
Cisco Catalyst 5000 Series Switches

Identifying Catalyst 5000 EARL Version and Other Common EARL Questions

Document ID: 10590

Updated: Oct 04, 2005


Introduction

This document addresses common questions surrounding the 802.1x vulnerability issue with Catalyst 5000 switches. Also included in this document is how to determine the Catalyst 5000 EARL version. For more information on the 802.1x vulnerability, see the following security advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20010413-cat5k-8021x.shtml

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

What is the EARL?

The Encoded Address Recognition Logic (EARL) is a centralized processing engine for learning and forwarding packets based upon MAC address on the Catalyst 5000 Supervisor Engines. The EARL stores the VLAN, MAC address, and port relationships. These relationships are used to make switching decisions in hardware.

Determining EARL Version From CLI

To determine the EARL version from the command line interface (CLI), issue the show module command from the Supervisor. An example is presented below:

Console (enable) sh mod
Mod Module-Name Ports Module-Type Model Serial-Num Status 
--- ------------------- ----- --------------------- --------- --------- ---- --- 
1 2 100BaseFX MM Supervis WS-X5506 005441962 ok 
2 48 10BaseT Ethernet WS-X5012A 010308246 ok 
3 48 10BaseT Ethernet WS-X5012A 010308178 ok 
4 24 3 Segment 100BaseTX E WS-X5223 005389389 ok 
5 12 100BaseFX MM Ethernet WS-X5201R 008951252 ok 

Mod MAC-Address(es) Hw Fw Sw 
--- -------------------------------------- ------ ---------- --------------- -- 
1 00-e0-f9-d6-64-00 to 00-e0-f9-d6-67-ff 1.0 2.2(2) 4.2(1) 
2 00-90-6f-6e-75-c0 to 00-90-6f-6e-75-ef 1.0 4.2(1) 4.2(1) 
3 00-90-6f-6e-5a-f0 to 00-90-6f-6e-5b-1f 1.0 4.2(1) 4.2(1) 
4 00-e0-b0-fb-0a-29 to 00-e0-b0-fb-0a-2b 1.0 2.2(1) 4.2(1) 
5 00-60-2f-39-3d-d4 to 00-60-2f-39-3d-df 1.1 4.1(1) 4.2(1) 

Mod Sub-Type Sub-Model Sub-Serial Sub-Hw 
--- -------- --------- ---------- ------ 
1 EARL 1+ WS-F5511 0005442554 1.0

The show module command, issued from the Supervisor as shown above, reports the EARL hardware version in the Sub-Type field. If the Supervisor is an EARL 1, 1.1, 1+, or 1++, the system is affected by the 802.1x vulnerability. Any other version shown in the Sub-Type field, such as NFFC, NFFC+, or NFFC II, is not an EARL 1 and is not affected by the 802.1x vulnerability.

Note: The Supervisor IIG and IIIG will not print the Sub-Type. The Supervisor IIG and IIIG are EARL 3s and are not affected by the 802.1x vulnerability.

Determine EARL Version from Part Number Matrix

Modular Catalyst 5000 Series Supervisors

Supervisor Part Number  Supervisor Model          EARL Version (Sub-Type)  Sub-Model  Affected by 802.1x Vulnerability
----------------------  ------------------------  -----------------------  ---------  --------------------------------
WS-X5005                Supervisor I              EARL 1                   WS-F5510   Yes
WS-X5006                Supervisor I              EARL 1                   WS-F5510   Yes
WS-X5009                Supervisor I              EARL 1                   WS-F5510   Yes
WS-X5505                Supervisor II             EARL 1+                  WS-F5511   Yes
WS-X5506                Supervisor II             EARL 1+                  WS-F5511   Yes
WS-X5509                Supervisor II             EARL 1+                  WS-F5511   Yes
WS-X5530-E1             Supervisor III            EARL 1++                 WS-F5520   Yes
WS-X5530-E2             Supervisor III NFFC       EARL 2 (NFFC)            WS-F5521   No
WS-X5530-E2A            Supervisor III NFFC-A     EARL 2 (NFFC)            WS-F5521   No
WS-X5530-E3             Supervisor III NFFC II    EARL 3 (NFFC II)         WS-F5531   No
WS-X5530-E3A            Supervisor III NFFC II-A  EARL 3 (NFFC II)         WS-F5531   No
WS-X5534                Supervisor III F          EARL 1++                 WS-F5520   Yes
WS-X5540                Supervisor II G           EARL 3 (NFFC II)         WS-F5531   No
WS-X5550                Supervisor III G          EARL 3 (NFFC II)         WS-F5531   No

Fixed Configuration Catalyst 5000 Series Switches

Switch Part Number  Supervisor Model        EARL Version (Sub-Type)  Sub-Model  Affected by 802.1x Vulnerability
------------------  ----------------------  -----------------------  ---------  --------------------------------
WS-C2901            Supervisor I            EARL 1                   WS-F5510   Yes
WS-C2902            Supervisor I            EARL 1                   WS-F5510   Yes
WS-C2926T           Supervisor II           EARL 1+                  WS-F5511   Yes
WS-C2926G           Supervisor II           EARL 1+                  WS-F5511   Yes
WS-C2926GS          Supervisor III NFFC II  EARL 3 (NFFC II)         WS-F5531   No
WS-C2926GL          Supervisor III NFFC II  EARL 3 (NFFC II)         WS-F5531   No

Note: In early software revisions, the EARL 3 (NFFC II) may be referred to as an NFFC+.

Determining EARL Version Through SNMP

The EARL hardware version can also be determined through Simple Network Management Protocol (SNMP) by querying the moduleSubType object:

.iso.org.dod.internet.private.enterprises.cisco.workgroup.stack.moduleGrp.moduleTable.moduleEntry.moduleSubType

.1.3.6.1.4.1.9.5.1.3.1.1.16

The return values can be:

  • other(1)

  • empty(2)

  • wsf5510(3) (EARL1)

  • wsf5511(4) (EARL1+)

  • wsx5304(6) (RSM--NOT ON SUPERVISOR)

  • wsf5520(7) (EARL1++)

  • wsf5521(8) (EARL2/NFFC)

  • wsf5531(9) (EARL3/NFFCII)

The Supervisor IIG and IIIG will not return a value. The Supervisor IIG and IIIG are EARL 3s and are not affected by the 802.1x vulnerability.
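The following added example (not part of the original Cisco document) automates the two checks described above: it maps the SNMP moduleSubType integer to an EARL version and parses the Sub-Type table of show module output, flagging the EARL 1 family (1, 1.1, 1+, 1++) as affected. The sample output embedded below is constructed from the show module excerpt earlier in this document.

```python
import re

# moduleSubType (.1.3.6.1.4.1.9.5.1.3.1.1.16) values listed in this document.
SNMP_SUBTYPE = {
    1: "other", 2: "empty", 3: "EARL 1", 4: "EARL 1+",
    6: "RSM (not a Supervisor)", 7: "EARL 1++",
    8: "EARL 2 (NFFC)", 9: "EARL 3 (NFFC II)",
}

def is_affected(earl):
    """Only the EARL 1 family (1, 1.1, 1+, 1++) forwards the 802.1x frame."""
    return earl is not None and re.match(r"^EARL\s*1(\.1|\+{1,2})?$", earl) is not None

def classify_snmp(value):
    """Map a moduleSubType integer to (EARL version, affected?).
    Unknown values (or no value, as on a Supervisor IIG/IIIG) yield (None, False)."""
    earl = SNMP_SUBTYPE.get(value)
    return earl, is_affected(earl)

# Sub-Type table of 'show module': "Mod Sub-Type Sub-Model Sub-Serial Sub-Hw"
SUBTYPE_HEADER = re.compile(r"^Mod\s+Sub-Type\s+Sub-Model", re.M)
SUBTYPE_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(WS-F\d+)\s+\d+\s+\S+\s*$", re.M)

def classify_show_module(output):
    """Parse 'show module' text and return {slot: (Sub-Type, affected?)}.
    An empty dict means no Sub-Type table was printed, which per the note above
    is the Supervisor IIG/IIIG case; confirm with the part-number matrix."""
    header = SUBTYPE_HEADER.search(output)
    if header is None:
        return {}
    result = {}
    for slot, sub_type, _sub_model in SUBTYPE_ROW.findall(output[header.end():]):
        result[int(slot)] = (sub_type, is_affected(sub_type))
    return result

# Constructed sample: the Sub-Type portion of the show module output shown above.
SAMPLE_SHOW_MODULE = """Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
--- -------- --------- ---------- ------
1 EARL 1+ WS-F5511 0005442554 1.0
"""

if __name__ == "__main__":
    print(classify_snmp(4))                       # EARL 1+ -> affected
    print(classify_show_module(SAMPLE_SHOW_MODULE))
```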

Why Are Only Catalyst 5000 EARL 1 Versions Affected?

Only EARL 1 versions are affected because an EARL 1 must be programmed for each reserved MAC address individually. All other EARL versions were programmed with address ranges and thus do not forward the 802.1x frame.

If There is no STP Redundancy in the Network Should I Still Upgrade?

Absolutely. The Catalyst 5000 software is still forwarding these packets on all ports, when the switch should be dropping the frames inbound. Although the network will not suffer any degradation unless there is STP redundancy, the switch is still operating incorrectly.

Catalyst 4000 and 6000 Not Affected By 802.1x Vulnerability

Catalyst 5000 series switches with an EARL 1 are the only affected switches. All other switches will not forward the frame and will actually stop an STP loop from occurring if they are located in the STP path.

Windows 2000 Participation in 802.1x

Currently, Windows XP (Whistler) is the only Microsoft operating system to support 802.1x. According to Microsoft, 802.1x for Windows 2000 might be added at a later time through a software upgrade or patch.

Related Information
