch service port.
To start a Telnet session on your PC or workstation, enter this command:
server% telnet switch_ip_address
Enter the Telnet username and password if you are prompted to do so.
Step 3 Enter privileged EXEC mode:
switch> enable
switch#
Enter the password if you are prompted to do so.
Step 4 Display the name of the running (default) image file (BOOT path-list). This example shows the name in italic:
switch# show boot
BOOT path-list: flash:current_image
Config file: flash:config.text
Enable Break: 1
Manual Boot: no
HELPER path-list:
NVRAM/Config file
      buffer size: 32768
Step 5 If there is no software image defined in the BOOT path-list, enter dir flash: to display the contents of flash memory.
Step 6 Enter the archive download-sw /reload command.
Step 7 Press Return to confirm the reload.
Your Telnet session ends when the switch resets.
Step 8 After the switch reboots, use Telnet to return to the switch, and enter the show version user EXEC command to verify the upgrade procedure. If you have a previously opened browser session to the upgraded switch, close the browser, and start it again to ensure that you are using the latest HTML files.
Recovering from Software Failure
If the software fails, you can reload the software. For detailed recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for your switch.
Installation Notes
Use the BladeCenter Management Module web page to assign IP information to the switch. For more information, refer to the Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter Installation Guide or the Cisco Systems Intelligent Gb Fiber Ethernet Switch Module for the IBM BladeCenter Installation Guide.
New Features
These sections describe the new supported hardware and the new software features provided in this release:
•"New Hardware Features" section
•"New Software Features" section
New Hardware Features
For a complete list of supported hardware, see the "Hardware Supported" section.
New Software Features
There are no new software features in this release.
Limitations and Restrictions
You should review this section before you begin working with the switches. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
Note These limitations and restrictions apply to all switches unless otherwise noted.
These sections describe the limitations and restrictions:
•"Cisco IOS Limitations and Restrictions" section
•"Device Manager Limitations and Restrictions" section
Cisco IOS Limitations and Restrictions
These limitations and restrictions apply to the Cisco IOS configuration:
•Root guard is inconsistent when configured on a port that is in the STP blocked state at the time of configuration. (CSCdp85954)
•Aging of dynamic addresses does not always occur exactly after the specified aging time elapses. It might take up to three times this time period before the entries are removed from the table. (CSCdr96565)
•Internal loopback in half-duplex mode causes input errors. We recommend that you configure the PHY to operate in full duplex before setting the internal loopback. (CSCds20365)
•A source-based distribution port group does not share the broadcast with all the group members. When the destination of the packets is a broadcast, an unknown unicast, or a multicast, the packets are forwarded on only one port member of a port group and are not shared among all members of the port group. (CSCdt24814)
•When you enter the show controllers ethernet-controller interface-id or show interfaces interface-id counters privileged EXEC command and a large number of erroneous frames are received on an interface, the receive-error counts might be smaller than the actual values, and the receive-unicast frame count might be larger than the actual frame count. (CSCdt27223)
•Two problems occur when a switch is in transparent mode:
–If the switch is a leaf switch, any new VLANs added to it are not propagated upstream through VTP messages. As a result, the switch does not receive flooded traffic for that VLAN.
–If the switch is connected to two VTP servers, it forwards their pruning messages. If the switch has a port on a VLAN that is not requested by other servers through their pruning messages, it does not receive flooded traffic for that VLAN.
There is no workaround. (CSCdt48011)
•The receive count output for the show controllers ethernet-controller interface-id privileged EXEC command shows the incoming packet count before the ASIC decides whether to drop or allow the packet. Therefore, for ports in the STP blocking state, even though the receive count shows incoming frames, the packet is not forwarded to the other port. (CSCdu83640)
•In some network topologies, when UplinkFast is enabled on all switches but BackboneFast is not enabled on all switches, a temporary loop might occur when the STP root switch is changed.
The workaround is to enable BackboneFast on all switches. (CSCdv02941)
•At times, the Windows XP pop-up window might not appear while authenticating a client (supplicant) because the user information is already stored in Windows XP. However, the Extensible Authentication Protocol over LAN (EAPOL) response to the switch (authenticator) might have an empty user ID that causes the IEEE 802.1x port to be unauthenticated.
The workaround is to manually re-initiate authentication by either logging off or by detaching the link and then reconnecting it. (CSCdv19671)
•If two switches are connected and access ports connect two VLANs whose VLAN IDs are separated by the correct multiple of 64, the two switches might use the same bridge ID in the same spanning-tree instances. This might cause a loss of connectivity in the VLANs as the spanning tree blocks the ports that should be forwarding.
The workaround is to not cross-connect VLANs. For example, do not use an access port to connect VLAN 1 to VLAN 65 on either the same switch or from one switch to another switch. (CSCdv27247)
•You can configure up to 256 multicast VLAN registration (MVR) groups by using the mvr vlan group interface configuration command, but only 255 groups are supported on a switch at one time. If you statically add a 256th group, and 255 groups are already configured, the switch continues trying (and failing) to add the new group.
The workaround is to set the mode to dynamic for switches that are connected to IGMP-capable devices. The new group can join the multicast stream if another stream is dynamically removed from the group. (CSCdv45190)
•The ip http authentication enable global configuration command is not saved to the configuration file. Therefore, this configuration is lost after a reboot.
The workaround is to manually enter the command again after a reboot. (CSCdv67047)
•If a port is configured as a secure port with the violation mode as restrict, the secure ports might process packets even after the maximum number of MAC addresses is reached, but those packets are not forwarded to other ports. (CSCdw02638)
•If the STP root port changes on the switch, the connections between the switch and the internal 100 Mbps management module ports (ports 15 and 16) do not immediately change to the forwarding state. They remain in the listening state for a few seconds, during which time any traffic between the switch and management module is lost. This occurs if all of these conditions exist:
–The switch is in IEEE 802.1w rapid STP (RSTP) mode.
–An EtherChannel is configured between the switch external ports and any directly connected switches.
–The STP root port is part of the EtherChannel group.
There is no workaround. (CSCed89186)
•You can apply ACLs to a management VLAN or to any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic. For information on creating ACLs for these interfaces, see the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference for Cisco IOS Release 12.1.
•The SSH feature uses a large amount of switch memory, which limits the number of VLANs, trunk ports, and cluster members that you can configure on the switch. Before you download the cryptographic software image, your switch configuration must meet these conditions:
–The number of trunk ports multiplied by the number of VLANs on the switch must be less than or equal to 128. These are examples of switch configurations that meet this condition:
If the switch has 2 trunk ports, it can have up to 64 VLANs.
If the switch has 32 VLANs, it can have up to 4 trunk ports.
If your switch has a saved configuration that does not meet these conditions and you upgrade the switch software to the cryptographic software image, the switch might run out of memory. If this happens, the switch does not operate properly. For example, it might continuously reload.
If the switch runs out of memory, this message appears:
%SYS-2-MALLOCFAIL: Memory allocation of (number_of_bytes) bytes failed ...
The workaround is to check your switch configuration and to ensure that it meets the previous conditions. (CSCdw66805)
•When you use the policy-map global configuration command to create a policy map and do not specify any action for a class map, the association between that class map and policy map is not saved when you exit policy-map configuration mode.
The workaround is to specify an action in the policy map. (CSCdx75308)
•When the Internet Group Management Protocol (IGMP) Immediate Leave is configured, new ports are added to the group membership each time a join message is received, and ports are pruned (removed) each time a leave message is received.
If the join and leave messages arrive at a high rate, the CPU can become busy processing these messages. For example, the CPU usage is approximately 50 percent when 50 pairs of join and leave messages are received each second. Depending on the rate at which join and leave messages are received, the CPU usage can go very high, even up to 100 percent, as the switch continues processing these messages.
The workaround is to only use the Immediate Leave processing feature on VLANs where a single host is connected to each port. (CSCdx95638)
•In a Remote Switched Port Analyzer (RSPAN) session, if at least one switch is used as an intermediate or destination switch and if traffic for a port is monitored in both directions, traffic does not reach the destination switch.
These are the workarounds:
–Use a Catalyst 3550 or Catalyst 6000 switch as an intermediate or destination switch.
–Monitor traffic in only one direction if a switch module is used as an intermediate or destination switch. (CSCdy38476)
•If you assign a nonexistent VLAN ID to a static-access EtherChannel by setting the ciscoVlanMembershipMIB:vmVlan object, the switch does not create the VLAN in the VLAN database. (CSCdy65850)
•When you configure a dynamic switch port by using the switchport access vlan dynamic interface configuration command, the port might allow unauthorized users to access network resources if the interface changes from access mode to trunk mode through Dynamic Trunking Protocol (DTP) negotiation.
The workaround is to configure the port as a static access port. (CSCdz32556)
•The output from the show stack privileged EXEC command might show a large number of false interrupts.
There is no workaround. The number of interrupts does not affect the switch functionality. (CSCdz34545)
•If you configure a static secure MAC address on an interface before enabling port security on the interface, the same MAC address is allowed on multiple interfaces. If the same MAC address is added on multiple ports before enabling port security and port security is later enabled on those ports, only the first MAC address can be added to the hardware database. If port security is first enabled on the interface, the same static MAC address is not allowed on multiple interfaces. (CSCdz74685)
•If you press and hold the spacebar while the output of any show user EXEC command is being displayed, the Telnet session stops, and you can no longer communicate with the management VLAN.
These are the workarounds:
–Enter the show commands from privileged EXEC mode, and use this command to set the terminal length to zero:
switch# terminal length 0
–Open a Telnet session directly from a PC or workstation to the switch.
–Do not hold down the spacebar while scrolling through the output of a show user EXEC command. Instead, slowly press and release the spacebar. (CSCea12888)
•When you connect a switch to another switch through a trunk port and the number of VLANs on the first switch is lower than the number on the connected switch, interface errors are received on the management VLAN of the first switch.
The workaround is to match the configured VLANs on each side of the trunk port. (CSCea23138)
•When you enable Port Fast on a static-access port and then change the port to dynamic, Port Fast remains enabled. However, if you change the port back to static, Port Fast is disabled.
The workaround is to configure Port Fast globally by using the spanning-tree portfast global configuration command. (CSCea24969)
•When using the SPAN feature, the monitoring port receives copies of sent and received traffic for all monitored ports. If the monitoring port is oversubscribed, it will probably become congested. This might also affect how one or more of the monitored ports forwards traffic.
•If there is not a good distribution of MAC addresses on a port channel, the switch might drop packets even though the port-channel has not reached 100 percent utilization.
The workaround is to use a different load balancing method (for example, use destination-based forwarding instead of source-based forwarding). (CSCeb75386)
•If the switch has learned over 4000 MAC addresses, the clear mac address-table dynamic user EXEC command does not clear all of the addresses from the MAC address table.
The workaround is to repeatedly enter the clear mac address-table dynamic user EXEC command until the address table is cleared. (CSCec02055)
•Port security is not supported on the internal 100 Mbps management module ports (ports 15 and 16). Preventing port security on these ports prevents the blocking of communication between the management module and the switch. (CSCec10814)
•After a topology change in STP, some servers or workstations connected to the management VLAN can transfer data because the affected switch ports start forwarding before they move to the forwarding state.
Note If the terminal does not belong to management VLAN, this failure does not occur.
The workaround is to place the ports in static-access mode for a single VLAN if the topology supports this configuration. (CSCec13986)
•The output of the show flowcontrol user EXEC command incorrectly shows that the switch is not receiving and sending pause frames.
The workaround is to use the show controllers ethernet-controller privileged EXEC command to display the sent and received pause packets for a specific port. (CSCec74979)
•If the internal 100 Mbps management module ports (ports 15 and 16) and the external 10/100/1000 ports (ports 17 to 20) are members of a VLAN or multiple VLANs, the spanning-tree states incorrectly show that a Layer 2 loop has occurred. In reality, there is no STP loop. (CSCed03370)
•The Ethernet ports on the management module have a fixed static trunk configuration. This configuration cannot be changed. IP phones should not be connected to these management module ports. (CSCed11638)
•The monitor session is placed in inactive state if a port is configured to be a Switched Port Analyzer (SPAN) destination port in a SPAN session and if a source port is not configured. While in this state, the source port cannot send and receive traffic, and no address learning occurs on the destination port. (CSCed20563)
These are the workarounds:
–Identify a source port for the SPAN session.
–Disable the SPAN session, and remove the designation of destination port for the port.
–Use the shutdown and no shutdown interface configuration commands on the designated destination port.
•Note that the switch default native VLAN is VLAN 2, not VLAN 1, on the switch external 10/100/1000 ports (ports 17 to 20). The native VLAN of a trunk interface can be removed from the allowed VLAN list. This can affect IP connectivity to the switch management VLAN.
The workaround is to add the native VLAN back to the allowed VLAN list on the trunk interface. (CSCed25956)
•When connected to some third-party devices that send early preambles, a switch port operating at 100 Mbps full duplex or 100 Mbps half duplex might bounce the line protocol up and down. The problem occurs only when the switch is receiving frames.
The workaround is to configure the port for 1000 Mbps and full duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
•If the switch is running IEEE 802.1w rapid STP (RSTP) mode and a directly connected switch is running IEEE 802.1D per-VLAN spanning-tree plus (PVST+), the switch runs PVST+ as expected. However, if the connected switch changes its configuration to RSTP, the switch continues to send IEEE 802.1D BPDUs instead of sending IEEE 802.1w BPDUs.
The workaround is to use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches). (CSCed40295)
•All unknown unicast and broadcast traffic in an EtherChannel is sent to the port configured as the designated port. If this is the only type of traffic on the EtherChannel, it could reduce the aggregate bandwidth and speed on this port. (CSCed47701)
•When using the police policy-map class configuration command on Gigabit-capable Ethernet ports, a burst-byte value less than 8192 can cause the service policy configuration to fail.
The workaround is to enter a burst-byte value that is greater than or equal to 8192. (CSCed63013)
•If a switch receives STP packets and non-STP packets that have a CoS value of 6 or 7 and all of these packets belong to the same management VLAN, a loop might occur.
These are the workarounds:
–Change the CoS value of the non-STP packets to a value other than 6 or 7.
–If the CoS value of the non-STP packets must be 6 or 7, configure these packets to belong to a VLAN other than the management VLAN. (CSCed88622)
•If the switch does not receive traffic from stations in the network, it prematurely removes and then re-adds their dynamic MAC addresses from the MAC address table. This causes temporary flooding when the switch receives a packet for the affected addresses.
There is no workaround. (CSCed92062)
•Using the spanning-tree bpduguard enable interface configuration command on the internal management module ports (ports 15 and 16) might change the port state to error-disabled. Because the switch does not allow the administrative state on the management module ports to be changed through the CLI, HTTP, or SNMP, the internal management module port remains in the error-disabled state. An entry in the system message log is added.
This problem only occurs when there are two switches in the BladeCenter chassis. The first switch sends out the BPDU packet on its interface, and it is received by the second switch being monitored. If there are no other switches present in the chassis, the interface does not go into error-disabled state.
The workaround is to reboot the switch after disabling BPDU guard on the switch or on the internal management module ports. Make sure that the saved configuration for the switch does not have BPDU guard enabled. (CSCee27729)
•When a PC is attached to a switch through a hub, is authenticated on an IEEE 802.1x multiple-hosts port, is moved to another port, and is then attached through another hub, the switch does not authenticate the PC.
The workaround is to decrease the number of seconds between re-authentication attempts by entering the dot1x timeout reauth-period seconds interface configuration command. (CSCeg41561)
•The bootloader on a switch can take a long time to load the IOS image (longer than 40 seconds), even when there is a valid image pointed to by the bootloader.
There is no workaround. (CSCeh01976)
•IP connectivity and VLAN access to a switch are lost under these conditions:
–The switch is restored to the factory defaults.
–The switch is reloaded.
–A saved configuration file that has the VTP domain name set to something other than null is transferred to the switch using TFTP.
These are the workarounds. You only need to do one of these:
–After resetting the factory defaults on the switch, edit the switch configuration file and change the VTP domain name so that it matches the VTP name in the saved configuration file you are going to TFTP onto the switch.
–Before using TFTP to transfer the saved configuration file onto the switch, use a text editor to remove the VTP domain name in the saved configuration file. After you transfer the file and reload the switch, edit the configuration file and change the VTP domain name back to the desired name.
–If you are starting from a switch that is set to the factory defaults, transfer the configuration file with TFTP and reload the switch. Connect to the switch through the console port and reload the switch again.
–Instead of transferring the configuration file by TFTP, use a text editor to open the configuration file on the switch and copy and paste in the new configuration file. (CSC54813)
•When the switch is fast aging MAC addresses or learning MAC addresses at an extremely high rate, frames are lost for about one or two seconds when the switch is updating the MAC address table. A Topology Change Notification can contribute to the occurrence of this symptom.
The workaround to reduce unnecessary Topology Change Notifications is to use the spanning-tree portfast [trunk] interface configuration command to configure Port Fast on all switch ports in the entire VLAN that are connected to end-stations. (CSCei63842)
•When the switch restarts, the VLAN 1 interface is placed in the administrative down (shutdown) state even though VLAN 1 is configured as administrative up (no shutdown).
These are workarounds:
–Place the VLAN 1 interface in the administrative up state by using the no shutdown interface command after the switch restarts.
–Designate the VLAN 1 interface as the primary management VLAN by using the management interface configuration command.
–Do not use the VLAN 1 interface for managing the switch. (CSCsc78651)
•This switch does not support the following IOS commands:
–aaa authentication feature default enable (CSCse26670)
–aaa authentication feature default line (CSCse26670)
–file verify auto (CSCse43963)
•Certain combinations of features create conflicts with the port security feature. In Table 3, No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time.
Table 3 Port Security Incompatibility with Other Switch Features
No
Trunk port | No
Dynamic-access port (3) | No
SPAN source port | Yes
SPAN destination port | No
EtherChannel | No
Protected port | Yes
IEEE 802.1x port | Yes
(1) DTP = Dynamic Trunking Protocol
(2) A port configured with the switchport mode dynamic interface configuration command
(3) A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command
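An added example, not part of the Cisco release notes: a Python audit of a saved configuration against several of the limitations listed above (CSCdz32556, CSCee27729, CSCec10814, CSCed25956, CSCdw66805, and the trunk and dynamic-access entries of Table 3). The sample configuration is constructed; the GigabitEthernet0/<port> interface naming and the VLAN count supplied by the caller (for example, read from show vlan) are assumptions.

```python
import re

# Constructed sample configuration, not captured from a real switch.
# Assumption: interfaces are named GigabitEthernet0/<port number>.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan dynamic
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/15
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 switchport mode trunk
 switchport port-security
!
interface GigabitEthernet0/17
 switchport mode trunk
 switchport trunk native vlan 2
 switchport trunk allowed vlan 10,20-30
!
interface GigabitEthernet0/18
 switchport mode trunk
 switchport trunk allowed vlan 2,10
!
"""

MGMT_PORTS = {15, 16}              # internal management module ports
EXTERNAL_PORTS = {17, 18, 19, 20}  # external 10/100/1000 ports
EXTERNAL_NATIVE_VLAN = 2           # default native VLAN on the external ports
TRUNK_VLAN_LIMIT = 128             # trunk ports x VLANs, cryptographic image

ADVICE = {
    "CSCdz32556": "dynamic-access port can become a trunk through DTP; use a static access port",
    "CSCee27729": "BPDU guard can leave a management module port error-disabled; disable it and reboot",
    "CSCec10814": "port security is not supported on the management module ports",
    "Table 3": "port security cannot be enabled on a trunk or dynamic-access port",
    "CSCed25956": "native VLAN is missing from the trunk allowed VLAN list; add it back",
    "CSCdw66805": "trunk ports x VLANs exceeds 128; the cryptographic image might run out of memory",
}

def parse_interfaces(config):
    """Return {port_number: [stripped sub-commands]} for each interface block."""
    ports, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface \S*?/(\d+)$", raw)
        if m:
            current = ports.setdefault(int(m.group(1)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return ports

def expand_vlans(spec):
    """Expand a VLAN list such as '10,20-30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_vlans(port, lines):
    """Return (native VLAN or None, allowed VLAN set or None) for a trunk port."""
    native = EXTERNAL_NATIVE_VLAN if port in EXTERNAL_PORTS else None
    allowed = None
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)
        if m:
            allowed = (allowed or set()) | expand_vlans(m.group(1))
    return native, allowed

def audit(config, vlan_count):
    """Return a list of (port or None, reference) findings."""
    findings, trunks = [], 0
    for port, lines in sorted(parse_interfaces(config).items()):
        trunk = "switchport mode trunk" in lines
        dynamic = "switchport access vlan dynamic" in lines
        port_sec = "switchport port-security" in lines
        trunks += trunk
        if dynamic:
            findings.append((port, "CSCdz32556"))
        if port in MGMT_PORTS and "spanning-tree bpduguard enable" in lines:
            findings.append((port, "CSCee27729"))
        if port in MGMT_PORTS and port_sec:
            findings.append((port, "CSCec10814"))
        if port_sec and (trunk or dynamic):
            findings.append((port, "Table 3"))
        if trunk:
            native, allowed = trunk_vlans(port, lines)
            if native is not None and allowed is not None and native not in allowed:
                findings.append((port, "CSCed25956"))
    if trunks * vlan_count > TRUNK_VLAN_LIMIT:
        findings.append((None, "CSCdw66805"))
    return findings

if __name__ == "__main__":
    for port, ref in audit(SAMPLE_CONFIG, vlan_count=33):
        where = "switch" if port is None else f"port {port}"
        print(f"{where}: {ADVICE[ref]} ({ref})")
```

Only explicit allowed VLAN lists (including the add form) are evaluated; keyword forms such as all or except are skipped rather than guessed.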
Device Manager Limitations and Restrictions
These are the device manager limitations and restrictions:
•Clustering is not supported in releases later than Cisco IOS 12.1(14)AY4.
•When you are prompted to accept the security certificate and you click No, you see only a blank screen, and the device manager does not start.
The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)
•In the device manager express setup page, Telnet access is shown as disabled. Telnet access is enabled on the device by configuring the username and then login local on the vty lines.
The workaround is to use the CLI to check for Telnet status or to configure passwords on vty lines to enable Telnet access. (CSCeh28776)
•The duplex setting shown by the device manager for an Ethernet interface is not the same as the duplex setting in the running configuration. This occurs when you change only the duplex setting on the device manager from Auto to Full. The speed setting remains Auto. When the device manager page is refreshed after the configuration change, the duplex setting is reported as Auto.
The workaround is to configure the Ethernet interface at 10, 100, or 1000 Mbps, remove the full duplex setting on the Ethernet interface and let the duplex return to Auto. If you had configured full duplex because the Ethernet interface was autonegotiating to half duplex, configure the speed and duplex settings on both link partners. (CSCeh58774)
Important Notes
These important notes apply to all switches unless otherwise noted.
This section describes important information related to this release:
•"Device Manager Notes" section
Cisco IOS Notes
These are the Cisco IOS configuration notes related to this release:
•IGMP filtering controls only group-specific queries and membership reports, including join and leave reports. It does not control general IGMP queries.
•When an IEEE 802.1x-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not change to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to change to the unauthorized state when the re-authentication time is the default value (3600 seconds).
The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout re-authperiod seconds global configuration command. (CSCdz38483)
•The guest VLAN might not assign a DHCP address to some clients. This is a problem with the IEEE 802.1x client, not with the switch.
The workaround is to either release and renew the IP address or to change the default timers. These examples show typical interface timer changes:
dot1x timeout quiet-period 3
dot1x timeout tx-period 5
•The transmit-interface type number interface configuration command is not supported.
Device Manager Notes
These notes apply to the device manager:
•We recommend this browser setting to reduce the time needed to display the device manager in Microsoft Internet Explorer.
From Microsoft Internet Explorer:
1. Choose Tools > Internet Options.
2. Click Settings in the "Temporary Internet files" area.
3. From the Settings window, choose Automatically.
4. Click OK.
5. Click OK to exit the Internet Options window.
•The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
•The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.
If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch.
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
•If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.cisco.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot start the device manager.
Open Caveats
There are no open caveats in this release.
Resolved Caveats
These caveats were resolved in Cisco IOS Release 12.1(22)EA12:
•CSCso23104
This error message no longer appears when you log in to the switch:
SCHAN ERROR INTR: unit=0 SRC=13 DST=15 OPCODE=20 ERRCODE=66
•CSCso70964
The switch now correctly saves the no errdisable detect cause dhcp-rate-limit global configuration command to the saved configuration. (In previous releases, the command was not in the saved configuration after you reloaded the switch.)
•CSCsm71433
When the guest VLAN is an access VLAN and the dot1x control-direction in interface configuration command is configured on a port, a new device is now placed in the guest VLAN when a supplicant is not available.
•CSCsl98167
A port now passes packets when both an access control list (ACL) and a service policy are configured on the port.
•CSCsl63734
When the Cisco IGESM switch is connected to an Advanced Management Module (AMM) and both are in protected mode, the link no longer stays down after the AMM reboots.
Documentation Updates
This section provides updates to the product documentation:
•"Software Configuration Guide Updates" section
•"Command Reference Updates" section
•"System Message Guide Updates" section
These changes will be included in the next revision of the Cisco IGESM blade switch documentation.
Software Configuration Guide Updates
The switch does not support the verify user EXEC command.
These corrections apply to the software configuration guide in the referenced chapter.
"Configuring IEEE 802.1x Port-Based Authentication" Chapter
This information about the dot1x timeout tx-period seconds interface configuration command is incorrect:
The range for seconds is from 5 to 65535.
The correct range is from 1 to 65535 seconds.
"Configuring Network Security with ACLs" Chapter
This information was corrected in the Applying ACLs to a Physical Interface section:
This example shows how to apply access list 2 on an interface to filter packets entering the interface:
Switch(config)# interface gigabitethernet0/20
Switch(config-if)# ip access-group 2 in
"Assigning the Switch IP Address and Default Gateway" Chapter
This information was added to the chapter:
Configuring Protected Mode
By default, protected mode is disabled, and the BladeCenter chassis management module controls the CIGESM blade switch. In Cisco IOS Release 12.1(22)EA9 and later, you can enable protected mode to prevent the management module from controlling the blade switch. When the management module is locked out of control of the switch, server administrators cannot manage the switch from the management module. When protected mode is enabled, the chassis management module cannot control or configure these features and functions of the CIGESM blade switch:
•IP addresses
•Administration of external ports
•Whether the blade switch can be managed with traffic received over external ports
•That the CIGESM will not revert to the manufacturing default configuration
Note To prevent physical damage to the blade switch, the management module can still reboot or power down the blade switch if the switch is in protected mode and an over-temperature or over-current condition is detected by the module.
Protected Mode Guidelines and Restrictions
These guidelines and restrictions apply to protected mode:
•Protected mode must be enabled on the chassis management module before you enter this command on the blade switch. For information about enabling protected mode on the chassis management module, see the management module documentation at this URL:
http://www-03.ibm.com/servers/eserver/support/bladecenter/index.html
•After protected mode is operational on the switch, the management module cannot configure or administer the blade switch.
•The blade switch must be rebooted for protected mode to become operational.
•Protected mode remains active even when the switch is moved to another chassis.
•Recovery from lost passwords requires direct access through the external serial port on the switch.
Beginning in privileged EXEC mode, follow these steps to enable protected mode and prevent the management module from controlling the switch:
To disable protected mode and return control of the blade switch to the management module, enter the no platform chassis-management protected-mode global configuration command.
Command Reference Updates
These changes were made to the command reference.
•This information about the dot1x timeout tx-period seconds interface configuration command is incorrect:
The range for seconds is from 5 to 65535.
The correct range is from 1 to 65535 seconds.
•The usage guidelines for the set and unset bootloader commands in the command reference are incorrect.
These are the correct usage guidelines for the set command:
Environment variables are case sensitive and must be entered as documented.
Environment variables that have values are stored in flash memory outside of the flash file system.
Under normal circumstances, it is not necessary to alter the setting of the environment variables.
The MANUAL_BOOT environment variable can also be set by using the boot manual global configuration command.
The BOOT environment variable can also be set by using the boot system filesystem:/file-url global configuration command.
The ENABLE_BREAK environment variable can also be set by using the boot enable-break global configuration command.
The HELPER environment variable can also be set by using the boot helper filesystem:/file-url global configuration command.
The CONFIG_FILE environment variable can also be set by using the boot config-file flash:/file-url global configuration command.
The HELPER_CONFIG_FILE environment variable can also be set by using the boot helper-config-file filesystem:/file-url global configuration command.
The bootloader prompt string (PS1) can be up to 120 printable characters except the equal sign (=).
These are the correct guidelines for the unset command:
Under normal circumstances, it is not necessary to alter the setting of the environment variables.
The MANUAL_BOOT environment variable can also be reset by using the no boot manual global configuration command.
The BOOT environment variable can also be reset by using the no boot system global configuration command.
The ENABLE_BREAK environment variable can also be reset by using the no boot enable-break global configuration command.
The HELPER environment variable can also be reset by using the no boot helper global configuration command.
The CONFIG_FILE environment variable can also be reset by using the no boot config-file global configuration command.
The HELPER_CONFIG_FILE environment variable can also be reset by using the no boot helper-config-file global configuration command.
These commands were added to the command reference:
•platform chassis-management protected-mode
platform chassis-management protected-mode
Use the platform chassis-management protected-mode global configuration command to enable protected mode on the CIGESM blade switch. Use the no form of this command to return to the default setting.
platform chassis-management protected-mode
no platform chassis-management protected-mode
Syntax Description
This command has no arguments or keywords.
Defaults
Protected mode is turned off.
Command Modes
Global configuration
Command History
Usage Guidelines
By default, the IBM management module controls the blade switch. When you enter this command, control of the blade switch by the management module is disabled.
Protected mode must be enabled on the chassis management module before you enter this command on the blade switch. For information about enabling protected mode on the chassis management module, see the management module documentation at this URL:
http://www-03.ibm.com/servers/eserver/support/bladecenter/index.html
You must reboot the blade switch after entering the command.
The switch blocks this command if, after rebooting, an IP-manageable interface on the switch module is not reachable from an external interface. (This prevents the switch module from being unmanageable after reboot.)
Related Commands
Command                  Description
show platform summary    Displays information about how the switch status interacts with the BladeCenter chassis.
show platform summary
Use the show platform summary user EXEC command to display information about how the switch interprets its interface with the BladeCenter chassis.
show platform summary
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Command History
Release        Modification
12.1(14)AY     This command was introduced.
12.1(22)EA9    Support for status of protected mode was added.
Examples
This is an example of output from the show platform summary command:
Switch# show platform summary
Platform Summary:
Switch Slot: 2
Chassis Type: BladeCenter
Current IP Addr: 10.10.139.221, 255.255.255.224, gw: 10.10.139.193
Default IP Addr: 10.10.10.92, 255.255.255.0, gw: 0.0.0.0
IP Fields read from VPD: 10.10.139.221, 255.255.255.224, gw: 10.10.139.193
Static IP Fields in VPD: 10.10.139.221 255.255.255.224 10.10.139.193
IP Acquisition Method used: static
Active Mgmt Module in Mgmt Slot: 1
Native Vlan for Mgmt Module Ethernet ports: 1
External Mgmt over Extern ports Disabled
Mgmt Module Protected Mode: Not operational
Mgmt Module Protected Mode configured on switch: FALSE
Mgmt Module enabled Protected Mode: FALSE
ESM_SFP_3_#
Related Commands
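The protected-mode lines in the show platform summary output above can be checked mechanically when auditing several blade switches. This Python script is an added example, not Cisco or IBM code; it assumes the affirmative values print as TRUE and Operational (this document shows only FALSE and Not operational), and the state names are the example's own.

```python
import re

# Output copied from the example in this document (prompt lines omitted).
SAMPLE = """\
Platform Summary:
Switch Slot: 2
Chassis Type: BladeCenter
Current IP Addr: 10.10.139.221, 255.255.255.224, gw: 10.10.139.193
Default IP Addr: 10.10.10.92, 255.255.255.0, gw: 0.0.0.0
IP Fields read from VPD: 10.10.139.221, 255.255.255.224, gw: 10.10.139.193
Static IP Fields in VPD: 10.10.139.221 255.255.255.224 10.10.139.193
IP Acquisition Method used: static
Active Mgmt Module in Mgmt Slot: 1
Native Vlan for Mgmt Module Ethernet ports: 1
External Mgmt over Extern ports Disabled
Mgmt Module Protected Mode: Not operational
Mgmt Module Protected Mode configured on switch: FALSE
Mgmt Module enabled Protected Mode: FALSE
"""

# One pattern per line of interest; [ \t]* keeps each match on its own line.
PATTERNS = {
    "operational": r"^Mgmt Module Protected Mode:[ \t]*(.*)$",
    "on_switch": r"^Mgmt Module Protected Mode configured on switch:[ \t]*(.*)$",
    "on_mm": r"^Mgmt Module enabled Protected Mode:[ \t]*(.*)$",
    "external_mgmt": r"^External Mgmt over Extern ports[ \t]+(.*)$",
}


def parse_summary(text):
    """Return the raw value of each field, or None when the line is absent."""
    fields = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        fields[name] = match.group(1).strip() if match else None
    return fields


def assess(text):
    """Classify the protected-mode state reported by one switch."""
    fields = parse_summary(text)
    result = {"external_mgmt": fields["external_mgmt"]}
    missing = [n for n in ("operational", "on_switch", "on_mm") if not fields[n]]
    if missing:
        # Truncated capture or a release without protected-mode status lines.
        result.update(state="unknown", detail="missing: " + ", ".join(missing))
        return result

    # Assumption: affirmative values are "Operational" and "TRUE".
    operational = fields["operational"].lower() == "operational"
    on_switch = fields["on_switch"].upper() == "TRUE"
    on_mm = fields["on_mm"].upper() == "TRUE"

    if operational:
        state, detail = "protected", "management module is locked out"
    elif on_switch and on_mm:
        # The guidelines say a reboot is required before it takes effect.
        state, detail = "reboot-pending", "configured on both sides, not yet operational"
    elif on_switch:
        state, detail = "mismatch", "set on the switch, not enabled on the management module"
    elif on_mm:
        state, detail = "switch-not-configured", "enabled on the management module only"
    else:
        state, detail = "unprotected", "management module controls the switch (default)"
    result.update(state=state, detail=detail)
    return result


if __name__ == "__main__":
    print(assess(SAMPLE))
```
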
System Message Guide Updates
These messages were added to the system message guide:
Error Message ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on [chars].
Explanation A loopback condition might be the result of a balun cable incorrectly connected to a port. [chars] is the interface name.
Recommended Action Check the cables. If a balun cable is connected and the loopback condition is desired, no action is required. Otherwise, connect the correct cable, and then enable the port.
Error Message DOT1X-5-ERR_INVALID_AAA_MANDATORY_AV: Received unknown mandatory AV: [chars]=[chars]
Explanation During authentication, authorization, and accounting (AAA) authorization, the switch received an unexpected mandatory Attribute-Value (AV) pair. The first [chars] is the AV pair name, and the second [chars] is the type of packet.
Recommended Action Check the RADIUS server configuration and ensure that the switch does not send the AV pair to the RADIUS server as part of the user profile information.
Error Message HARDWARE-2-FAN_ERROR: Fan [chars] Failure
Explanation The switch fan is not working. [chars] is the fan name.
Recommended Action This is a hardware failure. The fan might recover automatically. If the fan failure persists, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, contact Cisco technical support and provide the representative with the gathered information. For more information about the online tools and about contacting Cisco, see the "Error Message Traceback Reports" section in the "System Message Overview" chapter.
Error Message RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message [chars] for session [chars] failed to receive Accounting Response.
Explanation The RADIUS server has not responded after the maximum number of retransmissions. The first [chars] is the type of accounting message, and the second [chars] is the accounting session identifier.
Recommended Action Make sure that there is network connectivity between the switch and the RADIUS server and that the server is running.
Error Message SPANTREE-7-PORTDEL_SUCCESS: [chars] deleted from Vlan [dec]
Explanation The interface has been deleted from the specified VLAN. [chars] is the interface, and [dec] is the VLAN ID.
Recommended Action No action is required.
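The message templates above can be turned into matchers so that collected syslog lines are decoded into named fields and paired with the recommended action. This Python script is an added example, not part of the Cisco documentation; the log lines, field names and the abbreviated action strings are constructed for illustration, and the severity digit is read from the message key.

```python
import re

# key: (template from this document, names for its placeholders, short action)
CATALOG = {
    "ETHCNTR-3-LOOP_BACK_DETECTED": (
        "Loop-back detected on [chars].", ("interface",),
        "Check the cables; re-enable the port once the correct cable is connected."),
    "DOT1X-5-ERR_INVALID_AAA_MANDATORY_AV": (
        "Received unknown mandatory AV: [chars]=[chars]", ("av_name", "packet_type"),
        "Check the RADIUS server configuration."),
    "HARDWARE-2-FAN_ERROR": (
        "Fan [chars] Failure", ("fan",),
        "Hardware failure; if it persists, record the message and contact support."),
    "RADIUS-3-NOACCOUNTINGRESPONSE": (
        "Accounting message [chars] for session [chars] failed to receive "
        "Accounting Response.", ("message_type", "session_id"),
        "Verify connectivity to the RADIUS server and that it is running."),
    "SPANTREE-7-PORTDEL_SUCCESS": (
        "[chars] deleted from Vlan [dec]", ("interface", "vlan_id"),
        "No action is required."),
}

PLACEHOLDER = re.compile(r"\[(chars|dec)\]")
# %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG = re.compile(r"%(?P<key>[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+):\s*(?P<text>.*)$")


def template_to_regex(template):
    """Escape the literal text and turn [chars]/[dec] into capture groups."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(r"(\d+)" if m.group(1) == "dec" else r"(.+?)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


MATCHERS = {key: template_to_regex(entry[0]) for key, entry in CATALOG.items()}


def triage(lines):
    """Decode each syslog line; return records sorted most severe first."""
    records = []
    for line in lines:
        parsed = SYSLOG.search(line)
        if not parsed:
            continue  # not a system message line
        key, text = parsed["key"], parsed["text"].strip()
        record = {"key": key, "severity": int(parsed["sev"]),
                  "fields": None, "action": None}
        if key in CATALOG:
            _, names, action = CATALOG[key]
            body = MATCHERS[key].fullmatch(text)
            if body:  # fields stay None if the text does not fit the template
                record["fields"] = dict(zip(names, body.groups()))
            record["action"] = action
        records.append(record)
    return sorted(records, key=lambda r: r["severity"])


# Constructed sample lines; the last message is not in this document's list.
SAMPLE_LOG = """\
*Mar  1 00:05:12: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on Gi0/17.
*Mar  1 00:07:40: %DOT1X-5-ERR_INVALID_AAA_MANDATORY_AV: Received unknown mandatory AV: example-attr=Access-Accept
*Mar  1 00:09:03: %SPANTREE-7-PORTDEL_SUCCESS: Gi0/3 deleted from Vlan 20
*Mar  1 00:11:55: %HARDWARE-2-FAN_ERROR: Fan 1 Failure
*Mar  1 00:12:10: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 0000001A failed to receive Accounting Response.
*Mar  1 00:13:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/17, changed state to up
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG.splitlines()):
        print(rec["severity"], rec["key"], rec["fields"], "->", rec["action"])
```
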
Related Documentation
In addition to this document, the following related documentation comes with the switch modules:
•Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter Software Configuration Guide
This Cisco document is in PDF format on the IBM BladeCenter Documentation CD. It has software configuration information for the switch modules. It provides:
–Configuration instructions
–Information about features
–Information about getting help
–Guidance for planning, implementing, and administering LAN operating system software
–Usage examples
–Troubleshooting information
•Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter System Command Reference
This document is in PDF format on the IBM BladeCenter Documentation CD. It includes:
–Command-line interface (CLI) modes
–CLI commands and examples
–Syntax description
–Defaults
–Command history
–Usage guidelines
–Related commands
•Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter System Message Guide
This document is in PDF format on the IBM BladeCenter Documentation CD. It has information about the switch-specific system messages. During operation, the system software sends these messages to the console or logging server on another system. Not all system messages indicate problems with the system. Some messages are informational, while others can help diagnose problems with communication lines, internal hardware, or the system software. This document also includes error messages that display when the system fails.
•Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM BladeCenter Installation Guide
•Cisco Systems Intelligent Gb Fiber Ethernet Switch Module for the IBM BladeCenter Installation Guide
These documents contain installation and configuration instructions for the modules. They also provide general information about your module, including warranty information, and how to get help. These documents are also on the IBM BladeCenter Documentation CD.
•BladeCenter Type 8677 Installation and User's Guide
This document is in PDF format on the IBM BladeCenter Documentation CD. It contains general information about your BladeCenter unit, including:
–Information about features
–How to set up, cable, and start the BladeCenter unit
–How to install options on the BladeCenter unit
–How to configure the BladeCenter unit
–How to perform basic troubleshooting of the BladeCenter unit
–How to get help
•BladeCenter Management Module User's Guide
This document is in PDF format on the IBM BladeCenter Documentation CD. It provides general information about the management module, including:
–Information about features
–How to start the management module
–How to install the management module
–How to configure and use the management module
•BladeCenter HS20 Installation and User's Guide (for each blade server type)
These documents are in PDF format on the IBM BladeCenter Documentation CD. Each provides general information about a blade server, including:
–Information about features
–How to set up and start your blade server
–How to install options on your blade server
–How to configure your blade server
–How to install an operating system on your blade server
–How to perform basic troubleshooting of your blade server
–How to get help
•Cisco IOS Release 12.1 documentation at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/tsd_products_support_series_home.html
For information about related products, see this document:
Cisco Small Form-Factor Pluggable Modules Installation Notes
Getting Help and Technical Assistance
If you need help, service, or technical assistance or just want more information about IBM products, you will find a wide variety of sources available from IBM to assist you. This appendix contains information about where to go for additional information about IBM and IBM products, what to do if you experience a problem with your BladeCenter system, and whom to call for service, if it is necessary.
Before You Call
Before you call, make sure that you have taken these steps to try to solve the problem yourself:
•Check all cables to make sure that they are connected.
•Check the power switches to make sure that the system is turned on.
•Use the troubleshooting information in your system documentation, and use the diagnostic tools that come with your system. Information about diagnostic tools is in the Hardware Maintenance Manual and Troubleshooting Guide on the IBM BladeCenter Documentation CD or at the IBM Support Web site.
•Go to the IBM Support Web site at this URL to check for technical information, hints, tips, and new device drivers:
http://www-304.ibm.com/jct01004c/systems/support/
You can solve many problems without outside assistance by following the troubleshooting procedures that IBM provides in the online help or in the publications that are provided with your system and software. The information that comes with your system also describes the diagnostic tests that you can perform. Most xSeries and IntelliStation® systems, operating systems, and programs come with information that contains troubleshooting procedures and explanations of error messages and error codes. If you suspect a software problem, see the information for the operating system or program.
Using the Documentation
Information about your IBM BladeCenter, xSeries, or IntelliStation system and preinstalled software, if any, is available in the documentation that comes with your system. That documentation includes printed books, online books, readme files, and help files. See the troubleshooting information in your system documentation for instructions for using the diagnostic programs. The troubleshooting information or the diagnostic programs might tell you that you need additional or updated device drivers or other software. IBM maintains pages on the World Wide Web where you can get the latest technical information and download device drivers and updates. To access these pages, go to this URL:
http://www-304.ibm.com/jct01004c/systems/support/
Also, you can order publications through the IBM Publications Ordering System at this URL:
http://www.ibm.com/shop/publications/order/
Getting Help and Information from the World Wide Web
On the World Wide Web, the IBM Web site has up-to-date information about IBM BladeCenter, xSeries, and IntelliStation products, services, and support. The address for IBM BladeCenter and xSeries information is http://www.ibm.com/xseries/. The address for IBM IntelliStation information is http://www.ibm.com/pc/intellistation/
You can find service information for your IBM products, including supported options, at
http://www-304.ibm.com/jct01004c/systems/support/
Software Service and Support
For more information about Support Line and other IBM services, go to http://www.ibm.com/services/, or go to http://www.ibm.com/planetwide/ for support telephone numbers. In the U.S. and Canada, call 1-800-IBM-SERV (1-800-426-7378).
Hardware Service and Support
You can receive hardware service through IBM Integrated Technology Services or through your IBM reseller, if your reseller is authorized by IBM to provide warranty service. Go to http://www.ibm.com/planetwide/ for support telephone numbers, or in the U.S. and Canada, call 1-800-IBM-SERV (1-800-426-7378).
In the U.S. and Canada, hardware service and support is available 24 hours a day, 7 days a week. In the U.K., these services are available Monday through Friday, from 9 a.m. to 6 p.m.
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product, and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Edition Notice
© Copyright International Business Machines Corporation 2008. All rights reserved.
U.S. Government Users Restricted Rights — Use, duplication, or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Trademarks
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
Cisco, Cisco IOS, Cisco Systems, the Cisco Systems logo, Catalyst, EtherChannel, IOS, IP/TV, Packet, and SwitchProbe are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Intel, MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Red Hat, the Red Hat "Shadow Man" logo, and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc., in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.