Cisco announces Cisco® IOS® Software updates for Cisco Catalyst® 3750-E, 3750, 3560-E, 3560, and 2960 Series Switches, Cisco Industrial Ethernet 3000 Series Switches, Cisco Catalyst Blade Switch 3000 and 3100 Series. This release introduces Cisco EnergyWise technology, and adds several enhancements in the areas of identity-based networking services and ease of use with Auto Smartports.
This product bulletin contains content and delivery information for Cisco IOS Software Release 12.2(50)SE.
New Features
The following new features for enterprise switches are available with this Cisco IOS Software release:
• Cisco EnergyWise: The inclusion of Cisco EnergyWise technology in this release enables companywide optimization of greenhouse gas (GhG) emissions by measuring, reporting, and reducing energy consumption across the entire corporate infrastructure.
• Identity-based networking: This release continues to enhance Cisco Identity-based Networking Services (IBNS) with several primary innovations to simplify configurations that support heterogeneous endpoint device environments. The release also includes innovations to transparently integrate with existing network and Internet Protocol Telephony (IPT) infrastructure and to provide IT administrators comprehensive policy enforcement options. These enhancements are covered in detail in the "Security and Identity Enhancements" section.
• Auto Smartports: This release extends Smartports to allow dynamic switch port provisioning. The switch uses Cisco Discovery Protocol to determine the type of the device connected to the switch and automatically provisions the port based on the predefined macros. The switch integrates with RADIUS for device authentication and applies the macro based on the RADIUS-assigned tag.
• Wired location services: This enhancement enables switch port tracking of hosts or users connected to switches. As part of the location service, the switch integrates with Cisco wireless Mobility Services Engine, which can be used for host/user lookup in determining the switch connectivity for troubleshooting purposes.
• Cisco Catalyst 3750 Series with Cisco StackWise® enhancements for troubleshooting: This release provides a new command-line interface (CLI) for StackWise statistics and counters to aid in troubleshooting.
• LLDP-MED integration for class of service/differentiated services code point (CoS/DSCP): The switch signals CoS/DSCP settings to a connected IP telephone using Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) so that the IP telephone can use the values for communication.
• Link Layer Discovery Protocol (LLDP) MIB: This release provides manageability for LLDP including local and remote MIBs.
• Secure copy (SCP) support for Configuration Copy Management Information Base (Config-Copy-MIB): This feature provides secure configuration copy capability.
• IP Source Guard (IPSG) and Dynamic Address Resolution Protocol (ARP) Inspection (DAI) support for Cisco Catalyst 2960 Series Switches with LAN Base software: This release introduces IPSG and DAI capabilities for Layer 2 security.
• Cisco Catalyst 2960 Series authentication-failed VLAN: This feature is now also available in the LAN Lite package. Previously it was available only in the LAN Base package.
• Cisco Configuration Engine support: Catalyst switches can be managed from Cisco Configuration Engine for zero-touch deployment.
• IS-ISv4: This release introduces Integrated Intermediate System-to-Intermediate System (IS-IS) routing protocol for IPv4 networks.
• RADIUS Server load balancing: This release allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group.
• Cisco Entity Sensor MIB: This release adds manageability for Digital Optical Monitoring (DOM)-capable modules.
• Support for 64 EtherChannel ports: This release increases EtherChannel scaling to 64 per switch. Available only on Cisco Catalyst 3100 Series blade switches.
• Resilient Ethernet Protocol (REP) for the Cisco Industrial Ethernet (IE) 3000 Series: This protocol provides fast convergence for Layer 2 ring topologies.
• IPv6 packaging changes: Cisco has announced the end of life for Advanced IP Services (AIS). Functionality previously available in AIS has been migrated to IP Services or IP Base as documented in Table 1.
Table 1. Feature Migration for Catalyst 3k Advanced IP Services
| Feature | Current IPv6 Features before EOL | Location of IPv6 after EOL |
| --- | --- | --- |
| EIGRPv6, OSPFv3 | Advanced IP Services | IP Services |
| ACL | Advanced IP Services | IP Base |
| HSRPv6 | Advanced IP Services | IP Base |
| DHCP Server/Client/Relay | Advanced IP Services | IP Base |
| RIPng | Advanced IP Services | IP Base |
| Static Routes | Advanced IP Services | IP Base |
Security and Identity Enhancements
The following security and identity enhancements are included in this release.
Flexible Authentication Sequencing
Flexible authentication sequencing (Figure 1) provides a flexible fallback mechanism among IEEE 802.1X, MAC authentication bypass (MAB), and web authentication methods. It also allows switch administrators to control the sequence of the authentication methods. This simplifies identity configuration by providing a single set of configuration commands to handle different types of endpoints connecting to the switch ports. In addition, it allows users to configure any authentication method on a standalone basis. For example, MAB can be configured without requiring IEEE 802.1X configuration.
Figure 1. Flexible Authentication
IEEE 802.1X with Open Access
This feature allows users to have limited network access, such as the Intel Preboot Execution Environment (PXE) boot server, prior to IEEE 802.1X authentication. The limited access is controlled by an access control list (ACL) that is defined by the switch administrator and applied on the switch port.
IEEE 802.1X, MAB, and Web Authentication with Downloadable ACL
This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X, MAC authentication bypass, or web authentication.
Cisco Discovery Protocol Enhancement for Second Port Disconnect
For IP telephony environments, Cisco Discovery Protocol is enhanced to add a new Type-Length-Value (TLV) for the IP phone to indicate when a PC disconnects from the IP phone. Upon receiving this notification, the switch can clear the security record for the PC.
IEEE 802.1X with Multiple Authentication
Multiple authentication (multiauth) allows more than one host to authenticate on an IEEE 802.1X enabled switch port. With multiauth, each host must authenticate individually before it can gain access to the network resources. Multiauth is limited to eight hosts per port on Catalyst 3000 and 2000 Series Switches.
Centralized Web Authentication
This feature allows the switch to redirect users using HTTP URL redirection to a central web authentication server or a guest access server for authentication before accessing the network resources.
Common Session ID
IEEE 802.1X and MAB use a session ID for all 802.1X and MAB authenticated sessions. The session ID is used for all reporting purposes such as show commands, MIBs, and RADIUS messages. The ID allows users to distinguish messages for one session from messages for other sessions.
Conditional Logging
To simplify troubleshooting, IEEE 802.1X and MAB provide a capability to filter debug messages for a range of interfaces.
802.1X Switch Supplicant with Network Edge Access Topology (NEAT)
NEAT extends identity to areas outside the wiring closet (such as conference rooms) through the following:
• 802.1X switch supplicant: A switch with an 802.1X supplicant authenticates with the upstream switch for secure connectivity, protecting the network against rogue switches. The switch supplicant also supports authentication over trunk ports.
• Host authorization: NEAT also ensures that only traffic from authorized hosts (connecting to the switch with the supplicant) is allowed on the network, mitigating man-in-the-middle attacks.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs.
Authentication Framework Manager and MAC Authentication MIBs
These features make it possible to manage the identity enhancements described earlier.
Table 2 describes product support for new features of Cisco IOS Software Release 12.2(50)SE for Cisco Catalyst 3750, 3750-E, 3560 and 3560-E Series Switches.
Table 2. New Features in Cisco IOS Software Release 12.2(50)SE for Cisco Catalyst 3750, 3750-E, 3560 and 3560-E Series Switches
| Feature | 3750 and 3750-E IP Base Feature Set | 3750 and 3750-E IP Services Feature Set | 3560 and 3560-E IP Base Feature Set | 3560 and 3560-E IP Services Feature Set |
| --- | --- | --- | --- | --- |
| EnergyWise | Yes | Yes | Yes | Yes |
| Flexible authentication | Yes | Yes | Yes | Yes |
| 802.1X switch supplicant | Yes | Yes | Yes | Yes |
| 802.1X over trunk port (between switch supplicant and authenticator) | Yes | Yes | Yes | Yes |
| 802.1X with open access | Yes | Yes | Yes | Yes |
| 802.1X, MAB, and web authentication with downloadable ACL | Yes | Yes | Yes | Yes |
| Cisco Discovery Protocol enhancement for second port disconnect | Yes | Yes | Yes | Yes |
| 802.1X with multiauth | Yes | Yes | Yes | Yes |
| Centralized web authentication | Yes | Yes | Yes | Yes |
| Common session ID | Yes | Yes | Yes | Yes |
| Conditional logging | Yes | Yes | Yes | Yes |
| Authentication Framework Manager and MAC authentication MIBs | Yes | Yes | Yes | Yes |
| Auto Smartports | Yes | Yes | Yes | Yes |
| Wired location services | Yes | Yes | Yes | Yes |
| StackWise enhancements for troubleshooting | Yes | Yes | No | No |
| LLDP-MED integration for CoS/DSCP | Yes | Yes | Yes | Yes |
| Secure copy support for Config-Copy MIB | Yes | Yes | Yes | Yes |
| Configuration Engine support | Yes | Yes | Yes | Yes |
| IS-ISv4 | No | Yes | No | Yes |
| IPv6 packaging changes | Yes | Yes | Yes | Yes |
| RADIUS server load balancing | Yes | Yes | Yes | Yes |
| LLDP MIB | Yes | Yes | Yes | Yes |
| X2 ZR | Yes | Yes | Yes | Yes |
| Cisco Entity Sensor MIB | Yes | Yes | Yes | Yes |
| EEM 2.4 | No | Yes | No | Yes |
Table 3 describes product support for new features of Cisco IOS Software Release 12.2(50)SE for Cisco Catalyst 2960, Cisco Industrial Ethernet Switches, and Cisco Catalyst Blade Switch Series.
Table 3. New Features in Cisco IOS Software Release 12.2(50)SE for Cisco Catalyst 2960, Cisco Industrial Ethernet Switches, and Cisco Catalyst Blade Switch Series
| Feature | 2960 Series LAN Base Feature Set | 2960 Series LAN Lite Feature Set | Industrial Ethernet 3000 Series | Catalyst Blade Switch 3000 Series | CBS 3100 Series IP Base Feature Set | CBS 3100 Series IP Services Feature Set |
| --- | --- | --- | --- | --- | --- | --- |
| EnergyWise | Yes | No | Yes | Yes | Yes | Yes |
| Flexible authentication | Yes | No | Yes | Yes | Yes | Yes |
| 802.1X switch supplicant | Yes | No | Yes | Yes | Yes | Yes |
| 802.1X over trunk port (between switch supplicant and authenticator) | Yes | No | Yes | Yes | Yes | Yes |
| 802.1X with open access | Yes | No | Yes | Yes | Yes | Yes |
| 802.1X, MAB, and web authentication with downloadable ACL | Yes | No | Yes | Yes | Yes | Yes |
| Cisco Discovery Protocol enhancement for second port disconnect | Yes | No | Yes | Yes | Yes | Yes |
| 802.1X with multiauth | Yes | No | Yes | Yes | Yes | Yes |
| Centralized web authentication | Yes | No | Yes | Yes | Yes | Yes |
| Common session ID | Yes | No | Yes | Yes | Yes | Yes |
| Conditional logging | Yes | No | Yes | Yes | Yes | Yes |
| Authentication Framework Manager and MAC authentication MIBs | Yes | No | Yes | Yes | Yes | Yes |
| Auto Smartports | Yes | No | Yes | Yes | Yes | Yes |
| Wired location services | Yes | No | Yes | Yes | Yes | Yes |
| IPSG and DAI | Yes | No | Yes | Existing support | Existing support | Existing support |
| Authentication Fail VLAN | Existing support | Yes | Yes | Existing support | Existing support | Existing support |
| StackWise enhancements for troubleshooting | No | No | No | No | Yes | Yes |
| LLDP-MED integration for CoS/DSCP | Yes | No | Yes | Yes | Yes | Yes |
| Secure copy support for Config-Copy MIB | Yes | Yes | Yes | Yes | Yes | Yes |
| Configuration Engine support | Yes | Yes | Yes | Yes | Yes | Yes |
| IS-ISv4 | No | No | No | No | No | Yes |
| IPv6 packaging changes | No | No | No | Yes | Yes | Yes |
| RADIUS server load balancing | Yes | No | Yes | Yes | Yes | Yes |
| LLDP MIB | Yes | Yes | Yes | Yes | Yes | Yes |
| X2 ZR support | No | No | No | No | No | No |
| Cisco Entity Sensor MIB | No | No | No | No | No | No |
| EEM 2.4 | No | No | No | No | No | Yes |
| 64 EtherChannel support | No | No | No | No | Yes | Yes |
| REP | No | No | Yes | No | No | No |
Table 4 lists the part numbers for the switches supported by Cisco IOS Software Release 12.2(50)SE.
Table 4. Part Numbers for Cisco Catalyst Switches Software Licenses Supported by Cisco IOS Software Release 12.2(50)SE
Cisco Catalyst 3750-E and 3560-E Series License Part Numbers
• 3750E-LIC=
• 3750E-IPSLCB-QTY
• 3750E48-IPSLCB-QTY
• 3560E-LIC=
• 3560E-IPSLCB-QTY
Cisco Catalyst 3750-E Series IP Services Part Numbers
• 3750E-24TD-E
• 3750E-24PD-E
• 3750E-48TD-E
• 3750E-48PD-E
• 3750E-48PD-EF
Cisco Catalyst 3750-E Series IP Base Part Numbers
• 3750E-24TD-S
• 3750E-24PD-S
• 3750E-48TD-S
• 3750E-48PD-S
• 3750E-48PD-SF
Cisco Catalyst 3560-E Series IP Services Part Numbers
• 3560E-24TD-E
• 3750E-24PD-E
• 3560E-48TD-E
• 3560E-48PD-E
• 3560E-48PD-EF
• WS-C3560E-12D-E
• WS-C3560E-12SD-E
Cisco Catalyst 3750 and 3560 Series License CD Part Numbers
• CD-3750-EMI=
• CD-3750G-EMI=
• CD-3750G-48EMI=
• CD-3560-EMI=
• CD-3560G-EMI=
• CD-3750V2-EMI=
• CD-3560V2-EMI=
Cisco Catalyst 3750 Series IP Services Part Numbers
• 3750-48TS-E
• 3750-24TS-E
• 3750G-24T-E
• 3750G-48TS-E
• 3750G-24TS-E
• 3750G-12S-E
• 3750G-16TD-E
• 3750-48PS-E
• 3750-24PS-E
• 3750G-24TS-1U-E
• 3750G-24PS-E
• 3750G-48PS-E
• 3750V2-48TS-E
• 3750V2-24TS-E
• 3750V2-48PS-E
• 3750V2-24PS-E
Cisco Catalyst 3750 Series IP Base Part Numbers
• 3750-48TS-S
• 3750-24TS-S
• 3750G-24T-S
• 3750-24FS-S
• 3750G-48TS-S
• 3750G-24TS-S
• 3750G-12S-S
• 3750G-16TD-S
• 3750-48PS-S
• 3750-24PS-S
• 3750G-24TS-1U-S
• 3750G-24PS-S
• 3750G-48PS-S
• 3750G-24WS-S50
• 3750G-24WS-S25
• 3750V2-48TS-S
• 3750V2-24TS-S
• 3750V2-48PS-S
• 3750V2-24PS-S
Cisco Catalyst 3560 Series IP Services Part Numbers
• 3560-24TS-E
• 3560-48TS-E
• 3560-48PS-E
• 3560-24PS-E
• 3560G-48PS-E
• 3560G-24PS-E
• 3560G-48TS-E
• 3560G-24TS-E
• 3560V2-24TS-E
• 3560V2-48TS-E
• 3560V2-24PS-E
• 3560V2-48PS-E
Cisco Catalyst 2960 Series Part Numbers
• 2960PD-8TT-L
• 2960-8TC-L
• 2960-24TT-L
• 2960-24TC-L
• 2960-24PC-L
• 2960-24LT-L
• 2960-48TT-L
• 2960-48TC-L
• 2960-48PST-L
• 2960G-8TC-L
• 2960G-24TC-L
• 2960G-48TC-L
• 2960-24-S
• 2960-24TC-S
• 2960-48TC-S
• C2960-48TT-S
• C2960-8TC-S
Cisco Catalyst Blade Switches Part Numbers
• WS-CBS3130X-S
• WS-CBS3130X-S-F
• WS-CBS3130G-S
• WS-CBS3130G-S-F
• WS-CBS3110X-S
• WS-CBS3110X-S-I
• WS-CBS3110G-S
• WS-CBS3110G-S-I
• 3110-IPS-LIC
• 3110-IPS-IBM
• WS-CBS3120G-S
• WS-CBS3120X-S
• 3120-IPS-LIC
• WS-CBS3032-DEL
• WS-CBS3032-DEL-F
• WS-CBS3020-HPQ
• WS-CBS3012-IBM
• WS-CBS3012-IBM-I
• WS-CBS3125G-S
• WS-CBS3125X-S
• WS-CBS3120G-S
• WS-CBS3120X-S
Additional Resources
Software Download
Software is available for download from the following sites:
You must purchase the EMI/IP Services software upgrade kit when upgrading a switch from SMI/IP Base to EMI/IP Services software. Downloads of SMI/IP Base, EMI/IP Services files are monitored for adherence to this requirement. The Cisco Catalyst 3750-E and 3560-E Series Switches support the new Cisco IOS Software licensing infrastructure, which authorizes and enables the use of the two existing Cisco IOS Software feature sets. A special file contained in the switch's flash memory, called a license file, is examined by Cisco IOS Software when the switch is powered on. Based on the license's type, Cisco IOS Software enables the appropriate Cisco IOS Software feature set.
Because of export restrictions on strong cryptography software, a separate image is required for the cryptographic features (Secure Shell [SSH] Protocol, Simple Network Management Protocol [SNMP] v3, and Kerberos Protocol). These software images can be downloaded from the corresponding Triple Data Encryption Standard (3DES) area of the links provided in this section. Note that the Cisco Advanced IP Services license is available only in cryptographic format.
Product Information
Additional product information is available at the following sites:
Figure 2 displays Cisco IOS Software Release 12.2(46)SE functions relative to the 12.2S and 12.2SE releases and identifies the recommended migration path.