Cisco IOS Software for the Catalyst 4500 Series Supervisor Engine III and IV

Cisco IOS Software for the Cisco Catalyst 4500 Series Supervisor Engine III and IV, Enhanced Layer 3 and voice software image, including Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Interior Gateway Routing Protocol (IGRP), and Enhanced IGRP (EIGRP) <b>Cisco IOS Software Release 12.1(19)EW Software Support</b>

<b>New Software Features</b>
-Dynamic Address Resolution Protocol (ARP) Inspection.
-IP source guard.
-802.1x with virtual LAN (VLAN) assignment.
-802.1x with guest VLAN.
-Port ACL (PACL).
-Port flood blocking.
-Per-VLAN Rapid Spanning-Tree Plus (PVRST+).
-Storm control (broadcast suppression).
-Internet Group Management Protocol Version 3 (IGMPv3 snooping).
-Auto-QoS.
-Trusted boundary.
-Inline power pre-allocation.
-Switched Port Analyzer (SPAN) destination inpkts option.
-SPAN CPU source.
-SPAN packet type filtering.
-NetFlow Version 8.
-Show interface capabilities.
-IfIndex persistence.
-Unidirectional link routing (UDLR).
-Enhanced SNMP Management Information Base (MIB) support.

<b>Dynamic ARP Inspection</b>
ARP does not have any authentication. It is quite simple for a malicious user to poison ARP tables of other hosts on the same VLAN. In a typical attack, a malicious user can send unsolicited ARP replies (gratuitous ARP packets) to other hosts on the subnet with the attacker's MAC address and the default gateway's IP address. Such ARP poisoning leads to various "man-in-the-middle" attacks, posing a security threat in the network. Dynamic ARP Inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings. The Dynamic Host Control Protocol (DHCP) snooping feature is typically used to maintain IP-to-MAC bindings. Dynamic ARP Inspection helps prevent the man-in-the-middle attacks by not relaying invalid ARP replies out to other ports in the same VLAN. It is a solution with no change to the end user or host configurations. Denied ARP packets are logged by the switch for auditing. Incoming ARP packets on the trusted ports or isolated private VLAN (PVLAN) trunks are not inspected.

<b>IP Source Guard</b>
IP source guard provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It is a unique Cisco Catalyst 4500 Series IOS Software feature that helps mitigate IP spoofing. It dynamically maintains per-port VLAN ACLs (VACLs) based on IP to MAC to switch port bindings. The binding table is populated either by the DHCP snooping feature or through static configuration of entries. IP source guard prevents a malicious host from attacking the network by hijacking its neighbor's IP address. IP source guard is typically deployed for untrusted switch ports in the access layer.

<b>802.1x with VLAN Assignment</b>
The 802.1x with VLAN assignment feature authorizes a user for an associated VLAN. This is achieved by maintaining a username-to-VLAN mapping database on the Remote Authentication Dial-In User Service (RADIUS) server. Following successful 802.1x authentication, the RADIUS server sends the VLAN name to the switch for that particular user, and the switch configures the authenticated port for the specified VLAN.

<b>802.1x with Guest VLAN</b>
When 802.1x is enabled on an access port, a user without an 802.1x client is typically denied access to the network. The 802.1x with guest VLAN feature offers limited network access through a guest VLAN to those users. It is usually deployed in a lobby or in customer briefing areas.

<b>PACL</b>
PACL is a security ACL feature applied to Layer 2 switch ports. PACL filters traffic to and from Layer 2 switch ports with permit and deny actions, based on Layer 3 and 4 header information or non-IP Layer 2 information. By default, PACL actions override VLAN-based ACLs. Both input and output PACLs are supported. PACLs can be configured on physical ports and channel ports. PACLs are typically used to limit IP address use per customer on access ports, by restricting a port to one IP address. PACLs can be deployed along with PVLANs to separate users from each other on the same subnet.

<b>Port Flood Blocking</b>
By default, a switch floods packets with unknown destination MAC addresses to all Ethernet ports. In certain configurations, such flooding is neither needed nor desired. For example, a port with only manually assigned address or only one connected host has no unknown destination. Flooding serves no purpose for such a port. Port flood blocking allows a user to disable the flooding of unicast and multicast packets on a per-port basis.

<b>PVRST+</b>
Rapid Spanning-Tree Protocol (RSTP) as specified in IEEE 802.1w provides rapid recovery of connectivity following the failure of a bridge, bridge port, or LAN. Cisco Per-VLAN Spanning Tree Plus (PVST+) applies RSTP convergence with 802.1d on a per-VLAN basis. Per-VLAN Rapid Spanning-Tree (PVRST+) is the implementation of 802.1w on a per-VLAN basis. It is the same as PVST+ with respect to Spanning-Tree Protocol mode and runs RSTP based on 802.1w.

<b>Storm Control (Broadcast Suppression)</b>
Broadcast suppression is used to prevent LANs from being disrupted by a broadcast storm. A broadcast storm occurs when broadcast packets flood the LAN, creating excessive traffic and degrading network performance. Broadcast suppression measures how much broadcast traffic traverses a port, and compares the broadcast traffic bandwidth with some configurable threshold value within a specific time interval. If the amount of broadcast traffic reaches the threshold during this interval, broadcast frames are dropped, and optionally the port is shut down. Simple Network Management Protocol (SNMP) traps can be generated by the switch when broadcast suppression is activated. Broadcast suppression can be enabled or disabled on a per-port basis. For nonblocking Gigabit Ethernet ports, broadcast suppression is achieved in hardware. In all other cases, broadcast suppression is implemented in software for the Cisco Catalyst 4500 Series Supervisor Engine II-Plus, III, and IV.

<b>IGMPv3 Snooping</b>
The IGMPv3 snooping feature provides constrained flooding of multicast traffic in the presence of IGMPv3 hosts or routers. IGMPv3 snooping listens to IGMPv3 query and membership report messages to maintain host-to-multicast group associations. IGMPv3 snooping enables a switch to propagate multicast data only to ports that need them. The IGMPv3 snooping feature is fully interoperable with IGMPv1 and v2.

<b>Auto-QoS</b>
Auto-QoS is a set of new Cisco IOS Software macros that simplify the voice over IP (VoIP) deployment of Cisco QoS features. It enables a user to consistently deploy appropriate QoS in the network for IP telephony. The same macros are used across Cisco IOS platforms for effective QoS configurations in the network.

<b>Trusted Boundary</b>
In a typical network supporting IP telephony, traffic sent from Cisco IP phones to a switch is usually marked with a tag in 802.1Q header. The header contains the VLAN information and a three-bit class of service (CoS) field, which determines the priority of the packet. In most IP telephony configurations, the traffic sent from a Cisco IP phone to the switch is trusted to help ensure that voice traffic is properly prioritized over other types of traffic in the network. If a user bypasses the Cisco IP phone and connects the PC directly to the switch, the trusted CoS labels generated by the PC can cause misuse of high-priority queues. The trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue, if a Cisco IP phone is not detected.

<b>Inline Power Pre-Allocation</b>
An inline power port can be configured with option "static" to gain a higher priority than the "auto" option. A configurable amount of inline power is pre-allocated for the static port regardless of whether a device is connected to it. Such static ports no longer need to participate in the current first-come-first-served model, even when inline power is oversubscribed in the system. In the event of insufficient inline power due to partial power supply failure, auto ports are shut down before static ports.

<b>SPAN Destination Inpkts Option</b>
SPAN allows a user to configure a set of source ports or VLANs as SPAN sources. Packets either received at or transmitted from SPAN sources are copied to a destination port. A SPAN destination port is used to transmit the sniffed traffic of the SPAN source ports. All ingress traffic to the SPAN destination port is usually dropped. The SPAN destination inpkts option allows the SPAN destination port to receive and switch normal incoming traffic. This feature is typically used by an intrusion detection system (IDS) to send a reset or notification signal into the network through the SPAN destination port.

<b>SPAN CPU Source</b>
SPAN CPU source allows a user to specify the CPU (or a subset of CPU queues) as a SPAN source. Traffic going to or from the CPU via one of the specified queues is mirrored and sent to the SPAN destination port. This traffic includes both control packets and regular data packets that are sent to or from the CPU (due to software forwarding, for example). This feature is typically used for troubleshooting.

<b>SPAN Packet Type Filtering</b>
SPAN packet type filtering allows a user to apply packet filters to SPAN sources for ingress and egress traffic. Ingress traffic may be filtered by unicast, multicast, broadcast, good, or error packets. Egress traffic may be filtered by unicast, multicast, or broadcast. This feature is typically used to simplify network traffic monitoring.

<b>NetFlow Version 8</b>
NetFlow statistics collection and export are supported by the NetFlow Services Card on the Cisco Catalyst 4500 Series Supervisor Engine IV. NetFlow statistics enable flow-level monitoring of all IPv4 routed traffic through the switch. NetFlow Version 8 adds router-based aggregation schemes. By maintaining aggregation caches, NetFlow Version 8 enables aggregation of NetFlow data export streams. Additional NetFlow Version 5 fields are also supported in this release, such as input and output interface, Autonomous System (AS) info, and next-hop router.

<b>Show Interface Capabilities</b>
The show interface capabilities command allows a user to quickly determine available options that can be configured on an interface or a module. It does not provide the current operating configurations of an interface. It is only supported on all physical Layer 2 and Layer 3 interfaces.

<b>IfIndex Persistence</b>
The ifIndex persistence feature allows the ifIndex value for any interface to remain the same after a system reboot. The SNMP ifIndex value is a unique identifier for a physical or logical interface on a switch. This feature simplifies many SNMP-based network management applications.

<b>UDLR</b>
UDLR enables a router to emulate the behavior of a bidirectional link for IP operations over two unidirectional links. The feature is normally used for asymmetric links (such as in video transport networks) where the downstream link requires a much higher bandwidth than the upstream link.

<b>Enhanced SNMP MIB Support</b>
Additional SNMP MIBs are supported in this release. They are:
-CISCO-IF-EXTENSION-MIB.
-ETHERLIKE-MIB.