Release Notes for the Catalyst 3750, 3560, and 2970 Switches, Cisco IOS Release 12.2(20)SE3
Finding the Software Version and Feature Set
Upgrading a Switch by Using CMS
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Minimum Cisco IOS Release for Major Features
Cisco IOS Limitations and Restrictions
Stacking (Catalyst 3750 switch stack only)
Cluster Limitations and Restrictions
CMS Limitations and Restrictions
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE3
Cisco IOS Caveat Resolved in Cisco IOS Release 12.2(20)SE2
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE1
Cisco CMS Caveats Resolved in Cisco IOS Release 12.2(20)SE1
Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE
Cisco CMS Caveats Resolved in Cisco IOS Release 12.2(20)SE
Documentation Updates for Catalyst 3750 Switches Running Cisco IOS Release 12.2(20)SE3
debug platform frontend-controller
system env temperature threshold yellow
show platform frontend-controller
Documentation Updates for Catalyst 3560 Switches Running Cisco IOS Release 12.2(20)SE3
debug platform frontend-controller
system env temperature threshold yellow
show platform frontend-controller
Documentation Updates for Cisco IOS Release 12.2(20)SE1
Addition to the Catalyst 3750 and 3560 Switch Software Configuration Guides
Revisions to the Catalyst 3750, 3560, and 2970 Switch Command References
Revisions to the Catalyst 3750 and 3560 System Message Guides
Addition to the Catalyst 3750 Switch System Message Guide
Additions to the Catalyst 3560 Switch System Message Guide
Documentation Updates for Cisco IOS Release 12.2(20)SE
Corrections to the Catalyst 3750, 3560, and 2970 Switch Software Configuration Guides
Additions to the Catalyst 3750 Switch Software Configuration Guide
Additions to the Catalyst 3750 Switch Command Reference
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Cisco IOS Release 12.2(20)SE3 runs on Catalyst 3750, 3560, and 2970 switches.
The Catalyst 3750 switches support stacking through Cisco StackWise technology. The Catalyst 3560 and 2970 switches do not support switch stacking. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch:
For the complete list of Catalyst 3750, 3560, and 2970 switch documentation, see the “Related Documentation” section.
You can download the switch software from these sites:
(for registered Cisco.com users with a login password)
(for nonregistered Cisco.com users)
This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.
This information is in the release notes:
The system requirements are described in these sections:
Table 1 lists the hardware supported on Cisco IOS Release 12.2SE.
12 SFP module slots
24 10/100 PoE ports and 2 SFP module slots
16 10/100/1000 ports and 1 XENPAK 10-Gigabit Ethernet module port
1000BASE-T, 1000BASE-SX, 1000BASE-LX, 1000BASE-ZX, and CWDM 100BASE-FX MMF
For hardware requirements, operating system, and browser recommendations for running the Cluster Management Suite (CMS), refer to the “Getting Started with CMS” chapter in the software configuration guide.
This release uses a CMS plug-in to run CMS. You can download the latest CMS plug-in for Windows from this URL:
http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=windows&version=1.1
This release uses a CMS plug-in that replaces the Java plug-in. You can download the latest CMS plug-in for Solaris from this URL:
http://www.cisco.com/pcgi-bin/Support/ClusterMgmtSuite/cms_plugin_redirect.cgi?platform=solaris&version=1.1
This section describes how to choose command and standby command switches when a cluster consists of a mixture of Catalyst switches. When creating a switch cluster or adding a switch to a cluster, follow these guidelines:
Member switch only
CMS is not forward-compatible on command switches running Cisco IOS Release 12.1(14)EA1 and earlier. This means that if a member switch is running a release that is earlier than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device running a release that is later than the release on the command switch, the command switch cannot recognize the member switch, and the Front Panel view displays it as an unknown device. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to configure and to obtain reports for that member.
If you have a cluster with switches that are running different versions of Cisco IOS software, features added on the latest release might not be reflected on switches running the older releases. For example, if you start CMS on a Catalyst 2900 XL switch running Cisco IOS Release 11.2(8)SA6, the windows and functionality can be different from a switch running Cisco IOS Release 12.0(5)WC(1) or later.
Some early Cisco IOS releases do not support clustering.
For more information about clustering and CMS, refer to the software configuration guide.
These are the procedures for downloading software. Before downloading software, read this section for important information:
The Cisco IOS image is stored as a .bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
Note For Catalyst 3750 and 3560 switches, although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration (standard multilayer image [SMI] or enhanced multilayer image [EMI]) and does not change if you upgrade the software image.
You also can use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the files needed for CMS. You must use the combined tar file to upgrade the switch through CMS. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 3 lists the filenames for this software release.
You can upgrade switch software by using CMS. From the feature bar, choose Administration > Software Upgrade. For detailed instructions, click Help.
Note When using HTTP to upgrade member switches, the command switch must be running either Cisco IOS 12.1(20)EA2 or Cisco IOS 12.2(20)SE or later. The cluster members that are upgraded must be running Cisco IOS 12.2(20)SE or later.
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
To download software, follow these steps:
Step 1 Use Table 3 to identify the file that you want to download.
Step 2 Download the software image file.
http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml
http://www.cisco.com/public/sw-center/sw-lan.shtml
To download the image for a Catalyst 2970 switch, click Catalyst 2970 software. To obtain authorization and to download the cryptographic software files, click Catalyst 2970 3DES Cryptographic Software.
To download the EMI or SMI files for a Catalyst 3560 switch, click Catalyst 3560 software. To obtain authorization and to download the cryptographic software files, click Catalyst 3560 3DES Cryptographic Software.
To download the EMI or SMI files for a Catalyst 3750 switch, click Catalyst 3750 software. To obtain authorization and to download the cryptographic software files, click Catalyst 3750 3DES Cryptographic Software.
Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.
For more information, refer to Appendix B in the software configuration guide for this release.
Step 4 Log into the switch through the console port or a Telnet session.
Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:
For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.
Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
The /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
You also can download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
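TFTP provides no authentication or integrity protection, so the combined tar file can be checked on the workstation before Step 3 places it in the TFTP directory. The following is an added example, not part of the Cisco procedure: it compares the file's MD5 digest with a published value and confirms the layout these notes describe (a release-named directory holding one .bin image, plus a subdirectory of web-management files). The file names, the `html` directory name and the digest source are assumptions; the archives are constructed in memory.

```python
import hashlib
import io
import tarfile
from pathlib import PurePosixPath


def md5_hex(data):
    """MD5 digest of the file contents, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def inspect_combined_tar(data, expected_md5):
    """Return a list of problems found in a combined tar file (empty list = OK)."""
    problems = []
    if md5_hex(data) != expected_md5.lower():
        problems.append("MD5 does not match the published value")

    try:
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            members = tar.getmembers()
    except tarfile.TarError:
        return problems + ["not a readable tar archive"]

    release_dirs, images, web_dirs = set(), [], set()
    for member in members:
        path = PurePosixPath(member.name)
        # A member that escapes the extraction directory has no place in an image.
        if path.is_absolute() or ".." in path.parts:
            problems.append(f"unsafe member path: {member.name}")
            continue
        if member.isfile() and len(path.parts) >= 2:
            release_dirs.add(path.parts[0])
            if len(path.parts) == 2 and path.suffix == ".bin":
                images.append(member.name)      # image directly in the release directory
            elif len(path.parts) > 2:
                web_dirs.add(path.parts[1])     # files in a subdirectory (web management)

    if len(release_dirs) != 1:
        problems.append(f"expected 1 release directory, found {len(release_dirs)}")
    if len(images) != 1:
        problems.append(f"expected 1 .bin image, found {len(images)}")
    if not web_dirs:
        problems.append("no subdirectory of web-management files")
    return problems


def build_sample_tar(files):
    """Build an in-memory tar from {member name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive with placeholder names, not a real Cisco image.
    sample = build_sample_tar({
        "example-release/example-image.bin": b"constructed image bytes",
        "example-release/html/index.htm": b"<html></html>",
    })
    published = md5_hex(sample)  # stands in for the digest taken from the vendor
    print(inspect_combined_tar(sample, published) or "archive looks as described")
```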
You can assign IP information to your switch by using these methods:
Note If you are upgrading a Catalyst 3750 or a 2950 switch running Cisco IOS Release 12.1(11)AX, which uses the 802.1x feature, you must re-enable 802.1x after upgrading the software. For more information, see the “Cisco IOS Notes” section.
Note When upgrading or downgrading from Cisco IOS Release 12.2(18)SE, you might need to reconfigure the switch with the same password that you were using when running 12.2(18)SE. This problem only occurs when changing from Cisco IOS Release 12.2(18)SE to any other release. (CSCed88768)
These sections describe the supported hardware and the software features provided in this release:
For a list of all supported hardware, see the “Hardware Supported” section.
This release contains support for the temperature monitoring, fan control, and cable diagnostics features on Catalyst 3750G-24TS-1U, 3750G-48TS, 3750G-24PS, 3750G-48PS, 3560G-24TS, 3560G-24PS, 3560G-48TS, and 3560G-48PS switches.
For more information about these updates, see the “Documentation Updates for Catalyst 3750 Switches Running Cisco IOS Release 12.2(20)SE3” section and the “Documentation Updates for Catalyst 3560 Switches Running Cisco IOS Release 12.2(20)SE3” section.
This release contains support for the temperature monitoring, cable diagnostics, front-end controller, and PoE features on Catalyst 3750G-24TS-1U, 3750G-48TS, 3750G-24PS, 3750G-48PS, 3560G-24TS, 3560G-24PS, 3560G-48TS, and 3560G-48PS switches.
For more information about these updates, see the “Documentation Updates for Catalyst 3750 Switches Running Cisco IOS Release 12.2(20)SE3” section.
Table 4 lists the minimum software release required to support the major features of the Catalyst 3750, 3560, and 2970 switches.
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
These sections describe the limitations and restrictions:
Unless otherwise noted, these limitations apply to the Catalyst 3750, 3560, and 2970 switches:
These are the configuration limitations:
The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
This problem occurs under these conditions:
– When the switch is booted without a configuration (no config.text file in flash memory).
– When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).
– When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
[Table: rows include Dynamic-access port, Voice VLAN port, and Dynamic ARP inspection; the column headings and cell values did not survive.]
A dynamic-access port is a VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.
1. Disable auto-QoS on the interface.
2. Change the routed port to a nonrouted port or the reverse.
3. Re-enable auto-QoS on the interface. (CSCec44169)
– (Catalyst 3750 switch) When the Network Time Protocol (NTP) is configured, but the NTP clock is not synchronized. You can check the clock status by entering the show ntp status privileged EXEC command and verifying that the network connection to the NTP server and peer work correctly.
– (Catalyst 3750, 3560, or 2970 switches) The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is removed manually from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.
– (Catalyst 3750, 3560, or 2970 switches) The URL for the configured DHCP snooping database was replaced because the original URL is not accessible. The new URL might not take effect after the timeout of the old URL.
No workaround is necessary; these are the designed behaviors. (CSCed50819)
However, when dynamic ARP inspection is not enabled and jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)
The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed390310)
These are the Ethernet limitations:
These are the fallback bridging limitations:
This is the Hot Standby Routing Protocol (HSRP) limitation:
When the active switch fails in a switch cluster that uses HSRP redundancy, the new active switch might not contain a full cluster member list. The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, refer to the “Configuring STP” chapter in the software configuration guide. (CSCec76893)
These are the IP telephony limitations:
This is the MAC addressing limitation:
(Catalyst 3750 or 3560 switches) When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)
These are the multicasting limitations:
Multicast is not supported on tunnel interfaces
error message. IP PIM is not supported on tunnel interfaces. There is no workaround. (CSCeb75366)
– If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.
– If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.
These are the QoS limitations:
These are the routing limitations:
This error message means there is a temporary memory shortage that normally recovers by itself. You can verify that the switch stack has recovered by entering the show cef line user EXEC command and verifying that the line card states are up and sync. No workaround is required because the problem is self-correcting. (CSCea71611)
These are the SPAN and Remote SPAN (RSPAN) limitations:
Decreased egress SPAN rate. In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If fallback bridging and multicast routing are disabled, egress SPAN is not degraded. There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)
A spanning-tree loop might occur if all of these conditions are true:
– Port security is enabled with the violation mode set to protected.
– The maximum number of secure addresses is less than the number of switches connected to the port.
– There is a physical loop in the network through a switch whose MAC address has not been secured, and its BPDUs cause a secure violation.
The workaround is to change any one of the listed conditions. (CSCed53633)
These are the Catalyst 3750 switch stack limitations:
There is no workaround. (CSCed54150)
IP-3-STCKYARPOVR appears on the consoles of other default IP gateways. Because sticky ARP is not disabled, the MAC address update caused by the stack master switch-over cannot complete. The workaround is to complete the MAC address update by entering the clear arp privileged EXEC command. (CSCed62409)
Private VLAN is enabled or disabled on a switch stack, depending on whether or not the stack master is running the EMI or the SMI:
– If the stack master is running the EMI, all stack members have private VLAN enabled.
– If the stack master is running SMI, all stack members have private VLAN disabled.
This occurs after a master-switchover (MSO) when the previous stack master was running the EMI and the new stack master is running the SMI. The stack members are configured with private VLAN, but any new switch that joins the stack will have private VLAN disabled.
These are the workarounds. Only one of these is necessary:
– Reload the stack after an EMI to SMI MSO (or the reverse).
– Before an EMI-to-SMI MSO, delete the private-VLAN configuration from the existing stack master. (CSCee06802)
This is the expected behavior of the offline configuration (provisioning) feature. There is no workaround. (CSCee12431)
These are the trunking limitations:
If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail. The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
These limitations apply to the Catalyst 3750, 3560, and 2970 switches:
These limitations apply to the Catalyst 3750, 3560, and 2970 switches:
The workaround is to add the address by using the router ospf <process-id>, area <area-id>, and range <address> <mask> configuration commands. (CSCed87031)
There is no workaround. (CSCee11710)
The workaround is to open the Port Settings dialog with CMS in read-write mode. (CSCee25870)
These sections describe the important notes related to this software release for the Catalyst 3750, 3560, and 2970 switches:
These notes apply to switch stacks:
These notes apply to Cisco IOS software:
– the no logging on and then the no logging console global configuration commands
– the logging on and then the no logging console global configuration commands
In Cisco IOS Release 12.2(18)SE and later, you can only use the logging on and then the no logging console global configuration commands to disable logging to the console. (CSCec71490)
These notes apply to CMS configuration:
The workaround is to resize the browser window again when CMS is not busy.
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
– Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier
– Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier
In the Front Panel view, if the switch is running one of the software releases listed previously, the device LEDs do not appear. In Topology view, if the member is an LRE switch, the CPE devices that are connected to the switch do not appear. The Bandwidth and Link graphs also do not appear in these views.
These sections describe the open caveats with possible unexpected activity in this software release:
Unless otherwise noted, these severity 3 Cisco IOS configuration caveats apply to the Catalyst 3750, 3560, and 2970 switches:
When both 802.1x and port security are enabled on a voice VLAN port, dynamic secure addresses might not be cleared when the port changes from multihosts mode to single-host mode under these conditions:
– The port is in the authorized state.
– Multiple hosts were learned on the port before the mode change.
– VLAN assignment is not enabled for the authorized host.
MAC addresses that were learned before mode change (when the port was in multihosts mode) are still allowed, even though the port is now in single-host mode.
The workaround is to disable and re-enable port security on the port.
A Catalyst 3750 switch does not work with the User Registration Tool (URT). The PC attempting to connect to the network can log in successfully, but it is not allowed to pass traffic after the port is moved to the user VLAN. The MAC address for that device shows BLOCKED.
Memory allocation (malloc) and remote-procedure call (RPC) throttle messages sometimes appear when a large number of access control lists (ACLs) are pasted to the console window.
The workaround is to save the configuration and reload the switch stack.
There is a discrepancy between the output of the show controllers ethernet-controller tengigabitethernet1/0/1 and the show interfaces tengigabitethernet1/0/1 privileged EXEC commands on a 10-Gigabit Ethernet interface.
The workaround for 10-Gigabit Ethernet interfaces is to use the show interface privileged EXEC command for the byte count and the number of pause frames received. Use the show controllers ethernet-controller privileged EXEC command for the frame count and the FCS and CRC error-frame count.
When redundant uplinks are from the same stack member in a switch stack and UplinkFast is configured, dummy multicast packets are not sent.
The workaround is to not have redundant uplinks from the same stack member. Provide uplink connectivity from ports across the switch stack rather than from one switch in the stack.
Some invalid ARP packets are not dropped on dynamic ARP inspection-enabled VLANs. Dynamic ARP inspection does not verify that certain ARP fields are valid and does not drop ARP packets with invalid values for those fields. The fields are hardware size, protocol size, and operation type. These packets also are not dropped by the switch on nondynamic ARP-enabled VLANs.
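Because the switch does not drop these packets, the three fields named in this caveat can be checked on a monitoring host instead. The following is an added example, not Cisco code: a validator for Ethernet/IPv4 ARP and RARP payloads, run over constructed packets. The expected values (hardware size 6, protocol size 4, operation 1 or 2 for ARP and 3 or 4 for RARP) are the standard ones for Ethernet and IPv4 and are an assumption about what "valid" means here.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035
# Operation codes (request, reply) that are valid for each EtherType.
VALID_OPERATIONS = {ETHERTYPE_ARP: {1, 2}, ETHERTYPE_RARP: {3, 4}}
# Fixed header: hardware type, protocol type, hardware size, protocol size, operation.
ARP_FIXED = struct.Struct("!HHBBH")


def check_arp_fields(ethertype, payload):
    """Return the problems found in the fields the caveat names (empty list = valid)."""
    if ethertype not in VALID_OPERATIONS:
        raise ValueError("not an ARP or RARP frame")
    if len(payload) < ARP_FIXED.size:
        return ["truncated header"]
    htype, ptype, hlen, plen, oper = ARP_FIXED.unpack_from(payload)
    if (htype, ptype) != (1, 0x0800):
        return ["not Ethernet/IPv4, not checked"]

    problems = []
    if hlen != 6:
        problems.append(f"hardware size {hlen}, expected 6")
    if plen != 4:
        problems.append(f"protocol size {plen}, expected 4")
    if oper not in VALID_OPERATIONS[ethertype]:
        problems.append(f"operation type {oper} not valid for EtherType 0x{ethertype:04x}")
    # 8-byte header + 2 hardware addresses (6 bytes) + 2 protocol addresses (4 bytes)
    if hlen == 6 and plen == 4 and len(payload) < 28:
        problems.append("truncated address fields")
    return problems


def build_arp(oper, hlen=6, plen=4):
    """Constructed Ethernet/IPv4 ARP payload with the given header fields."""
    sha, spa = bytes.fromhex("020000000001"), bytes([192, 0, 2, 1])
    tha, tpa = bytes(6), bytes([192, 0, 2, 2])
    return ARP_FIXED.pack(1, 0x0800, hlen, plen, oper) + sha + spa + tha + tpa


# Constructed samples: (description, EtherType, ARP payload)
SAMPLES = [
    ("valid ARP request", ETHERTYPE_ARP, build_arp(1)),
    ("hardware size 8", ETHERTYPE_ARP, build_arp(1, hlen=8)),
    ("protocol size 16", ETHERTYPE_ARP, build_arp(2, plen=16)),
    ("operation type 9", ETHERTYPE_ARP, build_arp(9)),
    ("ARP opcode in RARP frame", ETHERTYPE_RARP, build_arp(1)),
]


def audit(samples):
    """Map each sample description to the list of problems found."""
    return {name: check_arp_fields(ethertype, payload)
            for name, ethertype, payload in samples}


if __name__ == "__main__":
    for name, problems in audit(SAMPLES).items():
        print(f"{name}: {'; '.join(problems) or 'ok'}")
```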
If dynamic ARP inspection is enabled on an internal VLAN used by a routed port, ARP traffic on the routed port is affected by the dynamic ARP inspection processing. For example, ARP packets will be rate-limited.
The workaround is to not enable dynamic ARP inspection on internal VLANs.
An EtherChannel is not properly error-disabled if these conditions are true:
– The channel is carrying a VLAN that is enabled for dynamic ARP inspection.
– The channel is configured with a rate limit for dynamic ARP inspection.
– At least one of the ports in the channel is on a stack member.
– ARP packets are received on a port in the channel on a stack member at a higher rate than the configured rate limit for the channel.
Under these circumstances, a system message states that the rate limit was exceeded on the channel, but the channel will not be error-disabled.
The workaround is to use physical ports on the stack master for any EtherChannel that carries dynamic ARP inspection VLANs and has rate limits.
If the VTP password is configured but the VTP domain name is not configured and if the switch reloads twice, the switch does not retain the VLAN information.
– Delete the vlan.dat file, which deletes the VTP password.
– Delete the VTP password by using the no vtp password global configuration command.
When a secondary VLAN is associated and then quickly disassociated, sometimes the MAC address tables across the switch stack become unsynchronized. This is a rare condition that happens when Port Fast is enabled on the host ports and traffic is continuously received on that port.
The workaround is to clear the MAC address table by using the clear mac address-table dynamic privileged EXEC command.
If a secondary VLAN that was mapped to a promiscuous port is disassociated from the primary VLAN, the LED on the port turns from green to amber. This also occurs if the secondary VLAN is deleted.
The workaround is to remove the secondary VLAN from the mapping of the promiscuous port.
Dynamic ARP inspection log entries might be lost after a switch failure. Any log entries that are still in the log buffer (have not been output as a system message) on a switch that fails will be lost.
When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which the command was entered.
ARP and reverse ARP (RARP) packets are not properly filtered by a configured VLAN map. If you enable a VLAN for dynamic ARP inspection and a VLAN map is applied to the VLAN, ARP and RARP packets received in that VLAN on stack member ports that should be dropped by the VLAN map are not dropped.
Configuring multiple ports to a static address in a private VLAN is not supported in this release. If you add more than one port to a static address in a private VLAN, the traffic destined to that static address from a host (secondary VLAN) port to promiscuous port might be dropped.
The workaround is to not configure multiple ports to a static address in a private VLAN. You can use the shutdown and no shutdown interface configuration commands on a promiscuous port to resume the flow of traffic.
You can only enter values ranging from 1 to 1023 when configuring the VLAN for an access port from SNMP by using the vlanPortVlan object of the CISCO-STACK-MIB.
– Use the interface vlan global configuration command to configure the VLAN for the access port.
– From SNMP, use the vmVlan object of the CISCO-VLAN-MEMBERSHIP-MIB.
You can use both of these workarounds to enter a value ranging from 1 to 4095.
Port ACLs are not applied to IGMP control packets with IP options.
After a multicast group exceeds the maximum number that a private VLAN can support, the required ternary content addressable memory (TCAM) entries cannot present for the last group, and the forwarding behavior for that multicast group is incorrect.
For a private VLAN multicast group, each group needs 3 TCAM entries (one SFT entry and 2 LFT entries) when IP multicast routing is enabled on the private VLAN primary VLAN. (For a regular VLAN, only 1 SFT TCAM entry is required, and approximately 1000 groups can be supported. For the private VLAN group, only one third of the regular groups can be supported.)
A Catalyst 3750 switch running Cisco IOS Release 12.1(19)EA1a might continuously show this message:
When an SNMP version 3 user is configured with the encrypted option and password, the switch reloads when the MIB object usmUserAuthKeyChange is set.
The workaround is to configure a user without the encrypted option. (For example, snmp-server user username groupname v3 auth md5 password.)
If you try to add an aggregate policer to a policy map, this message appears:
and the aggregate policer is not added.
The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.
If you modify a policer, this message appears:
If you then attempt to remove an aggregate policer, the removal of the policy map fails, and this message appears:
The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.
When you add an aggregate policer to a policy-map class, the aggregate policer is also added to another policy class within the same policy.
The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.
Auto-upgrade fails under either of these conditions:
– The stack is running a cryptographic image and a version-mismatch member switch that is running a non-cryptographic image of the same type (both are EMI or SMI) joins the stack, or the reverse.
– If the stack is running a Cisco IOS 12.1 crypto image and a member switch running a Cisco IOS 12.2 crypto image of the same type joins the stack, or the reverse.
In both cases, the newly added member switch remains in the version mismatch state, and you must manually upgrade the member switch to run a compatible Cisco IOS image.
The workaround is to remove the 3750 member switch from the switch stack and to load a cryptographic image on the switch before adding it to the stack.
When enabled, DHCP snooping does not work with secondary VLANs of a private VLAN. DHCP discover messages from the private-VLAN hosts are not broadcast, and private-VLAN hosts cannot communicate with the DHCP server.
You cannot use the Mode button to detect the presence of a switch stack member if a small form-factor pluggable (SFP) module is not in the module slot for that port on the member.
The workaround is to insert an SFP module into the port.
When you reload a stack master, the SFP module slots are unable to establish a link after the old stack master comes up as a member switch.
The workaround is to manually configure the port by entering the no speed nonegotiate, shut, and no shut interface configuration commands.
After a stack master fail-over, any per-user access control lists (ACLs) applied on authenticated 802.1x ports might appear twice when you enter the show ip access-list privileged EXEC command.
This occurs when the authenticated port is on a member switch that becomes the stack master during fail-over. The duplicate display does not affect the functional behavior of the ACL.
When a local network link comes up, a MAC address that is defined in the static ARP table does not install the adjacency table immediately, causing a temporary Cisco Express Forwarding (CEF) drop. The maximum installation delay is about 60 seconds.
When two ports of a Cisco IP Phone are connected to a switch and the higher voice VLAN ID (VVID) is configured on the switch port to which port P3 of the Cisco IP Phone is connected, the phone displays configuring IP and halts.
These are the workarounds. Only one of these is necessary:
– Configure the higher VVID on port P1 of the Cisco IP phone.
– Connect only one port of the Cisco IP Phone to the switch.
Unless otherwise noted, these severity 3 CMS caveats apply to the Catalyst 3750, 3560, and 2970 switches:
When a Catalyst 3750 stack member leaves or joins the switch stack, the entire stack disappears from the Topology View. Only the stack member that has left the stack should disappear from the Topology view.
When you click Refresh in the Stack Settings dialog, the latest information for the switch cluster does not appear.
The workaround is to close and then to reopen the Stack Settings dialog.
These are the caveats that have been resolved.
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled “ICMP Attacks Against TCP” (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP “hard” error messages
2. Attacks that use ICMP “fragmentation needed and Don’t Fragment (DF) bit set” messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP “source quench” messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
A Cisco device running Cisco IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet.
If a malformed packet is received and queued up on the interface, this bug may also be triggered by other means that are not considered remotely exploitable, such as the use of the command show ip bgp neighbors or running the command debug ip bgp neighbor updates for a configured BGP neighbor.
Cisco has made free software available to address this problem.
For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
The switch no longer experiences a memory leak during the IP Routing Information Base (RIB) update process.
A switch no longer reloads if it generates a large number of proxy ARP entries.
If a connected device sends a SNAP Address Resolution Protocol (ARP) request to a switch, communication no longer stops between the devices.
The switch no longer reloads when you disable the 802.1x feature by using the no dot1x system-auth-control global configuration command on the master switch.
A switch configured for 802.1x accounting no longer reloads after losing connectivity to the RADIUS server.
During 802.1x machine authentication, the switch no longer prompts the supplicant to authenticate twice.
If an interface on a switch is configured with the no switchport interface configuration command, you can now use SNMP with the MIB object ipNetToMediaTable to create an ARP table for the interface information.
The Enhanced Interior Gateway Routing Protocol (EIGRP) Stub Routing feature is no longer missing from the switch configuration when it is restarted.
High CPU utilization no longer occurs on a switch when the logging synchronous global configuration command is configured for line con 0.
When a switch is configured for 802.1x authentication and a large number of authentication requests are received in a short period of time, new devices can now authenticate.
The switch now sends EAPOL-Id-Request frames to supplicants after the 802.1x state machine moves to the DISCONNECTING state.
If a switch stack is load balanced through two trunk uplinks, and one of the uplinks goes down, the packets are no longer forwarded to the wrong VLAN upon recovery of the failed uplink.
Incomplete ARP entries are no longer created when a switch receives an ARP request and sends a reply by using proxy ARP.
A switch no longer sends out an EAP success frame before assigning a corresponding VLAN on a port.
An 802.1x client no longer fails to authenticate on a switch when State(24) Field values change from Challenge to Request.
A switch configured for 802.1x authentication no longer fails to authenticate supplicants because no AAA process slots are available.
Cisco IOS® devices running branches of Cisco IOS version 12.2S that have Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of service where the input queue becomes blocked when receiving specifically crafted DHCP packets. Cisco is providing free fixed software to address this issue. There are also workarounds to mitigate this vulnerability. This issue was introduced by the fix included in CSCdx46180 and is being tracked by Cisco Bug ID CSCee50294.
http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml
This caveat was resolved in this release:
This error message no longer appears, and the switch no longer loops indefinitely after you upgrade and then reload a Catalyst 3750 switch:
Note There is no code change in Cisco IOS Release 12.2(20)SE2. The SMI cryptographic images on CCO for Cisco IOS Release 12.2(20)SE1 were corrupt. If you have downloaded a corrupted image and are seeing this error message, refer to the “Recovering from Corrupted Software By Using the Xmodem Protocol” section of the software configuration guide at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12220se/3750scg/swtrbl.htm#wp1099467
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
Catalyst switches running Cisco IOS Release 12.1(14)EA1 through 12.1(19)EA1d or Cisco IOS Release 12.2(18)SE through 12.2(20)SE now correctly link up with media converters running at 100 Mbps.
After the stack master fails and another is elected, switch ports on the new stack master no longer lose the hardware configuration of 802.1x per-user access control lists (ACLs).
A Catalyst 3750 stack member switch now reliably downloads CEF tables from the stack master.
These CISCO-STACK-MIB objects now return the correct values:
Power is no longer applied to a port after a Power over Ethernet (PoE) switch powered device, such as a Cisco IP Phone, is removed from that port. In previous releases, power was sometimes still applied to the port even after the device was removed. This could have damaged a non-PoE switch-powered device when it was later connected to that port.
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
When you open the Port Settings dialog for a Power-over-Ethernet (PoE) switch that is a member of a switch stack and the stack master is not a PoE switch, a Java exception error no longer occurs.
When a switch cluster has only one member switch and that member switch is down, CMS now displays the Remove From Cluster option.
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
When multicast VLAN registration (MVR) groups are added or deleted, the receiver port that joined the groups after the addition no longer receives traffic after the group is deleted. MVR data traffic to the group is no longer sent to the receiver port immediately after the no mvr group ip-address global configuration command is entered.
When both the sharing and shaping weights are enabled, the receiving rates now follow the shared bandwidth weight if the priority queue is enabled on the egress queue.
When an ACL that denies packets is configured on an ingress or egress interface, the CPU usage is no longer as high as 70 percent when these packets are forwarded to the CPU to determine if an ICMP-unreachable packet should be generated.
When a configured secure MAC address exists on an interface, you can now change it to a sticky MAC address. Alternatively, if a sticky MAC address exists on an interface, you can now change it to a secure MAC address.
When the CISCO-STP-EXTENSIONS-MIB is polled, unknown indexes are no longer returned for some MIB objects.
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.
The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.
Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml
When an 802.1x-enabled port is authenticated with a RADIUS-assigned VLAN, if the port is shut down or the link is removed, a traceback message no longer appears.
After a link is up, a switch sends three Extensible Authentication Protocol (EAP) Request/Identity messages to the client. There is a 30-second gap between messages. However, PCs that are running Windows XP or Windows 2000 drop the first message so that the second message that the client receives appears to be the first, which is at least 30 seconds after the link is up. Therefore, a user does not see a password window until at least 30 seconds after the link is up.
Telnet and ping traffic is no longer disrupted during SNMP polling of the VlanTrunkPortTable table in the CISCO-VTP-MIB.
When per-user access control lists (ACLs) are downloaded from a RADIUS server after successful 802.1x authentication, disabling 802.1x now removes the attached per-user ACLs from the interface.
If QoS is enabled and the trust state is not configured on an ingress interface, now only the mapping of the class of service (CoS) value of 0 to the ingress or egress queues takes effect when you enter the mls qos srr-queue input cos-map or the mls qos srr-queue output cos-map global configuration command. Mappings of other CoS values or DSCP values to queues have no effect on traffic from that interface.
If you change the input priority queue for queue 2 by using the mls qos srr-queue input priority-queue 2 bandwidth global configuration command, the configurations that are generated no longer contain an extra input keyword such as mls qos srr-queue input priority-queue input 2 bandwidth. In previous releases, the extra keyword caused an error message if the command was saved and the switch was reloaded.
When there are many configured secure and sticky MAC addresses on a port, addresses are no longer dropped and removed from the configuration when the switch restarts.
When you configure a unicast MAC address filter that matches a Windows XP 802.1x client MAC address, the Windows XP 802.1x client now no longer repeatedly tries to re-authenticate itself.
Processor memory no longer leaks if you change the policy-based routing (PBR) configuration.
The command switch now discovers candidates more than one CDP hop beyond its routed port.
When the kerberos clients mandatory global configuration command is entered on a switch and the switch is connected to a host that does not support Kerberos through a Telnet session, the switch no longer halts when you press the Enter key.
When (*,G) and (S,G) entries are created in a multicast routing table on a remote port by Protocol-Independent Multicast-Sparse Mode (PIM-SM) registering, the RPF leak flag is now set for hardware entry for the group.
A topology change on a member switch no longer causes fast-aging of the dynamically learned addresses. In previous releases, this occurred in per-VLAN spanning-tree (PVST) mode when a topology change notification (TCN BPDU) was generated and propagated from a member switch but was not sent from the root port on the master.
Members of a switch stack no longer fail after the debug all privileged EXEC command is entered.
Changing the LACP system-priority, either locally or on the neighbor switch, no longer creates assert failure and traceback error messages for the ports in the EtherChannel if there is a Layer-3 (routed port) Link Aggregation Control Protocol (LACP) EtherChannel on the stack master.
The switch now accepts duplicate remark statements in named ACLs.
A Catalyst 3750 stack member switch no longer reloads or displays a message similar to this:
A MAC address is now correctly learned on a secure port, ages out, and is then learned on another secure port on a different stack member switch.
Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:
When you open the Port Settings dialog for a Power-over-Ethernet (PoE) switch that is a member of a switch stack and the stack master is not a PoE switch, a Java exception error no longer occurs.
When a switch cluster has only one member switch and that member switch is down, CMS now displays the Remove From Cluster option.
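Added example (not part of Cisco's release notes): a small audit that maps a switch's IOS version and running configuration to the four security advisories listed in the resolved caveats above, using the fix releases and exposure conditions this page gives. The status names, the sample inputs, the assumption that later 12.2 SE maintenance releases keep the fixes, and the `no service dhcp` check (a standard IOS command that this page does not mention) are assumptions of the example.

```python
import re

# Matches the version token in "show version" output, e.g. "Version 12.2(20)SE3".
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)")


def parse_ios_version(show_version):
    """Return (major, minor, maintenance, train, rebuild) or None if absent."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return int(major), int(minor), int(maint), train, int(rebuild or 0)


def has_line(pattern):
    """Build a test that is true when a config line matches the pattern."""
    rx = re.compile(pattern, re.MULTILINE)
    return lambda cfg: bool(rx.search(cfg))


ALWAYS = lambda cfg: True  # exposure does not depend on configuration

# (advisory, first fixed (maintenance, rebuild) in the 12.2 SE train per the
#  resolved-caveat lists on this page, exposure test on the running config)
ADVISORIES = [
    # ICMP attacks against TCP: affects sessions terminating on the device.
    ("cisco-sa-20050412-icmp", (20, 3), ALWAYS),
    # BGP: only devices with "bgp log-neighbor-changes" configured.
    ("cisco-sa-20050126-bgp", (20, 3),
     has_line(r"^\s*bgp log-neighbor-changes\s*$")),
    # DHCP: server/relay is "enabled, even if not configured". Assumption:
    # "no service dhcp" in the config means the service was turned off.
    ("cisco-sa-20041110-dhcp", (20, 3),
     lambda cfg: not has_line(r"^no service dhcp\s*$")(cfg)),
    # OSPF: not enabled by default, so require a "router ospf" process.
    ("cisco-sa-20040818-ospf", (20, 0), has_line(r"^router ospf \d+")),
]


def audit(show_version, running_config):
    """Return {advisory: 'fixed' | 'exposed' | 'precondition-absent' | 'unknown'}."""
    ver = parse_ios_version(show_version)
    results = {}
    for advisory, fixed_in, exposed in ADVISORIES:
        # Only the 12.2 SE train is covered by these release notes; anything
        # else needs the advisory's own table of affected releases.
        if ver is None or ver[:2] != (12, 2) or ver[3] != "SE":
            results[advisory] = "unknown"
        elif (ver[2], ver[4]) >= fixed_in:
            results[advisory] = "fixed"
        elif exposed(running_config):
            results[advisory] = "exposed"
        else:
            results[advisory] = "precondition-absent"
    return results


# Constructed sample inputs (not captured from a real device).
SAMPLE_SHOW_VERSION = (
    "IOS (tm) C3750 Software (C3750-I5-M), Version 12.2(20)SE1, "
    "RELEASE SOFTWARE (fc1)"
)
SAMPLE_CONFIG = """\
hostname sw-constructed
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
!
router bgp 65000
 no bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 65001
"""

if __name__ == "__main__":
    for advisory, status in audit(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG).items():
        print(f"{advisory}: {status}")
```

A result of precondition-absent means the release predates the fix but the configuration condition the page names is not met, so the switch should still be scheduled for upgrade.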
These are the updates to the product documentation:
The following commands are supported on the Catalyst 3750G-24TS-1U, 3750G-24PS, 3750G-48TS, and 3750G-48PS switches and will be included in the next version of the Catalyst 3750 command reference.
Use the debug platform frontend-controller privileged EXEC command to enable debugging of front-end controller activity. Use the no form of this command to disable debugging.
debug platform frontend-controller { all | image | led | manager | poe | register | thermal }
no debug platform frontend-controller { all | image | led | manager | poe | register | thermal }
This command is supported only on Catalyst 3750G-48TS, 3750G-48PS, 3750G-24TS-1U, and 3750G-24PS switches.
Note Debug privileged EXEC commands are helpful in diagnosing and resolving internetworking problems and should be used only under the guidance of Cisco technical support staff.
The undebug platform frontend-controller command is the same as the no debug platform frontend-controller command.
When you enable debugging, it is enabled only on the stack’s active switch. To enable debugging on a stack member, start a session from the stack’s active switch by using the session switch-number privileged EXEC command. Then enter the debug command at the command-line prompt of the stack member. You can also use the remote command stack-member-number LINE privileged EXEC command on the stack’s active switch to enable debugging on a member switch without first starting a session.
Use the show cable-diagnostics tdr privileged EXEC command to display the Time Domain Reflector (TDR) results.
show cable-diagnostics tdr interface interface-id [ | { begin | exclude | include } expression ]
TDR is supported only on copper Ethernet 10/100/1000 ports. It is not supported on 10/100 ports, 10-Gigabit module ports, or small form-factor pluggable (SFP)-module ports. For more information about TDR, see the software configuration guide for this release.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show cable-diagnostics tdr interface interface-id command on a switch other than a Catalyst 3750G-24PS or 3750G-48PS switch:
This is an example of output from the show cable-diagnostics tdr interface interface-id command on a Catalyst 3750G-24PS or 3750G-48PS switch:
Table 6 lists the descriptions of the fields in the show cable-diagnostics tdr command output.
This is an example of output from the show interface interface-id command when TDR is running:
This is an example of output from the show cable-diagnostics tdr interface interface-id command when TDR is not running:
Use the show controllers power inline user EXEC command to display the values in the registers of the specified Power over Ethernet (PoE) controller.
show controllers power inline [ instance ] [ module switch-number ] [ | { begin | exclude | include } expression ]
For the Catalyst 3750-48PS and 3750G-48PS switches, the instance range is 0 to 11.
For the Catalyst 3750-24PS and 3750G-24PS switches, the instance range is 0 to 5.
Though visible on all switches, this command is valid only for PoE switches. It provides no information for switches that do not support PoE.
The output provides information that might be useful for Cisco technical support representatives troubleshooting the switch.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show controllers power inline command on a Catalyst 3750-48PS switch:
This is an example of output from the show controllers power inline command on a Catalyst 3750G-48PS switch:
Use the show env user EXEC command to display fan, temperature, redundant power system (RPS) availability, and power information for the switch being accessed (standalone switch, active switch, or member switches). Use with the stack keyword to display all information for the stack or for a specified switch in the stack.
show env { all | fan | power | rps | stack [ switch-number ] | temperature [ status ]} [ | { begin | exclude | include } expression ]
Use the show access-lists privileged EXEC command to access information from a specific switch other than the active switch.
You can use the show env stack [ switch-number ] command to display information about any switch in the stack from any member switch.
Though visible on all switches, the show env temperature status command is valid only for the Catalyst 3750G-48TS, 3750G-48PS, 3750G-24TS-1U, and 3750G-24PS switches. If you enter this command on these switches, the command output shows the switch temperature states and the threshold levels. The switch temperature is the temperature in the switch, not the external temperature. If you enter the command on a switch other than those four, the output field shows Not Applicable.
On a Catalyst 3750G-48PS or 3750G-24PS switch, you can also use the show env temperature command to display the switch temperature status. The command output shows the green and yellow states as OK and the red state as FAULTY. If you enter the show env all command on this switch, the command output is the same as the show env temperature status command output.
For more information about the threshold levels, see the software configuration guide for this release.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
This is an example of output from the show env all command entered from the active switch or a standalone switch:
This is an example of output from the show env fan command:
This is an example of output from the show env stack command:
This example shows how to display information about stack member 3 from the active switch:
This example shows how to display the temperature value, state, and the threshold values. Table 7 describes the temperature states in the command output.
Use the system env temperature threshold yellow global configuration command on the switch stack or on a standalone switch to specify the difference between the yellow and red temperature thresholds and to configure the yellow threshold. Use the no form of this command to return to the default value.
Though visible on all switches, this command is only valid on these switches:
You cannot configure the green and red thresholds but can configure the yellow threshold. Use the system env temperature threshold yellow value global configuration command to specify the difference between the yellow and red thresholds and to configure the yellow threshold. For example, if the red threshold is 66 degrees C and you want to configure the yellow threshold as 51 degrees C, set the difference between the thresholds as 15 by using the system env temperature threshold yellow 15 command.
Note The internal temperature sensor in the switch measures the internal system temperature and might vary ±5 degrees C.
show env temperature status |
Use the show platform frontend-controller privileged EXEC command to display counter and status information for the front-end controller manager and subordinate applications and to display the hardware and software information for the front-end controller.
show platform frontend-controller { buffer | generic | manager number | subordinate number | version number } [ | { begin | exclude | include } expression ]
This command is supported only on Catalyst 3750G-48TS, 3750G-48PS, 3750G-24TS-1U, and 3750G-24PS switches.
Note Show platform privileged EXEC commands display information helpful in diagnosing and resolving internetworking problems and should be used only under the guidance of Cisco technical support staff.
On the Catalyst 3750G-48TS and 3750G-48PS switches, the subordinate number range is 0 to 2.
On the Catalyst 3750G-24TS-1U and 3750G-24PS switches, the subordinate number range is 0 to 1.
You should use this command only when you are working directly with a technical support representative while troubleshooting a problem. Do not use this command unless a technical support representative asks you to do so.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
The following commands are supported on the Catalyst 3560G-24PS, 3560G-24TS, 3560G-48PS, and 3560G-48TS switches and will be included in the next version of the Catalyst 3560 command reference.
The test cable-diagnostics tdr privileged EXEC command is also supported on the Catalyst 3560G-24PS, 3560G-24TS, 3560G-48PS, and 3560G-48TS switches beginning with Cisco IOS Release 12.2(20)SE3.
Use the debug platform frontend-controller privileged EXEC command to enable debugging of front-end controller activity. Use the no form of this command to disable debugging.
debug platform frontend-controller { all | image | led | manager | poe | register | thermal }
no debug platform frontend-controller { all | image | led | manager | poe | register | thermal }
This command is supported only on Catalyst 3560G-48TS, 3560G-48PS, 3560G-24TS, and 3560G-24PS switches.
Note Debug privileged EXEC commands are helpful in diagnosing and resolving internetworking problems and should be used only under the guidance of Cisco technical support staff.
The undebug platform frontend-controller command is the same as the no debug platform frontend-controller command.
Use the show cable-diagnostics tdr privileged EXEC command to display the Time Domain Reflector (TDR) results.
show cable-diagnostics tdr interface interface-id [ | { begin | exclude | include } expression ]
TDR is supported only on copper Ethernet 10/100/1000 ports. It is not supported on 10/100 ports, 10-Gigabit module ports, or small form-factor pluggable (SFP)-module ports. For more information about TDR, see the software configuration guide for this release.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show cable-diagnostics tdr interface interface-id command on a switch other than a Catalyst 3560G-24PS or 3560G-48PS switch:
This is an example of output from the show cable-diagnostics tdr interface interface-id command on a Catalyst 3560G-24PS or 3560G-48PS switch:
Table 9 lists the descriptions of the fields in the show cable-diagnostics tdr command output.
This is an example of output from the show interface interface-id command when TDR is running:
This is an example of output from the show cable-diagnostics tdr interface interface-id command when TDR is not running:
Use the show controllers power inline user EXEC command to display the values in the registers of the specified Power over Ethernet (PoE) controller.
show controllers power inline [ instance ] [ | { begin | exclude | include } expression ]
For the Catalyst 3560-48PS and 3560G-48PS switches, the instance range is 0 to 11.
For the Catalyst 3560-24PS and 3560G-24PS switches, the instance range is 0 to 5.
Though visible on all switches, this command is valid only for PoE switches. It provides no information for switches that do not support PoE.
The output provides information that might be useful for Cisco technical support representatives troubleshooting the switch.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show controllers power inline command on a Catalyst 3560-48PS switch:
This is an example of output from the show controllers power inline command on a Catalyst 3560G-48PS switch:
Use the show env user EXEC command to display fan, temperature, redundant power system (RPS) availability, and power information for the switch.
show env { all | fan | power | rps | temperature [ status ]} [ | { begin | exclude | include } expression ]
Though visible on all switches, the show env temperature status command is valid only for the Catalyst 3560G-48TS, 3560G-48PS, 3560G-24TS, and 3560G-24PS switches. If you enter this command on these switches, the command output shows the switch temperature states and the threshold levels. The switch temperature is the temperature in the switch, not the external temperature. If you enter the command on a switch other than those four, the output field shows Not Applicable.
On a Catalyst 3560G-48PS or 3560G-24PS switch, you can also use the show env temperature command to display the switch temperature status. The command output shows the green and yellow states as OK and the red state as FAULTY. If you enter the show env all command on this switch, the command output is the same as the show env temperature status command output.
For more information about the threshold levels, see the software configuration guide for this release.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
This is an example of output from the show env all command entered:
This is an example of output from the show env fan command:
This example shows how to display the temperature value, state, and the threshold values. Table 10 describes the temperature states in the command output.
Use the system env temperature threshold yellow global configuration command to specify the difference between the yellow and red temperature thresholds and to configure the yellow threshold. Use the no form of this command to return to the default value.
Though visible on all switches, this command is only valid on these switches:
You cannot configure the green and red thresholds but can configure the yellow threshold. Use the system env temperature threshold yellow value global configuration command to specify the difference between the yellow and red thresholds and to configure the yellow threshold. For example, if the red threshold is 66 degrees C and you want to configure the yellow threshold as 51 degrees C, set the difference between the thresholds as 15 by using the system env temperature threshold yellow 15 command.
Note The internal temperature sensor in the switch measures the internal system temperature and might vary ±5 degrees C.
show env temperature status |
Use the show platform frontend-controller privileged EXEC command to display counter and status information for the front-end controller manager and subordinate applications and to display the hardware and software information for the front-end controller.
show platform frontend-controller { buffer | generic | manager number | subordinate number | version number } [ | { begin | exclude | include } expression ]
This command is supported only on Catalyst 3560G-48TS, 3560G-48PS, 3560G-24TS, and 3560G-24PS switches.
Note Show platform privileged EXEC commands display information helpful in diagnosing and resolving internetworking problems and should be used only under the guidance of Cisco technical support staff.
On the Catalyst 3560G-48TS and 3560G-48PS switches, the subordinate number range is 0 to 2.
On the Catalyst 3560G-24TS and 3560G-24PS switches, the subordinate number range is 0 to 1.
You should use this command only when you are working directly with a technical support representative while troubleshooting a problem. Do not use this command unless a technical support representative asks you to do so.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
These updates were added for Cisco IOS Release 12.2(20)SE1:
This section was added to the “Troubleshooting Power over Ethernet Switch Ports” section of the Catalyst 3750 and 3560 “Troubleshooting” chapters.
If a Power over Ethernet (PoE) switch powered device, such as a Cisco IP Phone, is connected to a port and you configure the port by using the power inline never interface configuration command, a false link up can place the port into an error-disabled state. To take the port out of the error-disabled state, enter the shutdown and no shutdown interface configuration commands.
You should not connect a PoE-powered device to a port on a PoE switch if that port has been configured with the power inline never command.
These commands were revised for the Catalyst 3750, 3560, and 2970 switch command references:
This example shows how to set a port to autonegotiate at only 10 Mbps:
This example shows how to set a port to autonegotiate at only 10 or 100 Mbps:
If a port has a device that is powered by a PoE switch connected to it, you should not use the power inline never command to configure the port. A false link up can occur on the port and place it into an error-disabled state.
In releases earlier than Cisco IOS Release 12.2(20)SE1, power was sometimes still applied to a PoE switch port even after a PoE-powered device was removed. This could cause damage to a non-PoE-powered device when it was later connected to that port. Make sure that your switch is running Cisco IOS Release 12.2(20)SE1 or later.
This is an example of output from the show interfaces transceiver properties command. If you do not specify an interface, the output of the command shows the status on all switch ports:
This is an example of output from the show interfaces module number transceiver properties command for a specific interface:
These messages have been revised in the “Catalyst 3750 Switch System Message Guide” and the “Catalyst 3560 Switch System Message Guide.”
Error Message ETHCNTR-3-HALF_DUX_COLLISION_EXCEED_THRESHOLD: Collision at [chars] exceed threshold. Consider as loop-back.
Explanation This message means that the collisions at a half-duplex port exceeded the threshold, and the port is considered as a loopback. On switches that support Power over Ethernet (PoE), this message might be displayed when a device that can be powered by either a PoE switch port or by AC power is not being powered by an external AC power source and is connected to a port that has been configured with the power inline never interface configuration command. [chars] is the port where the threshold was exceeded.
Recommended Action On switches that support PoE, remove the device or configure the port by entering the power inline auto, shutdown, and no shutdown interface configuration commands. No action is required on non-PoE switches. The port goes into error-disabled mode until the problem is resolved.
Error Message ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on [chars].
Explanation This message means that a loopback condition might be the result of a balun cable incorrectly connected into a port. On PoE switches, this message might be displayed when a device that can be powered by either a PoE switch port or by AC power is not being powered by an external AC power source and is connected to a port that has been configured with the power inline never interface configuration command. [chars] is the interface name.
Recommended Action On non-PoE switches, check the cables. If a balun cable is connected and the loopback condition is desired, no action is required. Otherwise, connect the correct cable, and then enable the port. On PoE switches, remove the device or configure the port by entering the power inline auto, shutdown, and no shutdown interface configuration commands.
Error Message PM-4-ERR_DISABLE: [chars] error detected on [chars], putting [chars] in err-disable state.
Explanation This message means that the port manager detected a misconfiguration or misbehavior and placed the interface in an error-disabled state. A recovery is attempted after the configured retry time (the default is 5 minutes). On PoE switches, this message might appear when a device that can be powered by either a PoE switch port or by AC power is not being powered by an external AC power source and is connected to a port that has been configured with the power inline never interface configuration command. [chars] is the port where the threshold was exceeded. The first [chars] is the error, and the second and third [chars] are the affected interfaces.
Recommended Action On non-PoE switches, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Enter the show tech-support user EXEC command to gather data that might help identify the nature of the error. Use the Bug Toolkit to look for similar reported problems. On PoE switches, remove the device or configure the port by entering the power inline auto, shutdown, and no shutdown interface configuration commands. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the “Error Message Traceback Reports” section.
Error Message ILPOWER-5-IEEE-DISCONNECT: Interface [chars]: PD removed.
Explanation This message means that the powered device is no longer connected to the switch or that the connected powered device is being powered by an external AC power source. The switch is no longer providing power to the port. [chars] is the interface.
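A triage sketch for the three revised loopback and err-disable messages above, added here as an example and not Cisco code: it groups the messages by port and checks a running-config excerpt for power inline never, the condition the explanations name. The log lines, config excerpt, and helper names are constructed for illustration.

```python
import re
from collections import defaultdict

# Cisco IOS system message body: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z_]+-[0-7]-[A-Z_]+): (.*)$")
# Text templates from the revised message entries; the [chars] port is the capture group.
PORT_RE = {
    "ETHCNTR-3-HALF_DUX_COLLISION_EXCEED_THRESHOLD": re.compile(r"Collision at (\S+) exceed threshold"),
    "ETHCNTR-3-LOOP_BACK_DETECTED": re.compile(r"Loop-back detected on (\S+?)\.?$"),
    "PM-4-ERR_DISABLE": re.compile(r"error detected on (\S+?), putting"),
}
POE_ACTION = "remove the device, or enter: power inline auto, shutdown, no shutdown"
OTHER_ACTION = "follow the message's general Recommended Action"


def norm(port):
    """Map long and short interface names to one key (GigabitEthernet1/0/5, Gi1/0/5 -> gi1/0/5)."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", port)
    return (m.group(1)[:2] + m.group(2)).lower() if m else port.lower()


def ports_with_power_inline_never(running_config):
    """Return normalized names of interfaces configured with 'power inline never'."""
    found, current = set(), None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = norm(line.split(None, 1)[1].strip())
        elif current and line.strip() == "power inline never":
            found.add(current)
    return found


def triage(log_lines, running_config):
    """Group the three messages by port; pick the PoE action where the config matches."""
    never = ports_with_power_inline_never(running_config)
    seen = defaultdict(list)
    for line in log_lines:
        m = MSG_RE.search(line)
        if not m or m.group(1) not in PORT_RE:
            continue  # some other system message
        p = PORT_RE[m.group(1)].search(m.group(2))
        if p:
            seen[norm(p.group(1))].append(m.group(1))
    return {port: {"messages": msgs, "power_inline_never": port in never,
                   "action": POE_ACTION if port in never else OTHER_ACTION}
            for port, msgs in seen.items()}


# Constructed sample data (not captured from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/5
 power inline never
!
interface GigabitEthernet1/0/6
 switchport mode access
"""
SAMPLE_LOG = [
    "00:12:01: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on Gi1/0/5.",
    "00:12:01: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "00:15:40: %ETHCNTR-3-HALF_DUX_COLLISION_EXCEED_THRESHOLD: Collision at Gi1/0/6 exceed threshold. Consider as loop-back.",
    "00:16:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
]
if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CONFIG))
```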
This is a new message for the “Catalyst 3750 Switch System Message Guide.”
This section contains the BADTRANSCEIVER message.
Error Message BADTRANSCEIVER, PHY, LOG_WARNING: An inappropriate transceiver has been inserted in interface [chars].
Explanation This message means that a defective module is installed in the specified interface. [chars] is the interface.
Recommended Action Remove the transceiver. If it was purchased from Cisco, contact your Cisco representative to have the transceiver replaced.
These are new messages for the “Catalyst 3560 Switch System Message Guide.”
Error Message ILPOWER-3-CONTROLLER_ERR: Controller error, Controller number [dec]: [chars].
Explanation This message means that an error reported or caused by the PoE controller is detected. [dec] is the controller instance, which is 0 to 5 on a 24-port PoE switch and 0 to 11 on a 48-port PoE switch. [chars] describes the error.
Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Enter the show tech-support user EXEC command to gather data that might help identify the nature of the error. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the “Error Message Traceback Reports” section.
Error Message ILPOWER-3-CONTROLLER_IF_ERR: Controller interface error, [chars] [chars].
Explanation This message means that an interface error is detected between the PoE controller and the system. The first [chars] is the interface. The second [chars] describes the error.
Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Enter the show tech-support user EXEC command to gather data that might help identify the nature of the error. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the “Error Message Traceback Reports” section.
Error Message ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface [chars]: [chars]
Explanation This message means that a port error reported by the PoE controller is detected. The first [chars] is the interface. The second [chars] describes the error.
Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Enter the show tech-support user EXEC command to gather data that might help identify the nature of the error. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the “Error Message Traceback Reports” section.
Error Message ILPOWER-3-ILPOWER_INTERNAL_IF_ERROR: Inline Power internal error, interface [chars]: [chars].
Explanation This message means that a software check failed during PoE processing. The first [chars] is the interface. The second [chars] describes the error.
Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Enter the show tech-support user EXEC command to gather data that might help identify the nature of the error. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information. For more information about these online tools and about contacting Cisco, see the “Error Message Traceback Reports” section.
Error Message ILPOWER-5-IEEE_DISCONNECT: Interface [chars]: AC disconnect
Explanation This message means that the powered device is no longer connected to the switch or that the connected powered device is being powered by an external AC power source. No power is on the switch PoE port. [chars] is the interface.
Recommended Action No action is required.
Error Message ILPOWER-5-ILPOWER_POWER_DENY: Interface [chars]: inline power denied.
Explanation This message means that there is not enough power remaining in the switch to supply to the PoE port. [chars] is the interface.
Recommended Action Connect the powered device to an external AC power source.
Error Message ILPOWER-5-POWER_GRANTED: Interface [chars]: Power granted.
Explanation This message means that there is enough power available in the switch and that power is on the PoE port. [chars] is the interface.
Recommended Action No action is required.
Error Message ILPOWER-7-DETECT: Interface [chars]: Power Device detected:[chars].
Explanation This message means that the switch has detected the attached powered device. The first [chars] is the interface. The second [chars] is the Cisco pre-standard powered device or the IEEE-compliant powered device.
In printed copies of the software configuration guides, the URL listed in the “Privilege Levels” section of the “Getting Started with CMS” chapter is incorrect. The section lists this URL:
This is the correct URL (the closing “/” is required):
In printed copies of the software configuration guides, in the “Classifying Traffic by Using ACLs” section of the “Configuring QoS” chapter, this information in Step 3 to create a Layer 2 MAC ACL is incorrect:
This is the correct information:
The next sections provide updated information for the “Managing Switch Stacks” chapter.
Note The information in the “Major Incompatibility Between Switches” section was retitled and should be replaced with this information.
Switches with different Cisco IOS software versions likely have different stack protocol versions. Switches with different major version numbers are incompatible and cannot exist in the same switch stack.
Note The information in the “Minor Incompatibility Between Switches” section was retitled and should be replaced with this information.
Switches with the same major version number as the stack’s active switch but with a different minor version number are considered partially compatible. When connected to a switch stack, a partially compatible switch enters version-mismatch (VM) mode and cannot join the stack as a fully functioning member. The software detects the mismatched software and tries to upgrade (or downgrade) the switch in VM mode with the switch stack image or with a tar file image from the switch stack flash memory. The software uses the automatic upgrade (auto-upgrade) and the automatic advise (auto-advise) features. For more information, see the “Understanding Auto-Upgrade and Auto-Advise” section.
To see if there are switches in VM mode, use the show switch user EXEC command. The port LEDs on switches in VM mode will also stay off. Pressing the Mode button does not change the LED mode.
Note This is a new section, not previously in the “Managing Switch Stacks” chapter.
When the software detects mismatched software and tries to upgrade the switch in VM mode, two software processes are involved:
Auto-upgrade occurs if it is enabled, if there is enough flash memory in the switch in VM mode, and if:
– The software image running on the switch stack is suitable for the switch in VM mode, or
– There is a tar file from the switch stack that is suitable for the switch in VM mode. A switch in VM mode might not run all released software. For example, new switch hardware is not recognized in earlier versions of software.
The auto-upgrade and the auto-copy processes wait for a few minutes before starting.
When the auto-upgrade process is complete, the switch that was in VM mode reloads and joins the stack as a fully functioning member. If you have both StackWise cables connected during the reload, network downtime does not occur because the switch stack operates on two rings.
Note Auto-upgrade performs the upgrade only when the two images are the same type. For example, it does not automatically upgrade a switch in VM mode from EMI to SMI (or the reverse) or from cryptographic to noncryptographic (or the reverse).
The auto-advise software does not give suggestions when the switch stack software and the software of the switch in VM mode do not contain the same feature sets. For example, if the switch stack is running the SMI and you add a switch that is running the EMI, the auto-advise software does not provide a recommendation. The same events occur when cryptographic and noncryptographic images are running.
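The compatibility and auto-upgrade rules above written as a decision function, added here as an illustration rather than Cisco's implementation. The version numbers, the Software class, and the outcome labels are assumptions; a VM-mode switch whose image type matches but that cannot be auto-upgraded is modeled as getting an auto-advise recommendation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Software:
    major: int        # stack protocol major version number
    minor: int        # stack protocol minor version number
    feature_set: str  # "SMI" or "EMI"
    crypto: bool      # True for a cryptographic image

    def same_type(self, other):
        """True when feature set and cryptographic type both match."""
        return self.feature_set == other.feature_set and self.crypto == other.crypto


def compatibility(stack, new):
    """Classify a joining switch against the software on the switch stack."""
    if new.major != stack.major:
        return "incompatible"        # cannot exist in the same switch stack
    if new.minor != stack.minor:
        return "version-mismatch"    # partially compatible: enters VM mode
    return "compatible"


def vm_outcome(stack, new, *, auto_upgrade_enabled, enough_flash,
               stack_image_suitable, tar_file_suitable):
    """Return (state, process) for a switch being added to the stack."""
    state = compatibility(stack, new)
    if state != "version-mismatch":
        return state, None
    if not stack.same_type(new):
        # No automatic upgrade across EMI/SMI or crypto/noncrypto,
        # and auto-advise gives no suggestion either.
        return state, "no-recommendation"
    if (auto_upgrade_enabled and enough_flash
            and (stack_image_suitable or tar_file_suitable)):
        return state, "auto-upgrade"  # switch reloads and joins as a full member
    return state, "auto-advise"       # recommends an image to download


# Constructed version numbers and image types, for illustration only.
STACK = Software(major=1, minor=3, feature_set="SMI", crypto=False)

if __name__ == "__main__":
    joining = Software(major=1, minor=1, feature_set="SMI", crypto=True)
    print(vm_outcome(STACK, joining, auto_upgrade_enabled=True, enough_flash=True,
                     stack_image_suitable=True, tar_file_suitable=False))
```

The cryptographic and feature-set check comes first on purpose: a mismatch there means the operator has to choose and install the image manually, regardless of the auto-upgrade setting.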
Note This is a new section, not previously in the “Managing Switch Stacks” chapter.
When you add a switch that has a different minor version number to the switch stack, the software displays messages in sequence (assuming that there are no other system messages generated by the switch).
This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack. Auto-copy launches, finds suitable software to copy from a stack member to the switch in VM mode, upgrades the switch in VM mode, and then reloads it:
This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack. Auto-copy launches but cannot find software in the switch stack to copy to the switch in VM mode to make it compatible with the switch stack. The auto-advise process launches and recommends that you download a tar file from the network to the switch in VM mode:
For information about using the archive download-sw privileged EXEC command, refer to the “Working with Software Images” section in Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
Note Auto-advise and auto-copy identify which images are running by examining the info file and by searching the directory structure on the switch stack. If you download your image by using the copy tftp: command instead of by using the archive download-sw privileged EXEC command, the correct directory structure is not properly created. For more information about the info file, see the “tar File Format of Images on a Server or Cisco.com” section in Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
The display for the show controllers ethernet-controller command was enhanced to show the XENPAK module serial EEPROM contents. For information about the EEPROM map and the field descriptions for the display, refer to the XENPAK multisource agreement (MSA) at these URLs:
http://www.xenpak.org/MSA/XENPAK_MSA_R2.1.pdf
http://www.xenpak.org/MSA/XENPAK_MSA_R3.0.pdf
To determine which version of the XENPAK documentation to read, check the XENPAK MSA Version supported field in the display. Version 2.1 is 15 hexadecimal, and Version 3.0 is 1e hexadecimal.
This is an example of output from the show controllers ethernet-controller tengigabitethernet1/0/1 phy command for the 10-Gigabit Ethernet interface:
These documents provide complete information about the Catalyst 3750, 3560, and 2970 switches and are available at Cisco.com:
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section.
These documents provide complete information about the Catalyst 3750 switches:
These documents provide complete information about the Catalyst 3560 switches:
These documents provide complete information about the Catalyst 2970 switches:
For other information about related products, refer to these documents:
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool automatically provides recommended solutions. If your issue is not resolved using the recommended resources, your service request will be assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
http://www.cisco.com/go/marketplace/
http://cisco.com/univercd/cc/td/doc/pcat/
http://www.cisco.com/go/iqmagazine
http://www.cisco.com/en/US/learning/index.html