 Feedback
|
Table Of Contents
Release Notes for the Cisco Catalyst Blade Switch 3030, Cisco IOS Release 12.2(37)SE and Later
Device Manager System Requirements
Finding the Software Version and Feature Set
Upgrading a Switch by Using the Device Manager
Upgrading a Switch by Using the CLI
Recovering from a Software Failure
Caveats Resolved in Cisco IOS Release 12.2(37)SE1
Caveats Resolved in Cisco IOS Release 12.2(37)SE
Web Authentication with Automatic MAC Check
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for the Cisco Catalyst Blade Switch 3030, Cisco IOS Release 12.2(37)SE and Later
Revised: August 8, 2007
Cisco IOS Release 12.2(37)SE runs on the Cisco Catalyst Blade Switch 3030.
Unless otherwise noted, the term switch refers to a standalone switch.
These release notes include important information about Cisco IOS Release 12.2(37)SE and any limitations, restrictions, and caveats that apply to them. Verify that these release notes are correct for your switch:
•
If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.
•
•
For the complete list of Cisco Catalyst Blade Switch 3030 documentation and of Cisco EtherSwitch service module documentation, see the "Related Documentation" section.
You can download the switch software from this site (registered Cisco.com users with a login password):
http://www.cisco.com/public/sw-center/sw-lan.shtml
Contents
This information is in the release notes:
•
•
•
•
•
•
•
•
System Requirements
The system requirements are described in these sections:
•
Hardware Supported
Table 1 lists the hardware supported on Cisco IOS Release 12.2(37)SE.
Table 1 Cisco Catalyst Blade Switch 3030 Supported Hardware
Cisco Catalyst Blade Switch 3030
Ten internal 1000BASE-TX ports, two external 10/100/1000 ports, and four SFP1 module slots
Cisco IOS Release 12.2(25)SEE
SFP modules
1000BASE-T and 1000BASE-SX
Cisco IOS Release 12.2(25)SEE
1 SFP = small form-factor pluggable
Device Manager System Requirements
These sections describes the hardware and software requirements for using the device manager:
•
•
Hardware Requirements
Table 2 lists the minimum hardware requirements for running the device manager.
Table 2 Minimum Hardware Requirements
Intel Pentium II1
64 MB2
256
1024 x 768
Small
1 We recommend Intel Pentium 4.
2 We recommend 256-MB DRAM.
Software Requirements
Table 3 lists the supported operating systems and browsers for using the device manager. The device manager verifies the browser version when starting a session to ensure that the browser is supported.
Note
Table 3 Supported Operating Systems and Browsers
Windows 98
None
5.5 or 6.0
7.1
Windows NT 4.0
Service Pack 6 or later
5.5 or 6.0
7.1
Windows 2000
None
5.5 or 6.0
7.1
Windows XP
None
5.5 or 6.0
7.1
1 Service Pack 1 or higher is required for Internet Explorer 5.5.
Upgrading the Switch Software
These are the procedures for downloading software. Before downloading software, read this section for important information:
•
•
•
•
•
Finding the Software Version and Feature Set
The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line of the display shows the version.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains the Cisco IOS image file and the files needed for the embedded device manager. You must use the combined tar file to upgrade the switch through the device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
Table 4 lists the filenames for this software release.
Archiving Software Images
Before upgrading your switch software, make sure that you have archived copies of the current Cisco IOS release and the Cisco IOS release to which you are upgrading. You should keep these archived images until you have upgraded all devices in the network to the new Cisco IOS image and until you have verified that the new Cisco IOS image works properly in your network.
Cisco routinely removes old Cisco IOS versions from Cisco.com. See Product Bulletin 2863 for more information:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.
HtmlYou can copy the binary software image file (with the .bin suffix) on the flash memory to the appropriate TFTP directory on a host by using the copy flash: tftp: privileged EXEC command.
Note
You can also configure the switch as a TFTP server to copy files from one switch to another without using an external TFTP server by using the tftp-server global configuration command. For more information about the tftp-server command, see the "Basic File Transfer Services Commands" section of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 at this URL:
Upgrading a Switch by Using the Device Manager
You can upgrade switch software by using the device manager. For detailed instructions, click Help.
Note
Upgrading a Switch by Using the CLI
This procedure is for copying the combined tar file to the switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.
To download software, follow these steps:
Step 1
Step 2
http://www.cisco.com/public/sw-center/index.shtml
Click on "Download Software Area," and search for CBS3000 to download the appropriate files:
•
•
Step 3
For more information, see Appendix B in the software configuration guide for this release.
Step 4
Note
See the "Connecting through the DRAC/MC" section of the Cisco Catalyst Blade Switch 3030 Getting Started Guide for instructions on how to connect to the switch by using the DRAC/MC.Step 5
Switch# ping tftp-server-addressFor more information about assigning an IP address and default gateway to the switch, see the software configuration guide for this release.
Step 6
Switch# archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tarThe /overwrite option overwrites the software image in flash memory with the downloaded one.
The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
For //location, specify the IP address of the TFTP server.
For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
This example shows how to download an image from a TFTP server at 198.30.20.19 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://198.30.20.19/cbs30x0-lanbasek9-tar.122-25.SEE.tarYou can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.
Step 7
Switch# dir flash:
Recovering from a Software Failure
For additional recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for this release.
Installation Notes
You can assign IP information to your switch by using these methods:
•
•
•
New Software Features
These are the new software features for this release:
•
•
•
•
•
•
Limitations and Restrictions
You should review this section before you begin working with the switch. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.
This section contains these limitations:
•
•
Cisco IOS Limitations
These limitations apply to the switch:
Configuration
These are the configuration limitations:
•
This problem occurs under these conditions:
–
–
–
The workaround is to reconfigure the static IP address. (CSCea71176 and CSCdz11708)
•
–
–
No workaround is necessary. (CSCed50819)
•
The workaround is to configure the port for 10 Mp/s and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)
•
The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. (CSCee93822)
•
There is no workaround. This is a cosmetic error and does not affect the functionality of the switch. (CSCef59331)
Ethernet
These are the Ethernet limitations:
•
If this happens, uneven traffic distribution happens on EtherChannel ports.
Changing the load balance distribution method or changing the number of ports in the EtherChannel can resolve this problem. Use any of these workarounds to improve EtherChannel load balancing:
–
–
–
–
For example, with load balance configured as dst-ip with 150 distinct incrementing destination IP addresses, and the number of ports in the EtherChannel set to either 2, 4, or 8, load distribution is optimal. (CSCeh81991)
IP
This is the IP limitation:
•
IP Telephony
This is the IP telephony limitation:
After you change the access VLAN on a port that has IEEE 802.1x enabled, the IP phone address is removed. Because learning is restricted on IEEE 802.1x-capable ports, it takes approximately 30 seconds before the address is relearned. No workaround is necessary. (CSCea85312)
Multicasting
These are the multicasting limitations:
•
–
–
There is no workaround. (CSCec20128)
•
The switchport block multicast interface configuration command is only applicable to non-IP multicast traffic.
There is no workaround. (CSCee16865)
QoS
These are the quality of service (QoS) limitations:
•
•
SPAN and RSPAN
This is the SPAN and Remote SPAN (RSPAN) limitation.
Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) packets received from a SPAN source are not sent to the destination interfaces of a local SPAN session.
The workaround is to use the monitor session session_number destination {interface interface-id encapsulation replicate} global configuration command for local SPAN. (CSCed24036)
Trunking
These are the trunking limitations:
•
•
•
VLAN
This is the VLAN limitation:
If the number of VLANs times the number of trunk ports exceeds the recommended limit of 13,000, the switch can fail.
The workaround is to reduce the number of VLANs or trunks. (CSCeb31087)
Device Manager Limitations
When you are prompted to accept the security certificate and you click No, you only see a blank screen, and the device manager does not launch.
The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)
Device Manager Notes
These notes apply to the device manager:
•
From Microsoft Internet Explorer:
1.
2.
3.
4.
5.
•
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
•
If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.
If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch.
Beginning in privileged EXEC mode, follow these steps to configure the HTTP server interface:
•
Open Caveats
This section describes the open caveats with possible unexpected activity in this software release. Unless otherwise noted, these severity 3 Cisco IOS configuration caveats apply to the switch:
•
If traffic is passing through VMPS ports and you perform a shut operation, a dynamic VLAN is not assigned and a VLAN with a null ID appears.
The workaround is to clear the MAC address table. This forces the VMPS server to correctly reassign the VLAN.
•
A QoS service policy with a policy map containing more than 62 policers cannot be added to an interface by using the service-policy interface configuration command.
The workaround is to use policy maps with 62 or fewer policers.
•
The switch might display tracebacks similar to these examples when a large number of IEEE 802.1x supplicants try to repeatedly log in and log out.
Examples:
Jan 3 17:54:32 L3A3 307: Jan 3 18:04:13.459: %SM-4-BADEVENT: Event 'eapReq' is invalid for the current state 'auth_bend_idle': dot1x_auth_bend Fa9
Jan 3 17:54:32 L3A3 308: -Traceback= B37A84 18DAB0 2FF6C0 2FF260 8F2B64 8E912C Jan 3 19:06:13 L3A3 309: Jan 3 19:15:54.720: %SM-4-BADEVENT: Event 'eapReq_no_reAuthMax' is invalid for the current ate 'auth_restart': dot1x_auth Fa4
Jan 3 19:06:13 L3A3 310: -Traceback= B37A84 18DAB0 3046F4 302C80 303228 8F2B64 8E912C Jan 3 20:41:44 L3A3 315: .Jan 3 20:51:26.249: %SM-4-BADEVENT: Event 'eapSuccess' is invalid for the current state 'auth_restart': dot1x_auth Fa9
Jan 3 20:41:44 L3A3 316: -Traceback= B37A84 18DAB0 304648 302C80 303228 8F2B64 8E912C
There is no workaround.
•
When dynamic ARP inspection is configured on a VLAN, and the ARP traffic on a port in the VLAN is within the configured rate limit, the port might go into an error-disabled state.
The workaround is to configure the burst interval to more than 1 second.
•
When dynamic ARP inspection is enabled and IP validation is disabled, the switch drops ARP requests that have a source address of 0.0.0.0.
The workaround is to configure an ARP access control list (ACL) that permits IP packets with a source IP address of 0.0.0.0 (and any MAC) address) and apply the ARP ACL to the desired DAI VLANs.
•
When MAC addresses are learned on an Etherchannel port, the addresses are incorrectly deleted from the MAC address table even when the MAC address table aging timeout value is configured to be longer than the ARP timeout value. This causes intermittent unicast packet flooding in the network.
•
When you configure an IP address on a switch virtual interface (SVI) with DCHP and enable DHCP snooping on the SVI VLAN, the switch SVI cannot obtain an IP address.
The workaround is to not enable DCHP snooping on the SVI VLAN or to use a static IP address for the SVI.
•
During repeated reauthentication of supplicants on an IEEE 802.1x-enabled switch, if the RADIUS server is repeatedly going out of service and then coming back up, the available switch memory might deplete over time, eventually causing the switch to shut down.
There is no work-around, except to ensure that the RADIUS server is stable.
•
If IEEE 802.1x critical authentication is not enabled and the RADIUS authentication server is temporarily unavailable during a reauthentication, when the RADIUS server comes back up, MAC authentication bypass (MAB) does not authenticate a previously authenticated client.
The workaround is to enter the shutdown interface configuration command followed by the no shutdown command on the port connected to the client. An alternative, to prevent the problem from occurring, is to enable critical authentication by entering the dot1x critical {eapol | recovery delay milliseconds} global configuration command.
•
Changing the spanning tree mode from rapid STP to MSTP can cause tracebacks when the virtual port error-disable feature is enabled when the STP mode is changed.
There is no workaround.
•
An address learned as a supplicant that is aged out by port security aging is never relearned by port security under any of these conditions:
–
–
–
The workaround is to use the dot1x timeout interface configuration command instead of the port security aging timer as the reauthentication timer for IEEE 802.
Resolved Caveats
These sections describe the caveats that have been resolved in these releases:
•
•
Caveats Resolved in Cisco IOS Release 12.2(37)SE1
These caveats are resolved in Cisco IOS Release 12.2.(37)SE1:
•
The server side of the Secure Copy (SCP) implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
The Cisco IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS Secure Copy Client feature.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070808-scp.shtml.
•
The SCP (Secure Copy Protocol) support is now correctly included in the image. The show file systems and copy privileged EXEC commands now correctly show scp as an option.
•
The switch no longer drops ARP packets destined to MAC addresses that are close to the MAC address block of the switch.
Caveats Resolved in Cisco IOS Release 12.2(37)SE
These caveats are resolved in Cisco IOS Release 12.2.(37)SE:
•
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
This error message no longer appears during authentication when a method list is used and one of the methods in the method list is removed:
AAA-3-BADMETHODERROR:Cannot process authentication method 218959117•
When you enter the no speed interface configuration command, the Ethernet interface speed now correctly returns to its default setting. This affects interfaces Gigabit Ethernet 0/17 to Gigabit Ethernet 0/20, Gigabit Ethernet 0/23, and Gigabit Ethernet 0/24. This does not affect interfaces Gigabit Ethernet 0/21 and Gigabit Ethernet 0/22.
•
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
–
–
–
–
–
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
Note
•
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker will not be able to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
–
–
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
When dynamic ARP inspection is enabled and IP validation is disabled, the switch no longer drops ARP requests that have a source address of 0.0.0.0.
•
When you configure an IP address on a switch virtual interface (SVI) with DCHP and enable DHCP snooping on the SVI VLAN, the switch SVI now obtains an IP address.
•
When trunk ports are participating in a Flex Link configuration, entering a shutdown or no shutdown interface configuration command on the port no longer causes the switch to reload.
•
Online insertion and removal (OIR) of an SFP module no longer causes error-disabled ports to change to Up or Standby states, resulting in lost data.
•
When IGMP snooping is enabled, multicast traffic no longer is dropped after a port channel interface link flaps.
•
The switch no longer halts when configuring link-state tracking with EtherChannel downstream ports or when booting up a switch already configured with link-state tracking with EtherChannel downstream ports.
Documentation Updates
This section was added to the Configuring IEEE 802.1x chapter of the software configuration guide.
Web Authentication with Automatic MAC Check
You can use web authentication with automatic MAC check to authenticate a client that does not support IEEE 802.1x or web browser functionality. This allows end hosts, such as printers, to automatically authenticate by using the MAC address without any additional required configuration.
Web authentication with automatic MAC check only works in web authentication standalone mode. You cannot use this if web authentication is configured as a fallback to IEEE 802.1x authentication.
The MAC address of the device must be configured in the Access Control Server (ACS) for the automatic MAC check to succeed. The automatic MAC check allows managed devices, such as printers, to skip web authentication.
Note
Related Documentation
These documents provide complete information about the Cisco Catalyst Blade Switch 3030 and are available at Cisco.com:
http://www.cisco.com/en/US/products/ps6748/tsd_products_support_series_home.html
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the URL referenced in the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section.
These documents provide complete information about the Cisco Catalyst Blade Switch 3030:
•
•
•
•
•
•
•
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0704R)
