Release Notes for the Catalyst 3750, 3560, and 2970 Switches, Cisco IOS Release 12.2(20)SE
Finding the Software Version and Feature Set
Upgrading a Switch by Using CMS
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
New Features for the Catalyst 3750, 3560, and 2970 Switches
New EMI Features for the Catalyst 3750 and 3560 Switches
New Stacking Features for the Catalyst 3750 Switch
Minimum Cisco IOS Release for Major Features
Cisco IOS Limitations and Restrictions
Stacking (Catalyst 3750 switch stack only)
Cluster Limitations and Restrictions
CMS Limitations and Restrictions
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE
Cisco CMS Caveats Resolved in Cisco IOS Release 12.2(20)SE
Corrections to the Catalyst 3750, 3560, and 2970 Switch Software Configuration Guides
Additions to the Catalyst 3750 Switch Software Configuration Guide
Major Version Number Incompatibility Among Switches
Minor Version Number Incompatibility Among Switches
Additions to the Catalyst 3750 Switch Command Reference
Correction to the Catalyst 3750, 3560, and 2970 Switch Hardware Installation Guides
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Cisco IOS Release 12.2(20)SE runs on all Catalyst 3750, 3560, and 2970 switches.
The Catalyst 3750 switches support stacking through Cisco StackWise technology. The Catalyst 3560 and 2970 switches do not support switch stacking. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch:
For the complete list of Catalyst 3750, 3560, and 2970 switch documentation, see the “Related Documentation” section.
You can download the switch software from these sites:
(for registered Cisco.com users with a login password)
(for nonregistered Cisco.com users)
This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.
This information is in the release notes:
The system requirements are described in these sections:
Table 1 lists the hardware supported on Cisco IOS Release 12.2SE.
– 12 SFP module slots
– 24 10/100 PoE ports and 2 SFP module slots
– 16 10/100/1000 ports and 1 XENPAK 10-Gigabit Ethernet module port
– 1000BASE-T, 1000BASE-SX, 1000BASE-LX, 1000BASE-ZX, and CWDM
– Cisco RPS 300 Redundant Power System (not supported on the Catalyst 3560 switch)
For hardware requirements, operating system, and browser recommendations for running the Cluster Management Suite (CMS), refer to the “Getting Started with CMS” chapter in the software configuration guide.
This release uses a CMS plug-in to run CMS. You can download the latest CMS plug-in for Windows from this URL:
http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=windows&version=1.1
This release uses a CMS plug-in that replaces the Java plug-in. You can download the latest CMS plug-in for Solaris from this URL:
http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=solaris&version=1.1
This section describes how to choose command and standby command switches when a cluster consists of a mixture of Catalyst switches. When creating a switch cluster or adding a switch to a cluster, follow these guidelines:
– Member switch only
CMS is not forward-compatible on command switches running Cisco IOS Release 12.1(14)EA1 and earlier. This means that if a member switch is running a release that is earlier than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device running a release that is later than the release on the command switch, the command switch cannot recognize the member switch, and the Front Panel view displays it as an unknown device. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to configure and to obtain reports for that member.
If you have a cluster with switches that are running different versions of Cisco IOS software, features added on the latest release might not be reflected on switches running the older releases. For example, if you start CMS on a Catalyst 2900 XL switch running Cisco IOS Release 11.2(8)SA6, the windows and functionality can be different from a switch running Cisco IOS Release 12.0(5)WC(1) or later.
Some early Cisco IOS releases do not support clustering.
For more information about clustering and CMS, refer to the software configuration guide.
These are the procedures for downloading software. Before downloading software, read this section for important information:
The Cisco IOS image is stored as a .bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
Note For Catalyst 3750 and 3560 switches, although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration (standard multilayer image [SMI] or enhanced multilayer image [EMI]) and does not change if you upgrade the software image.
You also can use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the files needed for CMS. You must use the combined tar file to upgrade the switch through CMS. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 3 lists the filenames for this software release.
– Catalyst 3750 SMI file and CMS files.
– Catalyst 3750 EMI file and CMS files.
– Catalyst 3750 SMI cryptographic file and CMS files.
– Catalyst 3750 EMI cryptographic file and CMS files.
– Catalyst 3560 SMI file and CMS files.
– Catalyst 3560 EMI file and CMS files.
– Catalyst 3560 SMI cryptographic file and CMS files.
– Catalyst 3560 EMI cryptographic file and CMS files.
– Catalyst 2970 image file and CMS files.
– Catalyst 2970 cryptographic image file and CMS files.
You can upgrade switch software by using CMS. From the feature bar, choose Administration > Software Upgrade. For detailed instructions, click Help.
Note When using HTTP to upgrade member switches, the command switch must be running either Cisco IOS 12.1(20)EA2 or Cisco IOS 12.2(20)SE or later. The cluster members that are upgraded must be running Cisco IOS 12.2(20)SE or later.
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
To download software, follow these steps:
Step 1 Use Table 3 to identify the file that you want to download.
Step 2 Download the software image file.
http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml
http://www.cisco.com/public/sw-center/sw-lan.shtml
To download the image for a Catalyst 2970 switch, click Catalyst 2970 software. To obtain authorization and to download the cryptographic software files, click Catalyst 2970 3DES Cryptographic Software.
To download the EMI or SMI files for a Catalyst 3560 switch, click Catalyst 3560 software. To obtain authorization and to download the cryptographic software files, click Catalyst 3560 3DES Cryptographic Software.
To download the EMI or SMI files for a Catalyst 3750 switch, click Catalyst 3750 software. To obtain authorization and to download the cryptographic software files, click Catalyst 3750 3DES Cryptographic Software.
Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, refer to Appendix B in the software configuration guide for this release.
Step 4 Log into the switch through the console port or a Telnet session.
Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:
For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.
Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
The /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
You also can download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
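The following console session walks through Steps 4 to 6 end to end. It is an added example, not part of the original release notes: it assumes the TFTP server at 198.30.20.19 used in the example above, and the directory and image name are placeholders; the real tar filename for your switch model and feature set comes from Table 3.

```ios
! Added example (not from the release notes). Assumes a TFTP server at
! 198.30.20.19 and the placeholder path <directory>/<image-name>.tar;
! substitute the Table 3 filename that matches your switch and feature set.

! Step 4: after logging in through the console or Telnet, confirm what is
! currently running. The second line of the output shows the version.
! (On a Catalyst 3750 or 3560 the model name at the end of the display
! reflects the factory image, SMI or EMI, not the image currently running.)
Switch# show version

! List the directories of any other images already stored in flash memory.
Switch# dir flash:

! Step 5 (optional): confirm IP connectivity to the TFTP server before
! starting the download.
Switch# ping 198.30.20.19

! /reload only takes effect if there is no unsaved configuration change,
! so save the running configuration first.
Switch# copy running-config startup-config

! Step 6, same version as the one installed: overwrite the current image
! and reload once the download finishes.
Switch# archive download-sw /overwrite /reload tftp://198.30.20.19/<directory>/<image-name>.tar

! Alternative to the command above: keep the current image in flash
! alongside the new one by using /leave-old-sw instead of /overwrite.
Switch# archive download-sw /leave-old-sw /reload tftp://198.30.20.19/<directory>/<image-name>.tar

! After the reload, verify that the image now running is the one you
! downloaded before relying on the upgrade.
Switch# show version
```

Directory and image names in the tftp:// URL are case sensitive, so copy the filename exactly as it appears on the TFTP server. If you are upgrading a cluster through HTTP instead, remember the version requirements on the command switch and members described in the note above.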
You can assign IP information to your switch by using these methods:
Note If you are upgrading a Catalyst 3750 or a 2950 switch running Cisco IOS Release 12.1(11)AX, which uses the 802.1x feature, you must re-enable 802.1x after upgrading the software. For more information, see the “Cisco IOS Notes” section.
These sections describe the new supported hardware and the new software features provided in this release:
For a list of all supported hardware, see the “Hardware Supported” section.
For a list of default settings after initial switch configuration, including default settings that are changed after the software migration from Cisco IOS Release 12.1 to 12.2, refer to Table 1-1 in Chapter 1 of the software configuration guide.
For a list of commands that have the same function in Cisco IOS Release 12.1(19)EA1 or earlier but different syntax after the 12.2 migration, refer to Table 1-2 in Chapter 1 of the command reference.
This release contains these new Catalyst 3750, 3560, and 2970 switch features or enhancements (available in all software images):
This release contains these new Catalyst 3750 and 3560 switch features or enhancements (available only in the EMI):
This release contains these new Catalyst 3750 switch stacking features or enhancements (available in all software images):
Table 4 lists the minimum software release required to support the major features of the Catalyst 3750, 3560, and 2970 switches.
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
These sections describe the limitations and restrictions:
Unless otherwise noted, these limitations apply to the Catalyst 3750, 3560, and 2970 switches:
These are the configuration limitations:
This problem occurs under these conditions:
– When the switch is booted without a configuration (no config.text file in flash memory).
– When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).
– When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
Dynamic-access port (a VLAN Query Protocol [VQP] port configured with the switchport access vlan dynamic interface configuration command): Yes
Voice VLAN port: No
Dynamic ARP inspection: Yes
1. Disable auto-QoS on the interface.
2. Change the routed port to a nonrouted port or the reverse.
3. Re-enable auto-QoS on the interface. (CSCec44169)
– (Catalyst 3750 switch) When the Network Time Protocol (NTP) is configured, but the NTP clock is not synchronized. You can check the clock status by entering the show ntp status privileged EXEC command and verifying that the network connection to the NTP server and peer works correctly.
– (Catalyst 3750, 3560, or 2970 switches) The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is removed manually from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.
– (Catalyst 3750, 3560, or 2970 switches) The URL for the configured DHCP snooping database was replaced because the original URL is not accessible. The new URL might not take effect after the timeout of the old URL.
No workaround is necessary; these are the designed behaviors. (CSCed50819)
However, when dynamic ARP inspection is not enabled and jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)
When you are upgrading a switch from a Cisco IOS Release 12.1 image to Cisco IOS Release 12.2(20)SE and you are using a type-7 encrypted password after the upgrade, you no longer need to configure the switch with the same password that you were using before the upgrade.
You might still need to re-configure the switch with the same password in these situations:
– Upgrading from a Cisco IOS 12.1 image to Cisco IOS Release 12.2(18)SE
– Upgrading from Cisco IOS Release 12.2(18)SE to Cisco IOS Release 12.2(20)SE
These are the Ethernet limitations:
These are the fallback bridging limitations:
This is the Hot Standby Routing Protocol (HSRP) limitation:
When the active switch fails in a switch cluster that uses HSRP redundancy, the new active switch might not contain a full cluster member list. The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, refer to the “Configuring STP” chapter in the software configuration guide. (CSCec76893)
These are the IP telephony limitations:
This is the MAC addressing limitation:
(Catalyst 3750 or 3560 switches) When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)
These are the multicasting limitations:
Multicast is not supported on tunnel interfaces
error message. IP PIM is not supported on tunnel interfaces. There is no workaround. (CSCeb75366)
– If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.
– If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.
These are the quality of service (QoS) limitations:
These are the routing limitations:
This error message means there is a temporary memory shortage that normally recovers by itself. You can verify that the switch stack has recovered by entering the show cef line user EXEC command and verifying that the line card states are up and sync. No workaround is required because the problem is self-correcting. (CSCea71611)
These are the SPAN and Remote SPAN (RSPAN) limitations:
Decreased egress SPAN rate. In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If fallback bridging and multicast routing are disabled, egress SPAN is not degraded. There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)
These are the Catalyst 3750 switch stack limitations:
There is no workaround. (CSCed54150)
IP-3-STCKYARPOVR appears on the consoles of other default IP gateways. Because sticky ARP is not disabled, the MAC address update caused by the stack master switch-over cannot complete. The workaround is to complete the MAC address update by entering the clear arp privileged EXEC command. (CSCed62409)
Private VLAN is enabled or disabled on a switch stack, depending on whether the stack master is running the EMI or the SMI:
– If the stack master is running the EMI, all stack members have private VLAN enabled.
– If the stack master is running the SMI, all stack members have private VLAN disabled.
This occurs after a master-switchover (MSO) when the previous stack master was running the EMI and the new stack master is running the SMI. The stack members are configured with private VLAN, but any new switch that joins the stack will have private VLAN disabled.
These are the workarounds. Only one of these is necessary:
– Reload the stack after an EMI to SMI MSO (or the reverse).
– Before an EMI-to-SMI MSO, delete the private-VLAN configuration from the existing stack master. (CSCee06802)
This is the expected behavior of the offline configuration (provisioning) feature. There is no workaround. (CSCee12431)
These are the trunking limitations:
If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail. The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
These limitations apply to the Catalyst 3750, 3560, and 2970 switches:
These limitations apply to the Catalyst 3750, 3560, and 2970 switches:
These sections describe the important notes related to this software release for the Catalyst 3750, 3560, and 2970 switches:
These notes apply to switch stacks:
These notes apply to Cisco IOS software:
– the no logging on and then the no logging console global configuration commands
– the logging on and then the no logging console global configuration commands
In Cisco IOS Release 12.2(18)SE and later, you can only use the logging on and then the no logging console global configuration commands to disable logging to the console. (CSCec71490)
These notes apply to CMS configuration:
The workaround is to resize the browser window again when CMS is not busy.
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
– Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier
– Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier
In the Front Panel view, if the switch is running one of the software releases listed previously, the device LEDs do not appear. In Topology view, if the member is an LRE switch, the CPE devices that are connected to the switch do not appear. The Bandwidth and Link graphs also do not appear in these views.
These sections describe the open caveats with possible unexpected activity in this software release:
Unless otherwise noted, these severity 3 Cisco IOS configuration caveats apply to the Catalyst 3750, 3560, and 2970 switches:
A Catalyst 3750 switch does not work with the User Registration Tool (URT). The PC attempting to connect to the network can log in successfully, but it is not allowed to pass traffic after the port is moved to the user VLAN. The MAC address for that device shows BLOCKED.
Sometimes when sticky secure addresses are configured and some sticky addresses have been learned, and then switches are added to a switch stack, the number of sticky addresses shown is incorrect.
The workaround is to disable sticky addresses by using the no switchport port-security mac-address sticky interface configuration command before adding new stack members.
Some Catalyst 2950, 3550, and 3750 switches do not link up with some media converters running at 100 Mbps. This affects the 10/100BASE-T interfaces on these Catalyst 2950 switches:
This affects the 10/100BASE-T interfaces on these Catalyst 3550 switches:
– Catalyst 3550-24 running the SMI or EMI
– Catalyst 3550-48 running the SMI or EMI
This affects the 10/100BASE-T interfaces on these Catalyst 3750 switches:
– Catalyst 3750-24TS running the SMI or EMI
– Catalyst 3750-48TS running the SMI or EMI
– This problem does not affect any other Catalyst switches. This problem occurs only when the listed switch is running one of these software releases:
– Cisco IOS Release 12.1(13)EA1, Cisco IOS Release 12.1(13)EA1a, Cisco IOS Release 12.1(13)EA1b, or Cisco IOS Release 12.1(13)EA1c
– Cisco IOS Release 12.1(14)EA1, Cisco IOS Release 12.1(14)EA1a, or Cisco IOS Release 12.1(14)EA1b
– Cisco IOS Release 12.1(19)EA1, Cisco IOS Release 12.1(19)EA1a, Cisco IOS Release 12.1(19)EA1b, Cisco IOS Release 12.1(19)EA1c, or Cisco IOS Release 12.1(19)EA1d
The workaround is to use Cisco IOS Release 12.1(12c)EA1 or earlier.
There is a discrepancy between the output of the show controllers ethernet-controller tengigabitethernet1/0/1 and the show interfaces tengigabitethernet1/0/1 privileged EXEC commands on a 10-Gigabit Ethernet interface.
The workaround for 10-Gigabit Ethernet interfaces is to use the show interface privileged EXEC command for the byte count and the number of pause frames received. Use the show controllers ethernet-controller privileged EXEC command for the frame count and the FCS and CRC error-frame count.
When cross-stack UplinkFast (CSUF) is configured and you quickly enter the shutdown interface configuration command followed by the no shutdown interface configuration command, one of the uplink ports might cause the uplink ports to be blocked in some VLANs for twice the forward-delay time, causing CSUF to not work for some VLANs. The new root port begins forwarding on its own.
There is no workaround. The new root port will go to a forwarding state on its own after twice the forward delay value on the VLANs.
When redundant uplinks are from the same stack member in a switch stack and UplinkFast is configured, dummy multicast packets are not sent.
The workaround is to not have redundant uplinks from the same stack member. Provide uplink connectivity from ports across the switch stack rather than from one switch in the stack.
When port security is enabled and some sticky addresses are known, and a stack master switchover happens before all of the addresses have been propagated through the switch stack, sometimes sticky addresses are lost.
After the stack master fails and another is elected, switch ports on the new stack master lose the hardware configuration of per-user ACLs even though the Cisco IOS software shows the ACL as installed. This problem does not affect stack members.
A spanning-tree loop might occur if all of these conditions are true:
– Port security is enabled with the violation mode set to protected.
– The maximum number of secure addresses is less than the number of switches connected to the port.
– There is a physical loop in the network through a switch whose MAC address has not been secured, and its BPDUs cause a secure violation.
The workaround is to change any one of the listed conditions.
Some ports of a stack member might not be able to communicate with other ports of other stack members even though the switch MAC address table and CEF table from the stack master are correct. Some ports in the affected switch might be able to communicate by using stale CEF entries. The Catalyst 3750 stack member switch fails to download CEF tables from the stack master.
Some invalid ARP packets are not dropped on dynamic ARP inspection-enabled VLANs. Dynamic ARP inspection does not verify that certain ARP fields are valid and does not drop ARP packets with invalid values for those fields. The fields are hardware size, protocol size, and operation type. These packets also are not dropped by the switch on nondynamic ARP-enabled VLANs.
If dynamic ARP inspection is enabled on an internal VLAN used by a routed port, ARP traffic on the routed port is affected by the dynamic ARP inspection processing. For example, ARP packets will be rate-limited.
The workaround is to not enable dynamic ARP inspection on internal VLANs.
A CPUHOG message sometimes appears when you configure a private VLAN. Port security must be enabled on one or more ports affected by the private VLAN configuration.
An EtherChannel is not properly error-disabled if these conditions are true:
– The channel is carrying a VLAN that is enabled for dynamic ARP inspection.
– The channel is configured with a rate limit for dynamic ARP inspection.
– At least one of the ports in the channel is on a stack member.
– ARP packets are received on a port in the channel on a stack member at a higher rate than the configured rate limit for the channel.
Under these circumstances, a system message states that the rate limit was exceeded on the channel, but the channel will not be error-disabled.
The workaround is to use physical ports on the stack master for any EtherChannel that carries dynamic ARP inspection VLANs and has rate limits.
If the VTP password is configured but the VTP domain name is not configured and if the switch reloads twice, the switch does not retain the VLAN information.
– Delete the vlan.dat file, which deletes the VTP password.
– Delete the VTP password by using the no vtp password global configuration command.
When a secondary VLAN is associated and then quickly disassociated, sometimes the MAC address tables across the switch stack become unsynchronized. This is a rare condition that happens when Port Fast is enabled on the host ports and traffic is continuously received on that port.
The workaround is to clear the MAC address table by using the clear mac address-table dynamic privileged EXEC command.
If a secondary VLAN that was mapped to a promiscuous port is disassociated from the primary VLAN, the LED on the port turns from green to amber. This also occurs if the secondary VLAN is deleted.
The workaround is to remove the secondary VLAN from the mapping of the promiscuous port.
Dynamic ARP inspection log entries might be lost after a switch failure. Any log entries that are still in the log buffer (have not been output as a system message) on a switch that fails will be lost.
When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which the command was entered.
ARP and reverse ARP (RARP) packets are not properly filtered by a configured VLAN map. If you enable a VLAN for dynamic ARP inspection and a VLAN map is applied to the VLAN, ARP and RARP packets received in that VLAN on stack member ports that should be dropped by the VLAN map are not dropped.
Configuring multiple ports to a static address in a private VLAN is not supported in this release. If you add more than one port to a static address in a private VLAN, the traffic destined to that static address from a host (secondary VLAN) port to promiscuous port might be dropped.
The workaround is to not configure multiple ports to a static address in a private VLAN. You can use the shutdown and no shutdown interface configuration commands on a promiscuous port to resume the flow of traffic.
You can only enter values ranging from 1 to 1023 when configuring the VLAN for an access port from SNMP by using the vlanPortVlan object of the CISCO-STACK-MIB.
– Use the interface vlan global configuration command to configure the VLAN for the access port.
– From SNMP, use the vmVlan object of the CISCO-VLAN-MEMBERSHIP-MIB.
You can use both of these workarounds to enter a value ranging from 1 to 4095.
These CISCO-STACK-MIB objects always return the invalid value of zero:
Port ACLs are not applied to IGMP control packets with IP options.
After a multicast group exceeds the maximum number that a private VLAN can support, the required ternary content addressable memory (TCAM) entries cannot be present for the last group, and the forwarding behavior for that multicast group is incorrect.
For a private VLAN multicast group, each group needs 3 TCAM entries (one SFT entry and 2 LFT entries) when IP multicast routing is enabled on the private VLAN primary VLAN. (For a regular VLAN, only 1 SFT TCAM entry is required, and approximately 1000 groups can be supported. For the private VLAN group, only one third of the regular groups can be supported.)
A Catalyst 3750 switch running Cisco IOS Release 12.1(19)EA1a might continuously show this message:
Auto-RP discovery packets (addressed to 224.0.1.40) received from a mapping agent are not forwarded from the receiving switch when the receiving port is a routed port. This problem does not occur if these packets are received on a port on a VLAN interface.
When static MAC addresses are configured on two isolated ports and then the isolated VLAN is changed to a community VLAN, Layer 2 traffic is blocked between the two private VLAN community ports.
The workaround is to remove the static MAC address by using the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command and then to reconfigure that static address by using the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command.
When an SNMP version 3 user is configured with the encrypted option and password, the switch reloads when the MIB object usmUserAuthKeyChange is set.
The workaround is to configure a user without the encrypted option. (For example, snmp-server user username groupname v3 auth md5 password.)
If you try to add an aggregate policer to a policy map, this message appears:
and the aggregate policer is not added.
The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.
If you modify a policer, this message appears:
If you then attempt to remove an aggregate policer, the removal of the policy map fails, and this message appears:
The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.
When you add an aggregate policer to a policy-map class, the aggregate policer is also added to another policy class within the same policy.
The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.
When enabled, DHCP snooping does not work with secondary VLANs of a private VLAN. DHCP discover messages from the private-VLAN hosts are not broadcast, and private-VLAN hosts cannot communicate with the DHCP server.
When two ports of a Cisco IP Phone are connected to a switch and the higher voice VLAN ID (VVID) is configured on the switch port to which port P3 of the Cisco IP Phone is connected, the phone displays configuring IP and halts.
These are the workarounds. Only one of these is necessary:
– Configure the higher VVID on port P1 of the Cisco IP phone.
– Connect only one port of the Cisco IP Phone to the switch.
Unless otherwise noted, these severity 3 CMS caveats apply to the Catalyst 3750, 3560, and 2970 switches:
When a switch cluster has only one member switch and that member switch is down, CMS does not display the Remove From Cluster option.
When there are Catalyst 2950 and 2955 devices in a cluster, if you launch the QoS Queue Window to configure the devices and then try to view the settings for other devices by using the device selection menu, CMS halts after 20 to 30 selections.
The workaround is to close and then restart CMS.
When an Open Shortest Path First (OSPF) summary address is added for a 10.x.x.x network, a Windows exception error sometimes occurs.
The workaround is to add the summary address from the CLI: enter the router ospf process-id global configuration command, and then enter the area area-id range address mask router configuration command.
When you change the Spanning Tree Protocol (STP) mode from Rapid PVST+ to PVST+, a Java OutOfBoundsException error sometimes appears.
There is no workaround. The new STP mode is still configured even if the error message appears.
When a Catalyst 3750 stack member leaves or joins the switch stack, the entire stack disappears from the Topology View. Only the stack member that has left the stack should disappear from the Topology view.
When you select a remote device from the VLAN menu, the displayed table sometimes does not show all the connected links between the device selected in the Host Name list and the device selected in the Remote Device list. This can also occur when you add a new device to a cluster and then open the VLAN menu.
The workaround is to refresh the display:
1. Click Refresh on the CMS toolbar two or three times, or select View > Refresh two or three times.
2. Click Refresh in the VLAN window.
The Telnet link on the TOOLS page (select TOOLS from the switch home page) does not work on Solaris systems.
The Device Manager Launch button does not work for Catalyst 1900 and 2820 switches.
The workaround is to launch Device Manager for these devices outside of CMS by opening a new browser and manually entering the URL for the switch.
When you click Refresh in the Stack Settings dialog, the latest switch cluster information does not appear.
The workaround is to close and then to reopen the Stack Settings dialog.
A Java exception error occurs when CMS is in read-only mode and you launch the Port Settings dialog. This only occurs on Catalyst 2900 XL, 3500 XL, and 2950 LRE switches.
The workaround is to open the Port Settings dialog with CMS in read-write mode.
When you open the Port Settings dialog for a Power-over-Ethernet (PoE) switch that is a member of a switch stack and the stack master is not a PoE switch, a Java exception error occurs.
The workaround is to configure the PoE switch as the stack master.
These are the caveats that have been resolved in this release.
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
When multicast VLAN registration (MVR) groups are added and later deleted, a receiver port that joined a group after it was added now stops receiving that group's traffic as soon as the group is deleted. MVR data traffic to the group is no longer sent to the receiver port immediately after the no mvr group ip-address global configuration command is entered.
When both the sharing and shaping weights are enabled, the receiving rates now follow the shared bandwidth weight if the priority queue is enabled on the egress queue.
When an ACL that denies packets is configured on an ingress or egress interface, the CPU usage is no longer as high as 70 percent when these packets are forwarded to the CPU to determine if an ICMP-unreachable packet should be generated.
When a configured secure MAC address exists on an interface, you can now change it to a sticky MAC address. Alternatively, if a sticky MAC address exists on an interface, you can now change it to a secure MAC address.
When the CISCO-STP-EXTENSIONS-MIB is polled, unknown indexes are no longer returned for some MIB objects.
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.
The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.
Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml
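The following triage helper is an added example, not Cisco code. It applies only what this release note states about the advisory: OSPF is off by default, so a device is exposed only if a router ospf stanza is configured; trains based on 12.0S, 12.2 and 12.3 are in scope, while 12.0 and 12.1 mainline and pre-12.0 images are not; and 12.2(20)SE carries the fix. Anything the page does not decide (other 12.0 and 12.1 trains, the full fixed-release table) is reported as undetermined and must be taken from the advisory itself. The version-string pattern, the sample running configuration and the sample version strings are constructed for illustration.

```python
"""Exposure triage for the OSPF advisory referenced above (added example, not Cisco code)."""
import re
from typing import Optional

# Constructed pattern for IOS version strings:
# "12.2(20)SE" -> major 12, minor 2, maintenance 20, train "SE", rebuild ""
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*[a-z]?)$")
# A top-level "router ospf <process-id>" stanza is what turns OSPF on.
OSPF_RE = re.compile(r"^router ospf \d+", re.MULTILINE)

# Releases this page confirms contain the fix; extend from the advisory's table.
FIXED_RELEASES = frozenset({"12.2(20)SE"})


def train_in_scope(version: str) -> Optional[bool]:
    """True: train the page names as affected. False: named as not affected.
    None: unparseable, or not decided by the text on this page."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, train = int(m[1]), int(m[2]), m[4]
    if major < 12:
        return False                       # all images prior to 12.0
    if (major, minor) in ((12, 2), (12, 3)):
        return True                        # trains based on 12.2 and 12.3
    if (major, minor) == (12, 0):
        if train == "":
            return False                   # 12.0 mainline
        # Approximation: 12.0 trains whose identifier starts with S are
        # treated as 12.0S-based; any other 12.0 train is left to the advisory.
        return True if train.startswith("S") else None
    if (major, minor) == (12, 1):
        return False if train == "" else None  # 12.1 mainline; other trains: advisory
    return None


def ospf_configured(running_config: str) -> bool:
    """OSPF is not enabled by default; it is on only if a router ospf stanza exists."""
    return OSPF_RE.search(running_config) is not None


def triage(version: str, running_config: str,
           fixed_releases: frozenset = FIXED_RELEASES) -> str:
    """Combine the configuration check with the release-train scoping."""
    if not ospf_configured(running_config):
        return "not exposed: OSPF is not configured"
    if version.strip() in fixed_releases:
        return "not exposed: running a release that contains the fix"
    scope = train_in_scope(version)
    if scope is True:
        return ("exposed: OSPF configured on an in-scope release train; "
                "upgrade or apply the workarounds in the advisory")
    if scope is False:
        return "not exposed: release train not affected"
    return "undetermined: consult the advisory's release table"


# Constructed sample running configuration with OSPF enabled.
SAMPLE_CONFIG = """\
hostname dist-sw1
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
router ospf 100
 network 10.10.10.0 0.0.0.255 area 0
!
end
"""
```

Feed triage() the output of show version (the "Version" field) and show running-config. The fixed-release check is a literal match against the table you load from the advisory; later rebuilds in the same train are normally fixed as well, but the helper deliberately does not infer that, so add them to FIXED_RELEASES explicitly once the advisory confirms them.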
When an 802.1x-enabled port is authenticated with a RADIUS-assigned VLAN, if the port is shut down or the link is removed, a traceback message no longer appears.
After a link is up, a switch sends three Extensible Authentication Protocol (EAP) Request/Identity messages to the client. There is a 30-second gap between messages. However, PCs that are running Windows XP or Windows 2000 drop the first message so that the second message that the client receives appears to be the first, which is at least 30 seconds after the link is up. Therefore, a user does not see a password window until at least 30 seconds after the link is up.
Telnet and ping traffic is no longer disrupted during SNMP polling of the VlanTrunkPortTable table in the CISCO-VTP-MIB.
When per-user access control lists (ACLs) are downloaded from a RADIUS server after successful 802.1x authentication, disabling 802.1x now removes the attached per-user ACLs from the interface.
If QoS is enabled and the trust state is not configured on an ingress interface, now only the mapping of the class of service (CoS) value of 0 to the ingress or egress queues takes effect when you enter the mls qos srr-queue input cos-map or the mls qos srr-queue output cos-map global configuration command. Other CoS-to-queue and DSCP-to-queue mappings have no effect on traffic from that interface.
If you change the input priority queue for queue 2 by using the mls qos srr-queue input priority-queue 2 bandwidth global configuration command, the configurations that are generated no longer contain an extra input keyword such as mls qos srr-queue input priority-queue input 2 bandwidth. In previous releases, the extra keyword caused an error message if the command was saved and the switch was reloaded.
When there are many configured secure and sticky MAC addresses on a port, addresses are no longer dropped and removed from the configuration when the switch restarts.
When you configure a unicast MAC address filter that matches a Windows XP 802.1x client MAC address, the Windows XP 802.1x client now no longer repeatedly tries to re-authenticate itself.
Processor memory no longer leaks if you change the policy-based routing (PBR) configuration.
The command switch now discovers candidates more than one CDP hop beyond its routed port.
When the kerberos clients mandatory global configuration command is entered on a switch and the switch is connected through a Telnet session to a host that does not support Kerberos, the switch no longer halts when you press the Enter key.
When (*,G) and (S,G) entries are created in a multicast routing table on a remote port by Protocol-Independent Multicast-Sparse Mode (PIM-SM) registering, the RPF leak flag is now set for the hardware entry for the group.
A topology change on a member switch no longer causes fast-aging of the dynamically learned addresses. In previous releases, this occurred in per-VLAN spanning-tree (PVST) mode when a topology change notification (TCN BPDU) was generated and propagated from a member switch but was not sent from the root port on the master.
Members of a switch stack no longer fail after the debug all privileged EXEC command is entered.
If there is a Layer 3 (routed-port) Link Aggregation Control Protocol (LACP) EtherChannel on the stack master, changing the LACP system priority, either locally or on the neighbor switch, no longer creates assert-failure and traceback error messages for the ports in the EtherChannel.
The switch now accepts duplicate remark statements in named ACLs.
A Catalyst 3750 stack member switch no longer reloads or displays a message similar to this:
A MAC address is now correctly learned on a secure port, ages out, and is then learned on another secure port on a different stack member switch.
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
In the IP Multicast Wizard, multicast-enabled member devices are now correctly listed in the Enabled Multicast list box instead of in the Current Candidate list box.
These are the updates to the product documentation:
In printed copies of the software configuration guides, the URL listed in the “Privilege Levels” section of the “Getting Started with CMS” chapter is incorrect. The section lists this URL:
This is the correct URL (the closing “/” is required):
In printed copies of the software configuration guides, in the “Classifying Traffic by Using ACLs” section of the “Configuring QoS” chapter, this information in Step 3 to create a Layer 2 MAC ACL is incorrect:
This is the correct information:
The next sections provide updated information for the “Managing Switch Stacks” chapter.
Note The information in the “Major Incompatibility Between Switches” section was retitled and should be replaced with this information.
Switches with different Cisco IOS software versions likely have different stack protocol versions. Switches with different major version numbers are incompatible and cannot exist in the same switch stack.
Note The information in the “Minor Incompatibility Between Switches” section was retitled and should be replaced with this information.
Switches with the same major version number but with a different minor version number as the stack master are considered partially compatible. When connected to a switch stack, a partially compatible switch enters version-mismatch (VM) mode and cannot join the stack as a fully functioning member. The software detects the mismatched software and tries to upgrade (or downgrade) the switch in VM mode with the switch stack image or with a tar file image from the switch stack flash memory. The software uses the automatic upgrade (auto-upgrade) and the automatic advise (auto-advise) features. For more information, see the “Understanding Auto-Upgrade and Auto-Advise” section.
To see if there are switches in VM mode, use the show switch user EXEC command. The port LEDs on switches in VM mode will also stay off. Pressing the Mode button does not change the LED mode.
Note This is a new section, not previously in the “Managing Switch Stacks” chapter.
When the software detects mismatched software and tries to upgrade the switch in VM mode, two software processes are involved: automatic upgrade (auto-upgrade) and automatic advise (auto-advise).
Auto-upgrade occurs if it is enabled, if there is enough flash memory in the switch in VM mode, and if:
– The software image running on the switch stack is suitable for the switch in VM mode, or
– There is a tar file from the switch stack that is suitable for the switch in VM mode. A switch in VM mode might not run all released software. For example, new switch hardware is not recognized in earlier versions of software.
The auto-upgrade and the auto-copy processes wait for a few minutes before starting.
When the auto-upgrade process is complete, the switch that was in VM mode reloads and joins the stack as a fully functioning member. If you have both StackWise cables connected during the reload, network downtime does not occur because the switch stack operates on two rings.
Note Auto-upgrade performs the upgrade only when the two images are the same type. For example, it does not automatically upgrade a switch in VM mode from EMI to SMI (or the reverse) or from cryptographic to noncryptographic (or the reverse).
The auto-advise software does not give suggestions when the switch stack software and the software of the switch in VM mode do not contain the same feature sets. For example, if the switch stack is running the SMI and you add a switch that is running the EMI, the auto-advise software does not provide a recommendation. The same events occur when cryptographic and noncryptographic images are running.
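The following model is an added example, not Cisco software. It encodes the major/minor stack-protocol rule from the two preceding sections and the auto-upgrade preconditions listed above: the candidate must run the same image type as the stack (EMI with EMI, cryptographic with cryptographic), the image must recognize the candidate's hardware, and it must fit in the candidate's flash memory; otherwise auto-advise recommends a tar file download, or stays silent when the feature sets differ. The Image and VmSwitch records, their field names (including the hypothetical supported_models set) and the sample values in demo() are constructed for illustration.

```python
"""Model of the stack compatibility and auto-upgrade rules described above (added example)."""
from dataclasses import dataclass
from enum import Enum


class Compat(Enum):
    FULL = "fully functioning member"
    VERSION_MISMATCH = "version-mismatch (VM) mode"
    INCOMPATIBLE = "incompatible: cannot exist in the same stack"


def parse_stack_version(text: str) -> tuple:
    """Split a stack protocol version such as '1.4' into (major, minor)."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)


def classify(master_version: str, candidate_version: str) -> Compat:
    """Different major number: incompatible. Same major but different minor:
    partially compatible, so the candidate enters VM mode. Identical: full member."""
    m_major, m_minor = parse_stack_version(master_version)
    c_major, c_minor = parse_stack_version(candidate_version)
    if m_major != c_major:
        return Compat.INCOMPATIBLE
    if m_minor != c_minor:
        return Compat.VERSION_MISMATCH
    return Compat.FULL


@dataclass(frozen=True)
class Image:
    name: str
    feature_set: str             # "SMI" or "EMI"
    crypto: bool                 # cryptographic or noncryptographic build
    size_bytes: int
    supported_models: frozenset  # hypothetical: hardware this image recognizes


@dataclass(frozen=True)
class VmSwitch:
    model: str
    image: Image                 # what the mismatched switch is running now
    free_flash_bytes: int


def same_type(a: Image, b: Image) -> bool:
    """Auto-upgrade never crosses image types: EMI/SMI or crypto/noncrypto."""
    return a.feature_set == b.feature_set and a.crypto == b.crypto


def upgrade_plan(vm: VmSwitch, stack_image: Image, stack_tars: list,
                 auto_upgrade_enabled: bool = True) -> str:
    """Decide what happens to a switch that has entered VM mode."""
    if not same_type(vm.image, stack_image):
        # Different feature sets: no auto-upgrade, and auto-advise gives no suggestion.
        return "no recommendation: stack and VM-mode switch run different image types"
    if not auto_upgrade_enabled:
        return "auto-upgrade disabled: nothing is copied automatically"
    for candidate in [stack_image, *stack_tars]:
        if (same_type(candidate, vm.image)
                and vm.model in candidate.supported_models
                and candidate.size_bytes <= vm.free_flash_bytes):
            return f"auto-upgrade from {candidate.name}, then reload into the stack"
    # Nothing on the stack is usable: auto-advise points at archive download-sw.
    return "auto-advise: download a suitable tar file with archive download-sw"


def demo() -> dict:
    """Three constructed scenarios; returns the decision for each."""
    stack_emi = Image("stack-running-EMI", "EMI", False, 6_000_000,
                      frozenset({"MODEL-A", "MODEL-B"}))
    old_emi = Image("vm-switch-old-EMI", "EMI", False, 5_500_000, frozenset({"MODEL-A"}))
    old_smi = Image("vm-switch-old-SMI", "SMI", False, 4_000_000, frozenset({"MODEL-A"}))
    return {
        # Same type, hardware recognized, fits in flash: auto-upgrade runs.
        "upgrade": upgrade_plan(VmSwitch("MODEL-A", old_emi, 8_000_000), stack_emi, []),
        # Newer hardware the stack image does not recognize: auto-advise.
        "advise": upgrade_plan(VmSwitch("MODEL-C", old_emi, 8_000_000), stack_emi, []),
        # SMI switch added to an EMI stack: no recommendation at all.
        "silent": upgrade_plan(VmSwitch("MODEL-A", old_smi, 8_000_000), stack_emi, []),
    }
```

The stack version strings passed to classify() are the stack protocol versions, not the Cisco IOS release numbers; the two differ, which is why the text says switches with different IOS versions only "likely" have different stack protocol versions. Confirm the actual state with show switch, where a partially compatible member appears in VM mode.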
Note This is a new section, not previously in the “Managing Switch Stacks” chapter.
When you add a switch that has a different minor version number to the switch stack, the software displays messages in sequence (assuming that there are no other system messages generated by the switch).
This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack. Auto-copy launches, finds suitable software to copy from a stack member to the switch in VM mode, upgrades the switch in VM mode, and then reloads it:
This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack. Auto-copy launches but cannot find software in the switch stack to copy to the switch in VM mode to make it compatible with the switch stack. The auto-advise process launches and recommends that you download a tar file from the network to the switch in VM mode:
For information about using the archive download-sw privileged EXEC command, refer to the “Working with Software Images” section in Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
Note Auto-advise and auto-copy identify which images are running by examining the info file and by searching the directory structure on the switch stack. If you download your image by using the copy tftp: command instead of by using the archive download-sw privileged EXEC command, the correct directory structure is not properly created. For more information about the info file, see the “tar File Format of Images on a Server or Cisco.com” section in Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
The display for the show controllers ethernet-controller command was enhanced to show the XENPAK module serial EEPROM contents. For information about the EEPROM map and the field descriptions for the display, refer to the XENPAK multisource agreement (MSA) at these URLs:
http://www.xenpak.org/MSA/XENPAK_MSA_R2.1.pdf
http://www.xenpak.org/MSA/XENPAK_MSA_R3.0.pdf
To determine which version of the XENPAK documentation to read, check the XENPAK MSA Version supported field in the display. Version 2.1 is 15 hexadecimal, and Version 3.0 is 1e hexadecimal.
This is an example of output from the show controllers ethernet-controller tengigabitethernet1/0/1 phy command for the 10-Gigabit Ethernet interface:
This is a new step for the “Configuring the Switch Settings” section in the “Using Express Setup” chapter:
Enter a VLAN ID in the Management Interface (VLAN ID) field. This is the management interface through which you manage the switch and to which you assign IP information. The Management Interface field displays 1 by default. The VLAN ID range for this field is 1 to 1001.
These documents provide complete information about the Catalyst 3750, 3560, and 2970 switches and are available at Cisco.com:
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section.
These documents provide complete information about the Catalyst 3750 switches:
These documents provide complete information about the Catalyst 3560 switches:
These documents provide complete information about the Catalyst 2970 switches:
For other information about related products, refer to these documents:
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
http://www.cisco.com/go/marketplace/
http://cisco.com/univercd/cc/td/doc/pcat/
http://www.cisco.com/go/iqmagazine
http://www.cisco.com/en/US/learning/index.html