Cisco catalyst 2970 series

Release Notes for the Catalyst 3750, 3560, and 2970 Switches, Cisco IOS Release 12.2(20)SE3

Available Languages

Download Options

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Table of Contents

Release Notes for the Catalyst 3750, 3560, and 2970 Switches, Cisco IOS Release 12.2(20)SE3

Revised November 2004

The Cisco IOS Release 12.2(20)SE3 runs on Catalyst 3750, 3560, and 2970 switches.

The Catalyst 3750 switches support stacking through Cisco StackWise technology. The Catalyst 3560 and 2970 switches do not support switch stacking. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

These release notes include important information about this Cisco IOS release and any limitations, restrictions, and caveats that apply to it. Verify that these release notes are correct for your switch:

• If you are installing a new switch, refer to the Cisco IOS release label on the rear panel of your switch.
• If your switch is on, use the show version privileged EXEC command. See the “Finding the Software Version and Feature Set” section.
• If you are upgrading to a new release, refer to the software upgrade filename for the software version. See the “Deciding Which Files to Use” section.

For the complete list of Catalyst 3750, 3560, and 2970 switch documentation, see the “Related Documentation” section.

You can download the switch software from these sites:

(for registered Cisco.com users with a login password)

(for nonregistered Cisco.com users)

This software release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future software releases become available, they will be posted to Cisco.com (previously Cisco Connection Online [CCO]) in the Cisco IOS software area.

Contents

This information is in the release notes:

System Requirements

The system requirements are described in these sections:

Hardware Supported

Table 1 lists the hardware supported on Cisco IOS Release 12.2SE.

Table 1 Catalyst 3750, 3560, and 2970 Supported Hardware

12 SFP 1 module slots

Cisco IOS Release 12.2(18)SE

24 10/100 Ethernet ports and 2 SFP module slots

Cisco IOS Release 12.2(18)SE

24 10/100/1000 Ethernet ports

Cisco IOS Release 12.2(18)SE

24 10/100/1000 Ethernet ports and 4 SFP module slots

Cisco IOS Release 12.2(18)SE

48 10/100 Ethernet ports and 4 SFP module slots

Cisco IOS Release 12.2(18)SE

24 10/100 PoE 2 ports and 2 SFP module slots

Cisco IOS Release 12.2(18)SE

48 10/100 PoE ports and 4 SFP module slots

Cisco IOS Release 12.2(18)SE

16 10/100/1000 ports and 1 XENPAK 10-Gigabit Ethernet module port

Cisco IOS Release 12.2(18)SE1

24 10/100 PoE ports and 2 SFP module slots

Cisco IOS Release 12.2(18)SE

48 10/100 PoE ports and 4 SFP module slots

Cisco IOS Release 12.2(18)SE

24 10/100/1000 Ethernet ports

Cisco IOS Release 12.2(18)SE

24 10/100/1000 Ethernet ports and 4 SFP module slots

Cisco IOS Release 12.2(18)SE

1000BASE-T, 1000BASE-SX, 1000BASE-LX, 1000BASE-ZX, and CWDM 3

Cisco IOS Release 12.2(18)SE

Cisco IOS Release 12.2(20)SE1

Redundant power systems

Cisco RPS 675 Redundant Power System

Supported on all software releases

1. SFP = small form-factor pluggable

2. PoE = Power over Ethernet

3. CWDM = coarse wavelength-division multiplexer

4. MMF = multimode fiber

Software Compatibility

For hardware requirements, operating system, and browser recommendations for running the Cluster Management Suite (CMS), refer to the “Getting Started with CMS” chapter in the software configuration guide.

Windows

This release uses a CMS plug-in to run CMS. You can download the latest CMS plug-in for Windows from this URL:

Solaris

This release uses a CMS plug-in that replaces the Java plug-in. You can download the latest CMS plug-in for Solaris from this URL:

Cluster Compatibility

This section describes how to choose command and standby command switches when a cluster consists of a mixture of Catalyst switches. When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

• When you create a switch cluster, Cisco recommends configuring the highest-end switch in your cluster as the command switch. Table 2 lists the cluster capabilities and Cisco IOS releases for the switches. The switches are listed from the highest to lowest end.
• If you are managing the cluster through CMS, the switch that has the latest software should be the command switch, unless your command switch is running Cisco IOS Release 12.1(19)EA1 or later.
• The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

Table 2 Switch Software and Cluster Capability

12.1(11)AX or later

Member or command switch

12.1(19)EA1b or later

Member or command switch

12.1(4)EA1 or later

Member or command switch

12.1(11)AX or later

Member or command switch

12.1(12c)EA1 or later

Member or command switch

12.0(5.2)WC(1) or later

Member or command switch

Catalyst 2950 LRE

12.1(11)JY or later

Member or command switch

12.1(13)AY or later

Member or command switch

Catalyst 3500 XL

12.0(5.1)XU or later

Member or command switch

Catalyst 2900 XL (8-MB switches)

12.0(5.1)XU or later

Member or command switch

Catalyst 2900 XL (4-MB switches)

Member switch only 5

Catalyst 1900 and 2820

9.00(-A or -EN) or later

Member switch only

5. Catalyst 2900 XL (4-MB) switches appear in the front-panel and topology views of the CMS. However, CMS does not support the configuration or the monitoring of these switches.

CMS is not forward-compatible on command switches running Cisco Release IOS 12.1(14)EA1 and earlier. This means that if a member switch is running a release that is earlier than the release running on the command switch, the new features are not available on the member switch. If the member switch is a new device running a release that is later than the release on the command switch, the command switch cannot recognize the member switch, and the Front Panel view displays it as an unknown device. You cannot configure any parameters or generate a report through CMS for that member; instead, you must launch the Device Manager application to configure and to obtain reports for that member.

If you have a cluster with switches that are running different versions of Cisco IOS software, features added on the latest release might not be reflected on switches running the older releases. For example, if you start CMS on a Catalyst 2900 XL switch running Cisco IOS Release 11.2(8)SA6, the windows and functionality can be different from a switch running Cisco IOS Release 12.0(5)WC(1) or later.

Some early Cisco IOS releases do not support clustering.

For more information about clustering and CMS, refer to the software configuration guide.

Downloading Software

These are the procedures for downloading software. Before downloading software, read this section for important information:

Finding the Software Version and Feature Set

The Cisco IOS image is stored as a . bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.

Note For Catalyst 3750 and 3560 switches, although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration (standard multilayer image [SMI] or enhanced multilayer image [EMI]) and does not change if you upgrade the software image.

You also can use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Use

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the files needed for CMS. You must use the combined tar file to upgrade the switch through CMS. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.

Table 3 lists the filenames for this software release.

Table 3 Cisco IOS Software Image Files

Catalyst 3750 SMI file and CMS files

Catalyst 3750 EMI file and CMS files

Catalyst 3750 SMI cryptographic file and CMS files

Catalyst 3750 EMI cryptographic file and CMS files

Catalyst 3560 SMI file and CMS files

Catalyst 3560 EMI file and CMS files

Catalyst 3560 SMI cryptographic file and CMS files

Catalyst 3560 EMI cryptographic file and CMS files

Catalyst 2970 image file and CMS files

Catalyst 2970 cryptographic image file and CMS files

Upgrading a Switch by Using CMS

You can upgrade switch software by using CMS. From the feature bar, choose Administration > Software Upgrade. For detailed instructions, click Help.

Note When using HTTP to upgrade member switches, the command switch must be running either Cisco IOS 12.1(20)EA2 or Cisco IOS 12.2(20)SE or later. The cluster members that are upgraded must be running Cisco IOS 12.2(20)SE or later.

Upgrading a Switch by Using the CLI

This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

To download software, follow these steps:

Step 1 Use Table 3 to identify the file that you want to download.

Step 2 Download the software image file.

• If you have a SmartNet support contract, go to this URL, and log in to download the appropriate files:

• If you do not have a SmartNet contract, go to this URL, and follow the instructions to register on Cisco.com and download the appropriate files:

To download the image for a Catalyst 2970 switch, click Catalyst 2970 software. To obtain authorization and to download the cryptographic software files, click Catalyst 2970 3DES Cryptographic Software.

To download the EMI or SMI files for a Catalyst 3560 switch, click Catalyst 3560 software. To obtain authorization and to download the cryptographic software files, click Catalyst 3560 3DES Cryptographic Software.

To download the EMI or SMI files for a Catalyst 3750 switch, click Catalyst 3750 software. To obtain authorization and to download the cryptographic software files, click Catalyst 3750 3DES Cryptographic Software.

Step 3 Copy the image to the appropriate TFTP directory on the workstation, and make sure that the TFTP server is properly configured.

For more information, refer to Appendix B in the software configuration guide for this release.

Step 4 Log into the switch through the console port or a Telnet session.

Step 5 (Optional) Ensure that you have IP connectivity to the TFTP server by entering this privileged EXEC command:

For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.

Step 6 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:

The /overwrite option overwrites the software image in flash memory with the downloaded one.

The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.

For // location, specify the IP address of the TFTP server.

For / directory / image-name .tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.

This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:

You also can download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.

Recovering from a Software Failure

For detailed recovery procedures, refer to the “Troubleshooting” chapter in the software configuration guide for this release.

Installation Notes

You can assign IP information to your switch by using these methods:

• The Express Setup program (refer to the hardware installation guide . )
• The CLI-based setup program (refer to the hardware installation guide.)
• The DHCP-based autoconfiguration (refer to the software configuration guide.)
• Manually assigning an IP address (refer to the software configuration guide.)

Note If you are upgrading a Catalyst 3750 or a 2950 switch running Cisco IOS Release 12.1(11)AX, which uses the 802.1x feature, you must re-enable 802.1x after upgrading the software. For more information, see the “Cisco IOS Notes” section.

Note When upgrading or downgrading from Cisco IOS Release 12.2(18)SE, you might need to reconfigure the switch with the same password that you were using when running 12.2(18)SE. This problem only occurs when changing from Cisco IOS Release 12.2(18)SE to any other release. (CSCed88768)

New Features

These sections describe the supported hardware and the software features provided in this release:

New Hardware Features

For a list of all supported hardware, see the “Hardware Supported” section.

Minimum Cisco IOS Release for Major Features

Table 4 lists the minimum software release required to support the major features of the Catalyst 3750, 3560, and 2970 switches.

Table 4 Catalyst 3750, 3560, and 2970 Switch Features and the Minimum Cisco IOS Release Required

802.1x accounting and MIBs (IEEE8021-PAE-MIB and CISCO-PAE-MIB)

Dynamic ARP inspection (EMI only)

HTTP upgrade (CMS only)

IP source guard (EMI only)

Private VLAN (EMI only)

SFP module diagnostic management interface

Switch stack offline configuration

Stack-ring activity statistics

Limitations and Restrictions

You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

These sections describe the limitations and restrictions:

Cisco IOS Limitations and Restrictions

Unless otherwise noted, these limitations apply to the Catalyst 3750, 3560, and 2970 switches:

Configuration

These are the configuration limitations:

• A static IP address might be removed when the previously acquired DHCP IP address lease expires.

This problem occurs under these conditions:

– When the switch is booted without a configuration (no config.text file in flash memory).

– When the switch is connected to a DHCP server that is configured to give an address to it (the dynamic IP address is assigned to VLAN 1).

– When an IP address is configured on VLAN 1 before the dynamic address lease assigned to VLAN 1 expires.

The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)

• Certain combinations of features and switches create conflicts with the port security feature. In Table 5 , No means that port security cannot be enabled on a port on the referenced switch if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port on a switch at the same time. A dash means not applicable.

Table 5 Port Security Incompatibility with Other Switch Features

SPAN source port

SPAN destination port

Voice VLAN port 10

Private VLAN port

IP source guard

Dynamic ARP 12 inspection

6. DTP = Dynamic Trunking Protocol

7. A port configured with the switchport mode dynamic interface configuration command.

8. A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.

9. The switch must be running the enhanced software image (EI).

10. You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.

11. The switch must be running the enhanced multilayer image (EMI).

12. ARP = Address Resolution Protocol

• (Catalyst 3750 or 3560 switches) When the show interface privileged EXEC is entered on a port that is running 802.1Q, inconsistent statistics from ports running 802.1Q might be reported. The workaround is to upgrade to Cisco IOS Release 12.1(20)EA1. (CSCec35100)
• (Catalyst 3750 or 3560 switches) When you change a port from a nonrouted port to a routed port or the reverse, the applied auto-QoS setting is not changed or updated when you verify it by using the show running interface or show mls qos interface user EXEC commands. These are the workarounds:

1. Disable auto-QoS on the interface.

2. Change the routed port to a nonrouted port or the reverse.

3. Re-enable auto-QoS on the interface. (CSCec44169)

• The DHCP snooping binding database is not written to flash or a remote file in any of these situations:

– (Catalyst 3750 switch) When the Network Time Protocol (NTP) is configured, but the NTP clock is not synchronized. You can check the clock status by entering the show NTP status privileged EXEC command and verifying that the network connection to the NTP server and peer work correctly.

– (Catalyst 3750, 3560, or 2970 switches) The DHCP snooping database file is manually removed from the file system. After enabling the DHCP snooping database by configuring a database URL, a database file is created. If the file is removed manually from the file system, the DHCP snooping database does not create another database file. You need to disable the DHCP snooping database and enable it again to create the database file.

– (Catalyst 3750, 3560, or 2970 switches) The URL for the configured DHCP snooping database was replaced because the original URL is not accessible. The new URL might not take effect after the timeout of the old URL.

No workaround is necessary; these are the designed behaviors. (CSCed50819)

• (Catalyst 3750 or 3560 switches) When dynamic ARP inspection is enabled on a switch or switch stack, ARP and RARP packets greater than 2016 bytes are dropped by the switch or switch stack. This is a hardware limitation.

However, when dynamic ARP inspection is not enabled and jumbo MTU is configured, ARP and RARP packets are correctly bridged in hardware. (CSCed79734)

• When connected to some third-party devices that send early preambles, a Catalyst 3750 switch port operating at 100 Mbps full duplex or 100 Mbps half duplex might bounce the line protocol up and down. The problem is observed only when the Catalyst 3750 switch is receiving frames.

The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed390310)

Ethernet

These are the Ethernet limitations:

• Subnetwork Access Protocol (SNAP) encapsulated IP packets are dropped without an error message being reported at the interface. The switch does not support SNAP-encapsulated IP packets. There is no workaround. (CSCdz89142)
• (Catalyst 3750 or 2970 switches) A Gigabit Ethernet connection between a Serial Gigabit Media Independent Interface SGMII) port (3/4, 7/8, 11/12, 15/16, 19/20, and 23/24) and an Intel Pro/1000T Server Adapter NIC might lose connectivity on the Catalyst 3750G-24T and 3750G-24TS switches. The link activates correctly, but might subsequently stop exchanging data. This is an Intel product defect. The workaround is to use Reduced Gigabit Media Independent Interface (RGMII) ports (1/2, 5/6, 9/10, 13/14, 17/18, and 21/22) instead of SGMII ports. You can also use the speed 1000 interface configuration command to force the speed of the port to 1000 Mbps. (CSCea77032)

Fallback Bridging

These are the fallback bridging limitations:

• (Catalyst 3750 or 3560 switches) If a bridge group contains a VLAN to which a static MAC address is configured, all non-IP traffic in the bridge group with this MAC address destination is sent to all ports in the bridge group. The workaround is to remove the VLAN from the bridge group or to remove the static MAC address from the VLAN. (CSCdw81955)
• (Catalyst 3750 or 3560 switches) Known unicast (secured) addresses are flooded within a bridge group if secure addresses are learned or configured on a port and the VLAN on this port is part of a bridge group. Non-IP traffic destined to the secure addresses is flooded within the bridge group. The workaround is to disable fallback bridging or to disable port security on all ports in all VLANs participating in fallback bridging. To remove an interface from a bridge group and to remove the bridge group, use the no bridge-group bridge-group interface configuration command. To disable port security on all ports in all VLANs participating in fallback bridging, use the no switchport port-security interface configuration command. (CSCdz80499)

This is the Hot Standby Routing Protocol (HSRP) limitation:

When the active switch fails in a switch cluster that uses HSRP redundancy, the new active switch might not contain a full cluster member list. The workaround is to ensure that the ports on the standby cluster members are not in the spanning-tree blocking state. To verify that these ports are not in the blocking state, refer to the “Configuring STP” chapter in the software configuration guide. (CSCec76893)

These are the IP limitations:

• (Catalyst 3750 or 3560 switches) The switch does not create an adjacent table entry when the ARP timeout value is 15 seconds and the ARP request times out. The workaround is to not set an ARP timeout value lower than 120 seconds. (CSCea21674)
• When the rate of received DHCP requests exceeds 2,000 packets per minute for a long time, the response time might be slow when you are using the console. The workaround is to use rate limiting on DHCP traffic to prevent a denial of service attack from occurring. (CSCeb59166)
• Some access point (AP)-350 devices are incorrectly discovered as IEEE 802.3af Class 1 devices. These APs should be discovered as Cisco pre-standard devices. The show power inline user EXEC command shows the AP-350 as an IEEE Class 1 device. The workaround is to power the AP by using an AC wall adaptor. (CSCin69533)

IP Telephony

These are the IP telephony limitations:

• When a Cisco IP Phone is connected to the switch, the port VLAN ID (PVID) and the voice VLAN ID (VVID) both learn its MAC address. However, after dynamic MAC addresses are deleted, only the VVID relearns the phone MAC address. MAC addresses are manually or automatically deleted when a topology change occurs or when port security or an 802.1x feature is enabled or disabled. There is no workaround. (CSCea80105)
• After you change the access VLAN on a port that has 802.1x enabled, the IP Phone address is removed. Because learning is restricted on 802.1x capable ports, it takes approximately 30 seconds before the address is relearned. No workaround is necessary. (CSCea85312)

MAC Addressing

This is the MAC addressing limitation:

(Catalyst 3750 or 3560 switches) When a MAC address is configured for filtering on the internal VLAN of a routed port, incoming packets from the MAC address to the routed port are not dropped. (CSCeb67937)

Multicasting

These are the multicasting limitations:

• (Catalyst 3750 or 3560 switches) The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.
• (Catalyst 3750 or 3560 switches) Nonreverse-path forwarded (RPF) IP multicast traffic to a group that is bridged in a VLAN is leaked onto a trunk port in the VLAN even if the port is not a member of the group in the VLAN, but it is a member of the group in another VLAN. Because unnecessary traffic is sent on the trunk port, it reduces the bandwidth of the port. There is no workaround for this problem because non-RPF traffic is continuous in certain topologies. As long as the trunk port is a member of the group in at least one VLAN, this problem for the non-RPF traffic occurs. (CSCdu25219)
• If the number of multicast routes and Internet Group Management Protocol (IGMP) groups are more than the maximum number specified by the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise. The workaround is to reduce the number of multicast routes and IGMP snooping groups to less than the maximum supported value. (CSCdy09008)
• IGMP filtering is applied to packets that are forwarded through hardware. It is not applied to packets that are forwarded through software. Hence, with multicast routing enabled, the first few packets are sent from a port even when IGMP filtering is set to deny those groups on that port. There is no workaround. (CSCdy82818)
• (Catalyst 3750 or 3560 switches) When you use the ip access-group interface configuration command with a router access control list (ACL) to deny access to a group in a VLAN, multicast data to the group that is received in the VLAN is always flooded in the VLAN, regardless of IGMP group membership in the VLAN. This provides reachability to directly connected clients, if any, in the VLAN. The workaround is to not apply a router ACL set to deny access to a VLAN interface. Apply the security through other means; for example, apply VLAN maps to the VLAN instead of using a router ACL for the group. (CSCdz86110)
• (Catalyst 3750 switch stack) If the stack master is power cycled immediately after the ip mroute global configuration command is entered, there is a slight chance that this configuration change might be lost after the stack master changes. This occurs because the stack master did not have time to propagate the running configuration to all the stack members before it was powered down. This problem might also affect other configuration commands. There is no workaround. (CSCea71255)
• (Catalyst 3750 switches) When IP Protocol-Independent Multicast (PIM) is enabled on a tunnel interface, the switch incorrectly displays the Multicast is not supported on tunnel interfaces error message. IP PIM is not supported on tunnel interfaces. There is no workaround. (CSCeb75366)
• If an IG MP report packet has two multicast group records, the switch removes or adds interfaces depending on the order of the records in the packet:

– If the ALLOW_NEW_SOURCE record is before the BLOCK_OLD_SOURCE record, the switch removes the port from the group.

– If the BLOCK_OLD_SOURCE record is before the ALLOW_NEW_SOURCE record, the switch adds the port to the group.

There is no workaround. (CSCec20128)

• (Catalyst 3750 switches) Although the switchport block multicast interface configuration command appears in the CLI, it is not supported on the Catalyst 3750 switches. There is no workaround. (CSCee16865)

These are the quality of service (QoS) limitations:

• Some switch queues are disabled if the buffer size or threshold level is set too low with the mls qos queue-set output global configuration command. The ratio of buffer size to threshold level should be greater than 10 to avoid disabling the queue. The workaround is to choose compatible buffer sizes and threshold levels. (CSCea76893)
• When auto-QoS is enabled on the switch, priority queuing is not enabled. Instead, the switch uses shaped round robin (SRR) as the queuing mechanism. The auto-QoS feature is designed on each platform based on the feature set and hardware limitations, and the queuing mechanism supported on each platform might be different. There is no workaround. (CSCee22591)

Routing

These are the routing limitations:

• (Catalyst 3750 or 3560 switches) The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.
• (Catalyst 3750 or 3560 switches) A route map that has an ACL with a Differentiated Services Code Point (DSCP) clause cannot be applied to a Layer 3 interface. The switch rejects this configuration and displays a message that the route map is unsupported. There is no workaround. (CSCea52915)
• On a Catalyst 3750 switch stack with a large number of switched virtual interfaces (SVIs), routes, or both on a fully populated nine-member switch stack, this message might appear when you reload the switch stack or add a switch to the stack:

This error message means there is a temporary memory shortage that normally recovers by itself. You can verify that the switch stack has recovered by entering the show cef line user EXEC command and verifying that the line card states are up and sync . No workaround is required because the problem is self-correcting. (CSCea71611)

SPAN and RSPAN

These are the SPAN and Remote SPAN (RSPAN) limitations:

• (Catalyst 3750 or 3560 switches) An egress SPAN copy of routed unicast traffic might show an incorrect destination MAC address on both local and remote SPAN sessions. This limitation does not apply to bridged packets. The workaround for local SPAN is to use the replicate option. For a remote SPAN session, there is no workaround. This is a hardware limitation. (CSCdy72835)
• (Catalyst 3750 or 3560 switches) Egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For remote SPAN packets, the source MAC address should be the MAC address of the egress VLAN, but instead the packet shows the MAC address of the RSPAN VLAN. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used. This limitation does not apply to bridged packets. The workaround is to use the encapsulate replicate keywords in the monitor session global configuration command. Otherwise, there is no workaround. This is a hardware limitation. (CSCdy81521)
• During periods of very high traffic, when two RSPAN source sessions are configured, the VLAN ID of packets in one RSPAN session might overwrite the VLAN ID of the other RSPAN session. If this occurs, packets intended for one RSPAN VLAN are incorrectly sent to the other RSPAN VLAN. This problem does not affect RSPAN destination sessions. The workaround is to configure only one RSPAN source session. (CSCea72326)
• (Catalyst 3750 or 3560 switches) The egress SPAN data rate might degrade when fallback bridging or multicast routing is enabled. The amount of degradation depends on the processor loading. Typically, the switch can egress SPAN up to 40,000 packets per second (64-byte packets). As long as the total traffic being monitored is below this limit, there is no degradation. However, if the traffic being monitored exceeds the limit, only a portion of the source stream is spanned. When this occurs, the following console message appears: Decreased egress SPAN rate . In all cases, normal traffic is not affected; the degradation limits only how much of the original source stream can be egress spanned. If fallback bridging and multicast routing are disabled, egress SPAN is not degraded. There is no workaround. If possible, disable fallback bridging and multicast routing. If possible, use ingress SPAN to observe the same traffic. (CSCeb01216)
• On Catalyst 3750 switches running Cisco IOS Release 12.1(14)EA1 and later and on Catalyst 3560 switches running Cisco IOS release 12.1(19)EA1 or later, some IGMP report and query packets with IP options might not be ingress-spanned. Packets that are susceptible to this problem are IGMP packets containing 4 bytes of IP options (IP header length of 24). An example of such packets would be IGMP reports and queries having the router alert IP option. Ingress-spanning of such packets is not accurate and can vary with the traffic rate. Typically, very few or none of these packets are spanned. There is no workaround. (CSCeb23352)
• Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) packets received from a SPAN source are not sent to the destination interfaces of a local SPAN session. The workaround is to use the monitor session session_number destination< interfaceinterface-id encapsulation replicate> global configuration command for local SPAN. (CSCed24036)
• (Catalyst 3750 switches)

A spanning-tree loop might occur if all of these conditions are true:

– Port security is enabled with the violation mode set to protected.

– The maximum number of secure addresses is less than the number of switches connected to the port.

– There is a physical loop in the network through a switch whose MAC address has not been secured, and its BPDUs cause a secure violation.

The workaround is to change any one of the listed conditions. (CSCed53633)

Stacking (Catalyst 3750 switch stack only)

These are the Catalyst 3750 switch stack limitations:

• If the stack master is immediately reloaded after adding multiple VLANs, the new stack master might fail. The workaround is to wait a few minutes after adding VLANs before reloading the stack master. (CSCea26207)
• If the console speed is changed on a stack, the configuration file is updated, but the baud rate is not. When the switch is reloaded, meaningless characters might appear on the console during bootup before the configuration file is parsed and the console speed is set to the correct value. If manual boot is enabled or the startup configuration is deleted after you change the console speed, you cannot access the console after the switch reboots. There is no workaround. (CSCec36644)
• If a switch is forwarding traffic from a Gigabit ingress interface to a 100 Mbps egress interface, the ingress interface might drop more packets due to oversubscription if the egress interface is on a Fast Ethernet switch (such as a Catalyst 3750-24TS or 3750-48TS switch) than if it is on a Gigabit Ethernet switch (such as a Catalyst 3750G-24T or 3750G-24TS switch). There is no workaround. (CSCed00328)
• If a stack member is removed from a stack and either the configuration is not saved or another switch is added to the stack at the same time, the configuration of the first member switch might be lost. The workaround is to save the stack configuration before removing or replacing any switch in the stack. (CSCed15939)
• When the switchport and no switchport interface configuration commands are entered more than 20,000 times on a port of a Catalyst 3750 switch, all available memory is used, and the switch halts.

There is no workaround. (CSCed54150)

• In a private-VLAN domain, only the default private-VLAN IP gateways have sticky ARP enabled. The intermediate Layer 2 switches that have private VLAN enabled disable sticky ARP. When a stack master switch-over occurs on one of the Catalyst 3750 default IP gateways, the message IP-3-STCKYARPOVR appears on the consoles of other default IP gateways. Because sticky ARP is not disabled, the MAC address update caused by the stack master switch-over cannot complete.

The workaround is to complete the MAC address update by entering the clear arp privileged EXEC command. (CSCed62409)

• When a Catalyst 3750 switch is being reloaded in a switch stack, packet loss might occur for up to 1 minute while the Cisco Express Forwarding (CEF) table is downloaded to the switch. This only impacts traffic that will be routed through the switch that is being reloaded. There is no workaround. (CSCed70894)
• Inconsistent private-VLAN configuration can occur on a switch stack if a new stack master is running the SMI and the old stack master was running the EMI.

Private VLAN is enabled or disabled on a switch stack, depending on whether or not the stack master is running the EMI or the SMI:

– If the stack master is running the EMI, all stack members have private VLAN enabled.

– If the stack master is running SMI, all stack members have private VLAN disabled.

This occurs after a master-switchover (MSO) when the previous stack master was running the EMI and the new stack master is running the SMI. The stack members are configured with private VLAN, but any new switch that joins the stack will have private VLAN disabled.

These are the workarounds. Only one of these is necessary:

– Reload the stack after an EMI to SMI MSO (or the reverse).

– Before an EMI-to-SMI MSO, delete the private-VLAN configuration from the existing stack master. (CSCee06802)

• Port configuration information is lost when changing from switchport to no switchport modes on Catalyst 3750 switches.

This is the expected behavior of the offline configuration (provisioning) feature. There is no workaround. (CSCee12431)

Trunking

These are the trunking limitations:

• The switch treats frames received with mixed encapsulation (802.1Q and Inter-Switch Link [ISL]) as frames with FCS errors, increments the error counters, and causes the LED to blink amber. This happens when an ISL-unaware device receives an ISL-encapsulated packet and forwards the frame to an 802.1Q trunk interface. There is no workaround. (CSCdz33708)
• IP traffic with IP options set is sometimes leaked on a trunk port. For example, a trunk port is a member of an IP multicast group in VLAN X but is not a member in VLAN Y. If VLAN Y is the output interface for the multicast route entry assigned to the multicast group and an interface in VLAN Y belongs to the same multicast group, the IP-option traffic received on an input VLAN interface other than one in VLAN Y is sent on the trunk port in VLAN Y because the trunk port is forwarding in VLAN Y, even though the port has no group membership in VLAN Y. There is no workaround. (CSCdz42909).
• If a Catalyst 3750 switch stack is connected to a designated bridge and the root port of the switch stack is on a different switch than the alternate root port, changing the port priority of the designated ports on the designated bridge has no effect on the root port selection for the Catalyst 3750 switch stack. There is no workaround. (CSCea40988)
• For trunk ports or access ports configured with 802.1Q tagging, inconsistent statistics might appear in the show interfaces counters privileged EXEC command output. Valid 802.1Q frames of 64 to 66 bytes are correctly forwarded even though the port LED blinks amber, and the frames are not counted on the interface statistics. There is no workaround. (CSCec35100).

This is the VLAN limitation:

If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail. The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)

Cluster Limitations and Restrictions

These limitations apply to the Catalyst 3750, 3560, and 2970 switches:

• When there is a transition from the cluster active command switch to the standby command switch, Catalyst 1900, 2820, and 2900 4-MB switches that are cluster members might lose their cluster configuration. You must manually add these switches back to the cluster.
  (CSCds32517 and CSCds55711)
• When a Catalyst 2900 XL or 3500 XL cluster command switch is connected to a Catalyst 3550 or to a 3750 switch, the command switch does not find any cluster candidates beyond the Catalyst 3550 or the 3750 switch if it is not a member of the cluster. You must add the Catalyst 3550 or the 3750 switch to the cluster. You can then see any cluster candidates connected to it. (CSCdt09918)
• If both the active command switch and the standby command switch fail at the same time, the cluster is not automatically recreated. Even if there is a third passive command switch, it might not recreate all cluster members because it might not have all the latest cluster configuration information. You must manually recreate the cluster if both the active and standby command switches simultaneously fail. (CSCdt43501)

CMS Limitations and Restrictions

These limitations apply to the Catalyst 3750, 3560, and 2970 switches:

• The device manager Launch button does not work for Catalyst 1900 and 2820 switches. The workaround is to launch device manager for these devices outside of CMS by opening a new browser and manually entering the URL for the switch. (CSCee15761)
• CMS performance degrades if the Topology View is open for several hours on a Solaris machine. The cause might be a memory leak.The workaround is to close the browser, reopen it, and launch CMS again. (CSCds29230)
• If you are printing a Topology View or Front Panel View that contains many devices and are running Solaris 2.6 with JDK1.2.2, you might get an Out of Memory error message. The workaround is to close the browser, re-open it, and launch CMS again. Before you perform any other task, open the view that you want to print, and click Print in the CMS menu. (CSCds80920)
• A red border appears around the text-entering area of some CMS dialogs. The color of the border changes to green when text is entered. This is only a cosmetic error. The colored border does not prevent you from entering text. (CSCdv82352)
• You cannot switch modes (for example, from Guide Mode to Expert Mode) for an open CMS window. The workaround is to close the open window, select the mode that you want, and then reopen the CMS window. For the mode change to take effect on any other CMS window that is open, you need to close that window and then reopen it after you select the new mode. (CSCdw87550)
• If you open a window in which you can enter text, open another window, and return to the first window, right-clicking in the text field might make the cursor in this field disappear. You can still enter text in the field. (CSCdy44189)
• CMS fails when a switch is running the cryptographic software image and the vty lines have been configured to use only SSH using the transport input ssh and line vty 0 15 global configuration commands. The workaround is to allow SSH and Telnet access through the vty lines by using the transport input ssh telnet and line vty 0 15 global configuration command. (CSCdz01037)
• When you add a new member with a username and password that is different from the existing cluster member usernames and passwords, CMS produces an exception error because of an authentication failure. The workaround is to add the new member without any username and password. When the new member is added to the cluster, remove the existing username and password from the Username and Password fields, enter a new username and password, and then apply it to all cluster members. (CSCdz07957)
• When the Link Graphs application has run for hours displaying packet drop and error information, sometimes the X-axis crosses the Y-axis at a negative y value instead of at y = 0. This condition occurs with all supported operating systems, browsers, and Java plug-ins. There is no workaround. (CSCdz32584)
• After you click Apply or Refresh in the Simple Network Management Protocol (SNMP) window, the window size changes. (CSCdz75666, CSCdz84255)
• When you enable log scaling for Link Graphs, the Y-axis scale becomes illegible. There is no workaround. (CSCdz81086)
• The CMS window does not return to full size after resizing the browser when you are using Netscape version 6.xx on Solaris and Linux. This is a Netscape browser problem. There is no workaround. (CSCea01179)
• CMS sometimes halts after you click Apply when using Netscape 4.7 on the Japanese version of Windows 98 or Windows ME. The workaround is to use Microsoft Internet Explorer or Netscape 6.0 or later. (CSCea27408)
• Changing the password or current authentication while CMS is running causes HTTP requests to fail. The workaround is to close all browser sessions and then relaunch CMS. (CSCeb33995)
• The CMS plug-in is not supported in Netscape 4.7x. The workaround is to use a supported browser, such as Netscape 7.1 or Internet Explorer 5.5 or 6.0. (CSCed21655)
• When TACACS authentication is only enabled on a command switch, member switches cannot be configured. The workaround is to enable TACACS authentication on the member switches. (CSCed27723)
• If an ACL is deleted from a device, all QoS classes that use this ACL for traffic classification become unusable (only on Catalyst 2970 and 3750 switches). The modification of these classes to use any other traffic classification (match statement) fails. The workaround is to delete the QoS class that uses the undefined ACL and then recreate it with the intended traffic classification (match statement). (CSCed40866)
• When an Open Shortest Path First (OSPF) summary address is added for a 10.x.x.x network, a Windows exception error sometimes occurs.

The workaround is to add the address by using the router ospf

• The Telnet link on the TOOLS page (select TOOLS from the switch home page) does not work on Solaris systems.

There is no workaround. (CSCee11710)

• A Java exception error occurs when CMS is in read-only mode and you launch the Port Settings dialog. This only occurs on Catalyst 2900 XL, 3500 XL, and 2950 LRE switches.

The workaround is to open the Port Settings dialog with CMS in read-write mode. (CSCee25870)

• Host names and Domain Name System (DNS) server names that contain commas on a cluster command switch, member switch, or candidate switch can cause CMS to behave unexpectedly. You can avoid this instability in the interface by not using commas in host names or DNS names. Do not enter commas when also entering multiple DNS names in the IP Configuration tab of the IP Management window in CMS.
• Access control entries (ACEs) that contain the host keyword precede all other ACEs in standard ACLs. You can reposition the ACEs in a standard ACL with one restriction: No ACE with the any keyword or a wildcard mask can precede an ACE with the host keyword.

Important Notes

These sections describe the important notes related to this software release for the Catalyst 3750, 3560, and 2970 switches:

Switch Stack Notes

These notes apply to switch stacks:

• Always power off a switch before adding or removing it from a switch stack.
• The Catalyst 3560 and 2970 switches do not support switch stacking. However, the show processes privileged EXEC command still lists stack-related processes. This occurs because these switches share common code with other switches that do support stacking.

Cisco IOS Notes

These notes apply to Cisco IOS software:

• The 802.1x feature in Cisco IOS Release 12.1(14)EA1 and later is not fully backward-compatible with the same feature in Cisco IOS Release 12.1(11)AX. If you are upgrading a Catalyst 3750 or a 2970 switch running Cisco IOS Release 12.1(11)AX that has 802.1x configured, you must re-enable 802.1x after the upgrade by using the dot1x system-auth-control global configuration command. This global command does not exist in Cisco IOS Release 12.1(11)AX. Failure to re-enable 802.1x weakens security because some hosts can then access the network without authentication.
• The behavior of the no logging on global configuration command changed in Cisco IOS Release 12.2(18)SE and later. In Cisco IOS Release 12.1(19)EA and earlier, both of these command pairs disabled logging to the console:

– the no logging on and then the no logging console global configuration commands

– the logging on and then the no logging console global configuration commands

In Cisco IOS Release 12.2(18)SE and later, you can only use the logging on and then the no logging console global configuration commands to disable logging to the console. (CSCec71490)

CMS Notes

These notes apply to CMS configuration:

• If you use CMS on Windows 2000, it might not apply configuration changes if the enable password is changed from the CLI during your CMS session. You have to restart CMS and enter the new password when prompted. Platforms other than Windows 2000 prompt you for the new enable password when it is changed.
• CMS does not display QoS classes that are created through the CLI if these classes have multiple match statements. When using CMS, you cannot create classes that match more than one match statement. CMS does not display policies that have such classes.
• If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www. cisco.com :84), you must enter http:// as the URL prefix. Otherwise, you cannot launch CMS.
• Within an ACL, you can change the sequence of ACEs that have the host keyword. However, because such ACEs are independent of each other, the change has no effect on the way the ACL filters traffic.
• If you have a proxy server configured on your web browser, CMS can run slowly and take 2 to 3 minutes to process each command that is entered.
• If you use the Netscape browser to view the CMS GUI and you resize the browser window while CMS is initializing, CMS does not resize to fit the window.

The workaround is to resize the browser window again when CMS is not busy.

• In the Front Panel view or Topology view, CMS does not display error messages in read-only mode for these switches:

– Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier

– Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier

– Catalyst 3550 member switches running Cisco IOS Release 12.1(6)EA1 or earlier

In the Front Panel view, if the switch is running one of the software releases listed previously, the device LEDs do not appear. In Topology view, if the member is an LRE switch, the CPE devices that are connected to the switch do not appear. The Bandwidth and Link graphs also do not appear in these views.

Open Caveats

These sections describe the open caveats with possible unexpected activity in this software release:

Open Cisco IOS Caveats

Unless otherwise noted, these severity 3 Cisco IOS configuration caveats apply to the Catalyst 3750, 3560, and 2970 switches:

When both 802.1x and port security are enabled on a voice VLAN port, dynamic secure addresses might not be cleared when the port changes from multihosts mode to single-host mode under these conditions:

– The port is in the authorized state.

– Multiple hosts were learned on the port before the mode change.

– VLAN assignment is not enabled for the authorized host.

MAC addresses that were learned before mode change (when the port was in multihosts mode) are still allowed, even though the port is now in single-host mode.

The workaround is to disable and re-enable port security on the port.

• CSCeb42949 (Catalyst 3750 switches)

A Catalyst 3750 switch does not work with the User Registration Tool (URT). The PC attempting to connect to the network can log in successfully, but it is not allowed to pass traffic after the port is moved to the user VLAN. The MAC address for that device shows BLOCKED.

There is no workaround.

• CSCec68807 (Catalyst 3750 switches)

Memory allocation (malloc) and remote-procedure call (RPC) throttle messages sometimes appear when a large number of access control lists (ACLs) are pasted to the console window.

The workaround is to save the configuration and reload the switch stack.

• CSCec88895 (Catalyst 3750 switches)

There is a discrepancy between the output of the show controllers ethernet-controller tengigabitethernet1/0/1 and the show interfaces tengigabitethernet1/0/1 privileged EXEC commands on a 10-Gigabit Ethernet interface.

The workaround for 10-Gigabit Ethernet interfaces is to use the show interface privileged EXEC command for the byte count and the number of pause frames received. Use the show controllers ethernet-controller privileged EXEC command for the frame count and the FCS and CRC error-frame count.

• CSCed12889 (Catalyst 3750 switches)

When redundant uplinks are from the same stack member in a switch stack and UplinkFast is configured, dummy multicast packets are not sent.

The workaround is to not have redundant uplinks from the same stack member. Provide uplink connectivity from ports across the switch stack rather than from one switch in the stack.

• CSCed65309 (Catalyst 3750 or 3560 switches)

Some invalid ARP packets are not dropped on dynamic ARP inspection-enabled VLANs. Dynamic ARP inspection does not verify that certain ARP fields are valid and does not drop ARP packets with invalid values for those fields. The fields are hardware size, protocol size, and operation type. These packets also are not dropped by the switch on nondynamic ARP-enabled VLANs.

There is no workaround.

• CSCed65410 (Catalyst 3750 or 3560 switches)

If dynamic ARP inspection is enabled on an internal VLAN used by a routed port, ARP traffic on the routed port is affected by the dynamic ARP inspection processing. For example, ARP packets will be rate-limited.

The workaround is to not enable dynamic ARP inspection on internal VLANs.

• CSCed74349 (Catalyst 3750 switches)

An EtherChannel is not properly error-disabled if these conditions are true:

– The channel is carrying a VLAN that is enabled for dynamic ARP inspection.

– The channel is configured with a rate limit for dynamic ARP inspection.

– At least one of the ports in the channel is on a stack member.

– ARP packets are received on a port in the channel on a stack member at a higher rate than the configured rate limit for the channel.

Under these circumstances, a system message states that the rate limit was exceeded on the channel, but the channel will not be error-disabled.

The workaround is to use physical ports on the stack master for any EtherChannel that carries dynamic ARP inspection VLANs and has rate limits.

If the VTP password is configured but the VTP domain name is not configured and if the switch reloads twice, the switch does not retain the VLAN information.

Use of these workarounds:

– Delete the vlan.dat file, which deletes the VTP password.

– Delete the VTP password by using the no vtp password global configuration command.

– Assign a VTP domain name.

• CSCed91730 (Catalyst 3750 switches)

When a secondary VLAN is associated and then quickly disassociated, sometimes the MAC address tables across the switch stack become unsynchronized. This is a rare condition that happens when Port Fast is enabled on the host ports and traffic is continuously received on that port.

The workaround is to clear the MAC address table by using the clear mac address-table dynamic privileged EXEC command.

• CSCed94657 (Catalyst 3750 or 3560 switches)

If a secondary VLAN that was mapped to a promiscuous port is disassociated from the primary VLAN, the LED on the port turns from green to amber. This also occurs if the secondary VLAN is deleted.

The workaround is to remove the secondary VLAN from the mapping of the promiscuous port.

• CSCed95822 (Catalyst 3750 switches)

Dynamic ARP inspection log entries might be lost after a switch failure. Any log entries that are still in the log buffer (have not been output as a system message) on a switch that fails will be lost.

When you enter the show ip arp inspection log privileged EXEC command, the log entries from all switches in the stack are moved to the switch on which the command was entered.

There is no workaround.

• CSCee07107 (Catalyst 3750 switches)

ARP and reverse ARP (RARP) packets are not properly filtered by a configured VLAN map. If you enable a VLAN for dynamic ARP inspection and a VLAN map is applied to the VLAN, ARP and RARP packets received in that VLAN on stack member ports that should be dropped by the VLAN map are not dropped.

There is no workaround.

Configuring multiple ports to a static address in a private VLAN is not supported in this release. If you add more than one port to a static address in a private VLAN, the traffic destined to that static address from a host (secondary VLAN) port to promiscuous port might be dropped.

The workaround is to not configure multiple ports to a static address in a private VLAN. You can use the shutdown and no shutdown interface configuration commands on a promiscuous port to resume the flow of traffic.

• CSCee11197 (Catalyst 3750 switches)

You can only enter values ranging from 1 to 1023 when configuring the VLAN for an access port from SNMP by using the vlanPortVlan object of the CISCO-STACK-MIB.

These are the workarounds:

– Use the interface vlan global configuration command to configure the VLAN for the access port.

– From SNMP, use the vmVlan object of the CISCO-VLAN-MEMBERSHIP-MIB.

You can use both of these workarounds to enter a value ranging from 1 to 4095.

• CSCee14018 (Catalyst 3750 or 3560 switches)

Port ACLs are not applied to IGMP control packets with IP options.

There is no workaround.

• CSCee14293 (Catalyst 3750 or 3560 switches)

After a multicast group exceeds the maximum number that a private VLAN can support, the required ternary content addressable memory (TCAM) entries cannot present for the last group, and the forwarding behavior for that multicast group is incorrect.

For a private VLAN multicast group, each group needs 3 TCAM entries (one SFT entry and 2 LFT entries) when IP multicast routing is enabled on the private VLAN primary VLAN. (For a regular VLAN, only 1 SFT TCAM entry is required, and approximately1000 groups can be supported. For the private VLAN group, only one third of the regular groups can be supported.

There is no workaround.

• CSCee14673 (Catalyst 3750 switches)

A Catalyst 3750 switch running Cisco IOS Release 12.1(19)EA1a might continuously show this message:

There is no workaround.

When an SNMP version 3 user is configured with the encrypted option and password, the switch reloads when the MIB object usmUserAuthKeyChange is set.

The workaround is to configure a user without the encrypted option. (For example, snmp-server user username groupname v3 auth md5 password.)

If you try to add an aggregate policer to a policy map, this message appears:

and the aggregate policer is not added.

The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.

If you modify a policer, this message appears:

If you then attempt to remove an aggregate policer, the removal of the policy map fails, and this message appears:

The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.

When you add an aggregate policer to a policy-map class, the aggregate policer is also added to another policy class within the same policy.

The workaround is to delete the policy map by using the no policy-map policy-map-name global configuration command, recreate it with the desired configuration, and then re-attach it to the interfaces by using the service-policy input policy-map-name interface configuration command.

• CSCee41566 (Catalyst 3750 switches)

Auto-upgrade fails under either of these conditions:

– The stack is running a cryptographic image and a version-mismatch member switch that is running a non-cryptographic image of the same type (both are EMI or SMI) joins the stack, or the reverse.

– If the stack is running a Cisco IOS 12.1 crypto image and a member switch running a Cisco IOS 12.2 crypto image of the same type joins the stack, or the reverse.

In both cases, the newly added member switch remains in the version mismatch state, and you must manually upgrade the member switch to run a compatible Cisco IOS image.

The workaround is to remove the 3750 member switch from the switch stack and to load a cryptographic image on the switch before adding it to the stack.

• CSCee53804 (Catalyst 3750 or 3560 switches)

When enabled, DHCP snooping does not work with secondary VLANs of a private VLAN. DHCP discover messages from the private-VLAN hosts are not broadcast, and private-VLAN hosts cannot communicate with the DHCP server.

There is no workaround.

• CSCee75231 (Catalyst 3750-G12S switches)

You cannot use the Mode button to detect the presence of a switch stack member if a small form-factor (SFP) module is not in the module slot for that port on the member.

The workaround is to insert an SFP module into the port.

• CSCee75389 (Catalyst 3750 switches)

When you reload a stack master, the SFP module slots are unable to establish a link after the old stack master comes up as a member switch.

The workaround is to manually configure the port by entering the no speed nonegotiate, shut, and no shut interface configuration commands.

• CSCee88546 (Catalyst 3750 switches)

After a stack master fail-over, any per-user access control lists (ACLs) applied on authenticated 802.1x ports might appear twice when you enter the show ip access-list privileged EXEC command.

This occurs when the authenticated port is on a member switch that becomes the stack master during fail-over. The duplicate display does not affect the functional behavior of the ACL.

There is no workaround.

• CSCee89040 (Catalyst 3750 switches)

When a local network link comes up, a MAC address that is defined in the static ARP table does not install the adjacency table immediately, causing a temporary Cisco Express Forwarding (CEF) drop. The maximum installation delay is about 60 seconds.

There is no workaround.

• CSCin68965 (Catalyst 3750 or 3560 switches)

When two ports of a Cisco IP Phone are connected to a switch and the higher voice VLAN ID (VVID) is configured on the switch port to which port P3 of the Cisco IP Phone is connected, the phone displays configuring IP and halts.

These are the workarounds. Only one of these is necessary:

– Configure the higher VVID on port P1 of the Cisco IP phone.

– Connect only one port of the Cisco IP Phone to the switch.

Open CMS Caveats

Unless otherwise noted, these severity 3 CMS caveats apply to the Catalyst 3750, 3560, and 2970 switches:

When a Catalyst 3750 stack member leaves or joins the switch stack, the entire stack disappears from the Topology View. Only the stack member that has left the stack should disappear from the Topology view.

There is no workaround.

When you click Refresh in the Stack Settings dialog, the latest information for the switch cluster does not appear.

The workaround is to close and then to reopen the Stack Settings dialog.

Resolved Caveats

These are the caveats that have been resolved.

Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE3

Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:

• CSCef35924 (Catalyst 3750 and 3560)

The switch no longer experiences memory leak during the IP Routing Information Base (RIB) update process.

• CSCef37743 (Catalyst 3750 and 3560)

A switch no longer reloads if it generates a large number of proxy ARP entries.

• CSCef78081 (Catalyst 3750 and 3560)

If a connected device sends a SNAP Address Resolution Protocol (ARP) request to a switch, communication no longer stops between the devices.

The switch no longer reloads when you disable the 802.1x feature by using the no dot1x system-auth-control global configuration command on the master switch.

A switch configured for 802.1x accounting no longer reloads after losing connectivity to the RADIUS server.

During 802.1x machine authentication, the switch no longer prompts the supplicant to authenticate twice.

• CSCef97610 (Catalyst 3750 and 3560)

If an interface on a switch is configured with the no switchport interface configuration command, you can now use SNMP with the MIB object ipNetToMediaTable to create an ARP table for the interface information.

• CSCea90941 (Catalyst 3750 and 3560)

The Enhanced Interior Gateway Routing Protocol (EIGRP) Stub Routing feature is no longer missing from the switch configuration when it is restarted.

High CPU utilization no longer occurs on a switch when the logging synchronous global configuration command is configured for line con 0.

When a switch is configured for 802.1x authentication and a large number of authentication requests are received in a short period of time, new devices can now authenticate.

The switch now sends EAPOL-Id-Request frames to supplicants after the 802.1x state machine moves to the DISCONNECTING state.

• CSCef27245 (Catalyst 3750 and 3560)

If a switch stack is load balanced through two trunk uplinks, and one of the uplinks goes down, the packets are no longer forwarded to the wrong VLAN upon recovery of the failed uplink.

Incomplete ARP entries are no longer created when a switch receives an ARP request and sends a reply by using proxy ARP.

A switch no longer sends out an EAP success frame before assigning a corresponding VLAN on a port.

An 802.1x client no longer fails to authenticate on a switch when State(24) Field values change from Challenge to Request.

A switch configured for 802.1x authentication no longer fails to authenticate supplicants because no AAA process slots are available.

Cisco IOS® devices running branches of Cisco IOS version 12.2S that have Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of service where the input queue becomes blocked when receiving specifically crafted DHCP packets. Cisco is providing free fixed software to address this issue. There are also workarounds to mitigate this vulnerability. This issue was introduced by the fix included in CSCdx46180 and is being tracked by Cisco Bug ID CSCee50294.

This advisory is available at

Cisco IOS Caveat Resolved in Cisco IOS Release 12.2(20)SE2

This caveat was resolved in this release:

This error message no longer appears, and the switch no longer and loops indefinitely after you upgrade and then reload a Catalyst 3750 switch:

Note There is no code change in Cisco IOS Release 12.2(20)SE2. The SMI cryptographic images on CCO for Cisco IOS Release 12.2(20)SE1 were corrupt. If you have downloaded a corrupted image and are seeing this error message, refer to the “Recovering from Corrupted Software By Using the Xmodem Protocol” section of the software configuration guide at this URL:

Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE1

Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:

Catalyst switches running Cisco IOS Release 12.1(14)EA1 through 12.1(19)EA1d or Cisco IOS Release 12.2(18)SE through 12.2(20)SE now correctly link up with media converters running at 100 Mbps.

• CSCed46277 (Catalyst 3750 switches)

After the stack master fails and another is elected, switch ports on the new stack master no longer lose the hardware configuration of 802.1x per-user access control lists (ACLs).

• CSCed63521 (Catalyst 3750 switches)

A Catalyst 3750 stack member switch now reliably downloads CEF tables from the stack master.

• CSCee11587 (Catalyst 3750 switches)

These CISCO-STACK-MIB objects now return the correct values:

– vlanPortSwitchLevel

– vlanPortIslAdminStatus

– vlanPortIslOperStatus

– vlanPortAdminStatus

• CSCee89456 (Catalyst 3750-PWR and 3560 switches)

Power is no longer applied to a port after a Power over Ethernet (PoE) switch powered device, such as a Cisco IP Phone, is removed from that port. In previous releases, power was sometimes still applied to the port even after the device was removed. This could have damaged a non-PoE switch-powered device when it was later connected to that port.

Cisco CMS Caveats Resolved in Cisco IOS Release 12.2(20)SE1

Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:

When you open the Port Settings dialog for a Power-over-Ethernet (PoE) switch that is a member of a switch stack and the stack master is not a PoE switch, a Java exception error no longer occurs.

When a switch cluster has only one member switch and that member switch is down, CMS now displays the Remove From Cluster option.

Cisco IOS Caveats Resolved in Cisco IOS Release 12.2(20)SE

Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:

• CSCdz30046 (Catalyst 3560 switches)

When multicast VLAN registration (MVR) groups are added or deleted, the receiver port that joined the groups after the addition no longer receives traffic after the group is deleted. MVR data traffic to the group is no longer sent to the receiver port immediately after the no mvr group ip-address global configuration command is entered.

When both the sharing and shaping weights are enabled, the receiving rates now follow the shared bandwidth weight if the priority queue is enabled on the egress queue.

• CSCec07637 (Catalyst 3560 switches)

When an ACL that denies packets is configured on an ingress or egress interface, the CPU usage is no longer as high as 70 percent when these packets are forwarded to the CPU to determine if an ICMP-unreachable packet should be generated.

• CSCec11048 (Catalyst 3560 switches)

When a configured secure MAC address exists on an interface, you can now change it to a sticky MAC address. Alternatively, if a sticky MAC address exists on an interface, you can now change it to a secure MAC address.

• CSCec12147 (Catalyst 3560 switches)

When the CISCO-STP-EXTENSIONS-MIB is polled, unknown indexes are no longer returned for some MIB objects.

• CSCec16481 (Catalyst 3750 or 3560 switches)

A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.

The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.

Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:

• CSCec21040 (Catalyst 3560 switches)

When an 802.1x-enabled port is authenticated with a RADIUS-assigned VLAN, if the port is shut down or the link is removed, a traceback message no longer appears.

• CSCec21320 (Catalyst 3560 switches)

After a link is up, a switch sends three Extensible Authentication Protocol (EAP) Request/Identity messages to the client. There is a 30-second gap between messages. However, PCs that are running Windows XP or Windows 2000 drop the first message so that the second message that the client receives appears to be the first, which is at least 30 seconds after the link is up. Therefore, a user does not see a password window until at least 30 seconds after the link is up.

• CSCec22431 (Catalyst 3560 switches)

Telnet and ping traffic is no longer disrupted during SNMP polling of the VlanTrunkPortTable table in the CISCO-VTP-MIB.

• CSCec22572 (Catalyst 3560 switches)

When per-user access control lists (ACLs) are downloaded from a RADIUS server after successful 802.1x authentication, disabling 802.1x now removes the attached per-user ACLs from the interface.

• CSCec27421 (Catalyst 3560 switches)

If QoS is enabled and the trust state is not configured on an ingress interface, now only the mapping of the class of service (CoS) value of 0 to the ingress or egress queues takes effect when you enter the mls qos srr-queue input cos-map or the mls qos srr-queue output cos-map global configuration command. Other CoS values DSCP values to queue mapping have no effect on traffic from that interface.

• CSCec29970 (Catalyst 3560 switches)

If you change the input priority queue for queue 2 by using the mls qos srr-queue input priority-queue 2 bandwidth global configuration command, the configurations that are generated no longer contain an extra input keyword such as mls qos srr-queue input priority-queue input 2 bandwidth. In previous releases, the extra keyword caused an error message if the command was saved and the switch was reloaded.

• CSCec31436 (Catalyst 3560 switches)

When there are many configured secure and sticky MAC addresses on a port, addresses are no longer dropped and removed from the configuration when the switch restarts.

• CSCec32453 (Catalyst 3560 switches)

When you configure a unicast MAC address filter that matches a Windows XP 802.1x client MAC address, the Windows XP 802.1x client now no longer repeatedly tries to re-authenticate itself.

• CSCec35148 (Catalyst 3560 switches)

Processor memory no longer leaks if you change the policy-based routing (PBR) configuration.

• CSCec89120 (Catalyst 3750 or 3560 switches)

The command switch now discovers candidates more than one CDP hop beyond its routed port.

When the kerberos clients mandatory global configuration command is entered on a switch and the switch is connected to a host that does not support Kerberos through a Telnet session, the switch no longer halts when the you press the Enter key.

• CSCed18488 (Catalyst 3750 or 3560 switches)

When (*,G) and (S,G) entries are created in a multicast routing table on a remote port by Protocol-Independent Multicast-Sparse Mode (PIM-SM) registering, the RPF leak flag is now set for hardware entry for the group.

• CSCed30095 (Catalyst 3750 switches)

A topology change on a member switch no longer causes fast-aging of the dynamically learned addresses. In previous releases, this occurred in per-VLAN spanning-tree (PVST) mode when a topology change notification (TCN BPDU) was generated and propagated from a member switch but was not sent from the root port on the master.

• CSCed33792 (Catalyst 3750 switches)

Members of a switch stack no longer fail after the debug all privileged EXEC command is entered.

• CSCed34921 (Catalyst 3750 switches)

Changing the LACP system-priority, either locally or on the neighbor switch, no longer creates assert failure and traceback error messages for the ports in the EtherChannel if there is a Layer-3 (routed port) Link Aggregation Control Protocol (LACP) EtherChannel on the s tack master,

• CSCed54175 (Catalyst 3750 or 3560 switches)

The switch now accepts duplicate remark statements in named ACLs.

• CSCee02006 (Catalyst 3750 switches)

A Catalyst 3750 stack member switch no longer reloads or displays a message similar to this:

A MAC address is now correctly learned on a secure port, ages out, and is then learned on another secure port on a different stack member switch.

Cisco CMS Caveats Resolved in Cisco IOS Release 12.2(20)SE

Unless otherwise noted, these caveats were resolved in this release for the Catalyst 3750, 3560, and 2970 switches:

When you open the Port Settings dialog for a Power-over-Ethernet (PoE) switch that is a member of a switch stack and the stack master is not a PoE switch, a Java exception error no longer occurs.

When a switch cluster has only one member switch and that member switch is down, CMS now displays the Remove From Cluster option.

Documentation Updates

These are the updates to the product documentation:

Documentation Updates for Cisco IOS Release 12.2(20)SE1

These updates were added for Cisco IOS Release 12.2(20)SE1:

Addition to the Catalyst 3750 and 3560 Switch Software Configuration Guides

This section was added to the “Troubleshooting Power over Switch Ethernet Switch Ports” section of the Catalyst 3750 and 3560 “Troubleshooting” chapters.

Disabled Port Caused by False Link Up

If a Power over Ethernet (PoE) switch powered device, such as a Cisco IP Phone, is connected to a port and you configure the port by using the power inline never interface configuration command, a false link up can place the port into an error-disabled state. To take the port out of the error-disabled state, enter the shutdown and no shutdown i nterface configuration commands.

You should not connect a PoE-powered device to a port on a PoE switch if that port has been configured with the power inline never command.

Revisions to the Catalyst 3750, 3560, and 2970 Switch Command References

These commands were revised for the Catalyst 3750, 3560, and 2970 switch command references:

• You can now configure the duplex setting when the speed is set to auto. In previous releases, you could not configure the duplex setting when an interface was configured to autonegotiate.
• You can now specify the speed at which a port autonegotiates.

This example shows how to set a port to autonegotiate at only 10 Mbps:

This example shows how to set a port to autonegotiate at only 10 or 100 Mbps:

• When you configure a port by using the power inline auto interface configuration command, the port autonegotiates by using the configured speed and duplex settings. This is necessary to determine the power requirements of the connected device (whether or not it is a powered device). After the power requirements have been determined, the switch hardcodes the interface by using the configured speed and duplex settings without resetting the interface.
• When you configure a port by using the power inline never command, the port reverts to the configured speed and duplex settings.

If a port has a device that is powered by a PoE switch connected to it, you should not use the power inline never command to configure the port. A false link up can occur on the port and place it into an error-disabled state.

In releases earlier than Cisco IOS Release 12.2(20)SE1, power was sometimes still applied to a PoE switch port even after a PoE-powered device was removed. This could cause damage to a non-PoE-powered device when it was later connected to that port. Make sure that your switch is running Cisco IOS Release 12.2(20)SE1 or later.

• You can use the show interfaces transceiver properties privileged EXEC command to show the speed, duplex, and inline power status PoE switches for an interface.

This is an example of output from the show interfaces transceiver properties command. If you do not specify an interface, the output of the command shows the status on all switch ports:

Источник