Cisco Catalyst 3524XL

From BovineNet

I bought a used Cisco Catalyst 3524XL rack-mounted, managed switch off eBay for $78 in Feb 2008.

After upgrading and playing around with its IOS version 12.0(5)WC17 (the latest version supported on this hardware), I thought it might be interesting to see what else I could do with it. Since Cisco classifies this device as a simple layer 2 switch, IOS doesn't allow you to do any fancy layer 3 stuff like routing, IP-based firewalls, or NAT. However, I have a suspicion that these limitations were mostly artificial marketing restrictions that are being enforced by what features were compiled into IOS.

• PowerPC 403 processor
• 8192K/1024K bytes of memory (RAM). Soldered, not-upgradable.
• 4MB flash (3,612,672 bytes flash total on file system). Soldered, not-upgradable.

Cisco has a page that provides some historical notes about the release of the development of the Catalyst 2900XL / 3500XL series switches.[1]

[edit] Linux ideas

I think it might be possible to get lightweight embedded Linux distribution running on this device, such as OpenWRT. They already support a wide variety of consumer-grade hardware, including some PPC40X hardware. They do mention some minimum system requirements, which will be very tight for OpenWRT in terms of flash and RAM size on my Cisco. The RAM will probably be most limiting, since the Flash size might be worked around by booting over TFTP (but I think my model might not actually support booting over TFTP).

There are existing attempts to run Linux on other types of Cisco hardware including:

• Unmaintained but functional "uclinux-cisco" port for Cisco 2500 routers running Motorola 68ec030-based CPUs
• Not-yet-functional port of Linux for Cisco 3600 routers running MIPS-based CPUs

I wrote to Koen De Vleeschauwer (author of the "uclinux-cisco" port for Cisco 2500 routers) and he estimated the possible routing performance: "Processor-based routing/bridging speed would be around 1 mbyte/second per mips. This is merely a first guess; could be way off."

[edit] MZIP firmware format

Cisco distributes all of their IOS firmware updates in ".bin" files that are supposedly compressed using a "MZIP" format. As it turns out this is just standard PKZIP file format, with a 112 byte header prepended to it.

• How to unpack Cisco firewall OS -- Notes comparing the different packing firmware formats of several different Cisco products.

# ls -l c3500xl-c3h2s-mz.120-5.WC17.bin
-rw-r--r-- 1 jlawson jlawson 1811552 2007-02-13 17:17 c3500xl-c3h2s-mz.120-5.WC17.bin
# hexdump -C c3500xl-c3h2s-mz.120-5.WC17.bin | grep "50 4b 03 04"
00000070  50 4b 03 04 14 00 08 00  08 00 2c 7a 4d 36 00 00  |PK........,zM6..|
# unzip -v c3500xl-c3h2s-mz.120-5.WC17.bin
Archive:  c3500xl-c3h2s-mz.120-5.WC17.bin
warning [c3500xl-c3h2s-mz.120-5.WC17.bin]:  112 extra bytes at beginning or within zipfile
  (attempting to process anyway)
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
 4559872  Defl:N  1811081  60%  02-13-07 15:17  34e3e15d  -
--------          -------  ---                            -------
 4559872          1811081  60%                            1 file
# head -c 112 c3500xl-c3h2s-mz.120-5.WC17.bin | hexdump
0000000 5a4d 5049 0000 0100 0000 0030 0000 0100
0000010 0000 0100 0000 0000 0000 0000 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 ae48 c4aa 0000 7000 0000 0030
0000040 0000 0100 1b00 fda2 4500 0094 4d00 2c4d
0000050 0000 0000 0000 0000 0000 0000 0000 0000
*
0000070

The breakdown of the 112 byte header appears to be roughly something like this:

00000000: 4d5a 4950     # magic header "MZIP"
00000004: 0000 0001 0000 3000 0000 0001 0000 0001    # platform/hardware type?
00000014: 0000 0000 0000 0000 0000 0000 0000 0000    # padding
00000024: 0000 0000 0000 0000 0000 0000 0000 0000    # padding
00000034: 48ae aac4     # checksum?  varies greatly
00000038: 0000 0070 0000 3000 0000 0001                    # platform/hardware type?
00000044: 001b a2fd     # compressed size? (compressed subfile size+116)
00000048: 0045 9400     # size of unzipped kernel (exact)
0000004c: 004d 4d2c     # size of unzipped kernel + fudge?
00000050: 0000 0000 0000 0000 0000 0000 0000 0000    # padding
00000060: 0000 0000 0000 0000 0000 0000 0000 0000    # padding

[edit] Memory details

# switch: memory
Text:   0x00700000 - 0x0071f99c (0x0001f99c bytes)
Rotext: 0x0071f99c - 0x0071f99c (0x00000000 bytes)
Data:   0x0071f99c - 0x007273ac (0x00007a10 bytes)
Bss:    0x00728ea0 - 0x0074aa48 (0x00021ba8 bytes)
Stack:  0x0074aa48 - 0x0075aa48 (0x00010000 bytes)
Heap:   0x0075aa4c - 0x00800000 (0x000a55b4 bytes)

Bottom heap utilization is 24 percent.
Top heap utilization is 0 percent.
Total heap utilization is 24 percent.
Total bytes: 0xa55b4 (677300)
Bytes used: 0x28adc (166620)
Bytes available: 0x7cad8 (510680)

Alternate heap utilization is 0 percent.
Total alternate heap bytes: 0x6fd000 (7327744)
Alternate heap bytes used: 0x0 (0)
Alternate heap bytes available: 0x6fd000 (7327744)

# switch: set
ASSEMBLY_REVISION_NUM=A0
BOOT=flash:c3500xl-c3h2s-mz.120-5.WC17.bin
ENABLE_BREAK=1
MAC_ADDR=xx:xx:42:28:1F:C0
MODEL_NUM=WS-C3524-XL-EN
MODEL_REVISION_NUM=S0
MOTHERBOARD_ASSEMBLY_NUM=73-3904-14
MOTHERBOARD_REVISION_NUM=A0
MOTHERBOARD_SERIAL_NUM=xxxxxxxxx
POWER_SUPPLY_PART_NUM=34-0963-01
POWER_SUPPLY_SERIAL_NUM=xxxxxxxx
SYSTEM_SERIAL_NUM=xxxxxxxxx

Image text-base: 0x00003000, data-base: 0x00352924

My boot loader does not seem to support the undocumented "priv" command.[2] I have version: C3500XL Boot Loader (C3500-HBOOT-M) Version 12.0(5.1)XP