Changes to Hardware Components and bug fixes
Improvements
Reset Button Functionality
The reset button function has been updated as follows. The system LED provides different flash indications for a regular device reload and for a reset to factory default:
- Regular device reload (the reset button is pressed and then released within 6-10 seconds) – the system LED will provide an indication of a slow flash.
- Resetting device to factory default (the reset button is pressed and then released within 16-20 seconds) – the system LED will provide an indication of a rapid flash.
Pressing the system LED and releasing it within 1-2 seconds on SKUs that support PoE will provide the following indication:
- On ports that are delivering power to connected PDs – the port LED will provide a solid amber indication for 5 seconds.
- On ports that are not delivering power to connected PDs – the port LED will not provide any indication for 5 seconds (LED will be off).
Type-C USB Interface
The device supports a type-C USB interface located on the device front panel. This provides an additional console interface besides the RJ45 interface. The type-C USB based console has the following characteristics:
- The console is active only from OS init stage and on.
- When active, the type-C USB console has priority over the RJ45 console.
- The type-C USB console is agnostic to baud rate setting.
Trusted Platform Module (TPM) Support
All SKUs support a TPM component. The TPM provides hardware-level protection and operation for security-related features such as Chip Guard and Boot Integrity Visibility. The device supports the TPM 2.0 specification.
Bluetooth Management Interface
- The current version added support for a Bluetooth Management Interface, providing IP connectivity over Bluetooth. This allows device management over Bluetooth via Telnet, SSH, or the HTTP/HTTPS GUI interface.
- Support of Bluetooth is achieved by connecting a Bluetooth (BT) dongle to the device USB port. The device will automatically detect the insertion of a supported BT dongle into the device's USB port and provide Bluetooth host support. The device supports the following Bluetooth dongles.
Persistent PoE
The Persistent PoE feature (also referred to as Always-On PoE) minimizes the dependency of the PoE operation on the switch's status. Before the introduction of this feature, any disruption in the switch operation, such as a software-related reboot, would also cause a disruption in the PoE operation until the device finished coming back up. With the Persistent PoE feature, warm reboots such as the ones performed by the reload command will not disrupt the operation of the PoE in its current state, allowing PDs connected to the switch to continue to operate.
Auto Surveillance VLAN (ASV)
- Network communication between surveillance devices such as cameras and monitoring equipment should often be given higher priority, and it is important that the various devices that comprise the surveillance infrastructure in the organization are reachable from each other.
- Normally, it falls to the network administrator to ensure that all surveillance devices are connected to the same VLAN and to set up this VLAN and the interfaces on it to allow for this high-priority traffic.
- The Auto Surveillance VLAN (ASV) feature automates aspects of this setup by detecting surveillance devices on the network, assigning them to a VLAN and setting their traffic priority.
MSTP Enhancements
The following MSTP related enhancements were added to this release:
- Catalyst 1300 product line supports 16 instances.
- MSTP instance ID can be in the range of 0-4094.
To support the range of 0-4094 for the MSTP instance ID, the user is required to create an MSTP instance and assign it an instance ID. Once the instance ID is created, the user can map VLANs to the created instance (in previous releases there was no need to create the instance prior to mapping VLANs to it).
Password Aging Enhancements
Password aging allows the administrator to force a change of a password after a predefined period. The current version added the following enhancements:
- Only a level 15 user can change passwords. A level 1 user is presented with a notice of the (expected) password expiration but does not have the privilege to change the password.
- Expiration period (10 days prior to password expiration) – Upon login, the (level 15) user will be presented with the option to change the password. The user can decline the option, in which case login proceeds as usual, or accept it, in which case they can change the password immediately (in previous versions the user would need to log in and then enter the relevant configuration mode).
Attestation Certificate and Key-pair (AIK) Support
- The certificate and key pair are used to validate various device information as well as to sign the output of commands displaying security-related information (for example Chip Guard and Boot Integrity Visibility).
- The current version added support for an additional certificate and key pair. This is the Attestation certificate and key pair (also known as AIK - Attestation Identity Key). The attestation certificate and keys are considered more secure than the SUDI certificate and keys, as operation using the AIK certificate is confined within the TPM. This provides higher confidence in the validity of the signed information.
Boot Integrity Visibility (BIV)
- The Boot Integrity Visibility (BIV) feature allows a platform's software integrity information to be visible and actionable. Software integrity exposes boot integrity measurements that can be used to assess whether the platform has booted and is running trusted code. BIV on the Catalyst 1200 and 1300 product line utilizes the functionalities of the TPM component.
- During the boot process, the software creates a hash record of the different images involved in the boot stages. To ensure integrity of the measurements, the measurements are stored in a hardware-protected component called the TPM and extended into PCRs (Platform Configuration Registers). The user can then retrieve these records (via CLI commands) and compare them with Known Good Values (KGV) records maintained by Cisco. If the values do not match, the device may be running a software image that is either not certified by Cisco or has been altered by an unauthorized party.
- The CLI commands display the hash measurements and PCR quote for the bootloader and the entire image. Optionally, this information can also be signed using the SUDI or attestation keys.
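The following is an added example, not Cisco code and not the output of any Catalyst CLI command: it simulates how measured boot extends a PCR with each stage's hash (TPM 2.0 extend is PCR_new = SHA-256(PCR_old || measurement)) and how an operator-side check compares the retrieved measurement log against a known-good table. The boot stage names, image contents and "KGV" table are constructed for the demonstration; real KGV records come from Cisco.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed boot stages, in boot order. Real platforms have their own stage list.
BOOT_STAGES = ["bootloader", "kernel", "rootfs"]


def measure(image: bytes) -> bytes:
    """Hash an image the way a boot stage measures the next stage before running it."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend: the PCR is never written directly, only folded forward.
    Because the old value is part of the input, the final PCR depends on every
    measurement and on their order; no later stage can 'undo' an earlier one."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_chain(images: Dict[str, bytes]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate measured boot over one PCR.
    Returns (final PCR value, measurement log of (stage, hex digest))."""
    pcr = bytes(32)  # SHA-256 PCRs start at all zeros after a reset
    log: List[Tuple[str, str]] = []
    for stage in BOOT_STAGES:
        m = measure(images[stage])
        pcr = pcr_extend(pcr, m)
        log.append((stage, m.hex()))
    return pcr, log


def replay_log(log: List[Tuple[str, str]]) -> bytes:
    """Recompute the PCR from the event log. A verifier does this to check that
    the log it was shown is consistent with the PCR value in the quote."""
    pcr = bytes(32)
    for _stage, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def compare_with_kgv(log: List[Tuple[str, str]], kgv: Dict[str, str]) -> List[str]:
    """Return the names of stages whose measured hash differs from the known-good
    value (or that have no known-good value at all). An empty list means every
    stage matched."""
    mismatched = []
    for stage, digest_hex in log:
        if kgv.get(stage) != digest_hex:
            mismatched.append(stage)
    return mismatched


def build_kgv(images: Dict[str, bytes]) -> Dict[str, str]:
    """Constructed stand-in for a vendor KGV table: hashes of the certified images."""
    return {stage: measure(images[stage]).hex() for stage in BOOT_STAGES}


# Constructed certified images and a tampered copy of one of them.
CERTIFIED_IMAGES = {
    "bootloader": b"constructed bootloader image v1",
    "kernel": b"constructed kernel image v1",
    "rootfs": b"constructed rootfs image v1",
}
TAMPERED_IMAGES = dict(CERTIFIED_IMAGES, rootfs=b"constructed rootfs image v1 + unauthorized change")
KGV = build_kgv(CERTIFIED_IMAGES)


def assess_boot(images: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Run the chain, check log/PCR consistency, then check against the KGV table."""
    pcr, log = boot_chain(images)
    if replay_log(log) != pcr:
        return False, ["log does not match PCR"]
    bad = compare_with_kgv(log, KGV)
    return (len(bad) == 0), bad


if __name__ == "__main__":
    for label, imgs in (("certified", CERTIFIED_IMAGES), ("tampered", TAMPERED_IMAGES)):
        ok, bad = assess_boot(imgs)
        print(f"{label}: {'trusted' if ok else 'MISMATCH in ' + ', '.join(bad)}")
```

The point the example makes is the one the feature relies on: the operator does not trust the device's self-report, but recomputes the chain from the log and compares each stage's hash to a value obtained out of band. A single altered byte in any stage changes that stage's hash and every PCR value after it.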
Dying Gasp
- The Dying Gasp feature provides a mechanism to alert monitoring systems that a device is experiencing an unexpected loss of power due to HW failure (disconnection or disruption of the power source).
- When a loss of power event occurs, a hardware capacitor will delay the device shutting down for a short time. During this time, the device will send Dying Gasp messages. The messages can be sent to SNMP servers (as notifications) or to syslog servers.
- This feature is supported only on the 1300 product lines (standalone and stacking). It is not supported on the 1200 product line.