Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Release Notes, Cisco IOS Release 12.2(35)SE and later
Revised: June 10, 2008

These release notes include important information about this Cisco IOS release for the Cisco Gigabit Ethernet Switch Module (CGESM) for the HP BladeSystem p-Class. This document includes any limitations, restrictions, and caveats that apply to this release.

Note The documentation for the CGESM switch refers to IOS Release 12.2(25)SE.
• “VLAN Interfaces and MAC Addresses” section on page 12
• “Open Caveats” section on page 13
• “Resolved Caveats” section on page 17
• “Updates to Software Configuration Guide” section on page 22
• “Related Documentation” section on page 35
• “Technical support” section on page 35

System Requirements
The system requirements are described in these sections:
• “Device Manager System Requirements” section on page 2
• “Cluster Compatibility” section on page 3

Device Manager
Upgrading the Switch Software

Table 2 Supported Operating Systems and Browsers
Operating System   Minimum Service Pack or Patch   Microsoft Internet Explorer (1)   Netscape Navigator
Windows 2000       None                            5.5 or 6.0                        7.1
Windows XP         None                            5.5 or 6.0                        7.1
1. Service Pack 1 or higher is required for Internet Explorer 5.5.

Cluster Compatibility
You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI).
Deciding Which Files to Use
The upgrade procedures in these release notes describe how to perform the upgrade by using a tar file. This file contains the Cisco IOS image file and the files needed for the embedded device manager. You must use the tar file to upgrade the switch through the device manager. To upgrade the switch through the command-line interface (CLI), use the tar file and the archive download-sw privileged EXEC command.
New Software Feature
For more information about assigning an IP address and default gateway to the switch, refer to the software configuration guide for this release.

Step 9 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by entering this privileged EXEC command:
archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name
Major Features
This release supports web authentication for authenticating a supplicant (client) that does not support IEEE 802.1x functionality. For more information, see the “Documentation Updates” section on page 22.

Minimum Cisco IOS Release for Major Features
Table 3 lists the minimum software release required to support the major features on this switch.
Limitations and Restrictions
• “HSRP” section on page 8
• “IP” section on page 8
• “IP Telephony” section on page 8
• “Multicasting” section on page 9
• “QoS” section on page 9
• “SPAN and RSPAN” section on page 9
• “Trunking” section on page 10
• “VLAN” section on page 10

Configuration
These are the configuration limitations:
• If you run the CLI-based setup program, the IP address that the Dynamic Host Configuration Protocol (DHCP) provides is reflected as a static IP address in the conf
• When connected to some third-party devices that send early preambles, a switch port operating at 100 Mbps full duplex or 100 Mbps half duplex might bounce the line protocol up and down. The problem is observed only when the switch is receiving frames. The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch.
Multicasting
These are the multicasting limitations:
• If the number of multicast routes and Internet Group Management Protocol (IGMP) groups is more than the maximum number specified by the show sdm prefer global configuration command, the traffic received on unknown groups is flooded in the received VLAN even though the show ip igmp snooping multicast-table privileged EXEC command output shows otherwise.
• Egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For remote SPAN packets, the source MAC address should be the MAC address of the egress VLAN, but instead the packet shows the MAC address of the RSPAN VLAN. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used.
Device Manager Notes

Device Manager Limitations and Restrictions
These are the device manager limitations and restrictions:
• You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI.
• When you are prompted to accept the security certificate and you click No, you only see a blank screen, and the device manager does not launch. The workaround is to click Yes when you are prompted to accept the certificate.
VLAN Interfaces and MAC Addresses

        Command               Purpose
Step 3  end                   Return to privileged EXEC mode.
Step 4  show running-config   Verify your entries.

• The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.
By default, VLAN 1 is the interface that connects to the management network. When the switch boots up, the DHCP client (switch) requests an IP address from a DHCP server by using the MAC address of VLAN 1.

Documentation Notes
This section describes documentation notes related to this IOS release.

References to IOS Release Number
These documents refer to Release 12.2(25)SE. The correct release is Release 12.2(25)SE1.
Open Caveats
If the service config command does not find the configuration files, these error messages appear:
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
%Error opening tftp://255.255.255.255/router-confg (Timed out)
%Error opening tftp://255.255.255.255/ciscortr.cfg (Timed out)
These system messages also appear:
00:01:40: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.
• CSCsd78044
When IGMP snooping is enabled and an EtherChannel member interface goes down, the switch might stop forwarding multicast traffic on the EtherChannel. This problem occurs when the EtherChannel interface is a member of a multicast group that is not directly connected (that is, a multicast group that does not have the C flag set in the show ip mroute privileged EXEC command output).
• CSCsg18176
When dynamic ARP inspection is enabled and IP validation is disabled, the switch drops ARP requests that have a source address of 0.0.0.0. The workaround is to configure an ARP access control list (ACL) that permits IP packets with a source IP address of 0.0.0.0 (and any MAC address) and apply the ARP ACL to the desired DAI VLANs.
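The workaround for CSCsg18176, written out as an added configuration example that is not part of the release notes. The ACL name DAI-ALLOW-ZERO-SENDER and VLAN 10 are assumptions; the arp access-list, permit ip host ... mac any, ip arp inspection filter, and show commands are standard Cisco IOS commands. ARP requests with a sender IP of 0.0.0.0 are typically the probes a DHCP client sends to check that its offered address is not already in use, so dropping them can break address assignment on the VLAN; the ACL permits only that case and leaves the rest of DAI's checks in place.

```cisco
! Added example (not from the release notes): permit ARP packets whose sender
! IP address is 0.0.0.0 (any sender MAC) so that DAI does not drop them when IP
! validation is disabled (CSCsg18176). ACL name and VLAN are assumptions.
arp access-list DAI-ALLOW-ZERO-SENDER
 permit ip host 0.0.0.0 mac any
!
! Bind the ARP ACL to each VLAN where DAI is enabled. The static keyword is
! deliberately omitted: packets that do not match the ACL are still validated
! against the DHCP snooping binding table, so the ACL only adds an exception
! and does not replace the binding-table check.
ip arp inspection filter DAI-ALLOW-ZERO-SENDER vlan 10
!
! Verify the ACL and that the VLAN shows the filter as applied.
show arp access-list
show ip arp inspection vlan 10
```

Keep the permit clause as narrow as shown; a broader ARP ACL (for example, permitting any sender IP) would exempt those packets from DAI entirely.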
Resolved Caveats
• rQm 266129
If you power on a switch that does not have a config.txt file (the factory default file) and leave the switch on for a few hours, the switch console appears to be stalled during setup. The workaround is to reload the switch before you continue to configure it.
Resolved Caveats in Cisco IOS Release 12.2(35)SE
These are the resolved caveats in Cisco IOS Release 12.2(35)SE:
• CSCee22376
When an SNMP version 3 user is configured with the encrypted option and password, the switch no longer reloads when the MIB object usmUserAuthKeyChange is set.
• CSCef94061
If you entered the letter i by itself in the port description, the VLAN status column no longer displays only i; this only occurred when you were using Device Manager through Netscape 7.1.
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS.
• CSCsb74648
When a Cisco device is configured for Network Admission Control and the EAP over UDP port number changes from its default value and then changes back with the eou default switch configuration command, the port change now takes effect.
• CSCsc05371
When you configure a MAC address filter by entering the mac-address-table static vlan drop global configuration command, IEEE 802.1X no longer authenticates supplicants using that address.
Note
• Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.
Documentation Updates
• CSCse14774
If a switch is connected to a third-party router through an EtherChannel and the EtherChannel is running in Link Aggregation Control Protocol (LACP) mode, the interfaces in the EtherChannel no longer fail after you enter the switchport trunk native vlan vlan-id interface configuration command to change the native VLAN from VLAN 1 (the default) to a different VLAN ID.
Update to the “Configuring IEEE 802.1x” Chapter
These sections were added to the “Configuring IEEE 802.1x” chapter:

Using Web Authentication
You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. You can configure a port to use only web authentication. You can also configure the port to first try IEEE 802.1x authentication and then to use web authentication if the client does not support IEEE 802.1x authentication.
        Command                                         Purpose
Step 3  aaa authentication login default group radius   Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see Chapter 9, “Configuring Switch-Based Authentication.”
                                                        The console prompts you for a username and password on future attempts to access the switch console after entering the aaa authentication login command.
        Command                          Purpose
Step 3  interface interface-id           Specify the port to be configured, and enter interface configuration mode.
Step 4  switchport mode access           Set the port to access mode.
Step 5  ip access-group access-list in   Specify the default access control list to be applied to network traffic before web authentication.
Step 6  ip admission rule                Apply an IP admission rule to the interface.
Step 7  end                              Return to privileged EXEC mode.
         Command                               Purpose
Step 11  exit                                  Return to privileged EXEC mode.
Step 12  show dot1x interface interface-id     Verify your configuration.
Step 13  copy running-config startup-config    (Optional) Save your entries in the configuration file.

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback method.
dot1x fallback
Use the dot1x fallback interface configuration command on the switch stack or on a standalone switch to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.

dot1x fallback profile
no dot1x fallback

Syntax Description
profile

Defaults
No fallback is enabled.
fallback profile
Use the fallback profile global configuration command on the switch stack or on a standalone switch to create a fallback profile for web authentication. To return to the default setting, use the no form of this command.

fallback profile profile
no fallback profile

Syntax Description
profile

Defaults
No fallback profile is configured.

Command Modes
Global configuration

Command History
Release      Modification
12.2(35)SE   This command was introduced.
Related Commands
Command                              Description
dot1x fallback                       Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
ip admission                         Enable web authentication on a switch port.
ip admission name proxy http         Enable web authentication globally on a switch.
show dot1x [interface interface-id]  Display IEEE 802.1x status for the specified port.
show fallback profile                Display the configured profiles on a switch.
Related Commands
Command                        Description
dot1x fallback                 Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
fallback profile               Enable web authentication on a port.
ip admission name proxy http   Enable web authentication globally on a switch.
show ip admission              Display information about NAC cached entries or the NAC configuration.
This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switchport.
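The two sentences above and at the end of the Step 11 to Step 13 table ("This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback ...") introduce an example that is not reproduced in this extract. The following is an added configuration, written from the commands documented in this section, and is not the release notes' own example. The names WEBAUTH-RULE, WEBAUTH-PROFILE and PRE-WEBAUTH-ACL, the RADIUS server address 192.0.2.10 and its key placeholder, VLAN 10, and interface GigabitEthernet0/1 are assumptions. The aaa new-model, aaa authentication dot1x, aaa authorization auth-proxy, radius-server host, dot1x system-auth-control, dot1x port-control auto, ip http server, and ip access-list extended commands are standard Cisco IOS commands that this extract does not list; the fallback profile, ip admission name ... proxy http, ip access-group ... in, ip admission, dot1x fallback, and show commands are the ones documented above.

```cisco
! Added example (not the release notes' own): IEEE 802.1x on an access port with
! web authentication as the fallback for clients that cannot run 802.1x.
! All names, addresses, the VLAN and the interface are assumptions.
!
! AAA against RADIUS: login (web authentication), 802.1x, and the auth-proxy
! authorization that web authentication relies on. Replace EXAMPLE-SECRET.
aaa new-model
aaa authentication login default group radius
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key EXAMPLE-SECRET
!
! Enable IEEE 802.1x on the switch.
dot1x system-auth-control
!
! The switch serves the web login page itself, so its HTTP server must be on.
! The IP admission rule is what enables web authentication globally.
ip http server
ip admission name WEBAUTH-RULE proxy http
!
! Traffic permitted before web authentication succeeds, kept to the minimum a
! client needs: DHCP to get an address, DNS, and HTTP to reach the login page.
ip access-list extended PRE-WEBAUTH-ACL
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
!
! Fallback profile: the pre-authentication ACL plus the admission rule.
fallback profile WEBAUTH-PROFILE
 ip access-group PRE-WEBAUTH-ACL in
 ip admission WEBAUTH-RULE
!
! Access port: 802.1x is tried first; a client that never answers EAP is then
! offered web authentication through the fallback profile.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x fallback WEBAUTH-PROFILE
!
! Verify the profile, the port state, and the web-authentication configuration.
show fallback profile
show dot1x interface GigabitEthernet0/1
show ip admission configuration
```

The pre-authentication ACL is the part worth reviewing most carefully: everything it permits is reachable by an unauthenticated client, so it should contain only what is needed to obtain an address and reach the login page, and the port should stay in access mode so the fallback cannot be used to reach other VLANs.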
Usage Guidelines
Use the show fallback profile privileged EXEC command to display profiles that are configured on the switch.

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
Error Message DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN [dec] on port [chars] cannot be equivalent to the Voice VLAN.
Explanation The IEEE 802.1x-assigned VLAN on a port cannot be the same as the voice VLAN. [dec] is the data VLAN ID, and [chars] is the port.
Recommended Action Configure either a different voice VLAN or a different IEEE 802.1x-assigned access VLAN on the interface. The authentication then proceeds normally on the next retry.
Error Message PHY-4-UNSUPPORTED_SFP_CARRIER: Unsupported SFP carrier module found in [chars]
Explanation The switch has identified the small form-factor pluggable (SFP) module as an unsupported non-Cisco SFP module. [chars] is the interface.
Recommended Action Remove the unsupported SFP module, and use a supported module.

Error Message PORT_SECURITY-6-ADDR_REMOVED: Address [dec]:[enet] exists on port [chars]. It has been removed from port [chars].
Related Documentation

Error Message PORT_SECURITY-6-VLAN_REMOVED: VLAN [int] is no longer allowed on port [chars]. Its port security configuration has been removed.
Explanation A configured VLAN has been excluded either due to a port-mode change or an allowed VLAN list change and is removed from the configuration. [int] is the VLAN ID, and [chars] is the switch port assigned to the VLAN.
Recommended Action No action is required.
Technical support
• Third-party hardware or software
• Operating system type and revision level

HP contact information
For the name of the nearest HP authorized reseller:
• In the United States, see the HP US service locator webpage (http://www.hp.com/service_locator).
• In other locations, see the Contact HP worldwide (in English) webpage (http://welcome.hp.com/country/us/en/wwcontact.html).