The Catalyst 2960-L switches are Ethernet switches to which you can connect devices such as Cisco IP Phones, Cisco Wireless Access Points, workstations, and other network devices such as servers, routers, and other switches.
Table 1 Catalyst 2960-L Switch Models
Cisco IOS Image
Cisco Catalyst 2960-L switch with 8 10/100/1000 Ethernet ports and 2 SFP module slots
Cisco Catalyst 2960-L PoE switch with 8 10/100/1000 Ethernet ports and 2 SFP module slots
Cisco Catalyst 2960-L switch with 16 10/100/1000 Ethernet ports and 2 SFP module slots
Cisco Catalyst 2960-L PoE switch with 16 10/100/1000 Ethernet ports and 2 SFP module slots
Cisco Catalyst 2960-L switch with 24 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco Catalyst 2960-L PoE switch with 24 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco Catalyst 2960-L switch with 48 10/100/1000 Ethernet ports and 4 SFP module slots
Cisco Catalyst 2960-L PoE switch with 48 10/100/1000 Ethernet ports and 4 SFP module slots, without fan
The Catalyst 2960-L switches support a wide range of optics. Because the list of supported optics is updated on a regular basis, consult the tables at this URL for the latest SFP+ and SFP module compatibility information:
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release number. The files necessary for web management are contained in a subdirectory. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
If you have a service support contract and order a software license or if you order a switch, you receive the universal software image and a specific software license.
Table 3 Software Image for Cisco Catalyst 2960-L
LAN Lite image
LAN Lite cryptographic image with Device Manager.
Features of the Switch
The Catalyst 2960-L switch supports the LAN Lite+ feature set. This provides standard Layer 2 security and quality of service (QoS) features, and up to 256 active VLANs. The switch models have reduced functionality and scalability with entry level features in Layer 2, and support Virtual Stacking.
Specific differences between the two feature sets are described in the following sections.
Cisco Catalyst Smart Operations is a comprehensive set of features that simplify LAN deployment, configuration, and troubleshooting. Catalyst Smart Operations enable zero touch installation and replacement of switches and fast upgrade, as well as ease of troubleshooting with reduced operational cost. Catalyst Smart Operations is a set of features that includes Smart Install, Auto Smartports, Smart Configuration, and Smart Troubleshooting to enhance operational excellence:
– Cisco Smart Install is a transparent plug-and-play technology that can configure the Cisco IOS software image and switch configuration without user intervention. Smart Install uses dynamic IP address allocation and the assistance of other switches to facilitate installation.
– Cisco Auto Smartports provide automatic configuration as devices connect to the switch port, allowing auto detection and plug and play of the device onto the network.
– Cisco Smart Configuration provides a single point of management for a group of switches and in addition adds the ability to archive and back up configuration files to a file server or switch allowing seamless zero touch switch replacement.
– Cisco Smart Troubleshooting is an extensive array of debug diagnostic commands and system health checks within the switch, including Generic Online Diagnostics (GOLD) and Onboard Failure Logging (OBFL).
– Auto Configuration determines the level of network access provided to an endpoint based on the type of the endpoint device.
Cisco Prime Infrastructure is a set of tools that enables you to automate much of the management of your Cisco network. It is supported with device pack1 (2.1) 4.
Interface templates provide a mechanism to configure multiple commands at the same time and associate it with a target (such as an interface). An interface template is a container of configurations or policies that can be applied to specific ports.
The Cisco Catalyst 2960-L Series Switches provide a range of security features to limit access to the network and mitigate threats.
Port security secures the access to an access or trunk port based on MAC address. It limits the number of learned MAC addresses to deny MAC address flooding.
DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
Dynamic ARP inspection (DAI) to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
Flexible authentication that supports multiple authentication mechanisms including 802.1X, MAC Authentication Bypass and web authentication using a single, consistent configuration.
Open mode that creates a user friendly environment for 802.1X operations.
Comprehensive RADIUS Change of Authorization capability for asynchronous policy management.
Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control-plane and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic.
Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
Secure Shell (SSH) Protocol and Simple Network Management Protocol Version 3.
(SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
Bidirectional data support on the Switched Port Analyzer (SPAN) port allows Cisco Intrusion Detection.
TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
MAC address notification allows administrators to be notified of users added to or removed from the network.
Multilevel security on console access prevents unauthorized users from altering the switch configuration.
Bridge protocol data unit (BPDU) Guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
IGMP filtering provides multicast authentication by filtering out non-subscribers and limits the number of concurrent multicast streams available per port.
802.1x monitor mode allows companies to enable authentication across the wired infrastructure in an audit mode without affecting wired users or devices. It helps IT administrators smoothly manage 802.1x transitions by allowing access and logging system messages when a device requires reconfiguration or is missing an 802.1x supplicant.
Deployment and Control Features
Dynamic Host Configuration Protocol (DHCP) Auto-configuration of multiple switches through a boot server eases switch deployment.
Auto-negotiation on all ports automatically selects half- or full-duplex transmission mode to optimize bandwidth.
Dynamic Trunking Protocol (DTP) facilitates dynamic trunk configuration across all switch ports.
Port Aggregation Protocol (PAgP) automates the creation of Cisco Fast EtherChannel groups and Gigabit groups.
Link Aggregation Control Protocol (LACP) allows the creation of Ethernet channeling with devices that conform to IEEE 802.3ad.
Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD allow unidirectional links caused by incorrect wiring. Also, port faults can be detected and disabled on the interfaces.
Internet Group Management Protocol (IGMP) v1, v2, v3 Snooping for IPv4. MLD v1 and v2 Snooping provide fast client joins and leaves of multicast streams and limit bandwidth-intensive video traffic to only the requestors.
Voice VLAN simplifies telephony installations by keeping voice traffic on a separate VLAN for easier administration and troubleshooting.
The Embedded Remote Monitoring (RMON) software agent supports four RMON groups (history, statistics, alarms, and events) for enhanced traffic management, monitoring, and analysis.
Layer 2 traceroute eases troubleshooting by identifying the physical path that a packet takes from source to destination.
Trivial File Transfer Protocol (TFTP) reduces the cost of administering software upgrades by downloading from a centralized location.
Network Timing Protocol (NTP) provides an accurate and consistent timestamp to all intranet switches.
Storm control for unicast, broadcast and multicast traffic to prevent disruption in the network due to packet flooding on the LAN.
IEEE 802.1s/w Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) provide rapid spanning-tree convergence independent of spanning-tree timers and also offers the benefit of Layer 2 load balancing and distributed processing.
Switch-port auto-recovery (error-disable) automatically attempts to reactivate a link that is disabled because of a network error.
Limitations and Restrictions
There is limit of 384 ACEs for MAC/IPv4 and 256 ACEs for IPv6. For some scenarios, one ACE entry can lead to 2 TCAM entries. For IPv6, 512 TCAM entries are used per ASIC.
Extension header match options for IPv6 PACLs are not supported on the switch. Also, PACLs not supported in the out direction.
Storm control for multicast with PPS and % may not work.
Features Introduced in Cisco IOS Release 15.2(6)E3
Features Introduced in Cisco IOS Release 15.2(6)E2
IP Source Guard – This feature restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. It prevents traffic attacks if a host tries to use the IP address of its neighbor and you can enable IP source guard when DHCP snooping is enabled on an untrusted interface.
MAC Authentication Bypass (MAB) and Webauth with downloadable ACLs (dACL) – This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using MAB or Web authentication in addition to IEEE 802.1X.
IEEE 802.1x User Distribution – This features enables you to load-balance users with the same group name across multiple different VLANs.
Disable Per VLAN MAC Learning – Use this feature to manage the available MAC address table space by controlling which interfaces or VLANs can learn MAC addresses.
Web Authentication Redirection to Original URL – This feature enables networks to redirect guest users to the URL that they had originally requested.
The Cisco DHCP Option 82 Configurable Circuit ID and Remote ID provides more naming choices in the sub-options. For example, you can use a switch-configured hostname or specify an ASCII text string for the remote ID, and you can configure an ASCII text string to override the circuit ID.
AAA guarantee-first support – A new command guarantees system accounting as the first record.
The number of supported SPAN sessions is increased to four.
SSHv2 allows use of digital certificates for authentication between user and server.
Features Introduced in Cisco IOS Release 15.2(6)E1
Link-state tracking: This feature, also known as trunk failover, binds the link state of multiple interfaces. The server NIC adapters team-up to provide redundancy in the network. When the server NIC adapters are configured in a primary or secondary relationship, and the link is lost on the primary interface, network connectivity is transparently changed to the secondary interface.
802.1x Support with Network Edge Access Topology (NEAT) - This feature extends identity authentication to areas outside the wiring closet (such as conference rooms). You can configure a switch to act as a supplicant to another switch by using the 802.1x supplicant feature and authenticate with the upstream switch for secure connectivity. This allows any type of device to authenticate on the port.
Quality of Service (QoS) through Ingress Policing: This feature allows you to analyze IP service levels for IP applications and services by using active traffic monitoring—generating traffic in a continuous, reliable, and predictable manner—for measuring network performance. The number of ingress policers available per port is 64.
QoS through Differentiated Services Code Point (DSCP) Mapping and Filtering: Each policer decides on a packet-by-packet basis whether the packet is in or out of profile and specifies the actions on the packet. These actions, carried out by the marker, include passing through the packet without modification, dropping the packet, or modifying (marking down) the assigned DSCP of the packet and allowing the packet to pass through.
QoS through Traffic Classification: Class-maps are introduced to classify ingress traffic by naming a specific traffic flow (or class) and to isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it. You can match traffic based on DSCP, CoS and ACLs.
Trust boundary configuration. Using the mls qos trust configuration option, you can configure the switch to trust all ingress traffic. With this functionality based on DSCP and CoS value, you can enable device based trust. If the device is connected to an interface, it will function on trusted mode.
Auto-QoS: This feature enables you to simplify the deployment of QoS features. It determines the network design and enables QoS configurations so that the switch can prioritize different traffic flows. It automatically classifies traffic based on the traffic type and ingress packet label. The device offers best-effort service to each packet, regardless of the packet contents or size, and sends it from a single queue.
Support for Resilient Ethernet Protocol (REP) - With this Cisco proprietary protocol, you get an alternative to Spanning Tree Protocol (STP) for controlling network loops, handling link failures, and improving convergence time in ring topologies. It provides a basis for constructing more complex networks and supports VLAN load balancing.
AAA command authorization is supported in Plug-n-Play (PnP) Agent: The PnP agent is enhanced to use credentials passed from the PnP server for TACACS or RADIUS authorization to complete PnP provisioning successfully.
Features Introduced in Cisco IOS Release 15.2(6)E
Loop Detection: A new method to detect network loops in the absence of Spanning Tree Protocol (STP) is introduced. When an edge switch is connected to an unmanaged switch that does not understand STP or it is part of a network topology where STP is not usable, the loop-detect sub-system sends a frame to the interface, at configured intervals, and detects loops.
Routing Information Protocol: (LANLite) - RIP is a commonly used routing protocol in small to medium TCP/IP networks. It is supported in both IPv4 and IPv6 network environments.
Service and Support
Information About Caveats
If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:
The Bug Search Tool (BST), which is the online successor to Bug Toolkit, is designed to improve the effectiveness in network risk management and device troubleshooting. The BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat listed in this document:
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.