Release Notes for Catalyst 2960-X and 2960-XR Switches, Cisco IOS Release 15.2(7)Ex

Switch Models

Optics Modules

The Catalyst 2960-X switches support a wide range of optics. Because the list of supported optics is updated on a regular basis, consult the tables at this URL for the latest SFP+ and SFP module compatibility information:

http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Cisco Network Assistant Compatibility

For Cisco IOS Release 15.2(7)E, Cisco Network Assistant support is available on release version 5.8.9 and later.

You can download Cisco Network Assistant from this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/NetworkAssistant

For more information about Cisco Network Assistant, see the Release Notes for Cisco Network Assistant on Cisco.com.

Finding the Software Version and Feature Set

The Cisco IOS image is stored as a bin file in a directory that is named with the Cisco IOS release number. The files necessary for web management are contained in a subdirectory. The image is stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch.

Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.

You can also use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Software Image

If you have a service support contract and order a software license or if you order a switch, you receive the universal software image and a specific software license.

Guidelines for Upgrade

Before you upgrade to Cisco IOS Release 15.2(7)E3, ensure the following:

• Remove the tacacs-server command configurations using the no form of the command.
• Configure the TACACS Server using the new tacacs server command.
• If the TACACS group server is configured using the server-private CLI, unconfigure the private server and configure a public server using the server name name command.

Web UI

If the Web UI does not load or work properly after the software upgrade, perform the following steps:

Step 1 Specify the authentication method for HTTP server users as local.

Device(config)# ip http authentication local

Step 2 Configure the username and password with privilege 15.

Device(config)# username user privilege 15 password password

Step 3 Clear the browser cache and relaunch the Web UI.

Step 4 Login by entering the privilege 15 username and password.

Ease of Operations

• Cisco Catalyst Smart Operations is a comprehensive set of features that simplify LAN deployment, configuration, and troubleshooting. Catalyst Smart Operations enable zero touch installation and replacement of switches and fast upgrade, as well as ease of troubleshooting with reduced operational cost. Catalyst Smart Operations is a set of features that includes Auto Smartports, Smart Configuration, and Smart Troubleshooting to enhance operational excellence:

– Cisco Auto Smartports provide automatic configuration as devices connect to the switch port, allowing auto detection and plug and play of the device onto the network.

– Cisco Smart Configuration provides a single point of management for a group of switches and in addition adds the ability to archive and back up configuration files to a file server or switch allowing seamless zero touch switch replacement.

– Cisco Smart Troubleshooting is an extensive array of debug diagnostic commands and system health checks within the switch, including Generic Online Diagnostics (GOLD) and Onboard Failure Logging (OBFL).

• Flexible NetFlow enables monitoring, capturing, and recording of network traffic for further analysis. Flexible NetFlow support is available with Cisco ONE for Access or DNA Essentials license on Catalyst 2960-X and 2960-XR Series Switches.
• Cisco Prime Infrastructure is a set of tools that enables you to automate much of the management of your Cisco network. It is supported with device pack1 (2.1) 4.

Network Security

The Cisco Catalyst 2960-X Series Switches provide a range of security features to limit access to the network and mitigate threats.

• In Cisco IOS Release 15.2(7)E3 and later releases, SSH is enabled by default to connect to networks, and Telnet is disabled by default.
• Port security secures the access to an access or trunk port based on MAC address. It limits the number of learned MAC addresses to deny MAC address flooding.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings.
• Dynamic ARP inspection (DAI) to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
• Flexible authentication that supports multiple authentication mechanisms including 802.1X, MAC Authentication Bypass and web authentication using a single, consistent configuration.
• Open mode that creates a user friendly environment for 802.1X operations.
• Comprehensive RADIUS Change of Authorization capability for asynchronous policy management.
• Unicast Reverse Path Forwarding (RPF) feature helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.
• Cisco security VLAN ACLs on all VLANs prevent unauthorized data flows from being bridged within VLANs.
• Cisco standard and extended IP security router ACLs define security policies on routed interfaces for control-plane and data-plane traffic. IPv6 ACLs can be applied to filter IPv6 traffic.
• Port-based ACLs for Layer 2 interfaces allow security policies to be applied on individual switch ports.
• Secure Shell (SSH) Protocol, Kerberos, and Simple Network Management Protocol Version 3.
• (SNMPv3) provide network security by encrypting administrator traffic during Telnet and SNMP sessions. SSH Protocol, Kerberos, and the cryptographic version of SNMPv3 require a special cryptographic software image because of U.S. export restrictions.
• Bidirectional data support on the Switched Port Analyzer (SPAN) port allows Cisco Intrusion Detection.
• System (IDS) to take action when an intruder is detected.
• TACACS+ and RADIUS authentication facilitates centralized control of the switch and restricts unauthorized users from altering the configuration.
• MAC address notification allows administrators to be notified of users added to or removed from the network.
• Multilevel security on console access prevents unauthorized users from altering the switch configuration.
• Bridge protocol data unit (BPDU) Guard shuts down Spanning Tree PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops.
• Spanning Tree Root Guard (STRG) prevents edge devices not in the network administrator's control from becoming Spanning Tree Protocol root nodes.
• IGMP filtering provides multicast authentication by filtering out non-subscribers and limits the number of concurrent multicast streams available per port.
• TrustSec uses the Security Group Tag Exchange Protocol (SXP) tags to enable network segmentation through identity-based security groups.
• 802.1x monitor mode allows companies to enable authentication across the wired infrastructure in an audit mode without affecting wired users or devices. It helps IT administrators smoothly manage 802.1x transitions by allowing access and logging system messages when a device requires reconfiguration or is missing an 802.1x supplicant.

Deployment and Control Features

• FlexStack-Plus technology creates a resilient single unified system (a stack) of up to eight switches in a homogeneous stack and up to four switches in a mixed stack. With a stack bandwidth of up to 80 Gbps, the stack functions as a single switching unit that is managed by the active switch. If the active switch fails, a new active switch is elected, keeping the stack operational. The new active switch is elected based on factors such as stack member priority value or lowest MAC address.
• Dynamic Host Configuration Protocol (DHCP) Auto-configuration of multiple switches through a boot server eases switch deployment.
• Automatic QoS (AutoQoS) simplifies QoS configuration in voice over IP (VoIP) networks by issuing interface and global switch commands to detect Cisco IP phones, classify traffic, and help enable egress queue configuration.
• Auto-negotiation on all ports automatically selects half- or full-duplex transmission mode to optimize bandwidth.
• Dynamic Trunking Protocol (DTP) facilitates dynamic trunk configuration across all switch ports.
• Port Aggregation Protocol (PAgP) automates the creation of Cisco Fast EtherChannel groups and Gigabit groups.
• EtherChannel groups to link to another switch, router, or server. The LAN Base image supports up to 24 EtherChannels. In a mixed stack, up to six EtherChannels are supported. The IP Lite image supports up to 48 EtherChannels.
• Link Aggregation Control Protocol (LACP) allows the creation of Ethernet channeling with devices that conform to IEEE 802.3ad.
• Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD allow unidirectional links caused by incorrect fiber-optic wiring or port faults to be detected and disabled on fiber-optic interfaces.
• Switching Database Manager (SDM) templates allow the administrator to automatically optimize the TCAM memory allocation to the desired features based on deployment-specific requirements.
• Local Proxy Address Resolution Protocol (ARP) works in conjunction with Private VLAN Edge to minimize broadcasts and maximize available bandwidth.
• Internet Group Management Protocol (IGMP) v1, v2, v3 Snooping for IPv4. MLD v1 and v2 Snooping provide fast client joins and leaves of multicast streams and limit bandwidth-intensive video traffic to only the requestors.
• Voice VLAN simplifies telephony installations by keeping voice traffic on a separate VLAN for easier administration and troubleshooting.
• Remote Switch Port Analyzer (RSPAN) allows administrators to remotely monitor ports in a Layer 2 switch network from any other switch in the same network.
• The Embedded Remote Monitoring (RMON) software agent supports four RMON groups (history, statistics, alarms, and events) for enhanced traffic management, monitoring, and analysis.
• Layer 2 traceroute eases troubleshooting by identifying the physical path that a packet takes from source to destination.
• Trivial File Transfer Protocol (TFTP) reduces the cost of administering software upgrades by downloading from a centralized location.
• Network Timing Protocol (NTP) provides an accurate and consistent timestamp to all intranet switches.

High Availability

• Cross-Stack EtherChannel provides the ability to configure Cisco EtherChannel technology across different members of the stack for high resiliency.
• FlexLink provides link redundancy with convergence time less than 100 ms.
• IEEE 802.1s/w Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) provide rapid spanning-tree convergence independent of spanning-tree timers and also offers the benefit of Layer 2 load balancing and distributed processing. Stacked units behave as a single spanning-tree node.
• Per-VLAN Rapid Spanning Tree (PVRST+) allows rapid spanning-tree reconvergence on a per-VLAN spanning-tree basis, without requiring the implementation of spanning-tree instances.
• Switch-port auto-recovery (error-disable) automatically attempts to reactivate a link that is disabled because of a network error.
• FlexStack-Plus provides switch redundancy.

Quality of Service

• MLS QoS provides the ability to configure granular policies and classes on every interface. These policies include policers, markers, and classifiers.
• Cross-stack QoS to enable QoS configuration across the entire stack.
• 802.1p class of service (CoS) and differentiated services code point (DSCP) field classification are provided, using marking and reclassification on a per-packet basis by source and destination IP address, MAC address, or Layer 4 TCP/UDP port number.
• For standalone (non-stacked) setup, up to 8 egress queues per port and strict priority queuing, and finer flow segregation using 3 threshold markers for non-strict-priority queues.
• Shaped Round Robin (SRR) scheduling to ensure differential prioritization of packet flows.
• Strict priority queuing to ensure that the highest-priority packets are serviced ahead of all other traffic.
• Flow-based rate limiting and up to 256 aggregate or individual policers per port.

High Performance Routing (IP Lite Image)

• IP unicast routing protocols (Static, Routing Information Protocol Version 1 (RIPv1), and RIPv2 are supported for small-network routing applications.
• Advanced IP unicast routing protocols (OSPF for routed access) are supported for load balancing and constructing scalable LANs. IPv6 routing (OSPFv3) is supported in hardware for maximum performance.
• Equal-cost routing facilitates Layer 3 load balancing and redundancy across the stack.
• Policy-based routing (PBR) allows superior traffic control by providing flow redirection regardless of the routing protocol configured.
• Hot Standby Routing Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) provides dynamic load balancing and failover for routed links.
• Protocol Independent Multicast (PIM) for IP multicast is supported, including PIM sparse mode (PIM-SM), PIM dense mode (PIM-DM), PIM sparse-dense mode, and Source Specific Multicast (SSM).

Features Introduced in Cisco IOS Release 15.2(7)E8

None.

Features Introduced in Cisco IOS Release 15.2(7)E7

Data Sanitization: Supports the use of the National Institute of Standards and Technology (NIST) purge method that renders data unrecoverable through simple, non-invasive data recovery techniques or through state-of-the-art laboratory techniques.

For more information, see the Data Sanitization chapter of the System Management Configuration Guide.

Features Introduced in Cisco IOS Release 15.2(7)E6

None

Features Introduced in Cisco IOS Release 15.2(7)E5

None

Features Introduced in Cisco IOS Release 15.2(7)E4

None.

Features Introduced in Cisco IOS Release 15.2(7)E3

Support for Type 6 AES Encryption password: Beginning with this release, you can specify a Type 6 encrypted key for a TACACS Server. The new command is tacacs server key 6 key-name.

Note Before downgrading from Cisco IOS Release 15.2(7)E3 to an earlier release, ensure that Type 6 encryption is removed from the TACACS Server. (Type 6 encryption is not supported in releases earlier than Cisco IOS Release 15.2(7)E3.)

Features Introduced in Cisco IOS Release 15.2(7)E2

None.

Features Introduced in Cisco IOS Release 15.2(7)E1a

None.

Features Introduced in Cisco IOS Release 15.2(7)E1

AEP MAC Move: New command authentication mac-move deny-uncontrolled command is introduced to disable MAC move from a secure port to an unsecured port.

Features Introduced in Cisco IOS Release 15.2(7)E0a

• IPv6 dACL: Supports IPv6 downloadable ACLs (dACL) for authentication and authorization into the network for end-point clients or devices. Cisco Identity Services Engine (ISE) pushed the dACL to the switch or controller, which in turn attaches it with the end-point.
• Loop Detection: A new method to detect network loops in the absence of Spanning Tree Protocol (STP) is introduced. When an edge switch is connected to an unmanaged switch that does not understand STP or it is part of a network topology where STP is not usable, the loop-detect sub-system sends a frame to the interface, at configured intervals, and detects loops.
• SFTP: The device supports SSH File Transfer Protocol (SFTP). The SFTP client functionality is provided as part of the SSH component and is always enabled on the corresponding device. Therefore, any SFTP server user with the appropriate permission can copy files to and from the device.
• Private VLAN (PVLAN) support for Multicast Traffic: Multicast traffic is routed or bridged across PVLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.

Information About Caveats

If you need information about a specific caveat that does not appear in these release notes, you can use the Cisco Bug Toolkit to find caveats of any severity. Click this URL to browse to the Bug Toolkit:

http://tools.cisco.com/Support/BugToolKit/

If you request a defect that cannot be displayed, the defect number might not exist, the defect might not yet have a customer-visible description, or the defect might be marked Cisco Confidential.

Troubleshooting

For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:

http://www.cisco.com/en/US/support/index.html

Click Product Support > Switches. Choose your product and click Troubleshooting to find information on the problem you are experiencing.

Cisco Bug Search Tool

The Bug Search Tool (BST), which is the online successor to Bug Toolkit, is designed to improve the effectiveness in network risk management and device troubleshooting. The BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat listed in this document:

1. Access the BST (use your Cisco user ID and password) at https://tools.cisco.com/bugsearch/.

2. Enter the bug ID in the Search For: field.

Open Caveats

None.

Resolved Caveats

Caveats Resolved in Cisco IOS Release 15.2(7)E8

Caveats Resolved in Cisco IOS Release 15.2(7)E7

Caveats Resolved in Cisco IOS Release 15.2(7)E6

Caveats Resolved in Cisco IOS Release 15.2(7)E5

Caveats Resolved in Cisco IOS Release 15.2(7)E4

Caveats Resolved in Cisco IOS Release 15.2(7)E3

Caveats Resolved in Cisco IOS Release 15.2(7)E2

Caveats Resolved in Cisco IOS Release 15.2(7)E1a

Caveats Resolved in Cisco IOS Release 15.2(7)E1

Table 14 Resolved Caveats for Cisco IOS Release 15.2(7)E1

Caveats Resolved in Cisco IOS Release 15.2(7)E0a

Table 15 Resolved Caveats for Cisco IOS Release 15.2(7)E0a

Communications, Services, and Additional Information

• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
• To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.