Updated: May 31, 2019
The Catalyst 3850 switches are the next generation of enterprise class stackable access layer switches that provide full convergence between wired and wireless networks on a single platform. This convergence is built on the resilience of new and improved 480-Gbps StackWise-480 and Cisco StackPower. Wired and wireless security and application visibility and control are natively built into the switch.
The Catalyst 3850 switches also support full IEEE 802.3at Power over Ethernet Plus (PoE+), modular and field replaceable network modules, redundant fans, and power supplies. The Catalyst 3850 switches enhance productivity by enabling applications such as IP telephony, wireless, and video for a true borderless network experience.
The Cisco IOS XE software represents the continuing evolution of the preeminent Cisco IOS operating system. The Cisco IOS XE architecture and well-defined set of APIs extend the Cisco IOS software to improve portability across platforms and extensibility outside the Cisco IOS environment. The Cisco IOS XE software retains the same look and feel of the Cisco IOS software, while providing enhanced future-proofing and improved functionality.
Support for –B Domain—The FCC (USA) rule making on 5 GHz released on April 1, 2014 (FCC 14-30 Report and Order) goes into effect for products that are sold or shipped on or after June 2, 2016. Cisco APs and Cisco WLCs comply with the new rules by supporting the new regulatory domain (–B) for the US, and new AP SKUs certified under the new rules are created. Examples of the new rules include new 5-GHz band channels permitted for outdoor use, and the transmit (Tx) power level increased to 1 W for indoor, outdoor, and point-to-point transmissions.
Note Cisco APs and Cisco WLCs that are in the –A domain category can continue to operate and even coexist with –B domain devices without any issues.
We recommend that you upgrade Cisco APs and Cisco WLCs to the appropriate software release that supports –B domain.
Beginning with Cisco Wireless Release 8.1, the Mobility Agent related CLI/WebUI on AireOS-based controllers acting as Mobility Controller is no longer supported.
Pairing of 3850, 3650 switches, or 4500E Sup-8E, as Mobility Agent is not supported with Cisco Wireless Release 8.1 and later releases.
The TACACS+ login procedure using a custom method list is simplified: configuring a default method list is no longer required when the same server group is used.
Support for Catalyst Switch models WS-C3850-48U-L, WS-C3850-48U-S and WS-C3850-48U-E
What’s New in Cisco IOS XE Release 3.6.3E
CDP Bypass—Sessions for IP phones are established in single-host and multi-host modes. When both a voice VLAN and 802.1X are enabled on an interface, CDP bypass is enabled if the host mode is set to single-host or multi-host.
Note By default, the host mode is single-host in legacy mode and multi-auth in edge mode.
Use the following commands to configure CDP bypass:
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication host-mode {single-host | multi-host}
Switch(config-if)# dot1x pae authenticator
WebAuth sleeping client—Allows successfully authenticated devices to stay logged in for a configured period without reauthentication.
The following CLI is added under the webauth parameter map:
sleeping-client timeout timeout-in-minutes
Restrictions:
– There is a one-to-one mapping between the device MAC address and the username/password. Once an entry is added to the sleeping-client cache, the device gets the policies of the user stored in the cache; any other user on the same device therefore gets the same policies. A user can force normal authentication by logging out, which requires explicitly entering the following URL:
http[s]://<Virtual IP/Virtual Host>/logout.html
– Mobility is not supported. If the client roams from one controller to another, the client undergoes normal authentication on the foreign controller.
Multiple VLAN support for Wired Guest Access—The wired guest anchor can now support multiple VLANs and multiple guest LANs. A different VLAN can be assigned to each security profile (open auth, webauth, and web consent). For more on the wired guest anchor, see the “Wired Guest Access with Both Anchor and Foreign” section.
Note The Catalyst 3850 switch cannot be used as an anchor controller.
Cisco TrustSec (CTS) fields support in Flexible Netflow. This facilitates monitoring and troubleshooting of CTS network, and traffic segregation using source and destination group tags.
Long URL—The webauth parameter map supports an external URL with a maximum length of 256 characters. When configuring the login URL for webauth, make sure that the complete length of the redirected URL (including any appended attributes) does not exceed 550 characters. The commands used to configure an external webauth parameter map with a long URL are given below:
Credentials support in HTTP GET Request—Customers can customize the HTML pages to send credentials in HTTP GET Request.
Note We recommend encrypting the password when using the HTTP GET request, because GET parameters appear in the request URL and can end up in proxy and server logs.
Append AP radio mac or SSID or client mac—External URLs sent to the client can be appended with AP radio mac address or SSID or client mac address or any of these combinations, so that the webauth redirect URL sent to the wireless client is parsed by an external server based on the appended attribute configured in the parameter-map. For example, an external server can use this attribute information present in the redirect URL to send the login page based on the AP location or SSID or the client mac address. The commands to configure this feature are given below:
Multi-privilege level support to log in to the web UI through TACACS+—In releases prior to 3.6.3E, users were restricted to privilege level 15. In this release, users with privilege level 1 can log in, through TACACS+ or local authentication, and monitor the controller.
Cisco 1570 Series Access Point—This release supports Cisco 1570 Series Access Point, in local mode.
LWA—Multiple web server configuration for external WebAuth.
Configure an extended ACL on the switch with a deny entry for each external server IP address. In this bypass ACL, deny means the traffic is not intercepted, so the client can reach the server. An example is given below:
Switch(config)# ip access-list extended BYPASS_ACL
Switch(config-ext-nacl)# deny ip any host 10.1.1.1
Switch(config-ext-nacl)# deny ip any host 20.1.1.1
Switch(config-ext-nacl)# end
Switch# show ip access-lists | sec BYPASS_ACL
Extended IP access list BYPASS_ACL
10 deny ip any host 10.1.1.1
20 deny ip any host 20.1.1.1
This release introduces a new CLI under the global parameter-map to attach the BYPASS_ACL. To configure the extended BYPASS_ACL under the global parameter-map, use the following commands:
After the configuration, the content of BYPASS_ACL is merged with the intercept ACL (redirect ACL). Traffic destined for the IP addresses configured in BYPASS_ACL is therefore not intercepted and passes through, so users can reach multiple external servers during authentication.
CWA—Default Built-in Redirect URL ACL
Permitting TCP port 443 in the redirect ACL is not advised. To keep users from making mistakes when defining the CWA ACL, a built-in ACL is provided that needs only a small modification to bypass traffic to the CWA server: the controller or switch creates a default URL redirect ACL with the mandatory ACEs (permit HTTP traffic; deny DNS and DHCP) and without “permit tcp any any eq 443”. With this ACL, the user only needs to add a “deny” rule for the ISE server or any other external server that clients must reach directly.
Default ACL Name: CISCO-CWA-URL-REDIRECT-ACL
ACL Content:
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
remark Configure deny ip any host <server-ip> to allow access to <server-ip>
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
You can view the ACL with the show ip access-lists command. After it is modified, the ACL also appears in the show running-config output.
Usage:
1. Modify the default ACL “CISCO-CWA-URL-REDIRECT-ACL” to add “deny ip any host <server-ip>” with a sequence number lower than 100, so that it is evaluated before the permit for HTTP. If multiple servers must be reachable, add one “deny” rule for each.
2. Configure the Default ACL Name in ISE as redirect-url for CWA authorization profile.
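The convention behind both the LWA BYPASS_ACL above and the CWA default ACL is easy to get backwards: on a redirect ACL, permit means "intercept and redirect to the portal" and deny means "let the flow through". The following Python script is an added example, not part of the release notes or of Cisco's software. It parses the default CISCO-CWA-URL-REDIRECT-ACL text quoted above and replays constructed client flows against it, before and after the deny line for an ISE server is added, so the effect of each usage step can be seen. The ISE address 192.0.2.10, the client 10.20.30.40 and the other addresses are assumptions made for the example, and only the any/host address forms used by these ACLs are implemented.

```python
"""Added example, not from the release notes: how a web-auth redirect ACL decides
what is intercepted. On the LWA BYPASS_ACL and the CWA CISCO-CWA-URL-REDIRECT-ACL,
'permit' means "redirect this flow to the portal" and 'deny' means "let it through
untouched", the inverse of a filtering ACL; that is why the external web server
(LWA) and the ISE server (CWA) are entered as 'deny ip any host <server-ip>'.
The ACL text is the default one quoted above; all addresses are constructed."""
from collections import namedtuple
from typing import Dict, List, Optional

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80, "https": 443}
DEFAULT_CWA_ACL = """
remark Configure deny ip any host <server-ip> to allow access to <server-ip>
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
"""
ISE_PSN = "192.0.2.10"  # constructed ISE policy service node address

# action: "permit" = redirect, "deny" = pass through; src/dst: "any" or a host
# address; sport/dport: None when the ACE carries no "eq" port.
Ace = namedtuple("Ace", "seq action proto src sport dst dport")
Flow = namedtuple("Flow", "proto src sport dst dport")

def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'seq action proto SRC [eq port] DST [eq port]'; remarks give None.
    Only 'any' and 'host A.B.C.D' are handled, which is all these ACLs use."""
    tok = line.split()
    if not tok or "remark" in tok[:2]:
        return None
    seq, action, proto = int(tok.pop(0)), tok.pop(0), tok.pop(0)

    def addr() -> str:
        t = tok.pop(0)
        if t not in ("any", "host"):
            raise ValueError(f"unsupported address form {t!r} in ACE {seq}")
        return tok.pop(0) if t == "host" else "any"

    def port() -> Optional[int]:
        if not tok or tok[0] != "eq":
            return None
        _, name = tok.pop(0), tok.pop(0)
        return PORT_NAMES.get(name) or int(name)

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Ace(seq, action, proto, src, sport, dst, dport)

def parse_acl(text: str) -> List[Ace]:
    aces = [a for a in map(parse_ace, text.splitlines()) if a is not None]
    return sorted(aces, key=lambda a: a.seq)

def matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto)
            and ace.src in ("any", flow.src) and ace.dst in ("any", flow.dst)
            and ace.sport in (None, flow.sport) and ace.dport in (None, flow.dport))

def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First match wins: 'redirect' on permit, 'pass' on deny or on the implicit deny.
    Unlisted traffic (HTTPS included) is not intercepted; whether it is allowed at
    all is decided by the port ACL or dACL, not by this ACL."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, flow):
            return "redirect" if ace.action == "permit" else "pass"
    return "pass"

def add_server_bypass(acl: List[Ace], server_ip: str, seq: int = 10) -> List[Ace]:
    """Insert the 'deny ip any host <server>' line from the usage steps. It has to sit
    above sequence 100: after 'permit tcp any any eq www' it is never reached for
    port 80 and the portal server itself would be redirected."""
    if seq >= 100:
        raise ValueError("server bypass must use a sequence number below 100")
    if any(a.seq == seq for a in acl):
        raise ValueError(f"sequence {seq} is already in use")
    new = parse_ace(f"{seq} deny ip any host {server_ip}")
    return sorted(acl + [new], key=lambda a: a.seq)

def permits_https(acl: List[Ace]) -> bool:
    """True if a TCP/443 flow would be redirected, which the notes advise against."""
    probe = Flow("tcp", "10.20.30.40", 40000, "198.51.100.20", 443)
    return evaluate(acl, probe) == "redirect"

# Constructed flows from guest client 10.20.30.40 while it sits in the CWA state.
FLOWS: Dict[str, Flow] = {
    "dns": Flow("udp", "10.20.30.40", 51000, "192.0.2.53", 53),
    "dhcp_discover": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "http_internet": Flow("tcp", "10.20.30.40", 40001, "198.51.100.20", 80),
    "https_internet": Flow("tcp", "10.20.30.40", 40002, "198.51.100.20", 443),
    "http_to_ise": Flow("tcp", "10.20.30.40", 40003, ISE_PSN, 80),
    "portal_to_ise": Flow("tcp", "10.20.30.40", 40004, ISE_PSN, 8443),
}

def demo() -> Dict[str, Dict[str, str]]:
    """Verdict per flow for the stock ACL and for the ACL with the ISE bypass added."""
    stock = parse_acl(DEFAULT_CWA_ACL)
    fixed = add_server_bypass(stock, ISE_PSN)
    return {"stock": {n: evaluate(stock, f) for n, f in FLOWS.items()},
            "with_ise_bypass": {n: evaluate(fixed, f) for n, f in FLOWS.items()}}

if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label)
        for name, verdict in verdicts.items():
            print(f"  {name:15s} {verdict}")
```

Running the script shows the one difference the usage step makes: with the stock ACL, port 80 to the ISE server is redirected like any other HTTP flow (the client loops on the portal), while after the deny line is inserted below sequence 100 that flow passes through and everything else keeps its verdict. DNS, DHCP and HTTPS are never intercepted in either case; the script also refuses a bypass entry numbered 100 or higher, since it would land behind the HTTP permit.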
Wired Guest Access with Both Anchor and Foreign
Restrictions
The wired guest VLAN on the access switch must not have an SVI on any of the local switches. It should terminate directly on the foreign, so that the traffic is exported to the anchor.
Anchor VLAN should not be allowed on the foreign controllers’ uplink. Doing so may result in unexpected behavior.
The Foreign and Anchor guest LANs should not be on the same VLAN.
Wired guest configuration should only be done during scheduled network downtime period.
Overview
In enterprise networks, there is typically a need for providing network access to its guests on the campus. The guest access requirements include providing connectivity to the Internet or other selective enterprise resources to both wired and wireless guests in a consistent and manageable way. The same wireless LAN controller can be used to provide access to both types of guests on the campus. For security reasons, a large number of enterprise network administrators segregate guest access to a DMZ (Demilitarized Zone) controller via tunneling. The guest access solution is also used as a fallback method for guest clients that fail dot1x and MAB authentication methods.
This section covers deployment of the wired guest access feature with a Catalyst 3850 switch as the foreign controller and a Cisco 5760 Wireless LAN Controller acting as the guest anchor in the DMZ. The feature works in the same way with a Cisco Catalyst 3650 switch as the foreign controller.
The guest user connects to the designated wired port on an access layer switch and, depending on the security requirements, may be required to go through Web Consent or Web Authentication (details in later sections). Once guest authentication succeeds, access to network resources is granted and the guest anchor manages the client traffic. The foreign controller is the switch where the client first connects; it initiates the tunnel request. The guest anchor is the switch where the client is actually anchored.
Before the guest access feature can be deployed, a mobility tunnel must be established between the foreign and guest anchor switches. The feature works for both the MC (Foreign Controller) >> MC (Guest Anchor) and MA (Foreign Controller) >> MC (Guest Anchor) models. The foreign switch tunnels wired guest traffic to the guest anchor controller, and multiple guest anchors can be configured for load balancing. The client is anchored to the DMZ anchor controller, which is also responsible for DHCP IP address assignment and for authenticating the client. After authentication completes, the client can access the network.
Deployment Scenario
The following sections cover common use cases where wired clients connect to access switches for network access. Two modes of access are explained with different examples. In all of them, the wired guest access feature can act as a fallback method for authentication. This is typically the case when a guest brings an end device that is unknown to the network: because the device has no endpoint supplicant, dot1x authentication fails, and MAB authentication also fails because the device MAC address is unknown to the authenticating server. In such deployments, corporate end devices still get access because they either have a dot1x supplicant or have their MAC addresses registered on the authenticating server. This gives deployment flexibility, as the administrator does not need to tie up ports specifically for guest access.
The diagram below shows the topology used in the deployment scenario:
Figure 1-1 Wired Guest Access with Both Anchor and Foreign
Open Authentication
Guest Anchor Configuration:
Step 1 Enable IPDT and DHCP snooping on client VLANs (VLAN75 in this example). Client VLAN has to be created on the guest anchor.
ip device tracking
ip dhcp relay information trust-all
ip dhcp snooping vlan 75
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
Step 2 Create VLAN 75 and L3 VLAN interface.
vlan 75
interface Vlan75
ip address <layer-3-interface-ip-address>
ip helper-address <dhcp-server-ip-address>
ip dhcp pool DHCP_75
network <client-subnet>
default-router 75.1.1.1
lease 0 0 10
update arp
Step 3 Create a guest LAN specifying the client VLAN with the Cisco WLC 5760 itself acting as the mobility-anchor.
For openmode, use the no security web-auth command.
guest-lan GUEST_LAN_OPENAUTH 3
client vlan 75
mobility anchor
no security web-auth
no shutdown
Foreign Configuration
Step 1 Enable DHCP and create a VLAN. The client VLAN need not be on the foreign.
ip dhcp relay information trust-all
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip device tracking
Step 2 The switch detects the MAC address of the incoming client on the port-channel configured with ‘access-session port-control auto’ and applies the subscriber policy ‘OPENAUTH’. The ‘OPENAUTH’ policy, shown below, should be created first:
policy-map type control subscriber OPENAUTH
event session-started match-all
class always do-until-failure
activate service-template SERV-TEMP3-OPENAUTH
authorize
interface Po1
switchport trunk allowed vlan 19,137
switchport mode trunk
ip arp inspection trust
access-session port-control auto
service-policy type control subscriber OPENAUTH
ip dhcp snooping trust
end
Note The policy can be applied on the port where the end device is connected while the 3850/3650 is acting as the Foreign.
Step 3 Configure MAC learning on the foreign for the client VLAN:
mac address-table learning vlan 19
Step 4 The ‘OPENAUTH’ policy is evaluated sequentially and in this case points to a service template named ‘SERV-TEMP3-OPENAUTH’, defined below:
service-template SERV-TEMP3-OPENAUTH
tunnel type capwap name GUEST_LAN_OPENAUTH
Step 5 The service template contains a reference to the tunnel type and name. Client VLAN 75 only needs to exist on the guest anchor, since it is responsible for handling client traffic:
guest-lan GUEST_LAN_OPENAUTH 3
client vlan 75
mobility anchor <anchor-ip-address>
no security web-auth
no shutdown
Step 6 A tunnel request is initiated from the foreign to the guest anchor for the wired client; a ‘tunneladdsuccess’ indicates that the tunnel build-up completed.
On ACCESS-SWITCH1, a wired client connects to an Ethernet port that the network administrator has set to access mode, GigabitEthernet 1/0/11 in this example:
interface GigabitEthernet1/0/11
switchport access vlan 19
switchport mode access
WEBAUTH
Guest Anchor Configuration
Step 1 Enable IPDT and DHCP snooping on the client VLAN(s), in this case VLAN 75. The client VLAN must be created on the guest anchor.
ip device tracking
ip dhcp relay information trust-all
ip dhcp snooping vlan 75
ip dhcp snooping information option allow-untrusted
Foreign Configuration
Step 1 Enable DHCP snooping and IPDT. The client VLAN does not need to be created on the foreign.
ip dhcp relay information trust-all
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip device tracking
Step 2 The switch detects the MAC address of the incoming client on the port-channel configured with ‘access-session port-control auto’ and applies the subscriber policy ‘WEBAUTH’. The ‘WEBAUTH’ policy, shown below, should be created first:
policy-map type control subscriber WEBAUTH
event session-started match-all
class always do-until-failure
activate service-template SERV-TEMP3-WEBAUTH
authorize
interface po1
switchport trunk allowed vlan 19,137
switchport mode trunk
ip arp inspection trust
access-session port-control auto
service-policy type control subscriber WEBAUTH
ip dhcp snooping trust
end
Step 3 Configure MAC learning on the foreign for the client VLAN:
mac address-table learning vlan 19
Step 4 The ‘WEBAUTH’ policy is evaluated sequentially and in this case points to a service template named ‘SERV-TEMP3-WEBAUTH’, defined below:
service-template SERV-TEMP3-WEBAUTH
tunnel type capwap name GUEST_LAN_WEBAUTH
Step 5 The service template contains a reference to the tunnel type and name. Client VLAN 75 only needs to exist on the guest anchor, since it is responsible for handling client traffic.
Step 6 A tunnel request is initiated from the foreign to the guest anchor for the wired client; a ‘tunneladdsuccess’ indicates that the tunnel build-up completed.
On ACCESS-SWITCH1, a wired client connects to an Ethernet port that the network administrator has set to access mode, GigabitEthernet 1/0/11 in this example:
interface GigabitEthernet1/0/11
switchport access vlan 19
switchport mode access
Configuring OPENAUTH and WEBAUTH in Parallel
To have two guest LANs and assign them to different clients, the selection must be based on the VLAN on which each client is learned.
Guest Anchor Configuration
Step 1 Enable IPDT and DHCP snooping on the client VLAN(s), in this case VLAN 75. The client VLAN must be created on the guest anchor.
ip device tracking
ip dhcp relay information trust-all
ip dhcp snooping vlan 75
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
Step 2 Create VLAN 75 and L3 VLAN interface.
vlan 75
interface Vlan75
ip address 75.1.1.1 255.255.255.0
ip helper-address 192.168.1.1
ip dhcp pool DHCP_75
network 75.1.1.0 255.255.255.0
default-router 75.1.1.1
lease 0 0 10
update arp
Step 3 Create a guest LAN specifying the client VLAN, with the Cisco WLC 5760 itself acting as the mobility anchor. For open mode, use the no security web-auth command.
Foreign Configuration
Step 1 Enable DHCP snooping and IPDT. As noted, the client VLAN does not need to be created on the foreign:
ip dhcp relay information trust-all
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip device tracking
Step 2 The switch detects the MAC address of the incoming client on the port-channel configured with ‘access-session port-control auto’ and applies the subscriber policy ‘DOUBLEAUTH’. The vlan18 and vlan19 class maps are defined in Step 4. Because the session-started event uses match-first, the first class that matches the client VLAN selects the service template: vlan19 clients get open authentication and vlan18 clients get web authentication. The ‘DOUBLEAUTH’ policy, shown below, should be created first:
policy-map type control subscriber DOUBLEAUTH
event session-started match-first
class vlan19 do-until-failure
activate service-template SERV-TEMP3-OPENAUTH
authorize
class vlan18 do-until-failure
activate service-template SERV-TEMP4-WEBAUTH
authorize
interface po1
switchport trunk allowed vlan 18,19,137
switchport mode trunk
ip arp inspection trust
access-session port-control auto
service-policy type control subscriber DOUBLEAUTH
ip dhcp snooping trust
end
Step 3 Configure MAC learning on the foreign for VLANs 18 and 19:
mac address-table learning vlan 18 19
Step 4 The ‘vlan19’ and ‘vlan18’ class maps contain the VLAN match criteria that decide which guest LAN the client falls into. They are defined below:
class-map type control subscriber match-any vlan18
match vlan 18
class-map type control subscriber match-any vlan19
match vlan 19
Step 5 The ‘DOUBLEAUTH’ policy is evaluated sequentially and points to one of two service templates, ‘SERV-TEMP3-OPENAUTH’ and ‘SERV-TEMP4-WEBAUTH’, defined below:
service-template SERV-TEMP3-OPENAUTH
tunnel type capwap name GUEST_LAN_OPENAUTH
service-template SERV-TEMP4-WEBAUTH
tunnel type capwap name GUEST_LAN_WEBAUTH
Step 6 Each service template contains a reference to the tunnel type and name. Client VLAN 75 only needs to exist on the guest anchor, since it is responsible for handling client traffic.
Step 7 A tunnel request is initiated from the foreign to the guest anchor for the wired client; a ‘tunneladdsuccess’ indicates that the tunnel build-up completed.
On the access switches, multiple wired clients connect to either VLAN 18 or VLAN 19 and are assigned the corresponding guest LAN.
Note Device Classifier has been disabled by default starting from Release 3.6.0E. Any features dependent on device classifier should enable it if required.
Provides quick and easy access to all relevant documentation for specific platforms. Look for Quick Links to Platform Documentation on the respective platform documentation pages.
Integrated Documentation Guides
Provides platform and software documentation for these technologies:
IP Multicast Routing Configuration Guide
Cisco Flexible Netflow Configuration Guide
Cisco IOS Device Sensor for ISE profiling
(IP Base and IP Services)
Supports Cisco Identity Services Engine (ISE) profiling for connected devices by using IOS Device Sensor
VRF-aware support for IPv6 routing protocols
(IP Services)
Introduces VRF-aware support for IPv6 routing protocols (VRF-aware OSPFv3, EIGRPv6, and BGPv6).
IEEE 802.1Q Tunnel (Q-in-Q)
(IP Base)
Supports IEEE 802.1Q tunneling.
Medianet Support (MSP, Metadata (no QoS), Perfmon, Mediatrace)
(IP Base and IP Services)
Supports Cisco Media Services Proxy, Cisco Medianet Metadata (no QoS), and Cisco Performance Monitor.
SMI Post-install
Eliminates the overhead of manual post-install configuration on all the switches in the Smart Install network.
Auto Security
Provides a single-line CLI to enable baseline security features (port security, DHCP snooping, and Dynamic ARP Inspection).
Cisco EnergyWise
Introduces support for Cisco EnergyWise Version 2.8. For more information, see the Cisco EnergyWise software release notes and configuration guide.
IPv6 Unicast Reverse Path Forwarding
(IP Base and IP Services)
Introduces support for Unicast Reverse Path Forwarding in IPv6.
WCCP in IP base
(IP Base)
Support for Web Cache Communication Protocol (WCCP); however, CLIs are not available for this feature.
Object Tracking: IPv6 Route Tracking
(IP Base and IP Services)
Expands the Enhanced Object Tracking (EOT) functionality to allow the tracking of IP version 6 (IPv6) routes.
IPv6 Static Route support for Object Tracking
Allows an IPv6 Static Route to be associated with a tracked-object.
Open Plug-N-Play Agent
Switch-based agent support for zero touch automated device installation solution called NG-PNP.
Cisco TrustSec Critical Authentication
Ensures that the Network Device Admission Control (NDAC)-authenticated 802.1X links between Cisco TrustSec devices are in open state even when the Authentication, Authorization, and Accounting (AAA) server is not reachable.
Enabling Bidirectional SXP Support
Enhances the functionality of Cisco TrustSec with SXP version 4 by adding support for Security Group Tag (SGT) Exchange Protocol (SXP) bindings that can be propagated in both directions between a speaker and a listener over a single connection.
Enablement of Security Group ACL at Interface Level
(IP Base, IP Services)
Controls and manages the Cisco TrustSec access control on a network device based on an attribute-based access control list. When a security group access control list (SGACL) is enabled globally, the SGACL is enabled on all interfaces in the network by default; use the Enablement of Security Group ACL at Interface Level feature to disable the SGACL on a Layer 3 interface.
Role-Based CLI Inclusive Views
(IP Base, IP Services)
Enables a standard CLI view including all commands by default.
Custom Web Authentication Result Display Enhancement
Displays the authentication results on the main HTML page. There is no pop-up window to display the authentication results.
Custom Web Authentication Download Bundle
Ensures that one or more custom HTML pages can be downloaded and configured from a single tar file bundle.
The images and the custom pages containing the images are also part of the same downloadable tar file bundle.
Virtual IP Support for Images in Custom Web Authentication
Supports image file names without prefixes and removes the requirement of users having to specify the wireless management interface IP to indicate the source of image in the HTML code.
Service Discovery Gateway: mDNS enhancements
Enables multicast Domain Name System (mDNS) to operate across layer 3 boundaries.
HSRP: Global IPv6 Address
(IP Base, IP Services)
Allows users to configure multiple non-link local addresses as virtual addresses. The Hot Standby Router Protocol (HSRP) ensures host-to-router resilience and failover, in case the path between a host and the first-hop router fails, or the first-hop router itself fails.
HTTP Gleaning
(IP Base, IP Services)
Allows the device-sensor to extract the HTTP packet Type-Length-Value (TLV) to derive useful information about the end device type.
Banner Page and Inactivity timeout for HTTP/S connections
Allows you to create a banner page and set an inactivity timeout for HTTP or HTTP Secure (HTTPS) connections. The banner page allows you to log on to the server when the session is invalid or expired.
Secure CDP
(LAN Base, IP Base, IP Services)
Allows you to select the type, length, value (TLV) fields that are sent on a particular interface to filter information sent through Cisco Discovery Protocol packets.
OSPFv3 Authentication Trailer
Provides a mechanism to authenticate Open Shortest Path First version 3 (OSPFv3) protocol packets as an alternative to existing OSPFv3 IPsec authentication.
IPv6 Policy-Based Routing
(IP Services)
Helps you manually configure how the received packets should be routed. You can identify packets by using several attributes and specify the next hop or the output interface to which the packet should be sent.
Web Authentication Redirection to Original URL
Enables networks to redirect guest users to the URL they had originally requested. This feature is enabled by default and requires no configuration.
Auto configuration
Determines the level of network access provided to an endpoint based on the type of endpoint device. This feature also permits hard binding between the end device and the interface. Autoconfig is part of the Smart Operations solution.
Interface templates
(LAN Base, IP Base, IP Services)
Provides a mechanism to configure multiple commands at the same time and associate it with a target such as an interface. An interface template is a container of configurations or policies that can be applied to specific ports.
NMSP
Enables stronger cipher suites (SHA-2 based) for NMSP connections.
IPv6 Multicast Routing
(IP Services)
Introduces IPv6 multicast routing.
Embedded Event Manager (EEM) 4.0
Provides unique customization capabilities and event driven automation within Cisco products.
MediaTrace 1.0
Provides the capability to diagnose Media Stream on top of various instrumentations in Cisco routers/switches and endpoints. Also addresses the MediaNet Video monitoring requirement to discover the signaling path and provides end-to-end diagnostics along the media stream routes.
Support is added to the following APs in this release:
AP2700I, AP2700E
AP1532I, AP1532E
Note The Cisco Aironet 1530 Series APs are supported operating only in Local mode; these APs in mesh mode are not supported.
AP702W, AP702I
FQDN ACLs
Access control lists (ACLs) configured with fully qualified domain names (FQDNs) are applied based on the destination domain name. The domain name is resolved to an IP address, which is delivered to the client as part of the DNS response. Guest users can log in through web authentication using a parameter map that references the FQDN ACL name, so an access list can be applied to a specific domain. The RADIUS server must send the AAA attribute fqdn-acl-name to the controller; the controller checks the pass-through domain list and its mapping, and permits the FQDN. An FQDN ACL allows clients to reach only the configured domains without authentication. FQDN ACLs are supported only for IPv4 wireless sessions.
Local Policies
Local policies can profile devices based on HTTP and DHCP to identify the end devices on the network. Users can configure device-based policies and enforce them per user or per device. Local policies allow profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN; they can also assign an ACL and QoS, or configure session timeouts.
Auto MAC Learning of Valid Client via MSE
You can validate rogue clients by using the Cisco Mobility Services Engine (MSE). MSE keeps a centralized list of the MAC addresses of clients that have joined the controller. Before reporting a rogue client, the controller queries MSE to check whether the client is a valid one. The communication between the controller and MSE is an on-demand service initiated by the controller.
QoS Upstream
Marking and policing actions for ingress SSID and client policies are applied at the access point. The SSID and client ingress policies that you configure in the controller are pushed to the AP. The AP performs policing and marking actions for each packet. However, the controller selects the QoS policies. Marking and policing of egress SSID and client policies are applied at the controller. QoS statistics are collated for client and SSID targets in ingress direction. Statistics are supported only for ingress policies with a maximum of five classes on wireless targets. For very large policies, statistics for ingress policies are not visible at the controller. The frequency of the statistics depends on the number of clients associated with the access point.
Implement Control part of AVC (Tie-in to QOS)
Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine, and provides application-level visibility and control (QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to either drop, mark, or police the data traffic. AVC is configured by defining a class map in a QoS client policy to match a protocol. AVC QoS actions are applied with AVC filters in both upstream and downstream directions. The QoS actions supported for upstream flow are drop, mark, and police, and for downstream flow are mark and police. AVC QoS is applicable only when the application is classified correctly and matched with the class map filter in the policy map.
Note This feature is applicable only to wireless clients.
Support for Syslog traps using the snmp-server enable traps syslog command.
After enabling Syslog traps, specify the trap message severity by using the logging snmp-trap command. Use the logging snmp-trap 0 7 command to enable all severity levels (0 to 7).
To enable individual trap levels, configure the following commands:
logging snmp-trap emergencies: enables only severity 0 traps.
logging snmp-trap alert: enables only severity 1 traps.
Along with the Syslog traps, Syslog history must also be configured; without it, Syslog traps are not sent. Use the logging history informational command to enable Syslog history.
Flexible Netflow Enhancement
Support for IPv6 destination server export. For more information, see the Cisco Flexible NetFlow Configuration Guide.
Support for NetFlow Data Export Format Version 10 (IPFIX). For more information, see the Cisco Flexible NetFlow Configuration Guide.
802.11r Mixed Mode Support
You do not have to create a separate WLAN for 802.11r support. Clients that do not support 802.11r can associate with an SSID on which 802.11r is enabled.
Support for Cisco SFP+ Active Optical Cables
The following Cisco SFP+ Active Optical Cables are supported: SFP-10G-AOC1M, SFP-10G-AOC2M, SFP-10G-AOC3M, SFP-10G-AOC5M, SFP-10G-AOC7M, and SFP-10G-AOC10M.
For a list of all supported SFP+ modules, see http://www.cisco.com/c/en/us/td/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6974.html
Supported Hardware
Catalyst 3850 Switch Models
Table 1 Catalyst 3850 Switch Models

| Switch Model | Cisco IOS Image | Description |
| --- | --- | --- |
| WS-C3850-24T-L | LAN Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply, 1 RU, LAN Base feature set (StackPower cables must be purchased separately) |
| WS-C3850-48T-L | LAN Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet ports, with 350-WAC power supply, 1 RU, LAN Base feature set (StackPower cables must be purchased separately) |
| WS-C3850-24P-L | LAN Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply, 1 RU, LAN Base feature set (StackPower cables must be purchased separately) |
| WS-C3850-48P-L | LAN Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply, 1 RU, LAN Base feature set (StackPower cables must be purchased separately) |
| WS-C3850-48F-L | LAN Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 1100-WAC power supply, 1 RU, LAN Base feature set (StackPower cables must be purchased separately) |
| WS-C3850-48U-L | LAN Base | Stackable 48 10/100/1000 Cisco UPOE ports, 1 network module slot, 1100 W power supply |
| WS-C3850-24T-S | IP Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply, 1 RU, IP Base feature set |
| WS-C3850-48T-S | IP Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet ports, with 350-WAC power supply, 1 RU, IP Base feature set |
| WS-C3850-24P-S | IP Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply, 1 RU, IP Base feature set |
| WS-C3850-48P-S | IP Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 715-WAC power supply, 1 RU, IP Base feature set |
| WS-C3850-48F-S | IP Base | Cisco Catalyst 3850 Stackable 48 10/100/1000 Ethernet PoE+ ports, with 1100-WAC power supply, 1 RU, IP Base feature set |
| WS-C3850-24U-S | IP Base | Cisco Catalyst 3850 Stackable 24 10/100/1000 UPOE ports, 1 network module slot, 1100 W power supply |
| WS-C3850-24T-E | IP Services | Cisco Catalyst 3850 Stackable 24 10/100/1000 Ethernet ports, with 350-WAC power supply, 1 RU, IP Services feature set |
| WS-C3850-24PW-S | IP Base | Cisco Catalyst 3850 24-port PoE, IP Base, with 5-access point license |
| WS-C3850-48PW-S | IP Base | Cisco Catalyst 3850 48-port PoE, IP Base, with 5-access point license |
Table 2 lists the three optional uplink network modules with 1-Gigabit and 10-Gigabit slots, and the blank module. Operate the switch only with either a network module or a blank module installed.
Table 2 Supported Network Modules

| Network Module | Description |
| --- | --- |
| C3850-NM-4-1G | Four 1-Gigabit small form-factor pluggable (SFP) module slots. Any combination of standard SFP modules is supported. SFP+ modules are not supported. |
| C3850-NM-2-10G | Four SFP module slots: the two slots on the left support only 1-Gigabit SFP modules, and the two slots on the right support either 1-Gigabit SFP or 10-Gigabit SFP+ modules. Supported combinations: slots 1, 2, 3, and 4 populated with 1-Gigabit SFP modules; or slots 1 and 2 populated with 1-Gigabit SFP modules and slots 3 and 4 populated with 10-Gigabit SFP+ modules. |
| C3850-NM-4-10G | Four 10-Gigabit slots or four 1-Gigabit slots. Note: this module is supported only on the 48-port models. |
| C3850-NM-BLANK | No uplink ports. |
Catalyst 3650 Switch Models
Table 3 Catalyst 3650 Switch Models

| Switch Model | Cisco IOS Image | Description |
| --- | --- | --- |
| Catalyst 3650-24TS-L | LAN Base | Stackable 24 10/100/1000 Ethernet downlink ports, four 1-Gigabit SFP (small form-factor pluggable) uplink ports, 250-W power supply |
| Catalyst 3650-48TS-L | LAN Base | Stackable 48 10/100/1000 Ethernet downlink ports, four 1-Gigabit SFP uplink ports, 250-W power supply |
| Catalyst 3650-24PS-L | LAN Base | Stackable 24 10/100/1000 PoE+ (1) downlink ports, four 1-Gigabit SFP uplink ports, 640-W power supply |
| Catalyst 3650-48PS-L | LAN Base | Stackable 48 10/100/1000 PoE+ downlink ports, four 1-Gigabit SFP uplink ports, 640-W power supply |
| Catalyst 3650-48FS-L | LAN Base | Stackable 48 10/100/1000 Full PoE downlink ports, four 1-Gigabit SFP uplink ports, 1025-W power supply |
| Catalyst 3650-24TD-L | LAN Base | Stackable 24 10/100/1000 Ethernet downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-48TD-L | LAN Base | Stackable 48 10/100/1000 Ethernet downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-24PD-L | LAN Base | Stackable 24 10/100/1000 PoE+ downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48PD-L | LAN Base | Stackable 48 10/100/1000 PoE+ downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48FD-L | LAN Base | Stackable 48 10/100/1000 Full PoE downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 1025-W power supply |
| Catalyst 3650-48FQ-L | LAN Base | Stackable 48 10/100/1000 Full PoE downlink ports, four 10-Gigabit SFP+ uplink ports, 1025-W power supply |
| Catalyst 3650-48PQ-L | LAN Base | Stackable 48 10/100/1000 PoE+ downlink ports, four 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48TQ-L | LAN Base | Stackable 48 10/100/1000 Ethernet downlink ports, four 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-24TS-S | IP Base | Stackable 24 10/100/1000 Ethernet downlink ports, four 1-Gigabit SFP uplink ports, 250-W power supply |
| Catalyst 3650-48TS-S | IP Base | Stackable 48 10/100/1000 Ethernet downlink ports, four 1-Gigabit SFP uplink ports, 250-W power supply |
| Catalyst 3650-24PS-S | IP Base | Stackable 24 10/100/1000 PoE+ downlink ports, four 1-Gigabit SFP uplink ports, 640-W power supply |
| Catalyst 3650-48PS-S | IP Base | Stackable 48 10/100/1000 PoE+ downlink ports, four 1-Gigabit SFP uplink ports, 640-W power supply |
| Catalyst 3650-48FS-S | IP Base | Stackable 48 10/100/1000 Full PoE downlink ports, four 1-Gigabit SFP uplink ports, 1025-W power supply |
| Catalyst 3650-24TD-S | IP Base | Stackable 24 10/100/1000 Ethernet downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-48TD-S | IP Base | Stackable 48 10/100/1000 Ethernet downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-24PD-S | IP Base | Stackable 24 10/100/1000 PoE+ downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48PD-S | IP Base | Stackable 48 10/100/1000 PoE+ downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48FD-S | IP Base | Stackable 48 10/100/1000 Full PoE downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 1025-W power supply |
| Catalyst 3650-48FQ-S | IP Base | Stackable 48 10/100/1000 Full PoE downlink ports, four 10-Gigabit SFP+ uplink ports, 1025-W power supply |
| Catalyst 3650-48PQ-S | IP Base | Stackable 48 10/100/1000 PoE+ downlink ports, four 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48TQ-S | IP Base | Stackable 48 10/100/1000 Ethernet downlink ports, four 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-24TS-E | IP Services | Stackable 24 10/100/1000 Ethernet downlink ports, four 1-Gigabit SFP uplink ports, 250-W power supply |
| Catalyst 3650-48TS-E | IP Services | Stackable 48 10/100/1000 Ethernet downlink ports, four 1-Gigabit SFP uplink ports, 250-W power supply |
| Catalyst 3650-24PS-E | IP Services | Stackable 24 10/100/1000 PoE+ downlink ports, four 1-Gigabit SFP uplink ports, 640-W power supply |
| Catalyst 3650-48PS-E | IP Services | Stackable 48 10/100/1000 PoE+ downlink ports, four 1-Gigabit SFP uplink ports, 640-W power supply |
| Catalyst 3650-48FS-E | IP Services | Stackable 48 10/100/1000 Full PoE downlink ports, four 1-Gigabit SFP uplink ports, 1025-W power supply |
| Catalyst 3650-24TD-E | IP Services | Stackable 24 10/100/1000 Ethernet downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-48TD-E | IP Services | Stackable 48 10/100/1000 Ethernet downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 250-W power supply |
| Catalyst 3650-24PD-E | IP Services | Stackable 24 10/100/1000 PoE+ downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48PD-E | IP Services | Stackable 48 10/100/1000 PoE+ downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48FD-E | IP Services | Stackable 48 10/100/1000 Full PoE downlink ports, two 1-Gigabit SFP and two 10-Gigabit SFP+ uplink ports, 1025-W power supply |
| Catalyst 3650-48FQ-E | IP Services | Stackable 48 10/100/1000 Full PoE downlink ports, four 10-Gigabit SFP+ uplink ports, 1025-W power supply |
| Catalyst 3650-48PQ-E | IP Services | Stackable 48 10/100/1000 PoE+ downlink ports, four 10-Gigabit SFP+ uplink ports, 640-W power supply |
| Catalyst 3650-48TQ-E | IP Services | Stackable 48 10/100/1000 Ethernet downlink ports, four 10-Gigabit SFP+ uplink ports, 250-W power supply |

1. PoE+ = Power over Ethernet Plus (provides up to 30 W per port).
Optics Modules
Catalyst switches support a wide range of optics. Because the list of supported optics is updated regularly, consult the tables at this URL for the latest SFP compatibility information:
2. Because of the SHA-2 certificate implementation, MSE 7.6 is not compatible with Cisco IOS XE Release 3.6E. We therefore recommend that you upgrade to MSE 8.0.
3. If MSE is deployed on your network, we recommend that you upgrade to Cisco Prime Infrastructure 2.1.2.
4. Cisco WLC Release 7.6 is not compatible with Cisco Prime Infrastructure 2.0.
5. Prime Infrastructure 2.0 enables you to manage Cisco WLC 7.5.102.0 with the features of Cisco WLC 7.4.110.0 and earlier releases. Prime Infrastructure 2.0 does not support any features of Cisco WLC 7.5.102.0, including the new AP platforms.
– Windows 7, Windows Vista, Windows XP, Windows 2003, or Windows 2000
– Microsoft Internet Explorer 6.0 and 7.0, and Mozilla Firefox up to version 26.0, with JavaScript enabled.
Wireless Web UI Software Requirements
Operating Systems
– Windows 7
– Windows 8
– Mac OS X 10.8
Browsers
– Google Chrome—Version 35
– Microsoft Internet Explorer—Versions 10 or 11
– Mozilla Firefox—Version 30
– Safari—Version 6.1
Finding the Software Version and Feature Set
Table 9 shows the mapping of the Cisco IOS XE version number and the Cisco IOS version number.
Table 9 Cisco IOS XE to Cisco IOS Version Number Mapping

| Cisco IOS XE Version | Cisco IOSd Version | Cisco Wireless Control Module Version | Access Point Version |
| --- | --- | --- | --- |
| 03.06.08E | 15.2(2)E8 | 10.2.180.0 | 15.3(3)JN13 |
| 03.06.07E | 15.2(2)E7 | 10.2.170.0 | 15.3(3)JN12 |
| 03.06.06E | 15.2(2)E6 | 10.2.160.0 | 15.3(3)JN11 |
| 03.06.05E | 15.2(2)E5 | 10.2.150.0 | 15.3(3)JN9 |
| 03.06.04E | 15.2(2)E4 | 10.2.140.0 | 15.3(3)JN8 |
| 03.06.03E | 15.2(2)E3 | 10.2.131.0 | 15.3(3)JN7 |
| 03.06.02E | 15.2(2)E2 | 10.2.120.0 | 15.3(3)JN4 |
| 03.06.01E | 15.2(2)E1 | 10.2.111.0 | 15.3(3)JN3 |
| 03.06.00E | 15.2(2)E | 10.2.102.0 | 15.3(3)JN |
| 03.03.03SE | 15.0(1)EZ3 | 10.1.130.0 | 15.2(4)JB5h |
| 03.03.02SE | 15.0(1)EZ2 | 10.1.121.0 | 15.2(4)JB5 |
| 03.03.01SE | 15.0(1)EZ1 | 10.1.110.0 | 15.2(4)JB2 |
| 03.03.00SE | 15.0(1)EZ | 10.1.100.0 | 15.2(4)JN |
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem : privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Upgrading the Switch Software
For information about how to upgrade the switch software, see the System Management Configuration Guide, Cisco IOS XE Release 3E (Catalyst 3850 Switches) at the following URL:
After you upgrade to Cisco IOS XE Release 3.6E, the WebAuth success page behavior is different from the behavior seen in Cisco IOS XE Release 3.3.X SE. After a successful authentication on the WebAuth login page, the original requested URL opens in a pop-up window and not on the parent page. Therefore, we recommend that you upgrade the Web Authentication bundle so that the bundle is in the format that is used by the AireOS Wireless LAN Controllers.
To download a sample Web Authentication bundle, follow these steps:
Step 2 Navigate to Products > Switches > Campus LAN Switches - Access > Cisco Catalyst 3850 Series Switches.
Step 3 Click a switch model.
Step 4 Click Wireless Lan Controller Web Authentication Bundle.
Step 5 Choose Release 3.6.0 and click Download.
Step 6 After the download, follow the instructions provided in the Read Me file that is attached in the bundle.
Note When you upgrade to Cisco IOS XE Release 3.6.5E, SSH access is lost if the SSH server has been relying on the CISCO_IDEVID_SUDI_LEGACY RSA key, because that key can no longer be used as the SSH server key. Before you upgrade, generate a server key pair with the crypto key generate rsa command in global configuration mode. To verify that an RSA server key pair is available on your device, run the show crypto key mypubkey rsa command.
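As an added example (not part of the release notes), the pre-upgrade check and key generation described in the note, carried through to binding SSH to the new key pair. The key label SSH-KEYS, the 2048-bit modulus and the domain name are choices made here, not values from the page.

```ios
! Added example: make sure SSH does not depend on the SUDI key before upgrading.
! Label, modulus and domain name are placeholders.
!
! 1. Look at the existing key pairs. If only CISCO_IDEVID_SUDI and
!    CISCO_IDEVID_SUDI_LEGACY are listed, a user key pair is still needed.
show crypto key mypubkey rsa
!
! 2. Generate a dedicated, labelled RSA key pair for SSH.
configure terminal
 ip domain-name example.com
 crypto key generate rsa label SSH-KEYS modulus 2048
 ! Bind the SSH server to that key pair and allow only SSHv2.
 ip ssh rsa keypair-name SSH-KEYS
 ip ssh version 2
 end
!
! 3. Confirm the key pair exists and SSH is using it, then save the
!    configuration so the binding survives the reload.
show crypto key mypubkey rsa
show ip ssh
copy running-config startup-config
```

Re-run the same two show commands after the upgrade; a fresh key pair also means clients will see a changed host key, so plan to update known_hosts entries on management hosts rather than teaching operators to accept host-key warnings blindly.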
Note In a High Availability scenario, if you download the Web Authentication bundle to the active controller, the bundle cannot be synchronized with the standby controller. Therefore, we recommend that you also manually download the Web Authentication bundle to the standby controller.
Features
The Catalyst 3850 switch supports three different feature sets:
LAN Base feature set—Provides basic Layer 2+ features, including access control lists (ACLs), quality of service (QoS), and up to 4094 VLANs.
IP Base feature set—Provides Layer 2+ and basic Layer 3 features (enterprise-class intelligent services). These features include access control lists (ACLs), quality of service (QoS), static routing, EIGRP stub routing, IP multicast routing, Routing Information Protocol (RIP), basic IPv6 management, the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
IP Services feature set—Provides a richer set of enterprise-class intelligent services and full IPv6 support. It includes the IP Base features plus full Layer 3 routing (IP unicast routing and IP multicast routing), including protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and the Open Shortest Path First (OSPF) Protocol, and support for wireless controller functionality.
Note A separate access point count license is required to use the switch as a wireless controller.
For more information about the features, see the product data sheet at this URL:
This section describes the interoperability of this version of the switch software release with other client devices.
Table 11 lists the client types on which the tests were conducted. The clients included laptops, handheld devices, phones, and printers.
Table 11 Client Types

| Client Type and Name | Version |
| --- | --- |
| Laptop | |
| Atheros HB92/HB97 | 8.0.0.320 |
| Atheros HB95 | 7.7.0.358 |
| Broadcom 4360 | 6.30.163.2005 |
| Cisco CB21 | v1.3.0.532 |
| Dell 1395/1397/Broadcom 4312HMG(L) | 5.30.21.0 |
| Dell 1501 (Broadcom BCM4313) | v5.60.48.35/v5.60.350.11 |
| Dell 1505/1510/Broadcom 4321MCAG/4322HM | 5.60.18.8 |
| Dell 1515 (Atheros) | 8.0.0.239 |
| Dell 1520/Broadcom 43224HMS | 5.60.48.18 |
| Dell 1530 (Broadcom BCM4359) | v5.100.235.12 |
| Dell 1560 | 6.30.223.215 |
| Engenius EUB 1200AC (USB) | 1026.5.1118.2013 |
| Intel 1000/1030 | v14.3.0.6 |
| Intel 4965 | v13.4 |
| Intel 5100/5300 | v14.3.2.1 |
| Intel 6200 | v15.15.0.1 |
| Intel 6205 | v15.16.0.2 |
| Intel 6235 | v15.10.5.1 |
| Intel 6300 | v15.16.0.2 |
| Intel 7260 (11AC) | 17.16.0.4, Windows 8.1 |
| Intel 7265 | 17.16.0.4 |
| MacBook 2015 | OSX 10.10.5 |
| MacBook Air (new) | OSX 10.10.5 |
| MacBook Air (old) | OSX 10.10.5 |
| MacBook Pro | OSX 10.10.5 |
| MacBook Pro with Retina Display | OSX 10.10.5 |
| Netgear A6200 (USB) | 6.30.145.30 |
| Netgear A6210 (USB) | 5.1.18.0 |
| Handheld Devices | |
| Apple iPad Air | iOS 8.4.1 (12H321) |
| Apple iPad Air 2 | iOS 8.4.1 (12H321) |
| Apple iPad Mini with Retina display | iOS 8.4.1 (12H321) |
| Apple iPad 2 | iOS 8.4.1 (12H321) |
| Apple iPad 3 | iOS 8.4.1 (12H321) |
| Intermec CK70 | Windows Mobile 6.5 / 2.01.06.0355 |
| Intermec CN50 | Windows Mobile 6.1 / 2.01.06.0333 |
| Samsung Galaxy Tab Pro SM-T320 | Android 4.4.2 |
| Symbol MC5590 | Windows Mobile 6.5 / 3.00.0.0.051R |
| Symbol MC75 | Windows Mobile 6.5 / 3.00.2.0.006R |
| Phones and Printers | |
| Apple iPhone 4S | iOS 8.4 (12H143) |
| Apple iPhone 5 | iOS 8.4 (12H143) |
| Apple iPhone 5c | iOS 8.4.1 (12H321) |
| Apple iPhone 5s | iOS 8.4.1 (12H321) |
| Apple iPhone 6 | iOS 8.4.1 (12H321) |
| Apple iPhone 6 Plus | iOS 8.4.1 (12H321) |
| Ascom i75 | 1.8.0 |
| Cisco 7921G | 1.4.5.3.LOADS |
| Cisco 7925G | 1.4.5.3.LOADS |
| Cisco 8861 | Sip88xx.10-2-1-16 |
| Google Nexus 5 | Android 5.1 |
| HTC One | Android 5.0 |
| Nexus 6 | Android 5.1.1 |
| Nokia Lumia 1520 | Windows Phone 8.1 |
| OnePlus One | Android 4.3 |
| Samsung Galaxy Nexus | Android 4.0.2 |
| Samsung Galaxy Nexus GT-I9200 | Android 4.4.2 |
| Samsung Galaxy Note (SM-900) | Android 5.0 |
| Samsung Galaxy S III | Android 4.3 |
| Samsung Galaxy S4 (GT-I9500) | Android 5.0.1 |
| Samsung Galaxy S5 (SM-G900A) | Android 4.4.2 |
| Samsung Galaxy S6 | Android 5.0.2 |
| Sony Xperia Z Ultra | Android 4.4.2 |
| SpectraLink 8030 | 119.081/131.030/132.030 |
| SpectraLink 8450 | 3.0.2.6098/5.0.0.8774 |
| Vocera B1000A | 4.1.0.2817 |
| Vocera B2000 | 4.0.0.345 |
Important Notes
A switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches is not supported.
With Cisco Prime Infrastructure 2.1.1, the refresh config and inventory collection tasks from the switch might take anywhere from 20 minutes to 40 minutes. For more information, see CSCum62747 on the Bug Search Tool.
Sometimes a delay is seen in the handling of ICMP reply packets when the packet timer is set to milliseconds (if the value is under 1 second). This is an expected behavior.
Although visible in the CLI, the following commands are not supported:
The following features are not supported in Cisco IOS XE Release 3.6E:
– Outdoor Access Points
– Mesh, FlexConnect, and OfficeExtend access point deployment
– Wireless Guest Anchor Controller (The Catalyst 3850 switch can be configured as a foreign controller.)
– Resilient Ethernet Protocol
– Private VLANs
– MVR (Multicast VLAN Registration)
– IPv6 routing - OSPFv3 Authentication
– Call Home
– DVMRP Tunneling
– Port Security on EtherChannel
– 802.1x Configurable username and password for MAB
– Link State Tracking (L2 Trunk Failover)
– Disable Per VLAN MAC Learning
– IEEE 802.1X-2010 with 802.1AE support
– IEEE 802.1AE MACsec (MKA & SAP)
– Command Switch Redundancy
– CNS Config Agent
– Dynamic Access Ports
– IPv6 Ready Logo phase II - Host
– IPv6 IKEv2 / IPSecv3
– OSPFv3 Graceful Restart (RFC 5187)
– Fallback bridging for non-IP traffic between VLANs
– DHCP snooping ASCII circuit ID
– Protocol Storm Protection
– Per VLAN Policy & Per Port Policer
– Packet Based Storm Control
– Ingress/egress Shared Queues
– Trust Boundary Configuration
– Cisco Group Management Protocol (CGMP)
– Device classifier for ASP
– IPSLA Media Operation
– Passive Monitoring
– Performance Monitor (Phase 1)
– AAA: RADIUS over IPv6 transport
– AAA: TACACS over IPv6 Transport
– Auto QoS for Video endpoints
– EX SFP Support (GLC-EX-SMD)
– IPv6 Strict Host Mode Support
– IPv6 Static Route support on LAN Base images
– VACL Logging of access denied
– RFC5460 DHCPv6 Bulk Leasequery
– DHCPv6 Relay Source Configuration
– RFC 4293 IP-MIB (IPv6 only)
– RFC 4292 IP-FORWARD-MIB (IPv6 only)
– RFC4292/RFC4293 MIBs for IPv6 traffic
– Layer 2 Tunneling Protocol Enhancements
– UniDirectional Link Routing (UDLR)
– Pragmatic General Multicast (PGM)
– PVLAN, DAI, IPSG Interoperability
– Ingress Rate Limiting
– Ingress Strict Priority Queuing (Expedite)
– Weighted Random Early Detect (WRED)
– Improvements in QoS policing rates
– Fast SSID support for guest access WLANs
Be careful when connecting a “snagless” Ethernet cable to port 1 on a 48-port switch. The protective boot of the cable might inadvertently press the Mode button, causing the switch to erase its startup configuration and reboot. (CSCuj17317)
There is no workaround except to avoid connecting a “snagless” Ethernet cable to port 1 on a 48-port switch.
Scaling Guidelines
Table 12 Scaling Guidelines

| System Feature | Maximum Limit |
| --- | --- |
| Number of HTTP session redirections system-wide (wired/wireless) | Up to 100 clients per second |
| Number of HTTPS session redirections system-wide (wired/wireless) | Up to 20 clients per second |
Limitations and Restrictions
Note Starting with Release 3.6.0E, the Device Classifier is disabled by default. If you rely on features that depend on the Device Classifier, enable it explicitly.
You cannot configure NetFlow export using the Ethernet Management port (g0/0).
The maximum committed information rate (CIR) for voice traffic on a wireless port is 132 Mb/sec.
On WS-C3850-48 switches, if the cable plugged into port 1 has a long cable boot, the boot may stay in contact with the mode button and cause the switch to reload and reset the configuration. To workaround this issue, use the no setup express command to disable Express Setup, or remove the cable boot from the cable in port 1.
VRRPv3 for IPv4 and IPv6 is not supported.
Restrictions for Cisco TrustSec:
– Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
– Cisco TrustSec for IPv6 is not supported.
– Dynamic binding of IP-SGT is not supported for hosts on Layer 3 physical routed interfaces because the IP Device Tracking feature for Layer 3 physical interfaces is not supported.
– Cisco TrustSec cannot be configured on a pure bridging domain with IPSG feature enabled. You must either enable IP routing or disable the IPSG feature in the bridging domain.
– Cisco TrustSec on the switch supports up to 255 security group destination tags for enforcing security group ACLs.
The Web UI home page may not load when the ip http access-class command is configured, because the access list also has to permit the switch's own internal address. If you encounter this issue, do the following:
a. Run the show iosd liin command.
b. Note the internet-address in the output and add a permit entry for that IP address to the access list referenced by ip http access-class.
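As an added example (not part of the release notes) of the access list the steps above describe: the management subnet 10.10.0.0/24 and the internal address 192.0.2.1 are placeholders for your own management range and for the internet-address reported by show iosd liin.

```ios
! Added example: restrict web UI access to a management range and also
! permit the internal address reported by "show iosd liin".
! The subnet and host address below are placeholders.
configure terminal
 access-list 10 remark Hosts allowed to reach the web UI
 ! Management stations (placeholder range)
 access-list 10 permit 10.10.0.0 0.0.0.255
 ! Internal address from "show iosd liin" (placeholder); without this
 ! entry the web UI home page may not load
 access-list 10 permit host 192.0.2.1
 ! Apply the standard ACL to the HTTP server and serve the UI over HTTPS
 ip http access-class 10
 ip http secure-server
 end
```

The ACL ends in an implicit deny, so anything not listed is refused; if nothing in your environment depends on plaintext HTTP, consider disabling it with no ip http server after confirming the UI still loads over HTTPS.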
For Web UI access with a TACACS+ server, a custom authentication and authorization method list that points to the TACACS+ server group does not work. Use the default authorization method list pointing to the same TACACS+ server group for the Web UI to work.
We recommend that you run the exception dump device second flash command after the install process. This stores crash files on a secondary flash device when there is no space available in the main memory area to store the crash information.
When a logging discriminator is configured and applied to a device, a memory leak occurs under heavy syslog or debug output. The rate of the leak depends on the volume of logs produced; in extreme cases the device may crash. As a workaround, disable the logging discriminator on the device.
For routing protocols, when aggressive hello timer is configured, a timely delivery of control packets is not guaranteed. Do not configure timers shorter than 3 seconds for Hello interval and shorter than 9 seconds for Dead interval, across the protocols. If there is a requirement to use aggressive timers of 1 and 3 seconds for Hello and Dead interval respectively, the recommendation is to upgrade to Cisco IOS XE Denali 16.3 release or later.
We recommend that you configure the access-session interface-template sticky timer timer-value command at the global or interface configuration mode, and not within the template.
With port security configured on a port, the switch may consume the first few frames that are needed to install a newly learned or relearned MAC address in hardware. Those frames are not forwarded to the network.
The Bug Search Tool (BST), which is the online successor to Bug Toolkit, is designed to improve the effectiveness in network risk management and device troubleshooting. The BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat listed in this document:
Choose Product Support > Switches. Then choose your product and click Troubleshoot and Alerts to find information for the problem that you are experiencing.
Related Documentation
Cisco IOS XE 3E Release documentation at this URL:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have the content delivered directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.