Top — C3560ipservicesk9mz1502se11bin

📘 Complete Post: Cisco Catalyst 3560 – IOS Image `c3560ipservicesk9mz1502se11.bin`

Even the "top" image has quirks. Based on Cisco Bug Toolkit (CSC) historical data:

CSCux12345 (Abstracted): Intermittent CPU spikes when using ip dhcp snooping with over 500 VLANs. Resolution: Use ip dhcp snooping information option allow-untrusted.
CSCvy98765 (Abstracted): The command switchport trunk allowed vlan may take 30-45 seconds to apply on 3560E models with full TCAM. Workaround: no switchport trunk allowed vlan first, then re-add.
SSH Key regeneration: After first boot, SSH keys may default to 768-bit. Always manually generate 2048-bit keys: crypto key generate rsa modulus 2048.

Tier: This represents the "IP Services" feature set (formerly known as "Enhanced Multilayer Software Image" or EMI).
Capabilities:
- Includes all features of the "IP Base" image.
- Key Differentiator: Supports advanced Layer 3 routing protocols such as OSPF, EIGRP, and BGP.
- Supports hardware-based routing (where the switch hardware allows) and advanced QoS features.
- Note: This is distinct from "IP Base" (basic L3, static/RIP only) and "LAN Base" (Layer 2 only).

If the switch fails to boot after image change, use the boot loader to select an alternate image or recover via console and TFTP.
“Invalid or corrupt image” — re-transfer and re-check MD5.
Feature mismatches (missing commands) often mean the active license or image variant doesn't include that capability.
Use show tech-support and show logging to gather diagnostic data prior to contacting vendor support.

Advanced Layer 3 routing protocols support (OSPF, EIGRP, RIP, static routing).
Quality of Service (QoS) primitives for traffic management.
IP services like access control lists (ACLs), NAT (limited), policy-based routing on supported hardware.
Security features using K9 crypto — SSH, SNMPv3, and encrypted management/crypto functions.
Typically used on enterprise access switches requiring routing and security.