6509 IOS selection

Unanswered Question
Feb 11th, 2009

I have an opportunity to upgrade a 6509 IOS image but,

Cisco TAC is pretty much wortheless any more.

Also,

It wouldn't be so bad, but their site is so slow, it is frustrating trying to find information.

But,

I am not sure which platform I have,

I am running IOS and have a SUP720, running this :

s72033-ipservicesk9-mz.122-18.SXF13.bin

TAC is telling me I can use any image from any of these relaeases:

12.2.33-SXI(ED)

12.2.33-SXH4(ED)

12.2.18-SXF15a(ED)

12.2.18-SXD7b(ED)

would it be best practice to stay with the 12.2.18.SXF, or why not move up to the 12.2.33?

Could someone offer some input on this?

I am not even sure the 12.2.33 would boot with the sup720

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Loading.
Yudong Wu Wed, 02/11/2009 - 13:34

It is depend on the purpose of your IOS upgrading.

If you are not looking for some new feature or a bug fix in a specific version, staying in SXF train won't be a bad idea.

wilson_1234_2 Wed, 02/11/2009 - 13:41

Are you saying that all of the images shown here will boot with either the CAT or IOS platform of the 6509?

Also, what I am looking to do is to designate port security on specific VLANs and I cannot do it with the imnage I have.

I want to specify the "VLAN access" and "VLAN voice" on the port security:

switchport voice vlan 3

switchport port-security maximum 3

switchport port-security

switchport port-security aging time 5

switchport port-security aging type inactivity

switchport port-security mac-address 0013.19a9.00da

switchport port-security mac-address 001a.a072.e155

switchport port-security mac-address 0013.19a9.00da vlan voice

I know I have the sup720, but I want to know for sure which platform I have.

There are numerous platforms on the IOS selection tool

Edison Ortiz Wed, 02/11/2009 - 13:48

Richard,

Are you talking about the command

switchport port-security maximum ?

Your current IOS should support it:

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1014291

Also, I don't understand about being unsure what platform you have. You mean what kind of PFC module is equipped with your Sup720?

You can find out with the show module command.

HTH,

__

Edison.

wilson_1234_2 Wed, 02/11/2009 - 14:01

No, I have the maximum command.

But there is no way to lock down the mac addresses on the phone when it first boots to the data vlan, then moves to the voice vlan.

I can designate a max 3 but can only specify the workstation and phone mac-address.

This leaves an available possible mac to be iues if some one were to unplug the workstation from the phone and try to access the network.

In the 3560 switches, I can specify three specific mac addresses on the port with the "access" and "voice" keywords.

the 6509 does not allow me to do that an my understanding was that later relaeases would.

6509:

switchport port-security maximum 3

switchport port-security aging time 5

switchport port-security aging type inactivity

switchport port-security mac-address 0011.43bb.1adf

switchport port-security mac-address 0013.19ad.de72

3560:

switchport port-security maximum 3

switchport port-security

switchport port-security aging time 5

switchport port-security aging type inactivity

switchport port-security mac-address 0014.1c80.7f02

switchport port-security mac-address 001a.a072.e386

switchport port-security mac-address 0014.1c80.7f02 vlan voice

even though you don't see it, "vlan access" was designated during config of the two lines above "vlan voice".

This locks down the port more securely that the 6509.

on the platform, there are about eight different platforms shown when selecting an image with the compare tool.

Edison Ortiz Wed, 02/11/2009 - 14:17

According to the documentation, the command is available in the 6500 as well:

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1014126

As for the platform, you have 3 choices in the download section from what I see:

Cisco Catalyst 6500 Series Supervisor Engine 720

Cisco Catalyst 6500 Series Supervisor Engine 720 / MSFC3

Cisco Catalyst 6500 Series Virtual Switching Supervisor Engine 720 with 10GE uplinks

__

If you have an old PFC module (for instance, PFC2), you select the first from the list above.

PFC3 is the second from the list and the 3rd from the list is the new Sup720-10G.

__

If you post the show module from the switch, we can determine the right platform for you.

__

Edison.

wilson_1234_2 Wed, 02/11/2009 - 15:33

Thanks edison,

Here is my sh module, I do not have the vlan designation of voice or access feature, perhaps it is in the 12.2.33 train.

Also does this show I am 720 / MSFC3?

Mod Ports Card Type Model Serial No.

--- ----- -------------------------------------- ------------------ -----------

1 5 Communication Media Module WS-SVC-CMM SAD092001E5

2 8 8 port 1000mb GBIC Enhanced QoS WS-X6408A-GBIC SAD04250KHR

3 48 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAD04260MKR

4 48 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAD04260MLL

5 48 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAD04260N87

6 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAD072800W3

7 48 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAD04260M6P

8 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAD080901M8

9 16 16 port GE RJ45 WS-X6316-GE-TX SAD064000SY

Mod MAC addresses Hw Fw Sw Status

--- ---------------------------------- ------ ------------ ------------ -------

1 0013.c301.bb58 to 0013.c301.bb61 2.7 12.4(7a), 12.4(7a), Ok

2 00d0.c0cf.f1d4 to 00d0.c0cf.f1db 1.3 5.4(2) 8.5(0.46)RFW Ok

3 00b0.8e84.a318 to 00b0.8e84.a347 1.1 5.3(1) 8.5(0.46)RFW Ok

4 0001.9750.8880 to 0001.9750.88af 1.1 5.3(1) 8.5(0.46)RFW Ok

5 00b0.8e84.a2b8 to 00b0.8e84.a2e7 1.1 5.3(1) 8.5(0.46)RFW Ok

6 000c.ce64.230c to 000c.ce64.230f 2.8 8.4(2) 12.2(18)SXF1 Ok

7 0001.9750.8cd0 to 0001.9750.8cff 1.1 5.3(1) 8.5(0.46)RFW Ok

8 000f.348e.11ac to 000f.348e.11db 10.0 7.2(1) 8.5(0.46)RFW Ok

9 0002.7e39.8ec4 to 0002.7e39.8ed3 1.3 5.4(2) 8.5(0.46)RFW Ok

Mod Sub-Module Model Serial Hw Status

---- --------------------------- ------------------ ----------- ------- -------

3 Inline Power Module WS-F6K-PWR 2.0 Ok

4 Inline Power Module WS-F6K-PWR 2.0 Ok

5 Inline Power Module WS-F6K-PWR 2.0 Ok

6 Policy Feature Card 3 WS-F6K-PFC3A SAD073400J3 1.4 Ok

6 MSFC3 Daughterboard WS-SUP720 SAD072603GD 1.11 Ok

7 Inline Power Module WS-F6K-PWR 2.0 Ok

Mod Online Diag Status

---- -------------------

1 Pass

2 Pass

3 Pass

4 Pass

5 Pass

6 Pass

7 Pass

8 Pass

9 Pass

Edison Ortiz Wed, 02/11/2009 - 15:47

Yes, you have a PFC3A/MSFC3

As for the other query, Kevin was diligent enough to test the feature on a switch and provide the details.

Thanks Kevin !

__

Edison.

Yudong Wu Wed, 02/11/2009 - 15:09

I tested it on a SXF13a version.

You have to configure the port as trunk port in order to use "vlan" option in "switchport port-security mac".

SC3-Cat6506Eb(config-if)#do sh run int gig 5/1

Building configuration...

Current configuration : 247 bytes

!

interface GigabitEthernet5/1

switchport

switchport trunk encapsulation dot1q

switchport trunk native vlan 300

switchport trunk allowed vlan 300,400

switchport mode trunk

switchport nonegotiate

switchport port-security

no ip address

end

SC3-Cat6506Eb(config-if)#switch port-s mac 0001.1111.1111 ?

vlan set VLAN ID of the VLAN on which this address can be learned

SC3-Cat6506Eb(config-if)#

SC3-Cat6506Eb(config-if)#

SC3-Cat6506Eb(config-if)#sw mode acc

SC3-Cat6506Eb(config-if)#switch port-s mac 0001.1111.1111 ?

SC3-Cat6506Eb(config-if)#switch port-s mac 0001.1111.1111

wilson_1234_2 Wed, 02/11/2009 - 15:56

I didn't want to configure the ports as trunk ports.

The feature I was talking about above should be available on the 6509 as well.

Edison Ortiz Wed, 02/11/2009 - 16:33

I'm afraid that's the difference between the 6509 and the 3750/3560.

It's stated in the Usage Guidelines from the link I posted before:

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1014126

The vlan-list argument is visible only if the port has been configured and is operational as a trunk. Enter the switchport mode trunk command and then enter the switchport nonegotiate command.

Edison Ortiz Wed, 02/11/2009 - 13:37

Hi Richard,

I recommend staying within the SXF train until you need a feature or the hardware demands SXH or SXI. SXD is out of the question, it's a very old track.

And Yes, Sup720 supports both SXH and SXI.

You can compare what features each track provides by checking the Cisco Release Notes on the 6500 for SXH and SXI

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html

or

SXF

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html

or the good old Feature Navigator:

http://www.cisco.com/web/go/fn

HTH,

__

Edison.

Actions

This Discussion